SUSE Linux Enterprise Server 15 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
SRG-OS-000068-GPOS-00036
Group -
SRG-OS-000037-GPOS-00015
Group -
The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).
Using an authentication device, such as a Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise...
Rule Medium Severity -
SRG-OS-000109-GPOS-00056
Group -
SRG-OS-000118-GPOS-00060
Group -
SRG-OS-000123-GPOS-00064
Group -
SRG-OS-000480-GPOS-00227
Group -
The SUSE operating system must display the date and time of the last successful account logon upon logon.
Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.
Rule Low Severity -
SRG-OS-000480-GPOS-00227
Group -
The SUSE operating system must not have unnecessary accounts.
Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and a...
Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The SUSE operating system must not have unnecessary account capabilities.
Accounts providing no operational purpose provide additional opportunities for system compromise. Therefore all necessary non-interactive accounts should not have an interactive shell assigned to t...
Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The SUSE operating system root account must be the only account with unrestricted access to the system.
If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire SUSE operating system. Multiple accounts with a U...
Rule High Severity -
SRG-OS-000480-GPOS-00227
Group -
SRG-OS-000373-GPOS-00156
Group -
The SUSE operating system must require reauthentication when using the "sudo" command.
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, ...
Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo".
The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, ...
Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
SRG-OS-000480-GPOS-00227
Group -
SRG-OS-000069-GPOS-00037
Group -
SRG-OS-000070-GPOS-00038
Group -
The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs).
ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.
Rule Low Severity -
SRG-OS-000480-GPOS-00227
Group -
The SUSE operating system file integrity tool must be configured to verify extended attributes.
Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.
Rule Low Severity -
SRG-OS-000480-GPOS-00227
Group -
The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence.
A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the...
Rule High Severity -
SRG-OS-000480-GPOS-00227
Group -
The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces.
A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the...
Rule High Severity -
SRG-OS-000480-GPOS-00227
Group -
SRG-OS-000480-GPOS-00227
Group -
All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file.
If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist.
If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial...
Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
All SUSE operating system local interactive user home directories must have mode 0750 or less permissive.
Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.
Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
SRG-OS-000480-GPOS-00227
Group -
SRG-OS-000480-GPOS-00227
Group -
SRG-OS-000480-GPOS-00227
Group -
SRG-OS-000480-GPOS-00227
Group -
SRG-OS-000480-GPOS-00227
Group -
SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ...
Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ...
Rule Medium Severity -
SRG-OS-000480-GPOS-00227
Group -
SRG-OS-000480-GPOS-00227
Group -
SRG-OS-000480-GPOS-00227
Group -
SUSE operating system kernel core dumps must be disabled unless needed.
Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by e...
Rule Medium Severity