CIS SUSE Linux Enterprise 15 Workstation L1 v1.1.1

Audit Details

Name: CIS SUSE Linux Enterprise 15 Workstation L1 v1.1.1

Updated: 9/26/2022

Authority: CIS

Plugin: Unix

Revision: 1.4

Estimated Item Count: 291

File Details

Filename: CIS_SUSE_Linux_Enterprise_15_Workstation_v1.1.1_L1.audit

Size: 901 kB

MD5: 2c6825a303b68b7e9a0aed75226460d0
SHA256: 4c546c18008716ba0eab89c9352e23fb52e846db3a72ca7d644897d541944ecd

Audit Items

DescriptionCategories
1.1.1.2 Ensure mounting of udf filesystems is disabled

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

1.1.2 Ensure /tmp is configured

ACCESS CONTROL, MEDIA PROTECTION

1.1.3 Ensure noexec option set on /tmp partition

ACCESS CONTROL, MEDIA PROTECTION

1.1.4 Ensure nodev option set on /tmp partition

ACCESS CONTROL, MEDIA PROTECTION

1.1.5 Ensure nosuid option set on /tmp partition

ACCESS CONTROL, MEDIA PROTECTION

1.1.6 Ensure /dev/shm is configured - fstab

ACCESS CONTROL, MEDIA PROTECTION

1.1.6 Ensure /dev/shm is configured - mount

ACCESS CONTROL, MEDIA PROTECTION

1.1.7 Ensure noexec option set on /dev/shm partition

ACCESS CONTROL, MEDIA PROTECTION

1.1.8 Ensure nodev option set on /dev/shm partition

ACCESS CONTROL, MEDIA PROTECTION

1.1.9 Ensure nosuid option set on /dev/shm partition

ACCESS CONTROL, MEDIA PROTECTION

1.1.12 Ensure noexec option set on /var/tmp partition

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

1.1.13 Ensure nodev option set on /var/tmp partition

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

1.1.14 Ensure nosuid option set on /var/tmp partition

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

1.1.18 Ensure nodev option set on /home partition

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

1.1.19 Ensure noexec option set on removable media partitions

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

1.1.20 Ensure nodev option set on removable media partitions

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

1.1.21 Ensure nosuid option set on removable media partitions

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

1.1.22 Ensure sticky bit is set on all world-writable directories

ACCESS CONTROL, CONFIGURATION MANAGEMENT, MEDIA PROTECTION, SYSTEM AND SERVICES ACQUISITION

1.2.1 Ensure GPG keys are configured

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

1.2.2 Ensure package manager repositories are configured

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

1.2.3 Ensure gpgcheck is globally activated

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

1.3.1 Ensure sudo is installed

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

1.3.2 Ensure sudo commands use pty

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

1.3.3 Ensure sudo log file exists

AUDIT AND ACCOUNTABILITY

1.4.1 Ensure AIDE is installed

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

1.4.2 Ensure filesystem integrity is regularly checked - cron

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

1.4.2 Ensure filesystem integrity is regularly checked - is-enabled aidecheck.service

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

1.4.2 Ensure filesystem integrity is regularly checked - is-enabled aidecheck.timer

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

1.4.2 Ensure filesystem integrity is regularly checked - status aidecheck.timer

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

1.5.1 Ensure bootloader password is set - password

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

1.5.1 Ensure bootloader password is set - superusers

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

1.5.2 Ensure permissions on bootloader config are configured

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

1.5.3 Ensure authentication required for single user mode - rescue.emergency

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

1.5.3 Ensure authentication required for single user mode - rescue.service

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

1.6.1 Ensure core dumps are restricted - fs.suid_dumpable sysctl.conf

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

1.6.1 Ensure core dumps are restricted - limits.conf

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

1.6.1 Ensure core dumps are restricted - sysctl fs.suid_dumpable

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

1.6.1 Ensure core dumps are restricted - systemd-coredump ProcessSizeMax

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

1.6.1 Ensure core dumps are restricted - systemd-coredump Storage

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

1.6.2 Ensure XD/NX support is enabled

SYSTEM AND INFORMATION INTEGRITY

1.6.3 Ensure address space layout randomization (ASLR) is enabled - sysctl

SYSTEM AND INFORMATION INTEGRITY

1.6.3 Ensure address space layout randomization (ASLR) is enabled - sysctl.conf

SYSTEM AND INFORMATION INTEGRITY

1.6.4 Ensure prelink is disabled

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

1.7.1.1 Ensure AppArmor is installed - apparmor-docs

ACCESS CONTROL, MEDIA PROTECTION

1.7.1.1 Ensure AppArmor is installed - apparmor-parser

ACCESS CONTROL, MEDIA PROTECTION

1.7.1.1 Ensure AppArmor is installed - apparmor-profiles

ACCESS CONTROL, MEDIA PROTECTION

1.7.1.1 Ensure AppArmor is installed - apparmor-utils

ACCESS CONTROL, MEDIA PROTECTION

1.7.1.1 Ensure AppArmor is installed - libapparmor1

ACCESS CONTROL, MEDIA PROTECTION

1.7.1.2 Ensure AppArmor is enabled in the bootloader configuration - apparmor=1

ACCESS CONTROL, MEDIA PROTECTION

1.7.1.2 Ensure AppArmor is enabled in the bootloader configuration - security=apparmor

ACCESS CONTROL, MEDIA PROTECTION