Skip to content
Log In

Guide to the Secure Configuration of openSUSE

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Disable the IPv6 protocol

    Disable support for IP version 6 (IPv6). The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check the configuration value for <code>CONFIG_IPV6</co...
    Rule Medium Severity
    Show

  • Disable kexec system call

    <code>kexec</code> is a system call that implements the ability to shutdown your current kernel, and to start another kernel. It is like a reboot but it is independent of the system firmware. And l...
    Rule Low Severity
    Show

  • Disable legacy (BSD) PTY support

    Disable the Linux traditional BSD-like terminal names /dev/ptyxx for masters and /dev/ttyxx for slaves of pseudo terminals, and use only the modern ptys (devpts) interface. The configuration that ...
    Rule Medium Severity
    Show

  • Enable module signature verification

    Check modules for valid signatures upon load. Note that this option adds the OpenSSL development packages as a kernel build dependency so that the signing tool can use its crypto library. The conf...
    Rule Medium Severity
    Show

  • Enable automatic signing of all modules

    Sign all modules during make modules_install. Without this option, modules must be signed manually, using the scripts/sign-file tool. The configuration that was used to build kernel is available a...
    Rule Medium Severity
    Show

  • Require modules to be validly signed

    Reject unsigned modules or signed modules with an unknown key. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check the configuration value for...
    Rule Medium Severity
    Show

  • Specify the hash to use when signing modules

    This configures the kernel to build and sign modules using <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_hash" use="legacy"></xccdf-1.2:sub> as the hash func...
    Rule Medium Severity
    Show

  • Specify module signing key to use

    Setting this option to something other than its default of <code>certs/signing_key.pem</code> will disable the autogeneration of signing keys and allow the kernel modules to be signed with a key of...
    Rule Medium Severity
    Show

  • Sign kernel modules with SHA-512

    This configures the kernel to build and sign modules using SHA512 as the hash function. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check th...
    Rule Medium Severity
    Show

  • Enable poison without sanity check

    Skip the sanity checking on alloc, only fill the pages with poison on free. This reduces some of the overhead of the poisoning feature. This configuration is available from kernel 4.6. The configu...
    Rule Medium Severity
    Show

  • Use zero for poisoning instead of debugging value

    Instead of using the existing poison value, fill the pages with zeros. This makes it harder to detect when errors are occurring due to sanitization but the zeroing at free means that it is no longe...
    Rule Medium Severity
    Show

  • Remove the kernel mapping in user mode

    This feature reduces the number of hardware side channels by ensuring that the majority of kernel addresses are not mapped into userspace. This configuration is available from kernel 4.15, but may ...
    Rule High Severity
    Show

  • Kernel panic oops

    Enable the kernel to panic when it oopses. This has the same effect as setting oops=panic on the kernel command line. The configuration that was used to build kernel is available at <code>/boot/co...
    Rule Medium Severity
    Show

  • Kernel panic timeout

    Set the timeout value (in seconds) until a reboot occurs when the kernel panics. A timeout of 0 configures the system to wait forever. With a timeout value greater than 0, the system will wait the ...
    Rule Medium Severity
    Show

  • Disable support for /proc/kkcore

    Provides a virtual ELF core file of the live kernel. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check the configuration value for <code>CON...
    Rule Low Severity
    Show

  • Randomize the address of the kernel image (KASLR)

    In support of Kernel Address Space Layout Randomization (KASLR), this randomizes the physical address at which the kernel image is decompressed and the virtual address where the kernel image is map...
    Rule Medium Severity
    Show

  • Randomize the kernel memory sections

    Randomizes the base virtual address of kernel memory sections (physical memory mapping, vmalloc &amp; vmemmap). This configuration is available from kernel 4.8, but may be available if backported b...
    Rule Medium Severity
    Show

  • Avoid speculative indirect branches in kernel

    Compile kernel with the retpoline compiler options to guard against kernel-to-user data leaks by avoiding speculative indirect branches. Requires a compiler with -mindirect-branch=thunk-extern supp...
    Rule Medium Severity
    Show

  • Enable seccomp to safely compute untrusted bytecode

    This kernel feature is useful for number crunching applications that may need to compute untrusted bytecode during their execution. By using pipes or other transports made available to the process ...
    Rule Medium Severity
    Show

  • Enable use of Berkeley Packet Filter with seccomp

    Enable tasks to build secure computing environments defined in terms of Berkeley Packet Filter programs which implement task-defined system call filtering polices. The configuration that was used ...
    Rule Medium Severity
    Show

  • Enable different security models

    This allows you to choose different security modules to be configured into your kernel. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check th...
    Rule Medium Severity
    Show

  • Disable mutable hooks

    Ensure kernel structures associated with LSMs are always mapped as read-only after system boot. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To ...
    Rule Medium Severity
    Show

  • Enable Yama support

    This enables support for LSM module Yama, which extends DAC support with additional system-wide security settings beyond regular Linux discretionary access controls. The module will limit the use o...
    Rule Medium Severity
    Show

  • Enable SLUB debugging support

    SLUB has extensive debug support features and this allows the allocator validation checking to be enabled. The configuration that was used to build kernel is available at <code>/boot/config-*</cod...
    Rule Medium Severity
    Show

  • Enable TCP/IP syncookie support

    Normal TCP/IP networking is open to an attack known as SYN flooding. It is denial-of-service attack that prevents legitimate remote users from being able to connect to your computer during an ongoi...
    Rule Medium Severity
    Show

  • Unmap kernel when running in userspace (aka KAISER)

    Speculation attacks against some high-performance processors can be used to bypass MMU permission checks and leak kernel data to userspace. This can be defended against by unmapping the kernel when...
    Rule Medium Severity
    Show

  • Disable x86 vsyscall emulation

    Disabling it is roughly equivalent to booting with vsyscall=none, except that it will also disable the helpful warning if a program tries to use a vsyscall. With this option set to N, offending pro...
    Rule Low Severity
    Show

  • Ensure rsyslog is Installed

    Rsyslog is installed by default. The rsyslog package can be installed with the following command: 
     $ sudo zypper install rsyslog
    Rule Medium Severity
    Show

  • Enable rsyslog Service

    The <code>rsyslog</code> service provides syslog-style logging by default on openSUSE. The <code>rsyslog</code> service can be enabled with the following command: <pre>$ sudo systemctl enable rsys...
    Rule Medium Severity
    Show

  • Ensure Proper Configuration of Log Files

    The file <code>/etc/rsyslog.conf</code> controls where log message are written. These are controlled by lines called <i>rules</i>, which consist of a <i>selector</i> and an <i>action</i>. These rul...
    Group
    Show

  • Ensure Rsyslog Authenticates Off-Loaded Audit Records

    Rsyslogd is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this uti...
    Rule Medium Severity
    Show

  • Ensure Log Files Are Owned By Appropriate User

    The owner of all log files written by <code>rsyslog</code> should be <code>root</code>. These log files are determined by the second part of each Rule line in <code>/etc/rsyslog.conf</code> and t...
    Rule Medium Severity
    Show

  • systemd-journald

    systemd-journald is a system service that collects and stores logging data. It creates and maintains structured, indexed journals based on logging information that is received from a variety of sou...
    Group
    Show

  • Enable systemd-journald Service

    The <code>systemd-journald</code> service is an essential component of systemd. The <code>systemd-journald</code> service can be enabled with the following command: <pre>$ sudo systemctl enable sy...
    Rule Medium Severity
    Show

  • Ensure All Logs are Rotated by logrotate

    Edit the file <code>/etc/logrotate.d/syslog</code>. Find the first line, which should look like this (wrapped for clarity): <pre>/var/log/messages /var/log/secure /var/log/maillog /var/log/spoole...
    Group
    Show

  • Ensure logrotate is Installed

    logrotate is installed by default. The logrotate package can be installed with the following command: 
     $ sudo zypper install logrotate
    Rule Medium Severity
    Show

  • Configure rsyslogd to Accept Remote Messages If Acting as a Log Server

    By default, <code>rsyslog</code> does not listen over the network for log messages. If needed, modules can be enabled to allow the rsyslog daemon to receive messages from other systems and for the ...
    Group
    Show

  • Ensure syslog-ng is Installed

    syslog-ng can be installed in replacement of rsyslog. The syslog-ng-core package can be installed with the following command: 
    $ sudo zypper install syslog-ng-core
    Rule Medium Severity
    Show

  • Enable syslog-ng Service

    The <code>syslog-ng</code> service (in replacement of rsyslog) provides syslog-style logging by default on Debian. The <code>syslog-ng</code> service can be enabled with the following command: <pr...
    Rule Medium Severity
    Show

  • Enable rsyslog to Accept Messages via TCP, if Acting As Log Server

    The <code>rsyslog</code> daemon should not accept remote messages unless the system acts as a log server. If the system needs to act as a central log server, add the following lines to <code>/etc/r...
    Rule Unknown Severity
    Show

  • Enable rsyslog to Accept Messages via UDP, if Acting As Log Server

    The <code>rsyslog</code> daemon should not accept remote messages unless the system acts as a log server. If the system needs to act as a central log server, add the following lines to <code>/etc/r...
    Rule Unknown Severity
    Show

  • Remote Log Server

    Specify an URI or IP address of a remote host where the log messages will be sent and stored.
    Value
    Show

  • Ensure Logs Sent To Remote Host

    To configure rsyslog to send logs to a remote log server, open <code>/etc/rsyslog.conf</code> and read and understand the last section of the file, which describes the multiple directives necessary...
    Rule Medium Severity
    Show

  • Disable IPv6 Addressing on All IPv6 Interfaces

    To disable support for (<code>ipv6</code>) addressing on all interface add the following line to <code>/etc/sysctl.d/ipv6.conf</code> (or another file in <code>/etc/sysctl.d</code>): <pre>net.ipv6....
    Rule Medium Severity
    Show

  • Inspect and Activate Default Rules

    View the currently-enforced <code>iptables</code> rules by running the command: <pre>$ sudo iptables -nL --line-numbers</pre> The command is analogous for <code>ip6tables</code>. <br> <br> ...
    Group
    Show

  • Verify ip6tables Enabled if Using IPv6

    The ip6tables service can be enabled with the following command: 
    $ sudo systemctl enable ip6tables.service
    Rule Medium Severity
    Show

  • Verify iptables Enabled

    The iptables service can be enabled with the following command: 
    $ sudo systemctl enable iptables.service
    Rule Medium Severity
    Show

  • Set Default ip6tables Policy for Incoming Packets

    To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in <code>/etc/sysconfig/ip6tables</code>: <pre...
    Rule Medium Severity
    Show

  • Disable IPv6 Addressing on IPv6 Interfaces by Default

    To disable support for (<code>ipv6</code>) addressing on interfaces by default add the following line to <code>/etc/sysctl.d/ipv6.conf</code> (or another file in <code>/etc/sysctl.d</code>): <pre>n...
    Rule Medium Severity
    Show

  • Set Default iptables Policy for Incoming Packets

    To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in <code>/etc/sysconfig/iptables</code>: <pre>...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules