Guide to the Secure Configuration of SUSE Linux Enterprise 12
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Enable dnf-automatic Timer
Thednf-automatictimer can be enabled with the following command:$ sudo systemctl enable dnf-automatic.timer
Rule Medium Severity -
Account and Access Control
In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which that account has access. Therefore, making it mor...Group -
Login Banner Verbiage
Enter an appropriate login banner for your organization. Please note that new lines must be expressed by the '\n' character and special characters like parentheses and quotation marks must be escap...Value -
fail_interval
Interval for counting failed login attempts before account lockoutValue -
Modify the System Login Banner for Remote Connections
To configure the system login banner edit <code>/etc/issue.net</code>. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is ...Rule Medium Severity -
Modify the System Message of the Day Banner
To configure the system message banner edit <code>/etc/motd</code>. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is eit...Rule Medium Severity -
Verify Group Ownership of System Login Banner
To properly set the group owner of/etc/issue, run the command:$ sudo chgrp root /etc/issue
Rule Medium Severity -
Verify Group Ownership of System Login Banner for Remote Connections
To properly set the group owner of/etc/issue.net, run the command:$ sudo chgrp root /etc/issue.net
Rule Medium Severity -
Verify Group Ownership of Message of the Day Banner
To properly set the group owner of/etc/motd, run the command:$ sudo chgrp root /etc/motd
Rule Medium Severity -
fail_unlock_time
Seconds before automatic unlocking or permanently locking after excessive failed loginsValue -
Verify ownership of Message of the Day Banner
To properly set the owner of/etc/motd, run the command:$ sudo chown root /etc/motd
Rule Medium Severity -
Verify permissions on System Login Banner for Remote Connections
To properly set the permissions of/etc/issue.net, run the command:$ sudo chmod 0644 /etc/issue.net
Rule Medium Severity -
Verify permissions on Message of the Day Banner
To properly set the permissions of/etc/motd, run the command:$ sudo chmod 0644 /etc/motd
Rule Medium Severity -
Implement a GUI Warning Banner
In the default graphical environment, users logging directly into the system are greeted with a login screen provided by the GNOME Display Manager (GDM). The warning banner should be displayed in t...Group -
Enable GNOME3 Login Warning Banner
In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login screen by setting <code>banner-message-enable</code> ...Rule Medium Severity -
tally2_unlock_time
Seconds before automatic unlocking or permanently locking after excessive failed loginsValue -
faildelay_delay
Delay next login attempt after a failed loginValue -
pwhistory_remember
Prevent password re-use using password history lookupValue -
Display the Standard Mandatory DoD Notice and Consent Banner until Explicit Acknowledgement
Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable fed...Rule Medium Severity -
Password Hashing algorithm
Specify the system default encryption algorithm for encrypting passwords. Defines the value set as ENCRYPT_METHOD in /etc/login.defs.Value -
remember
The last n passwords for each user are saved in <code>/etc/security/opasswd</code> in order to force password change history and keep the user from alternating between the same password too frequen...Value -
Disallow Configuration to Bypass Password Requirements for Privilege Escalation
Verify the operating system is not configured to bypass password requirements for privilege escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command: <pre>$ sudo...Rule Medium Severity -
Set Up a Private Namespace in PAM Configuration
To setup a private namespace add the following line to/etc/pam.d/login:session required pam_namespace.so
Rule Low Severity -
The PAM configuration should not be changed automatically
Verify the SUSE operating system is configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.Rule Medium Severity -
Account Lockouts Must Persist
By setting a `dir` in the faillock configuration account lockouts will persist across reboots.Rule Medium Severity -
Limit Password Reuse
Do not allow users to reuse recent passwords. This can be accomplished by using therememberoption for thepam_unixorpam_pwhistoryPAM modules.Rule Medium Severity -
Enforce Delay After Failed Logon Attempts
To configure the system to introduce a delay after failed logon attempts, add or correct the <code>pam_faildelay</code> settings in <code>/etc/pam.d/common-auth</code> to make sure its <code>delay<...Rule Medium Severity -
Account Lockouts Must Be Logged
PAM faillock locks an account due to excessive password failures, this event must be logged.Rule Medium Severity -
Configure the root Account lock for Failed Password Attempts via pam_tally2
This rule configures the system to lock out therootaccount after a number of incorrect login attempts usingpam_tally2.so.Rule Medium Severity -
Set Lockout Time for Failed Password Attempts using pam_tally2
This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts usingpam_tally2.so.Rule Medium Severity -
Set Password Quality Requirements
The default <code>pam_pwquality</code> PAM module provides strength checking for passwords. It performs a number of checks, such as making sure passwords are not similar to dictionary words, are of...Group -
Require Authentication for Single User Mode
Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. <br> <br> By default, single-user mode is ...Rule Medium Severity -
dcredit
Minimum number of digits in passwordValue -
Set Password Strength Minimum Digit Characters
The pam_cracklib module's <code>dcredit</code> parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many d...Rule Medium Severity -
Set Password Strength Minimum Different Characters
The pam_cracklib module's <code>difok</code> parameter controls requirements for usage of different characters during a password change. The number of changed characters refers to the number of cha...Rule Medium Severity -
Set Password Strength Minimum Lowercase Characters
The pam_cracklib module's <code>lcredit=</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain...Rule Medium Severity -
Set Password Minimum Length
The pam_cracklib module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_valu...Rule Medium Severity -
Set Password Strength Minimum Special Characters
The pam_cracklib module's <code>ocredit=</code> parameter controls requirements for usage of special (or ``other'') characters in a password. When set to a negative number, any password will be req...Rule Medium Severity -
Set Password Retry Limit
The pam_cracklib module's <code>retry</code> parameter controls the maximum number of times to prompt the user for the password before returning with error. Make sure it is configured with a value ...Rule Medium Severity -
Set Password Strength Minimum Uppercase Characters
The pam_cracklib module's <code>ucredit=</code> parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain...Rule Medium Severity -
difok
Minimum number of characters not present in old passwordValue -
lcredit
Minimum number of lower case in passwordValue -
Set Password Hashing Algorithm in /etc/libuser.conf
In <code>/etc/libuser.conf</code>, add or correct the following line in its <code>[defaults]</code> section to ensure the system will use the <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_valu...Rule Medium Severity -
Set Password Hashing Algorithm in /etc/login.defs
In <code>/etc/login.defs</code>, add or update the following line to ensure the system will use <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_password_hashing_algorithm" use="legacy"...Rule Medium Severity -
Set Password Hashing Rounds in /etc/login.defs
In <code>/etc/login.defs</code>, ensure <code>SHA_CRYPT_MIN_ROUNDS</code> and <code>SHA_CRYPT_MAX_ROUNDS</code> has the minimum value of <code>5000</code>. For example: <pre>SHA_CRYPT_MIN_ROUNDS 50...Rule Medium Severity -
Protect Physical Console Access
It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be considered a necessary step. However, there are some...Group -
Login timeout for idle sessions
Specify duration of allowed idle time.Value -
Disable Ctrl-Alt-Del Reboot Activation
By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code> key sequence is pressed. <br> <br> To configure the system to ignore the <code>Ctrl-Alt-Del</code> k...Rule High Severity -
Configure Console Screen Locking
A console screen locking mechanism is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of th...Group -
Hardware Tokens for Authentication
The use of hardware tokens such as smart cards for system login provides stronger, two-factor authentication than using a username and password. In Red Hat Enterprise Linux servers and workstation...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.