SUSE Linux Enterprise Server 15 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The SUSE operating system must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords.
The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. Passwords need to be protec...
Rule Medium Severity -
SRG-OS-000075-GPOS-00043
Group -
The SUSE operating system must be configured to create or update passwords with a minimum lifetime of 24 hours (one day).
Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually ch...
Rule Medium Severity -
SRG-OS-000075-GPOS-00043
Group -
SRG-OS-000076-GPOS-00044
Group -
The SUSE operating system must be configured to create or update passwords with a maximum lifetime of 60 days.
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the SUSE operating system does not limit the lifetime of passwords and force...
Rule Medium Severity -
SRG-OS-000076-GPOS-00044
Group -
The SUSE operating system must employ user passwords with a maximum lifetime of 60 days.
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the SUSE operating system does not limit the lifetime of passwords and force...
Rule Medium Severity -
SRG-OS-000078-GPOS-00046
Group -
The SUSE operating system must employ passwords with a minimum of 15 characters.
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectivene...
Rule Medium Severity -
SRG-OS-000266-GPOS-00101
Group -
The SUSE operating system must enforce passwords that contain at least one special character.
Use of a complex password helps increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting att...
Rule Medium Severity -
SRG-OS-000480-GPOS-00225
Group -
The SUSE operating system must prevent the use of dictionary words for passwords.
If the SUSE operating system allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses an...
Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The SUSE operating system must not be configured to allow blank or null passwords.
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily c...
Rule High Severity -
SRG-OS-000004-GPOS-00004
Group -
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply...
Rule Medium Severity -
SRG-OS-000004-GPOS-00004
Group -
SRG-OS-000004-GPOS-00004
Group -
SRG-OS-000004-GPOS-00004
Group -
SRG-OS-000004-GPOS-00004
Group -
SRG-OS-000037-GPOS-00015
Group -
SRG-OS-000037-GPOS-00015
Group -
The SUSE operating system must generate audit records for all uses of the ssh-keysign command.
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privi...
Rule Low Severity -
SRG-OS-000037-GPOS-00015
Group -
SRG-OS-000037-GPOS-00015
Group -
SRG-OS-000037-GPOS-00015
Group -
The SUSE operating system must generate audit records for all uses of the newgrp command.
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privi...
Rule Low Severity -
SRG-OS-000037-GPOS-00015
Group -
The SUSE operating system must generate audit records for all uses of the chsh command.
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privi...
Rule Low Severity -
SRG-OS-000037-GPOS-00015
Group -
The SUSE operating system must generate audit records for all uses of the unix_chkpwd or unix2_chkpwd commands.
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...
Rule Medium Severity -
SRG-OS-000037-GPOS-00015
Group -
The SUSE operating system must generate audit records for all uses of the chage command.
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...
Rule Medium Severity -
SRG-OS-000037-GPOS-00015
Group -
The SUSE operating system must generate audit records for all uses of the crontab command.
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...
Rule Medium Severity -
SRG-OS-000037-GPOS-00015
Group -
The SUSE operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privi...
Rule Medium Severity -
SRG-OS-000037-GPOS-00015
Group -
The SUSE operating system must generate audit records for all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...
Rule Medium Severity -
SRG-OS-000037-GPOS-00015
Group -
SRG-OS-000037-GPOS-00015
Group -
The SUSE operating system must generate audit records for all uses of the chmod, fchmod, and fchmodat system calls.
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...
Rule Medium Severity -
SRG-OS-000037-GPOS-00015
Group -
SRG-OS-000037-GPOS-00015
Group -
The SUSE operating system must generate audit records for all uses of the chfn command.
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privi...
Rule Low Severity -
SRG-OS-000037-GPOS-00015
Group -
SRG-OS-000037-GPOS-00015
Group -
The SUSE operating system must generate audit records for all uses of the umount system call.
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privi...
Rule Low Severity