CIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Server
Rules and Groups employed by this XCCDF Profile
-
Protect Accounts by Restricting Password-Based Login
Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness using the <code>/etc/passwd</code> and <code>/etc/...Group -
Ensure All Accounts on the System Have Unique User IDs
Change user IDs (UIDs), or delete accounts, so each has a unique name.Rule Medium Severity -
Ensure All Groups on the System Have Unique Group ID
Change the group name or delete groups, so each has a unique id.Rule Medium Severity -
Ensure All Groups on the System Have Unique Group Names
Change the group name or delete groups, so each has a unique name.Rule Medium Severity -
Set Account Expiration Parameters
Accounts can be configured to be automatically disabled after a certain time period, meaning that they will require administrator interaction to become usable again. Expiration of accounts after in...Group -
Set Account Expiration Following Inactivity
To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in <code>/etc/default/useradd</code>:...Rule Medium Severity -
Ensure All Accounts on the System Have Unique Names
Ensure accounts on the system have unique names. To ensure all accounts have unique names, run the following command: <pre>$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d</pre> If a usernam...Rule Medium Severity -
Ensure shadow Group is Empty
The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group.Rule Medium Severity -
Set Password Expiration Parameters
The file <code>/etc/login.defs</code> controls several password-related settings. Programs such as <code>passwd</code>, <code>su</code>, and <code>login</code> consult <code>/etc/login.defs</code> ...Group -
Set Password Maximum Age
To specify password maximum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MAX_DAYS <xccdf-1.2:sub idref="xccdf_org.ssgproject.con...Rule Medium Severity -
Set Password Minimum Age
To specify password minimum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MIN_DAYS <xccdf-1.2:sub idref="xccdf_org.ssgproject.con...Rule Medium Severity -
Set Existing Passwords Maximum Age
Configure non-compliant accounts to enforce a <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" use="legacy"></xccdf-1.2:sub>-day maximum password lifeti...Rule Medium Severity -
Set Existing Passwords Minimum Age
Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command:$ sudo chage -m 1 USERRule Medium Severity -
Set Existing Passwords Warning Age
To configure how many days prior to password expiration that a warning will be issued to users, run the command: <pre>$ sudo chage --warndays <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_valu...Rule Medium Severity -
Set Password Warning Age
To specify how many days prior to password expiration that a warning will be issued to users, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_WARN_AGE <...Rule Medium Severity -
Set existing passwords a period of inactivity before they been locked
Configure user accounts that have been inactive for over a given period of time to be automatically disabled by running the following command: <pre>$ sudo chage --inactive 30<i>USER</i> </...Rule Medium Severity -
Verify Proper Storage and Existence of Password Hashes
By default, password hashes for local accounts are stored in the second field (colon-separated) in <code>/etc/shadow</code>. This file should be readable only by processes running with root credent...Group -
Verify All Account Password Hashes are Shadowed
If any password hashes are stored in <code>/etc/passwd</code> (in the second field, instead of an <code>x</code> or <code>*</code>), the cause of this misconfiguration should be investigated. The a...Rule Medium Severity -
Verify All Account Password Hashes are Shadowed with SHA512
Verify the operating system requires the shadow password suite configuration be set to encrypt interactive user passwords using a strong cryptographic hash. Check that the interactive user account ...Rule Medium Severity -
Ensure all users last password change date is in the past
All users should have a password change date in the past.Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.