PCI-DSS v3.2.1 Control Baseline for SUSE Linux enterprise 12
Rules and Groups employed by this XCCDF Profile
-
Configure auditd Number of Logs Retained
Determine how many log files <code>auditd</code> should retain when it rotates logs. Edit the file <code>/etc/audit/auditd.conf</code>. Add or modify the following line, substituting <i>NUMLOGS</i>...Rule Medium Severity -
Configure auditd space_left on Low Disk Space
The <code>auditd</code> service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file <code>/etc/audit/auditd.conf</code>. A...Rule Medium Severity -
Configure auditd space_left Action on Low Disk Space
The <code>auditd</code> service can be configured to take an action when disk space <i>starts</i> to run low. Edit the file <code>/etc/audit/auditd.conf</code>. Modify the following line, substitut...Rule Medium Severity -
GRUB2 bootloader configuration
During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows for the selection of different kernels - possibly ...Group -
Non-UEFI GRUB2 bootloader configuration
Non-UEFI GRUB2 bootloader configurationGroup -
Verify /boot/grub2/grub.cfg Group Ownership
The file <code>/boot/grub2/grub.cfg</code> should be group-owned by the <code>root</code> group to prevent destruction or modification of the file. To properly set the group owner of <code>/boot/g...Rule Medium Severity -
Verify /boot/grub2/grub.cfg User Ownership
The file <code>/boot/grub2/grub.cfg</code> should be owned by the <code>root</code> user to prevent destruction or modification of the file. To properly set the owner of <code>/boot/grub2/grub.cfg...Rule Medium Severity -
Configure Syslog
The syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lack of authentication for received messages, and lac...Group -
Ensure Proper Configuration of Log Files
The file <code>/etc/rsyslog.conf</code> controls where log message are written. These are controlled by lines called <i>rules</i>, which consist of a <i>selector</i> and an <i>action</i>. These rul...Group -
Ensure Log Files Are Owned By Appropriate Group
The group-owner of all log files written by <code>rsyslog</code> should be <code>root</code>. These log files are determined by the second part of each Rule line in <code>/etc/rsyslog.conf</code> a...Rule Medium Severity -
Ensure Log Files Are Owned By Appropriate User
The owner of all log files written by <code>rsyslog</code> should be <code>root</code>. These log files are determined by the second part of each Rule line in <code>/etc/rsyslog.conf</code> and t...Rule Medium Severity -
Ensure System Log Files Have Correct Permissions
The file permissions for all log files written by <code>rsyslog</code> should be set to 640, or more restrictive. These log files are determined by the second part of each Rule line in <code>/etc/r...Rule Medium Severity -
Ensure All Logs are Rotated by logrotate
Edit the file <code>/etc/logrotate.d/syslog</code>. Find the first line, which should look like this (wrapped for clarity): <pre>/var/log/messages /var/log/secure /var/log/maillog /var/log/spoole...Group -
Ensure logrotate is Installed
logrotate is installed by default. Thelogrotatepackage can be installed with the following command:$ sudo zypper install logrotate
Rule Medium Severity -
Ensure Logrotate Runs Periodically
The <code>logrotate</code> utility allows for the automatic rotation of log files. The frequency of rotation is specified in <code>/etc/logrotate.conf</code>, which triggers a cron task or a timer...Rule Medium Severity -
Enable logrotate Timer
Thelogrotatetimer can be enabled with the following command:$ sudo systemctl enable logrotate.timer
Rule Medium Severity -
Network Configuration and Firewalls
Most systems must be connected to a network of some sort, and this brings with it the substantial risk of network attack. This section discusses the security impact of decisions about networking wh...Group -
IPSec Support
Support for Internet Protocol Security (IPsec) is provided with Libreswan.Group -
Install strongswan Package
The Strongswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The <code>strongswan</code> package can be installed with t...Rule Medium Severity -
iptables and ip6tables
A host-based firewall called <code>netfilter</code> is included as part of the Linux kernel distributed with the system. It is activated by default. This firewall is controlled by the program <code...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.