SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
SLEM 5 must not have network interfaces in promiscuous mode unless approved and documented.
<VulnDiscussion>Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized in...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
SLEM 5 must not forward Internet Protocol version 4 (IPv4) source-routed packets.
<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than c...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
SLEM 5 must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than c...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
SLEM 5 must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. Thes...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
SLEM 5 must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. Thes...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
SLEM 5 must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. Thes...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
SLEM 5 must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. Thes...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
SLEM 5 must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.
<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this s...Rule Medium Severity -
SRG-OS-000142-GPOS-00071
<GroupDescription></GroupDescription>Group -
SLEM 5 must be configured to use TCP syncookies.
<VulnDiscussion>Denial of service (DoS) is a condition in which a resource is not available for legitimate users. When this occurs, the organ...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
SLEM 5 must not forward Internet Protocol version 6 (IPv6) source-routed packets.
<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than c...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
SLEM 5 must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.
<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than c...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
SLEM 5 must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. Thes...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
SLEM 5 must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.
<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. Thes...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
SLEM 5 must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.
<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this s...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
SLEM 5 must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router.
<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this s...Rule Medium Severity -
SRG-OS-000423-GPOS-00187
<GroupDescription></GroupDescription>Group -
SLEM 5 must have SSH installed to protect the confidentiality and integrity of transmitted information.
<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected commu...Rule High Severity -
SRG-OS-000423-GPOS-00187
<GroupDescription></GroupDescription>Group -
SLEM 5 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.
<VulnDiscussion>Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personn...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
SLEM 5 must use SSH to protect the confidentiality and integrity of transmitted information.
<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected commu...Rule High Severity -
SRG-OS-000023-GPOS-00006
<GroupDescription></GroupDescription>Group -
SLEM 5 must display the Standard Mandatory DOD Notice and Consent Banner before granting access via SSH.
<VulnDiscussion>Display of a standardized and approved use notification before granting access to SLEM 5 ensures privacy and security notific...Rule Medium Severity -
SRG-OS-000480-GPOS-00229
<GroupDescription></GroupDescription>Group -
SLEM 5 must not allow unattended or automatic logon via SSH.
<VulnDiscussion>Failure to restrict system access via SSH to authenticated users negatively impacts SLEM 5 security.</VulnDiscussion>&l...Rule High Severity -
SRG-OS-000163-GPOS-00072
<GroupDescription></GroupDescription>Group -
SLEM 5 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.
<VulnDiscussion>Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personn...Rule Medium Severity -
SRG-OS-000126-GPOS-00066
<GroupDescription></GroupDescription>Group -
SLEM 5 must deny direct logons to the root account using remote access via SSH.
<VulnDiscussion>To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and...Rule Medium Severity -
SRG-OS-000032-GPOS-00013
<GroupDescription></GroupDescription>Group -
SLEM 5 SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements.
<VulnDiscussion>The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH clien...Rule Medium Severity -
SRG-OS-000033-GPOS-00014
<GroupDescription></GroupDescription>Group -
SLEM 5 must implement DOD-approved encryption to protect the confidentiality of SSH remote connections.
<VulnDiscussion>Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote...Rule High Severity -
SRG-OS-000125-GPOS-00065
<GroupDescription></GroupDescription>Group -
SLEM 5 SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2/140-3 approved cryptographic hash algorithms.
<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote acce...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.