PCI-DSS v3.2.1 Control Baseline for SUSE Linux enterprise 12
Rules and Groups employed by this XCCDF Profile
-
Configure auditd Number of Logs Retained
Determine how many log files <code>auditd</code> should retain when it rotates logs. Edit the file <code>/etc/audit/auditd.conf</code>. Add or modi...Rule Medium Severity -
Configure auditd space_left on Low Disk Space
The <code>auditd</code> service can be configured to take an action when disk space is running low but prior to running out of space completely. Ed...Rule Medium Severity -
Configure auditd space_left Action on Low Disk Space
The <code>auditd</code> service can be configured to take an action when disk space <i>starts</i> to run low. Edit the file <code>/etc/audit/auditd...Rule Medium Severity -
GRUB2 bootloader configuration
During the boot process, the boot loader is responsible for starting the execution of the kernel and passing options to it. The boot loader allows ...Group -
Non-UEFI GRUB2 bootloader configuration
Non-UEFI GRUB2 bootloader configurationGroup -
Verify /boot/grub2/grub.cfg Group Ownership
The file <code>/boot/grub2/grub.cfg</code> should be group-owned by the <code>root</code> group to prevent destruction or modification of the file....Rule Medium Severity -
Verify /boot/grub2/grub.cfg User Ownership
The file <code>/boot/grub2/grub.cfg</code> should be owned by the <code>root</code> user to prevent destruction or modification of the file. To pr...Rule Medium Severity -
Configure Syslog
The syslog service has been the default Unix logging mechanism for many years. It has a number of downsides, including inconsistent log format, lac...Group -
Ensure Proper Configuration of Log Files
The file <code>/etc/rsyslog.conf</code> controls where log message are written. These are controlled by lines called <i>rules</i>, which consist of...Group -
Ensure Log Files Are Owned By Appropriate Group
The group-owner of all log files written by <code>rsyslog</code> should be <code>root</code>. These log files are determined by the second part of ...Rule Medium Severity -
Ensure Log Files Are Owned By Appropriate User
The owner of all log files written by <code>rsyslog</code> should be <code>root</code>. These log files are determined by the second part of each...Rule Medium Severity -
Ensure System Log Files Have Correct Permissions
The file permissions for all log files written by <code>rsyslog</code> should be set to 640, or more restrictive. These log files are determined by...Rule Medium Severity -
Ensure All Logs are Rotated by logrotate
Edit the file <code>/etc/logrotate.d/syslog</code>. Find the first line, which should look like this (wrapped for clarity): <pre>/var/log/message...Group -
Ensure logrotate is Installed
logrotate is installed by default. The <code>logrotate</code> package can be installed with the following command: <pre> $ sudo zypper install logr...Rule Medium Severity -
Ensure Logrotate Runs Periodically
The <code>logrotate</code> utility allows for the automatic rotation of log files. The frequency of rotation is specified in <code>/etc/logrotate....Rule Medium Severity -
Enable logrotate Timer
Thelogrotatetimer can be enabled with the following command:$ sudo systemctl enable logrotate.timer
Rule Medium Severity -
Network Configuration and Firewalls
Most systems must be connected to a network of some sort, and this brings with it the substantial risk of network attack. This section discusses th...Group -
IPSec Support
Support for Internet Protocol Security (IPsec) is provided with Libreswan.Group -
Install strongswan Package
The Strongswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The <code...Rule Medium Severity -
iptables and ip6tables
A host-based firewall called <code>netfilter</code> is included as part of the Linux kernel distributed with the system. It is activated by default...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.