SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SLEM 5 file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.
The "nosuid" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and se...Rule Medium Severity -
SLEM 5 must have system commands set to a mode of 755 or less permissive.
If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust ch...Rule Medium Severity -
SLEM 5 library files must be owned by root.
If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust ch...Rule Medium Severity -
SLEM 5 must have system commands group-owned by root or a system account.
If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust ch...Rule Medium Severity -
The sticky bit must be set on all SLEM 5 world-writable directories.
Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of ...Rule Medium Severity -
SLEM 5 must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by th...Rule Medium Severity -
SLEM 5 clock must, for networked systems, be synchronized to an authoritative DOD time source at least every 24 hours.
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when condu...Rule Medium Severity -
SLEM 5 must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly r...Rule Medium Severity -
SLEM 5 must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly r...Rule Medium Severity -
SLEM 5 must be configured to use TCP syncookies.
Denial of service (DoS) is a condition in which a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.