CIS SUSE Linux Enterprise 15 Benchmark for Level 2 - Server
Rules and Groups employed by this XCCDF Profile
-
Use Only FIPS 140-2 Validated MACs
Limit the MACs to those hash algorithms which are FIPS-approved. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of FIPS-approved MACs: <pre>MACs hmac-sha2-512,hmac-sha2-2...Rule Medium Severity -
Use Only Strong Ciphers
Limit the ciphers to strong algorithms. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of those...Rule Medium Severity -
Use Only Strong Key Exchange algorithms
Limit the Key Exchange to strong algorithms. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of those: <pre>KexAlgorithms <xccdf-1.2:sub idref="xccdf_org.ssgproject.content...Rule Medium Severity -
Use Only Strong MACs
Limit the MACs to strong hash algorithms. The following line in <code>/etc/ssh/sshd_config</code> demonstrates use of those MACs: <pre>MACs <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_...Rule Medium Severity -
X Window System
The X Window System implementation included with the system is called X.org.Group -
Disable X Windows
Unless there is a mission-critical reason for the system to run a graphical user interface, ensure X is not set to start automatically at boot and remove the X Windows software packages. There is u...Group -
Remove the X Windows Package Group
By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the s...Rule Medium Severity -
Disable graphical user interface
By removing the following packages, the system no longer has X Windows installed. <code>xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland</code> If X Win...Rule Medium Severity -
Configure Systemd Timer Execution of AIDE
At a minimum, AIDE should be configured to run a weekly scan. To implement a systemd service and a timer unit to run the service periodically: For example, if a systemd timer is expected to be star...Rule Medium Severity -
Record Attempts to perform maintenance activities
The SUSE Linux Enterprise 15 operating system must generate audit records for privileged activities, nonlocal maintenance, diagnostic sessions and other system-level access. Verify the operating s...Rule Medium Severity -
Dectivate firewalld Rules
Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffic within that network. Firewalls can be implemente...Group -
Uninstall firewalld Package
firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with support for network/firewall “zones” to assign a level of trust to a network and its associated connections, interf...Rule Medium Severity -
Verify firewalld service disabled
Firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with support for network/firewall “zones” to assign a level of trust to a network and its associated connections, interf...Rule Medium Severity -
Configure Systemd Timesyncd Root Distance Servers
<code>systemd-timesyncd</code> server configuration should have RootDistanceMaxSec is listed in accordance with local policy. This setting describes the maximum estimated time required for a packet...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules