Definition of General System Security Profile SUSE Linux Enterprise Micro (SLEM) 5 for slmicro5

SLEM-5-SET-01020000: Ensure /tmp Located On Separate Partition

Description: None

Levels:

low

Automated: yes

Selections:

partition_for_tmp: Ensure /tmp Located On Separate Partition

SLEM-5-SET-01040000: Add nodev Option to /tmp

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_tmp_nodev: Add nodev Option to /tmp

SLEM-5-SET-01050000: Add nosuid Option to /tmp

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_tmp_nosuid: Add nosuid Option to /tmp

SLEM-5-SET-01060000: Configure /dev/shm

Description: None

Levels:

low

Automated: yes

Selections:

partition_for_dev_shm: Ensure /dev/shm is configured

SLEM-5-SET-01070000: Add noexec Option to /dev/shm

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_dev_shm_noexec: Add noexec Option to /dev/shm

SLEM-5-SET-01080000: Add nodev Option to /dev/shm

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_dev_shm_nodev: Add nodev Option to /dev/shm

SLEM-5-SET-01090000: Add nosuid Option to /dev/shm

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_dev_shm_nosuid: Add nosuid Option to /dev/shm

SLEM-5-SET-01100000: Ensure /var Located On Separate Partition

Description: None

Levels:

medium

Automated: yes

Selections:

partition_for_var: Ensure /var Located On Separate Partition

SLEM-5-SET-01160000: Ensure /var/log/audit Located On Separate Partition

Description: None

Levels:

medium

Automated: yes

Selections:

partition_for_var_log_audit: Ensure /var/log/audit Located On Separate Partition

SLEM-5-SET-01170000: Ensure /home Located On Separate Partition

Description: None

Levels:

medium

Automated: yes

Selections:

partition_for_home: Ensure /home Located On Separate Partition

SLEM-5-SET-01100000: Ensure /var Located On Separate Partition

Description: None

Levels:

medium

Automated: yes

Selections:

partition_for_var: Ensure /var Located On Separate Partition

SLEM-5-SET-01180000: Add nodev Option to /home

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_home_nodev: Add nodev Option to /home

SLEM-5-SET-01190000: Add noexec Option to Removable Media Partitions

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_noexec_removable_partitions: Add noexec Option to Removable Media Partitions

SLEM-5-SET-01200000: Add nodev Option to Removable Media Partitions

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_nodev_removable_partitions: Add nodev Option to Removable Media Partitions

SLEM-5-SET-01210000: Add nosuid Option to Removable Media Partitions

Description: None

Levels:

medium

Automated: yes

Selections:

mount_option_nosuid_removable_partitions: Add nosuid Option to Removable Media Partitions

SLEM-5-SET-01220000: Verify that All World-Writable Directories Have Sticky Bits Set

Description: None

Levels:

medium

Automated: yes

Selections:

dir_perms_world_writable_sticky_bits: Verify that All World-Writable Directories Have Sticky Bits Set

SLEM-5-SET-01240000: Disable Modprobe Loading of USB Storage Driver

Description: None

Levels:

medium

Automated: yes

Selections:

kernel_module_usb-storage_disabled: Disable Modprobe Loading of USB Storage Driver

SLEM-5-SET-02010000: Configure GPG keys

Description: None

Levels:

medium

Automated: no

Selections:

ensure_GPG_keys_are_configured: Ensure GPG keys are configured

SLEM-5-SET-02020000: Configure package manager repositories

Description: None

Levels:

medium

Automated: no

Selections:

ensure_package_repositories_are_configured: Ensure package manager repositories are configured

SLEM-5-SET-02030000: Ensure gpgcheck Enabled In Main zypper Configuration

Description: None

Levels:

high

Automated: yes

Selections:

ensure_gpgcheck_globally_activated: Ensure gpgcheck Enabled In Main zypper Configuration

SLEM-5-SET-03010000: Install sudo Package

Description: None

Levels:

medium

Automated: yes

Selections:

package_sudo_installed: Install sudo Package

SLEM-5-SET-03020000: Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty

Description: None

Levels:

medium

Automated: yes

Selections:

sudo_add_use_pty: Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty

SLEM-5-SET-03030000: Ensure Sudo Logfile Exists - sudo logfile

Description: None

Levels:

low

Automated: yes

Selections:

sudo_custom_logfile: Ensure Sudo Logfile Exists - sudo logfile
var_sudo_logfile = var_log_sudo_log

SLEM-5-SET-03030000: Configure grup.cfg Group/User Ownership and Permissions

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_grub2_cfg: Verify /boot/grub2/grub.cfg Group Ownership
file_owner_grub2_cfg: Verify /boot/grub2/grub.cfg User Ownership
file_permissions_grub2_cfg: Verify /boot/grub2/grub.cfg Permissions

SLEM-5-SET-04010000: The AIDE package must be installed if it is to be available for integrity checking

Description: None

Levels:

medium

Automated: yes

Selections:

aide_build_database: Build and Test AIDE Database
package_aide_installed: Install AIDE

SLEM-5-SET-04020000: Configure Systemd Timer Execution of AIDE

Description: None

Levels:

medium

Automated: yes

Selections:

aide_periodic_checking_systemd_timer: Configure Systemd Timer Execution of AIDE

SLEM-5-SET-05010000: Set the Boot Loader Password

Description: None

Levels:

high

Automated: yes

Selections:

grub2_password: Set Boot Loader Password in grub2
grub2_uefi_password: Set the UEFI Boot Loader Password

SLEM-5-SET-05030000: Require Authentication for Emergency and Single User mode

Description: None

Levels:

medium

Automated: yes

Selections:

require_emergency_target_auth: Require Authentication for Emergency Systemd Target
require_singleuser_auth: Require Authentication for Single User Mode

SLEM-5-SET-06020000: Enable NX/XD Support

Description: None

Levels:

medium

Automated: partially

Selections:

bios_enable_execution_restrictions: Enable NX or XD Support in the BIOS
install_PAE_kernel_on_x86-32: Install PAE Kernel on Supported 32-bit x86 Systems

SLEM-5-SET-06030000: Enable Randomized Layout of Virtual Address Space

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_kernel_randomize_va_space: Enable Randomized Layout of Virtual Address Space

SLEM-5-SET-08010100: Modify the System Message of the Day Banner

Description: None

Levels:

medium

Automated: yes

Selections:

banner_etc_motd: Modify the System Message of the Day Banner
motd_banner_text = cis_banners

SLEM-5-SET-08010200: Modify the System Login Banner

Description: None

Levels:

medium

Automated: yes

Selections:

banner_etc_issue: Modify the System Login Banner
login_banner_text = cis_banners

SLEM-5-SET-08010300: Modify the System Login Banner for Remote Connections

Description: None

Levels:

medium

Automated: yes

Selections:

banner_etc_issue_net: Modify the System Login Banner for Remote Connections
remote_login_banner_text = cis_banners

SLEM-5-SET-08010400: Verify Ownership and Permissions of/on Message of the Day Banner

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_etc_motd: Verify Group Ownership of Message of the Day Banner
file_owner_etc_motd: Verify ownership of Message of the Day Banner
file_permissions_etc_motd: Verify permissions on Message of the Day Banner

SLEM-5-SET-08010500: Verify Ownership and Permissions of/on System Login Banner

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_etc_issue: Verify Group Ownership of System Login Banner
file_owner_etc_issue: Verify ownership of System Login Banner
file_permissions_etc_issue: Verify permissions on System Login Banner

SLEM-5-SET-08010600: Verify Ownership and Permissions of/on System Login Banner for Remote Connections

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_etc_issue_net: Verify Group Ownership of System Login Banner for Remote Connections
file_owner_etc_issue_net: Verify ownership of System Login Banner for Remote Connections
file_permissions_etc_issue_net: Verify permissions on System Login Banner for Remote Connections

SLEM-5-SET-09000000: Ensure Software Patches Installed

Description: None

Levels:

medium

Automated: yes

Selections:

security_patches_up_to_date: Ensure Software Patches Installed

SLEM-5-SER-01010000: The xinetd package is uninstalled, and its service is disabled

Description: None

Levels:

low

Automated: yes

Selections:

package_tcp_wrappers_removed: Uninstall tcpd Package
package_xinetd_removed: Uninstall xinetd Package
service_xinetd_disabled: Disable xinetd Service

SLEM-5-SER-02010100: The Chrony package is installed

Description: None

Levels:

medium

Automated: yes

Selections:

package_chrony_installed: The Chrony package is installed

SLEM-5-SER-02010300: Configure the Chrony

Description: None

Levels:

medium

Automated: yes

Selections:

chronyd_configure_pool_and_server: Chrony Configure Pool and Server
chronyd_run_as_chrony_user: Ensure that chronyd is running under chrony user account
var_multiple_time_pools = suse
var_multiple_time_servers = suse

SLEM-5-SER-02030000: Uninstall Avahi Server

Description: None

Levels:

medium

Automated: yes

Selections:

package_avahi-autoipd_removed: Uninstall avahi-autoipd Server Package
package_avahi_removed: Uninstall avahi Server Package
service_avahi-daemon_disabled: Disable Avahi Server Software

SLEM-5-SER-02040000: Uninstall CUPS

Description: None

Levels:

medium

Automated: yes

Selections:

package_cups_removed: Uninstall CUPS Package
service_cups_disabled: Disable the CUPS Service

SLEM-5-SER-02050000: Uninstall DHCP Server

Description: None

Levels:

medium

Automated: yes

Selections:

package_dhcp_client_removed: Uninstall DHCP Client Package
package_dhcp_removed: Uninstall DHCP Server Package
service_dhcpd_disabled: Disable DHCP Service

SLEM-5-SER-02060000: Uninstall openldap-servers

Description: None

Levels:

low

Automated: yes

Selections:

package_openldap-servers_removed: Uninstall openldap-servers Package

SLEM-5-SER-02070000: Uninstall nfs-utils

Description: None

Levels:

medium

Automated: yes

Selections:

package_nfs-utils_removed: Uninstall nfs-utils Package
service_nfs_disabled: Disable Network File System (nfs)

SLEM-5-SER-02080000: Uninstall rpcbind

Description: None

Levels:

low

Automated: yes

Selections:

package_rpcbind_removed: Uninstall rpcbind Package
service_rpcbind_disabled: Disable rpcbind Service

SLEM-5-SER-02090000: Uninstall bind

Description: None

Levels:

medium

Automated: yes

Selections:

package_bind_removed: Uninstall bind Package
service_named_disabled: Disable named Service

SLEM-5-SER-02100000: Uninstall vsftpd

Description: None

Levels:

medium

Automated: yes

Selections:

package_vsftpd_removed: Uninstall vsftpd Package
service_vsftpd_disabled: Disable vsftpd Service

SLEM-5-SER-02120000: Uninstall dovecot (IMAP/POP3)

Description: None

Levels:

medium

Automated: yes

Selections:

package_dovecot_removed: Uninstall dovecot Package
service_dovecot_disabled: Disable Dovecot Service

SLEM-5-SER-02130000: Uninstall samba

Description: None

Levels:

low

Automated: yes

Selections:

package_samba_removed: Uninstall Samba Package
service_smb_disabled: Disable Samba

SLEM-5-SER-02150000: Uninstall net-snmp

Description: None

Levels:

low

Automated: yes

Selections:

package_net-snmp_removed: Uninstall net-snmp Package
service_snmpd_disabled: Disable snmpd Service

SLEM-5-SER-02170000: Uninstall rsync

Description: None

Levels:

low

Automated: yes

Selections:

service_rsyncd_disabled: Ensure rsyncd service is disabled

SLEM-5-SER-02190000: Uninstall telnet-server Package

Description: None

Levels:

high

Automated: yes

Selections:

package_telnet-server_removed: Uninstall telnet-server Package

SLEM-5-SER-03020000: Uninstall rsh

Description: None

Levels:

medium

Automated: yes

Selections:

package_rsh_removed: Uninstall rsh Package

SLEM-5-SER-03030000: Uninstall talk

Description: None

Levels:

medium

Automated: yes

Selections:

package_talk_removed: Uninstall talk Package

SLEM-5-SER-04000000: Uninstall nonessential services

Description: None

Levels:

medium

Automated: no

No rules selected

SLEM-5-NET-01010000: Disable IPv6

Description: None

Levels:

medium

Automated: yes

Selections:

grub2_ipv6_disable_argument: Ensure IPv6 is disabled through kernel boot parameter
sysctl_net_ipv6_conf_all_disable_ipv6: Disable IPv6 Addressing on All IPv6 Interfaces

SLEM-5-NET-01020000: Deactivate Wireless Network Interfaces

Description: None

Levels:

medium

Automated: yes

Selections:

wireless_disable_interfaces: Deactivate Wireless Network Interfaces

SLEM-5-NET-02010000: Disable IP Forwarding

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_net_ipv4_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
sysctl_net_ipv4_ip_forward: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
sysctl_net_ipv6_conf_all_forwarding: Disable Kernel Parameter for IPv6 Forwarding

SLEM-5-NET-02020000: Disable Packet Redirect Sending

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_net_ipv4_conf_all_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
sysctl_net_ipv4_conf_default_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default

SLEM-5-NET-03010000: Disable forwarding source-routed packets

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_net_ipv4_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
sysctl_net_ipv6_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
sysctl_net_ipv6_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default

SLEM-5-NET-03020000: Disable accepting Internet Control Message Protocol (ICMP) redirects

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_net_ipv4_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv4 Interfaces
sysctl_net_ipv6_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv6 Interfaces
sysctl_net_ipv6_conf_default_accept_redirects: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces

SLEM-5-NET-03030000: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_net_ipv4_conf_default_accept_redirects: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces

SLEM-5-NET-03040000: Log suspicious packets on all IPv4 interfaces

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_net_ipv4_conf_all_log_martians: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces
sysctl_net_ipv4_conf_all_log_martians_value = enabled
sysctl_net_ipv4_conf_default_log_martians: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default
sysctl_net_ipv4_conf_default_log_martians_value = enabled

SLEM-5-NET-03050000: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_net_ipv4_icmp_echo_ignore_broadcasts: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value = enabled

SLEM-5-NET-03060000: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_net_ipv4_icmp_ignore_bogus_error_responses: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value = enabled

SLEM-5-NET-03070000: Enable Reverse Path Filtering on all IPv4 Interfaces

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_net_ipv4_conf_all_rp_filter: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
sysctl_net_ipv4_conf_all_rp_filter_value = enabled
sysctl_net_ipv4_conf_default_rp_filter: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
sysctl_net_ipv4_conf_default_rp_filter_value = enabled

SLEM-5-NET-03080000: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_net_ipv4_tcp_syncookies: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces

SLEM-5-NET-03090000: Disable Accepting Router Advertisements on all IPv6 Interfaces

Description: None

Levels:

medium

Automated: yes

Selections:

sysctl_net_ipv6_conf_all_accept_ra: Configure Accepting Router Advertisements on All IPv6 Interfaces
sysctl_net_ipv6_conf_all_accept_ra_value = disabled
sysctl_net_ipv6_conf_default_accept_ra: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
sysctl_net_ipv6_conf_default_accept_ra_value = disabled

SLEM-5-NET-04020000: Disable SCTP Support

Description: None

Levels:

high

Automated: yes

Selections:

kernel_module_sctp_disabled: Disable SCTP Support

SLEM-5-NET-05010100: Install firewalld

Description: None

Levels:

medium

Automated: yes

Selections:

package_firewalld_installed: Install firewalld Package

SLEM-5-NET-05010300: Verify firewalld Enabled

Description: None

Levels:

medium

Automated: yes

Selections:

service_firewalld_enabled: Verify firewalld Enabled

SLEM-5-NET-05010400: Set Default firewalld Zone for Incoming Packets

Description: None

Levels:

medium

Automated: yes

Selections:

set_firewalld_default_zone: Set Default firewalld Zone for Incoming Packets

SLEM-5-NET-05010500: Ensure firewalld network interfaces are assigned to appropriate zone

Description: None

Levels:

medium

Automated: no

Selections:

set_firewalld_appropriate_zone: Ensure network interfaces are assigned to appropriate zone

SLEM-5-NET-05010600: Ensure firewalld Unnecessary Services and Ports Are Not Accepted

Description: None

Levels:

medium

Automated: no

Selections:

unnecessary_firewalld_services_ports_disabled: Ensure Unnecessary Services and Ports Are Not Accepted

SLEM-5-AUD-01010100: Ensure the audit Subsystem is Installed

Description: None

Levels:

medium

Automated: yes

Selections:

package_audit_installed: Ensure the audit Subsystem is Installed

SLEM-5-AUD-01010200: Enable auditd Service

Description: None

Levels:

medium

Automated: yes

Selections:

service_auditd_enabled: Enable auditd Service

SLEM-5-AUD-01020100: Configure auditd Max Log File Size

Description: None

Levels:

high

Automated: yes

Selections:

auditd_data_retention_max_log_file: Configure auditd Max Log File Size
var_auditd_max_log_file = 6

SLEM-5-AUD-01020200: Configure auditd max_log_file_action Upon Reaching Maximum Log Size

Description: None

Levels:

high

Automated: yes

Selections:

auditd_data_retention_max_log_file_action: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
var_auditd_max_log_file_action = keep_logs

SLEM-5-AUD-01020300: Configure auditd actions on Low Disk Space

Description: None

Levels:

high

Automated: yes

Selections:

auditd_data_retention_action_mail_acct: Configure auditd mail_acct Action on Low Disk Space
auditd_data_retention_admin_space_left_action: Configure auditd admin_space_left Action on Low Disk Space
auditd_data_retention_space_left_action: Configure auditd space_left Action on Low Disk Space
var_auditd_action_mail_acct = root
var_auditd_admin_space_left_action = halt
var_auditd_space_left_action = email

SLEM-5-AUD-01030000: Record attempts to modify the date and time

Description: None

Levels:

high

Automated: partially

Selections:

audit_rules_time_adjtimex: Record attempts to alter time through adjtimex
audit_rules_time_settimeofday: Record attempts to alter time through settimeofday
audit_rules_time_stime: Record Attempts to Alter Time Through stime
audit_rules_time_watch_localtime: Record Attempts to Alter the localtime File

SLEM-5-AUD-01040000: Collect events that modify user/group information

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd
audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow

SLEM-5-AUD-01050000: Record Events that Modify the System's Network Environment

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_networkconfig_modification: Record Events that Modify the System's Network Environment

SLEM-5-AUD-01060000: Record Events that Modify the System''s Mandatory Access Control

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_mac_modification: Record Events that Modify the System's Mandatory Access Controls
audit_rules_mac_modification_usr_share: Record Events that Modify the System's Mandatory Access Controls in usr/share

SLEM-5-AUD-01060000: Collect login and logout events

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_login_events_lastlog: Record Attempts to Alter Logon and Logout Events - lastlog
audit_rules_login_events_tallylog: Record Attempts to Alter Logon and Logout Events - tallylog

SLEM-5-AUD-01080000: Record Attempts to Alter Process and Session Initiation Information

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_session_events: Record Attempts to Alter Process and Session Initiation Information

SLEM-5-AUD-01090000: Collect discretionary access control permission modification events

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_dac_modification_fchmod: Record Events that Modify the System's Discretionary Access Controls - fchmod
audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr
audit_rules_dac_modification_lchown: Record Events that Modify the System's Discretionary Access Controls - lchown

SLEM-5-AUD-01100000: Record Unsuccessful Access Attempts to Files - open

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_unsuccessful_file_modification_open: Record Unsuccessful Access Attempts to Files - open

SLEM-5-AUD-01011000: Ensure auditd Collects Information on the Use of Privileged Commands

Description: None

Levels:

medium

Automated: no

No rules selected

SLEM-5-AUD-01012000: Ensure auditd Collects Information on Exporting to Media (successful)

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_media_export: Ensure auditd Collects Information on Exporting to Media (successful)

SLEM-5-AUD-01013000: Ensure auditd Collects File Deletion Events by Users

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_file_deletion_events_rename: Ensure auditd Collects File Deletion Events by User - rename
audit_rules_file_deletion_events_renameat: Ensure auditd Collects File Deletion Events by User - renameat
audit_rules_file_deletion_events_unlink: Ensure auditd Collects File Deletion Events by User - unlink
audit_rules_file_deletion_events_unlinkat: Ensure auditd Collects File Deletion Events by User - unlinkat

SLEM-5-AUD-01014000: Ensure auditd Collects System Administrator Actions

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_sysadmin_actions: Ensure auditd Collects System Administrator Actions

SLEM-5-AUD-01015000: Record Attempts to perform maintenance activities

Description: None

Levels:

medium

Automated: yes

Selections:

audit_sudo_log_events: Record Attempts to perform maintenance activities

SLEM-5-AUD-01016000: Collect kernel module loading and unloading

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_kernel_module_loading_delete: Ensure auditd Collects Information on Kernel Module Unloading - delete_module
audit_rules_privileged_commands_insmod: Ensure auditd Collects Information on the Use of Privileged Commands - insmod
audit_rules_privileged_commands_modprobe: Ensure auditd Collects Information on the Use of Privileged Commands - modprobe
audit_rules_privileged_commands_rmmod: Ensure auditd Collects Information on the Use of Privileged Commands - rmmod

SLEM-5-AUD-01017000: Make the auditd Configuration Immutable

Description: None

Levels:

medium

Automated: yes

Selections:

audit_rules_immutable: Make the auditd Configuration Immutable

SLEM-5-AUD-02010500: Configure systemd-journal-remote to send logs to a remote log host

Description: None

Levels:

medium

Automated: no

Selections:

package_systemd-journal-remote_installed: Install systemd-journal-remote Package
service_systemd-journal-upload_enabled: Enable systemd-journal-upload Service
systemd_journal_upload_server_tls: Configure systemd-journal-upload TLS parameters: ServerKeyFile, ServerCertificateFile and TrustedCertificateFile
systemd_journal_upload_url: Configure systemd-journal-upload URL

SLEM-5-AUD-02030000: Verify permissions of log files

Description: None

Levels:

medium

Automated: yes

Selections:

permissions_local_var_log: Verify permissions of log files

SLEM-5-AAA-02010000: Verify Ownership and Permissions of/on SSH Server config file

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_sshd_config: Verify Group Who Owns SSH Server config file
file_owner_sshd_config: Verify Owner on SSH Server config file
file_permissions_sshd_config: Verify Permissions on SSH Server config file

SLEM-5-AAA-02020000: Verify Permissions on SSH Server Private *_key Key Files

Description: None

Levels:

medium

Automated: yes

Selections:

file_permissions_sshd_private_key: Verify Permissions on SSH Server Private *_key Key Files

SLEM-5-AAA-02030000: Verify Permissions on SSH Server Public *.pub Key Files

Description: None

Levels:

medium

Automated: yes

Selections:

file_permissions_sshd_pub_key: Verify Permissions on SSH Server Public *.pub Key Files

SLEM-5-AAA-02040000: Limit Users' SSH Access

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_limit_user_access: Limit Users' SSH Access

SLEM-5-AAA-02050000: Set SSH Daemon LogLevel to VERBOSE

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_set_loglevel_verbose: Set SSH Daemon LogLevel to VERBOSE

SLEM-5-AAA-02060000: Disable X11 Forwarding

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_disable_x11_forwarding: Disable X11 Forwarding

SLEM-5-AAA-02070000: Set SSH authentication attempt limit

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_max_auth_tries_value = 4
sshd_set_max_auth_tries: Set SSH authentication attempt limit

SLEM-5-AAA-02080000: Disable SSH Support for .rhosts Files

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_disable_rhosts: Disable SSH Support for .rhosts Files

SLEM-5-AAA-02090000: Disable Host-Based Authentication

Description: None

Levels:

medium

Automated: yes

Selections:

disable_host_auth: Disable Host-Based Authentication

SLEM-5-AAA-02100000: Disable SSH Root Login

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_disable_root_login: Disable SSH Root Login

SLEM-5-AAA-02110000: Disable SSH Access via Empty Passwords

Description: None

Levels:

high

Automated: yes

Selections:

sshd_disable_empty_passwords: Disable SSH Access via Empty Passwords

SLEM-5-AAA-02120000: Do Not Allow SSH Environment Options

Description: None

Levels:

high

Automated: yes

Selections:

sshd_do_not_permit_user_env: Do Not Allow SSH Environment Options

SLEM-5-AAA-02130000: Use only strong Ciphers

Description: None

Levels:

high

Automated: yes

Selections:

sshd_use_approved_ciphers: Use Only FIPS 140-2 Validated Ciphers
sshd_use_approved_ciphers_ordered_stig: Use Only FIPS 140-2 Validated Ciphers

SLEM-5-AAA-02140000: Use only strong MAC algorithms

Description: None

Levels:

high

Automated: yes

Selections:

sshd_use_approved_macs: Use Only FIPS 140-2 Validated MACs
sshd_use_approved_macs_ordered_stig: Use Only FIPS 140-2 Validated MACs

SLEM-5-AAA-02150000: Use Only Strong Key Exchange algorithms

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_strong_kex = cis_sle15
sshd_use_strong_kex: Use Only Strong Key Exchange algorithms

SLEM-5-AAA-02160000: Configure SSH Idle Timeout Interval

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_idle_timeout_value = 10_minutes
sshd_set_idle_timeout: Set SSH Client Alive Interval
sshd_set_keepalive: Set SSH Client Alive Count Max
var_sshd_set_keepalive = 1

SLEM-5-AAA-02170000: Ensure SSH LoginGraceTime is configured

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_set_login_grace_time: Ensure SSH LoginGraceTime is configured
var_sshd_set_login_grace_time = 60

SLEM-5-AAA-02180000: Configure SSH warning banner

Description: None

Levels:

medium

Automated: yes

Selections:

banner_etc_issue: Modify the System Login Banner
login_banner_text = dod_banners
sshd_enable_warning_banner: Enable SSH Warning Banner

SLEM-5-AAA-02190000: Enable SSH PAM

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_enable_pam: Enable PAM

SLEM-5-AAA-02200000: Disable SSH TCP Forwarding

Description: None

Levels:

high

Automated: yes

Selections:

sshd_disable_tcp_forwarding: Disable SSH TCP Forwarding

SLEM-5-AAA-02210000: Ensure SSH MaxStartups is configured

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_set_maxstartups: Ensure SSH MaxStartups is configured
var_sshd_set_maxstartups = 10:30:60

SLEM-5-AAA-02220000: Set SSH MaxSessions limit

Description: None

Levels:

medium

Automated: yes

Selections:

sshd_set_max_sessions: Set SSH MaxSessions limit
var_sshd_max_sessions = 10

SLEM-5-AAA-03010000: Configure password creation requirements

Description: None

Levels:

medium

Automated: yes

Selections:

cracklib_accounts_password_pam_dcredit: Set Password Strength Minimum Digit Characters
cracklib_accounts_password_pam_lcredit: Set Password Strength Minimum Lowercase Characters
cracklib_accounts_password_pam_minlen: Set Password Minimum Length
cracklib_accounts_password_pam_ocredit: Set Password Strength Minimum Special Characters
cracklib_accounts_password_pam_retry: Set Password Retry Limit
cracklib_accounts_password_pam_ucredit: Set Password Strength Minimum Uppercase Characters
var_password_pam_retry = 3

SLEM-5-AAA-03020000: Set Deny For Failed Password Attempts

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_passwords_pam_tally2: Set Deny For Failed Password Attempts
var_password_pam_tally2 = 3

SLEM-5-AAA-03030000: Limit Password Reuse

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_password_pam_pwhistory_remember: Limit Password Reuse
var_password_pam_remember = 5
var_password_pam_remember_control_flag = requisite

SLEM-5-AAA-04010100: Verify All Account Password Hashes are Shadowed with SHA512

Description: None

Levels:

high

Automated: yes

Selections:

accounts_password_all_shadowed_sha512: Verify All Account Password Hashes are Shadowed with SHA512
set_password_hashing_algorithm_logindefs: Set Password Hashing Algorithm in /etc/login.defs
var_password_hashing_algorithm = SHA512

SLEM-5-AAA-04010200: Set Existing Passwords Maximum Age

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_maximum_age_login_defs: Set Password Maximum Age
accounts_password_set_max_life_existing: Set Existing Passwords Maximum Age
var_accounts_maximum_age_login_defs = 60

SLEM-5-AAA-04010300: Set Existing Passwords Minimum Age

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_minimum_age_login_defs: Set Password Minimum Age
accounts_password_set_min_life_existing: Set Existing Passwords Minimum Age
var_accounts_minimum_age_login_defs = 1

SLEM-5-AAA-04010400: Set and Apply Password Warning Age

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_password_set_warn_age_existing: Set Existing Passwords Warning Age
accounts_password_warn_age_login_defs: Set Password Warning Age
var_accounts_password_warn_age_login_defs = 7

SLEM-5-AAA-04010500: Set Account Expiration Following Inactivity

Description: None

Levels:

medium

Automated: yes

Selections:

account_disable_post_pw_expiration: Set Account Expiration Following Inactivity

SLEM-5-AAA-04010600: Ensure all users last password change date is in the past

Description: None

Levels:

medium

Automated: partially

Selections:

accounts_password_last_change_is_in_past: Ensure all users last password change date is in the past

SLEM-5-AAA-04020000: Ensure that System Accounts Do Not Run a Shell Upon Login

Description: None

Levels:

medium

Automated: yes

Selections:

no_shelllogin_for_systemaccounts: Ensure that System Accounts Do Not Run a Shell Upon Login

SLEM-5-AAA-04030000: Verify Root Has A Primary GID 0

Description: None

Levels:

high

Automated: yes

Selections:

accounts_root_gid_zero: Verify Root Has A Primary GID 0

SLEM-5-AAA-04040000: Set Interactive Session Timeout

Description: None

Levels:

medium

Automated: partially

Selections:

accounts_tmout: Set Interactive Session Timeout
var_accounts_tmout = 15_min

SLEM-5-AAA-04050000: Ensure the Default Umask is Set Correctly in login.defs

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_umask_etc_login_defs: Ensure the Default Umask is Set Correctly in login.defs

SLEM-5-AAA-05050000: Restrict direct and virtual console Root Logins

Description: None

Levels:

medium

Automated: yes

Selections:

no_direct_root_logins: Direct root Logins Not Allowed
securetty_root_login_console_only: Restrict Virtual Console Root Logins

SLEM-5-AAA-05060000: Enforce Usage of pam_wheel on the System for su Authentication

Description: None

Levels:

medium

Automated: partially

Selections:

ensure_pam_wheel_group_empty: Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty
use_pam_wheel_group_for_su: Enforce Usage of pam_wheel with Group Parameter for su Authentication
var_pam_wheel_group_for_su = cis

SLEM-5-SMA-01010000: Verify and Correct Ownership and File Permissions with RPM

Description: None

Levels:

high

Automated: no

No rules selected

SLEM-5-SMA-01020000: Configure permissions on /etc/passwd

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_etc_gshadow: Verify Group Who Owns gshadow File
file_groupowner_etc_passwd: Verify Group Who Owns passwd File
file_owner_etc_gshadow: Verify User Who Owns gshadow File
file_owner_etc_passwd: Verify User Who Owns passwd File
file_permissions_etc_gshadow: Verify Permissions on gshadow File
file_permissions_etc_passwd: Verify Permissions on passwd File

SLEM-5-SMA-01030000: Configure permissions on /etc/shadow

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_etc_shadow: Verify Group Who Owns shadow File
file_owner_etc_shadow: Verify User Who Owns shadow File
file_permissions_etc_shadow: Verify Permissions on shadow File

SLEM-5-SMA-01040000: Configure permissions on /etc/group

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_etc_group: Verify Group Who Owns group File
file_owner_etc_group: Verify User Who Owns group File
file_permissions_etc_group: Verify Permissions on group File

SLEM-5-SMA-01050000: Configure permissions on /etc/passwd-

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_backup_etc_gshadow: Verify Group Who Owns Backup gshadow File
file_groupowner_backup_etc_passwd: Verify Group Who Owns Backup passwd File
file_owner_backup_etc_gshadow: Verify User Who Owns Backup gshadow File
file_owner_backup_etc_passwd: Verify User Who Owns Backup passwd File
file_permissions_backup_etc_gshadow: Verify Permissions on Backup gshadow File
file_permissions_backup_etc_passwd: Verify Permissions on Backup passwd File

SLEM-5-SMA-01060000: Configure permissions on /etc/shadow-

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_backup_etc_shadow: Verify User Who Owns Backup shadow File
file_owner_backup_etc_shadow: Verify Group Who Owns Backup shadow File
file_permissions_backup_etc_shadow: Verify Permissions on Backup shadow File

SLEM-5-SMA-01070000: Configure permissions on /etc/group-

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupowner_backup_etc_group: Verify Group Who Owns Backup group File
file_owner_backup_etc_group: Verify User Who Owns Backup group File
file_permissions_backup_etc_group: Verify Permissions on Backup group File

SLEM-5-SMA-01080000: Ensure No World-Writable Files Exist

Description: None

Levels:

medium

Automated: yes

Selections:

file_permissions_unauthorized_world_writable: Ensure No World-Writable Files Exist

SLEM-5-SMA-01090000: Ensure All Files Are Owned by a Use

Description: None

Levels:

medium

Automated: yes

Selections:

no_files_unowned_by_user: Ensure All Files Are Owned by a User

SLEM-5-SMA-01100000: Ensure All Files Are Owned by a Group

Description: None

Levels:

medium

Automated: yes

Selections:

file_permissions_ungroupowned: Ensure All Files Are Owned by a Group

SLEM-5-SMA-01110000: Ensure All SUID Executables Are Authorized

Description: None

Levels:

medium

Automated: no

No rules selected

SLEM-5-SMA-01120000: Ensure All SGID Executables Are Authorized

Description: None

Levels:

medium

Automated: no

No rules selected

SLEM-5-SMA-02010000: Verify All Account Password Hashes are Shadowed

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_password_all_shadowed: Verify All Account Password Hashes are Shadowed

SLEM-5-SMA-02020000: Ensure there are no legacy NIS entries in /etc/passwd and /etc/shadow

Description: None

Levels:

medium

Automated: yes

Selections:

no_legacy_plus_entries_etc_passwd: Ensure there are no legacy + NIS entries in /etc/passwd
no_legacy_plus_entries_etc_shadow: Ensure there are no legacy + NIS entries in /etc/shadow

SLEM-5-SMA-02030000: Verify Only Root Has UID 0

Description: None

Levels:

high

Automated: yes

Selections:

accounts_no_uid_except_zero: Verify Only Root Has UID 0

SLEM-5-SMA-02040000: Ensure Root's path Integrity

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_root_path_dirs_no_write: Ensure that Root's Path Does Not Include World or Group-Writable Directories
root_path_no_dot: Ensure that Root's Path Does Not Include Relative Paths or Null Directories

SLEM-5-SMA-02050000: All Interactive Users Home Directories Must Exist

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_user_interactive_home_directory_exists: All Interactive Users Home Directories Must Exist

SLEM-5-SMA-02060000: All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

Description: None

Levels:

medium

Automated: yes

Selections:

file_permissions_home_directories: All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

SLEM-5-SMA-02070000: All Interactive User Home Directories Must Be Group-Owned By The Primary Group

Description: None

Levels:

medium

Automated: yes

Selections:

file_groupownership_home_directories: All Interactive User Home Directories Must Be Group-Owned By The Primary Group

SLEM-5-SMA-02080000: User Initialization Files Must Not Run World-Writable Programs

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_user_dot_no_world_writable_programs: User Initialization Files Must Not Run World-Writable Programs

SLEM-5-SMA-02090000: Verify No .forward Files Exist

Description: None

Levels:

medium

Automated: yes

Selections:

no_forward_files: Verify No .forward Files Exist

SLEM-5-SMA-02100000: Verify No netrc Files Exist

Description: None

Levels:

medium

Automated: yes

Selections:

no_netrc_files: Verify No netrc Files Exist

SLEM-5-SMA-02110000: Ensure users' .netrc Files are not group or world accessible

Description: None

Levels:

medium

Automated: yes

Selections:

accounts_users_netrc_file_permissions: Ensure users' .netrc Files are not group or world accessible

SLEM-5-SMA-02120000: Remove Rsh Trust Files

Description: None

Levels:

high

Automated: no

No rules selected

SLEM-5-SMA-02130000: Ensure all GIDs referenced in /etc/passwd are defined in /etc/group

Description: None

Levels:

low

Automated: yes

Selections:

gid_passwd_group_same: All GIDs referenced in /etc/passwd must be defined in /etc/group

SLEM-5-SMA-02140000: Ensure All Accounts on the System Have Unique User IDs

Description: None

Levels:

medium

Automated: yes

Selections:

account_unique_id: Ensure All Accounts on the System Have Unique User IDs

SLEM-5-SMA-02150000: Ensure All Groups on the System Have Unique Group ID

Description: None

Levels:

medium

Automated: yes

Selections:

group_unique_id: Ensure All Groups on the System Have Unique Group ID

SLEM-5-SMA-02160000: Ensure All Accounts on the System Have Unique Names

Description: None

Levels:

medium

Automated: yes

Selections:

account_unique_name: Ensure All Accounts on the System Have Unique Names

SLEM-5-SMA-02170000: Ensure All Groups on the System Have Unique Group Names

Description: None

Levels:

medium

Automated: yes

Selections:

group_unique_name: Ensure All Groups on the System Have Unique Group Names

SLEM-5-SMA-02180000: Ensure shadow Group on the System is Empty

Description: None

Levels:

medium

Automated: yes

Selections:

ensure_shadow_group_empty: Ensure shadow Group is Empty