/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html 2022-02-22 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:12
- cpe:/o:suse:linux_enterprise_desktop:12
Revision HistoryCurrent version: 0.1.60 - draft
- (as of 2022-02-28)
+ (as of 2037-04-02)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 100 groups and 257 rules | Group
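Review bot: the only change in this hunk is the Revision History stamp, "- (as of 2022-02-28)" becoming "+ (as of 2037-04-02)", and 2037 is not a content revision date but the clock of the host that did the second build, so the guide transform is writing build time into the shipped HTML. The XCCDF status timestamp in the datastream hunks further down stays at 2022-02-22T00:00:00 on both sides, so the fix is to derive the "as of" value from that same content date (or from SOURCE_DATE_EPOCH) instead of the wall clock. The identical one-line change recurs in every ssg-sle12-* and ssg-sle15-* guide in this diff, so a single change in the shared guide generator clears all fifteen files; until then the guides are not reproducible, and an auditor who opens a compliance guide dated 2037 will rightly question the whole package.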
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:12
- cpe:/o:suse:linux_enterprise_desktop:12
Revision HistoryCurrent version: 0.1.60 - draft
- (as of 2022-02-28)
+ (as of 2037-04-02)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 89 groups and 194 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:12
- cpe:/o:suse:linux_enterprise_desktop:12
Revision HistoryCurrent version: 0.1.60 - draft
- (as of 2022-02-28)
+ (as of 2037-04-02)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 83 groups and 191 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:12
- cpe:/o:suse:linux_enterprise_desktop:12
Revision HistoryCurrent version: 0.1.60 - draft
- (as of 2022-02-28)
+ (as of 2037-04-02)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 98 groups and 256 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:12
- cpe:/o:suse:linux_enterprise_desktop:12
Revision HistoryCurrent version: 0.1.60 - draft
- (as of 2022-02-28)
+ (as of 2037-04-02)
Table of Contents- System Settings
- File Permissions and Masks
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 4 groups and 3 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:12
- cpe:/o:suse:linux_enterprise_desktop:12
Revision HistoryCurrent version: 0.1.60 - draft
- (as of 2022-02-28)
+ (as of 2037-04-02)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Base Services
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 83 groups and 229 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html 2022-02-22 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.60 - draft
- (as of 2022-02-28)
+ (as of 2037-04-02)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 109 groups and 279 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.60 - draft
- (as of 2022-02-28)
+ (as of 2037-04-02)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 97 groups and 216 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.60 - draft
- (as of 2022-02-28)
+ (as of 2037-04-02)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 91 groups and 213 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.60 - draft
- (as of 2022-02-28)
+ (as of 2037-04-02)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 107 groups and 278 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000
@@ -73,7 +73,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.60 - draft
- (as of 2022-02-28)
+ (as of 2037-04-02)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 54 groups and 133 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.60 - draft
- (as of 2022-02-28)
+ (as of 2037-04-02)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 48 groups and 109 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html 2022-02-22 00:00:00.000000000 +0000
@@ -68,7 +68,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.60 - draft
- (as of 2022-02-28)
+ (as of 2037-04-02)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- Deprecated services
- Web Server
- Network Time Protocol
- SSH Server
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 44 groups and 115 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html 2022-02-22 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.60 - draft
- (as of 2022-02-28)
+ (as of 2037-04-02)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Base Services
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SSH Server
- System Security Services Daemon
ChecklistGroup
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 83 groups and 235 rules | Group
/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -12559,154 +12559,154 @@
2022-02-22T00:00:00
-
- Resolve information before writing to audit logs
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-sudo_require_authentication_action:testaction:1
-
- Ensure /var Located On Separate Partition
+
+ Verify that System Executables Have Restrictive Permissions
- ocil:ssg-partition_for_var_action:testaction:1
+ ocil:ssg-file_permissions_binary_dirs_action:testaction:1
-
- Set Default iptables Policy for Forwarded Packets
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
- ocil:ssg-set_iptables_default_rule_forward_action:testaction:1
+ ocil:ssg-auditd_overflow_action_action:testaction:1
-
- Set hostname as computer node name in audit logs
+
+ Record Attempts to Alter Time Through clock_settime
- ocil:ssg-auditd_name_format_action:testaction:1
+ ocil:ssg-audit_rules_time_clock_settime_action:testaction:1
-
- Record Attempts to Alter the localtime File
+
+ Install the OpenSSH Server Package
- ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1
+ ocil:ssg-package_openssh-server_installed_action:testaction:1
-
- Verify that Shared Library Directories Have Root Ownership
+
+ Record Events that Modify the System's Discretionary Access Controls - lsetxattr
- ocil:ssg-dir_ownership_library_dirs_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1
-
- A remote time server for Chrony is configured
+
+ Ensure nss-tools is installed
- ocil:ssg-chronyd_specify_remote_server_action:testaction:1
+ ocil:ssg-package_nss-tools_installed_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - setxattr
+
+ Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
- ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1
+ ocil:ssg-sudo_add_requiretty_action:testaction:1
-
- Ensure All-Squashing Disabled On All Exports
+
+ Verify that All World-Writable Directories Have Sticky Bits Set
- ocil:ssg-no_all_squash_exports_action:testaction:1
+ ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1
-
- Ensure auditd Collects Information on Exporting to Media (successful)
+
+ Ensure auditd Collects File Deletion Events by User - rename
- ocil:ssg-audit_rules_media_export_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1
-
- Verify Group Who Owns Backup gshadow File
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Disable SSH TCP Forwarding
+
+ Verify that Shared Library Directories Have Restrictive Permissions
- ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1
+ ocil:ssg-dir_permissions_library_dirs_action:testaction:1
-
- Ensure SELinux State is Enforcing
+
+ Disable SSH Support for Rhosts RSA Authentication
- ocil:ssg-selinux_state_action:testaction:1
+ ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1
-
- Verify Group Who Owns Backup group File
+
+ Verify User Who Owns Backup gshadow File
- ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1
+ ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1
-
- Set Password Maximum Age
+
+ Force frequent session key renegotiation
- ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1
+ ocil:ssg-sshd_rekey_limit_action:testaction:1
-
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+
+ Disable SSH Support for .rhosts Files
- ocil:ssg-sudo_remove_nopasswd_action:testaction:1
+ ocil:ssg-sshd_disable_rhosts_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - lremovexattr
+
+ Prevent Login to Accounts With Empty Password
- ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1
+ ocil:ssg-no_empty_passwords_action:testaction:1
-
- Verify User Who Owns shadow File
+
+ Ensure rsyslog is Installed
- ocil:ssg-file_owner_etc_shadow_action:testaction:1
+ ocil:ssg-package_rsyslog_installed_action:testaction:1
-
- Remove the OpenSSH Server Package
+
+ Ensure Log Files Are Owned By Appropriate Group
- ocil:ssg-package_openssh-server_removed_action:testaction:1
+ ocil:ssg-rsyslog_files_groupownership_action:testaction:1
-
- Ensure gnutls-utils is installed
+
+ System Audit Logs Must Be Owned By Root
- ocil:ssg-package_gnutls-utils_installed_action:testaction:1
+ ocil:ssg-file_ownership_var_log_audit_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fremovexattr
+
+ Record Events that Modify the System's Discretionary Access Controls - lremovexattr
- ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1
-
- Don't target root user in the sudoers file
+
+ Disable Kerberos by removing host keytab
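Review bot: this hunk is a reordering, not a content change: both sides are 154 lines, every removed entry is a questionnaire title followed by its ocil:ssg-*_action:testaction:1 reference, and the same entries reappear on the "+" side at a different position (the "lremovexattr" DAC entry is removed as "- ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1" and added back further down unchanged). So the OCIL component is serialized in whatever order the generator's in-memory collection happens to iterate, which is not stable between runs. Sort questionnaires and test actions by their id before writing them out; the ids visible here are already unique, stable keys. This matters beyond reproducibility: consumers pin SCAP datastreams by checksum or signature, and a byte-unstable datastream cannot be verified against a published digest even though its rules are identical. The same hunk appears in ssg-opensuse-ds.xml and ssg-opensuse-ocil.xml below, so one fix in the OCIL builder covers all three files.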
/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 2022-02-22 00:00:00.000000000 +0000
@@ -12559,154 +12559,154 @@
2022-02-22T00:00:00
-
- Resolve information before writing to audit logs
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-sudo_require_authentication_action:testaction:1
-
- Ensure /var Located On Separate Partition
+
+ Verify that System Executables Have Restrictive Permissions
- ocil:ssg-partition_for_var_action:testaction:1
+ ocil:ssg-file_permissions_binary_dirs_action:testaction:1
-
- Set Default iptables Policy for Forwarded Packets
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
- ocil:ssg-set_iptables_default_rule_forward_action:testaction:1
+ ocil:ssg-auditd_overflow_action_action:testaction:1
-
- Set hostname as computer node name in audit logs
+
+ Record Attempts to Alter Time Through clock_settime
- ocil:ssg-auditd_name_format_action:testaction:1
+ ocil:ssg-audit_rules_time_clock_settime_action:testaction:1
-
- Record Attempts to Alter the localtime File
+
+ Install the OpenSSH Server Package
- ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1
+ ocil:ssg-package_openssh-server_installed_action:testaction:1
-
- Verify that Shared Library Directories Have Root Ownership
+
+ Record Events that Modify the System's Discretionary Access Controls - lsetxattr
- ocil:ssg-dir_ownership_library_dirs_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1
-
- A remote time server for Chrony is configured
+
+ Ensure nss-tools is installed
- ocil:ssg-chronyd_specify_remote_server_action:testaction:1
+ ocil:ssg-package_nss-tools_installed_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - setxattr
+
+ Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
- ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1
+ ocil:ssg-sudo_add_requiretty_action:testaction:1
-
- Ensure All-Squashing Disabled On All Exports
+
+ Verify that All World-Writable Directories Have Sticky Bits Set
- ocil:ssg-no_all_squash_exports_action:testaction:1
+ ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1
-
- Ensure auditd Collects Information on Exporting to Media (successful)
+
+ Ensure auditd Collects File Deletion Events by User - rename
- ocil:ssg-audit_rules_media_export_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1
-
- Verify Group Who Owns Backup gshadow File
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Disable SSH TCP Forwarding
+
+ Verify that Shared Library Directories Have Restrictive Permissions
- ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1
+ ocil:ssg-dir_permissions_library_dirs_action:testaction:1
-
- Ensure SELinux State is Enforcing
+
+ Disable SSH Support for Rhosts RSA Authentication
- ocil:ssg-selinux_state_action:testaction:1
+ ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1
-
- Verify Group Who Owns Backup group File
+
+ Verify User Who Owns Backup gshadow File
- ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1
+ ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1
-
- Set Password Maximum Age
+
+ Force frequent session key renegotiation
- ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1
+ ocil:ssg-sshd_rekey_limit_action:testaction:1
-
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+
+ Disable SSH Support for .rhosts Files
- ocil:ssg-sudo_remove_nopasswd_action:testaction:1
+ ocil:ssg-sshd_disable_rhosts_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - lremovexattr
+
+ Prevent Login to Accounts With Empty Password
- ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1
+ ocil:ssg-no_empty_passwords_action:testaction:1
-
- Verify User Who Owns shadow File
+
+ Ensure rsyslog is Installed
- ocil:ssg-file_owner_etc_shadow_action:testaction:1
+ ocil:ssg-package_rsyslog_installed_action:testaction:1
-
- Remove the OpenSSH Server Package
+
+ Ensure Log Files Are Owned By Appropriate Group
- ocil:ssg-package_openssh-server_removed_action:testaction:1
+ ocil:ssg-rsyslog_files_groupownership_action:testaction:1
-
- Ensure gnutls-utils is installed
+
+ System Audit Logs Must Be Owned By Root
- ocil:ssg-package_gnutls-utils_installed_action:testaction:1
+ ocil:ssg-file_ownership_var_log_audit_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fremovexattr
+
+ Record Events that Modify the System's Discretionary Access Controls - lremovexattr
- ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1
-
- Don't target root user in the sudoers file
+
+ Disable Kerberos by removing host keytab
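Review bot: same permutation as the ssg-opensuse-ds-1.2.xml hunk above, at the same offset (@@ -12559,154 +12559,154 @@) and with the same entries in the same new order, so this is the identical embedded OCIL component rather than a second defect; it needs no separate change once the OCIL generator emits its entries in sorted id order.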
/usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 2022-02-22 00:00:00.000000000 +0000
@@ -7,154 +7,154 @@
2022-02-22T00:00:00
-
- Resolve information before writing to audit logs
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-sudo_require_authentication_action:testaction:1
-
- Ensure /var Located On Separate Partition
+
+ Verify that System Executables Have Restrictive Permissions
- ocil:ssg-partition_for_var_action:testaction:1
+ ocil:ssg-file_permissions_binary_dirs_action:testaction:1
-
- Set Default iptables Policy for Forwarded Packets
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
- ocil:ssg-set_iptables_default_rule_forward_action:testaction:1
+ ocil:ssg-auditd_overflow_action_action:testaction:1
-
- Set hostname as computer node name in audit logs
+
+ Record Attempts to Alter Time Through clock_settime
- ocil:ssg-auditd_name_format_action:testaction:1
+ ocil:ssg-audit_rules_time_clock_settime_action:testaction:1
-
- Record Attempts to Alter the localtime File
+
+ Install the OpenSSH Server Package
- ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1
+ ocil:ssg-package_openssh-server_installed_action:testaction:1
-
- Verify that Shared Library Directories Have Root Ownership
+
+ Record Events that Modify the System's Discretionary Access Controls - lsetxattr
- ocil:ssg-dir_ownership_library_dirs_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1
-
- A remote time server for Chrony is configured
+
+ Ensure nss-tools is installed
- ocil:ssg-chronyd_specify_remote_server_action:testaction:1
+ ocil:ssg-package_nss-tools_installed_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - setxattr
+
+ Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
- ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1
+ ocil:ssg-sudo_add_requiretty_action:testaction:1
-
- Ensure All-Squashing Disabled On All Exports
+
+ Verify that All World-Writable Directories Have Sticky Bits Set
- ocil:ssg-no_all_squash_exports_action:testaction:1
+ ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1
-
- Ensure auditd Collects Information on Exporting to Media (successful)
+
+ Ensure auditd Collects File Deletion Events by User - rename
- ocil:ssg-audit_rules_media_export_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1
-
- Verify Group Who Owns Backup gshadow File
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Disable SSH TCP Forwarding
+
+ Verify that Shared Library Directories Have Restrictive Permissions
- ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1
+ ocil:ssg-dir_permissions_library_dirs_action:testaction:1
-
- Ensure SELinux State is Enforcing
+
+ Disable SSH Support for Rhosts RSA Authentication
- ocil:ssg-selinux_state_action:testaction:1
+ ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1
-
- Verify Group Who Owns Backup group File
+
+ Verify User Who Owns Backup gshadow File
- ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1
+ ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1
-
- Set Password Maximum Age
+
+ Force frequent session key renegotiation
- ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1
+ ocil:ssg-sshd_rekey_limit_action:testaction:1
-
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+
+ Disable SSH Support for .rhosts Files
- ocil:ssg-sudo_remove_nopasswd_action:testaction:1
+ ocil:ssg-sshd_disable_rhosts_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - lremovexattr
+
+ Prevent Login to Accounts With Empty Password
- ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1
+ ocil:ssg-no_empty_passwords_action:testaction:1
-
- Verify User Who Owns shadow File
+
+ Ensure rsyslog is Installed
- ocil:ssg-file_owner_etc_shadow_action:testaction:1
+ ocil:ssg-package_rsyslog_installed_action:testaction:1
-
- Remove the OpenSSH Server Package
+
+ Ensure Log Files Are Owned By Appropriate Group
- ocil:ssg-package_openssh-server_removed_action:testaction:1
+ ocil:ssg-rsyslog_files_groupownership_action:testaction:1
-
- Ensure gnutls-utils is installed
+
+ System Audit Logs Must Be Owned By Root
- ocil:ssg-package_gnutls-utils_installed_action:testaction:1
+ ocil:ssg-file_ownership_var_log_audit_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fremovexattr
+
+ Record Events that Modify the System's Discretionary Access Controls - lremovexattr
- ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1
-
- Don't target root user in the sudoers file
+
+ Disable Kerberos by removing host keytab
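Review bot: This hunk records a reordering rather than a content change in the rendered HTML guide: every removed line has a counterpart added elsewhere in the same hunk with identical text, for example "Record Events that Modify the System's Discretionary Access Controls - lremovexattr" with its `ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1` reference is removed near the top and added back unchanged near the bottom. The rule-to-OCIL mapping stays intact in each title/reference pair, so the check semantics are unaffected, but the order in which checks are emitted depends on the build. Please have the guide generator sort the OCIL references (by rule id would do) so that two builds of the same source produce byte-identical guides; otherwise this diff will recur on every rebuild and will mask real content changes in review.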
/usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of openSUSE
This guide presents a catalog of security-relevant
configuration settings for openSUSE. It is a rendering of
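Review bot: The removed and added lines in this hunk render identically ("draft"), so whatever differs is carried in markup or attributes that this text rendering strips, and a reviewer cannot see what actually changed. Please include the attribute-level diff for the status element; if the differing value is a date or timestamp taken from the build clock, derive it from a fixed source such as SOURCE_DATE_EPOCH so the benchmark header is reproducible.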
@@ -53,9 +53,9 @@
-
+
-
+
@@ -68,6 +68,11 @@
+
+
+
+
+
@@ -78,19 +83,9 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
+
@@ -103,19 +98,24 @@
+
+
+
+
+
-
+
-
+
-
+
-
+
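Review bot: The three preceding hunks for ssg-opensuse-xccdf.xml (`@@ -68,6 +68,11 @@`, `@@ -78,19 +83,9 @@`, `@@ -103,19 +98,24 @@`) net out to zero lines (+5, -10, +5), and none of the changed lines carries visible text, which is the signature of elements being moved within the file rather than added or removed. This is consistent with non-deterministic ordering at generation time; please emit these child elements in a stable order so the XCCDF benchmark is reproducible, and confirm that no rule or profile reference is actually dropped by comparing the element ids on both sides.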
/usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -24381,802 +24381,802 @@
2022-02-22T00:00:00
-
- Verify Permissions and Ownership of Old Passwords File
+
+ Enable the OpenSSH Service
- ocil:ssg-file_etc_security_opasswd_action:testaction:1
+ ocil:ssg-service_sshd_enabled_action:testaction:1
-
- Modify the System GUI Login Banner
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - chage
- ocil:ssg-banner_etc_gdm_banner_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1
-
- Set Password Hashing Algorithm in /etc/login.defs
+
+ Remove telnet Clients
- ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1
+ ocil:ssg-package_telnet_removed_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Check that vlock is installed to allow session locking
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-vlock_installed_action:testaction:1
-
- Uninstall talk Package
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo
- ocil:ssg-package_talk_removed_action:testaction:1
+ ocil:ssg-sudo_require_authentication_action:testaction:1
-
- Ensure /var Located On Separate Partition
+
+ Add nosuid Option to /home
- ocil:ssg-partition_for_var_action:testaction:1
+ ocil:ssg-mount_option_home_nosuid_action:testaction:1
-
- Set Default iptables Policy for Forwarded Packets
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - insmod
- ocil:ssg-set_iptables_default_rule_forward_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1
-
- Set hostname as computer node name in audit logs
+
+ Verify that System Executables Have Restrictive Permissions
- ocil:ssg-auditd_name_format_action:testaction:1
+ ocil:ssg-file_permissions_binary_dirs_action:testaction:1
-
- OS commands and libraries must have the proper permissions to protect from unauthorized access
+
+ Disable Kernel Parameter for IPv6 Forwarding by default
- ocil:ssg-run_chkstat_action:testaction:1
+ ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1
-
- Install strongswan Package
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
- ocil:ssg-package_strongswan_installed_action:testaction:1
+ ocil:ssg-auditd_overflow_action_action:testaction:1
-
- Record Attempts to Alter the localtime File
+
+ Record Attempts to Alter Time Through clock_settime
- ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1
+ ocil:ssg-audit_rules_time_clock_settime_action:testaction:1
-
- Verify that Shared Library Directories Have Root Ownership
+
+ Ensure that System Accounts Do Not Run a Shell Upon Login
- ocil:ssg-dir_ownership_library_dirs_action:testaction:1
+ ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1
-
- Verify Permissions on cron.weekly
+
+ Configure GNOME3 DConf User Profile
- ocil:ssg-file_permissions_cron_weekly_action:testaction:1
+ ocil:ssg-enable_dconf_user_profile_action:testaction:1
-
- A remote time server for Chrony is configured
+
+ Install the OpenSSH Server Package
- ocil:ssg-chronyd_specify_remote_server_action:testaction:1
+ ocil:ssg-package_openssh-server_installed_action:testaction:1
-
- Enable cron Service
+
+ Remove the X Windows Package Group
- ocil:ssg-service_crond_enabled_action:testaction:1
+ ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - setxattr
+
+ Ensure zypper Removes Previous Package Versions
- ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1
+ ocil:ssg-clean_components_post_updating_action:testaction:1
-
- Add nosuid Option to /home
+
+ Record Events that Modify the System's Discretionary Access Controls - lsetxattr
- ocil:ssg-mount_option_home_nosuid_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1
-
- Enable Auditing for Processes Which Start Prior to the Audit Daemon
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - su
- ocil:ssg-grub2_audit_argument_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1
-
- Remove telnet Clients
+
+ Display the Standard Mandatory DoD Notice and Consent Banner until Explicit Acknowledgement
- ocil:ssg-package_telnet_removed_action:testaction:1
+ ocil:ssg-gui_login_dod_acknowledgement_action:testaction:1
-
- Ensure All-Squashing Disabled On All Exports
+
+ Add nosuid Option to /tmp
- ocil:ssg-no_all_squash_exports_action:testaction:1
+ ocil:ssg-mount_option_tmp_nosuid_action:testaction:1
-
- Ensure auditd Collects Information on Exporting to Media (successful)
+
+ Remove Host-Based Authentication Files
- ocil:ssg-audit_rules_media_export_action:testaction:1
+ ocil:ssg-no_host_based_files_action:testaction:1
-
- Verify Group Who Owns Backup gshadow File
+
+ Record Attempts to Alter Logon and Logout Events - faillock
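Review bot: The `@@ -24381,802 +24381,802 @@` header shows equal line counts, and the visible content confirms a permutation rather than a substantive change: "Add nosuid Option to /home" with `ocil:ssg-mount_option_home_nosuid_action:testaction:1` is added early in the hunk and removed again later, as is "Remove telnet Clients" with `ocil:ssg-package_telnet_removed_action:testaction:1`. Each title stays paired with its own `testaction` reference, so the OCIL questionnaire content is unchanged, but its order in the datastream is build-dependent. Since the datastream embeds the OCIL component, this should be fixed where the OCIL document is generated rather than in the datastream assembly; a sort on the questionnaire id is enough.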
/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 2022-02-22 00:00:00.000000000 +0000
@@ -24383,802 +24383,802 @@
2022-02-22T00:00:00
-
- Verify Permissions and Ownership of Old Passwords File
+
+ Enable the OpenSSH Service
- ocil:ssg-file_etc_security_opasswd_action:testaction:1
+ ocil:ssg-service_sshd_enabled_action:testaction:1
-
- Modify the System GUI Login Banner
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - chage
- ocil:ssg-banner_etc_gdm_banner_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1
-
- Set Password Hashing Algorithm in /etc/login.defs
+
+ Remove telnet Clients
- ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1
+ ocil:ssg-package_telnet_removed_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Check that vlock is installed to allow session locking
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-vlock_installed_action:testaction:1
-
- Uninstall talk Package
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo
- ocil:ssg-package_talk_removed_action:testaction:1
+ ocil:ssg-sudo_require_authentication_action:testaction:1
-
- Ensure /var Located On Separate Partition
+
+ Add nosuid Option to /home
- ocil:ssg-partition_for_var_action:testaction:1
+ ocil:ssg-mount_option_home_nosuid_action:testaction:1
-
- Set Default iptables Policy for Forwarded Packets
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - insmod
- ocil:ssg-set_iptables_default_rule_forward_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1
-
- Set hostname as computer node name in audit logs
+
+ Verify that System Executables Have Restrictive Permissions
- ocil:ssg-auditd_name_format_action:testaction:1
+ ocil:ssg-file_permissions_binary_dirs_action:testaction:1
-
- OS commands and libraries must have the proper permissions to protect from unauthorized access
+
+ Disable Kernel Parameter for IPv6 Forwarding by default
- ocil:ssg-run_chkstat_action:testaction:1
+ ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1
-
- Install strongswan Package
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
- ocil:ssg-package_strongswan_installed_action:testaction:1
+ ocil:ssg-auditd_overflow_action_action:testaction:1
-
- Record Attempts to Alter the localtime File
+
+ Record Attempts to Alter Time Through clock_settime
- ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1
+ ocil:ssg-audit_rules_time_clock_settime_action:testaction:1
-
- Verify that Shared Library Directories Have Root Ownership
+
+ Ensure that System Accounts Do Not Run a Shell Upon Login
- ocil:ssg-dir_ownership_library_dirs_action:testaction:1
+ ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1
-
- Verify Permissions on cron.weekly
+
+ Configure GNOME3 DConf User Profile
- ocil:ssg-file_permissions_cron_weekly_action:testaction:1
+ ocil:ssg-enable_dconf_user_profile_action:testaction:1
-
- A remote time server for Chrony is configured
+
+ Install the OpenSSH Server Package
- ocil:ssg-chronyd_specify_remote_server_action:testaction:1
+ ocil:ssg-package_openssh-server_installed_action:testaction:1
-
- Enable cron Service
+
+ Remove the X Windows Package Group
- ocil:ssg-service_crond_enabled_action:testaction:1
+ ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - setxattr
+
+ Ensure zypper Removes Previous Package Versions
- ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1
+ ocil:ssg-clean_components_post_updating_action:testaction:1
-
- Add nosuid Option to /home
+
+ Record Events that Modify the System's Discretionary Access Controls - lsetxattr
- ocil:ssg-mount_option_home_nosuid_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1
-
- Enable Auditing for Processes Which Start Prior to the Audit Daemon
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - su
- ocil:ssg-grub2_audit_argument_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1
-
- Remove telnet Clients
+
+ Display the Standard Mandatory DoD Notice and Consent Banner until Explicit Acknowledgement
- ocil:ssg-package_telnet_removed_action:testaction:1
+ ocil:ssg-gui_login_dod_acknowledgement_action:testaction:1
-
- Ensure All-Squashing Disabled On All Exports
+
+ Add nosuid Option to /tmp
- ocil:ssg-no_all_squash_exports_action:testaction:1
+ ocil:ssg-mount_option_tmp_nosuid_action:testaction:1
-
- Ensure auditd Collects Information on Exporting to Media (successful)
+
+ Remove Host-Based Authentication Files
- ocil:ssg-audit_rules_media_export_action:testaction:1
+ ocil:ssg-no_host_based_files_action:testaction:1
-
- Verify Group Who Owns Backup gshadow File
+
+ Record Attempts to Alter Logon and Logout Events - faillock
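Review bot: This hunk for ssg-sle12-ds.xml is line-for-line the same reordering as the ssg-sle12-ds-1.2.xml hunk above (same titles, same `testaction` references, equal 802/802 line counts), so it has the same cause and needs no separate fix: once the embedded OCIL component is emitted in a deterministic order, both datastream variants will rebuild identically. Worth noting for anyone diffing the 1.2 and 1.3 datastreams that the two differ only in the start offset (24381 versus 24383), which is expected given the different datastream wrapper.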
/usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml 2022-02-22 00:00:00.000000000 +0000
@@ -7,802 +7,802 @@
2022-02-22T00:00:00
-
- Verify Permissions and Ownership of Old Passwords File
+
+ Enable the OpenSSH Service
- ocil:ssg-file_etc_security_opasswd_action:testaction:1
+ ocil:ssg-service_sshd_enabled_action:testaction:1
-
- Modify the System GUI Login Banner
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - chage
- ocil:ssg-banner_etc_gdm_banner_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1
-
- Set Password Hashing Algorithm in /etc/login.defs
+
+ Remove telnet Clients
- ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1
+ ocil:ssg-package_telnet_removed_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Check that vlock is installed to allow session locking
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-vlock_installed_action:testaction:1
-
- Uninstall talk Package
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo
- ocil:ssg-package_talk_removed_action:testaction:1
+ ocil:ssg-sudo_require_authentication_action:testaction:1
-
- Ensure /var Located On Separate Partition
+
+ Add nosuid Option to /home
- ocil:ssg-partition_for_var_action:testaction:1
+ ocil:ssg-mount_option_home_nosuid_action:testaction:1
-
- Set Default iptables Policy for Forwarded Packets
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - insmod
- ocil:ssg-set_iptables_default_rule_forward_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1
-
- Set hostname as computer node name in audit logs
+
+ Verify that System Executables Have Restrictive Permissions
- ocil:ssg-auditd_name_format_action:testaction:1
+ ocil:ssg-file_permissions_binary_dirs_action:testaction:1
-
- OS commands and libraries must have the proper permissions to protect from unauthorized access
+
+ Disable Kernel Parameter for IPv6 Forwarding by default
- ocil:ssg-run_chkstat_action:testaction:1
+ ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1
-
- Install strongswan Package
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
- ocil:ssg-package_strongswan_installed_action:testaction:1
+ ocil:ssg-auditd_overflow_action_action:testaction:1
-
- Record Attempts to Alter the localtime File
+
+ Record Attempts to Alter Time Through clock_settime
- ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1
+ ocil:ssg-audit_rules_time_clock_settime_action:testaction:1
-
- Verify that Shared Library Directories Have Root Ownership
+
+ Ensure that System Accounts Do Not Run a Shell Upon Login
- ocil:ssg-dir_ownership_library_dirs_action:testaction:1
+ ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1
-
- Verify Permissions on cron.weekly
+
+ Configure GNOME3 DConf User Profile
- ocil:ssg-file_permissions_cron_weekly_action:testaction:1
+ ocil:ssg-enable_dconf_user_profile_action:testaction:1
-
- A remote time server for Chrony is configured
+
+ Install the OpenSSH Server Package
- ocil:ssg-chronyd_specify_remote_server_action:testaction:1
+ ocil:ssg-package_openssh-server_installed_action:testaction:1
-
- Enable cron Service
+
+ Remove the X Windows Package Group
- ocil:ssg-service_crond_enabled_action:testaction:1
+ ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - setxattr
+
+ Ensure zypper Removes Previous Package Versions
- ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1
+ ocil:ssg-clean_components_post_updating_action:testaction:1
-
- Add nosuid Option to /home
+
+ Record Events that Modify the System's Discretionary Access Controls - lsetxattr
- ocil:ssg-mount_option_home_nosuid_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1
-
- Enable Auditing for Processes Which Start Prior to the Audit Daemon
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - su
- ocil:ssg-grub2_audit_argument_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1
-
- Remove telnet Clients
+
+ Display the Standard Mandatory DoD Notice and Consent Banner until Explicit Acknowledgement
- ocil:ssg-package_telnet_removed_action:testaction:1
+ ocil:ssg-gui_login_dod_acknowledgement_action:testaction:1
-
- Ensure All-Squashing Disabled On All Exports
+
+ Add nosuid Option to /tmp
- ocil:ssg-no_all_squash_exports_action:testaction:1
+ ocil:ssg-mount_option_tmp_nosuid_action:testaction:1
-
- Ensure auditd Collects Information on Exporting to Media (successful)
+
+ Remove Host-Based Authentication Files
- ocil:ssg-audit_rules_media_export_action:testaction:1
+ ocil:ssg-no_host_based_files_action:testaction:1
-
- Verify Group Who Owns Backup gshadow File
+
+ Record Attempts to Alter Logon and Logout Events - faillock
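Review bot: This is the origin of the datastream diffs above: ssg-sle12-ocil.xml itself is emitted with its questionnaires in a build-dependent order (equal 802/802 line counts, and entries such as "Add nosuid Option to /home" appearing as both an addition and a removal within the hunk). The fix belongs here, in OCIL generation, by sorting questionnaires and their `testaction` references on a stable key such as the `ocil:ssg-..._action` id; the two datastreams will then follow automatically. Please also add a reproducibility check to CI that builds the content twice and diffs the OCIL output, so this regression is caught before it reaches the packaged guides.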
/usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 2022-02-22 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of SUSE Linux Enterprise 12
This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 12. It is a rendering of
@@ -43,14 +43,9 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
@@ -58,29 +53,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -88,24 +83,24 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -113,19 +108,24 @@
+
+
+
+
+
-
+
-
+
-
+
-
+
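Review bot: The four hunks for ssg-sle12-xccdf.xml after the header (`-43,14 +43,9`, `-58,29 +53,29`, `-88,24 +83,24`, `-113,19 +108,24`) again sum to zero net lines with no visible text on any changed line, matching the element-move pattern seen in ssg-opensuse-xccdf.xml, and the leading `@@ -1,6 +1,6 @@` hunk has the same invisible "draft" difference as the openSUSE benchmark. Both files should be covered by the same two fixes: a stable element order in the XCCDF generator and a build date that does not come from the wall clock. Please verify by element id that the 29 and 24 line blocks being moved in the middle hunks are the same elements on both sides.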
/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000
@@ -28572,2062 +28572,2057 @@
2022-02-22T00:00:00
-
- Verify Permissions and Ownership of Old Passwords File
-
- ocil:ssg-file_etc_security_opasswd_action:testaction:1
-
-
-
- Configure SSH to use System Crypto Policy
+
+ Enable the OpenSSH Service
- ocil:ssg-configure_ssh_crypto_policy_action:testaction:1
+ ocil:ssg-service_sshd_enabled_action:testaction:1
-
- Modify the System GUI Login Banner
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - chage
- ocil:ssg-banner_etc_gdm_banner_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1
-
- Set Password Hashing Algorithm in /etc/login.defs
+
+ Remove telnet Clients
- ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1
+ ocil:ssg-package_telnet_removed_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Ensure No Daemons are Unconfined by SELinux
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-selinux_confinement_of_daemons_action:testaction:1
-
- Disable debug-shell SystemD Service
+
+ Check that vlock is installed to allow session locking
- ocil:ssg-service_debug-shell_disabled_action:testaction:1
+ ocil:ssg-vlock_installed_action:testaction:1
-
- Uninstall talk Package
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo
- ocil:ssg-package_talk_removed_action:testaction:1
+ ocil:ssg-sudo_require_authentication_action:testaction:1
-
- Ensure /var Located On Separate Partition
+
+ Add nosuid Option to /home
- ocil:ssg-partition_for_var_action:testaction:1
+ ocil:ssg-mount_option_home_nosuid_action:testaction:1
-
- Set Default iptables Policy for Forwarded Packets
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - insmod
- ocil:ssg-set_iptables_default_rule_forward_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1
-
- Set hostname as computer node name in audit logs
+
+ Verify that System Executables Have Restrictive Permissions
- ocil:ssg-auditd_name_format_action:testaction:1
+ ocil:ssg-file_permissions_binary_dirs_action:testaction:1
-
- Disable snmpd Service
+
+ Disable Kernel Parameter for IPv6 Forwarding by default
- ocil:ssg-service_snmpd_disabled_action:testaction:1
+ ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1
-
- Install strongswan Package
+
+ Verify permissions of log files
- ocil:ssg-package_strongswan_installed_action:testaction:1
+ ocil:ssg-permissions_local_var_log_action:testaction:1
-
- Record Attempts to Alter the localtime File
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
- ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1
+ ocil:ssg-auditd_overflow_action_action:testaction:1
-
- Ensure All Groups on the System Have Unique Group ID
+
+ Record Attempts to Alter Time Through clock_settime
- ocil:ssg-group_unique_id_action:testaction:1
+ ocil:ssg-audit_rules_time_clock_settime_action:testaction:1
-
- Verify that Shared Library Directories Have Root Ownership
+
+ Verify File Hashes with RPM
- ocil:ssg-dir_ownership_library_dirs_action:testaction:1
+ ocil:ssg-rpm_verify_hashes_action:testaction:1
-
- Verify Permissions on cron.weekly
+
+ Ensure that System Accounts Do Not Run a Shell Upon Login
- ocil:ssg-file_permissions_cron_weekly_action:testaction:1
+ ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1
-
- A remote time server for Chrony is configured
+
+ Configure GNOME3 DConf User Profile
- ocil:ssg-chronyd_specify_remote_server_action:testaction:1
+ ocil:ssg-enable_dconf_user_profile_action:testaction:1
-
- Enable cron Service
+
+ Install the OpenSSH Server Package
- ocil:ssg-service_crond_enabled_action:testaction:1
+ ocil:ssg-package_openssh-server_installed_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - setxattr
+
+ Remove the X Windows Package Group
- ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1
+ ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1
-
- Add nosuid Option to /home
+
+ Ensure zypper Removes Previous Package Versions
- |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
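Review bot: Unlike the sle12 hunks, this one does not preserve the line count (`@@ -28572,2062 +28572,2057 @@` loses five lines), so it is not a pure reordering: the "Verify Permissions and Ownership of Old Passwords File" questionnaire with `ocil:ssg-file_etc_security_opasswd_action:testaction:1` is removed at the top of the hunk along with several surrounding blank lines and has no visible re-addition, while "Configure SSH to use System Crypto Policy" is removed and replaced in the normal move pattern. Please confirm whether dropping the /etc/security/opasswd permission check from the SLE 15 OCIL content is intentional (and, if so, that the corresponding XCCDF rule no longer references that questionnaire), because a dangling check reference would silently turn a manual control into a not-checked one; the remainder of the hunk has the same ordering problem as the sle12 content and is covered by the same fix.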