CIS SUSE Linux Enterprise 15 Server L1 v1.1.1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS SUSE Linux Enterprise 15 Server L1 v1.1.1

Updated: 2/18/2025

Authority: CIS

Plugin: Unix

Revision: 1.32

Estimated Item Count: 196

File Details

Filename: CIS_SUSE_Linux_Enterprise_15_Server_v1.1.1_L1.audit

Size: 522 kB

MD5: f425e77aa204c3cae98bb8260b4a7d83

SHA256: c294ee315b41867fe335d29e99e30fd0d064d88fd01af2ff87847f41bdfcce7a

Audit Changelog


Revision 1.32 Feb 18, 2025 Miscellaneous Audit deprecated. Metadata updated. References updated.
Revision 1.31 Jan 6, 2025 Informational Update 1.1.2 Ensure /tmp is configured 5.4.1.1 Ensure password hashing algorithm is SHA-512 5.4.2 Ensure system accounts are secured Miscellaneous Metadata updated.
Revision 1.30 Nov 6, 2024 Functional Update 1.1.22 Ensure sticky bit is set on all world-writable directories 6.1.10 Ensure no ungrouped files or directories exist 6.1.11 Audit SUID executables 6.1.12 Audit SGID executables 6.1.8 Ensure no world writable files exist 6.1.9 Ensure no unowned files or directories exist
Revision 1.29 Aug 26, 2024 Functional Update 5.4.4 Ensure default user shell timeout is configured Miscellaneous References updated.
Revision 1.28 Jul 19, 2024 Functional Update 5.4.2 Ensure system accounts are secured
Revision 1.27 Jun 17, 2024 Miscellaneous Metadata updated.
Revision 1.26 Jun 14, 2024 Functional Update 1.2.1 Ensure GPG keys are configured 1.2.2 Ensure package manager repositories are configured 1.8.1.2 Ensure local login warning banner is configured properly 1.8.1.3 Ensure remote login warning banner is configured properly 2.2.16 Ensure mail transfer agent is configured for local-only mode 3.5.3.2.4 Ensure firewall rules exist for all open ports 4.2.1.3 Ensure rsyslog default file permissions configured 4.2.2.2 Ensure journald is configured to compress large log files 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk 6.2.4 Ensure root PATH Integrity
Revision 1.25 Jun 6, 2024 Functional Update 1.1.1.2 Ensure mounting of udf filesystems is disabled 1.1.12 Ensure noexec option set on /var/tmp partition 1.1.13 Ensure nodev option set on /var/tmp partition 1.1.14 Ensure nosuid option set on /var/tmp partition 1.1.18 Ensure nodev option set on /home partition 1.1.19 Ensure noexec option set on removable media partitions 1.1.2 Ensure /tmp is configured 1.1.20 Ensure nodev option set on removable media partitions 1.1.21 Ensure nosuid option set on removable media partitions 1.1.22 Ensure sticky bit is set on all world-writable directories 1.1.23 Disable Automounting 1.1.3 Ensure noexec option set on /tmp partition 1.1.4 Ensure nodev option set on /tmp partition 1.1.5 Ensure nosuid option set on /tmp partition 1.1.7 Ensure noexec option set on /dev/shm partition 1.1.8 Ensure nodev option set on /dev/shm partition 1.1.9 Ensure nosuid option set on /dev/shm partition 1.2.1 Ensure GPG keys are configured 1.2.2 Ensure package manager repositories are configured 1.2.3 Ensure gpgcheck is globally activated 1.3.1 Ensure sudo is installed 1.3.2 Ensure sudo commands use pty 1.3.3 Ensure sudo log file exists 1.4.1 Ensure AIDE is installed 1.5.2 Ensure permissions on bootloader config are configured 1.6.2 Ensure XD/NX support is enabled 1.6.4 Ensure prelink is disabled 1.8.1.4 Ensure permissions on /etc/motd are configured 1.8.1.5 Ensure permissions on /etc/issue are configured 1.8.1.6 Ensure permissions on /etc/issue.net are configured 1.9 Ensure updates, patches, and additional security software are installed 2.1.1 Ensure xinetd is not installed 2.2.1.1 Ensure time synchronization is in use 2.2.1.2 Ensure systemd-timesyncd is configured 2.2.10 Ensure FTP Server is not installed 2.2.11 Ensure HTTP server is not installed 2.2.12 Ensure IMAP and POP3 server is not installed 2.2.13 Ensure Samba is not installed 2.2.14 Ensure HTTP Proxy Server is not installed 2.2.15 Ensure net-snmp is not installed 2.2.16 Ensure mail transfer agent is configured for local-only mode 2.2.17 Ensure rsync is not installed or the rsyncd service is masked 2.2.18 Ensure NIS server is not installed 2.2.19 Ensure telnet-server is not installed 2.2.2 Ensure X11 Server components are not installed 2.2.4 Ensure CUPS is not installed 2.2.5 Ensure DHCP Server is not installed 2.2.6 Ensure LDAP server is not installed 2.2.9 Ensure DNS Server is not installed 2.3.1 Ensure NIS Client is not installed 2.3.2 Ensure rsh client is not installed 2.3.3 Ensure talk client is not installed 2.3.4 Ensure telnet client is not installed 2.3.5 Ensure LDAP client is not installed 3.5.1.4 Ensure default zone is set 3.5.1.5 Ensure network interfaces are assigned to appropriate zone 3.5.1.6 Ensure unnecessary services and ports are not accepted 3.5.2.1 Ensure nftables is installed 3.5.2.10 Ensure nftables rules are permanent 3.5.2.3 Ensure iptables are flushed 3.5.2.4 Ensure a table exists 3.5.2.9 Ensure nftables service is enabled 3.5.3.1.1 Ensure iptables package is installed 3.5.3.1.2 Ensure nftables is not installed 3.5.3.2.1 Ensure default deny firewall policy 3.5.3.2.3 Ensure outbound and established connections are configured 3.5.3.2.4 Ensure firewall rules exist for all open ports 3.5.3.3.1 Ensure IPv6 default deny firewall policy 3.5.3.3.3 Ensure IPv6 outbound and established connections are configured 3.5.3.3.4 Ensure IPv6 firewall rules exist for all open ports 4.2.1.1 Ensure rsyslog is installed 4.2.1.4 Ensure logging is configured 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host 4.2.2.1 Ensure journald is configured to send logs to rsyslog 4.2.2.2 Ensure journald is configured to compress large log files 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk 4.2.3 Ensure permissions on all logfiles are configured 5.1.2 Ensure permissions on /etc/crontab are configured 5.1.3 Ensure permissions on /etc/cron.hourly are configured 5.1.4 Ensure permissions on /etc/cron.daily are configured 5.1.5 Ensure permissions on /etc/cron.weekly are configured 5.1.6 Ensure permissions on /etc/cron.monthly are configured 5.1.7 Ensure permissions on /etc/cron.d are configured 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured 5.2.10 Ensure SSH root login is disabled 5.2.11 Ensure SSH PermitEmptyPasswords is disabled 5.2.12 Ensure SSH PermitUserEnvironment is disabled 5.2.13 Ensure only strong Ciphers are used 5.2.14 Ensure only strong MAC algorithms are used 5.2.15 Ensure only strong Key Exchange algorithms are used 5.2.17 Ensure SSH LoginGraceTime is set to one minute or less 5.2.18 Ensure SSH warning banner is configured 5.2.19 Ensure SSH PAM is enabled 5.2.2 Ensure permissions on SSH private host key files are configured 5.2.21 Ensure SSH MaxStartups is configured 5.2.22 Ensure SSH MaxSessions is limited 5.2.3 Ensure permissions on SSH public host key files are configured 5.2.4 Ensure SSH access is limited 5.2.5 Ensure SSH LogLevel is appropriate 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less 5.2.8 Ensure SSH IgnoreRhosts is enabled 5.2.9 Ensure SSH HostbasedAuthentication is disabled 5.3.3 Ensure password reuse is limited 5.4.1.1 Ensure password hashing algorithm is SHA-512 5.4.1.6 Ensure all users last password change date is in the past 5.4.3 Ensure default group for the root account is GID 0 5.4.4 Ensure default user shell timeout is configured 5.5 Ensure root login is restricted to system console 5.6 Ensure access to the su command is restricted 6.1.10 Ensure no ungrouped files or directories exist 6.1.11 Audit SUID executables 6.1.12 Audit SGID executables 6.1.2 Ensure permissions on /etc/passwd are configured 6.1.4 Ensure permissions on /etc/group are configured 6.1.5 Ensure permissions on /etc/passwd- are configured 6.1.7 Ensure permissions on /etc/group- are configured 6.1.8 Ensure no world writable files exist 6.1.9 Ensure no unowned files or directories exist 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords 6.2.10 Ensure no users have .netrc files 6.2.11 Ensure users' .netrc Files are not group or world accessible 6.2.12 Ensure no users have .rhosts files 6.2.13 Ensure all groups in /etc/passwd exist in /etc/group 6.2.14 Ensure no duplicate UIDs exist 6.2.15 Ensure no duplicate GIDs exist 6.2.16 Ensure no duplicate user names exist 6.2.17 Ensure no duplicate group names exist 6.2.18 Ensure shadow group is empty 6.2.2 Ensure /etc/shadow password fields are not empty 6.2.3 Ensure root is the only UID 0 account 6.2.4 Ensure root PATH Integrity 6.2.5 Ensure all users' home directories exist 6.2.6 Ensure users' home directories permissions are 750 or more restrictive 6.2.7 Ensure users own their home directories 6.2.8 Ensure users' dot files are not group or world writable 6.2.9 Ensure no users have .forward files Informational Update 1.1.1.2 Ensure mounting of udf filesystems is disabled 1.1.12 Ensure noexec option set on /var/tmp partition 1.1.13 Ensure nodev option set on /var/tmp partition 1.1.14 Ensure nosuid option set on /var/tmp partition 1.1.18 Ensure nodev option set on /home partition 1.1.19 Ensure noexec option set on removable media partitions 1.1.2 Ensure /tmp is configured 1.1.20 Ensure nodev option set on removable media partitions 1.1.21 Ensure nosuid option set on removable media partitions 1.1.22 Ensure sticky bit is set on all world-writable directories 1.1.23 Disable Automounting 1.1.3 Ensure noexec option set on /tmp partition 1.1.4 Ensure nodev option set on /tmp partition 1.1.5 Ensure nosuid option set on /tmp partition 1.1.7 Ensure noexec option set on /dev/shm partition 1.1.8 Ensure nodev option set on /dev/shm partition 1.1.9 Ensure nosuid option set on /dev/shm partition 1.2.1 Ensure GPG keys are configured 1.2.2 Ensure package manager repositories are configured 1.2.3 Ensure gpgcheck is globally activated 1.3.1 Ensure sudo is installed 1.3.2 Ensure sudo commands use pty 1.3.3 Ensure sudo log file exists 1.4.1 Ensure AIDE is installed 1.5.2 Ensure permissions on bootloader config are configured 1.6.2 Ensure XD/NX support is enabled 1.6.4 Ensure prelink is disabled 1.8.1.4 Ensure permissions on /etc/motd are configured 1.8.1.5 Ensure permissions on /etc/issue are configured 1.8.1.6 Ensure permissions on /etc/issue.net are configured 1.9 Ensure updates, patches, and additional security software are installed 2.1.1 Ensure xinetd is not installed 2.2.1.1 Ensure time synchronization is in use 2.2.1.2 Ensure systemd-timesyncd is configured 2.2.10 Ensure FTP Server is not installed 2.2.11 Ensure HTTP server is not installed 2.2.12 Ensure IMAP and POP3 server is not installed 2.2.13 Ensure Samba is not installed 2.2.14 Ensure HTTP Proxy Server is not installed 2.2.15 Ensure net-snmp is not installed 2.2.16 Ensure mail transfer agent is configured for local-only mode 2.2.17 Ensure rsync is not installed or the rsyncd service is masked 2.2.18 Ensure NIS server is not installed 2.2.19 Ensure telnet-server is not installed 2.2.2 Ensure X11 Server components are not installed 2.2.4 Ensure CUPS is not installed 2.2.5 Ensure DHCP Server is not installed 2.2.6 Ensure LDAP server is not installed 2.2.9 Ensure DNS Server is not installed 2.3.1 Ensure NIS Client is not installed 2.3.2 Ensure rsh client is not installed 2.3.3 Ensure talk client is not installed 2.3.4 Ensure telnet client is not installed 2.3.5 Ensure LDAP client is not installed 2.4 Ensure nonessential services are removed or masked 3.5.1.4 Ensure default zone is set 3.5.1.5 Ensure network interfaces are assigned to appropriate zone 3.5.1.6 Ensure unnecessary services and ports are not accepted 3.5.2.1 Ensure nftables is installed 3.5.2.10 Ensure nftables rules are permanent 3.5.2.3 Ensure iptables are flushed 3.5.2.4 Ensure a table exists 3.5.2.9 Ensure nftables service is enabled 3.5.3.1.1 Ensure iptables package is installed 3.5.3.1.2 Ensure nftables is not installed 3.5.3.2.1 Ensure default deny firewall policy 3.5.3.2.3 Ensure outbound and established connections are configured 3.5.3.2.4 Ensure firewall rules exist for all open ports 3.5.3.3.1 Ensure IPv6 default deny firewall policy 3.5.3.3.3 Ensure IPv6 outbound and established connections are configured 3.5.3.3.4 Ensure IPv6 firewall rules exist for all open ports 4.2.1.1 Ensure rsyslog is installed 4.2.1.4 Ensure logging is configured 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host 4.2.2.1 Ensure journald is configured to send logs to rsyslog 4.2.2.2 Ensure journald is configured to compress large log files 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk 4.2.3 Ensure permissions on all logfiles are configured 4.2.4 Ensure logrotate is configured 5.1.2 Ensure permissions on /etc/crontab are configured 5.1.3 Ensure permissions on /etc/cron.hourly are configured 5.1.4 Ensure permissions on /etc/cron.daily are configured 5.1.5 Ensure permissions on /etc/cron.weekly are configured 5.1.6 Ensure permissions on /etc/cron.monthly are configured 5.1.7 Ensure permissions on /etc/cron.d are configured 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured 5.2.10 Ensure SSH root login is disabled 5.2.11 Ensure SSH PermitEmptyPasswords is disabled 5.2.12 Ensure SSH PermitUserEnvironment is disabled 5.2.13 Ensure only strong Ciphers are used 5.2.14 Ensure only strong MAC algorithms are used 5.2.15 Ensure only strong Key Exchange algorithms are used 5.2.17 Ensure SSH LoginGraceTime is set to one minute or less 5.2.18 Ensure SSH warning banner is configured 5.2.19 Ensure SSH PAM is enabled 5.2.2 Ensure permissions on SSH private host key files are configured 5.2.21 Ensure SSH MaxStartups is configured 5.2.22 Ensure SSH MaxSessions is limited 5.2.3 Ensure permissions on SSH public host key files are configured 5.2.4 Ensure SSH access is limited 5.2.5 Ensure SSH LogLevel is appropriate 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less 5.2.8 Ensure SSH IgnoreRhosts is enabled 5.2.9 Ensure SSH HostbasedAuthentication is disabled 5.3.3 Ensure password reuse is limited 5.4.1.1 Ensure password hashing algorithm is SHA-512 5.4.1.6 Ensure all users last password change date is in the past 5.4.3 Ensure default group for the root account is GID 0 5.4.4 Ensure default user shell timeout is configured 5.5 Ensure root login is restricted to system console 5.6 Ensure access to the su command is restricted 6.1.10 Ensure no ungrouped files or directories exist 6.1.11 Audit SUID executables 6.1.12 Audit SGID executables 6.1.2 Ensure permissions on /etc/passwd are configured 6.1.3 Ensure permissions on /etc/shadow are configured 6.1.4 Ensure permissions on /etc/group are configured 6.1.5 Ensure permissions on /etc/passwd- are configured 6.1.6 Ensure permissions on /etc/shadow- are configured 6.1.7 Ensure permissions on /etc/group- are configured 6.1.8 Ensure no world writable files exist 6.1.9 Ensure no unowned files or directories exist 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords 6.2.10 Ensure no users have .netrc files 6.2.11 Ensure users' .netrc Files are not group or world accessible 6.2.12 Ensure no users have .rhosts files 6.2.13 Ensure all groups in /etc/passwd exist in /etc/group 6.2.14 Ensure no duplicate UIDs exist 6.2.15 Ensure no duplicate GIDs exist 6.2.16 Ensure no duplicate user names exist 6.2.17 Ensure no duplicate group names exist 6.2.18 Ensure shadow group is empty 6.2.2 Ensure /etc/shadow password fields are not empty 6.2.3 Ensure root is the only UID 0 account 6.2.4 Ensure root PATH Integrity 6.2.5 Ensure all users' home directories exist 6.2.6 Ensure users' home directories permissions are 750 or more restrictive 6.2.7 Ensure users own their home directories 6.2.8 Ensure users' dot files are not group or world writable 6.2.9 Ensure no users have .forward files Miscellaneous Metadata updated. Platform check updated. References updated. Variables updated. Added 1.1.6 Ensure /dev/shm is configured 1.10 Ensure GDM is removed or login is configured 1.4.2 Ensure filesystem integrity is regularly checked 1.5.1 Ensure bootloader password is set 1.5.3 Ensure authentication required for single user mode 1.6.1 Ensure core dumps are restricted 1.6.3 Ensure address space layout randomization (ASLR) is enabled 1.7.1.1 Ensure AppArmor is installed 1.7.1.2 Ensure AppArmor is enabled in the bootloader configuration 1.7.1.3 Ensure all AppArmor Profiles are in enforce or complain mode 1.8.1.1 Ensure message of the day is configured properly 1.8.1.2 Ensure local login warning banner is configured properly 1.8.1.3 Ensure remote login warning banner is configured properly 2.2.1.3 Ensure chrony is configured 2.2.3 Ensure Avahi Server is not installed 2.2.7 Ensure nfs-utils is not installed or the nfs-server service is masked 2.2.8 Ensure rpcbind is not installed or the rpcbind services are masked 3.1.2 Ensure wireless interfaces are disabled 3.2.1 Ensure IP forwarding is disabled 3.2.2 Ensure packet redirect sending is disabled 3.3.1 Ensure source routed packets are not accepted 3.3.2 Ensure ICMP redirects are not accepted 3.3.3 Ensure secure ICMP redirects are not accepted 3.3.4 Ensure suspicious packets are logged 3.3.5 Ensure broadcast ICMP requests are ignored 3.3.6 Ensure bogus ICMP responses are ignored 3.3.7 Ensure Reverse Path Filtering is enabled 3.3.8 Ensure TCP SYN Cookies is enabled 3.3.9 Ensure IPv6 router advertisements are not accepted 3.5.1.1 Ensure FirewallD is installed 3.5.1.2 Ensure nftables is not installed or stopped and masked 3.5.1.3 Ensure firewalld service is enabled and running 3.5.2.2 Ensure firewalld is not installed or stopped and masked 3.5.2.5 Ensure base chains exist 3.5.2.6 Ensure loopback traffic is configured 3.5.2.7 Ensure outbound and established connections are configured 3.5.2.8 Ensure default deny firewall policy 3.5.3.1.3 Ensure firewalld is not installed or stopped and masked 3.5.3.2.2 Ensure loopback traffic is configured 3.5.3.3.2 Ensure IPv6 loopback traffic is configured 4.2.1.2 Ensure rsyslog Service is enabled and running 4.2.1.3 Ensure rsyslog default file permissions configured 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. 5.1.1 Ensure cron daemon is enabled and running 5.1.8 Ensure cron is restricted to authorized users 5.1.9 Ensure at is restricted to authorized users 5.2.16 Ensure SSH Idle Timeout Interval is configured 5.3.1 Ensure password creation requirements are configured 5.3.2 Ensure lockout for failed password attempts is configured 5.4.1.2 Ensure password expiration is 365 days or less 5.4.1.3 Ensure minimum days between password changes is configured 5.4.1.4 Ensure password expiration warning days is 7 or more 5.4.1.5 Ensure inactive password lock is 30 days or less 5.4.2 Ensure system accounts are secured 5.4.5 Ensure default user umask is configured Removed 1.1.6 Ensure /dev/shm is configured - fstab 1.1.6 Ensure /dev/shm is configured - mount 1.10 Ensure GDM is removed or login is configured - banner-message-enable 1.10 Ensure GDM is removed or login is configured - banner-message-text 1.10 Ensure GDM is removed or login is configured - disable-user-list 1.10 Ensure GDM is removed or login is configured - file-db 1.10 Ensure GDM is removed or login is configured - system-db 1.10 Ensure GDM is removed or login is configured - user-db 1.4.2 Ensure filesystem integrity is regularly checked - cron 1.4.2 Ensure filesystem integrity is regularly checked - is-enabled aidecheck.service 1.4.2 Ensure filesystem integrity is regularly checked - is-enabled aidecheck.timer 1.4.2 Ensure filesystem integrity is regularly checked - status aidecheck.timer 1.5.1 Ensure bootloader password is set - password 1.5.1 Ensure bootloader password is set - superusers 1.5.3 Ensure authentication required for single user mode - rescue.emergency 1.5.3 Ensure authentication required for single user mode - rescue.service 1.6.1 Ensure core dumps are restricted - fs.suid_dumpable sysctl.conf 1.6.1 Ensure core dumps are restricted - limits.conf 1.6.1 Ensure core dumps are restricted - sysctl fs.suid_dumpable 1.6.1 Ensure core dumps are restricted - systemd-coredump ProcessSizeMax 1.6.1 Ensure core dumps are restricted - systemd-coredump Storage 1.6.3 Ensure address space layout randomization (ASLR) is enabled - sysctl 1.6.3 Ensure address space layout randomization (ASLR) is enabled - sysctl.conf 1.7.1.1 Ensure AppArmor is installed - apparmor-docs 1.7.1.1 Ensure AppArmor is installed - apparmor-parser 1.7.1.1 Ensure AppArmor is installed - apparmor-profiles 1.7.1.1 Ensure AppArmor is installed - apparmor-utils 1.7.1.1 Ensure AppArmor is installed - libapparmor1 1.7.1.2 Ensure AppArmor is enabled in the bootloader configuration - apparmor=1 1.7.1.2 Ensure AppArmor is enabled in the bootloader configuration - security=apparmor 1.7.1.3 Ensure all AppArmor Profiles are in enforce or complain mode - processes unconfined 1.7.1.3 Ensure all AppArmor Profiles are in enforce or complain mode - profiles loaded 1.8.1.1 Ensure message of the day is configured properly - content 1.8.1.1 Ensure message of the day is configured properly - site policy banner 1.8.1.2 Ensure local login warning banner is configured properly - invalid entries 1.8.1.2 Ensure local login warning banner is configured properly - site policy banner 1.8.1.3 Ensure remote login warning banner is configured properly - invalid entries 1.8.1.3 Ensure remote login warning banner is configured properly - site policy banner 2.2.1.3 Ensure chrony is configured - server 2.2.1.3 Ensure chrony is configured - user 2.2.3 Ensure Avahi Server is not installed - avahi 2.2.3 Ensure Avahi Server is not installed - avahi-autoipd 2.2.7 Ensure nfs-utils is not installed or the nfs-server service is masked - nfs-kernel-server 2.2.7 Ensure nfs-utils is not installed or the nfs-server service is masked - nfs-utils 2.2.8 Ensure rpcbind is not installed or the rpcbind services are masked - package rpcbind 2.2.8 Ensure rpcbind is not installed or the rpcbind services are masked - service rpcbind 2.2.8 Ensure rpcbind is not installed or the rpcbind services are masked - service rpcbind.socket 3.1.2 Ensure wireless interfaces are disabled - interfaces 3.1.2 Ensure wireless interfaces are disabled - iw list 3.2.1 Ensure IP forwarding is disabled - sysctl ipv4 3.2.1 Ensure IP forwarding is disabled - sysctl ipv4 conf files 3.2.1 Ensure IP forwarding is disabled - sysctl ipv6 3.2.1 Ensure IP forwarding is disabled - sysctl ipv6 conf files 3.2.2 Ensure packet redirect sending is disabled - sysctl conf ipv4 all 3.2.2 Ensure packet redirect sending is disabled - sysctl conf ipv4 default 3.2.2 Ensure packet redirect sending is disabled - sysctl ipv4 all 3.2.2 Ensure packet redirect sending is disabled - sysctl ipv4 default 3.3.1 Ensure source routed packets are not accepted - sysctl conf ipv4 all 3.3.1 Ensure source routed packets are not accepted - sysctl conf ipv4 default 3.3.1 Ensure source routed packets are not accepted - sysctl conf ipv6 all 3.3.1 Ensure source routed packets are not accepted - sysctl conf ipv6 default 3.3.1 Ensure source routed packets are not accepted - sysctl ipv4 all 3.3.1 Ensure source routed packets are not accepted - sysctl ipv4 default 3.3.1 Ensure source routed packets are not accepted - sysctl ipv6 all 3.3.1 Ensure source routed packets are not accepted - sysctl ipv6 default 3.3.2 Ensure ICMP redirects are not accepted - sysctl ipv4 all 3.3.2 Ensure ICMP redirects are not accepted - sysctl ipv4 default 3.3.2 Ensure ICMP redirects are not accepted - sysctl ipv6 all 3.3.2 Ensure ICMP redirects are not accepted - sysctl ipv6 default 3.3.2 Ensure ICMP redirects are not accepted - sysctl.conf ipv4 all 3.3.2 Ensure ICMP redirects are not accepted - sysctl.conf ipv4 default 3.3.2 Ensure ICMP redirects are not accepted - sysctl.conf ipv6 all 3.3.2 Ensure ICMP redirects are not accepted - sysctl.conf ipv6 default 3.3.3 Ensure secure ICMP redirects are not accepted - sysctl ipv4 all 3.3.3 Ensure secure ICMP redirects are not accepted - sysctl ipv4 default 3.3.3 Ensure secure ICMP redirects are not accepted - sysctl.conf ipv4 all 3.3.3 Ensure secure ICMP redirects are not accepted - sysctl.conf ipv4 default 3.3.4 Ensure suspicious packets are logged - sysctl ipv4 all 3.3.4 Ensure suspicious packets are logged - sysctl ipv4 default 3.3.4 Ensure suspicious packets are logged - sysctl.conf ipv4 all 3.3.4 Ensure suspicious packets are logged - sysctl.conf ipv4 default 3.3.5 Ensure broadcast ICMP requests are ignored - sysctl ipv4 3.3.5 Ensure broadcast ICMP requests are ignored - sysctl.conf ipv4 3.3.6 Ensure bogus ICMP responses are ignored - sysctl ipv4 3.3.6 Ensure bogus ICMP responses are ignored - sysctl.conf ipv4 3.3.7 Ensure Reverse Path Filtering is enabled - sysctl ipv4 all 3.3.7 Ensure Reverse Path Filtering is enabled - sysctl ipv4 default 3.3.7 Ensure Reverse Path Filtering is enabled - sysctl.conf ipv4 all 3.3.7 Ensure Reverse Path Filtering is enabled - sysctl.conf ipv4 default 3.3.8 Ensure TCP SYN Cookies is enabled - sysctl ipv4 3.3.8 Ensure TCP SYN Cookies is enabled - sysctl.conf ipv4 3.3.9 Ensure IPv6 router advertisements are not accepted - sysctl ipv6 all 3.3.9 Ensure IPv6 router advertisements are not accepted - sysctl ipv6 default 3.3.9 Ensure IPv6 router advertisements are not accepted - sysctl.conf ipv6 all 3.3.9 Ensure IPv6 router advertisements are not accepted - sysctl.conf ipv6 default 3.5.1.1 Ensure FirewallD is installed - firewalld 3.5.1.1 Ensure FirewallD is installed - iptables 3.5.1.2 Ensure nftables is not installed or stopped and masked - nftables active 3.5.1.2 Ensure nftables is not installed or stopped and masked - nftables masked 3.5.1.2 Ensure nftables is not installed or stopped and masked - package nftables 3.5.1.3 Ensure firewalld service is enabled and running - firewall state running 3.5.1.3 Ensure firewalld service is enabled and running - firewalld enabled 3.5.2.2 Ensure firewalld is not installed or stopped and masked - firewalld active 3.5.2.2 Ensure firewalld is not installed or stopped and masked - firewalld masked 3.5.2.2 Ensure firewalld is not installed or stopped and masked - firewalld package 3.5.2.5 Ensure base chains exist - forward 3.5.2.5 Ensure base chains exist - input 3.5.2.5 Ensure base chains exist - output 3.5.2.6 Ensure loopback traffic is configured - ip saddr 127.0.0.0/8 3.5.2.6 Ensure loopback traffic is configured - ip6 saddr 3.5.2.6 Ensure loopback traffic is configured - lo accept 3.5.2.7 Ensure outbound and established connections are configured - input 3.5.2.7 Ensure outbound and established connections are configured - output 3.5.2.8 Ensure default deny firewall policy - forward 3.5.2.8 Ensure default deny firewall policy - input 3.5.2.8 Ensure default deny firewall policy - output 3.5.3.1.3 Ensure firewalld is not installed or stopped and masked - firewalld active 3.5.3.1.3 Ensure firewalld is not installed or stopped and masked - firewalld masked 3.5.3.1.3 Ensure firewalld is not installed or stopped and masked - firewalld package 3.5.3.2.2 Ensure loopback traffic is configured - input 3.5.3.2.2 Ensure loopback traffic is configured - output 3.5.3.3.2 Ensure IPv6 loopback traffic is configured - input 3.5.3.3.2 Ensure IPv6 loopback traffic is configured - output 4.2.1.2 Ensure rsyslog service is enabled 4.2.1.2 Ensure rsyslog service is enabled and running 4.2.1.3 Ensure rsyslog default file permissions are configured 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts 5.1.1 Ensure cron daemon is enabled and running - enabled 5.1.1 Ensure cron daemon is enabled and running - running 5.1.8 Ensure cron is restricted to authorized users - cron.allow 5.1.8 Ensure cron is restricted to authorized users - cron.deny 5.1.9 Ensure at is restricted to authorized users - at.allow 5.1.9 Ensure at is restricted to authorized users - at.deny 5.2.16 Ensure SSH Idle Timeout Interval is configured - clientalivecountmax 5.2.16 Ensure SSH Idle Timeout Interval is configured - clientaliveinterval 5.3.1 Ensure password creation requirements are configured - dcredit 5.3.1 Ensure password creation requirements are configured - lcredit 5.3.1 Ensure password creation requirements are configured - minlen 5.3.1 Ensure password creation requirements are configured - ocredit 5.3.1 Ensure password creation requirements are configured - ucredit 5.3.2 Ensure lockout for failed password attempts is configured - common-account pam_tally2.so 5.3.2 Ensure lockout for failed password attempts is configured - login deny 5.3.2 Ensure lockout for failed password attempts is configured - login unlock_time 5.4.1.2 Ensure password expiration is 365 days or less - PASS_MAX_DAYS 5.4.1.2 Ensure password expiration is 365 days or less - users 5.4.1.3 Ensure minimum days between password changes is configured - PASS_MIN_DAYS 5.4.1.3 Ensure minimum days between password changes is configured - users 5.4.1.4 Ensure password expiration warning days is 7 or more - PASS_WARN_AGE 5.4.1.4 Ensure password expiration warning days is 7 or more - users 5.4.1.5 Ensure inactive password lock is 30 days or less - INACTIVE 5.4.1.5 Ensure inactive password lock is 30 days or less - users 5.4.2 Ensure system accounts are secured - /etc/passwd 5.4.2 Ensure system accounts are secured - passwd 5.4.5 Ensure default user umask is configured - System Wide default 5.4.5 Ensure default user umask is configured - profiles
Revision 1.24 Apr 22, 2024 Functional Update 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host
Revision 1.23 Jan 9, 2024 Functional Update 5.4.1.3 Ensure minimum days between password changes is configured - users

Detections

Analytics

CIS SUSE Linux Enterprise 15 Server L1 v1.1.1

Warning! Audit Deprecated

Audit Details

File Details

Audit Changelog

Revision 1.32

Miscellaneous

Revision 1.31

Informational Update

Miscellaneous

Revision 1.30

Functional Update

Revision 1.29

Functional Update

Miscellaneous

Revision 1.28

Functional Update

Revision 1.27

Miscellaneous

Revision 1.26

Functional Update

Revision 1.25

Functional Update

Informational Update

Miscellaneous

Added

Removed

Revision 1.24

Functional Update

Revision 1.23

Functional Update

Detections

Analytics

CIS SUSE Linux Enterprise 15 Server L1 v1.1.1 Download File

Warning! Audit Deprecated

Audit Details

File Details

Audit Changelog

Miscellaneous

Informational Update

Miscellaneous

Functional Update

Functional Update

Miscellaneous

Functional Update

Miscellaneous

Functional Update

Functional Update

Informational Update

Miscellaneous

Added

Removed

Functional Update

Functional Update

CIS SUSE Linux Enterprise 15 Server L1 v1.1.1