
SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SLEM 5 must employ a password history file.

    Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user...
    Rule Medium Severity
  • SLEM 5 must employ FIPS 140-2/140-3 approved cryptographic hashing algorithm for system authentication (login.defs).

    Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DOD data may be co...
    Rule Medium Severity
  • SLEM 5 must have the packages required for multifactor authentication to be installed.

    Using an authentication device, such as a Common Access Card (CAC) or token separate from the information system, ensures that even if the information system is compromised, that compromise will no...
    Rule Medium Severity
  • SLEM 5 must implement certificate status checking for multifactor authentication.

    Using an authentication device, such as a Common Access Card (CAC) or token separate from the information system, ensures credentials stored on the authentication device will not be affected if the...
    Rule Medium Severity
  • SLEM 5 must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.

    The "pam-config" command line utility automatically generates a system PAM configuration as packages are installed, updated, or removed from the system. "pam-config" removes configurations for PAM ...
    Rule Medium Severity
  • SLEM 5 must use a file integrity tool to verify correct operation of all security functions.

    Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmwa...
    Rule Medium Severity
  • SLEM 5 must notify the system administrator (SA) when Advanced Intrusion Detection Environment (AIDE) discovers anomalies in the operation of any security functions.

    If anomalies are not acted on, security functions may fail to secure the system. Security function is defined as the hardware, software, and/or firmware of the information system responsible for e...
    Rule Medium Severity
  • SLEM 5 must have the auditing package installed.

    Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events ...
    Rule Medium Severity
  • SLEM 5 must allocate audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.

    To ensure SLEM 5 has a sufficient storage capacity in which to write the audit logs, SLEM 5 must be able to allocate audit record storage capacity. The task of allocating audit record storage capa...
    Rule Medium Severity
  • SLEM 5 audit system must take appropriate action when the audit storage volume is full.

    It is critical that when SLEM 5 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors, failure...
    Rule Medium Severity
  • SLEM 5 audit tools must have the proper permissions configured to protect against unauthorized access.

    Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit infor...
    Rule Medium Severity
  • The information system security officer (ISSO) and system administrator (SA), at a minimum, must be alerted of a SLEM 5 audit processing failure event.

    It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an ...
    Rule Medium Severity
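The three preceding rules (one week of storage, action when the volume is full, alerting the ISSO/SA on failure) are all driven by a handful of keys in auditd.conf. The following script is an added example, not part of the STIG or of SUSE's tooling: it parses an auditd.conf and reports whether the low-space, admin-low-space and disk-full actions and the mail recipient are set. The key names are the real auditd.conf keys; which values count as "appropriate" is an assumption stated in the comments, and both sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the STIG): check an auditd.conf for the settings that
# decide what happens when audit storage runs low or fills up, and whether an
# account is set to receive the alert. Key names are the real auditd.conf keys;
# which values count as "appropriate" is an assumption stated inline.

# get_conf_value FILE KEY
# Prints the value of the last uncommented "KEY = value" line in FILE, or nothing.
get_conf_value() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^[:space:]#]+).*/\1/p" "$1" | tail -n 1
}

# check_auditd_conf FILE
# Prints one FAIL line per unacceptable setting; returns 0 when all pass, 1 otherwise.
check_auditd_conf() {
    conf="$1"
    bad=0
    space=$(get_conf_value "$conf" space_left_action | tr 'A-Z' 'a-z')
    admin=$(get_conf_value "$conf" admin_space_left_action | tr 'A-Z' 'a-z')
    full=$(get_conf_value "$conf" disk_full_action | tr 'A-Z' 'a-z')
    mail=$(get_conf_value "$conf" action_mail_acct)

    # Assumption: when space runs low the SA/ISSO must be told, so the action
    # has to be one that produces an alert rather than "ignore".
    case "$space" in
        email|syslog|exec) ;;
        *) echo "FAIL: space_left_action='$space' does not alert anyone"; bad=1 ;;
    esac
    # Assumption: at the admin threshold and when the disk is full the system
    # must stop rather than keep running unaudited (the shipped default is suspend).
    case "$admin" in
        single|halt) ;;
        *) echo "FAIL: admin_space_left_action='$admin' lets the system run unaudited"; bad=1 ;;
    esac
    case "$full" in
        single|halt) ;;
        *) echo "FAIL: disk_full_action='$full' lets the system run unaudited"; bad=1 ;;
    esac
    # The email action is useless without a recipient.
    if [ -z "$mail" ]; then
        echo "FAIL: action_mail_acct is not set"; bad=1
    fi
    return $bad
}

# Constructed samples (not real system files): a compliant file and one with defaults.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat > "$GOOD_CONF" <<'EOF'
# constructed auditd.conf fragment
log_file = /var/log/audit/audit.log
space_left = 25%
space_left_action = email
action_mail_acct = root
admin_space_left = 10%
admin_space_left_action = single
disk_full_action = halt
EOF
cat > "$BAD_CONF" <<'EOF'
# constructed auditd.conf fragment with the usual shipped defaults
log_file = /var/log/audit/audit.log
space_left_action = SYSLOG
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
EOF

for f in "$GOOD_CONF" "$BAD_CONF"; do
    if check_auditd_conf "$f"; then echo "$f: OK"; else echo "$f: not compliant"; fi
done
```

On a live system, point `check_auditd_conf` at /etc/audit/auditd.conf. The script only reads the file; whether the configured mail address actually reaches the ISSO/SA (a working MTA, an alias for root) still has to be checked separately.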
  • SLEM 5 must generate audit records for all uses of the "chsh" command.

    Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privi...
    Rule Medium Severity
  • SLEM 5 must generate audit records for all uses of the "crontab" command.

    Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...
    Rule Medium Severity
  • SLEM 5 must generate audit records for all uses of the "insmod" command.

    Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit rec...
    Rule Medium Severity
  • SLEM 5 must generate audit records for all uses of the "modprobe" command.

    Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit rec...
    Rule Medium Severity
  • SLEM 5 must generate audit records for all uses of the "rmmod" command.

    Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit rec...
    Rule Medium Severity
  • SLEM 5 must generate audit records for all uses of the "sudoedit" command.

    Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or...
    Rule Medium Severity
  • SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

    Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply...
    Rule Medium Severity
  • SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

    Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply...
    Rule Medium Severity
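The audit-record rules above (chsh, crontab, insmod, modprobe, rmmod, sudoedit, /etc/group, /etc/passwd) each amount to one auditd rule. The following script is an added example, not part of the STIG or of SUSE's tooling: it takes an audit rules listing (a rules file, or the output of `auditctl -l` saved to a file) and reports which of those rules are missing. The command and file lists are taken from the rule titles on this page; the sample rules, their paths and their `-k` keys are constructed.

```shell
#!/bin/sh
# Added example (not from the STIG): check an audit rules listing, either a
# rules file or the output of `auditctl -l` saved to a file, for the privileged
# command rules and account-file watches listed on this page. The command and
# file lists come from the rule titles; the sample rules and their -k keys are
# constructed.

# Commands that need an execution rule on their path (-F path=... -F perm=x, or -w ... -p x)
REQUIRED_CMDS="chsh crontab insmod modprobe rmmod sudoedit"
# Files that need a write+attribute watch (-w FILE -p wa, or -F path=FILE -F perm=wa)
REQUIRED_FILES="/etc/group /etc/passwd"

# check_audit_rules RULES_FILE
# Prints one MISSING line per absent rule; returns 0 if everything is covered, 1 otherwise.
check_audit_rules() {
    rules="$1"
    missing=0
    for cmd in $REQUIRED_CMDS; do
        # Match the command by basename so /usr/bin vs /usr/sbin placement does not matter,
        # then require an execute permission filter on the same line.
        if ! grep -E -- "(-F[[:space:]]+path=|-w[[:space:]]+)[^[:space:]]*/${cmd}([[:space:]]|$)" "$rules" \
             | grep -E -- "(-F[[:space:]]+perm=|-p[[:space:]]+)[rwxa]*x" | grep -q .; then
            echo "MISSING: execution audit rule for ${cmd}"
            missing=1
        fi
    done
    for f in $REQUIRED_FILES; do
        # The watch must cover both writes (w) and attribute changes (a), in either order.
        if ! grep -E -- "(-F[[:space:]]+path=|-w[[:space:]]+)${f}([[:space:]]|$)" "$rules" \
             | grep -E -- "(-F[[:space:]]+perm=|-p[[:space:]]+)[rwxa]*(w[rwxa]*a|a[rwxa]*w)" | grep -q .; then
            echo "MISSING: write/attribute watch on ${f}"
            missing=1
        fi
    done
    return $missing
}

# Constructed samples (not real system files): a complete rule set and an incomplete one.
GOOD_RULES=$(mktemp); BAD_RULES=$(mktemp)
trap 'rm -f "$GOOD_RULES" "$BAD_RULES"' EXIT
cat > "$GOOD_RULES" <<'EOF'
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab
-a always,exit -F path=/usr/sbin/insmod -F perm=x -F auid>=1000 -F auid!=unset -k modules
-a always,exit -F path=/usr/sbin/modprobe -F perm=x -F auid>=1000 -F auid!=unset -k modules
-a always,exit -F path=/usr/sbin/rmmod -F perm=x -F auid>=1000 -F auid!=unset -k modules
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudoedit
-w /etc/group -p wa -k account_mod
-w /etc/passwd -p wa -k account_mod
EOF
cat > "$BAD_RULES" <<'EOF'
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab
-a always,exit -F path=/usr/sbin/insmod -F perm=x -F auid>=1000 -F auid!=unset -k modules
-a always,exit -F path=/usr/sbin/modprobe -F perm=x -F auid>=1000 -F auid!=unset -k modules
-w /etc/group -p wa -k account_mod
-w /etc/passwd -p w -k account_mod
EOF

for f in "$GOOD_RULES" "$BAD_RULES"; do
    if check_audit_rules "$f"; then echo "$f: all required rules present"; else echo "$f: rules missing"; fi
done
```

Run it against `auditctl -l` output rather than the files under /etc/audit/rules.d when you want to know what the kernel is actually enforcing; a rule that exists on disk but failed to load (a path that does not exist on this image, for instance) shows up only in the live listing. The check deliberately looks for path-based rules; a site that audits these commands through syscall rules (`-S execve`) would need the patterns adjusted.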
