CIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Workstation
Rules and Groups employed by this XCCDF Profile
-
System Settings
Contains rules that check correct system settings.Group -
Installing and Maintaining Software
The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of s...Group -
System and Software Integrity
System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software,...Group -
Disable Prelinking
The prelinking feature changes binaries in an attempt to decrease their startup time. In order to disable it, change or add the following line insi...Rule Medium Severity -
Software Integrity Checking
Both the AIDE (Advanced Intrusion Detection Environment) software and the RPM package management system provide mechanisms for verifying the integr...Group -
Verify Integrity with AIDE
AIDE conducts integrity checks by comparing information about files with previously-gathered information. Ideally, the AIDE database is created imm...Group -
Install AIDE
Theaide
package can be installed with the following command:$ sudo zypper install aide
Rule Medium Severity -
Build and Test AIDE Database
Run the following command to generate a new database: <pre>$ sudo /usr/bin/aide --init</pre> By default, the database will be written to the file...Rule Medium Severity -
Disk Partitioning
To ensure separation and protection of data, there are top-level system directories which should be placed on their own physical partition or logic...Group -
Ensure /dev/shm is configured
The <code>/dev/shm</code> is a traditional shared memory concept. One program will create a memory portion, which other processes (if permitted) ca...Rule Low Severity -
Ensure /tmp Located On Separate Partition
The <code>/tmp</code> directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at...Rule Low Severity -
GNOME Desktop Environment
GNOME is a graphical desktop environment bundled with many Linux distributions that allow users to easily interact with the operating system graphi...Group -
Remove the GDM Package Group
By removing the <code>gdm</code> package, the system no longer has GNOME installed installed. If X Windows is not installed then the system canno...Rule Medium Severity -
Make sure that the dconf databases are up-to-date with regards to respective keyfiles
By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by ...Rule High Severity -
Configure GNOME3 DConf User Profile
By default, DConf provides a standard user profile. This profile contains a list of DConf configuration databases. The user profile and database al...Rule High Severity -
Sudo
<code>Sudo</code>, which stands for "su 'do'", provides the ability to delegate authority to certain users, groups of users, or system administrato...Group -
Install sudo Package
Thesudo
package can be installed with the following command:$ sudo zypper install sudo
Rule Medium Severity -
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
The sudo <code>use_pty</code> tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by ma...Rule Medium Severity -
Ensure Sudo Logfile Exists - sudo logfile
A custom log sudo file can be configured with the 'logfile' tag. This rule configures a sudo custom logfile at the default location suggested by CI...Rule Low Severity -
Updating Software
The <code>zypper</code> command line tool is used to install and update software packages. The system also provides a graphical software update too...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.