DISA SLES 15 STIG v1r6

Audit Details

Name: DISA SLES 15 STIG v1r6

Updated: 7/27/2022

Authority: DISA STIG

Plugin: Unix

Revision: 1.1

Estimated Item Count: 299

File Details

Filename: DISA_STIG_SLES_15_v1r6.audit

Size: 676 kB

MD5: 8b83d230a58f3fa80d6b8825ce05ca24
SHA256: 6b0c957594226cc214f905119e5b06628f0bb0ed40bdef7b23fe5c0e9e9fc447

Audit Items

DescriptionCategories
DISA_STIG_SLES_15_v1r6.audit from DISA SUSE Linux Enterprise Server 15 v1r6 STIG
SLES-15-010000 - The SUSE operating system must be a vendor-supported release.

SYSTEM AND INFORMATION INTEGRITY

SLES-15-010001 - The SUSE operating system must implement the Endpoint Security for Linux Threat Prevention tool - installed

SYSTEM AND INFORMATION INTEGRITY

SLES-15-010001 - The SUSE operating system must implement the Endpoint Security for Linux Threat Prevention tool - running

SYSTEM AND INFORMATION INTEGRITY

SLES-15-010010 - Vendor-packaged SUSE operating system security patches and updates must be installed and up to date.

SYSTEM AND INFORMATION INTEGRITY

SLES-15-010020 - The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via local console.

ACCESS CONTROL

SLES-15-010030 - The SUSE operating system must not have the vsftpd package installed if not required for operational support.

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

SLES-15-010040 - The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SSH - issue

ACCESS CONTROL

SLES-15-010040 - The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SSH - sshd_config

ACCESS CONTROL

SLES-15-010050 - The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface (GUI) - filename

ACCESS CONTROL

SLES-15-010050 - The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface (GUI) - text-info

ACCESS CONTROL

SLES-15-010050 - The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface (GUI) - title

ACCESS CONTROL

SLES-15-010060 - The SUSE operating system file /etc/gdm/banner must contain the Standard Mandatory DoD Notice and Consent banner text.

ACCESS CONTROL

SLES-15-010080 - The SUSE operating system must display a banner before granting local or remote access to the system via a graphical user logon.

ACCESS CONTROL

SLES-15-010090 - The SUSE operating system must display the approved Standard Mandatory DoD Notice before granting local or remote access to the system via a graphical user logon.

ACCESS CONTROL

SLES-15-010100 - The SUSE operating system must be able to lock the graphical user interface (GUI).

ACCESS CONTROL

SLES-15-010110 - The SUSE operating system must utilize vlock to allow for session locking.

ACCESS CONTROL

SLES-15-010120 - The SUSE operating system must initiate a session lock after a 15-minute period of inactivity for the graphical user interface (GUI) - GUI.

ACCESS CONTROL

SLES-15-010130 - The SUSE operating system must initiate a session lock after a 15-minute period of inactivity - export

ACCESS CONTROL

SLES-15-010130 - The SUSE operating system must initiate a session lock after a 15-minute period of inactivity - readonly

ACCESS CONTROL

SLES-15-010130 - The SUSE operating system must initiate a session lock after a 15-minute period of inactivity - TMOUT

ACCESS CONTROL

SLES-15-010140 - The SUSE operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image in the graphical user interface (GUI) - GUI.

ACCESS CONTROL

SLES-15-010150 - The SUSE operating system must log SSH connection attempts and failures to the server - LogLevel

ACCESS CONTROL

SLES-15-010160 - The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections.

ACCESS CONTROL

SLES-15-010170 - The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

IDENTIFICATION AND AUTHENTICATION

SLES-15-010180 - The SUSE operating system must not have the telnet-server package installed.

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

SLES-15-010190 - SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.

ACCESS CONTROL

SLES-15-010200 - SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.

ACCESS CONTROL

SLES-15-010220 - The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments - active

ACCESS CONTROL, CONFIGURATION MANAGEMENT

SLES-15-010220 - The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments - enabled

ACCESS CONTROL, CONFIGURATION MANAGEMENT

SLES-15-010220 - The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments - rules

ACCESS CONTROL, CONFIGURATION MANAGEMENT

SLES-15-010230 - The SUSE operating system must not have duplicate User IDs (UIDs) for interactive users.

IDENTIFICATION AND AUTHENTICATION

SLES-15-010240 - The SUSE operating system must disable the file system automounter unless required.

IDENTIFICATION AND AUTHENTICATION

SLES-15-010260 - The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs).

IDENTIFICATION AND AUTHENTICATION

SLES-15-010270 - The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.

ACCESS CONTROL, MAINTENANCE

SLES-15-010280 - The SUSE operating system SSH daemon must be configured with a timeout interval.

ACCESS CONTROL, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION

SLES-15-010300 - The sticky bit must be set on all SUSE operating system world-writable directories.

SYSTEM AND COMMUNICATIONS PROTECTION

SLES-15-010310 - The SUSE operating system must be configured to use TCP syncookies.

SYSTEM AND COMMUNICATIONS PROTECTION

SLES-15-010320 - The SUSE operating system for all network connections associated with SSH traffic must immediately terminate at the end of the session or after 10 minutes of inactivity.

ACCESS CONTROL, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION

SLES-15-010330 - All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.

SYSTEM AND COMMUNICATIONS PROTECTION

SLES-15-010340 - The SUSE operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

SYSTEM AND INFORMATION INTEGRITY

SLES-15-010350 - The SUSE operating system must prevent unauthorized users from accessing system error messages - permissions

SYSTEM AND INFORMATION INTEGRITY

SLES-15-010350 - The SUSE operating system must prevent unauthorized users from accessing system error messages - permissions.local

SYSTEM AND INFORMATION INTEGRITY

SLES-15-010351 - The SUSE operating system library files must have mode 0755 or less permissive.

CONFIGURATION MANAGEMENT

SLES-15-010352 - The SUSE operating system library directories must have mode 0755 or less permissive.

CONFIGURATION MANAGEMENT

SLES-15-010353 - The SUSE operating system library files must be owned by root.

CONFIGURATION MANAGEMENT

SLES-15-010354 - The SUSE operating system library directories must be owned by root.

CONFIGURATION MANAGEMENT

SLES-15-010355 - The SUSE operating system library files must be group-owned by root.

CONFIGURATION MANAGEMENT

SLES-15-010356 - The SUSE operating system library directories must be group-owned by root.

CONFIGURATION MANAGEMENT

SLES-15-010357 - The SUSE operating system must have system commands set to a mode of 0755 or less permissive.

CONFIGURATION MANAGEMENT