CIS SUSE Linux Enterprise 15 Workstation L1 v1.0.0

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS SUSE Linux Enterprise 15 Workstation L1 v1.0.0

Updated: 3/22/2022

Authority: CIS

Plugin: Unix

Revision: 1.7

Estimated Item Count: 290

File Details

Filename: CIS_SUSE_Linux_Enterprise_15_Workstation_v1.0.0_L1.audit

Size: 701 kB

MD5: ae90b9de1d6333ce7bf59b106f635360
SHA256: 482b4ad5845bc3b5e0a717e94cfdcbf781db3330a7a9db89e951ada25e496948

Audit Changelog

 
Revision 1.7

Mar 22, 2022

Miscellaneous
  • Audit deprecated.
  • Metadata updated.
  • References updated.
Revision 1.6

Jun 17, 2021

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.5

May 10, 2021

Functional Update
  • 3.3.2 Ensure ICMP redirects are not accepted - sysctl ipv4 all
  • 3.3.2 Ensure ICMP redirects are not accepted - sysctl ipv6 all
Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.4

Oct 14, 2020

Functional Update
  • 4.2.3 Ensure permissions on all logfiles are configured
Revision 1.3

Oct 5, 2020

Functional Update
  • 1.1.12 Ensure noexec option set on /var/tmp partition
  • 1.1.13 Ensure nodev option set on /var/tmp partition
  • 1.1.14 Ensure nosuid option set on /var/tmp partition
  • 1.1.18 Ensure nodev option set on /home partition
  • 1.1.2 Ensure /tmp is configured
  • 1.10 Ensure GDM is removed or login is configured - banner-message-enable
  • 1.10 Ensure GDM is removed or login is configured - banner-message-text
  • 1.10 Ensure GDM is removed or login is configured - disable-user-list
  • 1.10 Ensure GDM is removed or login is configured - file-db
  • 1.10 Ensure GDM is removed or login is configured - system-db
  • 1.10 Ensure GDM is removed or login is configured - user-db
  • 1.4.2 Ensure filesystem integrity is regularly checked - aidecheck.service
  • 1.4.2 Ensure filesystem integrity is regularly checked - aidecheck.timer
  • 1.4.2 Ensure filesystem integrity is regularly checked - cron
  • 1.6.1 Ensure core dumps are restricted - systemd-coredump ProcessSizeMax
  • 1.6.1 Ensure core dumps are restricted - systemd-coredump Storage
  • 1.6.2 Ensure XD/NX support is enabled
  • 1.8.1.1 Ensure message of the day is configured properly - content
  • 1.8.1.1 Ensure message of the day is configured properly - site policy banner
  • 2.2.1.1 Ensure time synchronization is in use
  • 2.2.1.2 Ensure systemd-timesyncd is configured
  • 2.2.1.3 Ensure chrony is configured - server
  • 2.2.1.3 Ensure chrony is configured - user
  • 2.2.17 Ensure rsync is not installed or the rsyncd service is masked
  • 2.2.7 Ensure nfs-utils is not installed or the nfs-server service is masked - nfs-kernel-server
  • 2.2.7 Ensure nfs-utils is not installed or the nfs-server service is masked - nfs-utils
  • 2.2.8 Ensure rpcbind is not installed or the rpcbind services are masked - package rpcbind
  • 2.2.8 Ensure rpcbind is not installed or the rpcbind services are masked - service rpcbind
  • 2.2.8 Ensure rpcbind is not installed or the rpcbind services are masked - service rpcbind.socket
  • 3.2.1 Ensure IP forwarding is disabled - sysctl ipv6
  • 3.2.1 Ensure IP forwarding is disabled - sysctl ipv6 conf files
  • 3.3.1 Ensure source routed packets are not accepted - sysctl conf ipv6 all
  • 3.3.1 Ensure source routed packets are not accepted - sysctl conf ipv6 default
  • 3.3.1 Ensure source routed packets are not accepted - sysctl ipv6 all
  • 3.3.1 Ensure source routed packets are not accepted - sysctl ipv6 default
  • 3.3.2 Ensure ICMP redirects are not accepted - sysctl ipv6 all
  • 3.3.2 Ensure ICMP redirects are not accepted - sysctl ipv6 default
  • 3.3.2 Ensure ICMP redirects are not accepted - sysctl.conf ipv6 all
  • 3.3.2 Ensure ICMP redirects are not accepted - sysctl.conf ipv6 default
  • 3.3.9 Ensure IPv6 router advertisements are not accepted - sysctl ipv6 all
  • 3.3.9 Ensure IPv6 router advertisements are not accepted - sysctl ipv6 default
  • 3.3.9 Ensure IPv6 router advertisements are not accepted - sysctl.conf ipv6 all
  • 3.3.9 Ensure IPv6 router advertisements are not accepted - sysctl.conf ipv6 default
  • 3.5.1.1 Ensure FirewallD is installed - firewalld
  • 3.5.1.1 Ensure FirewallD is installed - iptables
  • 3.5.1.2 Ensure nftables is not installed or stopped and masked - nftables active
  • 3.5.1.2 Ensure nftables is not installed or stopped and masked - nftables masked
  • 3.5.1.2 Ensure nftables is not installed or stopped and masked - package nftables
  • 3.5.1.3 Ensure firewalld service is enabled and running - firewall state running
  • 3.5.1.3 Ensure firewalld service is enabled and running - firewalld enabled
  • 3.5.1.4 Ensure default zone is set
  • 3.5.1.5 Ensure network interfaces are assigned to appropriate zone
  • 3.5.1.6 Ensure unnecessary services and ports are not accepted
  • 3.5.2.1 Ensure nftables is installed
  • 3.5.2.10 Ensure nftables rules are permanent
  • 3.5.2.2 Ensure firewalld is not installed or stopped and masked - firewalld active
  • 3.5.2.2 Ensure firewalld is not installed or stopped and masked - firewalld masked
  • 3.5.2.2 Ensure firewalld is not installed or stopped and masked - firewalld package
  • 3.5.2.3 Ensure iptables are flushed
  • 3.5.2.4 Ensure a table exists
  • 3.5.2.5 Ensure base chains exist - forward
  • 3.5.2.5 Ensure base chains exist - input
  • 3.5.2.5 Ensure base chains exist - output
  • 3.5.2.6 Ensure loopback traffic is configured - ip saddr 127.0.0.0/8
  • 3.5.2.6 Ensure loopback traffic is configured - ip6 saddr
  • 3.5.2.6 Ensure loopback traffic is configured - lo accept
  • 3.5.2.7 Ensure outbound and established connections are configured - input
  • 3.5.2.7 Ensure outbound and established connections are configured - output
  • 3.5.2.8 Ensure default deny firewall policy - forward
  • 3.5.2.8 Ensure default deny firewall policy - input
  • 3.5.2.8 Ensure default deny firewall policy - output
  • 3.5.2.9 Ensure nftables service is enabled
  • 3.5.3.1.1 Ensure iptables package is installed
  • 3.5.3.1.2 Ensure nftables is not installed
  • 3.5.3.1.3 Ensure firewalld is not installed or stopped and masked - firewalld active
  • 3.5.3.1.3 Ensure firewalld is not installed or stopped and masked - firewalld masked
  • 3.5.3.1.3 Ensure firewalld is not installed or stopped and masked - firewalld package
  • 3.5.3.2.1 Ensure default deny firewall policy
  • 3.5.3.2.2 Ensure loopback traffic is configured - input
  • 3.5.3.2.2 Ensure loopback traffic is configured - output
  • 3.5.3.2.3 Ensure outbound and established connections are configured
  • 3.5.3.2.4 Ensure firewall rules exist for all open ports
  • 3.5.3.3.1 Ensure IPv6 default deny firewall policy
  • 3.5.3.3.2 Ensure IPv6 loopback traffic is configured - input
  • 3.5.3.3.2 Ensure IPv6 loopback traffic is configured - output
  • 3.5.3.3.3 Ensure IPv6 outbound and established connections are configured
  • 3.5.3.3.4 Ensure IPv6 firewall rules exist for all open ports
  • 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - InputTCPServerRun
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - ModLoad
  • 5.1.1 Ensure cron daemon is enabled and running - enabled
  • 5.1.1 Ensure cron daemon is enabled and running - running
  • 5.1.2 Ensure permissions on /etc/crontab are configured
  • 5.1.3 Ensure permissions on /etc/cron.hourly are configured
  • 5.1.4 Ensure permissions on /etc/cron.daily are configured
  • 5.1.5 Ensure permissions on /etc/cron.weekly are configured
  • 5.1.6 Ensure permissions on /etc/cron.monthly are configured
  • 5.1.7 Ensure permissions on /etc/cron.d are configured
  • 5.1.8 Ensure cron is restricted to authorized users - cron.allow
  • 5.1.8 Ensure cron is restricted to authorized users - cron.deny
  • 5.1.9 Ensure at is restricted to authorized users - at.allow
  • 5.1.9 Ensure at is restricted to authorized users - at.deny
  • 5.4.4 Ensure default user shell timeout is configured
Miscellaneous
  • Platform check updated.
Revision 1.2

Sep 30, 2020

Functional Update
  • 6.2.8 Ensure users' dot files are not group or world writable
Revision 1.1

Sep 29, 2020

Miscellaneous
  • References updated.