Skip to content

Guide to the Secure Configuration of SUSE Linux Enterprise 12

Rules, Groups, and Values defined within the XCCDF Benchmark

  • selinuxuser_execstack SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
  • ssh_sysadm_login SELinux Boolean

    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
    Value
  • Configure the polyinstantiation_enabled SELinux Boolean

    By default, the SELinux boolean <code>polyinstantiation_enabled</code> is disabled. This setting should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_polyinstantiati...
    Rule Medium Severity
  • Configure the secure_mode_insmod SELinux Boolean

    By default, the SELinux boolean <code>secure_mode_insmod</code> is disabled. This setting should be configured to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_secure_mode_insmod" us...
    Rule Medium Severity
  • Disable the selinuxuser_execheap SELinux Boolean

    By default, the SELinux boolean <code>selinuxuser_execheap</code> is disabled. When enabled this boolean is enabled it allows selinuxusers to execute code from the heap. If this setting is enabled,...
    Rule Medium Severity
  • Disable the selinuxuser_execstack SELinux Boolean

    By default, the SELinux boolean <code>selinuxuser_execstack</code> is enabled. This setting should be disabled as unconfined executables should not be able to make their stack executable. To disab...
    Rule Medium Severity
  • Services

    The best protection against vulnerable software is running less software. This section describes how to review the software which SUSE Linux Enterprise 12 installs on a system and disable software ...
    Group
  • Ensure nonessential services are removed or masked

    A network port is identified by its number, the associated IP address, and the type of the communication protocol such as TCP or UDP. A listening port is a network port on which an application or ...
    Rule Low Severity
  • Avahi Server

    The Avahi daemon implements the DNS Service Discovery and Multicast DNS protocols, which provide service and host discovery on a network. It allows a system to automatically identify resources on t...
    Group
  • Configure Avahi if Necessary

    If your system requires the Avahi daemon, its configuration can be restricted to improve security. The Avahi daemon configuration file is <code>/etc/avahi/avahi-daemon.conf</code>. The following se...
    Group

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules