Skip to content

CIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Server

Rules and Groups employed by this XCCDF Profile

  • Set Password Strength Minimum Lowercase Characters

    The pam_cracklib module's <code>lcredit=</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negativ...
    Rule Medium Severity
  • Set Password Minimum Length

    The pam_cracklib module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<xccd...
    Rule Medium Severity
  • Set Password Strength Minimum Special Characters

    The pam_cracklib module's <code>ocredit=</code> parameter controls requirements for usage of special (or ``other'') characters in a password. When ...
    Rule Medium Severity
  • Set Password Retry Limit

    The pam_cracklib module's <code>retry</code> parameter controls the maximum number of times to prompt the user for the password before returning wi...
    Rule Medium Severity
  • Set Password Strength Minimum Uppercase Characters

    The pam_cracklib module's <code>ucredit=</code> parameter controls requirements for usage of uppercase letters in a password. When set to a negativ...
    Rule Medium Severity
  • Set Password Hashing Algorithm

    The system's default algorithm for storing password hashes in /etc/shadow is SHA-512. This can be configured in several locations.
    Group
  • Set Password Hashing Algorithm in /etc/login.defs

    In <code>/etc/login.defs</code>, add or correct the following line to ensure the system will use <xccdf-1.2:sub idref="xccdf_org.ssgproject.content...
    Rule Medium Severity
  • Protect Physical Console Access

    It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be co...
    Group
  • Require Authentication for Emergency Systemd Target

    Emergency mode is intended as a system recovery method, providing a single user root access to the system during a failed boot sequence. <br><br> B...
    Rule Medium Severity
  • Require Authentication for Single User Mode

    Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. ...
    Rule Medium Severity
  • Protect Accounts by Restricting Password-Based Login

    Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness ...
    Group
  • Ensure All Accounts on the System Have Unique User IDs

    Change user IDs (UIDs), or delete accounts, so each has a unique name.
    Rule Medium Severity
  • Ensure All Groups on the System Have Unique Group ID

    Change the group name or delete groups, so each has a unique id.
    Rule Medium Severity
  • Ensure All Groups on the System Have Unique Group Names

    Change the group name or delete groups, so each has a unique name.
    Rule Medium Severity
  • Set Account Expiration Parameters

    Accounts can be configured to be automatically disabled after a certain time period, meaning that they will require administrator interaction to be...
    Group
  • Set Account Expiration Following Inactivity

    To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the fo...
    Rule Medium Severity
  • Ensure All Accounts on the System Have Unique Names

    Ensure accounts on the system have unique names. To ensure all accounts have unique names, run the following command: <pre>$ sudo getent passwd | ...
    Rule Medium Severity
  • Ensure shadow Group is Empty

    The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow gr...
    Rule Medium Severity
  • Set Password Expiration Parameters

    The file <code>/etc/login.defs</code> controls several password-related settings. Programs such as <code>passwd</code>, <code>su</code>, and <code>...
    Group
  • Set Password Maximum Age

    To specify password maximum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MAX_D...
    Rule Medium Severity
  • Set Password Minimum Age

    To specify password minimum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MIN_D...
    Rule Medium Severity
  • Set Existing Passwords Maximum Age

    Configure non-compliant accounts to enforce a <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" use="le...
    Rule Medium Severity
  • Set Existing Passwords Minimum Age

    Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command: <pre>$ sudo chage -m 1 <i>...
    Rule Medium Severity
  • Set Existing Passwords Warning Age

    To configure how many days prior to password expiration that a warning will be issued to users, run the command: <pre>$ sudo chage --warndays <xccd...
    Rule Medium Severity
  • Set Password Warning Age

    To specify how many days prior to password expiration that a warning will be issued to users, edit the file <code>/etc/login.defs</code> and add or...
    Rule Medium Severity
  • Set existing passwords a period of inactivity before they been locked

    Configure user accounts that have been inactive for over a given period of time to be automatically disabled by running the following command: <pre...
    Rule Medium Severity
  • Verify Proper Storage and Existence of Password Hashes

    By default, password hashes for local accounts are stored in the second field (colon-separated) in <code>/etc/shadow</code>. This file should be re...
    Group
  • Verify All Account Password Hashes are Shadowed

    If any password hashes are stored in <code>/etc/passwd</code> (in the second field, instead of an <code>x</code> or <code>*</code>), the cause of t...
    Rule Medium Severity
  • Verify All Account Password Hashes are Shadowed with SHA512

    Verify the operating system requires the shadow password suite configuration be set to encrypt interactive user passwords using a strong cryptograp...
    Rule Medium Severity
  • Ensure all users last password change date is in the past

    All users should have a password change date in the past.
    Rule Medium Severity
  • All GIDs referenced in /etc/passwd must be defined in /etc/group

    Add a group to the system for each GID referenced without a corresponding group.
    Rule Low Severity
  • Verify No .forward Files Exist

    The .forward file specifies an email address to forward the user's mail to.
    Rule Medium Severity
  • Ensure there are no legacy + NIS entries in /etc/passwd

    The <code>+</code> character in <code>/etc/passwd</code> file marks a place where entries from a network information service (NIS) should be direct...
    Rule Medium Severity
  • Ensure there are no legacy + NIS entries in /etc/shadow

    The <code>+</code> character in <code>/etc/shadow</code> file marks a place where entries from a network information service (NIS) should be direct...
    Rule Medium Severity
  • Verify No netrc Files Exist

    The <code>.netrc</code> files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files ma...
    Rule Medium Severity
  • Restrict Root Logins

    Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivil...
    Group
  • Verify Only Root Has UID 0

    If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or h...
    Rule High Severity
  • Verify Root Has A Primary GID 0

    The root user should have a primary group of 0.
    Rule High Severity
  • Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty

    Ensure that the group <code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_pam_wheel_group_for_su" use="legacy"></xccdf-1.2:sub></cod...
    Rule Medium Severity
  • Direct root Logins Not Allowed

    To further limit access to the <code>root</code> account, administrators can disable root logins at the console by editing the <code>/etc/securetty...
    Rule Medium Severity
  • Ensure that System Accounts Do Not Run a Shell Upon Login

    Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. Should an attacker be able to...
    Rule Medium Severity
  • Restrict Virtual Console Root Logins

    To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in <code>/etc/securetty</code>: <...
    Rule Medium Severity
  • Enforce Usage of pam_wheel with Group Parameter for su Authentication

    To ensure that only users who are members of the group set in the <code>group</code> option of <code>pam_wheel.so</code> module can run commands wi...
    Rule Medium Severity
  • Secure Session Configuration Files for Login Accounts

    When a user logs into a Unix account, the system configures the user's session by reading a number of files. Many of these files are located in the...
    Group
  • Set Interactive Session Timeout

    Setting the <code>TMOUT</code> option in <code>/etc/profile</code> ensures that all user sessions will terminate based on inactivity. The value of ...
    Rule Medium Severity
  • All Interactive Users Home Directories Must Exist

    Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create t...
    Rule Medium Severity
  • All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive

    Set the mode on files and directories in the local interactive user home directory with the following command: <pre>$ sudo chmod 0750 /home/<i>USER...
    Rule Medium Severity
  • Ensure users' .netrc Files are not group or world accessible

    While the system administrator can establish secure permissions for users' .netrc files, the users can easily override these. This rule ensures ev...
    Rule Medium Severity
  • All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

    Change the mode of interactive users home directories to <code>0750</code>. To change the mode of interactive users home directory, use the followi...
    Rule Medium Severity
  • Ensure that No Dangerous Directories Exist in Root's Path

    The active path of the root account can be obtained by starting a new root shell and running: <pre># echo $PATH</pre> This will produce a colon-sep...
    Group

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules