CIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Workstation
Rules and Groups employed by this XCCDF Profile
-
Verify Owner on cron.weekly
To properly set the owner of/etc/cron.weekly, run the command:$ sudo chown root /etc/cron.weekly
Rule Medium Severity -
Verify Owner on crontab
To properly set the owner of/etc/crontab, run the command:$ sudo chown root /etc/crontab
Rule Medium Severity -
Verify Permissions on cron.d
To properly set the permissions of/etc/cron.d, run the command:$ sudo chmod 0700 /etc/cron.d
Rule Medium Severity -
Verify Permissions on cron.daily
To properly set the permissions of/etc/cron.daily, run the command:$ sudo chmod 0700 /etc/cron.daily
Rule Medium Severity -
Verify Permissions on cron.hourly
To properly set the permissions of/etc/cron.hourly, run the command:$ sudo chmod 0700 /etc/cron.hourly
Rule Medium Severity -
Verify Permissions on cron.monthly
To properly set the permissions of/etc/cron.monthly, run the command:$ sudo chmod 0700 /etc/cron.monthly
Rule Medium Severity -
Verify Permissions on cron.weekly
To properly set the permissions of/etc/cron.weekly, run the command:$ sudo chmod 0700 /etc/cron.weekly
Rule Medium Severity -
Verify Permissions on crontab
To properly set the permissions of/etc/crontab, run the command:$ sudo chmod 0600 /etc/crontab
Rule Medium Severity -
Restrict at and cron to Authorized Users if Necessary
The <code>/etc/cron.allow</code> and <code>/etc/at.allow</code> files contain lists of users who are allowed to use <code>cron</code> and at to delay execution of processes. If these files exist an...Group -
Ensure that /etc/at.deny does not exist
The file/etc/at.denyshould not exist. Use/etc/at.allowinstead.Rule Medium Severity -
Ensure that /etc/cron.deny does not exist
The file/etc/cron.denyshould not exist. Use/etc/cron.allowinstead.Rule Medium Severity -
Verify Group Who Owns /etc/at.allow file
If <code>/etc/at.allow</code> exists, it must be group-owned by <code>root</code>. To properly set the group owner of <code>/etc/at.allow</code>, run the command: <pre>$ sudo chgrp root /etc/at.al...Rule Medium Severity -
Verify Group Who Owns /etc/cron.allow file
If <code>/etc/cron.allow</code> exists, it must be group-owned by <code>root</code>. To properly set the group owner of <code>/etc/cron.allow</code>, run the command: <pre>$ sudo chgrp root /etc/c...Rule Medium Severity -
Verify User Who Owns /etc/at.allow file
If <code>/etc/at.allow</code> exists, it must be owned by <code>root</code>. To properly set the owner of <code>/etc/at.allow</code>, run the command: <pre>$ sudo chown root /etc/at.allow </pre> ...Rule Medium Severity -
Verify User Who Owns /etc/cron.allow file
If <code>/etc/cron.allow</code> exists, it must be owned by <code>root</code>. To properly set the owner of <code>/etc/cron.allow</code>, run the command: <pre>$ sudo chown root /etc/cron.allow </...Rule Medium Severity -
Verify Permissions on /etc/at.allow file
If <code>/etc/at.allow</code> exists, it must have permissions <code>0640</code> or more restrictive. To properly set the permissions of <code>/etc/at.allow</code>, run the command: <pre>$ sudo c...Rule Medium Severity -
Verify Permissions on /etc/cron.allow file
If <code>/etc/cron.allow</code> exists, it must have permissions <code>0640</code> or more restrictive. To properly set the permissions of <code>/etc/cron.allow</code>, run the command: <pre>$ su...Rule Medium Severity -
DHCP
The Dynamic Host Configuration Protocol (DHCP) allows systems to request and obtain an IP address and other configuration parameters from a server. <br> <br> This guide recommends configuring...Group -
Disable DHCP Client
DHCP is the default network configuration method provided by the system installer, and common on many networks. Nevertheless, manual management of IP addresses for systems implies a greater degree ...Group -
Uninstall DHCP Client Package
If the system does not need to act as a DHCP client, the dhcp-client package can be uninstalled. The <code>dhcp-client</code> package can be removed with the following command: <pre> $ sudo zypper ...Rule Medium Severity -
Disable DHCP Server
The DHCP server <code>dhcpd</code> is not installed or activated by default. If the software was installed and activated, but the system does not need to act as a DHCP server, it should be disabled...Group -
Uninstall DHCP Server Package
If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The <code>dhcp-server</code> package can be removed with the following command: <pre> $ sudo zypper remove...Rule Medium Severity -
Disable DHCP Service
The <code>dhcpd</code> service should be disabled on any system that does not need to act as a DHCP server. The <code>dhcpd</code> service can be disabled with the following command: <pre>$ sudo s...Rule Medium Severity -
DNS Server
Most organizations have an operational need to run at least one nameserver. However, there are many common attacks involving DNS server software, and this server software should be disabled on any ...Group -
Disable DNS Server
DNS software should be disabled on any systems which does not need to be a nameserver. Note that the BIND DNS server software is not installed on SUSE Linux Enterprise 12 by default. The remainder ...Group -
Uninstall bind Package
Thenamedservice is provided by thebindpackage. Thebindpackage can be removed with the following command:$ sudo zypper remove bind
Rule Low Severity -
Disable named Service
Thenamedservice can be disabled with the following command:$ sudo systemctl mask --now named.service
Rule Medium Severity -
FTP Server
FTP is a common method for allowing remote access to files. Like telnet, the FTP protocol is unencrypted, which means that passwords and other data transmitted during the session can be captured an...Group -
Disable vsftpd if Possible
To minimize attack surface, disable vsftpd if at all possible.Group -
Uninstall vsftpd Package
Thevsftpdpackage can be removed with the following command:$ sudo zypper remove vsftpd
Rule High Severity -
Disable vsftpd Service
Thevsftpdservice can be disabled with the following command:$ sudo systemctl mask --now vsftpd.service
Rule Medium Severity -
Web Server
The web server is responsible for providing access to content via the HTTP protocol. Web servers represent a significant security risk because: <br> <br> <ul> <li>The HTTP port is commo...Group -
Disable Apache if Possible
If Apache was installed and activated, but the system does not need to act as a web server, then it should be disabled and removed from the system.Group -
Uninstall httpd Package
Thehttpdpackage can be removed with the following command:$ sudo zypper remove httpd
Rule Unknown Severity -
IMAP and POP3 Server
Dovecot provides IMAP and POP3 services. It is not installed by default. The project page at <a href="http://www.dovecot.org">http://www.dovecot.org</a> contains more detailed information abou...Group -
Disable Dovecot
If the system does not need to operate as an IMAP or POP3 server, the dovecot software should be disabled and removed.Group -
Uninstall dovecot Package
Thedovecotpackage can be removed with the following command:$ sudo zypper remove dovecot
Rule Unknown Severity -
Disable Dovecot Service
Thedovecotservice can be disabled with the following command:$ sudo systemctl mask --now dovecot.service
Rule Unknown Severity -
LDAP
LDAP is a popular directory service, that is, a standardized way of looking up information from a central database. SUSE Linux Enterprise 12 includes software that enables a system to act as both a...Group -
Configure OpenLDAP Clients
This section provides information on which security settings are important to configure in OpenLDAP clients by manually editing the appropriate configuration files. SUSE Linux Enterprise 12 provid...Group -
Ensure LDAP client is not installed
The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. The <code>openldap2-client</code> package can be removed wit...Rule Low Severity -
Configure OpenLDAP Server
This section details some security-relevant settings for an OpenLDAP server.Group -
Uninstall openldap-servers Package
The openldap2 package is not installed by default on a SUSE Linux Enterprise 12 system. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system...Rule Low Severity -
Mail Server Software
Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious targets of network attack. Ensure that systems are not r...Group -
Configure SMTP For Mail Clients
This section discusses settings for Postfix in a submission-only e-mail configuration.Group -
Disable Postfix Network Listening
Edit the file <code>/etc/postfix/main.cf</code> to ensure that only the following <code>inet_interfaces</code> line appears: <pre>inet_interfaces = <xccdf-1.2:sub idref="xccdf_org.ssgproject.conten...Rule Medium Severity -
NFS and RPC
The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circumstances under which it is possible to disable NF...Group -
Uninstall nfs-utils Package
Thenfs-utilspackage can be removed with the following command:$ sudo zypper remove nfs-utils
Rule Low Severity -
Disable All NFS Services if Possible
If there is not a reason for the system to operate as either an NFS client or an NFS server, follow all instructions in this section to disable subsystems required by NFS.Group -
Disable Services Used Only by NFS
If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd. <br> <br> All of these daemons run with elevated privileges, and many listen for network connections. I...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules