Definition of General System Security Profile SUSE Linux Enterprise 15 for sle15

SLES-15-150150015: Disable Mounting of cramfs

Description: None

Levels:

low

Automated: yes

Selections:

kernel_module_cramfs_disabled: Disable Mounting of cramfs

SLES-15-150150030: Disable Mounting of freevxfs

Description: None

Levels:

low

Automated: yes

Selections:

kernel_module_freevxfs_disabled: Disable Mounting of freevxfs

SLES-15-150150045: Disable Mounting of hfs

Description: None

Levels:

low

Automated: yes

Selections:

kernel_module_hfs_disabled: Disable Mounting of hfs

SLES-15-150150060: Disable Mounting of hfsplus

Description: None

Levels:

low

Automated: yes

Selections:

kernel_module_hfsplus_disabled: Disable Mounting of hfsplus

SLES-15-150150075: Disable Mounting of jffs2

Description: None

Levels:

low

Automated: yes

Selections:

kernel_module_jffs2_disabled: Disable Mounting of jffs2

SLES-15-150150090: Disable Mounting of overlayfs

Description: None

Levels:

low

Automated: yes

Selections:

kernel_module_overlayfs_disabled: Ensure overlayfs kernel module is not available

SLES-15-150150105: Disable Mounting of squashfs

Description: None

Levels:

low

Automated: yes

Selections:

kernel_module_squashfs_disabled: Disable Mounting of squashfs

SLES-15-150150120: Disable Mounting of udf

Description: None

Levels:

low

Automated: yes

Selections:

kernel_module_udf_disabled: Disable Mounting of udf

SLES-15-150150135: Disable Mounting of vFAT filesystems

Description: None

Levels:

low

Automated: yes

Selections:

kernel_module_vfat_disabled: Disable Mounting of vFAT filesystems

SLES-15-150150150: Ensure /tmp Located On Separate Partition

Description: None

Levels:

low

Automated: yes

Selections:

partition_for_tmp: Ensure /tmp Located On Separate Partition

SLES-15-150150165: Add nodev Option to /tmp

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_tmp_nodev: Add nodev Option to /tmp

SLES-15-150150180: Add nosuid Option to /tmp

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_tmp_nosuid: Add nosuid Option to /tmp

SLES-15-150150195: Add noexec Option to /tmp

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_tmp_noexec: Add noexec Option to /tmp

SLES-15-150150210: Ensure /dev/shm Located On Separate Partition

Description: None

Levels:

low

Automated: yes

Selections:

partition_for_dev_shm: Ensure /dev/shm is configured

SLES-15-150150225: Add nodev Option to /dev/shms

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_dev_shm_nodev: Add nodev Option to /dev/shm

SLES-15-150150240: Add nosuid Option to /dev/shm

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_dev_shm_nosuid: Add nosuid Option to /dev/shm

SLES-15-150150255: Add noexec Option to /dev/shm

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_dev_shm_noexec: Add noexec Option to /dev/shm

SLES-15-150150270: Ensure /home Located On Separate Partition

Description: None

Levels:

low

Automated: yes

Selections:

partition_for_home: Ensure /home Located On Separate Partition

SLES-15-150150285: Add nodev Option to /home

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_home_nodev: Add nodev Option to /home

SLES-15-150150300: Add nosuid Option to /home

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_home_nosuid: Add nosuid Option to /home

SLES-15-150150315: Ensure /var Located On Separate Partition

Description: None

Levels:

low

Automated: yes

Selections:

partition_for_var: Ensure /var Located On Separate Partition

SLES-15-150150330: Add nodev Option to /var

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_var_nodev: Add nodev Option to /var

SLES-15-150150345: Add nosuid Option to /var

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_var_nosuid: Add nosuid Option to /var

SLES-15-150150360: Ensure /var/tmp Located On Separate Partition

Description: None

Levels:

medium

Automated: yes

Selections:

partition_for_var_tmp: Ensure /var/tmp Located On Separate Partition

SLES-15-150150375: Add nodev Option to /var/tmp

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_var_tmp_nodev: Add nodev Option to /var/tmp

SLES-15-150150390: Add nosuid Option to /var/tmp

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_var_tmp_nosuid: Add nosuid Option to /var/tmp

SLES-15-150150405: Add noexec Option to /var/tmp

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_var_tmp_noexec: Add noexec Option to /var/tmp

SLES-15-150150420: Ensure /var/log Located On Separate Partition

Description: None

Levels:

low

Automated: yes

Selections:

partition_for_var_log: Ensure /var/log Located On Separate Partition

SLES-15-150150435: Add nodev Option to /var/log

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_var_log_nodev: Add nodev Option to /var/log

SLES-15-150150450: Add nosuid Option to /var/log

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_var_log_nosuid: Add nosuid Option to /var/log

SLES-15-150150465: Add noexec Option to /var/log

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_var_log_noexec: Add noexec Option to /var/log

SLES-15-150150480: Ensure /var/log/audit Located On Separate Partition

Description: None

Levels:

low

Automated: yes

Selections:

partition_for_var_log_audit: Ensure /var/log/audit Located On Separate Partition

SLES-15-150150495: Add nodev Option to /var/log/audit

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_var_log_audit_nodev: Add nodev Option to /var/log/audit

SLES-15-150150510: Add nosuid Option to /var/log/audit

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_var_log_audit_nosuid: Add nosuid Option to /var/log/audit

SLES-15-150150525: Add noexec Option to /var/log/audit

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_var_log_audit_noexec: Add noexec Option to /var/log/audit

SLES-15-150150540: Encrypt Partitions

Description: None

Levels:

high

Automated: yes

Selections:

encrypt_partitions: Encrypt Partitions

SLES-15-150300015: Configure GPG keys

Description: None

Levels:

medium

Automated: yes

Selections:

ensure_GPG_keys_are_configured: Ensure GPG keys are configured

SLES-15-150300030: Enable gpgcheck in Main Package Manager Configuration

Description: None

Levels:

high

Automated: yes

Selections:

ensure_gpgcheck_globally_activated: Ensure gpgcheck Enabled In Main zypper Configuration
ensure_gpgcheck_never_disabled: Ensure gpgcheck Enabled for All zypper Package Repositories

SLES-15-150300045: Ensure repo_gpgcheck is globally activated

Description: None

Levels:

high

Automated: no

No rules selected

SLES-15-150300060: Configure Package Manager Repositories

Description: None

Levels:

high

Automated: no

No rules selected

SLES-15-150300075: Ensure Software Patches Installed

Description: None

Levels:

medium

Automated: yes

Selections:

security_patches_up_to_date: Ensure Software Patches Installed

SLES-15-150450015: Install AppArmor

Description: None

Levels:

medium

Automated: yes

Selections:

package_apparmor_installed: Ensure AppArmor is installed

SLES-15-150450030: Ensure AppArmor is Active and Configured

Description: None

Levels:

medium

Automated: yes

Selections:

apparmor_configured: Ensure AppArmor is Active and Configured

SLES-15-150450045: All AppArmor Profiles are in enforce or complain mode

Description: None

Levels:

medium

Automated: yes

Selections:

all_apparmor_profiles_in_enforce_complain_mode: All AppArmor Profiles are in enforce or complain mode
var_apparmor_mode = complain

SLES-15-150450060: Enforce all AppArmor Profiles

Description: None

Levels:

medium

Automated: yes

Selections:

all_apparmor_profiles_enforced: Enforce all AppArmor Profiles

SLES-15-150600015: Set Boot Loader Password in grub2

Description: None

Levels:

high

Automated: yes

Selections:

grub2_password: Set Boot Loader Password in grub2
grub2_uefi_password: Set the UEFI Boot Loader Password

SLES-15-150600030: Configure Permissions on Bootloader Config

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_grub2_cfg: Verify /boot/grub2/grub.cfg Group Ownership
file_owner_grub2_cfg: Verify /boot/grub2/grub.cfg User Ownership
file_permissions_grub2_cfg: Verify /boot/grub2/grub.cfg Permissions

SLES-15-150750015: Enable Address Space Layout Randomization (ASLR)

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_kernel_randomize_va_space: Enable Randomized Layout of Virtual Address Space

SLES-15-150750030: Restrict Core Dumps for All Users

Description: None

Levels:

medium

Automated: yes

Selections:

coredump_disable_backtraces: Disable core dump backtraces
coredump_disable_storage: Disable storing core dump
disable_users_coredumps: Disable Core Dumps for All Users
sysctl_fs_suid_dumpable: Disable Core Dumps for SUID programs

SLES-15-150750060: Enable compile options for kernel security functions

Description: None

Levels:

medium

Automated: yes

Selections:

kernel_config_seccomp: Enable seccomp to safely compute untrusted bytecode
kernel_config_seccomp_filter: Enable use of Berkeley Packet Filter with seccomp
kernel_config_security: Enable different security models
kernel_config_security_writable_hooks: Disable mutable hooks
kernel_config_security_yama: Enable Yama support

SLES-15-150750180: Enable Kernel Parameter to Enforce DAC on Hardlinks and Softlinks

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_fs_protected_hardlinks: Enable Kernel Parameter to Enforce DAC on Hardlinks
sysctl_fs_protected_symlinks: Enable Kernel Parameter to Enforce DAC on Symlinks

SLES-15-150900015: Configure System Cryptography Policy

Description: None

Levels:

high

Automated: yes

Selections:

configure_crypto_policy: Configure System Cryptography Policy

SLES-15-150900030: Configure System Cryptography Policy not set to Legacy

Description: None

Levels:

high

Automated: yes

Selections:

configure_crypto_policy: Configure System Cryptography Policy
var_system_crypto_policy = default_nosha1

SLES-15-150900045: Configure SSH to use System Crypto Policy

Description: None

Levels:

medium

Automated: yes

Selections:

configure_ssh_crypto_policy: Configure SSH to use System Crypto Policy

SLES-15-150900105: Disables chacha20-poly1305 for ssh

Description: None

Levels:

medium

Automated: no

No rules selected

SLES-15-151050015: Modify the System Message of the Day Banner

Description: None

Levels:

medium

Automated: yes

Selections:

banner_etc_motd: Modify the System Message of the Day Banner
motd_banner_text = cis_banners

SLES-15-151050030: Modify the System Login Banner

Description: None

Levels:

medium

Automated: yes

Selections:

banner_etc_issue: Modify the System Login Banner
login_banner_text = cis_banners

SLES-15-151050045: Modify the System Login Banner for Remote Connections

Description: None

Levels:

medium

Automated: yes

Selections:

banner_etc_issue_net: Modify the System Login Banner for Remote Connections
remote_login_banner_text = cis_banners

SLES-15-151050060: Configure access to the Message of the Day Banner

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_etc_motd: Verify Group Ownership of Message of the Day Banner
file_owner_etc_motd: Verify ownership of Message of the Day Banner
file_permissions_etc_motd: Verify permissions on Message of the Day Banner

SLES-15-151050075: Configure access to the System Login Banner

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_etc_issue: Verify Group Ownership of System Login Banner
file_owner_etc_issue: Verify ownership of System Login Banner
file_permissions_etc_issue: Verify permissions on System Login Banner

SLES-15-151050090: Configure access to the System Login Banner for Remote Connections

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_etc_issue_net: Verify Group Ownership of System Login Banner for Remote Connections
file_owner_etc_issue_net: Verify ownership of System Login Banner for Remote Connections
file_permissions_etc_issue_net: Verify permissions on System Login Banner for Remote Connections

SLES-15-151200105: Remove the GDM Package Group

Description: None

Levels:

medium

Automated: yes

Selections:

package_gdm_removed: Remove the GDM Package Group

SLES-15-151200120: Configure GDM Login Banner

Description: None

Levels:

medium

Automated: yes

Selections:

dconf_gnome_banner_enabled: Enable GNOME3 Login Warning Banner
dconf_gnome_login_banner_text: Set the GNOME3 Login Warning Banner Text
login_banner_text = cis_default

SLES-15-151200135: Disable the GDM Login User List

Description: None

Levels:

medium

Automated: yes

Selections:

dconf_gnome_disable_user_list: Disable the GNOME3 Login User List

SLES-15-151200150: Lock the GDM Screen When the User is Idle

Description: None

Levels:

medium

Automated: yes

Selections:

dconf_gnome_screensaver_idle_delay: Set GNOME3 Screensaver Inactivity Timeout
dconf_gnome_screensaver_lock_delay: Set GNOME3 Screensaver Lock Delay After Activation Period
inactivity_timeout_value = 15_minutes
var_screensaver_lock_delay = 5_seconds

SLES-15-151200165: Ensure the User cannot override the GDM screen locks

Description: None

Levels:

medium

Automated: yes

Selections:

dconf_gnome_screensaver_user_locks: Ensure Users Cannot Change GNOME3 Screensaver Settings
dconf_gnome_session_idle_user_locks: Ensure Users Cannot Change GNOME3 Session Idle Settings

SLES-15-151200180: Disable the GDM automatic mounting of removable media

Description: None

Levels:

medium

Automated: yes

Selections:

dconf_gnome_disable_automount: Disable GNOME3 Automounting
dconf_gnome_disable_automount_open: Disable GNOME3 Automount Opening

SLES-15-151200210: Disable GDM Automount running

Description: None

Levels:

medium

Automated: yes

Selections:

dconf_gnome_disable_autorun: Disable GNOME3 Automount running

SLES-15-151200240: Disable XDMCP in GDM

Description: None

Levels:

high

Automated: yes

Selections:

gnome_gdm_disable_xdmcp: Disable XDMCP in GDM

SLES-15-300150015: Disable the Automounter

Description: None

Levels:

medium

Automated: yes

Selections:

kernel_module_usb-storage_disabled: Disable Modprobe Loading of USB Storage Driver
service_autofs_disabled: Disable the Automounter

SLES-15-300150030: Disable Avahi Server Software

Description: None

Levels:

medium

Automated: yes

Selections:

package_avahi-autoipd_removed: Uninstall avahi-autoipd Server Package
package_avahi_removed: Uninstall avahi Server Package
service_avahi-daemon_disabled: Disable Avahi Server Software

SLES-15-300150045: Disable DHCP Service

Description: None

Levels:

medium

Automated: yes

Selections:

package_dhcp_client_removed: Uninstall DHCP Client Package
package_dhcp_removed: Uninstall DHCP Server Package
service_dhcpd_disabled: Disable DHCP Service

SLES-15-300150060: Disable named Service

Description: None

Levels:

high

Automated: yes

Selections:

package_bind_removed: Uninstall bind Package
service_named_disabled: Disable named Service

SLES-15-300150075: Disable dnsmasq Service

Description: None

Levels:

medium

Automated: yes

Selections:

package_dnsmasq_removed: Uninstall dnsmasq Package
service_dnsmasq_disabled: Disable dnsmasq Service

SLES-15-300150090: Disable Samba

Description: None

Levels:

low

Automated: yes

Selections:

package_samba_removed: Uninstall Samba Package
service_smb_disabled: Disable Samba

SLES-15-300150105: Disable LDAP Server

Description: None

Levels:

medium

Automated: yes

Selections:

package_openldap-servers_removed: Uninstall openldap-servers Package
service_slapd_disabled: Disable LDAP Server (slapd)

SLES-15-300150120: Disable vsftpd Service

Description: None

Levels:

medium

Automated: yes

Selections:

package_vsftpd_removed: Uninstall vsftpd Package
service_vsftpd_disabled: Disable vsftpd Service

SLES-15-300150135: Disable Message Access Server Services

Description: None

Levels:

medium

Automated: yes

Selections:

package_cyrus-imapd_removed: Uninstall cyrus-imapd Package
package_dovecot_removed: Uninstall dovecot Package
service_dovecot_disabled: Disable Dovecot Service

SLES-15-300150150: Disable Network File System

Description: None

Levels:

medium

Automated: yes

Selections:

package_nfs-utils_removed: Uninstall nfs-utils Package
service_nfs_disabled: Disable Network File System (nfs)

SLES-15-300150165: Disable ypserv Service

Description: None

Levels:

high

Automated: yes

No rules selected

SLES-15-300150180: Disable the CUPS Service

Description: None

Levels:

medium

Automated: yes

Selections:

package_cups_removed: Uninstall CUPS Package
service_cups_disabled: Disable the CUPS Service

SLES-15-300150195: Disable rpcbind Service

Description: None

Levels:

low

Automated: yes

Selections:

package_rpcbind_removed: Uninstall rpcbind Package
service_rpcbind_disabled: Disable rpcbind Service

SLES-15-300150210: Disable rsyncd Service

Description: None

Levels:

medium

Automated: yes

Selections:

package_rsync_removed: Uninstall rsync Package
service_rsyncd_disabled: Ensure rsyncd service is disabled

SLES-15-300150225: Disable snmpd Service

Description: None

Levels:

low

Automated: yes

Selections:

package_net-snmp_removed: Uninstall net-snmp Package
service_snmpd_disabled: Disable snmpd Service

SLES-15-300150240: Disable telnet Service

Description: None

Levels:

high

Automated: yes

Selections:

package_telnet-server_removed: Uninstall telnet-server Package
service_telnet_disabled: Disable telnet Service

SLES-15-300150255: Disable tftp Service

Description: None

Levels:

high

Automated: yes

Selections:

package_tftp-server_removed: Uninstall tftp-server Package
service_tftp_disabled: Disable tftp Service

SLES-15-300150270: Disable Squid

Description: None

Levels:

medium

Automated: yes

Selections:

package_squid_removed: Uninstall squid Package
service_squid_disabled: Disable Squid

SLES-15-300150285: Disable httpd Service

Description: None

Levels:

medium

Automated: yes

Selections:

package_httpd_removed: Uninstall httpd Package
service_httpd_disabled: Disable httpd Service

SLES-15-300150300: Disable xinetd Service

Description: None

Levels:

medium

Automated: yes

Selections:

package_tcp_wrappers_removed: Uninstall tcpd Package
package_xinetd_removed: Uninstall xinetd Package
service_xinetd_disabled: Disable xinetd Service

SLES-15-300150315: Disable X window server services

Description: None

Levels:

medium

Automated: yes

Selections:

package_xorg-x11-server-common_removed: Remove the X Windows Package Group
xwindows_remove_packages: Disable graphical user interface

SLES-15-300150330: Disable Postfix Network Listening

Description: None

Levels:

medium

Automated: yes

Selections:

postfix_network_listening_disabled: Disable Postfix Network Listening
var_postfix_inet_interfaces = loopback-only

SLES-15-300150345: Disable not approved services to listen on a network interface

Description: None

Levels:

medium

Automated: no

No rules selected

SLES-15-300300015: Remove ftp Package

Description: None

Levels:

low

Automated: yes

Selections:

package_ftp_removed: Remove ftp Package

SLES-15-300300030: Remove LDAP clients

Description: None

Levels:

low

Automated: yes

Selections:

package_openldap-clients_removed: Ensure LDAP client is not installed

SLES-15-300300045: Remove NIS Client

Description: None

Levels:

medium

Automated: yes

Selections:

package_ypbind_removed: Remove NIS Client

SLES-15-300300060: Remove telnet Clients

Description: None

Levels:

low

Automated: yes

Selections:

package_telnet_removed: Remove telnet Clients

SLES-15-300300075: Remove tftp Daemon

Description: None

Levels:

low

Automated: yes

Selections:

package_tftp_removed: Remove tftp Daemon

SLES-15-300450015: The Chrony package is installed

Description: None

Levels:

medium

Automated: yes

Selections:

package_chrony_installed: The Chrony package is installed

SLES-15-300450030: Configure Systemd Timesyncd Servers

Description: None

Levels:

medium

Automated: yes

Selections:

service_timesyncd_configured: Configure Systemd Timesyncd Servers
service_timesyncd_root_distance_configured: Configure Systemd Timesyncd Root Distance Servers

SLES-15-300450045: Enable systemd_timesyncd Service

Description: None

Levels:

high

Automated: yes

Selections:

service_timesyncd_enabled: Enable systemd_timesyncd Service

SLES-15-300450060: Configure chrony

Description: None

Levels:

medium

Automated: yes

Selections:

chronyd_configure_pool_and_server: Chrony Configure Pool and Server
chronyd_run_as_chrony_user: Ensure that chronyd is running under chrony user account
var_multiple_time_pools = suse
var_multiple_time_servers = suse

SLES-15-300450075: Enable chrony

Description: None

Levels:

medium

Automated: yes

Selections:

service_chronyd_enabled: The Chronyd service is enabled

SLES-15-300450090: Configure Time Service Maxpoll Interval

Description: None

Levels:

medium

Automated: yes

Selections:

chronyd_or_ntpd_set_maxpoll: Configure Time Service Maxpoll Interval
var_time_service_set_maxpoll = 18_hours

SLES-15-300600015: Enable cron Service

Description: None

Levels:

medium

Automated: yes

Selections:

package_cron_installed: Install the cron service
service_cron_enabled: Enable cron Service

SLES-15-300600030: Configure permissions on /etc/crontab

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_crontab: Verify Group Who Owns Crontab
file_owner_crontab: Verify Owner on crontab

SLES-15-300600045: Configure permissions on /etc/cron.hourly

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_cron_hourly: Verify Group Who Owns cron.hourly
file_owner_cron_hourly: Verify Owner on cron.hourly
file_permissions_cron_hourly: Verify Permissions on cron.hourly

SLES-15-300600060: Configure permissions on /etc/cron.daily

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_cron_daily: Verify Group Who Owns cron.daily
file_permissions_cron_daily: Verify Permissions on cron.daily

SLES-15-300600075: Configure permissions on /etc/cron.weekly

Description: None

Levels:

high

Automated: yes

Selections:

file_groupowner_cron_weekly: Verify Group Who Owns cron.weekly
file_owner_cron_weekly: Verify Owner on cron.weekly
file_permissions_cron_weekly: Verify Permissions on cron.weekly

SLES-15-300600090: Configure permissions on /etc/cron.monthly

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_cron_monthly: Verify Group Who Owns cron.monthly
file_owner_cron_monthly: Verify Owner on cron.monthly
file_permissions_cron_monthly: Verify Permissions on cron.monthly

SLES-15-300600105: Set SSH MaxSessions limit

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_cron_d: Verify Group Who Owns cron.d
file_owner_cron_d: Verify Owner on cron.d
file_permissions_cron_d: Verify Permissions on cron.d

SLES-15-300600120: Configure cron permissions

Description: None

Levels:

medium

Automated: yes

Selections:

file_cron_allow_exists: Ensure that /etc/cron.allow exists
file_cron_deny_not_exist: Ensure that /etc/cron.deny does not exist
file_groupowner_cron_allow: Verify Group Who Owns /etc/cron.allow file
file_owner_cron_allow: Verify User Who Owns /etc/cron.allow file
file_permissions_cron_allow: Verify Permissions on /etc/cron.allow file

SLES-15-300600135: Configure at permissions

Description: None

Levels:

medium

Automated: yes

Selections:

file_at_deny_not_exist: Ensure that /etc/at.deny does not exist
file_groupowner_at_allow: Verify Group Who Owns /etc/at.allow file
file_owner_at_allow: Verify User Who Owns /etc/at.allow file
file_permissions_at_allow: Verify Permissions on /etc/at.allow file

SLES-15-450150015: Identify IPv6 status

Description: None

Levels:

medium

Automated: no

No rules selected

SLES-15-450150030: Deactivate Wireless Network Interfaces

Description: None

Levels:

medium

Automated: yes

Selections:

wireless_disable_interfaces: Deactivate Wireless Network Interfaces

SLES-15-450150045: Disable Bluetooth Service

Description: None

Levels:

medium

Automated: yes

Selections:

service_bluetooth_disabled: Disable Bluetooth Service

SLES-15-450300015: Disable DCCP Support

Description: None

Levels:

medium

Automated: yes

Selections:

kernel_module_dccp_disabled: Disable DCCP Support

SLES-15-450300030: Disable TIPC Support

Description: None

Levels:

low

Automated: yes

Selections:

kernel_module_tipc_disabled: Disable TIPC Support

SLES-15-450300045: Disable RDS Support

Description: None

Levels:

low

Automated: yes

Selections:

kernel_module_rds_disabled: Disable RDS Support

SLES-15-450300060: Disable SCTP Support

Description: None

Levels:

medium

Automated: yes

Selections:

kernel_module_sctp_disabled: Disable SCTP Support

SLES-15-450450015: Disable IP forwarding

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_net_ipv4_ip_forward: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
sysctl_net_ipv6_conf_all_forwarding: Disable Kernel Parameter for IPv6 Forwarding
sysctl_net_ipv6_conf_all_forwarding_value = disabled

SLES-15-450450030: Disable packet redirect sending

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_net_ipv4_conf_all_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
sysctl_net_ipv4_conf_default_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default

SLES-15-450450045: Ignore bogus ICMP error responses

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_net_ipv4_icmp_ignore_bogus_error_responses: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value = enabled

SLES-15-450450060: Ignore ICMP Broadcast Echo Requests

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_net_ipv4_icmp_echo_ignore_broadcasts: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value = enabled

SLES-15-450450075: Disable Accepting ICMP Redirects

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_net_ipv4_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv4 Interfaces
sysctl_net_ipv4_conf_all_accept_redirects_value = disabled
sysctl_net_ipv4_conf_default_accept_redirects: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
sysctl_net_ipv4_conf_default_accept_redirects_value = disabled
sysctl_net_ipv6_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv6 Interfaces
sysctl_net_ipv6_conf_all_accept_redirects_value = disabled
sysctl_net_ipv6_conf_default_accept_redirects: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
sysctl_net_ipv6_conf_default_accept_redirects_value = disabled

SLES-15-450450090: Disable Accepting Secure ICMP Redirects

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_net_ipv4_conf_all_secure_redirects: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
sysctl_net_ipv4_conf_all_secure_redirects_value = disabled
sysctl_net_ipv4_conf_default_secure_redirects: Configure Kernel Parameter for Accepting Secure Redirects By Default
sysctl_net_ipv4_conf_default_secure_redirects_value = disabled

SLES-15-450450105: Enable Reverse Path Filtering

Description: None

Levels:

medium

Automated: no

No rules selected

SLES-15-450450120: Disable Accepting Source-Routed Packets

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_net_ipv4_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
sysctl_net_ipv4_conf_all_accept_source_route_value = disabled
sysctl_net_ipv4_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
sysctl_net_ipv4_conf_default_accept_source_route_value = disabled
sysctl_net_ipv6_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
sysctl_net_ipv6_conf_all_accept_source_route_value = disabled
sysctl_net_ipv6_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
sysctl_net_ipv6_conf_default_accept_source_route_value = disabled

SLES-15-450450135: Enable Logging Martian Packets

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_net_ipv4_conf_all_log_martians: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces
sysctl_net_ipv4_conf_all_log_martians_value = enabled
sysctl_net_ipv4_conf_default_log_martians: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default
sysctl_net_ipv4_conf_default_log_martians_value = enabled

SLES-15-450450150: Enable TCP SYN Cookies

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_net_ipv4_tcp_syncookies: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
sysctl_net_ipv4_tcp_syncookies_value = enabled

SLES-15-450450165: Configure Accepting IPv6 Router Advertisements

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_net_ipv6_conf_all_accept_ra: Configure Accepting Router Advertisements on All IPv6 Interfaces
sysctl_net_ipv6_conf_all_accept_ra_value = disabled
sysctl_net_ipv6_conf_default_accept_ra: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
sysctl_net_ipv6_conf_default_accept_ra_value = disabled

SLES-15-450450180: Configure ARP filtering for All IPv4 Interfaces

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_net_ipv4_conf_all_arp_filter: Configure ARP filtering for All IPv4 Interfaces

SLES-15-450450195: Configure Response Mode of ARP Requests for All IPv4 Interfaces

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_net_ipv4_conf_all_arp_ignore: Configure Response Mode of ARP Requests for All IPv4 Interfaces

SLES-15-450450210: Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_net_ipv4_conf_all_route_localnet: Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces

SLES-15-450600030: Install firewalld Package

Description: None

Levels:

medium

Automated: yes

Selections:

package_firewalld_installed: Install firewalld Package

SLES-15-450600045: Configure unnecessary services and ports

Description: None

Levels:

medium

Automated: no

No rules selected

SLES-15-450600060: Configre firewalld loopback traffic

Description: None

Levels:

medium

Automated: no

No rules selected

SLES-15-450600075: Set Default firewalld Zone for Incoming Packets

Description: None

Levels:

medium

Automated: yes

Selections:

set_firewalld_default_zone: Set Default firewalld Zone for Incoming Packets

SLES-15-450600090: Enable firewalld service

Description: None

Levels:

medium

Automated: yes

Selections:

service_firewalld_enabled: Verify firewalld Enabled

SLES-15-600150015: Configure permissions on /etc/ssh/sshd_config

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_sshd_config: Verify Group Who Owns SSH Server config file
file_owner_sshd_config: Verify Owner on SSH Server config file
file_permissions_sshd_config: Verify Permissions on SSH Server config file

SLES-15-600150030: Verify Permissions on SSH Server Private *_key Key Files

Description: None

Levels:

medium

Automated: yes

Selections:

file_permissions_sshd_private_key: Verify Permissions on SSH Server Private *_key Key Files

SLES-15-600150045: Verify Permissions on SSH public host key files

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_cron_hourly: Verify Group Who Owns cron.hourly
file_owner_cron_hourly: Verify Owner on cron.hourly
file_permissions_cron_hourly: Verify Permissions on cron.hourly

SLES-15-600150060: Configure sshd Ciphers

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_approved_ciphers = cis_sle15
sshd_use_approved_ciphers: Use Only FIPS 140-2 Validated Ciphers
sshd_use_strong_ciphers: Use Only Strong Ciphers

SLES-15-600150075: Configure sshd KexAlgorithms

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_strong_kex = cis_sle15
sshd_use_strong_kex: Use Only Strong Key Exchange algorithms

SLES-15-600150090: Configure sshd MACs

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_approved_macs = cis_sle15
sshd_strong_macs = cis_sle15
sshd_use_approved_macs: Use Only FIPS 140-2 Validated MACs
sshd_use_strong_macs: Use Only Strong MACs

SLES-15-600150105: Configure sshd access

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_limit_user_access: Limit Users' SSH Access

SLEM-5-SMA-02100000: Verify No netrc Files Exist

Description: None

Levels:

medium

Automated: yes

Selections:

no_netrc_files: Verify No netrc Files Exist

SLES-15-600150120: Configure sshd Banner

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_enable_warning_banner: Enable SSH Warning Banner

SLES-15-600150135: Configure sshd ClientAliveInterval and ClientAliveCountMax

Description: None

Levels:

medium

Automated: yes

No rules selected

SLES-15-600150150: Disable sshd Forwarding

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_disable_tcp_forwarding: Disable SSH TCP Forwarding

SLES-15-600150165: Disable sshd GSSAPIAuthentication

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_disable_gssapi_auth: Disable GSSAPI Authentication

SLES-15-600150180: Disable sshd HostbasedAuthentication

Description: None

Levels:

medium

Automated: yes

Selections:

disable_host_auth: Disable Host-Based Authentication

SLES-15-600150195: Enable sshd IgnoreRhosts

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_disable_rhosts: Disable SSH Support for .rhosts Files

SLES-15-600150210: Configure sshd LoginGraceTime

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_set_login_grace_time: Ensure SSH LoginGraceTime is configured
var_sshd_set_login_grace_time = 60

SLES-15-600150225: Configure sshd LogLevel

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_set_loglevel_verbose: Set SSH Daemon LogLevel to VERBOSE

SLES-15-600150240: Configure sshd MaxAuthTries

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_max_auth_tries_value = 4
sshd_set_max_auth_tries: Set SSH authentication attempt limit

SLES-15-600150255: Configure sshd MaxStartups

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_set_maxstartups: Ensure SSH MaxStartups is configured
var_sshd_set_maxstartups = 10:30:60

SLES-15-600150270: Configure sshd MaxSession

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_set_max_sessions: Set SSH MaxSessions limit
var_sshd_max_sessions = 10

SLES-15-600150285: Disable sshd PermitEmptyPasswords

Description: None

Levels:

high

Automated: yes

Selections:

sshd_disable_empty_passwords: Disable SSH Access via Empty Passwords

SLES-15-600150300: Disable sshd PermitRootLogin

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_disable_root_login: Disable SSH Root Login

SLES-15-600150315: Disable sshd PermitUserEnvironment

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_do_not_permit_user_env: Do Not Allow SSH Environment Options

SLES-15-600150330: Enable sshd PAM

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_enable_pam: Enable PAM

SLES-15-600150345: Disable SSH Support for User Known Hosts

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_disable_user_known_hosts: Disable SSH Support for User Known Hosts

SLES-15-600150360: Disable X11 Forwarding

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_disable_x11_forwarding: Disable X11 Forwarding

SLES-15-600150375: Enable Use of Strict Mode Checking

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_enable_strictmodes: Enable Use of Strict Mode Checking

SLES-15-600150390: Enable SSH Print Last Log

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_print_last_log: Enable SSH Print Last Log

SLES-15-600150405: Allow Only SSH Protocol 2

Description: None

Levels:

high

Automated: yes

Selections:

sshd_allow_only_protocol2: Allow Only SSH Protocol 2

SLES-15-600150435: Disable Kerberos Authentication

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_disable_kerb_auth: Disable Kerberos Authentication

SLES-15-600300015: Install sudo Package

Description: None

Levels:

medium

Automated: yes

Selections:

package_sudo_installed: Install sudo Package

SLES-15-600300030: Ensure Only Users Logged In To Real tty Can Execute Sudo

Description: None

Levels:

medium

Automated: yes

Selections:

sudo_add_use_pty: Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty

SLES-15-600300045: Configure a sudo Custom logfile

Description: None

Levels:

low

Automated: yes

Selections:

sudo_custom_logfile: Ensure Sudo Logfile Exists - sudo logfile
var_sudo_logfile = var_log_sudo_log

SLES-15-600300060: Ensure Users Re-Authenticate for Privilege Escalation - sudo

Description: None

Levels:

medium

Automated: yes

Selections:

sudo_require_authentication: Ensure Users Re-Authenticate for Privilege Escalation - sudo

SLES-15-600300075: Require Re-Authentication When Using the sudo Command

Description: None

Levels:

medium

Automated: yes

Selections:

sudo_require_reauthentication: Require Re-Authentication When Using the sudo Command

SLES-15-600300090: Configure sudo authentication timeout

Description: None

Levels:

medium

Automated: yes

Selections:

sudo_require_reauthentication: Require Re-Authentication When Using the sudo Command
var_sudo_timestamp_timeout = 15_minutes

SLES-15-600300105: Restrict access to the su command

Description: None

Levels:

medium

Automated: yes

Selections:

ensure_pam_wheel_group_empty: Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty
use_pam_wheel_group_for_su: Enforce Usage of pam_wheel with Group Parameter for su Authentication
var_pam_wheel_group_for_su = cis

SLES-15-600300120: The operating system must restrict privilege elevation to authorized personnel

Description: None

Levels:

medium

Automated: yes

Selections:

sudo_restrict_privilege_elevation_to_authorized: The operating system must restrict privilege elevation to authorized personnel

SLES-15-600300135: Ensure sudo only includes the default configuration directory

Description: None

Levels:

medium

Automated: yes

Selections:

sudoers_default_includedir: Ensure sudo only includes the default configuration directory

SLES-15-600300150: Ensure sudo Runs In A Minimal Environment - sudo env_reset

Description: None

Levels:

medium

Automated: yes

Selections:

sudo_add_env_reset: Ensure sudo Runs In A Minimal Environment - sudo env_reset

SLES-15-600300165: Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot

Description: None

Levels:

medium

Automated: yes

Selections:

sudo_add_ignore_dot: Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot

SLES-15-600300180: Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC

Description: None

Levels:

high

Automated: yes

Selections:

sudo_add_noexec: Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC

SLES-15-600300195: Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty

Description: None

Levels:

medium

Automated: yes

Selections:

sudo_add_requiretty: Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty

SLES-15-600300210: Ensure sudo umask is appropriate - sudo umask

Description: None

Levels:

medium

Automated: yes

Selections:

sudo_add_umask: Ensure sudo umask is appropriate - sudo umask

SLES-15-600300225: Ensure a dedicated group owns sudo

Description: None

Levels:

medium

Automated: yes

Selections:

sudo_dedicated_group: Ensure a dedicated group owns sudo

SLES-15-600300240: Explicit arguments in sudo specifications

Description: None

Levels:

medium

Automated: yes

Selections:

sudoers_explicit_command_args: Explicit arguments in sudo specifications

SLES-15-600300255: Don't define allowed commands in sudoers by means of exclusion

Description: None

Levels:

medium

Automated: yes

Selections:

sudoers_no_command_negation: Don't define allowed commands in sudoers by means of exclusion

SLES-15-600300270: Don't target root user in the sudoers file

Description: None

Levels:

medium

Automated: yes

Selections:

sudoers_no_root_target: Don't target root user in the sudoers file

SLES-15-600450030: Configure lockout for failed password attempts

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts
var_accounts_passwords_pam_faillock_deny = 5

SLES-15-600450045: Configure password unlock time

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts
var_accounts_passwords_pam_faillock_unlock_time = 900

SLES-15-600450060: Configure the root Account for Failed Password Attempts

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_passwords_pam_faillock_deny_root: Configure the root Account for Failed Password Attempts

SLES-15-600450090: Configure password number of changed characters

Description: None

Levels:

medium

Automated: yes

Selections:

cracklib_accounts_password_pam_difok: Set Password Strength Minimum Different Characters
var_password_pam_difok = 2

SLES-15-600450105: Configure password length

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
var_password_pam_minlen = 14

SLES-15-600450120: Configure password complexity

Description: None

Levels:

medium

Automated: yes

Selections:

cracklib_accounts_password_pam_dcredit: Set Password Strength Minimum Digit Characters
cracklib_accounts_password_pam_lcredit: Set Password Strength Minimum Lowercase Characters
cracklib_accounts_password_pam_ocredit: Set Password Strength Minimum Special Characters
cracklib_accounts_password_pam_ucredit: Set Password Strength Minimum Uppercase Characters
var_password_pam_dcredit = 1
var_password_pam_lcredit = 1
var_password_pam_ocredit = 1
var_password_pam_ucredit = 1

SLES-15-600450180: Configure password history remember

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_password_pam_pwhistory_remember: Limit Password Reuse
var_password_pam_remember = 5

SLES-15-600450225: Prevent Login to Accounts With Empty Password

Description: None

Levels:

high

Automated: yes

Selections:

no_empty_passwords: Prevent Login to Accounts With Empty Password

SLES-15-600450255: Set PAM's Password Hashing Algorithm

Description: None

Levels:

medium

Automated: yes

Selections:

set_password_hashing_algorithm_passwordauth: Set PAM''s Password Hashing Algorithm - password-auth
set_password_hashing_algorithm_systemauth: Set PAM''s Password Hashing Algorithm
var_password_hashing_algorithm_pam = sha512

SLES-15-600600015: Configure password expiration

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_maximum_age_login_defs: Set Password Maximum Age
accounts_password_set_max_life_existing: Set Existing Passwords Maximum Age
var_accounts_maximum_age_login_defs = 365

SLES-15-600600030: Configure minimum password days

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_minimum_age_login_defs: Set Password Minimum Age
accounts_password_set_min_life_existing: Set Existing Passwords Minimum Age
var_accounts_minimum_age_login_defs = 1

SLES-15-600600045: Configure password expiration warning days

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_password_set_warn_age_existing: Set Existing Passwords Warning Age
accounts_password_warn_age_login_defs: Set Password Warning Age
var_accounts_password_warn_age_login_defs = 7

SLES-15-600600060: Configure strong password hashing algorithm

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_password_all_shadowed_sha512: Verify All Account Password Hashes are Shadowed with SHA512
set_password_hashing_algorithm_logindefs: Set Password Hashing Algorithm in /etc/login.defs

SLES-15-600600075: Configure inactive password lock

Description: None

Levels:

medium

Automated: yes

Selections:

account_disable_post_pw_expiration: Set Account Expiration Following Inactivity
accounts_set_post_pw_existing: Set existing passwords a period of inactivity before they been locked
var_account_disable_post_pw_expiration = 30

SLES-15-600600090: Ensure all users last password change date is in the past

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_password_last_change_is_in_past: Ensure all users last password change date is in the past

SLES-15-600600105: Verify Only Root Has UID 0

Description: None

Levels:

high

Automated: yes

Selections:

accounts_no_uid_except_zero: Verify Only Root Has UID 0

SLES-15-600600120: Verify Root Has A Primary GID 0

Description: None

Levels:

high

Automated: yes

Selections:

accounts_root_gid_zero: Verify Root Has A Primary GID 0

SLES-15-600600135: Verify Only Group Root Has GID 0

Description: None

Levels:

high

Automated: yes

Selections:

groups_no_zero_gid_except_root: Verify Only Group Root Has GID 0

SLES-15-600600150: Ensure Authentication Required for with Single User Mode

Description: None

Levels:

medium

Automated: yes

Selections:

ensure_root_password_configured: Ensure Authentication Required for Single User Mode

SLES-15-600600165: Verify root path integrity

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_root_path_dirs_no_write: Ensure that Root's Path Does Not Include World or Group-Writable Directories
root_path_no_dot: Ensure that Root's Path Does Not Include Relative Paths or Null Directories

SLES-15-600600180: Ensure the Root Bash Umask is Set Correctly

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_umask_root: Ensure the Root Bash Umask is Set Correctly

SLES-15-600600195: Verify system accounts do not have a valid login shell

Description: None

Levels:

medium

Automated: yes

Selections:

no_password_auth_for_systemaccounts: Ensure that System Accounts Are Locked
no_shelllogin_for_systemaccounts: Ensure that System Accounts Do Not Run a Shell Upon Login

SLES-15-600600210: Verify Non-Interactive Accounts Are Locked

Description: None

Levels:

medium

Automated: yes

Selections:

no_invalid_shell_accounts_unlocked: Verify Non-Interactive Accounts Are Locked

SLES-15-600600215: Only Authorized Local User Accounts Exist on Operating System

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_authorized_local_users: Only Authorized Local User Accounts Exist on Operating System
var_accounts_authorized_local_users_regex = sle15

SLES-15-600600225: Ensure nologin Shell is Not Listed in /etc/shells

Description: None

Levels:

medium

Automated: yes

Selections:

no_nologin_in_shells: Ensure nologin Shell is Not Listed in /etc/shells

SLES-15-600600240: Configure default user shell timeout

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_tmout: Set Interactive Session Timeout
var_accounts_tmout = 15_min

SLES-15-600600255: Configure default user umask

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_umask_etc_bashrc: Ensure the Default Bash Umask is Set Correctly
accounts_umask_etc_login_defs: Ensure the Default Umask is Set Correctly in login.defs
accounts_umask_etc_profile: Ensure the Default Umask is Set Correctly in /etc/profile
var_accounts_user_umask = 027

SLES-15-600600270: Ensure Home Directories are Created for New Users

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_have_homedir_login_defs: Ensure Home Directories are Created for New Users

SLES-15-600600285: Limit the Number of Concurrent Login Sessions Allowed Per User

Description: None

Levels:

low

Automated: yes

Selections:

accounts_max_concurrent_login_sessions: Limit the Number of Concurrent Login Sessions Allowed Per User

SLES-15-600600300: Ensure that Users Path Contains Only Local Directories

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_user_home_paths_only: Ensure that Users Path Contains Only Local Directories

SLES-15-600600315: Install Smart Card Packages For Multifactor Authentication

Description: None

Levels:

medium

Automated: yes

Selections:

install_smartcard_packages: Install Smart Card Packages For Multifactor Authentication

SLES-15-600600330: Enable Smart Card Logins in PAM

Description: None

Levels:

medium

Automated: yes

Selections:

smartcard_pam_enabled: Enable Smart Card Logins in PAM

SLES-15-600600345: Configure Smart Card Certificate Authority Validation

Description: None

Levels:

medium

Automated: yes

Selections:

smartcard_configure_ca: Configure Smart Card Certificate Authority Validation

SLES-15-600600360: Title

Description: None

Levels:

medium

Automated: yes

Selections:

smartcard_configure_cert_checking: Configure Smart Card Certificate Status Checking

SLES-15-750150015: Install AIDE

Description: None

Levels:

medium

Automated: yes

Selections:

aide_build_database: Build and Test AIDE Database
package_aide_installed: Install AIDE

SLES-15-750150030: Configure Systemd Timer Execution of AIDE

Description: None

Levels:

medium

Automated: yes

Selections:

aide_periodic_checking_systemd_timer: Configure Systemd Timer Execution of AIDE

SLES-15-750150045: Configure AIDE to Verify the Audit Tools

Description: None

Levels:

medium

Automated: yes

Selections:

aide_check_audit_tools: Configure AIDE to Verify the Audit Tools

SLES-15-750300015: Enable systemd-journald Service

Description: None

Levels:

medium

Automated: yes

Selections:

service_systemd-journald_enabled: Enable systemd-journald Service

SLES-15-750300030: Configure journald log file access

Description: None

Levels:

medium

Automated: no

No rules selected

SLES-15-750300045: Configure ournald log file rotation

Description: None

Levels:

medium

Automated: no

No rules selected

SLES-15-750300060: Ensure One Logging Service Is In Use

Description: None

Levels:

medium

Automated: yes

Selections:

logging_services_active: Ensure One Logging Service Is In Use

SLES-15-750300075: Install systemd-journal-remote

Description: None

Levels:

medium

Automated: yes

Selections:

package_systemd-journal-remote_installed: Install systemd-journal-remote Package

SLES-15-750300090: Configure systemd-journal-upload authentication

Description: None

Levels:

medium

Automated: yes

Selections:

systemd_journal_upload_server_tls: Configure systemd-journal-upload TLS parameters: ServerKeyFile, ServerCertificateFile and TrustedCertificateFile
systemd_journal_upload_url: Configure systemd-journal-upload URL

SLES-15-750300105: Enable systemd-journal-upload Service

Description: None

Levels:

medium

Automated: yes

Selections:

service_systemd-journal-upload_enabled: Enable systemd-journal-upload Service

SLES-15-750300120: Disable systemd-journal-remote Socket

Description: None

Levels:

medium

Automated: yes

Selections:

socket_systemd-journal-remote_disabled: Disable systemd-journal-remote Socket

SLES-15-750300135: Disable journald ForwardToSyslog

Description: None

Levels:

medium

Automated: yes

Selections:

journald_disable_forward_to_syslog: Ensure journald ForwardToSyslog is disabled

SLES-15-750300150: Configure journald Compress

Description: None

Levels:

medium

Automated: yes

Selections:

journald_compress: Ensure journald is configured to compress large log files

SLES-15-750300165: Configure journald Storage

Description: None

Levels:

medium

Automated: yes

Selections:

journald_storage: Ensure journald is configured to write log files to persistent disk

SLES-15-750300180: Verify Logs Sent To Remote Host

Description: None

Levels:

medium

Automated: yes

Selections:

rsyslog_remote_loghost: Ensure Logs Sent To Remote Host

SLES-15-750300195: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server

Description: None

Levels:

medium

Automated: yes

Selections:

rsyslog_nolisten: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server

SLES-15-750300210: Ensure rsyslog is Installed

Description: None

Levels:

medium

Automated: yes

Selections:

package_rsyslog_installed: Ensure rsyslog is Installed

SLES-15-750300225: Enable rsyslog Service

Description: None

Levels:

medium

Automated: yes

Selections:

service_rsyslog_enabled: Enable rsyslog Service

SLES-15-750300240: Configure journald to send logs to rsyslog

Description: None

Levels:

medium

Automated: yes

Selections:

journald_forward_to_syslog: Ensure journald is configured to send logs to rsyslog

SLES-15-750300255: Configure rsyslog Default File Permissions

Description: None

Levels:

medium

Automated: yes

Selections:

rsyslog_filecreatemode: Ensure rsyslog Default File Permissions Configured

SLES-15-750300270: Configure rsyslog logging

Description: None

Levels:

medium

Automated: yes

Selections:

rsyslog_logging_configured: Ensure logging is configured

SLES-15-750300285: Configure rsyslog logrotate

Description: None

Levels:

medium

Automated: yes

Selections:

ensure_logrotate_activated: Ensure Logrotate Runs Periodically
package_logrotate_installed: Ensure logrotate is Installed
timer_logrotate_enabled: Enable logrotate Timer

SLES-15-750300300: Configure access to all logfiles has been

Description: None

Levels:

medium

Automated: yes

Selections:

rsyslog_files_groupownership: Ensure Log Files Are Owned By Appropriate Group
rsyslog_files_ownership: Ensure Log Files Are Owned By Appropriate User
rsyslog_files_permissions: Ensure System Log Files Have Correct Permissions

SLES-15-750450015: Ensure the audit Subsystem is Installed

Description: None

Levels:

medium

Automated: yes

Selections:

package_audit-libs_installed: Ensure the libaudit1 package as a part of audit Subsystem is Installed
package_audit_installed: Ensure the audit Subsystem is Installed

SLES-15-750450030: Enable Auditing for Processes Which Start Prior to the Audit Daemon

Description: None

Levels:

low

Automated: yes

Selections:

grub2_audit_argument: Enable Auditing for Processes Which Start Prior to the Audit Daemon

SLES-15-750450045: Extend Audit Backlog Limit for the Audit Daemon

Description: None

Levels:

low

Automated: yes

Selections:

grub2_audit_backlog_limit_argument: Extend Audit Backlog Limit for the Audit Daemon

SLES-15-750450060: Enable auditd Service

Description: None

Levels:

medium

Automated: yes

Selections:

service_auditd_enabled: Enable auditd Service

SLES-15-750450075: Configure auditd Max Log File Size

Description: None

Levels:

medium

Automated: yes

Selections:

auditd_data_retention_max_log_file: Configure auditd Max Log File Size
var_auditd_max_log_file = 6

SLES-15-750450090: Configure auditd max_log_file_action Upon Reaching Maximum Log Size

Description: None

Levels:

medium

Automated: yes

Selections:

auditd_data_retention_max_log_file_action: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
var_auditd_max_log_file_action = keep_logs

SLES-15-750450105: Disable the system when audit logs are full

Description: None

Levels:

medium

Automated: yes

Selections:

auditd_data_retention_action_mail_acct: Configure auditd mail_acct Action on Low Disk Space
auditd_data_retention_admin_space_left_action: Configure auditd admin_space_left Action on Low Disk Space
auditd_data_retention_space_left_action: Configure auditd space_left Action on Low Disk Space
var_auditd_action_mail_acct = root
var_auditd_admin_space_left_action = halt
var_auditd_space_left_action = email

SLES-15-750450120: Configure auditd mail_acct Action on Low Disk Space

Description: None

Levels:

medium

Automated: yes

Selections:

auditd_data_retention_action_mail_acct: Configure auditd mail_acct Action on Low Disk Space
auditd_data_retention_admin_space_left_action: Configure auditd admin_space_left Action on Low Disk Space
auditd_data_retention_space_left_action: Configure auditd space_left Action on Low Disk Space
var_auditd_action_mail_acct = root
var_auditd_admin_space_left_action = cis_sle15
var_auditd_space_left_action = cis_sle15

SLES-15-750450135: Ensure auditd Collects System Administrator Actions

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_sysadmin_actions: Ensure auditd Collects System Administrator Actions

SLES-15-750450150: Record Events When Executables Are Run As Another User

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_suid_auid_privilege_function: Record Events When Executables Are Run As Another User

SLES-15-750450165: Record Attempts to perform maintenance activities

Description: None

Levels:

medium

Automated: yes

Selections:

audit_sudo_log_events: Record Attempts to perform maintenance activities

SLES-15-750450180: Record attempts to alter the date and time

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_time_adjtimex: Record attempts to alter time through adjtimex
audit_rules_time_settimeofday: Record attempts to alter time through settimeofday
audit_rules_time_stime: Record Attempts to Alter Time Through stime
audit_rules_time_watch_localtime: Record Attempts to Alter the localtime File

SLES-15-750450195: Record Events that Modify the System's Network Environment

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_networkconfig_modification: Record Events that Modify the System's Network Environment

SLES-15-750450210: Record Events of Use of Privileged Commands

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_privileged_commands: Ensure auditd Collects Information on the Use of Privileged Commands

SLES-15-750450225: Record Events of unsuccessful file access attempts

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_unsuccessful_file_modification_creat: Record Unsuccessful Access Attempts to Files - creat
audit_rules_unsuccessful_file_modification_ftruncate: Record Unsuccessful Access Attempts to Files - ftruncate
audit_rules_unsuccessful_file_modification_open: Record Unsuccessful Access Attempts to Files - open
audit_rules_unsuccessful_file_modification_openat: Record Unsuccessful Access Attempts to Files - openat
audit_rules_unsuccessful_file_modification_truncate: Record Unsuccessful Access Attempts to Files - truncate

SLES-15-750450240: Record Events that modify user/group information

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow
audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd
audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow

SLES-15-750450255: Record Events of discretionary access control permission modification

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_dac_modification_chmod: Record Events that Modify the System's Discretionary Access Controls - chmod
audit_rules_dac_modification_chown: Record Events that Modify the System's Discretionary Access Controls - chown
audit_rules_dac_modification_fchmod: Record Events that Modify the System's Discretionary Access Controls - fchmod
audit_rules_dac_modification_fchmodat: Record Events that Modify the System's Discretionary Access Controls - fchmodat
audit_rules_dac_modification_fchown: Record Events that Modify the System's Discretionary Access Controls - fchown
audit_rules_dac_modification_fchownat: Record Events that Modify the System's Discretionary Access Controls - fchownat
audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr
audit_rules_dac_modification_fsetxattr: Record Events that Modify the System's Discretionary Access Controls - fsetxattr
audit_rules_dac_modification_lchown: Record Events that Modify the System's Discretionary Access Controls - lchown
audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
audit_rules_dac_modification_lsetxattr: Record Events that Modify the System's Discretionary Access Controls - lsetxattr
audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
audit_rules_dac_modification_setxattr: Record Events that Modify the System's Discretionary Access Controls - setxattr

SLES-15-750450270: Ensure auditd Collects Information on Exporting to Media (successful)

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_media_export: Ensure auditd Collects Information on Exporting to Media (successful)

SLES-15-750450285: Record Attempts to Alter Process and Session Initiation Information

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_session_events: Record Attempts to Alter Process and Session Initiation Information

SLES-15-750450300: Record Attempts to Alter Logon and Logout Events

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_login_events_faillog: Record Attempts to Alter Logon and Logout Events - faillog
audit_rules_login_events_lastlog: Record Attempts to Alter Logon and Logout Events - lastlog
audit_rules_login_events_tallylog: Record Attempts to Alter Logon and Logout Events - tallylog

SLES-15-750450315: Ensure auditd Collects File Deletion Events by User

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_file_deletion_events_rename: Ensure auditd Collects File Deletion Events by User - rename
audit_rules_file_deletion_events_renameat: Ensure auditd Collects File Deletion Events by User - renameat
audit_rules_file_deletion_events_unlink: Ensure auditd Collects File Deletion Events by User - unlink
audit_rules_file_deletion_events_unlinkat: Ensure auditd Collects File Deletion Events by User - unlinkat

SLES-15-750450330: Record Events that Modify the System''s Mandatory Access Controls

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_mac_modification: Record Events that Modify the System's Mandatory Access Controls
audit_rules_mac_modification_usr_share: Record Events that Modify the System's Mandatory Access Controls in usr/share

SLES-15-750450345: Record Any Attempts to Run chcon

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_execution_chcon: Record Any Attempts to Run chcon

SLES-15-750450360: Record Any Attempts to Run setfacl

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_execution_setfacl: Record Any Attempts to Run setfacl

SLES-15-750450375: Record Any Attempts to Run chacl

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_execution_chacl: Record Any Attempts to Run chacl

SLES-15-750450390: Ensure auditd Collects Information on the Use of Privileged Commands - usermod

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_privileged_commands_usermod: Ensure auditd Collects Information on the Use of Privileged Commands - usermod

SLES-15-750450405: Ensure auditd Collects Information on the Use of Privileged Commands

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_kernel_module_loading: Ensure auditd Collects Information on Kernel Module Loading and Unloading
audit_rules_kernel_module_loading_delete: Ensure auditd Collects Information on Kernel Module Unloading - delete_module
audit_rules_kernel_module_loading_init: Ensure auditd Collects Information on Kernel Module Loading - init_module
audit_rules_privileged_commands_insmod: Ensure auditd Collects Information on the Use of Privileged Commands - insmod
audit_rules_privileged_commands_modprobe: Ensure auditd Collects Information on the Use of Privileged Commands - modprobe
audit_rules_privileged_commands_rmmod: Ensure auditd Collects Information on the Use of Privileged Commands - rmmod

SLES-15-750450420: Make the auditd Configuration Immutable

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_immutable: Make the auditd Configuration Immutable

SLES-15-750450435: Verify that the running and on disk configuration is the same

Description: None

Levels:

medium

Automated: no

No rules selected

SLES-15-750450450: Remove Default Configuration to Disable Syscall Auditing

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_enable_syscall_auditing: Remove Default Configuration to Disable Syscall Auditing

SLES-15-750450465: Ensure auditd Collects Information on the Use of Privileged Commands - chage

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_privileged_commands_chage: Ensure auditd Collects Information on the Use of Privileged Commands - chage

SLES-15-750450480: Ensure auditd Collects Information on the Use of Privileged Commands - chfn

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_privileged_commands_chfn: Ensure auditd Collects Information on the Use of Privileged Commands - chfn

SLES-15-750450495: Ensure auditd Collects Information on the Use of Privileged Commands - chsh

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_privileged_commands_chsh: Ensure auditd Collects Information on the Use of Privileged Commands - chsh

SLES-15-750450510: Ensure auditd Collects Information on the Use of Privileged Commands - crontab

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_privileged_commands_crontab: Ensure auditd Collects Information on the Use of Privileged Commands - crontab

SLES-15-750450525: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_privileged_commands_newgrp: Ensure auditd Collects Information on the Use of Privileged Commands - newgrp

SLES-15-750450540: System Audit Logs Must Have Mode 0750 or Less Permissive

Description: None

Levels:

medium

Automated: yes

Selections:

directory_permissions_var_log_audit: System Audit Logs Must Have Mode 0750 or Less Permissive

SLES-15-750450555: System Audit Logs Must Have Mode 0640 or Less Permissive

Description: None

Levels:

medium

Automated: yes

Selections:

file_permissions_var_log_audit: System Audit Logs Must Have Mode 0640 or Less Permissive

SLES-15-750450570: System Audit Logs Must Be Owned By Root

Description: None

Levels:

medium

Automated: yes

Selections:

file_ownership_var_log_audit_stig: System Audit Logs Must Be Owned By Root

SLES-15-750450585: System Audit Logs Must Be Group Owned By Root

Description: None

Levels:

medium

Automated: yes

Selections:

file_group_ownership_var_log_audit: System Audit Logs Must Be Group Owned By Root

SLES-15-750450600: Audit Configuration Files Permissions are 640 or More Restrictive

Description: None

Levels:

medium

Automated: yes

Selections:

file_permissions_audit_configuration: Audit Configuration Files Permissions are 640 or More Restrictive

SLES-15-750450615: Audit Configuration Files Must Be Owned By Root

Description: None

Levels:

medium

Automated: yes

Selections:

file_ownership_audit_configuration: Audit Configuration Files Must Be Owned By Root

SLES-15-750450630: Audit Configuration Files Must Be Owned By Group root

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupownership_audit_configuration: Audit Configuration Files Must Be Owned By Group root

SLES-15-750450645: Verify that audit tools Have Mode 0755 or less

Description: None

Levels:

medium

Automated: yes

Selections:

file_permissions_audit_binaries: Verify that audit tools Have Mode 0755 or less

SLES-15-750450660: Verify that audit tools are owned by root

Description: None

Levels:

medium

Automated: yes

Selections:

file_ownership_audit_binaries: Verify that audit tools are owned by root

SLES-15-750450675: Verify that audit tools are owned by group root

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupownership_audit_binaries: Verify that audit tools are owned by group root

SLES-15-750450690: Record Any Attempts to Run ssh-agent

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_privileged_commands_ssh_agent: Record Any Attempts to Run ssh-agent

SLES-15-750450705: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_privileged_commands_ssh_keysign: Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign

SLES-15-900150000: Verify and Correct File Permissions and Ownership with RPM

Description: None

Levels:

high

Automated: yes

Selections:

rpm_verify_ownership: Verify and Correct Ownership with RPM
rpm_verify_permissions: Verify and Correct File Permissions with RPM

SLES-15-900150015: Configure access to /etc/passwd

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_etc_gshadow: Verify Group Who Owns gshadow File
file_groupowner_etc_passwd: Verify Group Who Owns passwd File
file_owner_etc_gshadow: Verify User Who Owns gshadow File
file_owner_etc_passwd: Verify User Who Owns passwd File
file_permissions_etc_gshadow: Verify Permissions on gshadow File
file_permissions_etc_passwd: Verify Permissions on passwd File

SLES-15-900150030: Configure access to /etc/passwd-

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_backup_etc_gshadow: Verify Group Who Owns Backup gshadow File
file_groupowner_backup_etc_passwd: Verify Group Who Owns Backup passwd File
file_owner_backup_etc_gshadow: Verify User Who Owns Backup gshadow File
file_owner_backup_etc_passwd: Verify User Who Owns Backup passwd File
file_permissions_backup_etc_gshadow: Verify Permissions on Backup gshadow File
file_permissions_backup_etc_passwd: Verify Permissions on Backup passwd File

SLES-15-900150045: Configure access to /etc/group

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_etc_group: Verify Group Who Owns group File
file_owner_etc_group: Verify User Who Owns group File
file_permissions_etc_group: Verify Permissions on group File

SLES-15-900150060: Configure access to /etc/group-

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_backup_etc_group: Verify Group Who Owns Backup group File
file_owner_backup_etc_group: Verify User Who Owns Backup group File
file_permissions_backup_etc_group: Verify Permissions on Backup group File

SLES-15-900150075: Configure access to /etc/shadow

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_etc_shadow: Verify Group Who Owns shadow File
file_owner_etc_shadow: Verify User Who Owns shadow File
file_permissions_etc_shadow: Verify Permissions on shadow File

SLES-15-900150090: Configure access to /etc/shadow-

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_backup_etc_shadow: Verify User Who Owns Backup shadow File
file_owner_backup_etc_shadow: Verify Group Who Owns Backup shadow File
file_permissions_backup_etc_shadow: Verify Permissions on Backup shadow File

SLES-15-900150105: Configure access to /etc/gshadow

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_etc_gshadow: Verify Group Who Owns gshadow File
file_owner_etc_gshadow: Verify User Who Owns gshadow File
file_permissions_etc_gshadow: Verify Permissions on gshadow File

SLES-15-900150120: Configure access to /etc/gshadow-

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_backup_etc_gshadow: Verify Group Who Owns Backup gshadow File
file_owner_backup_etc_gshadow: Verify User Who Owns Backup gshadow File
file_permissions_backup_etc_gshadow: Verify Permissions on Backup gshadow File

SLES-15-900150135: Configure access to /etc/shells

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_etc_shells: Verify Group Who Owns /etc/shells File
file_owner_etc_shells: Verify Who Owns /etc/shells File
file_permissions_etc_shells: Verify Permissions on /etc/shells File

SLES-15-900150150: Configure access to /etc/security/opasswd

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_etc_security_opasswd: Verify Group Who Owns /etc/security/opasswd File
file_groupowner_etc_security_opasswd_old: Verify Group Who Owns /etc/security/opasswd.old File
file_owner_etc_security_opasswd: Verify User Who Owns /etc/security/opasswd File
file_owner_etc_security_opasswd_old: Verify User Who Owns /etc/security/opasswd.old File
file_permissions_etc_security_opasswd: Verify Permissions on /etc/security/opasswd File
file_permissions_etc_security_opasswd_old: Verify Permissions on /etc/security/opasswd.old File

SLES-15-900150165: Verify that No World-Writable Files Exist

Description: None

Levels:

medium

Automated: yes

Selections:

file_permissions_unauthorized_world_writable: Ensure No World-Writable Files Exist

SLES-15-900150180: Verify that All Files Are Owned by a User

Description: None

Levels:

medium

Automated: yes

Selections:

no_files_unowned_by_user: Ensure All Files Are Owned by a User

SLES-15-900150195: Ensure All SUID Executables Are Authorized

Description: None

Levels:

medium

Automated: yes

Selections:

file_permissions_unauthorized_suid: Ensure All SUID Executables Are Authorized

SLES-15-900150210: Verify access to /etc/ipsec

Description: None

Levels:

medium

Automated: yes

Selections:

directory_groupowner_etc_ipsecd: Verify Group Who Owns /etc/ipsec.d Directory
directory_owner_etc_ipsecd: Verify User Who Owns /etc/ipsec.d Directory
directory_permissions_etc_ipsecd: Verify Permissions On /etc/ipsec.d Directory
file_groupowner_etc_ipsec_conf: Verify Group Who Owns /etc/ipsec.conf File
file_groupowner_etc_ipsec_secrets: Verify Group Who Owns /etc/ipsec.secrets File

SLES-15-900150225: Verify access to /etc/nftables

Description: None

Levels:

medium

Automated: yes

Selections:

directory_groupowner_etc_nftables: Verify Group Who Owns /etc/nftables Directory
directory_owner_etc_nftables: Verify User Who Owns /etc/nftables Directory
directory_permissions_etc_nftables: Verify Permissions On /etc/nftables Directory

SLES-15-900150240: Verify access to /etc/selinux

Description: None

Levels:

medium

Automated: yes

Selections:

directory_groupowner_etc_selinux: Verify Group Who Owns /etc/selinux Directory
directory_owner_etc_selinux: Verify User Who Owns /etc/selinux Directory
directory_permissions_etc_selinux: Verify Permissions On /etc/selinux Directory

SLES-15-900150255: Verify access to /etc/sudoers.d

Description: None

Levels:

medium

Automated: yes

Selections:

directory_groupowner_etc_sudoersd: Verify Group Who Owns /etc/sudoers.d Directory
directory_owner_etc_sudoersd: Verify User Who Owns /etc/sudoers.d Directory
directory_permissions_etc_sudoersd: Verify Permissions On /etc/sudoers.d Directory

SLES-15-900150270: Verify access to /etc/sysctl.d

Description: None

Levels:

medium

Automated: yes

Selections:

directory_groupowner_etc_sysctld: Verify Group Who Owns /etc/sysctl.d Directory
directory_owner_etc_sysctld: Verify User Who Owns /etc/sysctl.d Directory
directory_permissions_etc_sysctld: Verify Permissions On /etc/sysctl.d Directory

SLES-15-900300015: Verify All Account Password Hashes are Shadowed

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_password_all_shadowed: Verify All Account Password Hashes are Shadowed

SLES-15-900300030: Verify that /etc/shadow password fields are not empty

Description: None

Levels:

medium

Automated: yes

Selections:

no_legacy_plus_entries_etc_passwd: Ensure there are no legacy + NIS entries in /etc/passwd
no_legacy_plus_entries_etc_shadow: Ensure there are no legacy + NIS entries in /etc/shadow

SLES-15-900300045: Verify that all groups in /etc/passwd exist in /etc/group

Description: None

Levels:

low

Automated: yes

Selections:

gid_passwd_group_same: All GIDs referenced in /etc/passwd must be defined in /etc/group

SLES-15-900300060: Verify that no duplicate UIDs exist

Description: None

Levels:

medium

Automated: yes

Selections:

account_unique_id: Ensure All Accounts on the System Have Unique User IDs

SLES-15-900300075: Verify that no duplicate GIDs exist

Description: None

Levels:

medium

Automated: yes

Selections:

group_unique_id: Ensure All Groups on the System Have Unique Group ID

SLES-15-900300090: Verify that no duplicate user names exist

Description: None

Levels:

medium

Automated: yes

Selections:

account_unique_name: Ensure All Accounts on the System Have Unique Names

SLES-15-900300105: Verify that no duplicate group names exist

Description: None

Levels:

medium

Automated: yes

Selections:

group_unique_name: Ensure All Groups on the System Have Unique Group Names

SLES-15-900300120: Configure local interactive user home directories

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_user_interactive_home_directory_exists: All Interactive Users Home Directories Must Exist
file_groupownership_home_directories: All Interactive User Home Directories Must Be Group-Owned By The Primary Group
file_ownership_home_directories: All Interactive User Home Directories Must Be Owned By The Primary User
file_permissions_home_directories: All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

SLES-15-900300135: Configure local interactive user dot files access

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_user_dot_group_ownership: User Initialization Files Must Be Group-Owned By The Primary Group
accounts_user_dot_user_ownership: User Initialization Files Must Be Owned By the Primary User
file_permission_user_bash_history: Ensure User Bash History File Has Correct Permissions
file_permission_user_init_files: Ensure All User Initialization Files Have Mode 0740 Or Less Permissive
no_forward_files: Verify No .forward Files Exist
no_netrc_files: Verify No netrc Files Exist
no_rsh_trust_files: Remove Rsh Trust Files
var_user_initialization_files_regex = all_dotfiles