PCI-DSS v4 Control Baseline for SUSE Linux enterprise 12
Rules and Groups employed by this XCCDF Profile
-
Chrony Configure Pool and Server
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of s...Rule Medium Severity -
Specify Additional Remote NTP Servers
Depending on specific functional requirements of a concrete production environment, the SUSE Linux Enterprise 12 system can be configured to utiliz...Rule Medium Severity -
A remote time server for Chrony is configured
<code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of s...Rule Medium Severity -
Obsolete Services
This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or...Group -
Ensure rsyncd service is disabled
Thersyncdservice can be disabled with the following command:$ sudo systemctl mask --now rsyncd.service
Rule Medium Severity -
Xinetd
The <code>xinetd</code> service acts as a dedicated listener for some network services (mostly, obsolete ones) and can be used to provide access co...Group -
Uninstall xinetd Package
Thexinetdpackage can be removed with the following command:$ sudo zypper remove xinetd
Rule Low Severity -
NIS
The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and oth...Group -
Remove NIS Client
The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system conf...Rule Unknown Severity -
Rlogin, Rsh, and Rexec
The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.Group -
Uninstall rsh Package
Thershpackage contains the client commands for the rsh servicesRule Unknown Severity -
Chat/Messaging Services
The talk software makes it possible for users to send and receive messages across systems through a terminal session.Group -
Uninstall talk Package
The <code>talk</code> package contains the client program for the Internet talk protocol, which allows the user to chat with other users on differe...Rule Medium Severity -
Telnet
The telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication informat...Group -
Remove telnet Clients
The telnet client allows users to start connections to other systems via the telnet protocol.Rule Low Severity -
Print Support
The Common Unix Printing System (CUPS) service provides both local and network printing support. A system running the CUPS service can accept print...Group -
Disable the CUPS Service
Thecupsservice can be disabled with the following command:$ sudo systemctl mask --now cups.service
Rule Unknown Severity -
Samba(SMB) Microsoft Windows File Sharing Server
When properly configured, the Samba service allows Linux systems to provide file and print sharing to Microsoft Windows systems. There are two soft...Group -
Disable Samba if Possible
Even after the Samba server package has been installed, it will remain disabled. Do not enable this service unless it is absolutely necessary to pr...Group -
Uninstall Samba Package
Thesambapackage can be removed with the following command:$ sudo zypper remove samba
Rule Unknown Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.