SUSE Linux Enterprise 12 STIG V2R11

View as one page
STIG ID Title
SLES-12-010000 The SUSE operating system must be a vendor-supported release.
SLES-12-010010 Vendor-packaged SUSE operating system security patches and updates must be installed and up to date.
SLES-12-010020 The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface.
SLES-12-010030 The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via local console.
SLES-12-010040 The SUSE operating system must display a banner before granting local or remote access to the system via a graphical user logon.
SLES-12-010050 The SUSE operating system must display the approved Standard Mandatory DoD Notice before granting local or remote access to the system via a graphical user logon.
SLES-12-010060 The SUSE operating system must be able to lock the graphical user interface (GUI).
SLES-12-010070 The SUSE operating system must utilize vlock to allow for session locking.
SLES-12-010080 The SUSE operating system must initiate a session lock after a 15-minute period of inactivity for the graphical user interface.
SLES-12-010090 The SUSE operating system must initiate a session lock after a 15-minute period of inactivity.
SLES-12-010100 The SUSE operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image in the graphical user interface.
SLES-12-010110 The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges.
SLES-12-010120 The SUSE operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
SLES-12-010130 The SUSE operating system must lock an account after three consecutive invalid access attempts.
SLES-12-010140 The SUSE operating system must enforce a delay of at least four (4) seconds between logon prompts following a failed logon attempt.
SLES-12-010150 The SUSE operating system must enforce passwords that contain at least one upper-case character.
SLES-12-010160 The SUSE operating system must enforce passwords that contain at least one lower-case character.
SLES-12-010170 The SUSE operating system must enforce passwords that contain at least one numeric character.
SLES-12-010180 The SUSE operating system must enforce passwords that contain at least one special character.
SLES-12-010190 The SUSE operating system must require the change of at least eight (8) of the total number of characters when passwords are changed.
SLES-12-010210 The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs).
SLES-12-010220 The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.
SLES-12-010230 The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.
SLES-12-010231 The SUSE operating system must not be configured to allow blank or null passwords.
SLES-12-010240 The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.
SLES-12-010250 The SUSE operating system must employ passwords with a minimum of 15 characters.
SLES-12-010260 The SUSE operating system must be configured to create or update passwords with a minimum lifetime of 24 hours (one day).
SLES-12-010270 The SUSE operating system must employ user passwords with a minimum lifetime of 24 hours (one day).
SLES-12-010280 The SUSE operating system must be configured to create or update passwords with a maximum lifetime of 60 days.
SLES-12-010290 The SUSE operating system must employ user passwords with a maximum lifetime of 60 days.
SLES-12-010300 The SUSE operating system must employ a password history file.
SLES-12-010310 The SUSE operating system must not allow passwords to be reused for a minimum of five (5) generations.
SLES-12-010320 The SUSE operating system must prevent the use of dictionary words for passwords.
SLES-12-010330 The SUSE operating system must never automatically remove or disable emergency administrator accounts.
SLES-12-010340 The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration.
SLES-12-010360 The SUSE operating system must provision temporary accounts with an expiration date for 72 hours.
SLES-12-010370 The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
SLES-12-010380 The SUSE operating system must not allow unattended or automatic logon via the graphical user interface.
SLES-12-010390 The SUSE operating system must display the date and time of the last successful account logon upon logon.
SLES-12-010400 There must be no .shosts files on the SUSE operating system.
SLES-12-010410 There must be no shosts.equiv files on the SUSE operating system.
SLES-12-010420 FIPS 140-2 mode must be enabled on the SUSE operating system.
SLES-12-010430 SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.
SLES-12-010440 SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.
SLES-12-010450 All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
SLES-12-010460 The sticky bit must be set on all SUSE operating system world-writable directories.
SLES-12-010500 Advanced Intrusion Detection Environment (AIDE) must verify the baseline SUSE operating system configuration at least weekly.
SLES-12-010510 The SUSE operating system must notify the System Administrator (SA) when AIDE discovers anomalies in the operation of any security functions.
SLES-12-010520 The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs).
SLES-12-010530 The SUSE operating system file integrity tool must be configured to verify extended attributes.
SLES-12-010540 The SUSE operating system file integrity tool must be configured to protect the integrity of the audit tools.
SLES-12-010550 The SUSE operating system tool zypper must have gpgcheck enabled.
SLES-12-010570 The SUSE operating system must remove all outdated software components after updated versions have been installed.
SLES-12-010580 The SUSE operating system must disable the USB mass storage kernel module.
SLES-12-010590 The SUSE operating system must disable the file system automounter unless required.
SLES-12-010600 The SUSE operating system Apparmor tool must be configured to control whitelisted applications and user home directory access control.
SLES-12-010610 The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence.
SLES-12-010611 The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces.
SLES-12-010620 The SUSE operating system default permissions must be defined in such a way that all authenticated users can only read and modify their own files.
SLES-12-010630 The SUSE operating system must not have unnecessary accounts.
SLES-12-010640 The SUSE operating system must not have duplicate User IDs (UIDs) for interactive users.
SLES-12-010650 The SUSE operating system root account must be the only account having unrestricted access to the system.
SLES-12-010670 If Network Security Services (NSS) is being used by the SUSE operating system it must prohibit the use of cached authentications after one day.
SLES-12-010680 The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to prohibit the use of cached offline authentications after one day.
SLES-12-010690 All SUSE operating system files and directories must have a valid owner.
SLES-12-010700 All SUSE operating system files and directories must have a valid group owner.
SLES-12-010710 All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file.
SLES-12-010720 All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory.
SLES-12-010730 All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist.
SLES-12-010740 All SUSE operating system local interactive user home directories must have mode 0750 or less permissive.
SLES-12-010750 All SUSE operating system local interactive user home directories must be group-owned by the home directory owners primary group.
SLES-12-010760 All SUSE operating system local initialization files must have mode 0740 or less permissive.
SLES-12-010770 All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory.
SLES-12-010780 All SUSE operating system local initialization files must not execute world-writable programs.
SLES-12-010790 SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.
SLES-12-010800 SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.
SLES-12-010810 SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.
SLES-12-010820 SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.
SLES-12-010830 All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group.
SLES-12-010840 SUSE operating system kernel core dumps must be disabled unless needed.
SLES-12-010850 A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent).
SLES-12-010860 The SUSE operating system must use a separate file system for /var.
SLES-12-010870 The SUSE operating system must use a separate file system for the system audit data path.
SLES-12-010890 The SUSE operating system must prevent unauthorized users from accessing system error messages.
SLES-12-010910 The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.
SLES-12-020000 The SUSE operating system must have the auditing package installed.
SLES-12-020010 SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
SLES-12-020020 The SUSE operating system must allocate audit record storage capacity to store at least one weeks worth of audit records when audit records are not immediately sent to a central audit record storage facility.
SLES-12-020030 The SUSE operating system auditd service must notify the System Administrator (SA) and Information System Security Officer (ISSO) immediately when audit storage capacity is 75 percent full.
SLES-12-020040 The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must be alerted of a SUSE operating system audit processing failure event.
SLES-12-020050 The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure.
SLES-12-020060 The SUSE operating system audit system must take appropriate action when the audit storage volume is full.
SLES-12-020070 The audit-audispd-plugins must be installed on the SUSE operating system.
SLES-12-020080 The SUSE operating system audit event multiplexor must be configured to use Kerberos.
SLES-12-020090 Audispd must off-load audit records onto a different system or media from the SUSE operating system being audited.
SLES-12-020100 The audit system must take appropriate action when the network cannot be used to off-load audit records.
SLES-12-020110 Audispd must take appropriate action when the SUSE operating system audit storage is full.
SLES-12-020120 The SUSE operating system must protect audit rules from unauthorized modification.
SLES-12-020130 The SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access.
SLES-12-020199 The SUSE operating system must not disable syscall auditing.
SLES-12-020200 The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
SLES-12-020210 The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
SLES-12-020220 The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
SLES-12-020230 The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
SLES-12-020240 The SUSE operating system must generate audit records for all uses of the privileged functions.
SLES-12-020250 The SUSE operating system must generate audit records for all uses of the su command.
SLES-12-020260 The SUSE operating system must generate audit records for all uses of the sudo command.
SLES-12-020280 The SUSE operating system must generate audit records for all uses of the chfn command.
SLES-12-020290 The SUSE operating system must generate audit records for all uses of the mount command.
SLES-12-020300 The SUSE operating system must generate audit records for all uses of the umount command.
SLES-12-020310 The SUSE operating system must generate audit records for all uses of the ssh-agent command.
SLES-12-020320 The SUSE operating system must generate audit records for all uses of the ssh-keysign command.
SLES-12-020360 The SUSE operating system must generate audit records for all uses of the kmod command.
SLES-12-020370 The SUSE operating system must generate audit records for all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr syscalls.
SLES-12-020420 The SUSE operating system must generate audit records for all uses of the chown, fchown, fchownat, and lchown syscalls.
SLES-12-020460 The SUSE operating system must generate audit records for all uses of the chmod, fchmod, and fchmodat system calls.
SLES-12-020490 The SUSE operating system must generate audit records for all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate syscalls.
SLES-12-020550 The SUSE operating system must generate audit records for all uses of the passwd command.
SLES-12-020560 The SUSE operating system must generate audit records for all uses of the gpasswd command.
SLES-12-020570 The SUSE operating system must generate audit records for all uses of the newgrp command.
SLES-12-020580 The SUSE operating system must generate audit records for a uses of the chsh command.
SLES-12-020590 The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
SLES-12-020600 The SUSE operating system must generate audit records for all uses of the chmod command.
SLES-12-020610 The SUSE operating system must generate audit records for all uses of the setfacl command.
SLES-12-020620 The SUSE operating system must generate audit records for all uses of the chacl command.
SLES-12-020630 Successful/unsuccessful attempts to modify categories of information (e.g., classification levels) must generate audit records.
SLES-12-020640 The SUSE operating system must generate audit records for all uses of the rm command.
SLES-12-020650 The SUSE operating system must generate audit records for all modifications to the tallylog file must generate an audit record.
SLES-12-020660 The SUSE operating system must generate audit records for all modifications to the lastlog file.
SLES-12-020670 The SUSE operating system must generate audit records for all uses of the passmass command.
SLES-12-020680 The SUSE operating system must generate audit records for all uses of the unix_chkpwd command.
SLES-12-020690 The SUSE operating system must generate audit records for all uses of the chage command.
SLES-12-020700 The SUSE operating system must generate audit records for all uses of the usermod command.
SLES-12-020710 The SUSE operating system must generate audit records for all uses of the crontab command.
SLES-12-020720 The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command.
SLES-12-020730 The SUSE operating system must generate audit records for all uses of the delete_module command.
SLES-12-020740 The SUSE operating system must generate audit records for all uses of the init_module and finit_module syscalls.
SLES-12-020760 The SUSE operating system must generate audit records for all modifications to the faillog file.
SLES-12-030000 The SUSE operating system must not have the telnet-server package installed.
SLES-12-030020 The SUSE operating system file /etc/gdm/banner must contain the Standard Mandatory DoD Notice and Consent banner text.
SLES-12-030030 The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
SLES-12-030040 SuSEfirewall2 must protect against or limit the effects of Denial-of-Service (DoS) attacks on the SUSE operating system by implementing rate-limiting measures on impacted network interfaces.
SLES-12-030050 The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SSH.
SLES-12-030100 All networked SUSE operating systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
SLES-12-030110 The SUSE operating system must log SSH connection attempts and failures to the server.
SLES-12-030130 The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon.
SLES-12-030140 The SUSE operating system must deny direct logons to the root account using remote access via SSH.
SLES-12-030150 The SUSE operating system must not allow automatic logon via SSH.
SLES-12-030151 The SUSE operating system must not allow users to override SSH environment variables.
SLES-12-030170 The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections.
SLES-12-030180 The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
SLES-12-030190 The SUSE operating system SSH daemon must be configured with a timeout interval.
SLES-12-030191 The SUSE operating system for all network connections associated with SSH traffic must immediately terminate at the end of the session or after 10 minutes of inactivity.
SLES-12-030200 The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication.
SLES-12-030210 The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive.
SLES-12-030220 The SUSE operating system SSH daemon private host key files must have mode 0640 or less permissive.
SLES-12-030230 The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files.
SLES-12-030240 The SUSE operating system SSH daemon must use privilege separation.
SLES-12-030250 The SUSE operating system SSH daemon must not allow compression or must only allow compression after successful authentication.
SLES-12-030260 The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements.
SLES-12-030300 The SUSE operating system clock must, for networked systems, be synchronized to an authoritative DoD time source at least every 24 hours.
SLES-12-030310 The SUSE operating system must be configured to use Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
SLES-12-030320 The SUSE operating system must implement kptr-restrict to prevent the leaking of internal kernel addresses.
SLES-12-030330 Address space layout randomization (ASLR) must be implemented by the SUSE operating system to protect memory from unauthorized code execution.
SLES-12-030340 The SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly.
SLES-12-030350 The SUSE operating system must be configured to use TCP syncookies.
SLES-12-030360 The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
SLES-12-030361 The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets.
SLES-12-030370 The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
SLES-12-030380 The SUSE operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
SLES-12-030390 The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
SLES-12-030400 The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
SLES-12-030401 The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.
SLES-12-030410 The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
SLES-12-030420 The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
SLES-12-030430 The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.
SLES-12-030440 The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented.
SLES-12-030450 The SUSE operating system wireless network adapters must be disabled unless approved and documented.
SLES-12-030500 The SUSE operating system must have the packages required for multifactor authentication to be installed.
SLES-12-030510 The SUSE operating system must implement certificate status checking for multifactor authentication.
SLES-12-030520 The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).
SLES-12-030530 The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
SLES-12-010599 The SUSE operating system must implement the Endpoint Security for Linux Threat Prevention tool.
SLES-12-030611 The SUSE operating system must use a virus scan program.
SLES-12-030261 The SUSE operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
SLES-12-010111 The SUSE operating system must restrict privilege elevation to authorized personnel.
SLES-12-010112 The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo".
SLES-12-010113 The SUSE operating system must require re-authentication when using the "sudo" command.
SLES-12-010631 The SUSE operating system must not have unnecessary account capabilities.
SLES-12-010871 The SUSE operating system library files must have mode 0755 or less permissive.
SLES-12-010872 The SUSE operating system library directories must have mode 0755 or less permissive.
SLES-12-010873 The SUSE operating system library files must be owned by root.
SLES-12-010874 The SUSE operating system library directories must be owned by root.
SLES-12-010875 The SUSE operating system library files must be group-owned by root.
SLES-12-010876 The SUSE operating system library directories must be group-owned by root.
SLES-12-010877 The SUSE operating system must have system commands set to a mode of 755 or less permissive.
SLES-12-010878 The SUSE operating system must have directories that contain system commands set to a mode of 0755 or less permissive.
SLES-12-010879 The SUSE operating system must have system commands owned by root.
SLES-12-010881 The SUSE operating system must have directories that contain system commands owned by root.
SLES-12-010882 The SUSE operating system must have system commands group-owned by root or a system account.
SLES-12-010883 The SUSE operating system must have directories that contain system commands group-owned by root.
SLES-12-030011 The SUSE operating system must not have the vsftpd package installed if not required for operational support.
SLES-12-030362 The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.
SLES-12-030363 The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
SLES-12-030364 The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.
SLES-12-030365 The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router.
SLES-12-010109 The SUSE operating system must specify the default "include" directory for the /etc/sudoers file.
SLES-12-010114 The SUSE operating system must not be configured to bypass password requirements for privilege escalation.
SLES-12-010221 The SUSE operating system must not have accounts configured with blank or null passwords.
SLES-12-020411 The SUSE operating system must generate audit records for all uses of the unlink, unlinkat, rename, renameat and rmdir syscalls.
SLES-12-030270 The SUSE operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.
SLES-12-010375 The SUSE operating system must restrict access to the kernel message buffer.
SLES-12-010499 The SUSE operating system must use a file integrity tool to verify correct operation of all security functions.
SLES-12-010331 The SUSE operating system must automatically expire temporary accounts within 72 hours.
SLES-12-010498 The SUSE operating system must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.