Product:
BigFix Compliance
Title:
Updated CIS Checklist for SUSE Linux 12
Security Benchmark:
CIS Checklist for SUSE Linux 12 Benchmark, v3.2.1
Published Sites:
CIS Checklist for SUSE Linux 12, site version 9
(The site version is provided for air-gap customers.)
Details:
Total New Fixlets: 0
Total Updated Fixlets: 36
Total Deleted Fixlets: 0
Total Fixlets in Site: 202
UPDATED:
Ensure SSH access is limited
Ensure SSH LogLevel is appropriate
Ensure SSH X11 forwarding is disabled
Ensure SSH MaxAuthTries is set to 4 or less
Ensure SSH IgnoreRhosts is enabled
Ensure SSH HostbasedAuthentication is disabled
Ensure SSH root login is disabled
Ensure SSH PermitEmptyPasswords is disabled
Ensure SSH PermitUserEnvironment is disabled
Ensure only strong Ciphers are used
Ensure only strong MAC algorithms are used
Ensure only strong Key Exchange algorithms are used
Ensure SSH Idle Timeout Interval is configured
Ensure SSH LoginGraceTime is set to one minute or less
Ensure SSH warning banner is configured
Ensure SSH PAM is enabled
Ensure SSH AllowTcpForwarding is disabled
Ensure SSH MaxStartups is configured
Ensure SSH MaxSessions is limited
Ensure address space layout randomization (ASLR) is enabled
Disable IPv6
Ensure wireless interfaces are disabled
Ensure IP forwarding is disabled
Ensure packet redirect sending is disabled
Ensure source routed packets are not accepted
Ensure ICMP redirects are not accepted
Ensure secure ICMP redirects are not accepted
Ensure suspicious packets are logged
Ensure broadcast ICMP requests are ignored
Ensure bogus ICMP responses are ignored
Ensure Reverse Path Filtering is enabled
Ensure TCP SYN Cookies is enabled
Ensure IPv6 router advertisements are not accepted
Ensure permissions on /etc/ssh/sshd_config are configured
Ensure permissions on SSH private host key files are configured
Ensure permissions on SSH public host key files are configured
Additional details:
● Both analysis and remediation checks are included
● Some of the checks allow you to use the parameterized setting to enable customization for compliance evaluation. Note that parameterization and remediation actions require the creation of a custom site.
Improved few checks by adding the pending restart feature to them. The pending restart feature works in the following ways:
● The action results will show “Pending Restart” instead of “Fixed” for those checks which requires OS reboot.
● The check will show relevant for those endpoints until they are rebooted.
● Post reboot of the endpoint the action results will show as “Fixed” and the check will be compliant.
Actions to take:
● To subscribe to the above site, you can use the License Overview Dashboard to enable and gather the site. Note that you must be entitled to the BigFix Compliance product and you must be using BigFix version 10 and later.
● If you use custom sites, update your custom sites accordingly to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see Using the Synchronize Custom Checks wizard
More information:
To know more about the BigFix Compliance SCM checklists, please see the following resources:
● BigFix Forum:
Compliance (Release Announcements)
This category is used by HCL to announce new releases for BigFix Compliance.
● BigFix Compliance SCM Checklists:
Welcome to Wikis
We hope you find this latest release of SCM content useful and effective.
Thank you!
– The BigFix Compliance team