Definition of General System Security Profile SUSE Linux Enterprise Micro (SLEM) 5 for slmicro5
based on not_publicly_available
SLEM-5-SET-01020000: Ensure /tmp Located On Separate Partition
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-01040000: Add nodev Option to /tmp
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-01050000: Add nosuid Option to /tmp
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-01060000: Configure /dev/shm
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-01070000: Add noexec Option to /dev/shm
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-01080000: Add nodev Option to /dev/shm
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-01090000: Add nosuid Option to /dev/shm
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-01100000: Ensure /var Located On Separate Partition
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-01160000: Ensure /var/log/audit Located On Separate Partition
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-01170000: Ensure /home Located On Separate Partition
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-01180000: Add nodev Option to /home
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-01190000: Add noexec Option to Removable Media Partitions
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-01200000: Add nodev Option to Removable Media Partitions
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-01210000: Add nosuid Option to Removable Media Partitions
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-01220000: Verify that All World-Writable Directories Have Sticky Bits Set
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-01240000: Disable Modprobe Loading of USB Storage Driver
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-02010000: Configure GPG keys
Description: None
Levels:
Automated: no
Selections:
SLEM-5-SET-02020000: Configure package manager repositories
Description: None
Levels:
Automated: no
Selections:
SLEM-5-SET-02030000: Ensure gpgcheck Enabled In Main zypper Configuration
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-03010000: Install sudo Package
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-03020000: Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
Description: None
Levels:
Automated: yes
Selections:
- sudo_add_use_pty: Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
SLEM-5-SET-03030000: Ensure Sudo Logfile Exists - sudo logfile
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-03030000: Configure grub.cfg Group/User Ownership and Permissions
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-04010000: The AIDE package must be installed if it is to be available for integrity checking
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-04020000: Configure Systemd Timer Execution of AIDE
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-05010000: Set the Boot Loader Password
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-05030000: Require Authentication for Emergency and Single User mode
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-06020000: Enable NX/XD Support
Description: None
Levels:
Automated: partially
Selections:
SLEM-5-SET-06030000: Enable Randomized Layout of Virtual Address Space
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-08010100: Modify the System Message of the Day Banner
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-08010200: Modify the System Login Banner
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-08010300: Modify the System Login Banner for Remote Connections
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-08010400: Verify Ownership and Permissions of/on Message of the Day Banner
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-08010500: Verify Ownership and Permissions of/on System Login Banner
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-08010600: Verify Ownership and Permissions of/on System Login Banner for Remote Connections
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SET-09000000: Ensure Software Patches Installed
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SER-01010000: The xinetd package is uninstalled, and its service is disabled
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SER-02010100: The Chrony package is installed
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SER-02010300: Configure Chrony
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SER-02030000: Uninstall Avahi Server
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SER-02040000: Uninstall CUPS
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SER-02050000: Uninstall DHCP Server
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SER-02060000: Uninstall openldap-servers
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SER-02070000: Uninstall nfs-utils
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SER-02080000: Uninstall rpcbind
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SER-02090000: Uninstall bind
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SER-02100000: Uninstall vsftpd
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SER-02120000: Uninstall dovecot (IMAP/POP3)
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SER-02130000: Uninstall samba
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SER-02150000: Uninstall net-snmp
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SER-02170000: Uninstall rsync
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SER-02190000: Uninstall telnet-server Package
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SER-03020000: Uninstall rsh
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SER-03030000: Uninstall talk
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SER-04000000: Uninstall nonessential services
Description: None
Levels:
Automated: no
No rules selected
SLEM-5-NET-01010000: Disable IPv6
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-NET-01020000: Deactivate Wireless Network Interfaces
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-NET-02010000: Disable IP Forwarding
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-NET-02020000: Disable Packet Redirect Sending
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-NET-03010000: Disable forwarding source-routed packets
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-NET-03020000: Disable accepting Internet Control Message Protocol (ICMP) redirects
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-NET-03030000: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-NET-03040000: Log suspicious packets on all IPv4 interfaces
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-NET-03050000: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-NET-03060000: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-NET-03070000: Enable Reverse Path Filtering on all IPv4 Interfaces
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-NET-03080000: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-NET-03090000: Disable Accepting Router Advertisements on all IPv6 Interfaces
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-NET-04020000: Disable SCTP Support
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-NET-05010100: Install firewalld
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-NET-05010300: Verify firewalld Enabled
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-NET-05010400: Set Default firewalld Zone for Incoming Packets
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-NET-05010500: Ensure firewalld network interfaces are assigned to appropriate zone
Description: None
Levels:
Automated: no
Selections:
SLEM-5-NET-05010600: Ensure firewalld Unnecessary Services and Ports Are Not Accepted
Description: None
Levels:
Automated: no
Selections:
SLEM-5-AUD-01010100: Ensure the audit Subsystem is Installed
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AUD-01010200: Enable auditd Service
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AUD-01020100: Configure auditd Max Log File Size
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AUD-01020200: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AUD-01020300: Configure auditd actions on Low Disk Space
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AUD-01030000: Record attempts to modify the date and time
Description: None
Levels:
Automated: partially
Selections:
SLEM-5-AUD-01040000: Collect events that modify user/group information
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AUD-01050000: Record Events that Modify the System's Network Environment
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AUD-01060000: Record Events that Modify the System's Mandatory Access Control
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AUD-01060000: Collect login and logout events
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AUD-01080000: Record Attempts to Alter Process and Session Initiation Information
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AUD-01090000: Collect discretionary access control permission modification events
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AUD-01100000: Record Unsuccessful Access Attempts to Files - open
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AUD-01011000: Ensure auditd Collects Information on the Use of Privileged Commands
Description: None
Levels:
Automated: no
No rules selected
SLEM-5-AUD-01012000: Ensure auditd Collects Information on Exporting to Media (successful)
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AUD-01013000: Ensure auditd Collects File Deletion Events by Users
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AUD-01014000: Ensure auditd Collects System Administrator Actions
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AUD-01015000: Record Attempts to perform maintenance activities
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AUD-01016000: Collect kernel module loading and unloading
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AUD-01017000: Make the auditd Configuration Immutable
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AUD-02010500: Configure systemd-journal-remote to send logs to a remote log host
Description: None
Levels:
Automated: no
Selections:
SLEM-5-AUD-02030000: Verify permissions of log files
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-02010000: Verify Ownership and Permissions of/on SSH Server config file
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-02020000: Verify Permissions on SSH Server Private *_key Key Files
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-02030000: Verify Permissions on SSH Server Public *.pub Key Files
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-02040000: Limit Users' SSH Access
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-02050000: Set SSH Daemon LogLevel to VERBOSE
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-02060000: Disable X11 Forwarding
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-02070000: Set SSH authentication attempt limit
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-02080000: Disable SSH Support for .rhosts Files
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-02090000: Disable Host-Based Authentication
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-02100000: Disable SSH Root Login
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-02110000: Disable SSH Access via Empty Passwords
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-02120000: Do Not Allow SSH Environment Options
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-02130000: Use only strong Ciphers
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-02140000: Use only strong MAC algorithms
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-02150000: Use Only Strong Key Exchange algorithms
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-02160000: Configure SSH Idle Timeout Interval
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-02170000: Ensure SSH LoginGraceTime is configured
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-02180000: Configure SSH warning banner
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-02190000: Enable SSH PAM
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-02200000: Disable SSH TCP Forwarding
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-02210000: Ensure SSH MaxStartups is configured
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-02220000: Set SSH MaxSessions limit
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-03010000: Configure password creation requirements
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-03020000: Set Deny For Failed Password Attempts
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-03030000: Limit Password Reuse
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-04010100: Verify All Account Password Hashes are Shadowed with SHA512
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-04010200: Set Existing Passwords Maximum Age
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-04010300: Set Existing Passwords Minimum Age
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-04010400: Set and Apply Password Warning Age
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-04010500: Set Account Expiration Following Inactivity
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-04010600: Ensure all users' last password change date is in the past
Description: None
Levels:
Automated: partially
Selections:
SLEM-5-AAA-04020000: Ensure that System Accounts Do Not Run a Shell Upon Login
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-04030000: Verify Root Has A Primary GID 0
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-04040000: Set Interactive Session Timeout
Description: None
Levels:
Automated: partially
Selections:
SLEM-5-AAA-04050000: Ensure the Default Umask is Set Correctly in login.defs
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-05050000: Restrict direct and virtual console Root Logins
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-AAA-05060000: Enforce Usage of pam_wheel on the System for su Authentication
Description: None
Levels:
Automated: partially
Selections:
SLEM-5-SMA-01010000: Verify and Correct Ownership and File Permissions with RPM
Description: None
Levels:
Automated: no
No rules selected
SLEM-5-SMA-01020000: Configure permissions on /etc/passwd
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SMA-01030000: Configure permissions on /etc/shadow
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SMA-01040000: Configure permissions on /etc/group
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SMA-01050000: Configure permissions on /etc/passwd-
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SMA-01060000: Configure permissions on /etc/shadow-
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SMA-01070000: Configure permissions on /etc/group-
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SMA-01080000: Ensure No World-Writable Files Exist
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SMA-01090000: Ensure All Files Are Owned by a User
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SMA-01100000: Ensure All Files Are Owned by a Group
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SMA-01110000: Ensure All SUID Executables Are Authorized
Description: None
Levels:
Automated: no
No rules selected
SLEM-5-SMA-01120000: Ensure All SGID Executables Are Authorized
Description: None
Levels:
Automated: no
No rules selected
SLEM-5-SMA-02010000: Verify All Account Password Hashes are Shadowed
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SMA-02020000: Ensure there are no legacy NIS entries in /etc/passwd and /etc/shadow
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SMA-02030000: Verify Only Root Has UID 0
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SMA-02040000: Ensure Root's path Integrity
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SMA-02050000: All Interactive Users Home Directories Must Exist
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SMA-02060000: All Interactive User Home Directories Must Have mode 0750 Or Less Permissive
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SMA-02070000: All Interactive User Home Directories Must Be Group-Owned By The Primary Group
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SMA-02080000: User Initialization Files Must Not Run World-Writable Programs
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SMA-02090000: Verify No .forward Files Exist
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SMA-02100000: Verify No netrc Files Exist
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SMA-02110000: Ensure users' .netrc Files are not group or world accessible
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SMA-02120000: Remove Rsh Trust Files
Description: None
Levels:
Automated: no
No rules selected
SLEM-5-SMA-02130000: Ensure all GIDs referenced in /etc/passwd are defined in /etc/group
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SMA-02140000: Ensure All Accounts on the System Have Unique User IDs
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SMA-02150000: Ensure All Groups on the System Have Unique Group ID
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SMA-02160000: Ensure All Accounts on the System Have Unique Names
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SMA-02170000: Ensure All Groups on the System Have Unique Group Names
Description: None
Levels:
Automated: yes
Selections:
SLEM-5-SMA-02180000: Ensure shadow Group on the System is Empty
Description: None
Levels:
Automated: yes
Selections: