Skip to content

CIS SUSE Linux Enterprise 12 Benchmark for Level 2 - Server

Rules and Groups employed by this XCCDF Profile

  • Ensure that /etc/at.deny does not exist

    The file /etc/at.deny should not exist. Use /etc/at.allow instead.
    Rule Medium Severity
  • Ensure that /etc/cron.deny does not exist

    The file /etc/cron.deny should not exist. Use /etc/cron.allow instead.
    Rule Medium Severity
  • Verify Group Who Owns /etc/at.allow file

    If <code>/etc/at.allow</code> exists, it must be group-owned by <code>root</code>. To properly set the group owner of <code>/etc/at.allow</code>, ...
    Rule Medium Severity
  • Verify Group Who Owns /etc/cron.allow file

    If <code>/etc/cron.allow</code> exists, it must be group-owned by <code>root</code>. To properly set the group owner of <code>/etc/cron.allow</cod...
    Rule Medium Severity
  • Verify User Who Owns /etc/at.allow file

    If <code>/etc/at.allow</code> exists, it must be owned by <code>root</code>. To properly set the owner of <code>/etc/at.allow</code>, run the comm...
    Rule Medium Severity
  • Verify User Who Owns /etc/cron.allow file

    If <code>/etc/cron.allow</code> exists, it must be owned by <code>root</code>. To properly set the owner of <code>/etc/cron.allow</code>, run the ...
    Rule Medium Severity
  • Verify Permissions on /etc/at.allow file

    If <code>/etc/at.allow</code> exists, it must have permissions <code>0640</code> or more restrictive. To properly set the permissions of <code>/e...
    Rule Medium Severity
  • Verify Permissions on /etc/cron.allow file

    If <code>/etc/cron.allow</code> exists, it must have permissions <code>0640</code> or more restrictive. To properly set the permissions of <code>...
    Rule Medium Severity
  • DHCP

    The Dynamic Host Configuration Protocol (DHCP) allows systems to request and obtain an IP address and other configuration parameters from a server....
    Group
  • Disable DHCP Client

    DHCP is the default network configuration method provided by the system installer, and common on many networks. Nevertheless, manual management of ...
    Group
  • Uninstall DHCP Client Package

    If the system does not need to act as a DHCP client, the dhcp-client package can be uninstalled. The <code>dhcp-client</code> package can be remove...
    Rule Medium Severity
  • Disable DHCP Server

    The DHCP server <code>dhcpd</code> is not installed or activated by default. If the software was installed and activated, but the system does not n...
    Group
  • Uninstall DHCP Server Package

    If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The <code>dhcp-server</code> package can be removed with...
    Rule Medium Severity
  • Disable DHCP Service

    The <code>dhcpd</code> service should be disabled on any system that does not need to act as a DHCP server. The <code>dhcpd</code> service can be ...
    Rule Medium Severity
  • DNS Server

    Most organizations have an operational need to run at least one nameserver. However, there are many common attacks involving DNS server software, a...
    Group
  • Disable DNS Server

    DNS software should be disabled on any systems which does not need to be a nameserver. Note that the BIND DNS server software is not installed on S...
    Group
  • Uninstall bind Package

    The <code>named</code> service is provided by the <code>bind</code> package. The <code>bind</code> package can be removed with the following comman...
    Rule Low Severity
  • Disable named Service

    The named service can be disabled with the following command:
    $ sudo systemctl mask --now named.service
    Rule Medium Severity
  • FTP Server

    FTP is a common method for allowing remote access to files. Like telnet, the FTP protocol is unencrypted, which means that passwords and other data...
    Group
  • Disable vsftpd if Possible

    To minimize attack surface, disable vsftpd if at all possible.
    Group
  • Uninstall vsftpd Package

    The vsftpd package can be removed with the following command:
     $ sudo zypper remove vsftpd
    Rule High Severity
  • Disable vsftpd Service

    The vsftpd service can be disabled with the following command:
    $ sudo systemctl mask --now vsftpd.service
    Rule Medium Severity
  • Web Server

    The web server is responsible for providing access to content via the HTTP protocol. Web servers represent a significant security risk because: <br...
    Group
  • Disable Apache if Possible

    If Apache was installed and activated, but the system does not need to act as a web server, then it should be disabled and removed from the system.
    Group
  • Uninstall httpd Package

    The httpd package can be removed with the following command:
    $ sudo zypper remove httpd
    Rule Unknown Severity
  • IMAP and POP3 Server

    Dovecot provides IMAP and POP3 services. It is not installed by default. The project page at <a href="http://www.dovecot.org">http://www.dovec...
    Group
  • Disable Dovecot

    If the system does not need to operate as an IMAP or POP3 server, the dovecot software should be disabled and removed.
    Group
  • Uninstall dovecot Package

    The dovecot package can be removed with the following command:
    $ sudo zypper remove dovecot
    Rule Unknown Severity
  • Disable Dovecot Service

    The dovecot service can be disabled with the following command:
    $ sudo systemctl mask --now dovecot.service
    Rule Unknown Severity
  • LDAP

    LDAP is a popular directory service, that is, a standardized way of looking up information from a central database. SUSE Linux Enterprise 12 includ...
    Group
  • Configure OpenLDAP Clients

    This section provides information on which security settings are important to configure in OpenLDAP clients by manually editing the appropriate con...
    Group
  • Ensure LDAP client is not installed

    The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. The <code>...
    Rule Low Severity
  • Configure OpenLDAP Server

    This section details some security-relevant settings for an OpenLDAP server.
    Group
  • Uninstall openldap-servers Package

    The openldap2 package is not installed by default on a SUSE Linux Enterprise 12 system. It is needed only by the OpenLDAP server, not by the client...
    Rule Low Severity
  • Mail Server Software

    Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious target...
    Group
  • Configure SMTP For Mail Clients

    This section discusses settings for Postfix in a submission-only e-mail configuration.
    Group
  • Disable Postfix Network Listening

    Edit the file <code>/etc/postfix/main.cf</code> to ensure that only the following <code>inet_interfaces</code> line appears: <pre>inet_interfaces =...
    Rule Medium Severity
  • NFS and RPC

    The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circ...
    Group
  • Uninstall nfs-utils Package

    The nfs-utils package can be removed with the following command:
    $ sudo zypper remove nfs-utils
    Rule Low Severity
  • Disable All NFS Services if Possible

    If there is not a reason for the system to operate as either an NFS client or an NFS server, follow all instructions in this section to disable sub...
    Group
  • Disable Services Used Only by NFS

    If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd. <br><br> All of these daemons run with elevated privileges, a...
    Group
  • Uninstall rpcbind Package

    The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they a...
    Rule Low Severity
  • Disable rpcbind Service

    The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they a...
    Rule Low Severity
  • Configure NFS Clients

    The steps in this section are appropriate for systems which operate as NFS clients.
    Group
  • Disable NFS Server Daemons

    There is no need to run the NFS server daemons <code>nfs</code> and <code>rpcsvcgssd</code> except on a small number of properly secured systems de...
    Group
  • Disable Network File System (nfs)

    The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local system. If the local system is...
    Rule Unknown Severity
  • Network Time Protocol

    The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictabl...
    Group
  • The Chrony package is installed

    System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or se...
    Rule Medium Severity
  • Chrony Configure Pool and Server

    <code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of s...
    Rule Medium Severity
  • Ensure that chronyd is running under chrony user account

    chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and us...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules