I - Mission Critical Classified
Rules and Groups employed by this XCCDF Profile
-
SRG-OS-000075-GPOS-00043
<GroupDescription></GroupDescription>Group -
The SUSE operating system must be configured to create or update passwords with a minimum lifetime of 24 hours (one day).
<VulnDiscussion>Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforce...Rule Medium Severity -
SRG-OS-000075-GPOS-00043
<GroupDescription></GroupDescription>Group -
The SUSE operating system must employ user passwords with a minimum lifetime of 24 hours (one day).
<VulnDiscussion>Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforce...Rule Medium Severity -
SRG-OS-000076-GPOS-00044
<GroupDescription></GroupDescription>Group -
The SUSE operating system must be configured to create or update passwords with a maximum lifetime of 60 days.
<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the ...Rule Medium Severity -
SRG-OS-000076-GPOS-00044
<GroupDescription></GroupDescription>Group -
The SUSE operating system must employ user passwords with a maximum lifetime of 60 days.
<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the ...Rule Medium Severity -
SRG-OS-000480-GPOS-00225
<GroupDescription></GroupDescription>Group -
The SUSE operating system must prevent the use of dictionary words for passwords.
<VulnDiscussion>If the SUSE operating system allows the user to select passwords based on dictionary words, this increases the chances of pas...Rule Medium Severity -
SRG-OS-000123-GPOS-00064
<GroupDescription></GroupDescription>Group -
The SUSE operating system must never automatically remove or disable emergency administrator accounts.
<VulnDiscussion>Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid acc...Rule Medium Severity -
SRG-OS-000118-GPOS-00060
<GroupDescription></GroupDescription>Group -
The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration.
<VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potenti...Rule Medium Severity -
SRG-OS-000480-GPOS-00226
<GroupDescription></GroupDescription>Group -
The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
<VulnDiscussion>Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain acc...Rule Medium Severity -
SRG-OS-000480-GPOS-00229
<GroupDescription></GroupDescription>Group -
The SUSE operating system must not allow unattended or automatic logon via the graphical user interface.
<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts SUSE operating system security.</VulnDiscussio...Rule High Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The SUSE operating system must display the date and time of the last successful account logon upon logon.
<VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthoriz...Rule Low Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
There must be no .shosts files on the SUSE operating system.
<VulnDiscussion>The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based auth...Rule High Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
There must be no shosts.equiv files on the SUSE operating system.
<VulnDiscussion>The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is n...Rule High Severity -
SRG-OS-000478-GPOS-00223
<GroupDescription></GroupDescription>Group -
FIPS 140-2 mode must be enabled on the SUSE operating system.
<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The SUSE operating...Rule Medium Severity -
SRG-OS-000080-GPOS-00048
<GroupDescription></GroupDescription>Group -
SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.
<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...Rule Medium Severity -
SRG-OS-000080-GPOS-00048
<GroupDescription></GroupDescription>Group -
SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.
<VulnDiscussion>If the system allows a user to boot into single-user or maintenance mode without authentication, any user that invokes single...Rule Medium Severity -
SRG-OS-000185-GPOS-00079
<GroupDescription></GroupDescription>Group -
All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
<VulnDiscussion>SUSE operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent una...Rule High Severity -
SRG-OS-000138-GPOS-00069
<GroupDescription></GroupDescription>Group -
The sticky bit must be set on all SUSE operating system world-writable directories.
<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of infor...Rule Medium Severity -
SRG-OS-000363-GPOS-00150
<GroupDescription></GroupDescription>Group -
Advanced Intrusion Detection Environment (AIDE) must verify the baseline SUSE operating system configuration at least weekly.
<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized ...Rule Medium Severity -
SRG-OS-000447-GPOS-00201
<GroupDescription></GroupDescription>Group -
The SUSE operating system must notify the System Administrator (SA) when AIDE discovers anomalies in the operation of any security functions.
<VulnDiscussion>If anomalies are not acted on, security functions may fail to secure the system. Security function is defined as the hardwa...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs).
<VulnDiscussion>ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.</V...Rule Low Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
The SUSE operating system file integrity tool must be configured to verify extended attributes.
<VulnDiscussion>Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.</Vuln...Rule Low Severity -
SRG-OS-000278-GPOS-00108
<GroupDescription></GroupDescription>Group -
The SUSE operating system file integrity tool must be configured to protect the integrity of the audit tools.
<VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit in...Rule Medium Severity -
SRG-OS-000366-GPOS-00153
<GroupDescription></GroupDescription>Group -
The SUSE operating system tool zypper must have gpgcheck enabled.
<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the SUSE operating system. This re...Rule Medium Severity -
SRG-OS-000437-GPOS-00194
<GroupDescription></GroupDescription>Group -
The SUSE operating system must remove all outdated software components after updated versions have been installed.
<VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed m...Rule Medium Severity -
SRG-OS-000378-GPOS-00163
<GroupDescription></GroupDescription>Group -
The SUSE operating system must disable the USB mass storage kernel module.
<VulnDiscussion>Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Per...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.