Guide to the Secure Configuration of SUSE Linux Enterprise 15
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Number of log files for auditd to retain
The setting for num_logs in /etc/audit/auditd.confValue -
Size remaining in disk space before prompting space_left_action
The setting for space_left (MB) in /etc/audit/auditd.confValue -
Action for auditd to take when disk space just starts to run low
The setting for space_left_action in /etc/audit/auditd.confValue -
The percentage remaining in disk space before prompting space_left_action
The setting for space_left as a percentage in /etc/audit/auditd.confValue -
Configure audispd Plugin To Send Logs To Remote Server
Configure the audispd plugin to off-load audit records onto a different system or media from the system being audited. Set the <code>remote_server...Rule Medium Severity -
Configure a Sufficiently Large Partition for Audit Logs
The SUSE Linux Enterprise 15 operating system must allocate audit record storage capacity to store at least one weeks worth of audit records when a...Rule Medium Severity -
Configure audispd's Plugin disk_full_action When Disk Is Full
Configure the action the operating system takes if the disk the audit records are written to becomes full. Edit the file <code>/etc/audit/audisp-re...Rule Medium Severity -
Encrypt Audit Records Sent With audispd Plugin
Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited. ...Rule Medium Severity -
Configure audispd's Plugin network_failure_action On Network Failure
Configure the action the operating system takes if there is an error sending audit records to a remote system. Edit the file <code>/etc/audit/audis...Rule Medium Severity -
Configure auditd to use audispd's syslog plugin
To configure the <code>auditd</code> service to use the <code>syslog</code> plug-in of the <code>audispd</code> audit event multiplexor, set the <c...Rule Medium Severity -
Configure auditd Disk Error Action on Disk Error
The <code>auditd</code> service can be configured to take an action when there is a disk error. Edit the file <code>/etc/audit/auditd.conf</code>. ...Rule Medium Severity -
Configure auditd Disk Error Action on Disk Error
The <code>auditd</code> service can be configured to take an action when there is a disk error. Edit the file <code>/etc/audit/auditd.conf</code>. ...Rule Medium Severity -
Configure auditd Disk Full Action when Disk Space Is Full
The <code>auditd</code> service can be configured to take an action when disk space is running low but prior to running out of space completely. Ed...Rule Medium Severity -
Configure auditd Disk Full Action when Disk Space Is Full
The <code>auditd</code> service can be configured to take an action when disk space is running low but prior to running out of space completely. Ed...Rule Medium Severity -
Configure auditd mail_acct Action on Low Disk Space
The <code>auditd</code> service can be configured to send email to a designated account in certain situations. Add or correct the following line in...Rule Medium Severity -
Configure auditd admin_space_left Action on Low Disk Space
The <code>auditd</code> service can be configured to take an action when disk space is running low but prior to running out of space completely. Ed...Rule Medium Severity -
Configure auditd flush priority
The <code>auditd</code> service can be configured to synchronously write audit event data to disk. Add or correct the following line in <code>/etc/...Rule Medium Severity -
Configure auditd Max Log File Size
Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file <code>/etc/audit/auditd.conf</code>. Add...Rule Medium Severity -
Configure auditd max_log_file_action Upon Reaching Maximum Log Size
The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action ta...Rule Medium Severity -
Configure auditd max_log_file_action Upon Reaching Maximum Log Size
The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action ta...Rule Medium Severity -
Configure auditd Number of Logs Retained
Determine how many log files <code>auditd</code> should retain when it rotates logs. Edit the file <code>/etc/audit/auditd.conf</code>. Add or modi...Rule Medium Severity -
Configure auditd space_left on Low Disk Space
The <code>auditd</code> service can be configured to take an action when disk space is running low but prior to running out of space completely. Ed...Rule Medium Severity -
Configure auditd space_left Action on Low Disk Space
The <code>auditd</code> service can be configured to take an action when disk space <i>starts</i> to run low. Edit the file <code>/etc/audit/auditd...Rule Medium Severity -
Set number of records to cause an explicit flush to audit logs
To configure Audit daemon to issue an explicit flush to disk command after writing <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_aud...Rule Medium Severity -
Include Local Events in Audit Logs
To configure Audit daemon to include local events in Audit logs, set <code>local_events</code> to <code>yes</code> in <code>/etc/audit/auditd.conf<...Rule Medium Severity -
Resolve information before writing to audit logs
To configure Audit daemon to resolve all uid, gid, syscall, architecture, and socket address information before writing the events to disk, set <co...Rule Low Severity -
Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
The audit system should have an action setup in the event the internal event queue becomes full. To setup an overflow action edit <code>/etc/audit/...Rule Medium Severity -
Write Audit Logs to the Disk
To configure Audit daemon to write Audit logs to the disk, set <code>write_logs</code> to <code>yes</code> in <code>/etc/audit/auditd.conf</code>. ...Rule Medium Severity -
System Accounting with auditd
The <code>auditd</code> program can perform comprehensive monitoring of system activity. This section makes use of recommended configuration settin...Group -
AppArmor
Many security vulnerabilities result from bugs in trusted programs. A trusted program runs with privileges that attackers want to possess. The prog...Group -
AppArmor profiles mode
enforce - Set all AppArmor profiles to enforce mode
complain - Set all AppArmor profiles to complain modeValue -
Install the pam_apparmor Package
Thepam_apparmorpackage can be installed with the following command:$ sudo zypper install pam_apparmor
Rule Medium Severity -
net.ipv4.conf.default.log_martians
Disable so you don't Log Spoofed Packets, Source Routed Packets, Redirect PacketsValue -
net.ipv4.conf.default.rp_filter
Enables source route verificationValue -
abrt_upload_watch_anon_write SELinux Boolean
default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.Value -
net.ipv6.conf.all.accept_source_route
Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirec...Value -
net.ipv6.conf.all.autoconf
Enable auto configuration on IPv6 interfacesValue -
net.ipv6.conf.all.forwarding
Toggle IPv6 ForwardingValue -
Enforce all AppArmor Profiles
AppArmor profiles define what resources applications are able to access. To set all profiles to enforce mode run the following command: <pre>$ sudo...Rule Medium Severity -
All AppArmor Profiles are in enforce or complain mode
AppArmor profiles define what resources applications are able to access. To set all profiles to either <code>enforce</code> or <code>complain</code...Rule Medium Severity -
Ensure AppArmor is Active and Configured
Verify that the Apparmor tool is configured to control whitelisted applications and user home directory access control.<br><br> The <code>apparmor...Rule Medium Severity -
GRUB2 bootloader configuration
During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows ...Group -
L1TF vulnerability mitigation
Defines the L1TF vulneratility mitigations to employ.Value -
MDS vulnerability mitigation
Defines the MDS vulneratility mitigation to employ.Value -
Confidence level on Hardware Random Number Generator
Defines the level of trust on the hardware random number generators available in the system and the percentage of entropy to credit.Value -
Spec Store Bypass Mitigation
This controls how the Speculative Store Bypass (SSB) vulnerability is mitigated.Value -
Disable Recovery Booting
SUSE Linux Enterprise 15 systems support an "recovery boot" option that can be used to prevent services from being started. The <code>GRUB_DISABLE_...Rule Medium Severity -
IOMMU configuration directive
On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some of the system critical u...Rule Unknown Severity -
Set the UEFI Boot Loader Password
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br><br> Since plaintext passw...Rule High Severity -
Configure L1 Terminal Fault mitigations
L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged speculative access to data which is available in the Level 1 Data Ca...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.