Guide to the Secure Configuration of SUSE Linux Enterprise 15
Rules, Groups, and Values defined within the XCCDF Benchmark
-
AppArmor profiles mode
enforce - Set all AppArmor profiles to enforce mode
complain - Set all AppArmor profiles to complain modeValue -
Install the pam_apparmor Package
Thepam_apparmorpackage can be installed with the following command:$ sudo zypper install pam_apparmor
Rule Medium Severity -
net.ipv4.conf.default.log_martians
Disable so you don't Log Spoofed Packets, Source Routed Packets, Redirect PacketsValue -
net.ipv4.conf.default.rp_filter
Enables source route verificationValue -
abrt_upload_watch_anon_write SELinux Boolean
default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled.Value -
net.ipv6.conf.all.accept_source_route
Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirec...Value -
net.ipv6.conf.all.autoconf
Enable auto configuration on IPv6 interfacesValue -
net.ipv6.conf.all.forwarding
Toggle IPv6 ForwardingValue -
Enforce all AppArmor Profiles
AppArmor profiles define what resources applications are able to access. To set all profiles to enforce mode run the following command: <pre>$ sudo...Rule Medium Severity -
All AppArmor Profiles are in enforce or complain mode
AppArmor profiles define what resources applications are able to access. To set all profiles to either <code>enforce</code> or <code>complain</code...Rule Medium Severity -
Ensure AppArmor is Active and Configured
Verify that the Apparmor tool is configured to control whitelisted applications and user home directory access control.<br><br> The <code>apparmor...Rule Medium Severity -
GRUB2 bootloader configuration
During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows ...Group -
L1TF vulnerability mitigation
Defines the L1TF vulneratility mitigations to employ.Value -
MDS vulnerability mitigation
Defines the MDS vulneratility mitigation to employ.Value -
Confidence level on Hardware Random Number Generator
Defines the level of trust on the hardware random number generators available in the system and the percentage of entropy to credit.Value -
Spec Store Bypass Mitigation
This controls how the Speculative Store Bypass (SSB) vulnerability is mitigated.Value -
Disable Recovery Booting
SUSE Linux Enterprise 15 systems support an "recovery boot" option that can be used to prevent services from being started. The <code>GRUB_DISABLE_...Rule Medium Severity -
IOMMU configuration directive
On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some of the system critical u...Rule Unknown Severity -
Set the UEFI Boot Loader Password
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br><br> Since plaintext passw...Rule High Severity -
Configure L1 Terminal Fault mitigations
L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged speculative access to data which is available in the Level 1 Data Ca...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.