{
  "format_version": 3,
  "policy": {
    "external_id": "1a523ff6847063a2025ddd1bbdce6a13",
    "name": "CIS SUSE Linux Enterprise 16 Benchmark v1.0.0 - Level 1 Server",
    "version": "1.0.1",
    "description": "Center for Internet Security benchmark — Level 1 server hardening for SUSE Linux Enterprise 16 (and compatible openSUSE Leap variants). Generated from CIS_SUSE_Linux_Enterprise_16_Benchmark_v1.0.0.pdf.",
    "author": "Center for Internet Security"
  },
  "tests": [
    {
      "external_id": "4f902e52d86ff198cda5ba7f4e58fbb8",
      "name": "1.1.1.1 — Ensure cramfs kernel module is not available",
      "description": "Ensure cramfs kernel module is not available",
      "rational": "Removing support for unneeded filesystem types reduces the local attack surface of the \nsystem. If this filesystem type is not needed, disable it.",
      "remediation": "Unload and disable the cramfs kernel module. \n\n1.  Run the following commands to unload the cramfs kernel module: \n\n# modprobe -r cramfs 2>/dev/null \n# rmmod cramfs 2>/dev/null \n\n2.  Perform the following to disable the cramfs kernel module: \n\nCreate a file ending in .conf with install cramfs /bin/false in the \n/etc/modprobe.d/ directory. \nExample: \n# printf '%s\\n' \"\" \"install cramfs /bin/false\" >> /etc/modprobe.d/60-cramfs.conf \nCreate a file ending in .conf with blacklist cramfs in the /et...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^cramfs ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "40e7532eae2cafb63f3a97a0254cc0fc",
      "name": "1.1.1.4 — Ensure hfs kernel module is not available",
      "description": "Ensure hfs kernel module is not available",
      "rational": "Removing support for unneeded filesystem types reduces the local attack surface of the \nsystem. If this filesystem type is not needed, disable it.",
      "remediation": "Unload and disable the hfs kernel module. \n\n1.  Run the following commands to unload the hfs kernel module: \n\n# modprobe -r hfs 2>/dev/null \n# rmmod hfs 2>/dev/null \n\n2.  Perform the following to disable the hfs kernel module: \n\nCreate a file ending in .conf with install hfs /bin/false in the /etc/modprobe.d/ \ndirectory. \nExample: \n# printf '%s\\n' \"\" \"install hfs /bin/false\" >> /etc/modprobe.d/60-hfs.conf \nCreate a file ending in .conf with blacklist hfs in the /etc/modprobe.d/ directory. \nEx...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^hfs ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "1e12b58d64bfbece3fe305dd287ad08f",
      "name": "1.1.1.5 — Ensure hfsplus kernel module is not available",
      "description": "Ensure hfsplus kernel module is not available",
      "rational": "Removing support for unneeded filesystem types reduces the local attack surface of the \nsystem. If this filesystem type is not needed, disable it.",
      "remediation": "Unload and disable the hfsplus kernel module. \n\n1.  Run the following commands to unload the hfsplus kernel module: \n\n# modprobe -r hfsplus 2>/dev/null \n# rmmod hfsplus 2>/dev/null \n\n2.  Perform the following to disable the hfsplus kernel module: \n\nCreate a file ending in .conf with install hfsplus /bin/false in the \n/etc/modprobe.d/ directory. \nExample: \n# printf '%s\\n' \"\" \"install hfsplus /bin/false\" >> /etc/modprobe.d/60-hfsplus.conf \nCreate a file ending in .conf with blacklist hfsplus i...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^hfsplus ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "a554c73965a7325e859c5f1076e7f4d9",
      "name": "1.1.1.6 — Ensure jffs2 kernel module is not available",
      "description": "Ensure jffs2 kernel module is not available",
      "rational": "Removing support for unneeded filesystem types reduces the local attack surface of the \nsystem. If this filesystem type is not needed, disable it.",
      "remediation": "Unload and disable the jffs2 kernel module. \n\n1.  Run the following commands to unload the jffs2 kernel module: \n\n# modprobe -r jffs2 2>/dev/null \n# rmmod jffs2 2>/dev/null \n\n2.  Perform the following to disable the jffs2 kernel module: \n\nCreate a file ending in .conf with install jffs2 /bin/false in the \n/etc/modprobe.d/ directory. \nExample: \n# printf '%s\\n' \"\" \"install jffs2 /bin/false\" >> /etc/modprobe.d/60-jffs2.conf \nCreate a file ending in .conf with blacklist jffs2 in the /etc/modprob...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^jffs2 ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "38ee137de32ec8a81f89f97fb45d139f",
      "name": "1.1.1.9 — Ensure udf kernel module is not available",
      "description": "Ensure udf kernel module is not available",
      "rational": "Removing support for unneeded filesystem types reduces the local attack surface of the \nsystem. If this filesystem type is not needed, disable it.",
      "remediation": "Unload and disable the udf kernel module. \n\n1.  Run the following commands to unload the udf kernel module: \n\n# modprobe -r udf 2>/dev/null \n# rmmod udf 2>/dev/null \n\n2.  Perform the following to disable the udf kernel module: \n\nCreate a file ending in .conf with install udf /bin/false in the /etc/modprobe.d/ \ndirectory \nExample: \n# printf '%s\\n' \"\" \"install udf /bin/false\" >> /etc/modprobe.d/60-udf.conf \nCreate a file ending in .conf with blacklist udf in the /etc/modprobe.d/ directory \nExam...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^udf ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "65ec2b287ee5771d7a01dc91659fd6d0",
      "name": "1.1.2.1.1 — Ensure /tmp is tmpfs or a separate partition",
      "description": "Ensure /tmp is tmpfs or a separate partition",
      "rational": "Making /tmp its own file system allows an administrator to set additional mount options \nsuch as the noexec option on the mount, making /tmp useless for an attacker to install \nexecutable code. It would also prevent an attacker from establishing a hard link to a \nsystem setuid program and wait for it to be updated. Once the program was updated, \nthe hard link would be broken, and the attacker w...",
      "remediation": "First ensure that systemd is correctly configured to ensure that /tmp will be mounted at \nboot time. \n# systemctl unmask tmp.mount \nFor specific configuration requirements of the /tmp mount for your environment, modify \n/etc/fstab. \nExample of using tmpfs with specific mount options: \ntmpfs  /tmp \n0 \nNote: the size=2G is an example of setting a specific size for tmpfs. \nExample of using a volume or disk with specific mount options. The source location of \nthe volume or disk will vary dependin...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "SERVICE",
          "input": "tmp.mount",
          "selement": "ENABLED",
          "condition": null,
          "sinput": null
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "a9c13f8618a5d4cd66f75dd5d538a378",
      "name": "1.1.2.1.2 — Ensure nodev option set on /tmp partition",
      "description": "Ensure nodev option set on /tmp partition",
      "rational": "Since the /tmp filesystem is not intended to support devices, set this option to ensure \nthat users cannot create block or character special devices in /tmp.",
      "remediation": "- IF - a separate partition exists for /tmp. \nEdit the /etc/fstab file and add nodev to the fourth field (mounting options) for the \n/tmp partition. \nExample: \n<device> /tmp    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \nRun the following command to remount /tmp with the configured options: \n# mount -o remount /tmp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /tmp",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nodev"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "0d7a207ce360debf53cd84c325b7ce16",
      "name": "1.1.2.1.3 — Ensure nosuid option set on /tmp partition",
      "description": "Ensure nosuid option set on /tmp partition",
      "rational": "Since the /tmp filesystem is only intended for temporary file storage, set this option to \nensure that users cannot create setuid files in /tmp.",
      "remediation": "- IF - a separate partition exists for /tmp. \nEdit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the \n/tmp partition. \nExample: \n<device> /tmp    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \nRun the following command to remount /tmp with the configured options: \n# mount -o remount /tmp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /tmp",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nosuid"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "1da2d92d8756cf51b4db57c4410f00d8",
      "name": "1.1.2.1.4 — Ensure noexec option set on /tmp partition",
      "description": "Ensure noexec option set on /tmp partition",
      "rational": "Since the /tmp filesystem is only intended for temporary file storage, set this option to \nensure that users cannot run executable binaries from /tmp.",
      "remediation": "- IF - a separate partition exists for /tmp. \nEdit the /etc/fstab file and add noexec to the fourth field (mounting options) for the \n/tmp partition. \nExample: \n<device> /tmp    <fstype>     defaults,rw,nosuid,nodev,noexec,relatime  0 0 \nRun the following command to remount /tmp with the configured options: \n# mount -o remount /tmp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /tmp",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "noexec"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "150460f9df963a599cf0b83d18eb4c73",
      "name": "1.1.2.3.2 — Ensure nodev option set on /home partition",
      "description": "Ensure nodev option set on /home partition",
      "rational": "Since the /home filesystem is not intended to support devices, set this option to ensure \nthat users cannot create block or character special devices in /home.",
      "remediation": "- IF - a separate partition exists for /home. \nEdit the /etc/fstab file and add nodev to the fourth field (mounting options) for the \n/home partition. \nExample: \n<device> /home    <fstype>     defaults,rw,nosuid,nodev,relatime  0 0 \nRun the following command to remount /home with the configured options: \n# mount -o remount /home",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /home",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nodev"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "e2f1a1dbcf4e2b3fb9bc708585739adf",
      "name": "1.1.2.3.3 — Ensure nosuid option set on /home partition",
      "description": "Ensure nosuid option set on /home partition",
      "rational": "Since the /home filesystem is only intended for user file storage, set this option to \nensure that users cannot create setuid files in /home.",
      "remediation": "- IF - a separate partition exists for /home. \nEdit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the \n/home partition. \nExample: \n<device> /home    <fstype>     defaults,rw,nosuid,nodev,relatime  0 0 \nRun the following command to remount /home with the configured options: \n# mount -o remount /home",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /home",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nosuid"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "d0382dfb2e3f1f58bd3216d026bc32ce",
      "name": "1.1.2.4.2 — Ensure nodev option set on /var partition",
      "description": "Ensure nodev option set on /var partition",
      "rational": "Since the /var filesystem is not intended to support devices, set this option to ensure \nthat users cannot create block or character special devices in /var.",
      "remediation": "- IF - a separate partition exists for /var. \nEdit the /etc/fstab file and add nodev to the fourth field (mounting options) for the \n/var partition. \nExample: \n<device> /var    <fstype>     defaults,rw,nosuid,nodev,relatime  0 0 \nRun the following command to remount /var with the configured options: \n# mount -o remount /var",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /var",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nodev"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "f0489cbbb867eecf33cd0231b3e4d3ad",
      "name": "1.1.2.4.3 — Ensure nosuid option set on /var partition",
      "description": "Ensure nosuid option set on /var partition",
      "rational": "Since the /var filesystem is only intended for variable files such as logs, set this option \nto ensure that users cannot create setuid files in /var.",
      "remediation": "- IF - a separate partition exists for /var. \nEdit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the \n/var partition. \nExample: \n<device> /var    <fstype>     defaults,rw,nosuid,nodev,relatime  0 0 \nRun the following command to remount /var with the configured options: \n# mount -o remount /var",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /var",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "nosuid"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "7e435564f708c24e60c6b1dc03ffe5af",
      "name": "1.1.2.6.1 — Ensure separate partition exists for /var/log",
      "description": "Ensure separate partition exists for /var/log",
      "rational": "The default installation only creates a single / partition. Since the /var/log directory \ncontains log files which can grow quite large, there is a risk of resource exhaustion. It \nwill essentially have the whole disk available to fill up and impact the system as a whole. \nConfiguring /var/log as its own file system allows an administrator to set additional \nmount options such as noexec/nosuid/...",
      "remediation": "For new installations, during installation create a custom partition setup and specify a \nseparate partition for /var/log . \nFor systems that were previously installed, create a new partition and configure \n/etc/fstab as appropriate. \nNote: Using Btrfs subvolumes instead of traditional disk partitions changes how disk \nspace is allocated and enforced, quotas may need to be configured to enforce storage \nlimits and prevent resource exhaustion.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "findmnt -kn /var/log",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "ec18dd0b0e7fefdc1200d97a2e2bb616",
      "name": "1.2.1.2 — Ensure gpgcheck is configured",
      "description": "Ensure gpgcheck is configured",
      "rational": "It is important to ensure that an RPM's package signature is always checked prior to \ninstallation to ensure that the software is obtained from a trusted source.",
      "remediation": "Edit /etc/zypp/zypp.conf and set gpgcheck=on: \nExample: \n# sed -i 's/^gpgcheck\\s*=\\s*.*/gpgcheck=on/' /etc/zypp/zypp.conf \nEdit any failing files in /etc/zypp/repos.d/* and set all instances starting with \ngpgcheck to on. \nExample: \n# find /etc/zypp/repos.d/ -name \"*.repo\" -exec echo \"Checking:\" {} \\; -exec sed -i 's/^gpgcheck\\s*=\\s*.*/gpgcheck=on/' {} \\; \nNote: true, yes, or 1 is also acceptable.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Pi -- '^\\h*gpgcheck\\h*=\\h*(0|false|no|off)\\b' /etc/zypp/zypp.conf",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "2749945659a33cea2cf3dc9e11f3e6e4",
      "name": "1.2.1.5 — Ensure weak dependencies are configured",
      "description": "Ensure weak dependencies are configured",
      "rational": "Unless a system specifically requires the additional capabilities provided by the weak \ndependencies, it is recommended that the packages are not installed to reduce the \npotential attack surface.",
      "remediation": "Edit /etc/zypp/zypp.conf and set solver.onlyRequires = true. \nExample script: \n#!/usr/bin/env bash \n\n{ \n   if grep -Pq '^solver.onlyRequires' /etc/zypp/zypp.conf; then \n      sed -i 's/^solver.onlyRequires\\s*=\\s*.*/solver.onlyRequires = true/' /etc/zypp/zypp.conf \n   else \n      printf '%s\\n' \"\" \"solver.onlyRequires = true\" >> /etc/zypp/zypp.conf \n   fi \n}",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Pi -- '^\\h*solver.onlyRequires\\h*=\\h*true\\b' /etc/zypp/zypp.conf",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "af38a450ec6b1803d6760805417cd620",
      "name": "1.3.1.1 — Ensure SELinux is installed",
      "description": "Ensure SELinux is installed",
      "rational": "Without a Mandatory Access Control system installed only the default Discretionary \nAccess Control system will be available.",
      "remediation": "Run the following command to install SELinux: \n# zypper install libselinux1",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "libselinux1",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "cafabe19f6f916eef79a6d8cb1a00394",
      "name": "1.3.1.3 — Ensure SELinux policy is configured",
      "description": "Ensure SELinux policy is configured",
      "rational": "Security configuration requirements vary from site to site. Some sites may mandate a \npolicy that is stricter than the default policy, which is perfectly acceptable. This item is \nintended to ensure that at least the default recommendations are met.",
      "remediation": "Edit /etc/selinux/config and set the SELINUXTYPE line to targeted or mls: \nExample: \nSELINUXTYPE=targeted",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Psi -- '^\\h*SELINUXTYPE\\h*=\\h*(targeted|mls)\\b' /etc/selinux/config",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "b894701b59cc5a22cfdda2534924d0c1",
      "name": "1.3.1.5 — Ensure the SELinux mode is not disabled",
      "description": "Ensure the SELinux mode is not disabled",
      "rational": "Running SELinux in disabled mode is strongly discouraged; not only does the system \navoid enforcing the SELinux policy, it also avoids labeling any persistent objects such \nas files, making it difficult to enable SELinux in the future.",
      "remediation": "Note: Only apply one set of remediation steps, depending on whether SELinux is currently disabled. \nIf SELinux is currently disabled: \n\n1.  Update the SELinux running state to either enforcing or permissive: \n\nReset the security context on the running system: \n# restorecon -R / \nRun the following command to create /etc/selinux/.autorelabel: \n# touch /etc/selinux/.autorelabel \n\n2.  Edit /etc/selinux/config and update the SELINUX parameter to either \n\nSELINUX=enforcing or SELINUX=perm...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Pi -- '^\\h*SELINUX=(enforcing|permissive)\\b' /etc/selinux/config",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "cb8d5942af4671c4c086e8e6900af36b",
      "name": "1.3.1.7 — Ensure SETroubleshoot is not installed",
      "description": "Ensure SETroubleshoot is not installed",
      "rational": "The SETroubleshoot service is an unnecessary daemon to have running on a server, \nespecially if X Windows is disabled.",
      "remediation": "Run the following command to uninstall setroubleshoot: \n# zypper remove setroubleshoot",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "setroubleshoot",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "6b8487534bef8cc02e42455795b1ce39",
      "name": "1.4.1 — Ensure bootloader password is set",
      "description": "Ensure bootloader password is set",
      "rational": "Requiring a boot password upon execution of the boot loader will prevent an \nunauthorized user from entering boot parameters or changing the boot partition. This \nprevents users from weakening security (e.g. turning off auditing at boot time).",
      "remediation": "Create an encrypted password with grub2-mkpasswd-pbkdf2: \n# grub2-mkpasswd-pbkdf2 \n\nEnter password:<password> \nReenter password:<password> \n\nPBKDF2 hash of your password is <encrypted-password> \nAdd the following into /etc/grub.d/40_custom \nset superusers=\"<username>\" \npassword_pbkdf2 <username> <encrypted-password> \nRun the following command to import the changes into the main configuration file: \n# grub2-mkconfig -o /boot/grub2/grub.cfg",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/boot/grub2/grub.cfg",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "^\\s*password"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "d7cb0cd702e75ac48bc4291a2bbbe1ac",
      "name": "1.5.1 — Ensure fs.protected_hardlinks is configured",
      "description": "Ensure fs.protected_hardlinks is configured",
      "rational": "Disallowing hardlinks mitigates vulnerabilities based on insecure file systems accessed \nby privileged programs. This reduces the risk of an exploitation vector exploiting unsafe \nuse of open or creat.",
      "remediation": "1.  Review all files being used by systemd sysctl and comment out or remove all \nfs.protected_hardlinks lines that are not fs.protected_hardlinks=1. \n\nExample script: \n#!/usr/bin/env bash \n\n{ \n   l_option=\"fs.protected_hardlinks\" l_value=\"1\" \n   l_grep=\"${l_option//./(\\\\.|\\\\/)}\" a_files=() \n   l_systemdsysctl=\"$(readlink -e /lib/systemd/systemd-sysctl \\ \n   || readlink -e /usr/lib/systemd/systemd-sysctl)\" \n   l_ufw_file=\"$([ -f /etc/default/ufw ] && \\ \n   awk -F= '/^\\s*IPT_SYSCTL=/ {print $2}...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n fs.protected_hardlinks",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "4ad0747fb8ada9bd1fe159f9cc1fb377",
      "name": "1.5.3 — Ensure fs.suid_dumpable is configured",
      "description": "Ensure fs.suid_dumpable is configured",
      "rational": "Core dumps may contain sensitive in-memory data like password hashes or keys. An \nattacker could potentially exploit this to gain access to such data.",
      "remediation": "1.  Review all files being used by systemd sysctl and comment out or remove all \n\nfs.suid_dumpable lines that are not fs.suid_dumpable=0. \n\nExample script: \n#!/usr/bin/env bash \n\n{ \n   l_option=\"fs.suid_dumpable\" l_value=\"0\" \n   l_grep=\"${l_option//./(\\\\.|\\\\/)}\" a_files=() \n   l_systemdsysctl=\"$(readlink -e /lib/systemd/systemd-sysctl \\ \n   || readlink -e /usr/lib/systemd/systemd-sysctl)\" \n   l_ufw_file=\"$([ -f /etc/default/ufw ] && \\ \n   awk -F= '/^\\s*IPT_SYSCTL=/ {print $2}' /etc/default/uf...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n fs.suid_dumpable",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "97af7fb0454fe60bb624487ebf928436",
      "name": "1.5.4 — Ensure kernel.dmesg_restrict is configured",
      "description": "Ensure kernel.dmesg_restrict is configured",
      "rational": "Restricting access to the kernel message buffer limits access to only root. This prevents \nattackers from gaining additional system information as a non-privileged user.",
      "remediation": "1.  Review all files being used by systemd sysctl and comment out or remove all \nkernel.dmesg_restrict lines that are not kernel.dmesg_restrict=1. \n\nExample script: \n#!/usr/bin/env bash \n\n{ \n   l_option=\"kernel.dmesg_restrict\" l_value=\"1\" \n   l_grep=\"${l_option//./(\\\\.|\\\\/)}\" a_files=() \n   l_systemdsysctl=\"$(readlink -e /lib/systemd/systemd-sysctl \\ \n   || readlink -e /usr/lib/systemd/systemd-sysctl)\" \n   l_ufw_file=\"$([ -f /etc/default/ufw ] && \\ \n   awk -F= '/^\\s*IPT_SYSCTL=/ {print $2}' /...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n kernel.dmesg_restrict",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "10fd8bf417f476a44c1eca1c0a1d07fc",
      "name": "1.5.5 — Ensure kernel.kptr_restrict is configured",
      "description": "Ensure kernel.kptr_restrict is configured",
      "rational": "Masking the kernel symbols in /proc/kallsyms reduces the ability of an attacker using \nthem to learn more about what to attack on your system.",
      "remediation": "1.  Review all files being used by systemd sysctl and comment out or remove all \nkernel.kptr_restrict lines that are not kernel.kptr_restrict=1 or \nkernel.kptr_restrict=2. \n\nExample script: \n#!/usr/bin/env bash \n\n{ \n   l_option=\"kernel.kptr_restrict\" l_value=\"(1|2)\" \n   l_grep=\"${l_option//./(\\\\.|\\\\/)}\" a_files=() \n   l_systemdsysctl=\"$(readlink -e /lib/systemd/systemd-sysctl \\ \n   || readlink -e /usr/lib/systemd/systemd-sysctl)\" \n   l_ufw_file=\"$([ -f /etc/default/ufw ] && \\ \n   awk -F= '/^\\...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n kernel.kptr_restrict",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "072a550c1d766d6ac39b8f8ba29ab8f7",
      "name": "1.6.2 — Ensure system wide crypto policy is not legacy",
      "description": "Ensure system wide crypto policy is not legacy",
      "rational": "If the LEGACY system-wide crypto policy is selected, it includes support for TLS 1.0, TLS \n1.1, and SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are allowed, \nwhile RSA and Diffie-Hellman parameters are accepted if larger than 1023-bits. \nThese legacy protocols and algorithms can make the system vulnerable to attacks, \nincluding those listed in RFC 7457.",
      "remediation": "Run the following command to change the system-wide crypto policy \n# update-crypto-policies --set <CRYPTO POLICY> \nExample: \n# update-crypto-policies --set DEFAULT \nRun the following to make the updated system-wide crypto policy active \n# update-crypto-policies",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/crypto-policies/config",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "^\\h*LEGACY\\b"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "9b77c3943db9c9f650023580f23004d3",
      "name": "1.7.1 — Ensure /etc/motd is configured",
      "description": "Ensure /etc/motd is configured",
      "rational": "Warning messages inform users who are attempting to login to the system of their legal \nstatus regarding the system and must include the name of the organization that owns \nthe system and any monitoring policies that are in place. Displaying OS and patch level \ninformation in login banners also has the side effect of providing detailed system \ninformation to attackers attempting to target speci...",
      "remediation": "Edit the MOTD file with the appropriate contents according to your site policy, remove any \ninstances of \\m , \\r , \\s , \\v or references to the OS platform \n- OR - \n- IF - the motd is not used, this file can be removed. \nRun the following command to remove the motd file: \n# rm </path/to/motd/file> \nExample \n# rm /usr/lib/motd.d/welcome",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Psi -- \"(\\\\\\v|\\\\\\r|\\\\\\m|\\\\\\s|\\b$(grep ^ID= /etc/os-release | cut -d=",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "eb51afd5e478c04680062914b2d686fa",
      "name": "1.7.2 — Ensure /etc/issue is configured",
      "description": "Ensure /etc/issue is configured",
      "rational": "Warning messages inform users who are attempting to login to the system of their legal \nstatus regarding the system and must include the name of the organization that owns \nthe system and any monitoring policies that are in place. Displaying OS and patch level \ninformation in login banners also has the side effect of providing detailed system \ninformation to attackers attempting to target speci...",
      "remediation": "Edit the issue file with the appropriate contents according to your site policy, remove \nany instances of \\m , \\r , \\s , \\v or references to the OS platform \nExample: \n# echo \"Authorized users only. All activity may be monitored and reported.\" > \n/etc/issue \nNote: \n\n•  The issue file /usr/lib/issue.d/10-SUSE may be removed or overridden with \n\nthe appropriate contents according to your site policy. \n\n•  Files in /etc/issue.d override files with the same name in /usr/lib/issue.d \nand /run/issu...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Psi \"(\\\\\\v|\\\\\\r|\\\\\\m|\\\\\\s|\\b$(grep '^ID=' /etc/os-release | cut -d= -",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "845f331fabf03e95b86029e417477aaf",
      "name": "1.7.3 — Ensure /etc/issue.net is configured",
      "description": "Ensure /etc/issue.net is configured",
      "rational": "Warning messages inform users who are attempting to login to the system of their legal \nstatus regarding the system and must include the name of the organization that owns \nthe system and any monitoring policies that are in place. Displaying OS and patch level \ninformation in login banners also has the side effect of providing detailed system \ninformation to attackers attempting to target speci...",
      "remediation": "Edit the /etc/issue.net file with the appropriate contents according to your site policy, \nremove any instances of \\m , \\r , \\s , \\v or references to the OS platform \nExample: \n# echo \"Authorized users only. All activity may be monitored and reported.\" > \n/etc/issue.net",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "cat /etc/issue.net",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "dc58e8941ef0f423ecda889ce740b138",
      "name": "1.7.5 — Ensure sshd warning Banner is configured",
      "description": "Ensure sshd warning Banner is configured",
      "rational": "Banners are used to warn connecting users of the particular site's policy regarding \nconnection. Presenting a warning message prior to the normal user login may assist the \nprosecution of trespassers on the computer system. \nNot having a properly configured SSH banner, or leaving it at the default value, can \nexpose an organization to legal and compliance risks by failing to provide users with...",
      "remediation": "Edit the file being called by the Banner argument with the appropriate contents \naccording to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to \nthe OS platform \nExample: \n# printf '%s\\n' \"Authorized users only. All activity may be monitored and \nreported.\" > \"$(sshd -T | awk '$1 == \"banner\" {print $2}')\"",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "[ -e \"$(sshd -T | awk '$1 == \"banner\" {print $2}')\" ] && cat \"$(sshd -T |",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "1a35332e45d0b547bc8107ab9870ea4e",
      "name": "1.7.6 — Ensure access to /etc/motd is configured",
      "description": "Ensure access to /etc/motd is configured",
      "rational": "- IF - the /etc/motd file does not have the correct access configured, it could be \nmodified by unauthorized users with incorrect or misleading information.",
      "remediation": "Run the following commands to set mode, owner, and group on the appropriate MOTD \nfile: \n# chown root:root </path/to/motd/file> \n# chmod u-x,go-wx </path/to/motd/file> \nExample \n# chown root:root $(readlink -e /etc/motd) \n# chmod u-x,go-wx $(readlink -e /etc/motd) \n- OR - \nRun the following command to remove the /etc/motd file: \n# rm /etc/motd",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "[ -e /etc/motd ] && stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: { %g/",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "0251027e40b6f74ad536a679bff984ac",
      "name": "1.7.7 — Ensure access to /etc/issue is configured",
      "description": "Ensure access to /etc/issue is configured",
      "rational": "- IF - the /etc/issue file does not have the correct access configured, it could be \nmodified by unauthorized users with incorrect or misleading information.",
      "remediation": "Run the following commands to set mode, owner, and group on the appropriate issue \nfile: \n# chown root:root <path/to/issue/file> \n# chmod u-x,go-wx <path/to/issue/file> \nExample \n# chown root:root $(readlink -e /etc/issue) \n# chmod u-x,go-wx $(readlink -e /etc/issue)",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: { %g/ %G)' /etc/issue",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "111db090c2fb4ce3bb12253bd7f9796f",
      "name": "1.7.8 — Ensure access to /etc/issue.net is configured",
      "description": "Ensure access to /etc/issue.net is configured",
      "rational": "- IF - the /etc/issue.net file does not have the correct access configured, it could be \nmodified by unauthorized users with incorrect or misleading information.",
      "remediation": "Run the following commands to set mode, owner, and group on /etc/issue.net: \n# chown root:root $(readlink -e /etc/issue.net) \n# chmod u-x,go-wx $(readlink -e /etc/issue.net)",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: { %g/ %G)' /etc/issue.net",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "046ca457759b4938d7bd193473fbd551",
      "name": "1.8.1 — Ensure GDM login banner is configured",
      "description": "Ensure GDM login banner is configured",
      "rational": "Warning messages inform users who are attempting to login to the system of their legal \nstatus regarding the system and must include the name of the organization that owns \nthe system and any monitoring policies that are in place. \nWithout locking down the system settings, user settings take precedence over the \nsystem settings.",
      "remediation": "1.  Create or edit the file /etc/dconf/profile/user and add the following lines if \n\nthey do not exist: \n\nuser-db:user \nsystem-db:local \nExample: \n#!/usr/bin/env bash \n\n{ \n   l_dir=\"/etc/dconf/profile/\" \n   [ ! -d \"$l_dir\" ] && mkdir /etc/dconf/profile/ \n   ! grep -Psq '^\\h*user-db:user\\b' \"$l_dir/user\" && \\ \n   printf '%s\\n' \"\" \"user-db:user\" >> \"$l_dir/user\" \n   ! grep -Psq '^\\h*system-db:local\\b' \"$l_dir/user\" && \\ \n   sed -ri '/^\\s*user-db:user/a system-db:local' \"$l_dir/user\" \n} \n\n2.  Ru...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "gsettings writable org.gnome.login-screen banner-message-enable",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "df467226edab4d243ed5c8dbaedb0ebd",
      "name": "1.8.2 — Ensure GDM disable-user-list is configured",
      "description": "Ensure GDM disable-user-list is configured",
      "rational": "Displaying the user list eliminates half of the Userid/Password equation that an \nunauthorized person would need to log on. \nWithout locking down the system settings, user settings take precedence over the \nsystem settings.",
      "remediation": "1.  Create or edit the file /etc/dconf/profile/user and add the following lines if \n\nthey do not exist: \n\nuser-db:user \nsystem-db:local \nExample: \n#!/usr/bin/env bash \n\n{ \n   l_dir=\"/etc/dconf/profile/\" \n   [ ! -d \"$l_dir\" ] && mkdir /etc/dconf/profile/ \n   ! grep -Psq '^\\h*user-db:user\\b' \"$l_dir/user\" && \\ \n   printf '%s\\n' \"\" \"user-db:user\" >> \"$l_dir/user\" \n   ! grep -Psq '^\\h*system-db:local\\b' \"$l_dir/user\" && \\ \n   sed -ri '/^\\s*user-db:user/a system-db:local' \"$l_dir/user\" \n} \n\n2.  Ru...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "gsettings writable org.gnome.login-screen disable-user-list",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "0ffdafb0d3d2103a7fa0037d66d32efa",
      "name": "1.8.3 — Ensure GDM screen lock is configured",
      "description": "Ensure GDM screen lock is configured",
      "rational": "Setting a lock-out value reduces the window of opportunity for unauthorized user access \nto another user's session that has been left unattended. \nWithout locking down the system settings, user settings take precedence over the \nsystem settings. \nSatisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, SRG-OS-000480-GPOS-00227",
      "remediation": "1.  Create or edit the file /etc/dconf/profile/user and add the following lines if \n\nthey do not exist: \n\nuser-db:user \nsystem-db:local \nExample: \n#!/usr/bin/env bash \n\n{ \n   l_dir=\"/etc/dconf/profile/\" \n   [ ! -d \"$l_dir\" ] && mkdir /etc/dconf/profile/ \n   ! grep -Psq '^\\h*user-db:user\\b' \"$l_dir/user\" && \\ \n   printf '%s\\n' \"\" \"user-db:user\" >> \"$l_dir/user\" \n   ! grep -Psq '^\\h*system-db:local\\b' \"$l_dir/user\" && \\ \n   sed -ri '/^\\s*user-db:user/a system-db:local' \"$l_dir/user\" \n} \n\n2.  Ru...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "gsettings writable org.gnome.desktop.session idle-delay",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "0df41a4277070a0ef5fd62545001b235",
      "name": "1.8.4 — Ensure GDM automount is configured",
      "description": "Ensure GDM automount is configured",
      "rational": "With automounting enabled anyone with physical access could attach a USB drive or \ndisc and have its contents available in system even if they lacked permissions to mount \nit themselves. \nWithout locking down the system settings, user settings take precedence over the \nsystem settings. \nSatisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227",
      "remediation": "1.  Create or edit the file /etc/dconf/profile/user and add the following lines if \n\nthey do not exist: \n\nuser-db:user \nsystem-db:local \nExample: \n#!/usr/bin/env bash \n\n{ \n   l_dir=\"/etc/dconf/profile/\" \n   [ ! -d \"$l_dir\" ] && mkdir /etc/dconf/profile/ \n   ! grep -Psq '^\\h*user-db:user\\b' \"$l_dir/user\" && \\ \n   printf '%s\\n' \"\" \"user-db:user\" >> \"$l_dir/user\" \n   ! grep -Psq '^\\h*system-db:local\\b' \"$l_dir/user\" && \\ \n   sed -ri '/^\\s*user-db:user/a system-db:local' \"$l_dir/user\" \n} \n\n2.  Ru...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "gsettings writable org.gnome.desktop.media-handling automount",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "cad14dcfe166391700cd52854eaa3882",
      "name": "1.8.5 — Ensure GDM autorun-never is configured",
      "description": "Ensure GDM autorun-never is configured",
      "rational": "Malware on removable media may take advantage of Autorun features when the media \nis inserted into a system and execute. \nWithout locking down the system settings, user settings take precedence over the \nsystem settings. \nSatisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227",
      "remediation": "1.  Create or edit the file /etc/dconf/profile/user and add the following lines if \n\nthey do not exist: \n\nuser-db:user \nsystem-db:local \nExample: \n#!/usr/bin/env bash \n\n{ \n   l_dir=\"/etc/dconf/profile/\" \n   [ ! -d \"$l_dir\" ] && mkdir /etc/dconf/profile/ \n   ! grep -Psq '^\\h*user-db:user\\b' \"$l_dir/user\" && \\ \n   printf '%s\\n' \"\" \"user-db:user\" >> \"$l_dir/user\" \n   ! grep -Psq '^\\h*system-db:local\\b' \"$l_dir/user\" && \\ \n   sed -ri '/^\\s*user-db:user/a system-db:local' \"$l_dir/user\" \n} \n\n2.  Ru...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "gsettings writable org.gnome.desktop.media-handling autorun-never",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "e552cdde4e16aa150f5848030d022d9f",
      "name": "1.8.6 — Ensure XDMCP is not enabled",
      "description": "Ensure XDMCP is not enabled",
      "rational": "XDMCP is inherently insecure. \n\n•  XDMCP is not an encrypted protocol. This may allow an attacker to capture \nkeystrokes entered by a user. \n\n•  XDMCP is vulnerable to man-in-the-middle attacks. This may allow an attacker to \nsteal the credentials of legitimate users by impersonating the XDMCP server.",
      "remediation": "Edit all files returned by the audit and remove or comment out the Enable=true line in \nthe [xdmcp] block: \nExample File: \n# GDM configuration storage \n# \n# See /usr/share/gdm/gdm.schemas for a list of available options. \n\n[daemon] \n# Uncomment the line below to force the login screen to use Xorg \n#WaylandEnable=false \n\n# Enabling automatic login \n#  AutomaticLoginEnable = true \n#  AutomaticLogin = user1 \n\n# Enabling timed login \n#  TimedLoginEnable = true \n#  TimedLogin = user1 \n#  TimedLogi...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "16eb44a5013ee19ab9bfe2dc81a6ec22",
      "name": "2.1.1 — Ensure autofs services are not in use",
      "description": "Ensure autofs services are not in use",
      "rational": "With automounting enabled anyone with physical access could attach a USB drive or \ndisc and have its contents available in system even if they lacked permissions to mount \nit themselves.",
      "remediation": "Run the following commands to stop autofs.service and remove autofs package: \n# systemctl stop autofs.service \n# zypper remove autofs \n- OR - \n- IF - the autofs package is required as a dependency: \nRun the following commands to stop and mask autofs.service: \n# systemctl stop autofs.service \n# systemctl mask autofs.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "autofs",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "66c47e8314e8f5015b51c5060486a9dd",
      "name": "2.1.2 — Ensure avahi daemon services are not in use",
      "description": "Ensure avahi daemon services are not in use",
      "rational": "Automatic discovery of network services is not normally required for system \nfunctionality. It is recommended to remove this package to reduce the potential attack \nsurface.",
      "remediation": "Run the following commands to stop avahi-daemon.socket and avahi-daemon.service, and remove the avahi package: \n# systemctl stop avahi-daemon.socket avahi-daemon.service \n# zypper remove avahi \n- OR - \n- IF - the avahi package is required as a dependency: \nRun the following commands to stop and mask the avahi-daemon.socket and avahi-daemon.service: \n# systemctl stop avahi-daemon.socket avahi-daemon.service \n# systemctl mask avahi-daemon.socket avahi-daemon.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "avahi",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "170ffbd560fc94dac289178f7ca7ec13",
      "name": "2.1.3 — Ensure dhcp server services are not in use",
      "description": "Ensure dhcp server services are not in use",
      "rational": "Unless a system is specifically set up to act as a DHCP server, it is recommended that \nthe kea package be removed to reduce the potential attack surface.",
      "remediation": "Run the following commands to stop kea-dhcp-ddns.service, kea-dhcp4.service, \nand kea-dhcp6.service and remove the kea package: \n# systemctl stop kea-dhcp-ddns.service kea-dhcp4.service kea-dhcp6.service \n# zypper remove kea \n- OR - \n- IF - the kea package is required as a dependency: \nRun the following commands to stop and mask kea-dhcp-ddns.service, kea-dhcp4.service, and kea-dhcp6.service: \n# systemctl stop kea-dhcp-ddns.service kea-dhcp4.service kea-dhcp6.service \n# systemctl mask kea-dh...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "kea",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "ca262cc77380d9add382671f502dc2d0",
      "name": "2.1.4 — Ensure dns server services are not in use",
      "description": "Ensure dns server services are not in use",
      "rational": "Unless a system is specifically designated to act as a DNS server, it is recommended \nthat the package be removed to reduce the potential attack surface.",
      "remediation": "Run the following commands to stop named.service and remove bind package: \n# systemctl stop named.service \n# zypper remove bind \n- OR - \n- IF - the bind package is required as a dependency: \nRun the following commands to stop and mask named.service: \n# systemctl stop named.service \n# systemctl mask named.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "bind",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "2d24ace8ec565ff576ad6e4b9dc8f9a8",
      "name": "2.1.5 — Ensure dnsmasq services are not in use",
      "description": "Ensure dnsmasq services are not in use",
      "rational": "Unless a system is specifically designated to act as a DNS caching, DNS forwarding \nand/or DHCP server, it is recommended that the package be removed to reduce the \npotential attack surface.",
      "remediation": "Run the following commands to stop dnsmasq.service and remove dnsmasq package: \n# systemctl stop dnsmasq.service \n# zypper remove dnsmasq \n- OR - \n- IF - the dnsmasq package is required as a dependency: \nRun the following commands to stop and mask the dnsmasq.service: \n# systemctl stop dnsmasq.service \n# systemctl mask dnsmasq.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "dnsmasq",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "7595ad3ad57ac8f504841129d400f041",
      "name": "2.1.7 — Ensure ldap server services are not in use",
      "description": "Ensure ldap server services are not in use",
      "rational": "If the system will not need to act as an LDAP server, it is recommended that the \nsoftware be removed to reduce the potential attack surface.",
      "remediation": "Run the following commands to stop slapd.service and remove the openldap2_6 packages: \n# systemctl stop slapd.service \n# zypper remove openldap2_6 \n- OR - \n- IF - the slapd package is required as a dependency: \nRun the following commands to stop and mask slapd.service: \n# systemctl stop slapd.service \n# systemctl mask slapd.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "openldap2",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "bda3cccd233410fcb55df05d6b1f538b",
      "name": "2.1.8 — Ensure ftp server services are not in use",
      "description": "Ensure ftp server services are not in use",
      "rational": "Unless there is a need to run the system as a FTP server, it is recommended that the \npackage be removed to reduce the potential attack surface.",
      "remediation": "Run the following commands to stop vsftpd.service and remove vsftpd package: \n# systemctl stop vsftpd.service \n# zypper remove vsftpd \n- OR - \n- IF - the vsftpd package is required as a dependency: \nRun the following commands to stop and mask the vsftpd.service: \n# systemctl stop vsftpd.service \n# systemctl mask vsftpd.service \nNote: Other ftp server packages may exist. If not required and authorized by local site \npolicy, they should also be removed. If the package is required for a dependen...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "vsftpd",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "eb44e3b61ab09aa4753b96c60fe671dd",
      "name": "2.1.11 — Ensure print server services are not in use",
      "description": "Ensure print server services are not in use",
      "rational": "If the system does not need to print jobs or accept print jobs from other systems, it is \nrecommended that CUPS be removed to reduce the potential attack surface.",
      "remediation": "Run the following commands to stop cups.socket and cups.service, and remove the \ncups package: \n# systemctl stop cups.socket cups.service \n# zypper remove cups \n- OR - \n- IF - the cups package is required as a dependency: \nRun the following commands to stop and mask the cups.socket and cups.service: \n# systemctl stop cups.socket cups.service \n# systemctl mask cups.socket cups.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "cups",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "acaf4537595a79be9834b5ab315a983f",
      "name": "2.1.12 — Ensure rpcbind services are not in use",
      "description": "Ensure rpcbind services are not in use",
      "rational": "A small request (~82 bytes via UDP) sent to the Portmapper generates a large \nresponse (7x to 28x amplification), which makes it a suitable tool for DDoS attacks. If \nrpcbind is not required, it is recommended to remove rpcbind package to reduce the \npotential attack surface.",
      "remediation": "Run the following commands to stop rpcbind.socket and rpcbind.service, and \nremove the rpcbind package: \n# systemctl stop rpcbind.socket rpcbind.service \n# zypper remove rpcbind \n- OR - \n- IF - the rpcbind package is required as a dependency: \nRun the following commands to stop and mask the rpcbind.socket and \nrpcbind.service: \n# systemctl stop rpcbind.socket rpcbind.service \n# systemctl mask rpcbind.socket rpcbind.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "rpcbind",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "276885d4e0a9b792c787bd5cf05b5567",
      "name": "2.1.13 — Ensure rsync services are not in use",
      "description": "Ensure rsync services are not in use",
      "rational": "Unless required, the rsync package should be removed to reduce the potential attack \nsurface. \nThe rsyncd.service presents a security risk as it uses unencrypted protocols for \ncommunication.",
      "remediation": "Run the following commands to stop rsyncd.socket and rsyncd.service, and \nremove the rsync package: \n# systemctl stop rsyncd.socket rsyncd.service \n# zypper remove rsync \n- OR - \n- IF - the rsync package is required as a dependency: \nRun the following commands to stop and mask the rsyncd.socket and \nrsyncd.service: \n# systemctl stop rsyncd.socket rsyncd.service \n# systemctl mask rsyncd.socket rsyncd.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "rsync",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "b413b82a6320f440030dccec5d2d4948",
      "name": "2.1.14 — Ensure snmp services are not in use",
      "description": "Ensure snmp services are not in use",
      "rational": "The SNMP server can communicate using SNMPv1, which transmits data in the clear \nand does not require authentication to execute commands. SNMPv3 replaces the \nsimple/clear text password sharing used in SNMPv2 with more securely encoded \nparameters. If the SNMP service is not required, the net-snmp package should be \nremoved to reduce the attack surface of the system. \nNote: If SNMP is requi...",
      "remediation": "Run the following commands to stop snmpd.service and remove net-snmp package: \n# systemctl stop snmpd.service \n# zypper remove net-snmp \n- OR - If the package is required for dependencies: \nRun the following commands to stop and mask the snmpd.service: \n# systemctl stop snmpd.service \n# systemctl mask snmpd.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "net-snmp",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "bc132259c64a82d34a031acc0ca26d61",
      "name": "2.1.15 — Ensure telnet server services are not in use",
      "description": "Ensure telnet server services are not in use",
      "rational": "The telnet protocol is insecure and unencrypted. The use of an unencrypted \ntransmission medium could allow a user with the ability to sniff network traffic to \nsteal credentials. The ssh package provides an encrypted session and stronger \nsecurity.",
      "remediation": "Run the following commands to stop telnet.socket and remove the telnet-server \npackage: \n# systemctl stop telnet.socket \n# zypper remove telnet-server \n- OR - \n- IF - a package is installed and is required for dependencies: \nRun the following commands to stop and mask telnet.socket: \n# systemctl stop telnet.socket \n# systemctl mask telnet.socket",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "telnet-server",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "3d0f252a3d94eab7588de94484dc3e1c",
      "name": "2.1.16 — Ensure tftp server services are not in use",
      "description": "Ensure tftp server services are not in use",
      "rational": "Unless there is a need to run the system as a TFTP server, it is recommended that the \npackage be removed to reduce the potential attack surface. \nTFTP does not have built-in encryption, access control or authentication. This makes it \nvery easy for an attacker to exploit TFTP to gain access to files.",
      "remediation": "Run the following commands to stop tftp.socket and tftp.service, and remove the \ntftp-server package: \n# systemctl stop tftp.socket tftp.service \n# zypper remove tftp-server \n- OR - \n- IF - the tftp-server package is required as a dependency: \nRun the following commands to stop and mask tftp.socket and tftp.service: \n# systemctl stop tftp.socket tftp.service \n# systemctl mask tftp.socket tftp.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "tftp-server",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "b9682b00801d723ed8a8a5eb3e5d4fc2",
      "name": "2.1.18 — Ensure web server services are not in use",
      "description": "Ensure web server services are not in use",
      "rational": "Unless there is a local site approved requirement to run a web server service on the \nsystem, web server packages should be removed to reduce the potential attack surface.",
      "remediation": "Run the following commands to stop apache2.service and remove the apache2 \npackage: \n# systemctl stop apache2.service \n# zypper remove apache2 \nRun the following commands to stop nginx.service and remove the nginx package: \n# systemctl stop nginx.service \n# zypper remove nginx \n- OR - \n- IF - a package is installed and is required for dependencies: \nRun the following commands to stop and mask apache2.service, and \nnginx.service: \n# systemctl stop apache2.service nginx.service \n# systemctl mas...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "apache2",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "09fa8e78685e787f308c10646502b553",
      "name": "2.1.19 — Ensure xinetd services are not in use",
      "description": "Ensure xinetd services are not in use",
      "rational": "If there are no xinetd services required, it is recommended that the package be \nremoved to reduce the attack surface of the system. \nNote: If an xinetd service or services are required, ensure that any xinetd service not \nrequired is stopped and masked.",
      "remediation": "Run the following commands to stop xinetd.service, and remove the xinetd \npackage: \n# systemctl stop xinetd.service \n# zypper remove xinetd \n- OR - \n- IF - the xinetd package is required as a dependency: \nRun the following commands to stop and mask the xinetd.service: \n# systemctl stop xinetd.service \n# systemctl mask xinetd.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "xinetd",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "17aa7c384357f15abd2acd3f4268f11a",
      "name": "2.2.1 — Ensure ftp client is not installed",
      "description": "Ensure ftp client is not installed",
      "rational": "FTP does not protect the confidentiality of data or authentication credentials. It is \nrecommended SFTP be used if file transfer is required. Unless there is a need to run \nthe system as a FTP server (for example, to allow anonymous downloads), it is \nrecommended that the package be removed to reduce the potential attack surface.",
      "remediation": "Run the following command to remove ftp: \n# zypper remove ftp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "ftp",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "6f86b1cc1ee1de20d25a9a34369741d6",
      "name": "2.2.3 — Ensure nis client is not installed",
      "description": "Ensure nis client is not installed",
      "rational": "The NIS service is inherently an insecure system that has been vulnerable to DOS \nattacks, buffer overflows and has poor authentication for querying NIS maps. NIS \ngenerally has been replaced by such protocols as Lightweight Directory Access \nProtocol (LDAP). It is recommended that the service be removed.",
      "remediation": "Run the following command to remove the ypbind package: \n# zypper remove ypbind",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "ypbind",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "be4ccdc1125698fcd8e408a26c7a9084",
      "name": "2.2.4 — Ensure telnet client is not installed",
      "description": "Ensure telnet client is not installed",
      "rational": "The telnet protocol is insecure and unencrypted. The use of an unencrypted \ntransmission medium could allow an unauthorized user to steal credentials. The ssh \npackage provides an encrypted session and stronger security and is included in most \nLinux distributions.",
      "remediation": "Run the following command to remove the telnet package: \n# zypper remove telnet",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "telnet",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "1f979e59baf2e789da4ed026ba7d22cf",
      "name": "2.2.5 — Ensure tftp client is not installed",
      "description": "Ensure tftp client is not installed",
      "rational": "TFTP does not have built-in encryption, access control or authentication. This makes it \nvery easy for an attacker to exploit TFTP to gain access to files.",
      "remediation": "Run the following command to remove tftp: \n# zypper remove tftp",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "tftp",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "a94890131c9fda04a1407932c885b7d0",
      "name": "2.3.1.1 — Ensure chrony is configured",
      "description": "Ensure chrony is configured",
      "rational": "If chrony is in use on the system, proper configuration is vital to ensuring time \nsynchronization is working properly. \nNote: This recommendation only applies if chrony is in use on the system. If another \nmethod of time synchronization is in use on the system, this recommendation can be \nskipped.",
      "remediation": "Add or edit server or pool lines to /etc/chrony.conf as appropriate: \nserver <remote-server> \nAdd or edit the OPTIONS in /etc/sysconfig/chronyd to include '-u chrony': \nOPTIONS=\"-u chrony\" \nRun the following command to reload the chrony config: \n# systemctl reload-or-restart chronyd",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/chrony.conf",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "^(server|pool)"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "6f1d9258e82ab055f546befde9b9662f",
      "name": "2.3.1.2 — Ensure chrony is enabled and running",
      "description": "Ensure chrony is enabled and running",
      "rational": "chrony needs to be enabled and running in order to synchronize the system to a \ntimeserver. \nTime synchronization is important to support time sensitive security mechanisms and to \nensure log files have consistent time records across the enterprise to aid in forensic \ninvestigations. \nNote: \n• If systemd-timesyncd is being used, chrony should be removed and this \nsection skipped \n• Only one...",
      "remediation": "- IF - chrony is in use on the system, run the following commands: \nRun the following command to unmask chronyd.service: \n# systemctl unmask chronyd.service \nRun the following command to enable and start chronyd.service: \n# systemctl --now enable chronyd.service \n- OR - \nIf another time synchronization service is in use on the system, run the following \ncommand to remove chrony: \n# zypper remove chrony",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "SERVICE",
          "input": "chronyd",
          "selement": "ENABLED",
          "condition": null,
          "sinput": null
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "376a0d204dd387f933bc839f63567565",
      "name": "2.4.1.1 — Ensure cron daemon is enabled and active",
      "description": "Ensure cron daemon is enabled and active",
      "rational": "While there may not be user jobs that need to be run on the system, the system does \nhave maintenance jobs that may include security monitoring that have to run, and cron \nis used to execute them.",
      "remediation": "- IF - cron is installed on the system: \nRun the following commands to unmask, enable, and start cron: \n# systemctl unmask \"$(systemctl list-unit-files | awk '$1~/^crond?\\.service/{print $1}')\" \n# systemctl --now enable \"$(systemctl list-unit-files | awk '$1~/^crond?\\.service/{print $1}')\"",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "systemctl list-unit-files | awk '$1~/^crond?\\.service/{print $2}'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "bcece12c9eca8045dbf1ef7fbd484923",
      "name": "2.4.1.2 — Ensure access to /etc/crontab is configured",
      "description": "Ensure access to /etc/crontab is configured",
      "rational": "This file contains information on what system jobs are run by cron. Write access to \nthese files could provide unprivileged users with the ability to elevate their privileges. \nRead access to these files could provide users with the ability to gain insight on system \njobs that run on the system and could provide them a way to gain unauthorized \nprivileged access.",
      "remediation": "- IF - cron is installed on the system: \nRun the following commands to set ownership and permissions on /etc/crontab: \n# chown root:root /etc/crontab \n# chmod og-rwx /etc/crontab",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%a/%A) Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/crontab",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "3318a7f262c7b83fc5a4c659022c5e2b",
      "name": "2.4.1.4 — Ensure access to /etc/cron.daily is configured",
      "description": "Ensure access to /etc/cron.daily is configured",
      "rational": "Granting write access to this directory for non-privileged users could provide them the \nmeans for gaining unauthorized elevated privileges. Granting read access to this \ndirectory could give an unprivileged user insight in how to gain elevated privileges or \ncircumvent auditing controls.",
      "remediation": "- IF - cron is installed on the system: \nRun the following commands to set ownership and permissions on the \n/etc/cron.daily directory: \n# chown root:root /etc/cron.daily/ \n# chmod og-rwx /etc/cron.daily/",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%a/%A) Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/cron.daily/",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "39ce39502c9fb563b82d6622b4e783e5",
      "name": "2.4.1.8 — Ensure access to /etc/cron.d is configured",
      "description": "Ensure access to /etc/cron.d is configured",
      "rational": "Granting write access to this directory for non-privileged users could provide them the \nmeans for gaining unauthorized elevated privileges. Granting read access to this \ndirectory could give an unprivileged user insight in how to gain elevated privileges or \ncircumvent auditing controls.",
      "remediation": "- IF - cron is installed on the system: \nRun the following commands to set ownership and permissions on the /etc/cron.d \ndirectory: \n# chown root:root /etc/cron.d/ \n# chmod og-rwx /etc/cron.d/",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%a/%A) Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/cron.d/",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "64d38d5a35fdbcb86213a5abcc85bc1c",
      "name": "2.4.1.9 — Ensure access to crontab is configured",
      "description": "Ensure access to crontab is configured",
      "rational": "On many systems, only the system administrator is authorized to schedule cron jobs. \nUsing the cron.allow file to control who can run cron jobs enforces this policy. It is \neasier to manage an allow list than a deny list. In a deny list, you could potentially add a \nuser ID to the system and forget to add it to the deny files.",
      "remediation": "- IF - cron is installed on the system: \nRun the following script to: \n\n•  Create /etc/cron.allow if it doesn't exist \n•  Change owner to user root \n•  Change group owner to group root - OR - group crontab if it exists \n•  Change mode to 640 or more restrictive \n\n#!/usr/bin/env bash \n\n{ \n   [ ! -e \"/etc/cron.allow\" ] && touch /etc/cron.allow \n   chmod u-x,g-wx,o-rwx /etc/cron.allow \n   if grep -Pq -- '^\\h*crontab\\:' /etc/group; then \n      chown root:crontab /etc/cron.allow \n   else \n      ch...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%a/%A) Owner: (%U) Group: (%G)' /etc/cron.allow",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "864f950fe9dd854f4b88ca7ca5947fef",
      "name": "2.4.2.1 — Ensure access to at is configured",
      "description": "Ensure access to at is configured",
      "rational": "On many systems, only the system administrator is authorized to schedule at jobs. \nUsing the at.allow file to control who can run at jobs enforces this policy. It is easier \nto manage an allow list than a deny list. In a deny list, you could potentially add a user \nID to the system and forget to add it to the deny files.",
      "remediation": "- IF - at is installed on the system: \nRun the following script to: \n\n•  /etc/at.allow: \n\no  Create the file if it doesn't exist \no  Change owner to user root \no  If group daemon exists, change to group daemon, else change group to \nroot \no  Change mode to 640 or more restrictive \n\n•  - IF - /etc/at.deny exists: \n\no  Change owner to user root \no  If group daemon exists, change to group daemon, else change group to \nroot \no  Change mode to 640 or more restrictive \n\n#!/usr/bin/env bash \n\n{...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%a/%A) Owner: (%U) Group: (%G)' /etc/at.allow",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "e893542ff1974cfa296fbcd43a56882f",
      "name": "3.1.2 — Ensure wireless interfaces are not available",
      "description": "Ensure wireless interfaces are not available",
      "rational": "- IF - wireless is not to be used, wireless devices can be disabled to reduce the potential \nattack surface.",
      "remediation": "Run the following script to disable any wireless interfaces: \n#!/usr/bin/env bash \n\n{ \n   module_fix() \n   { \n      if ! modprobe -n -v \"$l_mname\" | grep -P -- '^\\h*install \\/bin\\/(true|false)'; then \n         echo -e \" - setting module: \\\"$l_mname\\\" to be un-loadable\" \n         echo -e \"install $l_mname /bin/false\" >> /etc/modprobe.d/\"$l_mname\".conf \n      fi \n      if lsmod | grep \"$l_mname\" > /dev/null 2>&1; then \n         echo -e \" - unloading module \\\"$l_mname\\\"\" \n         modprobe -r...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "2aace0cfb5482f496b247f476a44d342",
      "name": "3.1.3 — Ensure bluetooth services are not in use",
      "description": "Ensure bluetooth services are not in use",
      "rational": "An attacker may be able to find a way to access or corrupt your data. One example of \nthis type of activity is bluesnarfing, which refers to attackers using a Bluetooth \nconnection to steal information off of your Bluetooth device. Also, viruses or other \nmalicious code can take advantage of Bluetooth technology to infect other devices. If \nyou are infected, your data may be corrupted, compromi...",
      "remediation": "Run the following commands to stop bluetooth.service, and remove the bluez \npackage: \n# systemctl stop bluetooth.service \n# zypper remove bluez \n- OR - \n- IF - the bluez package is required as a dependency: \nRun the following commands to stop and mask bluetooth.service: \n# systemctl stop bluetooth.service \n# systemctl mask bluetooth.service \nNote: A reboot may be required",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "bluez",
          "selement": "NOT EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "6ba00772ecefb7470befeb072ea51e70",
      "name": "3.2.1 — Ensure atm kernel module is not available",
      "description": "Ensure atm kernel module is not available",
      "rational": "Removing support for unneeded protocols reduces the local attack surface of the \nsystem. If this protocol is not needed, disable it.",
      "remediation": "Unload and disable the atm kernel module. \n\n1.  Run the following commands to unload the atm kernel module: \n\n# modprobe -r atm 2>/dev/null \n# rmmod atm 2>/dev/null \n\n2.  Perform the following to disable the atm kernel module: \n\nCreate a file ending in .conf with install atm /bin/false in the /etc/modprobe.d/ \ndirectory \nExample: \n# printf '\\n%s\\n' \"install atm /bin/false\" >> /etc/modprobe.d/60-atm.conf \nCreate a file ending in .conf with blacklist atm in the /etc/modprobe.d/ directory \nExamp...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^atm ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "8e88e15b304a7654414c486c17fc43b1",
      "name": "3.2.2 — Ensure can kernel module is not available",
      "description": "Ensure can kernel module is not available",
      "rational": "Removing support for unneeded protocols reduces the local attack surface of the \nsystem. If this protocol is not needed, disable it.",
      "remediation": "Unload and disable the can kernel module. \n\n1.  Run the following commands to unload the can kernel module: \n\n# modprobe -r can 2>/dev/null \n# rmmod can 2>/dev/null \n\n2.  Perform the following to disable the can kernel module: \n\nCreate a file ending in .conf with install can /bin/false in the /etc/modprobe.d/ \ndirectory \nExample: \n# printf '\\n%s\\n' \"install can /bin/false\" >> /etc/modprobe.d/60-can.conf \nCreate a file ending in .conf with blacklist can in the /etc/modprobe.d/ directory \nExamp...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^can ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "f0bd7975cdc32c6d62b824464fa638ec",
      "name": "3.2.3 — Ensure dccp kernel module is not available",
      "description": "Ensure dccp kernel module is not available",
      "rational": "Removing support for unneeded protocols reduces the local attack surface of the \nsystem. If this protocol is not needed, disable it.",
      "remediation": "Unload and disable the dccp kernel module. \n\n1.  Run the following commands to unload the dccp kernel module: \n\n# modprobe -r dccp 2>/dev/null \n# rmmod dccp 2>/dev/null \n\n2.  Perform the following to disable the dccp kernel module: \n\nCreate a file ending in .conf with install dccp /bin/false in the \n/etc/modprobe.d/ directory \nExample: \n# printf '\\n%s\\n' \"install dccp /bin/false\" >> /etc/modprobe.d/60-dccp.conf \nCreate a file ending in .conf with blacklist dccp in the /etc/modprobe.d/ directo...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^dccp ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "6bec6891d220d85aaf6118b869692e43",
      "name": "3.2.4 — Ensure tipc kernel module is not available",
      "description": "Ensure tipc kernel module is not available",
      "rational": "Removing support for unneeded protocols reduces the local attack surface of the \nsystem. If this protocol is not needed, disable it.",
      "remediation": "Unload and disable the tipc kernel module. \n\n1.  Run the following commands to unload the tipc kernel module: \n\n# modprobe -r tipc 2>/dev/null \n# rmmod tipc 2>/dev/null \n\n2.  Perform the following to disable the tipc kernel module: \n\nCreate a file ending in .conf with install tipc /bin/false in the \n/etc/modprobe.d/ directory \nExample: \n# printf '\\n%s\\n' \"install tipc /bin/false\" >> /etc/modprobe.d/60-tipc.conf \nCreate a file ending in .conf with blacklist tipc in the /etc/modprobe.d/ directo...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^tipc ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "6bce44e44eb29f3b245f81b51bd2e78a",
      "name": "3.2.5 — Ensure rds kernel module is not available",
      "description": "Ensure rds kernel module is not available",
      "rational": "Removing support for unneeded protocols reduces the local attack surface of the \nsystem. If this protocol is not needed, disable it.",
      "remediation": "Unload and disable the rds kernel module. \n\n1.  Run the following commands to unload the rds kernel module: \n\n# modprobe -r rds 2>/dev/null \n# rmmod rds 2>/dev/null \n\n2.  Perform the following to disable the rds kernel module: \n\nCreate a file ending in .conf with install rds /bin/false in the /etc/modprobe.d/ \ndirectory \nExample: \n# printf '\\n%s\\n' \"install rds /bin/false\" >> /etc/modprobe.d/60-rds.conf \nCreate a file ending in .conf with blacklist rds in the /etc/modprobe.d/ directory \nExamp...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^rds ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "cfc245d718d725480a53eb56aaf4136c",
      "name": "3.2.6 — Ensure sctp kernel module is not available",
      "description": "Ensure sctp kernel module is not available",
      "rational": "Removing support for unneeded protocols reduces the local attack surface of the \nsystem. If this protocol is not needed, disable it.",
      "remediation": "Unload and disable the sctp kernel module. \n\n1.  Run the following commands to unload the sctp kernel module: \n\n# modprobe -r sctp 2>/dev/null \n# rmmod sctp 2>/dev/null \n\n2.  Perform the following to disable the sctp kernel module: \n\nCreate a file ending in .conf with install sctp /bin/false in the \n/etc/modprobe.d/ directory \nExample: \n# printf '\\n%s\\n' \"install sctp /bin/false\" >> /etc/modprobe.d/60-sctp.conf \nCreate a file ending in .conf with blacklist sctp in the /etc/modprobe.d/ directo...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "lsmod | grep -c '^sctp ' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "67eb99dd17974440d1b6db0743a46b99",
      "name": "3.3.1.1 — Ensure net.ipv4.ip_forward is configured",
      "description": "Ensure net.ipv4.ip_forward is configured",
      "rational": "Routing protocol daemons are typically used on routers to exchange network topology \ninformation with other routers. If this software is used when not required, system \nnetwork information may be unnecessarily transmitted across the network. \nSetting net.ipv4.ip_forward to 0 ensures that a system with multiple interfaces (for \nexample, a hard proxy), will not be able to forward IPv4 packets.",
      "remediation": "1.  Review all files being used by systemd-sysctl and comment out or remove all \n\nnet.ipv4.ip_forward lines that are not net.ipv4.ip_forward=0. \n\nExample script: \n#!/usr/bin/env bash \n\n{ \n   l_option=\"net.ipv4.ip_forward\" l_value=\"0\" \n   l_grep=\"${l_option//./(\\\\.|\\\\/)}\" a_files=() \n   l_systemdsysctl=\"$(readlink -e /lib/systemd/systemd-sysctl \\ \n   || readlink -e /usr/lib/systemd/systemd-sysctl)\" \n   l_ufw_file=\"$([ -f /etc/default/ufw ] && \\ \n   awk -F= '/^\\s*IPT_SYSCTL=/ {print $2}' /etc/d...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sysctl -n net.ipv4.ip_forward",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "2bbf71366fdb9a8b1def4f9bd9a112e7",
      "name": "4.1.1 — Ensure firewalld is installed",
      "description": "Ensure firewalld is installed",
      "rational": "firewalld is a dynamic, user-friendly firewall manager that can protect against threats \noriginating from within a corporate network, including malicious mobile code and poorly \nconfigured software on a host.",
      "remediation": "Run the following command to install firewalld \n# zypper install firewalld",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "firewalld",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "4c0290a38f8d0c192b142bf4feb1220a",
      "name": "4.1.2 — Ensure firewalld backend is configured",
      "description": "Ensure firewalld backend is configured",
      "rational": "IPTables are deprecated.",
      "remediation": "Edit the file /etc/firewalld/firewalld.conf and add or modify the following line: \nFirewallBackend=nftables",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Psi -- 'FirewallBackend\\h*=\\h*nftables\\b'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "9cf0903d56129e84de5d9043e1b0bbae",
      "name": "4.1.3 — Ensure firewalld.service is configured",
      "description": "Ensure firewalld.service is configured",
      "rational": "firewalld.service must be active to enforce rules configured through FirewallD. \nfirewalld.service must be enabled to start automatically after a system reboot.",
      "remediation": "Run the following commands to unmask, enable, and start firewalld.service: \n# systemctl unmask firewalld.service \n# systemctl --now enable firewalld.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "SERVICE",
          "input": "firewalld",
          "selement": "ENABLED",
          "condition": null,
          "sinput": null
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "cc319c9adcab35d7a2bcc0691513d604",
      "name": "5.1.4 — Ensure sshd access is configured",
      "description": "Ensure sshd access is configured",
      "rational": "Restricting which users can remotely access the system via SSH will help ensure that \nonly authorized users access the system.",
      "remediation": "Create or edit a *.conf file in the /etc/ssh/sshd_config.d/ directory to set one or \nmore of the parameters above any Include and Match set statements as follows: \nAllowUsers <userlist> \n - AND/OR - \nAllowGroups <grouplist> \n\nNote: It is easier to manage an allow list than a deny list. In a deny list, \nyou could potentially add a user or group and forget to add it to the deny \nlist.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep -Pi -- '^\\h*(allow|deny)(users|groups)\\h+\\H+'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "8b1f205f342dd2922e187cdeeadb589f",
      "name": "5.1.5 — Ensure sshd Banner is configured",
      "description": "Ensure sshd Banner is configured",
      "rational": "Banners are used to warn connecting users of the particular site's policy regarding \nconnection. Presenting a warning message prior to the normal user login may assist the \nprosecution of trespassers on the computer system. \nNot having a properly configured SSH banner, or leaving it at the default value, can \nexpose an organization to legal and compliance risks by failing to provide users with...",
      "remediation": "Create or edit a *.conf file in the /etc/ssh/sshd_config.d/ directory to set the \nBanner parameter above any Include and Match entries as follows: \nBanner /etc/issue.net",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep -Pi -- '^banner\\h+\\/\\H+'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "e2d3a066efd6a9d2aaf0c2c330134539",
      "name": "5.1.6 — Ensure sshd Ciphers are configured",
      "description": "Ensure sshd Ciphers are configured",
      "rational": "Weak ciphers that are used for authentication to the cryptographic module cannot be \nrelied upon to provide confidentiality or integrity, and system data may be compromised.",
      "remediation": "- IF - CVE-2023-48795 has been addressed, and it meets local site policy, \nchacha20-poly1305 may be removed from the list of excluded ciphers. \n\nCreate or edit a file in /etc/crypto-policies/policies/modules/ ending in .pmod \nand add or modify the following line: \ncipher@SSH = -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305 \nExample: \n# printf '%s\\n' \"# This is a subpolicy to disable weak ciphers\" \"# for the \nSSH protocol (libssh and OpenSSH)\" \"cipher@SSH = -3DES-CBC...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep -Pi --",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "7cf3e256edc51d4fc57903b506eaa3b8",
      "name": "5.1.9 — Ensure sshd GSSAPIAuthentication is disabled",
      "description": "Ensure sshd GSSAPIAuthentication is disabled",
      "rational": "Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote \nhosts, and should be disabled to reduce the attack surface of the system.",
      "remediation": "Create or edit a *.conf file in the /etc/ssh/sshd_config.d/ directory to set the \nGSSAPIAuthentication parameter to no above any Include and Match entries as \nfollows: \nGSSAPIAuthentication no",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep gssapiauthentication",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "5e8239edbb1b3dba90b3f2572a5fbfa5",
      "name": "5.1.11 — Ensure sshd IgnoreRhosts is enabled",
      "description": "Ensure sshd IgnoreRhosts is enabled",
      "rational": "Setting this parameter forces users to enter a password when authenticating with SSH.",
      "remediation": "Create or edit a *.conf file in the /etc/ssh/sshd_config.d/ directory to set the \nIgnoreRhosts parameter to yes above any Include entry as follows: \nIgnoreRhosts yes",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep ignorerhosts",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "2cfa460722dbd4589fbfa2bf6c3e6c7b",
      "name": "5.1.12 — Ensure sshd KexAlgorithms is configured",
      "description": "Ensure sshd KexAlgorithms is configured",
      "rational": "Key exchange methods that are considered weak should be removed. A key exchange \nmethod may be weak because too few bits are used, or the hashing algorithm is \nconsidered too weak. Using weak algorithms could expose connections to man-in-the-middle attacks.",
      "remediation": "Create or edit a *.conf file in the /etc/ssh/sshd_config.d/ directory and add/modify \nthe KexAlgorithms line to contain a comma separated list of the site unapproved \n(weak) KexAlgorithms preceded with a - above any Include entries: \nExample: \nKexAlgorithms -diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 \n\nNote: First occurrence of an option takes precedence. If Include locations \nare enabled, used, and order of precedence is understood in your \nenv...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep -Pi -- 'kexalgorithms\\h+([^#\\n\\r]+,)?(diffie-hellman-group1-",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "c89bbb28966f8f03369da0078480d938",
      "name": "5.1.13 — Ensure sshd LoginGraceTime is configured",
      "description": "Ensure sshd LoginGraceTime is configured",
      "rational": "Setting the LoginGraceTime parameter to a low number will minimize the risk of \nsuccessful brute force attacks to the SSH server. It will also limit the number of \nconcurrent unauthenticated connections. While the recommended setting is 60 seconds \n(1 minute), set the number based on site policy.",
      "remediation": "Create or edit a *.conf file in the /etc/ssh/sshd_config.d/ directory to set the \nLoginGraceTime parameter to 60 seconds or less above any Include entry as follows: \nLoginGraceTime 60",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep logingracetime",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "fd82583128e9b400c60b68bd18cbcb99",
      "name": "5.1.14 — Ensure sshd LogLevel is configured",
      "description": "Ensure sshd LogLevel is configured",
      "rational": "The INFO level is the basic level that only records login activity of SSH users. In many \nsituations, such as Incident Response, it is important to determine when a particular \nuser was active on a system. The logout record can eliminate those users who \ndisconnected, which helps narrow the field. \nThe VERBOSE level specifies that login and logout activity as well as the key fingerprint \nfor an...",
      "remediation": "Create or edit a *.conf file in the /etc/ssh/sshd_config.d/ directory to set the \nLogLevel parameter to VERBOSE or INFO above any Include and Match entries as \nfollows: \nLogLevel VERBOSE \n   - OR - \nLogLevel INFO",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep loglevel",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "c8f9a06c3a157bce590d4161819dff8a",
      "name": "5.1.15 — Ensure sshd MACs are configured",
      "description": "Ensure sshd MACs are configured",
      "rational": "MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase \nexploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal \nof attention as a weak spot that can be exploited with expanded computing power. An \nattacker that breaks the algorithm could take advantage of a MiTM position to decrypt \nthe SSH tunnel and capture credentials and information.",
      "remediation": "Create or edit a *.conf file in the /etc/ssh/sshd_config.d/ directory and add/modify \nthe MACs line to contain a comma separated list of the site unapproved (weak) MACs \npreceded with a - above any Include entries: \nExample: \nMACs -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com \n- IF - CVE-2023-48795 has not...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep -Pi -- 'macs\\h+([^#\\n\\r]+,)?(hmac-md5|hmac-md5-96|hmac-",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "d016ba9f14648e649aebf8732869d404",
      "name": "5.1.16 — Ensure sshd MaxAuthTries is configured",
      "description": "Ensure sshd MaxAuthTries is configured",
      "rational": "Setting the MaxAuthTries parameter to a low number will minimize the risk of \nsuccessful brute force attacks to the SSH server. While the recommended setting is 4, \nset the number based on site policy.",
      "remediation": "Create or edit a *.conf file in the /etc/ssh/sshd_config.d/ directory to set the \nMaxAuthTries parameter to 4 or less above any Include and Match entries as follows: \nMaxAuthTries 4",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep maxauthtries",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "0911e73f58aa4e0b315a46ddce6af69c",
      "name": "5.1.17 — Ensure sshd MaxStartups is configured",
      "description": "Ensure sshd MaxStartups is configured",
      "rational": "To protect a system from denial of service due to a large number of pending \nauthentication connection attempts, use the rate limiting function of MaxStartups to \nprotect availability of sshd logins and prevent overwhelming the daemon.",
      "remediation": "Create or edit a *.conf file in the /etc/ssh/sshd_config.d/ directory to set the \nMaxStartups parameter to 10:30:60 or more restrictive above any Include entries as \nfollows: \nMaxStartups 10:30:60",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | awk '$1 ~ /^\\s*maxstartups/{split($2, a, \":\");{if(a[1] > 10 ||",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "bee264257544416d0b9c64fb626b70c1",
      "name": "5.1.18 — Ensure sshd MaxSessions is configured",
      "description": "Ensure sshd MaxSessions is configured",
      "rational": "To protect a system from denial of service due to a large number of concurrent \nsessions, use the rate limiting function of MaxSessions to protect availability of sshd \nlogins and prevent overwhelming the daemon.",
      "remediation": "Create or edit a *.conf file in the /etc/ssh/sshd_config.d/ directory to set the \nMaxSessions parameter to 10 or less above any Include and Match entries as follows: \nMaxSessions 10",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep maxsessions",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "c4de21c5cc00fa10433a7f16a3185739",
      "name": "5.1.20 — Ensure sshd PermitRootLogin is disabled",
      "description": "Ensure sshd PermitRootLogin is disabled",
      "rational": "Disallowing root logins over SSH requires system admins to authenticate using their \nown individual account, then escalating to root. This supports non-repudiation and provides a clear audit trail in the event of a security incident.",
      "remediation": "Create or edit a *.conf file in the /etc/ssh/sshd_config.d/ directory to set the \nPermitRootLogin parameter to no above any Include and Match entries as follows: \nPermitRootLogin no",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep permitrootlogin",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "09622f0b138120a6ebb95b16fa843d71",
      "name": "5.1.22 — Ensure sshd UsePAM is enabled",
      "description": "Ensure sshd UsePAM is enabled",
      "rational": "When UsePAM is set to yes, PAM runs through account and session types properly. This \nis important if you want to restrict access to services based on IP, time or other \nfactors of the account. Additionally, you can make sure users inherit certain \nenvironment variables on login or disallow access to the server.",
      "remediation": "Create or edit a *.conf file in the /etc/ssh/sshd_config.d/ directory to set the \nUsePAM parameter to yes above any Include entries as follows: \nUsePAM yes",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "sshd -T | grep usepam",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "f5715ccc5b55261c01a764627450543c",
      "name": "5.2.1 — Ensure sudo is installed",
      "description": "Ensure sudo is installed",
      "rational": "sudo supports a plug-in architecture for security policies and input/output logging. Third \nparties can develop and distribute their own policy and I/O logging plug-ins to work \nseamlessly with the sudo front end. The default security policy is sudoers, which is \nconfigured via the file /usr/etc/sudoers and any entries in /etc/sudoers.d. \nThe security policy determines what privileges, if any,...",
      "remediation": "Run the following command to install sudo: \n# zypper install sudo",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "sudo",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "8ec6aa5af6831f7ba0ed9e836f5442dc",
      "name": "5.2.2 — Ensure sudo commands use pty",
      "description": "Ensure sudo commands use pty",
      "rational": "Attackers can run a malicious program using sudo which would fork a background \nprocess that remains even when the main program has finished executing.",
      "remediation": "Edit the file /etc/sudoers with visudo or a file in /etc/sudoers.d/ with visudo -f \n<PATH TO FILE> and add the following line: \nDefaults use_pty \nEdit the file /etc/sudoers with visudo and any files in /etc/sudoers.d/ with visudo \n-f <PATH TO FILE> and remove any occurrence of !use_pty",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -rPi -- '^\\h*Defaults\\h+([^#\\n\\r]+,\\h*)?use_pty\\b' /etc/sudoers*",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "e0a0ef85c83969139cf11bbed6027f75",
      "name": "5.2.3 — Ensure sudo log file exists",
      "description": "Ensure sudo log file exists",
      "rational": "Defining a dedicated log file for sudo simplifies auditing of sudo commands and creation \nof auditd rules for sudo.",
      "remediation": "Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo -f <PATH TO \nFILE> and add the following line: \nDefaults  logfile=\"<PATH TO CUSTOM LOG FILE>\" \nExample: \nDefaults logfile=\"/var/log/sudo.log\"",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -rPsi",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "54a7f3fcbc74cfcedab6b87c03d293b8",
      "name": "5.2.6 — Ensure sudo timestamp_timeout is configured",
      "description": "Ensure sudo timestamp_timeout is configured",
      "rational": "A timeout value reduces the window of opportunity for unauthorized privileged sudo \naccess.",
      "remediation": "Create or modify the administrator customization file in the /etc/sudoers.d/ directory \nusing visudo -f <PATH TO FILE> and modify the entry timestamp_timeout= to 15 \nminutes or less as per your site policy: \nExample \nDefaults timestamp_timeout=5 \nNote: \n\n•  The timestamp_timeout value is in minutes. \n•  If the timestamp_timeout is set to zero, you are prompted for the root password \nfor every execution of a sudo command.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -roP \"timestamp_timeout=\\K[0-9]*\" /etc/sudoers* /usr/etc/sudoers*",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "d9dd73e0a2deabe9b6251c6a9d492772",
      "name": "5.2.7 — Ensure access to the su command is restricted",
      "description": "Ensure access to the su command is restricted",
      "rational": "Restricting the use of su, and using sudo in its place, provides system administrators \nbetter control of the escalation of user privileges to execute privileged commands. The \nsudo utility also provides a better logging and audit mechanism, as it can log each \ncommand executed via sudo, whereas su can only record that a user executed the su \nprogram.",
      "remediation": "Create an empty group that will be specified for use of the su command. The group \nshould be named according to site policy. \nExample: \n# groupadd sugroup \nEdit the custom /etc/pam.d/su configuration file specifying the empty group: \nauth required pam_wheel.so use_uid group=sugroup \nNote: If the administrator customization configuration file /etc/pam.d/su does not \nexist, then copy the vendor default /usr/lib/pam.d/su file to an administrator \ncustomization configuration file /etc/pam.d/su",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/group",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "<group_name>"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "b7310746456e65f9e87dcaec764b10b0",
      "name": "5.3.1.1 — Ensure latest version of pam is installed",
      "description": "Ensure latest version of pam is installed",
      "rational": "To ensure the system has full functionality and access to the options covered by this \nBenchmark the latest version of pam should be installed.",
      "remediation": "Run the following command to update to the latest version of PAM: \n# zypper update pam",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "pam",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "c084d675218ded49593421894383752d",
      "name": "5.3.2.1.2 — Ensure password unlock time is configured",
      "description": "Ensure password unlock time is configured",
      "rational": "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute \nforce password attacks against your systems.",
      "remediation": "Create or edit the administrator customization file /etc/security/faillock.conf and \nupdate or add the following line: \nunlock_time = 900 \nunlock_time should be 0 (never), or 900 seconds or greater and follows local site \npolicy. \nExample \n# printf '%s\\n' \"\" \"unlock_time = 900\" >> /etc/security/faillock.conf",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Psi -- 'unlock_time\\h*=\\h*(0|9[0-9][0-9]|[1-9][0-9]{3,})\\b'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "e884bdf5a29cfb8202e220098b692db4",
      "name": "5.3.2.2.3 — Ensure password length is configured",
      "description": "Ensure password length is configured",
      "rational": "Strong passwords protect systems from being hacked through brute force methods.",
      "remediation": "Create or modify a file ending in .conf in the /etc/security/pwquality.conf.d/ \ndirectory and add or modify the following line to set password length of 14 or more \ncharacters. Ensure that password length conforms to local site policy: \nminlen=14 \nExample: \n#!/usr/bin/env bash \n\n{ \n   sed -ri 's/^\\s*minlen\\s*=/# &/' /etc/security/pwquality.conf 2>/dev/null \n   [ ! -d /etc/security/pwquality.conf.d/ ] && mkdir \n/etc/security/pwquality.conf.d/ \n   printf '\\n%s' \"minlen = 14\" > /etc/security/pwq...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Psi -- '^\\h*minlen\\h*=\\h*(1[4-9]|[2-9][0-9]|[1-9][0-9]{2,})\\b'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "98cc8b31fc937af37e50998e6d4cd681",
      "name": "5.3.2.2.4 — Ensure password complexity is configured",
      "description": "Ensure password complexity is configured",
      "rational": "Strong passwords protect systems from being hacked through brute force methods.",
      "remediation": "Note: CIS password complexity requirements may differ from other frameworks \nor policies, adherence to site-specific policy is imperative. \nCreate or modify a file ending in .conf in the /etc/security/pwquality.conf.d/ \ndirectory and add or modify the following line to set \n\n•  minclass = 4 \n\n--AND/OR-- \n\n•  dcredit = -_N_ \n•  ucredit = -_N_ \n•  ocredit = -_N_ \n•  lcredit = -_N_ \n\nExample 1 - Set minclass = 4: \n#!/usr/bin/env bash \n\n{ \n   sed -ri 's/^\\s*minclass\\s*=/# &/' /etc/security/pwqual...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Psi -- '^\\h*(minclass|[dulo]credit)\\b'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "93853ff249f7f34e4b74082737bc1ed2",
      "name": "5.3.2.4.1 — Ensure pam_unix does not include nullok",
      "description": "Ensure pam_unix does not include nullok",
      "rational": "Using a strong password is essential to helping protect personal and sensitive \ninformation from unauthorized access.",
      "remediation": "Run the following command to delete the nullok argument from the pam_unix.so \nmodule: \n# pam-config -d --unix-nullok",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "pam-config --query --unix --unix-nullok",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "a4e8f9dd7e4edcb89b8a1c5d9dddff22",
      "name": "5.3.2.4.4 — Ensure pam_unix includes use_authtok",
      "description": "Ensure pam_unix includes use_authtok",
      "rational": "use_authtok allows multiple pam modules to confirm a new password before it is \naccepted.",
      "remediation": "Edit or create the line use_authtok on the password stack's pam_unix.so module \nlines: \nExample /etc/pam.d/common-password file: \npassword     required        pam_unix.so     use_authtok shadow sha512",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -P --",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "619844d1313b8cacab3743d1cdf14d6a",
      "name": "5.4.1.1 — Ensure password expiration is configured",
      "description": "Ensure password expiration is configured",
      "rational": "The window of opportunity for an attacker to leverage compromised credentials or \nsuccessfully compromise credentials via an online brute force attack is limited by the \nage of the password. Therefore, reducing the maximum age of a password also reduces \nan attacker's window of opportunity. \nWe recommend a yearly password change. This is primarily because for all their good \nintentions users wi...",
      "remediation": "Create or modify the administrator customization file /etc/login.defs setting \nPASS_MAX_DAYS to a value greater than 0 that follows local site policy: \nExample: \nPASS_MAX_DAYS 365 \nRun the following command to modify user parameters for all users with a password set \nto a maximum age no greater than 365 or less than 1 that follows local site policy: \n# chage --maxdays <N> <user> \nExample: \n# awk -F: '($2~/^\\$.+\\$/) {if($5 > 365 || $5 < 1)system (\"chage --maxdays 365 \n\" $1)}' /etc/shadow \nWarn...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Psi -- '^\\h*PASS_MAX_DAYS\\h+(36[0-5]|3[0-5][0-9]|[1-2][0-9][0-9]|[1-",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "204effa69b1eef8f5ffef69c0ea1d6e3",
      "name": "5.4.1.5 — Ensure inactive password lock is configured",
      "description": "Ensure inactive password lock is configured",
      "rational": "Inactive accounts pose a threat to system security since the users are not logging in to \nnotice failed login attempts or other anomalies.",
      "remediation": "Run the following command to set the default password inactivity period to 45 days or \nless that meets local site policy: \n# useradd -D -f <N> \nExample: \n# useradd -D -f 45 \nRun the following command to modify user parameters for all users with a password set \nto an inactive age of 45 days or less that follows local site policy: \n# chage --inactive <N> <user> \nExample: \n# awk -F: '($2~/^\\$.+\\$/) {if($7 > 45 || $7 < 0)system (\"chage --inactive 45 \n\" $1)}' /etc/shadow",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "useradd -D | grep INACTIVE",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "e84421551c2987ffca5f4764e56f0c3e",
      "name": "5.4.2.1 — Ensure root is the only UID 0 account",
      "description": "Ensure root is the only UID 0 account",
      "rational": "This access must be limited to only the default root account and only from the system \nconsole. Administrative access must be through an unprivileged account using an \napproved mechanism as noted in Item 5.2.7 Ensure access to the su command is \nrestricted.",
      "remediation": "Run the following command to change the root account UID to 0: \n# usermod -u 0 root \nModify any users other than root with UID 0 and assign them a new UID.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "awk -F: '($3 == 0) { print $1 }' /etc/passwd",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "f15e0abefb34e09950a35a3377d286e9",
      "name": "5.4.2.2 — Ensure root is the only GID 0 account",
      "description": "Ensure root is the only GID 0 account",
      "rational": "Using GID 0 for the root account helps prevent root-owned files from accidentally \nbecoming accessible to non-privileged users.",
      "remediation": "Run the following command to set the root user's GID to 0: \n# usermod -g 0 root \nRun the following command to set the root group's GID to 0: \n# groupmod -g 0 root \nRemove any users other than the root user with GID 0 or assign them a new GID if \nappropriate.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "awk -F: '($1 !~ /^(sync|shutdown|halt|operator)/ && $4==\"0\") {print",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "8ed8488828b075b1c0b45989a51ae1e3",
      "name": "5.4.2.3 — Ensure group root is the only GID 0 group",
      "description": "Ensure group root is the only GID 0 group",
      "rational": "Using GID 0 for the root group helps prevent root group owned files from accidentally \nbecoming accessible to non-privileged users.",
      "remediation": "Run the following command to set the root group's GID to 0: \n# groupmod -g 0 root \nRemove any groups other than the root group with GID 0 or assign them a new GID if \nappropriate.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "awk -F: '$3==\"0\"{print $1\":\"$3}' /etc/group",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "619877497600150f36ae70831b8a2d7a",
      "name": "5.4.2.4 — Ensure root account access is controlled",
      "description": "Ensure root account access is controlled",
      "rational": "Access to root should be secured at all times.",
      "remediation": "Run the following command to set a password for the root user: \n# passwd root \n- OR - \nRun the following command to lock the root user account: \n# usermod -L root",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "passwd -S root | awk '$2 ~ /^(P|L)/ {print \"User: \\\"\" $1 \"\\\" Password is",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "8a7397fcca98406ee26a2c7e87e2080a",
      "name": "5.4.2.5 — Ensure root path integrity",
      "description": "Ensure root path integrity",
      "rational": "Including the current working directory (.) or other writable directory in root's \nexecutable path makes it likely that an attacker can gain superuser access by forcing an \nadministrator operating as root to execute a Trojan horse program.",
      "remediation": "Correct or justify any: \n\n•  Locations that are not directories \n•  Empty directories (::) \n•  Trailing (:) \n•  Current working directory (.) \n•  Non-root-owned directories \n•  Directories that are less restrictive than mode 0755",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "e706be560894f921d9996bb6de28cfe3",
      "name": "5.4.2.6 — Ensure root user umask is configured",
      "description": "Ensure root user umask is configured",
      "rational": "Setting a secure value for umask ensures that users make a conscious choice about \ntheir file permissions. A permissive umask value could result in directories or files with \nexcessive permissions that can be read and/or written to by unauthorized users.",
      "remediation": "Edit /root/.bash_profile and /root/.bashrc and either: \n\n•  remove, comment out, or update any line with umask. \n\n- OR - \n\n•  update any line that includes umask to a value of 0027 or more restrictive. \n\nExample: \numask 027 \nNote: the Recommendation \"Ensure default user umask is configured\" includes \nguidance to set the default umask.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -Psi -- '^\\h*umask\\h+((\\d{1,2}(\\d[^7]|[^2-",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "65ec539499d9ad009a6b18b195fe8868",
      "name": "5.4.3.1 — Ensure nologin is not listed in /etc/shells",
      "description": "Ensure nologin is not listed in /etc/shells",
      "rational": "A user can use chsh to change their configured shell. \nIf a user has a shell configured that isn't in /etc/shells, then the system assumes \nthat they're somehow restricted. In the case of chsh it means that the user cannot \nchange that value. \nOther programs might query that list and apply similar restrictions. \nBy putting nologin in /etc/shells, any user that has nologin as its shell is \nco...",
      "remediation": "Edit /etc/shells and remove any lines that include nologin",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "FILE",
          "input": "/etc/shells",
          "selement": "CONTENT",
          "condition": "NOT CONTAINS",
          "sinput": "^\\h*([^#\\n\\r]+)?\\/nologin\\b"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "098e2149b3b5fb713c59b9b6224d6e81",
      "name": "6.1.1.1 — Ensure journald service is active",
      "description": "Ensure journald service is active",
      "rational": "If the systemd-journald service is not enabled to start on boot, the system will not \ncapture logging events.",
      "remediation": "Run the following commands to unmask and start systemd-journald.service \n# systemctl unmask systemd-journald.service \n# systemctl start systemd-journald.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "SERVICE",
          "input": "systemd-journald",
          "selement": "ENABLED",
          "condition": null,
          "sinput": null
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "03f174e53be6aef8c3540f2005503e75",
      "name": "6.1.1.3 — Ensure journald Compress is configured",
      "description": "Ensure journald Compress is configured",
      "rational": "Uncompressed large files may unexpectedly fill a filesystem leading to resource \nunavailability. Compressing logs prior to write can prevent sudden, unexpected \nfilesystem impacts. \nNote: This recommendation only applies if journald is the chosen method for \nclient side logging. Do not apply this recommendation if rsyslog is used.",
      "remediation": "Set the following parameter in the [Journal] section in \n/etc/systemd/journald.conf or a file in /etc/systemd/journald.conf.d/ ending \nin .conf: \nCompress=yes \nExample: \n#!/usr/bin/env bash \n\n{ \n   [ ! -d /etc/systemd/journald.conf.d/ ] && mkdir \n/etc/systemd/journald.conf.d/ \n   if grep -Psq -- '^\\h*\\[Journal\\]' /etc/systemd/journald.conf.d/60-\njournald.conf; then \n      printf '%s\\n' \"Compress=yes\" >> /etc/systemd/journald.conf.d/60-\njournald.conf \n   else \n      printf '%s\\n' \"[Journal]\" \"...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "systemd-analyze cat-config systemd/journald.conf systemd/journald.conf.d/*",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "aea54665ed14def81703edea463aee3c",
      "name": "6.1.1.4 — Ensure journald Storage is configured",
      "description": "Ensure journald Storage is configured",
      "rational": "Writing log data to disk will provide the ability to forensically reconstruct events which \nmay have impacted the operations or security of a system even after a system crash or \nreboot. \nNote: This recommendation only applies if journald is the chosen method for \nclient side logging. Do not apply this recommendation if rsyslog is used.",
      "remediation": "Set the following parameter in the [Journal] section in \n/etc/systemd/journald.conf or a file in /etc/systemd/journald.conf.d/ ending \nin .conf: \nStorage=persistent \nExample: \n#!/usr/bin/env bash \n\n{ \n   [ ! -d /etc/systemd/journald.conf.d/ ] && mkdir \n/etc/systemd/journald.conf.d/ \n   if grep -Psq -- '^\\h*\\[Journal\\]' /etc/systemd/journald.conf.d/60-\njournald.conf; then \n      printf '%s\\n' \"Storage=persistent\" >> /etc/systemd/journald.conf.d/60-\njournald.conf \n   else \n      printf '%s\\n' \"...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "systemd-analyze cat-config systemd/journald.conf systemd/journald.conf.d/*",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "fcfe36f8f0e1fb82ee8415e539698378",
      "name": "6.1.2.1 — Ensure rsyslog is installed",
      "description": "Ensure rsyslog is installed",
      "rational": "The security enhancements of rsyslog such as connection-oriented (i.e. TCP) \ntransmission of logs, the option to log to database formats, and the encryption of log \ndata en route to a central logging server justify installing and configuring the package.",
      "remediation": "Run the following command to install rsyslog: \n# zypper install rsyslog",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "rsyslog",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "3fb4b951004e71dc76a50304bc738437",
      "name": "6.1.2.2 — Ensure rsyslog service is enabled and active",
      "description": "Ensure rsyslog service is enabled and active",
      "rational": "If the rsyslog service is not enabled to start on boot, the system will not capture \nlogging events.",
      "remediation": "- IF - rsyslog is being used for logging on the system: \nRun the following commands to unmask, enable, and start rsyslog.service: \n# systemctl unmask rsyslog.service \n# systemctl enable rsyslog.service \n# systemctl start rsyslog.service",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "SERVICE",
          "input": "rsyslog",
          "selement": "ENABLED",
          "condition": null,
          "sinput": null
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "96c40d6e618ac59b97a0f04fb93b89bb",
      "name": "6.3.1 — Ensure AIDE is installed",
      "description": "Ensure AIDE is installed",
      "rational": "By monitoring the filesystem state compromised files can be detected to prevent or limit \nthe exposure of accidental or malicious misconfigurations or modified binaries.",
      "remediation": "Run the following command to install aide: \n# zypper install aide \nConfigure aide as appropriate for your environment. Consult the aide documentation \nfor options. \nInitialize aide: \nRun the following commands: \n# aide -i \n# mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PACKAGE",
          "input": "aide",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "e10788418ec3756d6dce370eea6fb346",
      "name": "6.3.2 — Ensure filesystem integrity is regularly checked",
      "description": "Ensure filesystem integrity is regularly checked",
      "rational": "Periodic file checking allows the system administrator to determine on a regular basis if \ncritical files have been changed in an unauthorized fashion.",
      "remediation": "- IF - cron will be used to schedule and run aide check \nRun the following command: \n# crontab -u root -e \nAdd the following line to the crontab: \n0 5 * * * /usr/bin/aide --check \n- OR - \n- IF - aidecheck.service and aidecheck.timer will be used to schedule and run aide \ncheck: \nCreate or edit the file /etc/systemd/system/aidecheck.service and add the \nfollowing lines: \n[Unit] \nDescription=Aide Check \n\n[Service] \nType=simple \nExecStart=/usr/bin/aide --check \n\n[Install] \nWantedBy=multi-user.ta...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "SERVICE",
          "input": "aidecheck",
          "selement": "ENABLED",
          "condition": null,
          "sinput": null
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "7aec342de5181af1cac9abe0b72d4aac",
      "name": "7.1.1 — Ensure access to /etc/passwd is configured",
      "description": "Ensure access to /etc/passwd is configured",
      "rational": "It is critical to ensure that the /etc/passwd file is protected from unauthorized write \naccess. Although it is protected by default, the file permissions could be changed either \ninadvertently or through malicious actions.",
      "remediation": "Run the following commands to remove excess permissions, set owner, and set group \non /etc/passwd: \n# chmod u-x,go-wx /etc/passwd \n# chown root:root /etc/passwd",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)'  /etc/passwd",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "4ed57cf04ea7401dc019cfd4c0a25c92",
      "name": "7.1.2 — Ensure access to /etc/passwd- is configured",
      "description": "Ensure access to /etc/passwd- is configured",
      "rational": "It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. \nAlthough it is protected by default, the file permissions could be changed either \ninadvertently or through malicious actions.",
      "remediation": "Run the following commands to remove excess permissions, set owner, and set group \non /etc/passwd-: \n# chmod u-x,go-wx /etc/passwd- \n# chown root:root /etc/passwd-",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/passwd-",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "0f9f9bdd76b040765316c222a53250f6",
      "name": "7.1.3 — Ensure access to /etc/group is configured",
      "description": "Ensure access to /etc/group is configured",
      "rational": "The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs.",
      "remediation": "Run the following commands to remove excess permissions, set owner, and set group \non /etc/group: \n# chmod u-x,go-wx /etc/group \n# chown root:root /etc/group",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/group",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "5ef3541b75789759bcbf870e9eb0ec52",
      "name": "7.1.4 — Ensure access to /etc/group- is configured",
      "description": "Ensure access to /etc/group- is configured",
      "rational": "It is critical to ensure that the /etc/group- file is protected from unauthorized access. \nAlthough it is protected by default, the file permissions could be changed either \ninadvertently or through malicious actions.",
      "remediation": "Run the following commands to remove excess permissions, set owner, and set group \non /etc/group-: \n# chmod u-x,go-wx /etc/group- \n# chown root:root /etc/group-",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)'  /etc/group-",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "95c1521c56fad8da5c46f8cff5b0bd27",
      "name": "7.1.5 — Ensure access to /etc/shadow is configured",
      "description": "Ensure access to /etc/shadow is configured",
      "rational": "If attackers can gain read access to the /etc/shadow file, they can easily run a \npassword cracking program against the hashed password to break it. Other security \ninformation that is stored in the /etc/shadow file (such as expiration) could also be \nuseful to subvert the user accounts.",
      "remediation": "Run one of the following commands to set ownership of /etc/shadow to root and \ngroup to either root or shadow: \n# chown root:shadow /etc/shadow \n  -OR- \n# chown root:root /etc/shadow \nRun the following command to remove excess permissions from /etc/shadow: \n# chmod u-x,g-wx,o-rwx /etc/shadow",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)'  /etc/shadow",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "6cb3882181f2e3a726d0d7a246fa8869",
      "name": "7.1.6 — Ensure access to /etc/shadow- is configured",
      "description": "Ensure access to /etc/shadow- is configured",
      "rational": "It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. \nAlthough it is protected by default, the file permissions could be changed either \ninadvertently or through malicious actions.",
      "remediation": "Run one of the following commands to set ownership of /etc/shadow- to root and \ngroup to either root or shadow: \n# chown root:shadow /etc/shadow- \n  -OR- \n# chown root:root /etc/shadow- \nRun the following command to remove excess permissions from /etc/shadow-: \n# chmod u-x,g-wx,o-rwx /etc/shadow-",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)'  /etc/shadow-",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "d68d204d3a3f5436453f8e9afef681bb",
      "name": "7.1.7 — Ensure access to /etc/gshadow is configured",
      "description": "Ensure access to /etc/gshadow is configured",
      "rational": "If attackers can gain read access to the /etc/gshadow file, they can easily run a \npassword cracking program against the hashed password to break it. Other security \ninformation that is stored in the /etc/gshadow file (such as group administrators) could \nalso be useful to subvert the group.",
      "remediation": "- IF - /etc/gshadow does not exist run the following command to create /etc/gshadow \nif needed: \n# touch /etc/gshadow \nNote: Review recommendation Ensure no passwords are stored in /etc/group \nRun one of the following commands to set ownership of /etc/gshadow to root and \ngroup to either root or shadow: \n# chown root:shadow /etc/gshadow \n  -OR- \n# chown root:root /etc/gshadow \nRun the following command to remove excess permissions from /etc/gshadow: \n# chmod u-x,g-wx,o-rwx /etc/gshadow \n\nInte...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)'  /etc/gshadow",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "bad65316ab13d5da1120decb00bd4a97",
      "name": "7.1.8 — Ensure access to /etc/gshadow- is configured",
      "description": "Ensure access to /etc/gshadow- is configured",
      "rational": "It is critical to ensure that the /etc/gshadow- file is protected from unauthorized \naccess. Although it is protected by default, the file permissions could be changed either \ninadvertently or through malicious actions.",
      "remediation": "Run one of the following commands to set ownership of /etc/gshadow- to root and \ngroup to either root or shadow: \n# chown root:shadow /etc/gshadow- \n  -OR- \n# chown root:root /etc/gshadow- \nRun the following command to remove excess permissions from /etc/gshadow-: \n# chmod u-x,g-wx,o-rwx /etc/gshadow-",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)'  /etc/gshadow-",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "875811a335695b33b6ac7851db8d416c",
      "name": "7.1.9 — Ensure access to /etc/shells is configured",
      "description": "Ensure access to /etc/shells is configured",
      "rational": "It is critical to ensure that the /etc/shells file is protected from unauthorized access. \nAlthough it is protected by default, the file permissions could be changed either \ninadvertently or through malicious actions.",
      "remediation": "Run the following commands to remove excess permissions, set owner, and set group \non /etc/shells: \n# chmod u-x,go-wx /etc/shells \n# chown root:root /etc/shells",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -Lc 'Access: (%#a/%A)  Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/shells",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "ab3706e8ac79dbdd8978b3b960192bed",
      "name": "7.2.4 — Ensure no duplicate UIDs exist",
      "description": "Ensure no duplicate UIDs exist",
      "rational": "Users must be assigned unique UIDs for accountability and to ensure appropriate \naccess protections. \nSatisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, SRG-OS-000042-GPOS-00020",
      "remediation": "Based on the results of the audit script, establish unique UIDs and review all files owned \nby the shared UIDs to determine which UID they are supposed to belong to.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "acaa0e998fb48d46894128f66c0576e3",
      "name": "7.2.5 — Ensure no duplicate GIDs exist",
      "description": "Ensure no duplicate GIDs exist",
      "rational": "User groups must be assigned unique GIDs for accountability and to ensure appropriate \naccess protections.",
      "remediation": "Based on the results of the audit script, establish unique GIDs and review all files \nowned by the shared GID to determine which group they are supposed to belong to.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "816ef8cf3de6546fc325f0e72b12b41b",
      "name": "7.2.6 — Ensure no duplicate user names exist",
      "description": "Ensure no duplicate user names exist",
      "rational": "If a user is assigned a duplicate user name, it will create and have access to files with \nthe first UID for that username in /etc/passwd . For example, if \"test4\" has a UID of \n1000 and a subsequent \"test4\" entry has a UID of 2000, logging in as \"test4\" will use \nUID 1000. Effectively, the UID is shared, which is a security problem.",
      "remediation": "Based on the results of the audit script, establish unique user names for the users. File \nownerships will automatically reflect the change as long as the users have unique UIDs.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "d7e3efd1cc89300fa82d90605da83636",
      "name": "7.2.7 — Ensure no duplicate group names exist",
      "description": "Ensure no duplicate group names exist",
      "rational": "If a group is assigned a duplicate group name, it will create and have access to files \nwith the first GID for that group in /etc/group . Effectively, the GID is shared, which is \na security problem.",
      "remediation": "Based on the results of the audit script, establish unique names for the user groups. File \ngroup ownerships will automatically reflect the change as long as the groups have \nunique GIDs.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "!/usr/bin/env bash",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    },
    {
      "external_id": "58c3d1b26280f1a7dc7a98127a7697e2",
      "name": "7.2.10 — Ensure no passwords are stored in /etc/group",
      "description": "Ensure no passwords are stored in /etc/group",
      "rational": "The /etc/group file is world-readable to allow group membership resolution. If \npassword hashes are stored in this file instead of /etc/gshadow, they become \naccessible to all local users, increasing the risk of credential exposure and privilege \nescalation. Ensuring group passwords are stored only in /etc/gshadow protects \nsensitive authentication data.",
      "remediation": "1.  Review the groups that contain passwords and determine if group passwords are \n\nneeded. \n\n2.  Remove the group password using the following command: \n\n# gpasswd --remove-password <group> \n\n3.  - IF - /etc/gshadow does not exist create it using the following command: \n\n# touch /etc/gshadow \n\n4.  - IF - group passwords are needed recreate them per site policy using the \n\ngpasswd command",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "awk -F: '($2 != \"x\" && $2 != \"!\" && $2 != \"\") { print $1 }' /etc/group",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "SUSE"
        }
      ]
    }
  ]
}
