Skip to content

Public Cloud Hardening for SUSE Linux Enterprise 15

Rules and Groups employed by this XCCDF Profile

  • System Settings

    Contains rules that check correct system settings.
    Group
  • Installing and Maintaining Software

    The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of s...
    Group
  • System and Software Integrity

    System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software,...
    Group
  • Software Integrity Checking

    Both the AIDE (Advanced Intrusion Detection Environment) software and the RPM package management system provide mechanisms for verifying the integr...
    Group
  • Verify Integrity with AIDE

    AIDE conducts integrity checks by comparing information about files with previously-gathered information. Ideally, the AIDE database is created imm...
    Group
  • Configure AIDE to Verify the Audit Tools

    The operating system file integrity tool must be configured to protect the integrity of the audit tools.
    Rule Medium Severity
  • Configure AIDE to Verify Access Control Lists (ACLs)

    By default, the <code>acl</code> option is added to the <code>FIPSR</code> ruleset in AIDE. If using a custom ruleset or the <code>acl</code> optio...
    Rule Low Severity
  • Configure AIDE to Verify Extended Attributes

    By default, the <code>xattrs</code> option is added to the <code>FIPSR</code> ruleset in AIDE. If using a custom ruleset or the <code>xattrs</code>...
    Rule Low Severity
  • Sudo

    <code>Sudo</code>, which stands for "su 'do'", provides the ability to delegate authority to certain users, groups of users, or system administrato...
    Group
  • Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty

    The sudo <code>use_pty</code> tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by ma...
    Rule Medium Severity
  • Ensure Sudo Logfile Exists - sudo logfile

    A custom log sudo file can be configured with the 'logfile' tag. This rule configures a sudo custom logfile at the default location suggested by CI...
    Rule Low Severity
  • Updating Software

    The <code>zypper</code> command line tool is used to install and update software packages. The system also provides a graphical software update too...
    Group
  • Ensure gpgcheck Enabled In Main zypper Configuration

    The <code>gpgcheck</code> option controls whether RPM packages' signatures are always checked prior to installation. To configure zypper to check p...
    Rule High Severity
  • Account and Access Control

    In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which...
    Group
  • Warning Banners for System Accesses

    Each system should expose as little information about itself as possible. <br><br> System banners, which are typically displayed just before a logi...
    Group
  • Modify the System Login Banner

    To configure the system login banner edit <code>/etc/issue</code>. Replace the default text with a message compliant with the local site policy or...
    Rule Medium Severity
  • Modify the System Message of the Day Banner

    To configure the system message banner edit <code>/etc/motd</code>. Replace the default text with a message compliant with the local site policy or...
    Rule Medium Severity
  • Verify Group Ownership of System Login Banner

    To properly set the group owner of /etc/issue, run the command:
    $ sudo chgrp root /etc/issue
    Rule Medium Severity
  • Verify ownership of System Login Banner

    To properly set the owner of /etc/issue, run the command:
    $ sudo chown root /etc/issue 
    Rule Medium Severity
  • Protect Accounts by Configuring PAM

    PAM, or Pluggable Authentication Modules, is a system which implements modular authentication for Linux programs. PAM provides a flexible and confi...
    Group
  • Ensure PAM Displays Last Logon/Access Notification

    To configure the system to notify users of last logon/access using <code>pam_lastlog</code>, add or correct the <code>pam_lastlog</code> settings i...
    Rule Low Severity
  • Set Lockouts for Failed Password Attempts

    The <code>pam_faillock</code> PAM module provides the capability to lock out user accounts after a number of failed login attempts. Its documentati...
    Group
  • Limit Password Reuse

    Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_pwhistory</code>...
    Rule Medium Severity
  • Enforce Delay After Failed Logon Attempts

    To configure the system to introduce a delay after failed logon attempts, add or correct the <code>pam_faildelay</code> settings in <code>/etc/pam....
    Rule Medium Severity
  • Set Deny For Failed Password Attempts

    The SUSE Linux Enterprise 15 operating system must lock an account after - at most - <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xcc...
    Rule Medium Severity
  • Set Password Quality Requirements

    The default <code>pam_pwquality</code> PAM module provides strength checking for passwords. It performs a number of checks, such as making sure pas...
    Group
  • Set Password Quality Requirements, if using pam_cracklib

    The <code>pam_cracklib</code> PAM module can be configured to meet requirements for a variety of policies. <br><br> For example, to configure <code...
    Group
  • Set Password Strength Minimum Digit Characters

    The pam_cracklib module's <code>dcredit</code> parameter controls requirements for usage of digits in a password. When set to a negative number, an...
    Rule Medium Severity
  • Set Password Strength Minimum Different Characters

    The pam_cracklib module's <code>difok</code> parameter controls requirements for usage of different characters during a password change. The number...
    Rule Medium Severity
  • Set Password Strength Minimum Lowercase Characters

    The pam_cracklib module's <code>lcredit=</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negativ...
    Rule Medium Severity
  • Set Password Minimum Length

    The pam_cracklib module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<xccd...
    Rule Medium Severity
  • Set Password Strength Minimum Special Characters

    The pam_cracklib module's <code>ocredit=</code> parameter controls requirements for usage of special (or ``other'') characters in a password. When ...
    Rule Medium Severity
  • Set Password Retry Limit

    The pam_cracklib module's <code>retry</code> parameter controls the maximum number of times to prompt the user for the password before returning wi...
    Rule Medium Severity
  • Set Password Strength Minimum Uppercase Characters

    The pam_cracklib module's <code>ucredit=</code> parameter controls requirements for usage of uppercase letters in a password. When set to a negativ...
    Rule Medium Severity
  • Set Password Hashing Algorithm

    The system's default algorithm for storing password hashes in /etc/shadow is SHA-512. This can be configured in several locations.
    Group
  • Set PAM's Common Authentication Hashing Algorithm

    The PAM system service can be configured to only store encrypted representations of passwords. In <code>/etc/pam.d/common-auth</code>, the <code>au...
    Rule Medium Severity
  • Set PAM''s Password Hashing Algorithm

    The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/common-password", the <code>password<...
    Rule Medium Severity
  • Protect Physical Console Access

    It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be co...
    Group
  • Disable Ctrl-Alt-Del Burst Action

    By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code> key sequence is pressed Ctrl-Alt-Delete more than 7 times ...
    Rule High Severity
  • Configure Screen Locking

    When a user must temporarily leave an account logged-in, screen locking should be employed to prevent passersby from abusing the account. User educ...
    Group
  • Hardware Tokens for Authentication

    The use of hardware tokens such as smart cards for system login provides stronger, two-factor authentication than using a username and password. I...
    Group
  • Configure Smart Card Certificate Authority Validation

    Configure the operating system to do certificate status checking for PKI authentication. Modify all of the <code>cert_policy</code> lines in <code>...
    Rule Medium Severity
  • Configure Smart Card Certificate Status Checking

    Configure the operating system to do certificate status checking for PKI authentication. Modify all of the <code>cert_policy</code> lines in <code>...
    Rule Medium Severity
  • Protect Accounts by Restricting Password-Based Login

    Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness ...
    Group
  • Set Account Expiration Parameters

    Accounts can be configured to be automatically disabled after a certain time period, meaning that they will require administrator interaction to be...
    Group
  • Set Account Expiration Following Inactivity

    To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the fo...
    Rule Medium Severity
  • Set Password Expiration Parameters

    The file <code>/etc/login.defs</code> controls several password-related settings. Programs such as <code>passwd</code>, <code>su</code>, and <code>...
    Group
  • Set Password Maximum Age

    To specify password maximum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MAX_D...
    Rule Medium Severity
  • Set Password Minimum Age

    To specify password minimum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MIN_D...
    Rule Medium Severity
  • Set Existing Passwords Maximum Age

    Configure non-compliant accounts to enforce a <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" use="le...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules