Skip to content

SUSE Linux Enterprise Server 15 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The SUSE operating system root account must be the only account with unrestricted access to the system.

    &lt;VulnDiscussion&gt;If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricte...
    Rule High Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The SUSE operating system must restrict privilege elevation to authorized personnel.

    &lt;VulnDiscussion&gt;The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their pa...
    Rule Medium Severity
  • SRG-OS-000373-GPOS-00156

    <GroupDescription></GroupDescription>
    Group
  • The SUSE operating system must require re-authentication when using the "sudo" command.

    &lt;VulnDiscussion&gt;Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When opera...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo".

    &lt;VulnDiscussion&gt;The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authe...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory.

    &lt;VulnDiscussion&gt;If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files th...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon.

    &lt;VulnDiscussion&gt;Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of un...
    Rule Medium Severity
  • SRG-OS-000069-GPOS-00037

    <GroupDescription></GroupDescription>
    Group
  • The SUSE operating system must enforce passwords that contain at least one uppercase character.

    &lt;VulnDiscussion&gt;Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or ...
    Rule Medium Severity
  • SRG-OS-000070-GPOS-00038

    <GroupDescription></GroupDescription>
    Group
  • The SUSE operating system must enforce passwords that contain at least one lowercase character.

    &lt;VulnDiscussion&gt;Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or ...
    Rule Medium Severity
  • SRG-OS-000071-GPOS-00039

    <GroupDescription></GroupDescription>
    Group
  • The SUSE operating system must enforce passwords that contain at least one numeric character.

    &lt;VulnDiscussion&gt;Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or ...
    Rule Medium Severity
  • SRG-OS-000072-GPOS-00040

    <GroupDescription></GroupDescription>
    Group
  • The SUSE operating system must require the change of at least eight of the total number of characters when passwords are changed.

    &lt;VulnDiscussion&gt;If the SUSE operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chanc...
    Rule Medium Severity
  • SRG-OS-000073-GPOS-00041

    <GroupDescription></GroupDescription>
    Group
  • The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.

    &lt;VulnDiscussion&gt;Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are...
    Rule Medium Severity
  • SRG-OS-000073-GPOS-00041

    <GroupDescription></GroupDescription>
    Group
  • The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.

    &lt;VulnDiscussion&gt;The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing roun...
    Rule Medium Severity
  • SRG-OS-000073-GPOS-00041

    <GroupDescription></GroupDescription>
    Group
  • The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.

    &lt;VulnDiscussion&gt;The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing roun...
    Rule Medium Severity
  • SRG-OS-000075-GPOS-00043

    <GroupDescription></GroupDescription>
    Group
  • The SUSE operating system must be configured to create or update passwords with a minimum lifetime of 24 hours (one day).

    &lt;VulnDiscussion&gt;Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforce...
    Rule Medium Severity
  • SRG-OS-000075-GPOS-00043

    <GroupDescription></GroupDescription>
    Group
  • The SUSE operating system must employ user passwords with a minimum lifetime of 24 hours (one day).

    &lt;VulnDiscussion&gt;Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforce...
    Rule Medium Severity
  • SRG-OS-000076-GPOS-00044

    <GroupDescription></GroupDescription>
    Group
  • The SUSE operating system must be configured to create or update passwords with a maximum lifetime of 60 days.

    &lt;VulnDiscussion&gt;Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the ...
    Rule Medium Severity
  • SRG-OS-000076-GPOS-00044

    <GroupDescription></GroupDescription>
    Group
  • The SUSE operating system must employ user passwords with a maximum lifetime of 60 days.

    &lt;VulnDiscussion&gt;Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the ...
    Rule Medium Severity
  • SRG-OS-000077-GPOS-00045

    <GroupDescription></GroupDescription>
    Group
  • The SUSE operating system must employ a password history file.

    &lt;VulnDiscussion&gt;Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute...
    Rule Medium Severity
  • SRG-OS-000077-GPOS-00045

    <GroupDescription></GroupDescription>
    Group
  • The SUSE operating system must not allow passwords to be reused for a minimum of five generations.

    &lt;VulnDiscussion&gt;Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute...
    Rule Medium Severity
  • SRG-OS-000078-GPOS-00046

    <GroupDescription></GroupDescription>
    Group
  • The SUSE operating system must employ passwords with a minimum of 15 characters.

    &lt;VulnDiscussion&gt;The shorter the password, the lower the number of possible combinations that need to be tested before the password is comprom...
    Rule Medium Severity
  • SRG-OS-000266-GPOS-00101

    <GroupDescription></GroupDescription>
    Group
  • The SUSE operating system must enforce passwords that contain at least one special character.

    &lt;VulnDiscussion&gt;Use of a complex password helps increase the time and resources required to compromise the password. Password complexity or s...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00225

    <GroupDescription></GroupDescription>
    Group
  • The SUSE operating system must prevent the use of dictionary words for passwords.

    &lt;VulnDiscussion&gt;If the SUSE operating system allows the user to select passwords based on dictionary words, this increases the chances of pas...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The SUSE operating system must not be configured to allow blank or null passwords.

    &lt;VulnDiscussion&gt;Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are...
    Rule High Severity
  • SRG-OS-000004-GPOS-00004

    <GroupDescription></GroupDescription>
    Group
  • The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

    &lt;VulnDiscussion&gt;Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestab...
    Rule Medium Severity
  • SRG-OS-000004-GPOS-00004

    <GroupDescription></GroupDescription>
    Group
  • The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

    &lt;VulnDiscussion&gt;Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestab...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules