Product:
BigFix Compliance
Title:
Updated CIS Checklist for SUSE Linux 15
Security Benchmark:
CIS Checklist for SUSE Linux 15 Benchmark, v2.0.1
Published Sites:
CIS Checklist for SUSE Linux 15, site version 9
(The site version is provided for air-gap customers.)
Details:
Total New Fixlets: 100
Total Updated Fixlets: 22
Total Deleted Fixlets: 0
Total Fixlets in Site: 276
New Items:
Ensure nosuid option set on /home partition
Ensure nodev option set on /var partition
Ensure nosuid option set on /var partition
Ensure nodev option set on /var/log partition
Ensure nosuid option set on /var/log partition
Ensure noexec option set on /var/log partition
Ensure nodev option set on /var/log/audit partition
Ensure nosuid option set on /var/log/audit partition
Ensure noexec option set on /var/log/audit partition
Ensure repo gpgcheck is globally activated
Ensure crypto-policies-scripts package is installed
Ensure system wide crypto policy is not set to legacy
Ensure system wide crypto policy is not set in sshd configuration
Ensure system wide crypto policy disables sha1 hash and signature support
Ensure system wide crypto policy disables macs less than 128 bits
Ensure system wide crypto policy disables cbc for ssh
Ensure system wide crypto policy disables chacha20-poly1305 for ssh
Ensure GDM login banner is configured
Ensure GDM disable-user-list option is enabled
Ensure GDM screen locks when the user is idle
Ensure GDM automatic mounting of removable media is disabled
Ensure GDM disabling automatic mounting of removable media is not overridden
Ensure GDM autorun-never is enabled
Ensure GDM autorun-never is not overridden
Ensure XDMCP is not enabled
Ensure dns server services are not in use
Ensure dnsmasq services are not in use
Ensure message access server services are not in use
Ensure tftp server services are not in use
Ensure ftp client is not installed
Ensure tftp client is not installed
Ensure systemd-timesyncd configured with authorized timeserver
Ensure systemd-timesyncd is enabled and running
Ensure chrony is enabled and running
Ensure IPv6 status is identified
Ensure bluetooth services are not in use
Ensure rds kernel module is not available
Ensure sctp kernel module is not available
Ensure a single firewall configuration utility is in use
Ensure sshd Banner is configured
Ensure sshd DisableForwarding is enabled
Ensure sshd GSSAPIAuthentication is disabled
Ensure users must provide password for escalation
Ensure re-authentication for privilege escalation is not disabled globally
Ensure sudo authentication timeout is configured correctly
Ensure latest version of pam is installed
Ensure password failed attempts lockout is configured
Ensure password failed attempts lockout includes root account
Ensure password dictionary check is enabled
Ensure password number of changed characters is configured
Ensure password length is configured
Ensure password complexity is configured
Ensure password same consecutive characters is configured
Ensure password maximum sequential characters is configured
Ensure password quality is enforced for the root user
Ensure password history remember is configured
Ensure password history is enforced for the root user
Ensure pam pwhistory includes use authtok
Ensure pam unix does not include nullok
Ensure pam unix does not include remember
Ensure pam unix includes a strong password hashing algorithm
Ensure pam unix includes use authtok
Ensure group root is the only GID 0 group
Ensure root account access is controlled
Ensure root user umask is configured
Ensure accounts without a valid login shell are locked
Ensure nologin is not listed in /etc/shells
Ensure cryptographic mechanisms are used to protect the integrity of audit tools
Ensure journald service is enabled and active
Ensure journald log file rotation is configured
Ensure only one logging system is in use
Ensure systemd-journal-remote is installed
Ensure systemd-journal-upload authentication is configured
Ensure systemd-journal-upload is enabled and active
Ensure systemd-journal-remote service is not in use
Ensure rsyslog is not configured to receive logs from a remote client
Ensure access to all logfiles has been configured
Ensure actions as another user are always logged
Ensure events that modify the sudo log file are collected
Ensure successful and unsuccessful attempts to use the chcon command are collected
Ensure successful and unsuccessful attempts to use the setfacl command are collected
Ensure successful and unsuccessful attempts to use the chacl command are collected
Ensure successful and unsuccessful attempts to use the usermod command are collected
Ensure kernel module loading unloading and modification is collected
Ensure the running and on disk configuration is the same
Ensure the audit log file directory mode is configured
Ensure audit log files mode is configured
Ensure audit log files owner is configured
Ensure audit log files group owner is configured
Ensure audit configuration files mode is configured
Ensure audit configuration files owner is configured
Ensure audit configuration files group owner is configured
Ensure audit tools mode is configured
Ensure audit tools owner is configured
Ensure audit tools group owner is configured
Ensure access to /etc/gshadow is configured
Ensure access to /etc/gshadow- is configured
Ensure access to /etc/shells is configured
Ensure access to /etc/security/opasswd is configured
Ensure local interactive user home directories are configured
Modified Items:
Ensure cramfs kernel module is not available
Ensure freevxfs kernel module is not available
Ensure hfs kernel module is not available
Ensure hfsplus kernel module is not available
Ensure jffs2 kernel module is not available
Ensure squashfs kernel module is not available
Ensure udf kernel module is not available
Ensure ldap server services are not in use
Ensure rsync services are not in use
Ensure X window server services are not in use
Ensure ldap client is not installed
Ensure a single time synchronization daemon is in use
Ensure dccp kernel module is not available
Ensure tipc kernel module is not available
Ensure sshd PermitUserEnvironment is disabled
Ensure root is the only UID 0 account
Ensure audit tools group owner is configured
Ensure access to /etc/shadow is configured
Ensure access to /etc/shadow- is configured
Ensure no duplicate UIDs exist
Ensure no duplicate user names exist
Ensure local interactive user home directories are configured
Additional details:
● Both analysis and remediation checks are included
● Some of the checks allow you to use the parameterized setting to enable customization for compliance evaluation. Note that parameterization and remediation actions require the creation of a custom site.
A few checks have been improved by adding the pending restart feature to them. The pending restart feature works in the following ways:
● The action results show “Pending Restart” instead of “Fixed” for those checks that require an OS reboot.
● The check remains relevant for those endpoints until they are rebooted.
● After the endpoint reboots, the action results show as “Fixed” and the check becomes compliant.
Actions to take:
● To subscribe to the above site, you can use the License Overview Dashboard to enable and gather the site. Note that you must be entitled to the BigFix Compliance product and you must be using BigFix version 9.5 or later.
● If you use custom sites, update your custom sites accordingly to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see Using the Synchronize Custom Checks wizard.
More information:
To learn more about the BigFix Compliance SCM checklists, please see the following resources:
● BigFix Forum:
This category is used by HCL to announce new releases for BigFix Compliance.
● BigFix Compliance SCM Checklists:
We hope you find this latest release of SCM content useful and effective.
Thank you!
– The BigFix Compliance team