CIS SUSE Linux Enterprise Server 12 L1 v3.0.0

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS SUSE Linux Enterprise Server 12 L1 v3.0.0

Updated: 8/23/2022

Authority: CIS

Plugin: Unix

Revision: 1.8

Estimated Item Count: 272

File Details

Filename: CIS_SUSE_Linux_Enterprise_Server_12_v3.0.0_L1.audit

Size: 542 kB

MD5: ce4bba98a1da8e4ca6cc891243c3f8d1

SHA256: a5dba68740b16a19cdec0a466b00acfdaa6554c39a841c2891f4084142aef83e

Audit Changelog


Revision 1.8 Aug 23, 2022 Miscellaneous Audit deprecated. Metadata updated. References updated.
Revision 1.7 Jul 27, 2022 Functional Update 5.3.4 Ensure SSH Protocol is set to 2
Revision 1.6 Apr 25, 2022 Miscellaneous Metadata updated.
Revision 1.5 Apr 5, 2022 Functional Update 6.1.3 Ensure permissions on /etc/shadow are configured 6.1.6 Ensure permissions on /etc/shadow- are configured
Revision 1.4 Apr 1, 2022 Functional Update 5.5.4 Ensure default user shell timeout is configured Informational Update 1.1.1.2 Ensure mounting of udf filesystems is disabled 1.1.12 Ensure noexec option set on /var/tmp partition 1.1.13 Ensure nodev option set on /var/tmp partition 1.1.14 Ensure nosuid option set on /var/tmp partition 1.1.18 Ensure nodev option set on /home partition 1.1.19 Ensure noexec option set on removable media partitions 1.1.2 Ensure /tmp is configured - config check 1.1.2 Ensure /tmp is configured - mount 1.1.20 Ensure nodev option set on removable media partitions 1.1.21 Ensure nosuid option set on removable media partitions 1.1.22 Ensure sticky bit is set on all world-writable directories 1.1.23 Disable Automounting 1.1.3 Ensure noexec option set on /tmp partition 1.1.4 Ensure nodev option set on /tmp partition 1.1.5 Ensure nosuid option set on /tmp partition 1.1.6 Ensure /dev/shm is configured - fstab 1.1.6 Ensure /dev/shm is configured - mount 1.1.7 Ensure noexec option set on /dev/shm partition 1.1.8 Ensure nodev option set on /dev/shm partition 1.1.9 Ensure nosuid option set on /dev/shm partition 1.2.1 Ensure GPG keys are configured 1.2.2 Ensure package manager repositories are configured 1.2.3 Ensure gpgcheck is globally activated 1.3.2 Ensure filesystem integrity is regularly checked - aidecheck.service 1.3.2 Ensure filesystem integrity is regularly checked - aidecheck.timer 1.3.2 Ensure filesystem integrity is regularly checked - cron 1.4.1 Ensure bootloader password is set - password_pbkdf2 1.4.1 Ensure bootloader password is set - superusers 1.4.2 Ensure permissions on bootloader config are configured 1.5.1 Ensure core dumps are restricted - systemd-coredump ProcessSizeMax 1.5.1 Ensure core dumps are restricted - systemd-coredump Storage 1.5.2 Ensure XD/NX support is enabled 1.6.1.1 Ensure AppArmor is installed - apparmor-parser 1.6.1.1 Ensure AppArmor is installed - apparmor-profiles 1.6.1.1 Ensure AppArmor is installed - apparmor-utils 1.6.1.1 Ensure AppArmor is installed - libapparmor1 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration - apparmor=1 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration - security=apparmor 1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode - processes unconfined 1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode - profiles loaded 1.9 Ensure GDM is removed or login is configured - banner-message-enable 1.9 Ensure GDM is removed or login is configured - banner-message-text 1.9 Ensure GDM is removed or login is configured - disable-user-list 1.9 Ensure GDM is removed or login is configured - file-db 1.9 Ensure GDM is removed or login is configured - system-db 1.9 Ensure GDM is removed or login is configured - user-db 2.1.1 Ensure xinetd is not installed 2.2.1.2 Ensure systemd-timesyncd is configured 2.2.1.3 Ensure chrony is configured - user 2.2.1.4 Ensure ntp is configured - ntp:ntp 2.2.1.4 Ensure ntp is configured - restrict -4 2.2.1.4 Ensure ntp is configured - restrict -6 2.2.1.4 Ensure ntp is configured - server 2.2.10 Ensure IMAP and POP3 server is not installed 2.2.11 Ensure Samba is not installed 2.2.12 Ensure HTTP Proxy Server is not installed 2.2.13 Ensure net-snmp is not installed 2.2.14 Ensure NIS server is not installed 2.2.15 Ensure telnet-server is not installed 2.2.16 Ensure nfs-utils is not installed or the nfs-server service is masked - nfs-kernel-server 2.2.16 Ensure nfs-utils is not installed or the nfs-server service is masked - nfs-utils 2.2.17 Ensure rpcbind is not installed or the rpcbind services are masked - package rpcbind 2.2.17 Ensure rpcbind is not installed or the rpcbind services are masked - service rpcbind 2.2.17 Ensure rpcbind is not installed or the rpcbind services are masked - service rpcbind.socket 2.2.18 Ensure rsync is not installed or the rsyncd service is masked 2.2.19 Ensure mail transfer agent is configured for local-only mode 2.2.2 Ensure X11 Server components are not installed 2.2.3 Ensure Avahi Server is not installed - avahi 2.2.3 Ensure Avahi Server is not installed - avahi-autoipd 2.2.4 Ensure CUPS is not installed 2.2.5 Ensure DHCP Server is not installed 2.2.6 Ensure LDAP server is not installed 2.2.7 Ensure DNS Server is not installed 2.2.8 Ensure FTP Server is not installed 2.2.9 Ensure HTTP server is not installed 2.4 Ensure nonessential services are removed or masked 3.1.2 Ensure wireless interfaces are disabled - interfaces 3.1.2 Ensure wireless interfaces are disabled - iw list 3.2.1 Ensure IP forwarding is disabled - sysctl ipv4 3.2.1 Ensure IP forwarding is disabled - sysctl ipv4 conf files 3.2.1 Ensure IP forwarding is disabled - sysctl ipv6 3.2.1 Ensure IP forwarding is disabled - sysctl ipv6 conf files 3.2.2 Ensure packet redirect sending is disabled - sysctl conf ipv4 all 3.2.2 Ensure packet redirect sending is disabled - sysctl conf ipv4 default 3.2.2 Ensure packet redirect sending is disabled - sysctl ipv4 all 3.2.2 Ensure packet redirect sending is disabled - sysctl ipv4 default 3.3.1 Ensure source routed packets are not accepted - sysctl conf ipv4 all 3.3.1 Ensure source routed packets are not accepted - sysctl conf ipv4 default 3.3.1 Ensure source routed packets are not accepted - sysctl conf ipv6 all 3.3.1 Ensure source routed packets are not accepted - sysctl conf ipv6 default 3.3.1 Ensure source routed packets are not accepted - sysctl ipv4 all 3.3.1 Ensure source routed packets are not accepted - sysctl ipv4 default 3.3.1 Ensure source routed packets are not accepted - sysctl ipv6 all 3.3.1 Ensure source routed packets are not accepted - sysctl ipv6 default 3.3.2 Ensure ICMP redirects are not accepted - sysctl ipv4 all 3.3.2 Ensure ICMP redirects are not accepted - sysctl ipv4 default 3.3.2 Ensure ICMP redirects are not accepted - sysctl ipv6 all 3.3.2 Ensure ICMP redirects are not accepted - sysctl ipv6 default 3.3.2 Ensure ICMP redirects are not accepted - sysctl.conf ipv4 all 3.3.2 Ensure ICMP redirects are not accepted - sysctl.conf ipv4 default 3.3.2 Ensure ICMP redirects are not accepted - sysctl.conf ipv6 all 3.3.2 Ensure ICMP redirects are not accepted - sysctl.conf ipv6 default 3.3.3 Ensure secure ICMP redirects are not accepted - sysctl ipv4 all 3.3.3 Ensure secure ICMP redirects are not accepted - sysctl ipv4 default 3.3.3 Ensure secure ICMP redirects are not accepted - sysctl.conf ipv4 all 3.3.3 Ensure secure ICMP redirects are not accepted - sysctl.conf ipv4 default 3.3.4 Ensure suspicious packets are logged - sysctl ipv4 all 3.3.4 Ensure suspicious packets are logged - sysctl ipv4 default 3.3.4 Ensure suspicious packets are logged - sysctl.conf ipv4 all 3.3.4 Ensure suspicious packets are logged - sysctl.conf ipv4 default 3.3.5 Ensure broadcast ICMP requests are ignored - sysctl ipv4 3.3.5 Ensure broadcast ICMP requests are ignored - sysctl.conf ipv4 3.3.6 Ensure bogus ICMP responses are ignored - sysctl ipv4 3.3.6 Ensure bogus ICMP responses are ignored - sysctl.conf ipv4 3.3.7 Ensure Reverse Path Filtering is enabled - sysctl ipv4 all 3.3.7 Ensure Reverse Path Filtering is enabled - sysctl ipv4 default 3.3.7 Ensure Reverse Path Filtering is enabled - sysctl.conf ipv4 all 3.3.7 Ensure Reverse Path Filtering is enabled - sysctl.conf ipv4 default 3.3.8 Ensure TCP SYN Cookies is enabled - sysctl ipv4 3.3.8 Ensure TCP SYN Cookies is enabled - sysctl.conf ipv4 3.5.1.1 Ensure iptables package is installed 3.5.2.2 Ensure outbound and established connections are configured - input 3.5.2.2 Ensure outbound and established connections are configured - output 3.5.2.3 Ensure firewall rules exist for all open ports 3.5.2.4 Ensure default deny firewall policy - forward 3.5.2.4 Ensure default deny firewall policy - input 3.5.2.4 Ensure default deny firewall policy - output 3.5.3.1 Ensure IPv6 loopback traffic is configured - input 3.5.3.1 Ensure IPv6 loopback traffic is configured - output 3.5.3.2 Ensure IPv6 outbound and established connections are configured 3.5.3.3 Ensure IPv6 firewall rules exist for all open ports 3.5.3.4 Ensure IPv6 default deny firewall policy 4.2.1.1 Ensure rsyslog is installed 4.2.1.2 Ensure rsyslog Service is enabled and running - enabled 4.2.1.2 Ensure rsyslog Service is enabled and running - running 4.2.1.4 Ensure logging is configured 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host - rsyslog.conf/rsyslogd. 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - '$InputTCPServerRun 514' - rsyslog.conf/rsyslog.d 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - '$ModLoad imtcp.so' - rsyslog.conf/rsyslog.d 4.2.2.1 Ensure journald is configured to send logs to rsyslog 4.2.2.2 Ensure journald is configured to compress large log files 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk 4.2.3 Ensure permissions on all logfiles are configured 4.2.4 Ensure logrotate is configured 5.1.1 Ensure sudo is installed 5.1.2 Ensure sudo commands use pty 5.1.3 Ensure sudo log file exists 5.2.1 Ensure cron daemon is enabled and running - enabled 5.2.1 Ensure cron daemon is enabled and running - running 5.2.2 Ensure permissions on /etc/crontab are configured 5.2.3 Ensure permissions on /etc/cron.hourly are configured 5.2.4 Ensure permissions on /etc/cron.daily are configured 5.2.5 Ensure permissions on /etc/cron.weekly are configured 5.2.6 Ensure permissions on /etc/cron.monthly are configured 5.2.7 Ensure permissions on /etc/cron.d are configured 5.2.8 Ensure cron is restricted to authorized users - cron.allow 5.2.8 Ensure cron is restricted to authorized users - cron.deny 5.2.9 Ensure at is restricted to authorized users - at.allow 5.2.9 Ensure at is restricted to authorized users - at.deny 5.3.1 Ensure permissions on /etc/ssh/sshd_config are configured 5.3.10 Ensure SSH HostbasedAuthentication is disabled 5.3.11 Ensure SSH root login is disabled 5.3.12 Ensure SSH PermitEmptyPasswords is disabled 5.3.13 Ensure SSH PermitUserEnvironment is disabled 5.3.14 Ensure only strong Ciphers are used 5.3.15 Ensure only strong MAC algorithms are used 5.3.16 Ensure only strong Key Exchange algorithms are used 5.3.17 Ensure SSH Idle Timeout Interval is configured - clientalivecountmax 5.3.17 Ensure SSH Idle Timeout Interval is configured - clientaliveinterval 5.3.18 Ensure SSH LoginGraceTime is set to one minute or less 5.3.19 Ensure SSH warning banner is configured 5.3.2 Ensure permissions on SSH private host key files are configured 5.3.20 Ensure SSH PAM is enabled 5.3.22 Ensure SSH MaxStartups is configured 5.3.23 Ensure SSH MaxSessions is limited 5.3.3 Ensure permissions on SSH public host key files are configured 5.3.4 Ensure SSH Protocol is set to 2 5.3.5 Ensure SSH access is limited 5.3.6 Ensure SSH LogLevel is appropriate 5.3.8 Ensure SSH MaxAuthTries is set to 4 or less 5.3.9 Ensure SSH IgnoreRhosts is enabled 5.4.1 Ensure password creation requirements are configured - dcredit 5.4.1 Ensure password creation requirements are configured - lcredit 5.4.1 Ensure password creation requirements are configured - minlen 5.4.1 Ensure password creation requirements are configured - ocredit 5.4.1 Ensure password creation requirements are configured - ucredit 5.4.2 Ensure lockout for failed password attempts is configured - common-account pam_tally2.so 5.4.2 Ensure lockout for failed password attempts is configured - common-auth deny 5.4.2 Ensure lockout for failed password attempts is configured - common-auth unlock_time 5.4.3 Ensure password reuse is limited 5.5.1.1 Ensure password hashing algorithm is SHA-512 5.5.1.2 Ensure password expiration is 365 days or less - PASS_MAX_DAYS 5.5.1.2 Ensure password expiration is 365 days or less - users 5.5.1.3 Ensure minimum days between password changes is configured - PASS_MIN_DAYS 5.5.1.3 Ensure minimum days between password changes is configured - users 5.5.1.4 Ensure password expiration warning days is 7 or more - PASS_WARN_AGE 5.5.1.4 Ensure password expiration warning days is 7 or more - users 5.5.1.5 Ensure inactive password lock is 30 days or less - INACTIVE 5.5.1.5 Ensure inactive password lock is 30 days or less - users 5.5.1.6 Ensure all users last password change date is in the past 5.5.2 Ensure system accounts are secured - /etc/passwd 5.5.2 Ensure system accounts are secured - passwd 5.5.3 Ensure default group for the root account is GID 0 5.5.4 Ensure default user shell timeout is configured 5.5.5 Ensure default user umask is configured - System Wide default 5.5.5 Ensure default user umask is configured - profiles 5.6 Ensure root login is restricted to system console 5.7 Ensure access to the su command is restricted 6.1.10 Ensure no ungrouped files or directories exist 6.1.11 Audit SUID executables 6.1.12 Audit SGID executables 6.1.5 Ensure permissions on /etc/passwd- are configured 6.1.6 Ensure permissions on /etc/shadow- are configured 6.1.7 Ensure permissions on /etc/group- are configured 6.1.8 Ensure no world writable files exist 6.1.9 Ensure no unowned files or directories exist 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords 6.2.10 Ensure no users have .netrc files 6.2.11 Ensure users' .netrc Files are not group or world accessible 6.2.12 Ensure no users have .rhosts files 6.2.13 Ensure all groups in /etc/passwd exist in /etc/group 6.2.14 Ensure no duplicate UIDs exist 6.2.15 Ensure no duplicate GIDs exist 6.2.16 Ensure no duplicate user names exist 6.2.17 Ensure no duplicate group names exist 6.2.18 Ensure shadow group is empty 6.2.2 Ensure /etc/shadow password fields are not empty 6.2.3 Ensure root is the only UID 0 account 6.2.4 Ensure root PATH Integrity 6.2.5 Ensure all users' home directories exist 6.2.6 Ensure users' home directories permissions are 750 or more restrictive 6.2.7 Ensure users own their home directories 6.2.8 Ensure users' dot files are not group or world writable 6.2.9 Ensure no users have .forward files Miscellaneous References updated. Added 3.3.9 Ensure IPv6 router advertisements are not accepted - sysctl ipv6 all 3.3.9 Ensure IPv6 router advertisements are not accepted - sysctl ipv6 default 3.3.9 Ensure IPv6 router advertisements are not accepted - sysctl.conf ipv6 all 3.3.9 Ensure IPv6 router advertisements are not accepted - sysctl.conf ipv6 default 3.5.2.1 Ensure loopback traffic is configured - ip saddr 127.0.0.0/8 3.5.2.1 Ensure loopback traffic is configured - lo accept Removed 3.3.9 Ensure IPv6 router advertisements are not accepted - sysctl ipv6 all 3.3.9 Ensure IPv6 router advertisements are not accepted - sysctl ipv6 default 3.3.9 Ensure IPv6 router advertisements are not accepted - sysctl.conf ipv6 all 3.3.9 Ensure IPv6 router advertisements are not accepted - sysctl.conf ipv6 default 3.5.2.1 Ensure loopback traffic is configured- ip saddr 127.0.0.0/8 3.5.2.1 Ensure loopback traffic is configured- lo accept
Revision 1.3 Mar 29, 2022 Miscellaneous Metadata updated. References updated. Removed 1.6.1.1 Ensure AppArmor is installed - apparmor-docs
Revision 1.2 Mar 18, 2022 Functional Update 5.5.2 Ensure system accounts are secured - /etc/passwd Miscellaneous Metadata updated. References updated.
Revision 1.1 Jun 17, 2021 Miscellaneous Metadata updated. References updated.

Detections

Analytics

CIS SUSE Linux Enterprise Server 12 L1 v3.0.0

Warning! Audit Deprecated

Audit Details

File Details

Audit Changelog

Revision 1.8

Miscellaneous

Revision 1.7

Functional Update

Revision 1.6

Miscellaneous

Revision 1.5

Functional Update

Revision 1.4

Functional Update

Informational Update

Miscellaneous

Added

Removed

Revision 1.3

Miscellaneous

Removed

Revision 1.2

Functional Update

Miscellaneous

Revision 1.1

Miscellaneous

Detections

Analytics

CIS SUSE Linux Enterprise Server 12 L1 v3.0.0 Download File

Warning! Audit Deprecated

Audit Details

File Details

Audit Changelog

Miscellaneous

Functional Update

Miscellaneous

Functional Update

Functional Update

Informational Update

Miscellaneous

Added

Removed

Miscellaneous

Removed

Functional Update

Miscellaneous

Miscellaneous

CIS SUSE Linux Enterprise Server 12 L1 v3.0.0