DISA STIG for SUSE Linux Enterprise 15
Rules and Groups employed by this XCCDF Profile
-
System Settings
Contains rules that check correct system settings.Group -
Installing and Maintaining Software
The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of software updates.Group -
System and Software Integrity
System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software, enabling SELinux, installing an Intrusion Prevent...Group -
Software Integrity Checking
Both the AIDE (Advanced Intrusion Detection Environment) software and the RPM package management system provide mechanisms for verifying the integrity of installed software. AIDE uses snapshots of ...Group -
Verify Integrity with AIDE
AIDE conducts integrity checks by comparing information about files with previously-gathered information. Ideally, the AIDE database is created immediately after initial system configuration, and t...Group -
Install AIDE
Theaidepackage can be installed with the following command:$ sudo zypper install aide
Rule Medium Severity -
Build and Test AIDE Database
Run the following command to generate a new database: <pre>$ sudo /usr/bin/aide --init</pre> By default, the database will be written to the file <code>/var/lib/aide/aide.db.new</code>. Storing...Rule Medium Severity -
Configure AIDE to Verify the Audit Tools
The operating system file integrity tool must be configured to protect the integrity of the audit tools.Rule Medium Severity -
Configure Notification of Post-AIDE Scan Details
AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in <code>/etc/crontab</code>, append the fo...Rule Medium Severity -
Configure AIDE to Verify Access Control Lists (ACLs)
By default, the <code>acl</code> option is added to the <code>FIPSR</code> ruleset in AIDE. If using a custom ruleset or the <code>acl</code> option is missing, add <code>acl</code> to the appropri...Rule Low Severity -
Configure AIDE to Verify Extended Attributes
By default, the <code>xattrs</code> option is added to the <code>FIPSR</code> ruleset in AIDE. If using a custom ruleset or the <code>xattrs</code> option is missing, add <code>xattrs</code> to the...Rule Low Severity -
Federal Information Processing Standard (FIPS)
The Federal Information Processing Standard (FIPS) is a computer security standard which is developed by the U.S. Government and industry working groups to validate the quality of cryptographic mod...Group -
Verify '/proc/sys/crypto/fips_enabled' exists
On a system where FIPS 140-2 mode is enabled, <code>/proc/sys/crypto/fips_enabled</code> must exist. To verify FIPS mode, run the following command: <pre>cat /proc/sys/crypto/fips_enabled</pre> ...Rule High Severity -
Operating System Vendor Support and Certification
The assurance of a vendor to provide operating system support and maintenance for their product is an important criterion to ensure product stability and security over the life of the product. A ce...Group -
The Installed Operating System Is Vendor Supported
The installed operating system must be maintained by a vendor. SUSE Linux Enterprise is supported by SUSE. As the SUSE Linux Enterprise vendor, SUSE is responsible for providing security patches.Rule High Severity -
Endpoint Protection Software
Endpoint protection security software that is not provided or supported by Red Hat can be installed to provide complementary or duplicative security capabilities to those provided by the base pla...Group -
McAfee Endpoint Security Software
In DoD environments, McAfee Host-based Security System (HBSS) and VirusScan Enterprise for Linux (VSEL) is required to be installed on all systems.Group -
McAfee Endpoint Security for Linux (ENSL)
McAfee Endpoint Security for Linux (ENSL) is a suite of software applications used to monitor, detect, and defend computer networks and systems.Group -
Disk Partitioning
To ensure separation and protection of data, there are top-level system directories which should be placed on their own physical partition or logical volume. The installer's default partitioning sc...Group -
Encrypt Partitions
SUSE Linux Enterprise 15 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation t...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.