Skip to content

PCI-DSS v4 Control Baseline for SUSE Linux enterprise 12

Rules and Groups employed by this XCCDF Profile

  • Install Smart Card Packages For Multifactor Authentication

    Configure the operating system to implement multifactor authentication by installing the required package with the following command: The <code>pa...
    Rule Medium Severity
  • Enable the pcscd Service

    The pcscd service can be enabled with the following command:
    $ sudo systemctl enable pcscd.service
    Rule Medium Severity
  • Configure opensc Smart Card Drivers

    The OpenSC smart card tool can auto-detect smart card drivers; however, setting the smart card drivers in use by your organization helps to prevent...
    Rule Medium Severity
  • Force opensc To Use Defined Smart Card Driver

    The OpenSC smart card middleware can auto-detect smart card drivers; however by forcing the smart card driver in use by your organization, opensc w...
    Rule Medium Severity
  • Protect Accounts by Restricting Password-Based Login

    Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness ...
    Group
  • Ensure All Accounts on the System Have Unique User IDs

    Change user IDs (UIDs), or delete accounts, so each has a unique name.
    Rule Medium Severity
  • Ensure All Groups on the System Have Unique Group ID

    Change the group name or delete groups, so each has a unique id.
    Rule Medium Severity
  • Ensure All Groups on the System Have Unique Group Names

    Change the group name or delete groups, so each has a unique name.
    Rule Medium Severity
  • Set Account Expiration Parameters

    Accounts can be configured to be automatically disabled after a certain time period, meaning that they will require administrator interaction to be...
    Group
  • Set Account Expiration Following Inactivity

    To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the fo...
    Rule Medium Severity
  • Ensure All Accounts on the System Have Unique Names

    Ensure accounts on the system have unique names. To ensure all accounts have unique names, run the following command: <pre>$ sudo getent passwd | ...
    Rule Medium Severity
  • Set Password Expiration Parameters

    The file <code>/etc/login.defs</code> controls several password-related settings. Programs such as <code>passwd</code>, <code>su</code>, and <code>...
    Group
  • Set Password Maximum Age

    To specify password maximum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MAX_D...
    Rule Medium Severity
  • Verify Proper Storage and Existence of Password Hashes

    By default, password hashes for local accounts are stored in the second field (colon-separated) in <code>/etc/shadow</code>. This file should be re...
    Group
  • Verify All Account Password Hashes are Shadowed

    If any password hashes are stored in <code>/etc/passwd</code> (in the second field, instead of an <code>x</code> or <code>*</code>), the cause of t...
    Rule Medium Severity
  • All GIDs referenced in /etc/passwd must be defined in /etc/group

    Add a group to the system for each GID referenced without a corresponding group.
    Rule Low Severity
  • Prevent Login to Accounts With Empty Password

    If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without ...
    Rule High Severity
  • Restrict Root Logins

    Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivil...
    Group
  • Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty

    Ensure that the group <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_pam_wheel_group_for_su" use="legacy"></xccdf-1.2:sub></cod...
    Rule Medium Severity
  • Enforce Usage of pam_wheel with Group Parameter for su Authentication

    To ensure that only users who are members of the group set in the <code>group</code> option of <code>pam_wheel.so</code> module can run commands wi...
    Rule Medium Severity
  • System Accounting with auditd

    The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and c...
    Group
  • Ensure the default plugins for the audit dispatcher are Installed

    The audit-audispd-plugins package should be installed.
    Rule Medium Severity
  • Enable auditd Service

    The <code>auditd</code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to...
    Rule Medium Severity
  • Enable Auditing for Processes Which Start Prior to the Audit Daemon

    To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument <code>audit=1</code> to the default GRUB...
    Rule Low Severity
  • Configure auditd Rules for Comprehensive Auditing

    The <code>auditd</code> program can perform comprehensive monitoring of system activity. This section describes recommended configuration settings ...
    Group
  • Make the auditd Configuration Immutable

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Events that Modify the System's Mandatory Access Controls

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Ensure auditd Collects Information on Exporting to Media (successful)

    At a minimum, the audit system should collect media exportation events for all users and root. If the <code>auditd</code> daemon is configured to u...
    Rule Medium Severity
  • Record Events that Modify the System's Network Environment

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Attempts to Alter Process and Session Initiation Information

    The audit system already collects process information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>auge...
    Rule Medium Severity
  • Ensure auditd Collects System Administrator Actions

    At a minimum, the audit system should collect administrator actions for all users and root. If the <code>auditd</code> daemon is configured to use ...
    Rule Medium Severity
  • Record Events that Modify User/Group Information

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Events that Modify User/Group Information - /etc/group

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Events that Modify User/Group Information - /etc/gshadow

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Events that Modify User/Group Information - /etc/security/opasswd

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Events that Modify User/Group Information - /etc/passwd

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Events that Modify User/Group Information - /etc/shadow

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • System Audit Logs Must Be Owned By Root

    All audit logs must be owned by root user and group. By default, the path for audit log is <pre>/var/log/audit/</pre>. To properly set the owner o...
    Rule Medium Severity
  • System Audit Logs Must Have Mode 0640 or Less Permissive

    If <code>log_group</code> in <code>/etc/audit/auditd.conf</code> is set to a group other than the <code>root</code> group account, change the mode...
    Rule Medium Severity
  • Record Events that Modify the System's Discretionary Access Controls

    At a minimum, the audit system should collect file permission changes for all users and root. Note that the "-F arch=b32" lines should be present e...
    Group
  • Record Events that Modify the System's Discretionary Access Controls - chmod

    At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...
    Rule Medium Severity
  • Record Events that Modify the System's Discretionary Access Controls - chown

    At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...
    Rule Medium Severity
  • Record Events that Modify the System's Discretionary Access Controls - fchmod

    At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...
    Rule Medium Severity
  • Record Events that Modify the System's Discretionary Access Controls - fchmodat

    At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...
    Rule Medium Severity
  • Record Events that Modify the System's Discretionary Access Controls - fchown

    At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...
    Rule Medium Severity
  • Record Events that Modify the System's Discretionary Access Controls - fchownat

    At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...
    Rule Medium Severity
  • Record Events that Modify the System's Discretionary Access Controls - fremovexattr

    At a minimum, the audit system should collect file permission changes for all users and root. <br><br> If the <code>auditd</code> daemon is configu...
    Rule Medium Severity
  • Record Events that Modify the System's Discretionary Access Controls - fsetxattr

    At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...
    Rule Medium Severity
  • Record Events that Modify the System's Discretionary Access Controls - lchown

    At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...
    Rule Medium Severity
  • Record Events that Modify the System's Discretionary Access Controls - lremovexattr

    At a minimum, the audit system should collect file permission changes for all users and root. <br><br> If the <code>auditd</code> daemon is configu...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules