CIS SUSE Linux Enterprise 12 Benchmark Level 2 - Workstation
Rules and Groups employed by this XCCDF Profile
-
Ensure that /etc/at.deny does not exist
The file/etc/at.deny
should not exist. Use/etc/at.allow
instead.Rule Medium Severity -
Ensure that /etc/cron.deny does not exist
The file/etc/cron.deny
should not exist. Use/etc/cron.allow
instead.Rule Medium Severity -
Verify Group Who Owns /etc/at.allow file
If <code>/etc/at.allow</code> exists, it must be group-owned by <code>root</code>. To properly set the group owner of <code>/etc/at.allow</code>, ...Rule Medium Severity -
Verify Group Who Owns /etc/cron.allow file
If <code>/etc/cron.allow</code> exists, it must be group-owned by <code>root</code>. To properly set the group owner of <code>/etc/cron.allow</cod...Rule Medium Severity -
Verify User Who Owns /etc/at.allow file
If <code>/etc/at.allow</code> exists, it must be owned by <code>root</code>. To properly set the owner of <code>/etc/at.allow</code>, run the comm...Rule Medium Severity -
Verify User Who Owns /etc/cron.allow file
If <code>/etc/cron.allow</code> exists, it must be owned by <code>root</code>. To properly set the owner of <code>/etc/cron.allow</code>, run the ...Rule Medium Severity -
Verify Permissions on /etc/at.allow file
If <code>/etc/at.allow</code> exists, it must have permissions <code>0640</code> or more restrictive. To properly set the permissions of <code>/e...Rule Medium Severity -
Verify Permissions on /etc/cron.allow file
If <code>/etc/cron.allow</code> exists, it must have permissions <code>0640</code> or more restrictive. To properly set the permissions of <code>...Rule Medium Severity -
DHCP
The Dynamic Host Configuration Protocol (DHCP) allows systems to request and obtain an IP address and other configuration parameters from a server....Group -
Disable DHCP Client
DHCP is the default network configuration method provided by the system installer, and common on many networks. Nevertheless, manual management of ...Group -
Uninstall DHCP Client Package
If the system does not need to act as a DHCP client, the dhcp-client package can be uninstalled. The <code>dhcp-client</code> package can be remove...Rule Medium Severity -
Disable DHCP Server
The DHCP server <code>dhcpd</code> is not installed or activated by default. If the software was installed and activated, but the system does not n...Group -
Uninstall DHCP Server Package
If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The <code>dhcp-server</code> package can be removed with...Rule Medium Severity -
Disable DHCP Service
The <code>dhcpd</code> service should be disabled on any system that does not need to act as a DHCP server. The <code>dhcpd</code> service can be ...Rule Medium Severity -
DNS Server
Most organizations have an operational need to run at least one nameserver. However, there are many common attacks involving DNS server software, a...Group -
Disable DNS Server
DNS software should be disabled on any systems which does not need to be a nameserver. Note that the BIND DNS server software is not installed on S...Group -
Uninstall bind Package
The <code>named</code> service is provided by the <code>bind</code> package. The <code>bind</code> package can be removed with the following comman...Rule Low Severity -
Disable named Service
Thenamed
service can be disabled with the following command:$ sudo systemctl mask --now named.service
Rule Medium Severity -
FTP Server
FTP is a common method for allowing remote access to files. Like telnet, the FTP protocol is unencrypted, which means that passwords and other data...Group -
Disable vsftpd if Possible
To minimize attack surface, disable vsftpd if at all possible.Group -
Uninstall vsftpd Package
Thevsftpd
package can be removed with the following command:$ sudo zypper remove vsftpd
Rule High Severity -
Disable vsftpd Service
Thevsftpd
service can be disabled with the following command:$ sudo systemctl mask --now vsftpd.service
Rule Medium Severity -
Web Server
The web server is responsible for providing access to content via the HTTP protocol. Web servers represent a significant security risk because: <br...Group -
Disable Apache if Possible
If Apache was installed and activated, but the system does not need to act as a web server, then it should be disabled and removed from the system.Group -
Uninstall httpd Package
Thehttpd
package can be removed with the following command:$ sudo zypper remove httpd
Rule Unknown Severity -
IMAP and POP3 Server
Dovecot provides IMAP and POP3 services. It is not installed by default. The project page at <a href="http://www.dovecot.org">http://www.dovec...Group -
Disable Dovecot
If the system does not need to operate as an IMAP or POP3 server, the dovecot software should be disabled and removed.Group -
Uninstall dovecot Package
Thedovecot
package can be removed with the following command:$ sudo zypper remove dovecot
Rule Unknown Severity -
Disable Dovecot Service
Thedovecot
service can be disabled with the following command:$ sudo systemctl mask --now dovecot.service
Rule Unknown Severity -
LDAP
LDAP is a popular directory service, that is, a standardized way of looking up information from a central database. SUSE Linux Enterprise 12 includ...Group -
Configure OpenLDAP Clients
This section provides information on which security settings are important to configure in OpenLDAP clients by manually editing the appropriate con...Group -
Ensure LDAP client is not installed
The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. The <code>...Rule Low Severity -
Configure OpenLDAP Server
This section details some security-relevant settings for an OpenLDAP server.Group -
Uninstall openldap-servers Package
The openldap2 package is not installed by default on a SUSE Linux Enterprise 12 system. It is needed only by the OpenLDAP server, not by the client...Rule Low Severity -
Mail Server Software
Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious target...Group -
Configure SMTP For Mail Clients
This section discusses settings for Postfix in a submission-only e-mail configuration.Group -
Disable Postfix Network Listening
Edit the file <code>/etc/postfix/main.cf</code> to ensure that only the following <code>inet_interfaces</code> line appears: <pre>inet_interfaces =...Rule Medium Severity -
NFS and RPC
The Network File System is a popular distributed filesystem for the Unix environment, and is very widely deployed. This section discusses the circ...Group -
Uninstall nfs-utils Package
Thenfs-utils
package can be removed with the following command:$ sudo zypper remove nfs-utils
Rule Low Severity -
Disable All NFS Services if Possible
If there is not a reason for the system to operate as either an NFS client or an NFS server, follow all instructions in this section to disable sub...Group -
Disable Services Used Only by NFS
If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd. <br><br> All of these daemons run with elevated privileges, a...Group -
Uninstall rpcbind Package
The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they a...Rule Low Severity -
Disable rpcbind Service
The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they a...Rule Low Severity -
Configure NFS Clients
The steps in this section are appropriate for systems which operate as NFS clients.Group -
Disable NFS Server Daemons
There is no need to run the NFS server daemons <code>nfs</code> and <code>rpcsvcgssd</code> except on a small number of properly secured systems de...Group -
Disable Network File System (nfs)
The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local system. If the local system is...Rule Unknown Severity -
Network Time Protocol
The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictabl...Group -
The Chrony package is installed
System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or se...Rule Medium Severity -
Chrony Configure Pool and Server
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of s...Rule Medium Severity -
Ensure that chronyd is running under chrony user account
chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and us...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.