SUSE Linux Enterprise Server 15 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. Thes...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.
<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this s...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.
<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this s...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router.
<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this s...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented.
<VulnDiscussion>Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized in...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
All SUSE operating system files and directories must have a valid owner.
<VulnDiscussion>Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier (UID) as the UI...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
All SUSE operating system files and directories must have a valid group owner.
<VulnDiscussion>Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as ...Rule Medium Severity -
SRG-OS-000480-GPOS-00228
<GroupDescription></GroupDescription>Group -
The SUSE operating system default permissions must be defined in such a way that all authenticated users can only read and modify their own files.
<VulnDiscussion>Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary acc...Rule Medium Severity -
SRG-OS-000480-GPOS-00229
<GroupDescription></GroupDescription>Group -
The SUSE operating system must not allow unattended or automatic logon via the graphical user interface (GUI).
<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts SUSE operating system security.</VulnDiscussio...Rule High Severity -
SRG-OS-000480-GPOS-00229
<GroupDescription></GroupDescription>Group -
The SUSE operating system must not allow unattended or automatic logon via SSH.
<VulnDiscussion>Failure to restrict system access via SSH to authenticated users negatively impacts SUSE operating system security.</VulnD...Rule High Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The SUSE operating system must specify the default "include" directory for the /etc/sudoers file.
<VulnDiscussion>The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/e...Rule Medium Severity -
SRG-OS-000373-GPOS-00156
<GroupDescription></GroupDescription>Group -
The SUSE operating system must not be configured to bypass password requirements for privilege escalation.
<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When opera...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The SUSE operating system must not have accounts configured with blank or null passwords.
<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with ...Rule High Severity -
SRG-OS-000250-GPOS-00093
<GroupDescription></GroupDescription>Group -
The SUSE operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.
<VulnDiscussion>Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed an...Rule Medium Severity -
SRG-OS-000138-GPOS-00069
<GroupDescription></GroupDescription>Group -
The SUSE operating system must restrict access to the kernel message buffer.
<VulnDiscussion>Restricting access to the kernel message buffer limits access only to root. This prevents attackers from gaining additional s...Rule Low Severity -
SRG-OS-000363-GPOS-00150
<GroupDescription></GroupDescription>Group -
The SUSE operating system must use a file integrity tool to verify correct operation of all security functions.
<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly, and the failure may go unnotice...Rule Medium Severity -
SRG-OS-000123-GPOS-00064
<GroupDescription></GroupDescription>Group -
The SUSE operating system must automatically expire temporary accounts within 72 hours.
<VulnDiscussion>Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new s...Rule Medium Severity -
SRG-OS-000363-GPOS-00150
<GroupDescription></GroupDescription>Group -
The SUSE operating system must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.
<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.