Skip to content

CIS SUSE Linux Enterprise 15 Benchmark for Level 2 - Server

Rules and Groups employed by this XCCDF Profile

  • Set Password Hashing Algorithm

    The system's default algorithm for storing password hashes in /etc/shadow is SHA-512. This can be configured in several locations.
    Group
  • Set Password Hashing Algorithm in /etc/login.defs

    In <code>/etc/login.defs</code>, add or correct the following line to ensure the system will use <xccdf-1.2:sub idref="xccdf_org.ssgproject.content...
    Rule Medium Severity
  • Protect Physical Console Access

    It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be co...
    Group
  • Require Authentication for Emergency Systemd Target

    Emergency mode is intended as a system recovery method, providing a single user root access to the system during a failed boot sequence. <br><br> B...
    Rule Medium Severity
  • Require Authentication for Single User Mode

    Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. ...
    Rule Medium Severity
  • Protect Accounts by Restricting Password-Based Login

    Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness ...
    Group
  • Ensure All Accounts on the System Have Unique User IDs

    Change user IDs (UIDs), or delete accounts, so each has a unique name.
    Rule Medium Severity
  • Ensure All Groups on the System Have Unique Group ID

    Change the group name or delete groups, so each has a unique id.
    Rule Medium Severity
  • Ensure All Groups on the System Have Unique Group Names

    Change the group name or delete groups, so each has a unique name.
    Rule Medium Severity
  • Set Account Expiration Parameters

    Accounts can be configured to be automatically disabled after a certain time period, meaning that they will require administrator interaction to be...
    Group
  • Set Account Expiration Following Inactivity

    To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the fo...
    Rule Medium Severity
  • Ensure All Accounts on the System Have Unique Names

    Ensure accounts on the system have unique names. To ensure all accounts have unique names, run the following command: <pre>$ sudo getent passwd | ...
    Rule Medium Severity
  • Ensure shadow Group is Empty

    The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow gr...
    Rule Medium Severity
  • Set Password Expiration Parameters

    The file <code>/etc/login.defs</code> controls several password-related settings. Programs such as <code>passwd</code>, <code>su</code>, and <code>...
    Group
  • Set Password Maximum Age

    To specify password maximum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MAX_D...
    Rule Medium Severity
  • Set Password Minimum Age

    To specify password minimum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MIN_D...
    Rule Medium Severity
  • Set Existing Passwords Maximum Age

    Configure non-compliant accounts to enforce a <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" use="le...
    Rule Medium Severity
  • Set Existing Passwords Minimum Age

    Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command: <pre>$ sudo chage -m 1 <i>...
    Rule Medium Severity
  • Set Existing Passwords Warning Age

    To configure how many days prior to password expiration that a warning will be issued to users, run the command: <pre>$ sudo chage --warndays <xccd...
    Rule Medium Severity
  • Set Password Warning Age

    To specify how many days prior to password expiration that a warning will be issued to users, edit the file <code>/etc/login.defs</code> and add or...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules