Skip to content

CIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Server

Rules and Groups employed by this XCCDF Profile

  • Ensure users' .netrc Files are not group or world accessible

    While the system administrator can establish secure permissions for users' .netrc files, the users can easily override these. This rule ensures ev...
    Rule Medium Severity
  • All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

    Change the mode of interactive users home directories to <code>0750</code>. To change the mode of interactive users home directory, use the followi...
    Rule Medium Severity
  • Ensure that No Dangerous Directories Exist in Root's Path

    The active path of the root account can be obtained by starting a new root shell and running: <pre># echo $PATH</pre> This will produce a colon-sep...
    Group
  • Ensure that Root's Path Does Not Include World or Group-Writable Directories

    For each element in root's path, run:
    # ls -ld DIR
    and ensure that write permissions are disabled for group and other.
    Rule Medium Severity
  • Ensure that Root's Path Does Not Include Relative Paths or Null Directories

    Ensure that none of the directories in root's path is equal to a single <code>.</code> character, or that it contains any instances that lead to re...
    Rule Unknown Severity
  • Ensure that Users Have Sensible Umask Values

    The umask setting controls the default permissions for the creation of new files. With a default <code>umask</code> setting of 077, files and direc...
    Group
  • Ensure the Default Bash Umask is Set Correctly

    To ensure the default umask for users of the Bash shell is set properly, add or correct the <code>umask</code> setting in <code>/etc/bash.bashrc</c...
    Rule Medium Severity
  • Ensure the Default Umask is Set Correctly in login.defs

    To ensure the default umask controlled by <code>/etc/login.defs</code> is set properly, add or correct the <code>UMASK</code> setting in <code>/etc...
    Rule Medium Severity
  • Ensure the Default Umask is Set Correctly in /etc/profile

    To ensure the default umask controlled by <code>/etc/profile</code> is set properly, add or correct the <code>umask</code> setting in <code>/etc/pr...
    Rule Medium Severity
  • AppArmor

    Many security vulnerabilities result from bugs in trusted programs. A trusted program runs with privileges that attackers want to possess. The prog...
    Group
  • Install the pam_apparmor Package

    The pam_apparmor package can be installed with the following command:
    $ sudo zypper install pam_apparmor
    Rule Medium Severity
  • All AppArmor Profiles are in enforce or complain mode

    AppArmor profiles define what resources applications are able to access. To set all profiles to either <code>enforce</code> or <code>complain</code...
    Rule Medium Severity
  • Ensure AppArmor is Active and Configured

    Verify that the Apparmor tool is configured to control whitelisted applications and user home directory access control.<br><br> The <code>apparmor...
    Rule Medium Severity
  • GRUB2 bootloader configuration

    During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows ...
    Group
  • Non-UEFI GRUB2 bootloader configuration

    Non-UEFI GRUB2 bootloader configuration
    Group
  • Verify /boot/grub2/grub.cfg Group Ownership

    The file <code>/boot/grub2/grub.cfg</code> should be group-owned by the <code>root</code> group to prevent destruction or modification of the file....
    Rule Medium Severity
  • Verify /boot/grub2/grub.cfg User Ownership

    The file <code>/boot/grub2/grub.cfg</code> should be owned by the <code>root</code> user to prevent destruction or modification of the file. To pr...
    Rule Medium Severity
  • Verify /boot/grub2/grub.cfg Permissions

    File permissions for <code>/boot/grub2/grub.cfg</code> should be set to 600. To properly set the permissions of <code>/boot/grub2/grub.cfg</code>,...
    Rule Medium Severity
  • Set Boot Loader Password in grub2

    The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br><br> Since plaintext passw...
    Rule High Severity
  • UEFI GRUB2 bootloader configuration

    UEFI GRUB2 bootloader configuration
    Group
  • Set the UEFI Boot Loader Password

    The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br><br> Since plaintext passw...
    Rule High Severity
  • Configure Syslog

    The syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lac...
    Group
  • Ensure rsyslog is Installed

    Rsyslog is installed by default. The <code>rsyslog</code> package can be installed with the following command: <pre> $ sudo zypper install rsyslog<...
    Rule Medium Severity
  • Enable rsyslog Service

    The <code>rsyslog</code> service provides syslog-style logging by default on SUSE Linux Enterprise 12. The <code>rsyslog</code> service can be ena...
    Rule Medium Severity
  • Ensure Proper Configuration of Log Files

    The file <code>/etc/rsyslog.conf</code> controls where log message are written. These are controlled by lines called <i>rules</i>, which consist of...
    Group
  • Ensure Log Files Are Owned By Appropriate Group

    The group-owner of all log files written by <code>rsyslog</code> should be <code>root</code>. These log files are determined by the second part of ...
    Rule Medium Severity
  • Ensure Log Files Are Owned By Appropriate User

    The owner of all log files written by <code>rsyslog</code> should be <code>root</code>. These log files are determined by the second part of each...
    Rule Medium Severity
  • Ensure System Log Files Have Correct Permissions

    The file permissions for all log files written by <code>rsyslog</code> should be set to 640, or more restrictive. These log files are determined by...
    Rule Medium Severity
  • Ensure logging is configured

    The <code>/etc/rsyslog.conf</code> and <code>/etc/rsyslog.d/*.conf</code> files specifies rules for logging and which files are to be used to log c...
    Rule Medium Severity
  • systemd-journald

    systemd-journald is a system service that collects and stores logging data. It creates and maintains structured, indexed journals based on logging ...
    Group
  • Ensure journald is configured to compress large log files

    The journald system can compress large log files to avoid fill the system disk.
    Rule Medium Severity
  • Ensure journald is configured to send logs to rsyslog

    Data from journald may be stored in volatile memory or persisted locally. Utilities exist to accept remote export of journald logs.
    Rule Medium Severity
  • Ensure journald is configured to write log files to persistent disk

    The journald system may store log files in volatile memory or locally on disk. If the logs are only stored in volatile memory they will we lost upo...
    Rule Medium Severity
  • Ensure All Logs are Rotated by logrotate

    Edit the file <code>/etc/logrotate.d/syslog</code>. Find the first line, which should look like this (wrapped for clarity): <pre>/var/log/message...
    Group
  • Ensure logrotate is Installed

    logrotate is installed by default. The <code>logrotate</code> package can be installed with the following command: <pre> $ sudo zypper install logr...
    Rule Medium Severity
  • Ensure Logrotate Runs Periodically

    The <code>logrotate</code> utility allows for the automatic rotation of log files. The frequency of rotation is specified in <code>/etc/logrotate....
    Rule Medium Severity
  • Enable logrotate Timer

    The logrotate timer can be enabled with the following command:
    $ sudo systemctl enable logrotate.timer
    Rule Medium Severity
  • Rsyslog Logs Sent To Remote Host

    If system logs are to be useful in detecting malicious activities, it is necessary to send logs to a remote server. An intruder who has compromised...
    Group
  • Ensure Logs Sent To Remote Host

    To configure rsyslog to send logs to a remote log server, open <code>/etc/rsyslog.conf</code> and read and understand the last section of the file,...
    Rule Medium Severity
  • Network Configuration and Firewalls

    Most systems must be connected to a network of some sort, and this brings with it the substantial risk of network attack. This section discusses th...
    Group
  • iptables and ip6tables

    A host-based firewall called <code>netfilter</code> is included as part of the Linux kernel distributed with the system. It is activated by default...
    Group
  • Install iptables Package

    The iptables package can be installed with the following command:
    $ sudo zypper install iptables
    Rule Medium Severity
  • Inspect and Activate Default Rules

    View the currently-enforced <code>iptables</code> rules by running the command: <pre>$ sudo iptables -nL --line-numbers</pre> The command is analog...
    Group
  • Verify iptables Enabled

    The iptables service can be enabled with the following command:
    $ sudo systemctl enable iptables.service
    Rule Medium Severity
  • Set configuration for IPv6 loopback traffic

    Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.
    Rule Medium Severity
  • Set configuration for loopback traffic

    Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.
    Rule Medium Severity
  • Strengthen the Default Ruleset

    The default rules can be strengthened. The system scripts that activate the firewall rules expect them to be defined in the configuration files <co...
    Group
  • Set Default iptables Policy for Incoming Packets

    To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following l...
    Rule Medium Severity
  • Ensure Outbound and Established Connections are Configured

    Configure the firewall rules for new outbound and established connections.
    Rule Medium Severity
  • IPv6

    The system includes support for Internet Protocol version 6. A major and often-mentioned improvement over IPv4 is its enormous increase in the numb...
    Group

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules