Public Cloud Hardening for SUSE Linux Enterprise 15
Rules and Groups employed by this XCCDF Profile
-
Ensure PAM Displays Last Logon/Access Notification
To configure the system to notify users of last logon/access using <code>pam_lastlog</code>, add or correct the <code>pam_lastlog</code> settings i...Rule Low Severity -
Set Lockouts for Failed Password Attempts
The <code>pam_faillock</code> PAM module provides the capability to lock out user accounts after a number of failed login attempts. Its documentati...Group -
Limit Password Reuse
Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_pwhistory</code>...Rule Medium Severity -
Enforce Delay After Failed Logon Attempts
To configure the system to introduce a delay after failed logon attempts, add or correct the <code>pam_faildelay</code> settings in <code>/etc/pam....Rule Medium Severity -
Set Deny For Failed Password Attempts
The SUSE Linux Enterprise 15 operating system must lock an account after - at most - <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xcc...Rule Medium Severity -
Set Password Quality Requirements
The default <code>pam_pwquality</code> PAM module provides strength checking for passwords. It performs a number of checks, such as making sure pas...Group -
Set Password Quality Requirements, if using pam_cracklib
The <code>pam_cracklib</code> PAM module can be configured to meet requirements for a variety of policies. <br><br> For example, to configure <code...Group -
Set Password Strength Minimum Digit Characters
The pam_cracklib module's <code>dcredit</code> parameter controls requirements for usage of digits in a password. When set to a negative number, an...Rule Medium Severity -
Set Password Strength Minimum Different Characters
The pam_cracklib module's <code>difok</code> parameter controls requirements for usage of different characters during a password change. The number...Rule Medium Severity -
Set Password Strength Minimum Lowercase Characters
The pam_cracklib module's <code>lcredit=</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negativ...Rule Medium Severity -
Set Password Minimum Length
The pam_cracklib module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<xccd...Rule Medium Severity -
Set Password Strength Minimum Special Characters
The pam_cracklib module's <code>ocredit=</code> parameter controls requirements for usage of special (or ``other'') characters in a password. When ...Rule Medium Severity -
Set Password Retry Limit
The pam_cracklib module's <code>retry</code> parameter controls the maximum number of times to prompt the user for the password before returning wi...Rule Medium Severity -
Set Password Strength Minimum Uppercase Characters
The pam_cracklib module's <code>ucredit=</code> parameter controls requirements for usage of uppercase letters in a password. When set to a negativ...Rule Medium Severity -
Set Password Hashing Algorithm
The system's default algorithm for storing password hashes in/etc/shadowis SHA-512. This can be configured in several locations.Group -
Set PAM's Common Authentication Hashing Algorithm
The PAM system service can be configured to only store encrypted representations of passwords. In <code>/etc/pam.d/common-auth</code>, the <code>au...Rule Medium Severity -
Set PAM''s Password Hashing Algorithm
The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/common-password", the <code>password<...Rule Medium Severity -
Protect Physical Console Access
It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be co...Group -
Disable Ctrl-Alt-Del Burst Action
By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code> key sequence is pressed Ctrl-Alt-Delete more than 7 times ...Rule High Severity -
Configure Screen Locking
When a user must temporarily leave an account logged-in, screen locking should be employed to prevent passersby from abusing the account. User educ...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.