Skip to content

CIS SUSE Linux Enterprise 15 Benchmark for Level 2 - Server

Rules and Groups employed by this XCCDF Profile

  • DHCP

    The Dynamic Host Configuration Protocol (DHCP) allows systems to request and obtain an IP address and other configuration parameters from a server....
    Group
  • Disable DHCP Client

    DHCP is the default network configuration method provided by the system installer, and common on many networks. Nevertheless, manual management of ...
    Group
  • Uninstall DHCP Client Package

    If the system does not need to act as a DHCP client, the dhcp-client package can be uninstalled. The <code>dhcp-client</code> package can be remove...
    Rule Medium Severity
  • Disable DHCP Server

    The DHCP server <code>dhcpd</code> is not installed or activated by default. If the software was installed and activated, but the system does not n...
    Group
  • Uninstall DHCP Server Package

    If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The <code>dhcp-server</code> package can be removed with...
    Rule Medium Severity
  • Disable DHCP Service

    The <code>dhcpd</code> service should be disabled on any system that does not need to act as a DHCP server. The <code>dhcpd</code> service can be ...
    Rule Medium Severity
  • DNS Server

    Most organizations have an operational need to run at least one nameserver. However, there are many common attacks involving DNS server software, a...
    Group
  • Disable DNS Server

    DNS software should be disabled on any systems which does not need to be a nameserver. Note that the BIND DNS server software is not installed on S...
    Group
  • Uninstall bind Package

    The <code>named</code> service is provided by the <code>bind</code> package. The <code>bind</code> package can be removed with the following comman...
    Rule Low Severity
  • Disable named Service

    The named service can be disabled with the following command:
    $ sudo systemctl mask --now named.service
    Rule Medium Severity
  • FTP Server

    FTP is a common method for allowing remote access to files. Like telnet, the FTP protocol is unencrypted, which means that passwords and other data...
    Group
  • Disable vsftpd if Possible

    To minimize attack surface, disable vsftpd if at all possible.
    Group
  • Uninstall vsftpd Package

    The vsftpd package can be removed with the following command:
     $ sudo zypper remove vsftpd
    Rule High Severity
  • Disable vsftpd Service

    The vsftpd service can be disabled with the following command:
    $ sudo systemctl mask --now vsftpd.service
    Rule Medium Severity
  • Web Server

    The web server is responsible for providing access to content via the HTTP protocol. Web servers represent a significant security risk because: <br...
    Group
  • Disable Apache if Possible

    If Apache was installed and activated, but the system does not need to act as a web server, then it should be disabled and removed from the system.
    Group
  • Uninstall httpd Package

    The httpd package can be removed with the following command:
    $ sudo zypper remove httpd
    Rule Unknown Severity
  • Disable httpd Service

    The httpd service can be disabled with the following command:
    $ sudo systemctl mask --now httpd.service
    Rule Unknown Severity
  • IMAP and POP3 Server

    Dovecot provides IMAP and POP3 services. It is not installed by default. The project page at <a href="http://www.dovecot.org">http://www.dovec...
    Group
  • Disable Dovecot

    If the system does not need to operate as an IMAP or POP3 server, the dovecot software should be disabled and removed.
    Group

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules