SLES 12 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections.

    Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information s...
    Rule Medium Severity
  • The SUSE operating system SSH daemon must be configured with a timeout interval.

    Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port th...
    Rule Medium Severity
  • The SUSE operating system for all network connections associated with SSH traffic must immediately terminate at the end of the session or after 10 minutes of inactivity.

    Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i....
    Rule Medium Severity
  • The SUSE operating system SSH daemon private host key files must have mode 0640 or less permissive.

    If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
    Rule Medium Severity
  • The SUSE operating system SSH daemon must not allow compression or must only allow compression after successful authentication.

    If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, pote...
    Rule Medium Severity
  • Address space layout randomization (ASLR) must be implemented by the SUSE operating system to protect memory from unauthorized code execution.

    Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory inclu...
    Rule Medium Severity
  • The SUSE operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.

    Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
    Rule Medium Severity
  • The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.

    Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unn...
    Rule Medium Severity
  • The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented.

    Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect in...
    Rule Medium Severity
  • The SUSE operating system must have the packages required for multifactor authentication to be installed.

    Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect cred...
    Rule Medium Severity
  • The SUSE operating system must implement certificate status checking for multifactor authentication.

    Using an authentication device, such as a Common Access Card (CAC) or token separate from the information system, ensures credentials stored on the authentication device will not be affected if the...
    Rule Medium Severity
  • The SUSE operating system SSH daemon must prevent remote hosts from connecting to the proxy display.

    When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds ...
    Rule Medium Severity
  • The SUSE operating system must restrict privilege elevation to authorized personnel.

    The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file...
    Rule Medium Severity
  • The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo".

    The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, ...
    Rule Medium Severity
  • The SUSE operating system library directories must have mode 0755 or less permissive.

    If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are ...
    Rule Medium Severity
  • The SUSE operating system library files must be owned by root.

    If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are ...
    Rule Medium Severity
  • The SUSE operating system must have directories that contain system commands set to a mode of 0755 or less permissive.

    If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are ...
    Rule Medium Severity
  • The SUSE operating system must not have the vsftpd package installed if not required for operational support.

    It is detrimental for SUSE operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often over...
    Rule Medium Severity
  • The SUSE operating system must not have accounts configured with blank or null passwords.

    If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
    Rule High Severity
  • The SUSE operating system must generate audit records for all uses of the unlink, unlinkat, rename, renameat and rmdir syscalls.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
  • The SUSE operating system must use a file integrity tool to verify correct operation of all security functions.

    Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmwa...
    Rule Medium Severity
  • The SUSE operating system must automatically expire temporary accounts within 72 hours.

    Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware configuration or an incident response, where the nee...
    Rule Medium Severity