STIGQter: STIG Summary: SLES 12 Security Technical Implementation Guide

Version: 1
Release: 4
Benchmark Date: 24 Jan 2020

Name | Title
SV-91741r3_rule | The SUSE operating system must be a vendor-supported release.
SV-91743r2_rule | Vendor-packaged SUSE operating system security patches and updates must be installed and up to date.
SV-91745r3_rule | The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface (GUI).
SV-91747r3_rule | The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via local console.
SV-91749r3_rule | The SUSE operating system must display a banner before granting local or remote access to the system via a graphical user logon.
SV-91751r5_rule | The SUSE operating system must display the approved Standard Mandatory DoD Notice before granting local or remote access to the system via a graphical user logon.
SV-91753r2_rule | The SUSE operating system must be able to lock the graphical user interface (GUI).
SV-91755r3_rule | The SUSE operating system must utilize vlock to allow for session locking.
SV-91757r2_rule | The SUSE operating system must initiate a session lock after a 15-minute period of inactivity for the graphical user interface (GUI).
SV-91759r1_rule | The SUSE operating system must initiate a session lock after a 15-minute period of inactivity.
SV-91761r2_rule | The SUSE operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image in the graphical user interface (GUI).
SV-91763r2_rule | The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges.
SV-91765r3_rule | The SUSE operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
SV-91767r3_rule | The SUSE operating system must lock an account after three consecutive invalid logon attempts.
SV-91769r1_rule | The SUSE operating system must enforce a delay of at least four (4) seconds between logon prompts following a failed logon attempt.
SV-91771r3_rule | The SUSE operating system must enforce passwords that contain at least one upper-case character.
SV-91773r3_rule | The SUSE operating system must enforce passwords that contain at least one lower-case character.
SV-91775r3_rule | The SUSE operating system must enforce passwords that contain at least one numeric character.
SV-91777r3_rule | The SUSE operating system must enforce passwords that contain at least one special character.
SV-91783r3_rule | The SUSE operating system must require the change of at least eight (8) of the total number of characters when passwords are changed.
SV-91789r2_rule | The SUSE operating system must employ a FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs).
SV-91795r2_rule | The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.
SV-91801r4_rule | The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.
SV-91803r2_rule | The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.
SV-91805r3_rule | The SUSE operating system must employ passwords with a minimum of 15 characters.
SV-91807r2_rule | The SUSE operating system must be configured to create or update passwords with a minimum lifetime of 24 hours (1 day).
SV-91809r1_rule | The SUSE operating system must employ user passwords with a minimum lifetime of 24 hours (1 day).
SV-91811r2_rule | The SUSE operating system must be configured to create or update passwords with a maximum lifetime of 60 days.
SV-91813r2_rule | The SUSE operating system must employ user passwords with a maximum lifetime of 60 days.
SV-91815r1_rule | The SUSE operating system must employ a password history file.
SV-91817r4_rule | The SUSE operating system must not allow passwords to be reused for a minimum of five (5) generations.
SV-91819r3_rule | The SUSE operating system must prevent the use of dictionary words for passwords.
SV-91821r2_rule | The SUSE operating system must never automatically remove or disable emergency administrator accounts.
SV-91823r1_rule | The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration.
SV-91825r2_rule | The SUSE operating system must provision temporary accounts with an expiration date of 72 hours.
SV-91827r3_rule | The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
SV-91829r2_rule | The SUSE operating system must not allow unattended or automatic logon via the graphical user interface (GUI).
SV-91831r2_rule | The SUSE operating system must display the date and time of the last successful account logon upon logon.
SV-91833r2_rule | There must be no .shosts files on the SUSE operating system.
SV-91835r2_rule | There must be no shosts.equiv files on the SUSE operating system.
SV-91837r2_rule | FIPS 140-2 mode must be enabled on the SUSE operating system.
SV-91839r4_rule | SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.
SV-91841r5_rule | SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user and maintenance modes.
SV-91843r3_rule | All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.
SV-91845r3_rule | The sticky bit must be set on all SUSE operating system world-writable directories.
SV-91847r4_rule | Advanced Intrusion Detection Environment (AIDE) must verify the baseline SUSE operating system configuration at least weekly.
SV-91849r3_rule | The SUSE operating system must notify the System Administrator (SA) when AIDE discovers anomalies in the operation of any security functions.
SV-91851r2_rule | The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs).
SV-91853r1_rule | The SUSE operating system file integrity tool must be configured to verify extended attributes.
SV-91855r1_rule | The SUSE operating system file integrity tool must be configured to protect the integrity of the audit tools.
SV-91857r2_rule | The SUSE operating system tool zypper must have gpgcheck enabled.
SV-91859r2_rule | The SUSE operating system must remove all outdated software components after updated versions have been installed.
SV-91861r2_rule | The SUSE operating system must disable the USB mass storage kernel module.
SV-91863r2_rule | The SUSE operating system must disable the file system automounter unless required.
SV-91865r3_rule | The SUSE operating system AppArmor tool must be configured to control whitelisted applications and user home directory access control.
SV-91867r4_rule | The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence.
SV-91869r1_rule | The SUSE operating system default permissions must be defined in such a way that all authenticated users can only read and modify their own files.
SV-91871r1_rule | The SUSE operating system must not have unnecessary accounts.
SV-91873r2_rule | The SUSE operating system must not have duplicate User IDs (UIDs) for interactive users.
SV-91875r2_rule | The SUSE operating system root account must be the only account having unrestricted access to the system.
SV-91877r1_rule | Temporary passwords for SUSE operating system logons must require an immediate change to a permanent password.
SV-91879r4_rule | If Network Security Services (NSS) is being used by the SUSE operating system, it must prohibit the use of cached authentications after one day.
SV-91881r3_rule | The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to prohibit the use of cached offline authentications after one day.
SV-91883r3_rule | All SUSE operating system files and directories must have a valid owner.
SV-91889r2_rule | All SUSE operating system files and directories must have a valid group owner.
SV-91893r1_rule | All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file.
SV-91895r1_rule | All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory.
SV-91899r1_rule | All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist.
SV-91903r3_rule | All SUSE operating system local interactive user home directories must have mode 0750 or less permissive.
SV-91907r2_rule | All SUSE operating system local interactive user home directories must be group-owned by the home directory owner's primary group.
SV-91911r2_rule | All SUSE operating system local initialization files must have mode 0740 or less permissive.
SV-91915r3_rule | All SUSE operating system local interactive user initialization files' executable search paths must contain only paths that resolve to the user's home directory.
SV-91921r1_rule | All SUSE operating system local initialization files must not execute world-writable programs.
SV-91925r2_rule | SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.
SV-91933r3_rule | SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.
SV-91937r2_rule | SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.
SV-91947r2_rule | SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.
SV-91949r2_rule | All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group.
SV-91953r2_rule | SUSE operating system kernel core dumps must be disabled unless needed.
SV-91957r3_rule | A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent).
SV-91961r2_rule | The SUSE operating system must use a separate file system for /var.
SV-91967r2_rule | The SUSE operating system must use a separate file system for the system audit data path.
SV-91969r1_rule | SUSE operating system commands and libraries must have the proper permissions to protect from unauthorized access.
SV-91971r1_rule | The SUSE operating system must prevent unauthorized users from accessing system error messages.
SV-91981r2_rule | The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.
SV-91983r3_rule | The SUSE operating system must have the auditing package installed.
SV-91985r1_rule | SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
SV-91987r3_rule | The SUSE operating system must allocate audit record storage capacity to store at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility.
SV-91989r2_rule | The SUSE operating system auditd service must notify the System Administrator (SA) and Information System Security Officer (ISSO) immediately when audit storage capacity is 75 percent full.
SV-91991r2_rule | The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must be alerted of a SUSE operating system audit processing failure event.
SV-91993r3_rule | The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure.
SV-91995r1_rule | The SUSE operating system audit system must take appropriate action when the audit storage volume is full.
SV-91997r2_rule | The audit-audispd-plugins package must be installed on the SUSE operating system.
SV-91999r2_rule | The SUSE operating system audit event multiplexor must be configured to use Kerberos.
SV-92001r1_rule | Audispd must off-load audit records onto a different system or media from the SUSE operating system being audited.
SV-92003r3_rule | The audit system must take appropriate action when the network cannot be used to off-load audit records.
SV-92005r1_rule | Audispd must take appropriate action when the SUSE operating system audit storage is full.
SV-92007r2_rule | The SUSE operating system must protect audit rules from unauthorized modification.
SV-92009r2_rule | The SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access.
SV-92011r2_rule | The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
SV-92013r3_rule | The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
SV-92015r4_rule | The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
SV-92017r3_rule | The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
SV-92019r2_rule | The SUSE operating system must generate audit records for all uses of privileged functions.
SV-92021r3_rule | The SUSE operating system must generate audit records for all uses of the su command.
SV-92023r4_rule | The SUSE operating system must generate audit records for all uses of the sudo command.
SV-92027r3_rule | The SUSE operating system must generate audit records for all uses of the chfn command.
SV-92029r4_rule | The SUSE operating system must generate audit records for all uses of the mount command.
SV-92031r4_rule | The SUSE operating system must generate audit records for all uses of the umount command.
SV-92033r3_rule | The SUSE operating system must generate audit records for all uses of the ssh-agent command.
SV-92035r3_rule | The SUSE operating system must generate audit records for all uses of the ssh-keysign command.
SV-92043r2_rule | The SUSE operating system must generate audit records for all uses of the kmod command.
SV-92045r3_rule | The SUSE operating system must generate audit records for all uses of the setxattr command.
SV-92047r3_rule | The SUSE operating system must generate audit records for all uses of the fsetxattr command.
SV-92049r3_rule | The SUSE operating system must generate audit records for all uses of the removexattr command.
SV-92051r3_rule | The SUSE operating system must generate audit records for all uses of the lremovexattr command.
SV-92053r3_rule | The SUSE operating system must generate audit records for all uses of the fremovexattr command.
SV-92055r3_rule | The SUSE operating system must generate audit records for all uses of the chown command.
SV-92057r3_rule | The SUSE operating system must generate audit records for all uses of the fchown command.
SV-92059r3_rule | The SUSE operating system must generate audit records for all uses of the lchown command.
SV-92061r3_rule | The SUSE operating system must generate audit records for all uses of the fchownat command.
SV-92063r3_rule | The SUSE operating system must generate audit records for all uses of the chmod command.
SV-92065r3_rule | The SUSE operating system must generate audit records for all uses of the fchmod command.
SV-92067r3_rule | The SUSE operating system must generate audit records for all uses of the fchmodat command.
SV-92069r3_rule | The SUSE operating system must generate audit records for all uses of the open command.
SV-92071r3_rule | The SUSE operating system must generate audit records for all uses of the truncate command.
SV-92073r3_rule | The SUSE operating system must generate audit records for all uses of the ftruncate command.
SV-92075r3_rule | The SUSE operating system must generate audit records for all uses of the creat command.
SV-92077r3_rule | The SUSE operating system must generate audit records for all uses of the openat command.
SV-92079r3_rule | The SUSE operating system must generate audit records for all uses of the open_by_handle_at command.
SV-92081r3_rule | The SUSE operating system must generate audit records for all uses of the passwd command.
SV-92083r3_rule | The SUSE operating system must generate audit records for all uses of the gpasswd command.
SV-92085r3_rule | The SUSE operating system must generate audit records for all uses of the newgrp command.
SV-92087r3_rule | The SUSE operating system must generate audit records for all uses of the chsh command.
SV-92089r2_rule | The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
SV-92091r3_rule | The SUSE operating system must generate audit records for all uses of the chmod command.
SV-92093r3_rule | The SUSE operating system must generate audit records for all uses of the setfacl command.
SV-92095r3_rule | The SUSE operating system must generate audit records for all uses of the chacl command.
SV-92097r3_rule | Successful/unsuccessful attempts to modify categories of information (e.g., classification levels) must generate audit records.
SV-92099r3_rule | The SUSE operating system must generate audit records for all uses of the rm command.
SV-92101r2_rule | The SUSE operating system must generate audit records for all modifications to the tallylog file.
SV-92103r2_rule | The SUSE operating system must generate audit records for all modifications to the lastlog file.
SV-92105r3_rule | The SUSE operating system must generate audit records for all uses of the passmass command.
SV-92107r3_rule | The SUSE operating system must generate audit records for all uses of the unix_chkpwd command.
SV-92109r3_rule | The SUSE operating system must generate audit records for all uses of the chage command.
SV-92111r3_rule | The SUSE operating system must generate audit records for all uses of the usermod command.
SV-92113r3_rule | The SUSE operating system must generate audit records for all uses of the crontab command.
SV-92115r3_rule | The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command.
SV-92117r3_rule | The SUSE operating system must generate audit records for all uses of the delete_module command.
SV-92119r3_rule | The SUSE operating system must generate audit records for all uses of the finit_module command.
SV-92121r3_rule | The SUSE operating system must generate audit records for all uses of the init_module command.
SV-92123r2_rule | The SUSE operating system must generate audit records for all modifications to the faillog file.
SV-92125r1_rule | The SUSE operating system must not have the telnet-server package installed.
SV-92127r4_rule | The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SFTP/FTP.
SV-92129r1_rule | The SUSE operating system file /etc/gdm/banner must contain the Standard Mandatory DoD Notice and Consent banner text.
SV-92131r1_rule | The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
SV-92133r3_rule | SuSEfirewall2 must protect against or limit the effects of Denial-of-Service (DoS) attacks on the SUSE operating system by implementing rate-limiting measures on impacted network interfaces.
SV-92135r4_rule | The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SSH.
SV-92137r2_rule | All networked SUSE operating systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
SV-92139r2_rule | The SUSE operating system must log SSH connection attempts and failures to the server.
SV-92143r1_rule | The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon.
SV-92145r2_rule | The SUSE operating system must deny direct logons to the root account using remote access via SSH.
SV-92147r2_rule | The SUSE operating system must not allow automatic logon via SSH.
SV-92151r2_rule | The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections.
SV-92153r2_rule | The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
SV-92155r1_rule | The SUSE operating system SSH daemon must be configured with a timeout interval.
SV-92157r1_rule | The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication.
SV-92159r2_rule | The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive.
SV-92161r2_rule | The SUSE operating system SSH daemon private host key files must have mode 0600 or less permissive.
SV-92163r2_rule | The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files.
SV-92165r3_rule | The SUSE operating system SSH daemon must use privilege separation.
SV-92167r3_rule | The SUSE operating system SSH daemon must not allow compression or must only allow compression after successful authentication.
SV-92169r1_rule | The SUSE operating system SSH daemon must encrypt forwarded remote X connections for interactive users.
SV-92171r2_rule | The SUSE operating system clock must, for networked systems, be synchronized to an authoritative DoD time source at least every 24 hours.
SV-92173r1_rule | The SUSE operating system must be configured to use Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
SV-92175r3_rule | The SUSE operating system must implement kptr_restrict to prevent the leaking of internal kernel addresses.
SV-92177r1_rule | Address space layout randomization (ASLR) must be implemented by the SUSE operating system to protect memory from unauthorized code execution.
SV-92179r1_rule | The SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly.
SV-92181r1_rule | The SUSE operating system must be configured to use TCP syncookies.
SV-92183r1_rule | The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
SV-92185r3_rule | The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
SV-92187r2_rule | The SUSE operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
SV-92189r4_rule | The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
SV-92191r5_rule | The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
SV-92193r4_rule | The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
SV-92195r4_rule | The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
SV-92197r3_rule | The SUSE operating system must not be performing packet forwarding unless the system is a router.
SV-92199r2_rule | The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented.
SV-92201r1_rule | The SUSE operating system wireless network adapters must be disabled unless approved and documented.
SV-92203r3_rule | The SUSE operating system must have the packages required for multifactor authentication installed.
SV-92205r3_rule | The SUSE operating system must implement certificate status checking for multifactor authentication.
SV-92207r3_rule | The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).
SV-92209r1_rule | The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
SV-96423r3_rule | Accounts on the SUSE operating system that are subject to three unsuccessful logon attempts within 15 minutes must be locked for the maximum configurable period.
SV-96499r2_rule | The SUSE operating system must not be configured to allow blank or null passwords.
SV-96515r1_rule | The SUSE operating system must immediately terminate all network connections associated with SSH traffic at the end of the session or after 10 minutes of inactivity.
SV-96517r1_rule | The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets.
SV-96519r1_rule | The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.
SV-102351r1_rule | The SUSE operating system must have a host-based intrusion detection tool installed.
SV-106365r1_rule | The SUSE operating system must not disable syscall auditing.
SV-108091r1_rule | The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces.
SV-108115r1_rule | The SUSE operating system must not allow unattended logon via SSH.
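Added example, not from the STIGQter page or the DISA benchmark: a shell check that compares a `sysctl -a` dump against the kernel parameters that rules SV-92175 (kptr_restrict), SV-92177 (ASLR), SV-92181 (TCP syncookies), SV-92183 through SV-92197 (IPv4 source routing, ICMP broadcast echoes, ICMP redirects, packet forwarding) and SV-96517/SV-96519 (the IPv6 counterparts) describe. The mapping from each rule title to a sysctl key and value is this example's assumption; confirm every pair against the benchmark's own check text before relying on it. The dump at the bottom is constructed and deliberately non-compliant.

```shell
#!/bin/bash
# Added example; not part of the STIGQter page or the DISA SLES 12 STIG.
# The key/value pairs are this example's reading of the rule titles
# (assumption): verify each against the STIG check text.

# Required parameters, one "key=value" per line.
REQUIRED_SYSCTL='net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.ip_forward=0
net.ipv4.tcp_syncookies=1
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_redirects=0
kernel.kptr_restrict=1
kernel.randomize_va_space=2'

# check_sysctl_text DUMP
#   DUMP is text in the "key = value" form printed by `sysctl -a`.
#   Prints one "FAIL key expected=E actual=A" line per deviation (A is
#   "unset" when the key is absent from the dump) and returns 1;
#   returns 0 when every required parameter matches.
check_sysctl_text() {
    local dump="$1" rc=0 line key want got
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        key=${line%%=*}
        want=${line#*=}
        # Last occurrence of a key wins, as when sysctl applies a config file.
        got=$(printf '%s\n' "$dump" |
              awk -v k="$key" -F'[ \t]*=[ \t]*' '$1 == k { v = $2 } END { print (v == "" ? "unset" : v) }')
        if [ "$got" != "$want" ]; then
            printf 'FAIL %s expected=%s actual=%s\n' "$key" "$want" "$got"
            rc=1
        fi
    done <<EOF
$REQUIRED_SYSCTL
EOF
    return "$rc"
}

# Constructed sample dump: this host still forwards packets and has no
# value at all for net.ipv4.conf.all.accept_redirects.
SAMPLE_DUMP='net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_redirects = 0
kernel.kptr_restrict = 1
kernel.randomize_va_space = 2
kernel.ostype = Linux'

# Run against the constructed sample. On a real host, pass the live dump:
#   check_sysctl_text "$(sysctl -a 2>/dev/null)"
if check_sysctl_text "$SAMPLE_DUMP"; then
    echo "all required kernel parameters are compliant"
else
    echo "non-compliant kernel parameters listed above"
fi
```

Checking the running kernel is only half the job: a value set with `sysctl -w` does not survive a reboot, so the same comparison should also be run over the merged contents of /etc/sysctl.conf and /etc/sysctl.d/*.conf, where the last definition of a key wins.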
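Added example, not from the STIGQter page or the DISA benchmark: a shell check that parses audit rules (a file under /etc/audit/rules.d/ or the output of `auditctl -l`) and reports which of the syscalls named in rules SV-92045 through SV-92079 (setxattr, fsetxattr, removexattr, lremovexattr, fremovexattr, chown, fchown, lchown, fchownat, chmod, fchmod, fchmodat, open, truncate, ftruncate, creat, openat, open_by_handle_at) and SV-92117 through SV-92121 (delete_module, finit_module, init_module) have no `-a always,exit` rule for the b32 or the b64 ABI. The syscall names come from the rule titles; requiring both ABIs is this example's assumption for x86_64 hosts, where a 32-bit binary bypasses a b64-only rule. The sample rules are constructed, with the 32-bit module-loading rule deliberately left out.

```shell
#!/bin/bash
# Added example; not part of the STIGQter page or the DISA SLES 12 STIG.
# Reports required syscalls that no "-a always,exit -F arch=<abi> -S ..."
# rule covers. Both ABIs are required here by assumption (x86_64 host).

REQUIRED_SYSCALLS='chown fchown lchown fchownat chmod fchmod fchmodat setxattr fsetxattr removexattr lremovexattr fremovexattr open openat open_by_handle_at creat truncate ftruncate init_module finit_module delete_module'

# audit_syscall_gaps RULES
#   RULES is audit rule text, one rule per line. Prints
#   "MISSING <arch> <syscall>" for every uncovered pair and returns 1;
#   returns 0 when every required syscall is covered for both ABIs.
#   A rule with "-S all" covers every syscall for its ABI.
audit_syscall_gaps() {
    local rules="$1" out
    out=$(printf '%s\n' "$rules" | awk -v req="$REQUIRED_SYSCALLS" '
        BEGIN { n = split(req, want, " ") }
        /^-a[ \t]/ {
            # Determine the ABI this rule applies to; skip rules without -F arch=.
            arch = ""
            for (i = 1; i < NF; i++)
                if ($i == "-F" && $(i + 1) ~ /^arch=/) arch = substr($(i + 1), 6)
            if (arch == "") next
            # Each -S token carries a comma-separated syscall list.
            for (i = 1; i < NF; i++)
                if ($i == "-S") {
                    m = split($(i + 1), sc, ",")
                    for (j = 1; j <= m; j++) seen[arch ":" sc[j]] = 1
                }
        }
        END {
            for (i = 1; i <= n; i++) {
                if (!((("b32:" want[i]) in seen) || ("b32:all" in seen))) print "MISSING b32 " want[i]
                if (!((("b64:" want[i]) in seen) || ("b64:all" in seen))) print "MISSING b64 " want[i]
            }
        }')
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample rules: the module-loading syscalls are audited for
# b64 only, so a 32-bit caller of init_module would go unrecorded.
SAMPLE_RULES='-a always,exit -F arch=b32 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at,creat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at,creat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=4294967295 -k modules
-w /usr/bin/kmod -p x -F auid!=4294967295 -k modules'

# Run against the constructed sample. On a real host:
#   audit_syscall_gaps "$(auditctl -l)"
if audit_syscall_gaps "$SAMPLE_RULES"; then
    echo "all required syscalls are audited on both ABIs"
else
    echo "audit rule gaps listed above"
fi
```

The check only proves that a rule naming each syscall is loaded; it says nothing about the rule's filters, so a rule restricted with `-F exit=-EPERM` still counts as coverage even though it records only refused calls. Compare the loaded rules (`auditctl -l`) with the rules.d files as well, since a rule that fails to load at boot is silently absent from the running set.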