~/f/scap-security-guide/RPMS.2017 ~/f/scap-security-guide ~/f/scap-security-guide RPMS.2017/scap-security-guide-0.1.64-0.0.noarch.rpm RPMS/scap-security-guide-0.1.64-0.0.noarch.rpm differ: byte 225, line 1 Comparing scap-security-guide-0.1.64-0.0.noarch.rpm to scap-security-guide-0.1.64-0.0.noarch.rpm comparing the rpm tags of scap-security-guide --- old-rpm-tags +++ new-rpm-tags @@ -221,9 +221,9 @@ -/usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html b12ee82108b259b40e6024af1b52fc583dc7957daabf145a38cb1330d6d2af15 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_enhanced.html 1690139ac340d46be3465a08831e80699c9fe98ff6692242b342bca38b2daba8 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_high.html 96c58b340d5b37ae8ebab7692e28a51014a15fbaefd320f5cb1aade8d2c70874 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_intermediary.html f6e321d286ea4ed4f9f12ecb6b500ebebab2d005a922d870974b184979a6bd09 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_minimal.html 10ec0c95e6948a363f9ec48f0ea33f3957e8eac95939068125ff61cf10ea2a06 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html cde6ee371cbb7da027494d91a48ea44bbb369c3b67499235465491fe808e3872 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html f808ab00036273141473549e5cb9d974b398207dc06989b9c7169081746370f6 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html 3b685a05af9d8fc77093012fe20f5b2273be8b6d89ec2d1b869b9f406cbe41af 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html 2c0e8b3b084778b67effef723bcb54359af5568ce0b5b6e30bf1ed4f83185ca4 2 +/usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html fb507a6c7a0c61794e0cfe817f9de734c30013feca40d09e7c666e294e2a51cf 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_enhanced.html 961dce2fd4f1eb7ed88f0e9b8fcb639b377308f505293dff6214046cd66b0964 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_high.html 02513f98bacd695d2287aa69ef93f2774a8f60fbdbce307f0f075c3bebadcbbf 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_intermediary.html 0f940b477948e9d937123fea6e6643338b6b98c7d6f77d0c28eb6048c14cd3c3 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_minimal.html 3af921fd069dfe73bf8dda80bceced6b352bc1ceefcfc352fc2ccfbd8be2e7c0 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html b5743394a98c23ff4adf03c460a4e31e86527891f13131e53f35bf7e503cb9ca 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html 0733e12e4ea10390f824b5e5e3881effdd9a712ad29feb7d3ae999384897546c 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html 8fe1934fef5cd0aea6de38f2b387a092a492780a15347461f1f9f8ccdc492925 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html 233fe80b412b97c17d261ed6f2a6c1f5e52e1d601471eb12fcf76feee53ce004 2 @@ -231,11 +231,11 @@ -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html 86523abe1be1373e660c69aec2f4ca2e9a7ede50db542a154b2235c09b41a258 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html 54b7b5f5ef489ad5eee0b9b49e426c4ce516106eb056b5cbd5614df5989486b6 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_enhanced.html 88be6712a93c66f046c1ece9572c771d346a1049f7470c229b1b6bd972558bcb 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_high.html da62e0ebc963b26ec6070a39b709d3137028ed474c399339581d741b8fd541be 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_intermediary.html 6182096f62f6ea347e3c4add58d313cb66c9c78e94ca9aa4a8aad82923b97652 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_minimal.html c3dbcb19b3f37005cf33fe164f66919e2df1edc7e40b8de3b48e3c58f01f5041 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html f99c695ec9f82a9547c6e58d2346486e6802e0c8c87fc54ceb460d7d40548775 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html 04b38d89e68a9aaff87c98c33173ccf23f55c33232222a231cec12c850effaea 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html e8afb9e62bb154641fcf8cc24f87568b3b6297c29187e07fc8a9f2a4f8d69516 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html d965e1282774ceaa99a68b4da6cfdda5945b4ed184130ea301df5321b18b5214 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html 70643d0028da0e21b56d84483723147a5b1f474b9d103b1a84fb0ab884b49e28 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html a93fceff170473cf51a286efc91b00e77d728104c9374cdbc0e0fbecca982e63 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html 093c674b76a5dd03cbef4a48a6a84d92f65fa78e326cd62f797495c0e9d4f062 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_enhanced.html 719bcd6b16cc67f069804179d3d3dc2243281968f1bc454c0773bc9cc769a49f 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_high.html a53faa1be60169da3d109f4fee4af7065ecb48035c69534d8fad6696f21d6fa5 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_intermediary.html 57ab65907d361d33f16d0573b258e758e51c6d69707e6430c47f5e575da70ba6 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_minimal.html 3a7428fcda9467710733deccddf0f6a9a10454c43d21db16d16785c078e34a1d 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html 15a3dcdd2319c78f39cf1c8bf19bc72609018695280fbb0cab4c067ad4517fd6 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html f291a2b9718deff2bec238ff2438bea105cf03116f22dd5b686a88bba69e1369 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html 0774a5fc1cd17cc68e951b67eebe5a0cc6ce1c70c94c7284f0127f281bb4cd63 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html 5974570182457f920891cbec9343f7afb35624e9ca583e34282d74fa9158edb8 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html 21df03d591217e0262426e8cccc9b19a0cfeb72b6f13596dc7ba6a90a7b95382 2 @@ -243,4 +243,4 @@ -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html ca46df20e459c1788be7bf271ca2fdd0c69e423c1c5f8772912ed1d38a57eec9 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening.html 0dda23df31094a7a2beb7027b5f38a3081826a0ce1fdb4c405cb2b31c43dc225 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html 43ef495cd0738780cf14ef34f1ae30a1b34a224258ac176148d7f6c596d67bfd 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html 90c27f7716f4c0a89b5f6b5e9443a581b43a205d493302ced4df2e848580f0b5 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html 4688ded3d439a459ce73ff33e91b4841cfa16cfbdbad4279253865690d98974d 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening.html 162d9969df5df13d18aa50ef3421f57ccf0f1e659926081e540cde80d4a58ed4 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html 044f94384ce0d0662abb1570eba52139ae2802804aedbfa6c113e0e3699c684a 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html 99a65ad60ede98682ce7bf9fe0e69b7303f3217d20f73582e2f71907cf01ea1c 2 @@ -314,3 +314,3 @@ -/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 620eaf685ef540ee0f24e3eb02433c48859a527bdbc4fb21b978a37aacf52376 0 -/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 04130d47fddc5940e5cce12d4fc8c82b6ebb9ba34be84c8d52aec181bc235166 0 -/usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 6d03d5ae8b8ea7ae005085dea8c18ef7d7e24169e8e12623a31c642e5ca5930a 0 +/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml a55b6c7f087f851df27847030b635016af8e14b54683e689252edd77df5e9bee 0 +/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 38c891fe2384d3c3b2c753131d5559a9c596d7dfb921f0c3404464aa004a7fbf 0 +/usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 3bedfbacfd1e00722317d8b17969fb9fa3ea9fa36c5a755cd02694090d96fe75 0 @@ -318 +318 @@ -/usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 103b30af02da876fe19e0110d6f9970b41e8f87e2d5fd912507db68ed674e5e4 0 +/usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 3a54283dc6552e3df23d37a2aab0d1ebf32a1861a1fe1ee1b923306e373284f3 0 @@ -321,3 +321,3 @@ -/usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 2cb81bdc5162e17f2de3d1d61f3c1d4e2b38a063c556d3c807f3846f324e6893 0 -/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 0c5849b9a1fefff6ed3297a4707f50e95783c68b05cc739e4ba34bde5ca6c520 0 -/usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml c100a277cf622c089c21d01cd07f785c8dc43061154a4b44330889f22d3a66f0 0 +/usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 93c3831b2f88b02ab07d25d5ddafc9937aa3fdbb0d4f514f26c946d7fbd098ff 0 +/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 72bc7c6555bb36269127ef0b79a78113fa3a44ca4f967d352f620fb1c0939638 0 +/usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml b41f7543221648d9169a621ee7c56a86aafafba252254e29529f6f5bd160d0e6 0 @@ -325 +325 @@ -/usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 55085e66c5746daf168657659f6e7af0c886d104f9a20e20c34171f66d6d6f03 0 +/usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 4e4e091bdb34f06d3b19e849e522ba8a42e6c86ac1b79aedd467577b64c092fd 0 @@ -328,3 +328,3 @@ -/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml d3e5a174884b8ad45587fe60733209445f972dfa717a83f60cacd770c958d433 0 -/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 6399c374826cd8d81f297aab25d8e68ee0659d40a0f7a79c7ee685d2928f79af 0 -/usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml b490f6c4a8bc49d8883f9736ce3a19a7938e187dafc47e4e937d5792d39cc047 0 +/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 7c09256cbd55ebd6213c4b8669e0c18f641a2c6cb9fc110a33e10d7eef4366a9 0 +/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml ad84a0b33c0e774304297326a2387115c8e3f60978a11e3d1e535ecc0a5b3c55 0 +/usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml 45293ea76f5e81be19641acfad8b907a9bdf6fd4962150e8190a1f51e9f8c4ae 0 @@ -332 +332 @@ -/usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 499cb414235e345d16b386d67eb1cbb970e34dbf6b6c42e2b49af5ae42e79713 0 +/usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml f8a94e544e5377c7cee9be0570cde82d2da09bfd0b57b4c5be9223d74e7f531c 0 comparing rpmtags comparing RELEASE comparing PROVIDES comparing scripts comparing filelist comparing file checksum creating rename script RPM file checksum differs. Extracting packages /usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html 2022-11-25 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html 2022-11-25 00:00:00.000000000 +0000 @@ -67,7 +67,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleStandard System Security Profile for openSUSE
Profile IDxccdf_org.ssgproject.content_profile_standard

CPE Platforms

  • cpe:/o:opensuse:leap:42.1
  • cpe:/o:opensuse:leap:42.2
  • cpe:/o:opensuse:leap:42.3
  • cpe:/o:opensuse:leap:15.0

Revision History

Current version: 0.1.64

Table of Contents

  1. System Settings
    1. File Permissions and Masks

Checklist

Group   Guide to the Secure Configuration of openSUSE   Group contains 4 groups and 3 rules
Group   @@ -113,11 +113,7 @@ Verify Group Who Owns passwd File   [ref]
To properly set the group owner of /etc/passwd, run the command:
$ sudo chgrp root /etc/passwd
Rationale:
The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd
Identifiers and References

References:  - 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227


Complexity:low
Disruption:low
Strategy:configure
- name: Test for existence /etc/passwd
   stat:
     path: /etc/passwd
   register: file_exists
@@ -149,15 +145,15 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+

Complexity:low
Disruption:low
Strategy:configure

+
+
+chgrp 0 /etc/passwd
 

Rule   Verify User Who Owns passwd File   [ref]

To properly set the owner of /etc/passwd, run the command:
$ sudo chown root /etc/passwd 
Rationale:
The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_file_owner_etc_passwd
Identifiers and References

References:  - 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227


Complexity:low
Disruption:low
Strategy:configure
- name: Test for existence /etc/passwd
   stat:
     path: /etc/passwd
   register: file_exists
@@ -189,6 +185,10 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+

Complexity:low
Disruption:low
Strategy:configure

+
+
+chown 0 /etc/passwd
 

Rule   Verify Permissions on passwd File   [ref]

@@ -197,12 +197,7 @@ world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
Identifiers and References

References:  - BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227


Complexity:low
Disruption:low
Strategy:configure
- name: Test for existence /etc/passwd
   stat:
     path: /etc/passwd
   register: file_exists
@@ -234,6 +229,11 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+

Complexity:low
Disruption:low
Strategy:configure

+
+
+
+chmod u-xs,g-xws,o-xwt /etc/passwd
 
Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their /usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_enhanced.html 2022-11-25 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_enhanced.html 2022-11-25 00:00:00.000000000 +0000 @@ -77,7 +77,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (enhanced)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:12
  • cpe:/o:suse:linux_enterprise_desktop:12

Revision History

Current version: 0.1.64

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 61 groups and 162 rules
Group   @@ -122,15 +122,7 @@
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References

Identifiers:  CCE-83067-9

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -147,17 +139,25 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-


+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
 
 class install_aide {
   package { 'aide':
     ensure => 'installed',
   }
 }
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: @@ -180,18 +180,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-91483-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -263,6 +252,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Disk Partitioning   Group contains 10 rules
[ref]   @@ -398,15 +398,7 @@ is to give as few privileges as possible but still allow system users to get their work done.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_sudo_installedIdentifiers and References

Identifiers:  CCE-91491-1

References:  - BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.1.1


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
+            BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.1.1


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -420,17 +412,25 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-


+


 [[packages]]
 name = "sudo"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
+

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure => 'installed',
   }
 }
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "sudo"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Ensure sudo Runs In A Minimal Environment - sudo env_reset   [ref]

The sudo env_reset tag, when specified, will run the command in a minimal environment, @@ -440,27 +440,7 @@ in /etc/sudoers.d/.
Rationale:
Forcing sudo to reset the environment ensures that environment variables are not passed on to the command accidentaly, preventing leak of potentially sensitive information.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_env_reset
Identifiers and References

Identifiers:  CCE-91492-9

References:  - BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict

-if /usr/sbin/visudo -qcf /etc/sudoers; then
-    cp /etc/sudoers /etc/sudoers.bak
-    if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
-        # sudoers file doesn't define Option env_reset
-        echo "Defaults env_reset" >> /etc/sudoers
-    fi
-    
-    # Check validity of sudoers and cleanup bak
-    if /usr/sbin/visudo -qcf /etc/sudoers; then
-        rm -f /etc/sudoers.bak
-    else
-        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
-        mv /etc/sudoers.bak /etc/sudoers
-        false
-    fi
-else
-    echo "Skipping remediation, /etc/sudoers failed to validate"
-    false
-fi
-

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
+            BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
   lineinfile:
     path: /etc/sudoers
     regexp: ^[\s]*Defaults.*\benv_reset\b.*$
@@ -474,21 +454,12 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_add_env_reset
-

Rule   - Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot -   [ref]

The sudo ignore_dot tag, when specified, will ignore the current directory -in the PATH environment variable. -This should be enabled by making sure that the ignore_dot tag exists in -/etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/.
Rationale:
Ignoring the commands in the user's current directory prevents an attacker from executing commands -downloaded locally.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot
Identifiers and References

Identifiers:  - CCE-91493-7

References:  - BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict

+

Complexity:low
Disruption:low
Strategy:restrict

 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
-    if ! grep -P '^[\s]*Defaults[\s]*\bignore_dot\b.*$' /etc/sudoers; then
-        # sudoers file doesn't define Option ignore_dot
-        echo "Defaults ignore_dot" >> /etc/sudoers
+    if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
+        # sudoers file doesn't define Option env_reset
+        echo "Defaults env_reset" >> /etc/sudoers
     fi
     
     # Check validity of sudoers and cleanup bak
@@ -503,7 +474,16 @@
     echo "Skipping remediation, /etc/sudoers failed to validate"
     false
 fi
-

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure ignore_dot is enabled in /etc/sudoers
+

Rule   /usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_high.html 2022-11-25 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_high.html 2022-11-25 00:00:00.000000000 +0000 @@ -77,7 +77,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (high)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_high

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:12
  • cpe:/o:suse:linux_enterprise_desktop:12

Revision History

Current version: 0.1.64

  • draft - (as of 2022-12-09) + (as of 2039-01-10)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 61 groups and 175 rules
Group   @@ -122,15 +122,7 @@
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References

Identifiers:  CCE-83067-9

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -147,17 +139,25 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-


+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
 
 class install_aide {
   package { 'aide':
     ensure => 'installed',
   }
 }
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: @@ -180,18 +180,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-91483-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -263,6 +252,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Periodic Execution of AIDE   [ref]

At a minimum, AIDE should be configured to run a weekly scan. @@ -286,22 +286,7 @@ Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References

Identifiers:  CCE-91529-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -403,6 +388,21 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Notification of Post-AIDE Scan Details   [ref]

AIDE should notify appropriate personnel of the details of a scan after the scan has been run. @@ -422,33 +422,7 @@ Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_scan_notification
Identifiers and References

Identifiers:  CCE-83048-9

References:  - BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, SI-6d, DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-12-010510, SV-217149r603262_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-var_aide_scan_notification_email='root@localhost'
-
-
-CRONTAB=/etc/crontab
-CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'
-
-# NOTE: on some platforms, /etc/crontab may not exist
-if [ -f /etc/crontab ]; then
-	CRONTAB_EXIST=/etc/crontab
-fi
-
-if [ -f /var/spool/cron/root ]; then
-	VARSPOOL=/var/spool/cron/root
-fi
-
-if ! grep -qR '^.*/usr/bin/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*.*@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then
-	echo "0 5 * * * root /usr/bin/aide  --check | /bin/mail -s \"\$(hostname) - AIDE Integrity Check\" $var_aide_scan_notification_email" >> $CRONTAB
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: XCCDF Value var_aide_scan_notification_email # promote to variable
   set_fact:
     var_aide_scan_notification_email: !!str root@localhost
   tags:
@@ -492,6 +466,32 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+var_aide_scan_notification_email='root@localhost'
+
+
+CRONTAB=/etc/crontab
+CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'
+
+# NOTE: on some platforms, /etc/crontab may not exist
+if [ -f /etc/crontab ]; then
+	CRONTAB_EXIST=/etc/crontab
+fi
+
+if [ -f /var/spool/cron/root ]; then
+	VARSPOOL=/var/spool/cron/root
+fi
+
+if ! grep -qR '^.*/usr/bin/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*.*@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then
+	echo "0 5 * * * root /usr/bin/aide  --check | /bin/mail -s \"\$(hostname) - AIDE Integrity Check\" $var_aide_scan_notification_email" >> $CRONTAB
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_intermediary.html	2022-11-25 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_intermediary.html	2022-11-25 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitleANSSI-BP-028 (intermediary)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:12
  • cpe:/o:suse:linux_enterprise_desktop:12

Revision History

Current version: 0.1.64

  • draft - (as of 2022-12-09) + (as of 2039-01-10)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 57 groups and 151 rules
Group   @@ -122,15 +122,7 @@
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References

Identifiers:  CCE-83067-9

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -147,17 +139,25 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-


+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
 
 class install_aide {
   package { 'aide':
     ensure => 'installed',
   }
 }
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: @@ -180,18 +180,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-91483-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -263,6 +252,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Disk Partitioning   Group contains 10 rules
[ref]   @@ -398,15 +398,7 @@ is to give as few privileges as possible but still allow system users to get their work done.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_sudo_installed
Identifiers and References

Identifiers:  CCE-91491-1

References:  - BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.1.1


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
+            BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.1.1


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -420,17 +412,25 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-


+


 [[packages]]
 name = "sudo"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
+

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure => 'installed',
   }
 }
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "sudo"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Ensure sudo Runs In A Minimal Environment - sudo env_reset   [ref]

The sudo env_reset tag, when specified, will run the command in a minimal environment, @@ -440,27 +440,7 @@ in /etc/sudoers.d/.
Rationale:
Forcing sudo to reset the environment ensures that environment variables are not passed on to the command accidentaly, preventing leak of potentially sensitive information.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_env_reset
Identifiers and References

Identifiers:  CCE-91492-9

References:  - BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict

-if /usr/sbin/visudo -qcf /etc/sudoers; then
-    cp /etc/sudoers /etc/sudoers.bak
-    if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
-        # sudoers file doesn't define Option env_reset
-        echo "Defaults env_reset" >> /etc/sudoers
-    fi
-    
-    # Check validity of sudoers and cleanup bak
-    if /usr/sbin/visudo -qcf /etc/sudoers; then
-        rm -f /etc/sudoers.bak
-    else
-        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
-        mv /etc/sudoers.bak /etc/sudoers
-        false
-    fi
-else
-    echo "Skipping remediation, /etc/sudoers failed to validate"
-    false
-fi
-

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
+            BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
   lineinfile:
     path: /etc/sudoers
     regexp: ^[\s]*Defaults.*\benv_reset\b.*$
@@ -474,21 +454,12 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_add_env_reset
-

Rule   - Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot -   [ref]

The sudo ignore_dot tag, when specified, will ignore the current directory -in the PATH environment variable. -This should be enabled by making sure that the ignore_dot tag exists in -/etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/.
Rationale:
Ignoring the commands in the user's current directory prevents an attacker from executing commands -downloaded locally.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot
Identifiers and References

Identifiers:  - CCE-91493-7

References:  - BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict

+

Complexity:low
Disruption:low
Strategy:restrict

 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
-    if ! grep -P '^[\s]*Defaults[\s]*\bignore_dot\b.*$' /etc/sudoers; then
-        # sudoers file doesn't define Option ignore_dot
-        echo "Defaults ignore_dot" >> /etc/sudoers
+    if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
+        # sudoers file doesn't define Option env_reset
+        echo "Defaults env_reset" >> /etc/sudoers
     fi
     
     # Check validity of sudoers and cleanup bak
@@ -503,7 +474,16 @@
     echo "Skipping remediation, /etc/sudoers failed to validate"
     false
 fi
-

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure ignore_dot is enabled in /etc/sudoers
+

Rule   /usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_minimal.html 2022-11-25 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_minimal.html 2022-11-25 00:00:00.000000000 +0000 @@ -77,7 +77,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (minimal)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_minimal

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:12
  • cpe:/o:suse:linux_enterprise_desktop:12

Revision History

Current version: 0.1.64

  • draft - (as of 2022-12-09) + (as of 2039-01-10)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. Configure Syslog
    4. File Permissions and Masks
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Obsolete Services

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 27 groups and 35 rules
Group   @@ -109,22 +109,7 @@ When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
Identifiers and References

Identifiers:  CCE-83013-3

References:  - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SLES-12-010110, SV-217112r646686_rule


Complexity:low
Disruption:low
Strategy:restrict

-for f in /etc/sudoers /etc/sudoers.d/* ; do
-  if [ ! -e "$f" ] ; then
-    continue
-  fi
-  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
-  if ! test -z "$matching_list"; then
-    while IFS= read -r entry; do
-      # comment out "!authenticate" matches to preserve user data
-      sed -i "s/^${entry}$/# &/g" $f
-    done <<< "$matching_list"
-
-    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
-  fi
-done
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -161,34 +146,34 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_no_authenticate
-

Rule   - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD -   [ref]

The sudo NOPASSWD tag, when specified, allows a user to execute -commands using sudo without having to authenticate. This should be disabled -by making sure that the NOPASSWD tag does not exist in -/etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they -do not have authorization. -

-When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References

Identifiers:  - CCE-83012-5

References:  - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SLES-12-010110, SV-217112r646686_rule


Complexity:low
Disruption:low
Strategy:restrict

+

Complexity:low
Disruption:low
Strategy:restrict

 for f in /etc/sudoers /etc/sudoers.d/* ; do
   if [ ! -e "$f" ] ; then
     continue
   fi
-  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
-      # comment out "NOPASSWD" matches to preserve user data
+      # comment out "!authenticate" matches to preserve user data
       sed -i "s/^${entry}$/# &/g" $f
     done <<< "$matching_list"
 
     /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
   fi
 done
-

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
+

Rule   + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD +   [ref]

The sudo NOPASSWD tag, when specified, allows a user to execute +commands using sudo without having to authenticate. This should be disabled +by making sure that the NOPASSWD tag does not exist in +/etc/sudoers configuration file or any sudo configuration snippets +in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they +do not have authorization. +

+When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References

Identifiers:  + CCE-83012-5

References:  + BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SLES-12-010110, SV-217112r646686_rule


Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -225,6 +210,21 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_nopasswd
+

Complexity:low
Disruption:low
Strategy:restrict

+for f in /etc/sudoers /etc/sudoers.d/* ; do
+  if [ ! -e "$f" ] ; then
+    continue
+  fi
+  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      # comment out "NOPASSWD" matches to preserve user data
+      sed -i "s/^${entry}$/# &/g" $f
+    done <<< "$matching_list"
+
+    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+  fi
+done
 
Group   Updating Software   Group contains 9 rules
[ref]   @@ -244,9 +244,7 @@ $ sudo zypper install dnf-automatic
Rationale:
dnf-automatic is an alternative command line interface (CLI) to dnf upgrade suitable for automatic, regular execution.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed
Identifiers and References

Identifiers:  CCE-91476-2

References:  - BP28(R8), SRG-OS-000191-GPOS-00080


Complexity:low
Disruption:low
Strategy:enable

-zypper install -y "dnf-automatic"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure dnf-automatic is installed
+            BP28(R8), SRG-OS-000191-GPOS-00080


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -258,17 +256,19 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-


+


 [[packages]]
 name = "dnf-automatic"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_dnf-automatic
+

Complexity:low
Disruption:low
Strategy:enable
include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure => 'installed',
   }
 }
+

Complexity:low
Disruption:low
Strategy:enable

+zypper install -y "dnf-automatic"
 

Rule   Configure dnf-automatic to Install Available Updates Automatically   [ref]

To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf.
Rationale:
Installing software updates is a fundamental mitigation against @@ -279,7 +279,25 @@ The automated installation of updates ensures that recent security patches are applied in a timely manner.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates
Identifiers and References

Identifiers:  CCE-91474-7

References:  - BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080


Complexity:low
Disruption:medium
- name: Configure dnf-automatic to Install Available Updates Automatically
+  ini_file:
+    dest: /etc/dnf/automatic.conf
+    section: commands
+    option: apply_updates
+    value: 'yes'
+    create: true
+  tags:
+  - CCE-91474-7
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-SI-2(5)
+  - NIST-800-53-SI-2(c)
+  - dnf-automatic_apply_updates
+  - low_complexity
+  - medium_disruption
+  - medium_severity
+  - no_reboot_needed
+  - unknown_strategy
+


 found=false
 
 # set value in all files if they contain section or key
@@ -306,33 +324,33 @@
     mkdir -p "$(dirname "$file")"
     echo -e "[commands]\napply_updates = yes" >> "$file"
 fi
-

Complexity:low
Disruption:medium
- name: Configure dnf-automatic to Install Available Updates Automatically
+

Rule   + Configure dnf-automatic to Install Only Security Updates +   [ref]

To configure dnf-automatic to install only security updates +automatically, set upgrade_type to security under +[commands] section in /etc/dnf/automatic.conf.
Rationale:
By default, dnf-automatic installs all available updates. +Reducing the amount of updated packages only to updates that were +issued as a part of a security advisory increases the system stability.
Severity: 
low
Rule ID:xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only
Identifiers and References

Identifiers:  + CCE-91478-8

References:  + BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080


Complexity:low
Disruption:medium
- name: Configure dnf-automatic to Install Only Security Updates
   ini_file:
     dest: /etc/dnf/automatic.conf
     section: commands
-    option: apply_updates
-    value: 'yes'
+    option: upgrade_type
+    value: security
     create: true
   tags:
-  - CCE-91474-7
+  - CCE-91478-8
   - NIST-800-53-CM-6(a)
   - NIST-800-53-SI-2(5)
   - NIST-800-53-SI-2(c)
-  - dnf-automatic_apply_updates
+  - dnf-automatic_security_updates_only
   - low_complexity
+  - low_severity
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html	2022-11-25 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html	2022-11-25 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitleCIS SUSE Linux Enterprise 12 Benchmark for Level 2 - Server
Profile IDxccdf_org.ssgproject.content_profile_cis

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:12
  • cpe:/o:suse:linux_enterprise_desktop:12

Revision History

Current version: 0.1.64

  • draft - (as of 2022-12-09) + (as of 2039-01-10)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. AppArmor
    5. GRUB2 bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Proxy Server
    14. Samba(SMB) Microsoft Windows File Sharing Server
    15. SNMP Server
    16. SSH Server
    17. X Window System

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 100 groups and 256 rules
Group   @@ -115,15 +115,7 @@
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References

Identifiers:  CCE-83067-9

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -140,17 +132,25 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-


+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
 
 class install_aide {
   package { 'aide':
     ensure => 'installed',
   }
 }
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: @@ -173,18 +173,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-91483-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -256,6 +245,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Periodic Execution of AIDE   [ref]

At a minimum, AIDE should be configured to run a weekly scan. @@ -279,22 +279,7 @@ Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References

Identifiers:  CCE-91529-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -396,6 +381,21 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Sudo   Group contains 3 rules
[ref]   @@ -580,15 +580,7 @@ is to give as few privileges as possible but still allow system users to get their work done.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_sudo_installed
Identifiers and References

Identifiers:  CCE-91491-1

References:  - BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.1.1


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
+            BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.1.1


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -602,17 +594,25 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-


+


 [[packages]]
 name = "sudo"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
+

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html	2022-11-25 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html	2022-11-25 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitleCIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Server
Profile IDxccdf_org.ssgproject.content_profile_cis_server_l1

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:12
  • cpe:/o:suse:linux_enterprise_desktop:12

Revision History

Current version: 0.1.64

  • draft - (as of 2022-12-09) + (as of 2039-01-10)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. AppArmor
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Proxy Server
    14. Samba(SMB) Microsoft Windows File Sharing Server
    15. SNMP Server
    16. SSH Server
    17. X Window System

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 89 groups and 193 rules
Group   @@ -115,15 +115,7 @@
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References

Identifiers:  CCE-83067-9

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -140,17 +132,25 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-


+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
 
 class install_aide {
   package { 'aide':
     ensure => 'installed',
   }
 }
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: @@ -173,18 +173,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-91483-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -256,6 +245,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Periodic Execution of AIDE   [ref]

At a minimum, AIDE should be configured to run a weekly scan. @@ -279,22 +279,7 @@ Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References

Identifiers:  CCE-91529-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -396,6 +381,21 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Sudo   Group contains 3 rules
[ref]   @@ -530,15 +530,7 @@ is to give as few privileges as possible but still allow system users to get their work done.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_sudo_installed
Identifiers and References

Identifiers:  CCE-91491-1

References:  - BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.1.1


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
+            BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.1.1


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -552,17 +544,25 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-


+


 [[packages]]
 name = "sudo"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
+

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html	2022-11-25 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html	2022-11-25 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitleCIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Workstation
Profile IDxccdf_org.ssgproject.content_profile_cis_workstation_l1

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:12
  • cpe:/o:suse:linux_enterprise_desktop:12

Revision History

Current version: 0.1.64

  • draft - (as of 2022-12-09) + (as of 2039-01-10)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. AppArmor
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Cron and At Daemons
    2. DHCP
    3. DNS Server
    4. FTP Server
    5. Web Server
    6. IMAP and POP3 Server
    7. LDAP
    8. Mail Server Software
    9. NFS and RPC
    10. Network Time Protocol
    11. Obsolete Services
    12. Proxy Server
    13. Samba(SMB) Microsoft Windows File Sharing Server
    14. SNMP Server
    15. SSH Server

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 83 groups and 190 rules
Group   @@ -115,15 +115,7 @@
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References

Identifiers:  CCE-83067-9

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -140,17 +132,25 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-


+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
 
 class install_aide {
   package { 'aide':
     ensure => 'installed',
   }
 }
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: @@ -173,18 +173,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-91483-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -256,6 +245,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Periodic Execution of AIDE   [ref]

At a minimum, AIDE should be configured to run a weekly scan. @@ -279,22 +279,7 @@ Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References

Identifiers:  CCE-91529-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -396,6 +381,21 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Sudo   Group contains 3 rules
[ref]   @@ -530,15 +530,7 @@ is to give as few privileges as possible but still allow system users to get their work done.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_sudo_installed
Identifiers and References

Identifiers:  CCE-91491-1

References:  - BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.1.1


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
+            BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.1.1


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -552,17 +544,25 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-


+


 [[packages]]
 name = "sudo"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
+

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html	2022-11-25 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html	2022-11-25 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitleCIS SUSE Linux Enterprise 12 Benchmark Level 2 - Workstation
Profile IDxccdf_org.ssgproject.content_profile_cis_workstation_l2

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:12
  • cpe:/o:suse:linux_enterprise_desktop:12

Revision History

Current version: 0.1.64

  • draft - (as of 2022-12-09) + (as of 2039-01-10)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. AppArmor
    5. GRUB2 bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Proxy Server
    14. Samba(SMB) Microsoft Windows File Sharing Server
    15. SNMP Server
    16. SSH Server

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 98 groups and 255 rules
Group   @@ -115,15 +115,7 @@
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References

Identifiers:  CCE-83067-9

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -140,17 +132,25 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-


+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
 
 class install_aide {
   package { 'aide':
     ensure => 'installed',
   }
 }
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: @@ -173,18 +173,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-91483-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -256,6 +245,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Periodic Execution of AIDE   [ref]

At a minimum, AIDE should be configured to run a weekly scan. @@ -279,22 +279,7 @@ Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References

Identifiers:  CCE-91529-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -396,6 +381,21 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Sudo   Group contains 3 rules
[ref]   @@ -580,15 +580,7 @@ is to give as few privileges as possible but still allow system users to get their work done.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_sudo_installed
Identifiers and References

Identifiers:  CCE-91491-1

References:  - BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.1.1


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
+            BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.1.1


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -602,17 +594,25 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-


+


 [[packages]]
 name = "sudo"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
+

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html	2022-11-25 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html	2022-11-25 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitleStandard System Security Profile for SUSE Linux Enterprise 12
Profile IDxccdf_org.ssgproject.content_profile_standard

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:12
  • cpe:/o:suse:linux_enterprise_desktop:12

Revision History

Current version: 0.1.64

  • draft - (as of 2022-12-09) + (as of 2039-01-10)

Table of Contents

  1. System Settings
    1. File Permissions and Masks

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 4 groups and 3 rules
Group   @@ -113,11 +113,7 @@ Verify Group Who Owns passwd File   [ref]
To properly set the group owner of /etc/passwd, run the command:
$ sudo chgrp root /etc/passwd
Rationale:
The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd
Identifiers and References

References:  - 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.2


Complexity:low
Disruption:low
Strategy:configure
- name: Test for existence /etc/passwd
   stat:
     path: /etc/passwd
   register: file_exists
@@ -149,15 +145,15 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+

Complexity:low
Disruption:low
Strategy:configure

+
+
+chgrp 0 /etc/passwd
 

Rule   Verify User Who Owns passwd File   [ref]

To properly set the owner of /etc/passwd, run the command:
$ sudo chown root /etc/passwd 
Rationale:
The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_file_owner_etc_passwd
Identifiers and References

References:  - 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.2


Complexity:low
Disruption:low
Strategy:configure
- name: Test for existence /etc/passwd
   stat:
     path: /etc/passwd
   register: file_exists
@@ -189,6 +185,10 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+

Complexity:low
Disruption:low
Strategy:configure

+
+
+chown 0 /etc/passwd
 

Rule   Verify Permissions on passwd File   [ref]

@@ -198,12 +198,7 @@ accounts on the system and associated information, and protection of this file is critical for system security.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
Identifiers and References

Identifiers:  CCE-91452-3

References:  - BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.2


Complexity:low
Disruption:low
Strategy:configure
- name: Test for existence /etc/passwd
   stat:
     path: /etc/passwd
   register: file_exists
@@ -237,6 +232,11 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+

Complexity:low
Disruption:low
Strategy:configure

+
+
+
+chmod u-xs,g-xws,o-xwt /etc/passwd
 
Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their /usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html 2022-11-25 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html 2022-11-25 00:00:00.000000000 +0000 @@ -66,7 +66,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleDISA STIG for SUSE Linux Enterprise 12
Profile IDxccdf_org.ssgproject.content_profile_stig

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:12
  • cpe:/o:suse:linux_enterprise_desktop:12

Revision History

Current version: 0.1.64

  • draft - (as of 2022-12-09) + (as of 2039-01-10)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. AppArmor
    5. GRUB2 bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
  2. Services
    1. Base Services
    2. FTP Server
    3. Mail Server Software
    4. NFS and RPC
    5. Network Time Protocol
    6. Obsolete Services
    7. SSH Server
    8. System Security Services Daemon

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 83 groups and 237 rules
Group   @@ -111,15 +111,7 @@
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References

Identifiers:  CCE-83067-9

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -136,17 +128,25 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-


+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
 
 class install_aide {
   package { 'aide':
     ensure => 'installed',
   }
 }
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure AIDE to Verify the Audit Tools   [ref]

The operating system file integrity tool must be configured to protect the integrity of the audit tools.
Rationale:
Protecting the integrity of the tools used for auditing purposes is a @@ -169,66 +169,7 @@ manipulated, or replaced. An example is a checksum hash of the file or files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_check_audit_tools
Identifiers and References

Identifiers:  CCE-83204-8

References:  - CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-12-010540, SV-217152r603262_rule


Complexity:low
Disruption:low
Strategy:restrict
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-
-
-
-
-
-
-
-
-
-if grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/auditd.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/aureport.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/autrace.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/audispd.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/audispd.*#/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure aide is installed
+            CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-12-010540, SV-217152r603262_rule


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure aide is installed
   package:
     name: '{{ item }}'
     state: present
@@ -306,6 +247,65 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

Complexity:low
Disruption:low
Strategy:restrict
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+
+
+
+
+
+
+
+
+
+if grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/auditd.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/aureport.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/autrace.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/audispd.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/audispd.*#/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Notification of Post-AIDE Scan Details   [ref]

AIDE should notify appropriate personnel of the details of a scan after the scan has been run. @@ -325,33 +325,7 @@ Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_scan_notification
Identifiers and References

Identifiers:  CCE-83048-9

References:  - BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, SI-6d, DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-12-010510, SV-217149r603262_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-var_aide_scan_notification_email='root@localhost'
-
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_enhanced.html	2022-11-25 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_enhanced.html	2022-11-25 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitleANSSI-BP-028 (enhanced)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:15
  • cpe:/o:suse:linux_enterprise_desktop:15

Revision History

Current version: 0.1.64

  • draft - (as of 2022-12-09) + (as of 2039-01-10)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 15   Group contains 61 groups and 169 rules
Group   @@ -122,15 +122,7 @@
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References

Identifiers:  CCE-83289-9

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -147,17 +139,25 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-


+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
 
 class install_aide {
   package { 'aide':
     ensure => 'installed',
   }
 }
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: @@ -180,18 +180,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-85787-0

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -263,6 +252,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Disk Partitioning   Group contains 10 rules
[ref]   @@ -398,15 +398,7 @@ is to give as few privileges as possible but still allow system users to get their work done.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_sudo_installed
Identifiers and References

Identifiers:  CCE-91183-4

References:  - BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
+            BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -420,17 +412,25 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-


+


 [[packages]]
 name = "sudo"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
+

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure => 'installed',
   }
 }
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "sudo"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Ensure sudo Runs In A Minimal Environment - sudo env_reset   [ref]

The sudo env_reset tag, when specified, will run the command in a minimal environment, @@ -440,27 +440,7 @@ in /etc/sudoers.d/.
Rationale:
Forcing sudo to reset the environment ensures that environment variables are not passed on to the command accidentaly, preventing leak of potentially sensitive information.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_env_reset
Identifiers and References

Identifiers:  CCE-91184-2

References:  - BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict

-if /usr/sbin/visudo -qcf /etc/sudoers; then
-    cp /etc/sudoers /etc/sudoers.bak
-    if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
-        # sudoers file doesn't define Option env_reset
-        echo "Defaults env_reset" >> /etc/sudoers
-    fi
-    
-    # Check validity of sudoers and cleanup bak
-    if /usr/sbin/visudo -qcf /etc/sudoers; then
-        rm -f /etc/sudoers.bak
-    else
-        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
-        mv /etc/sudoers.bak /etc/sudoers
-        false
-    fi
-else
-    echo "Skipping remediation, /etc/sudoers failed to validate"
-    false
-fi
-

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
+            BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
   lineinfile:
     path: /etc/sudoers
     regexp: ^[\s]*Defaults.*\benv_reset\b.*$
@@ -474,21 +454,12 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_add_env_reset
-

Rule   - Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot -   [ref]

The sudo ignore_dot tag, when specified, will ignore the current directory -in the PATH environment variable. -This should be enabled by making sure that the ignore_dot tag exists in -/etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/.
Rationale:
Ignoring the commands in the user's current directory prevents an attacker from executing commands -downloaded locally.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot
Identifiers and References

Identifiers:  - CCE-91185-9

References:  - BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict

+

Complexity:low
Disruption:low
Strategy:restrict

 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
-    if ! grep -P '^[\s]*Defaults[\s]*\bignore_dot\b.*$' /etc/sudoers; then
-        # sudoers file doesn't define Option ignore_dot
-        echo "Defaults ignore_dot" >> /etc/sudoers
+    if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
+        # sudoers file doesn't define Option env_reset
+        echo "Defaults env_reset" >> /etc/sudoers
     fi
     
     # Check validity of sudoers and cleanup bak
@@ -503,7 +474,16 @@
     echo "Skipping remediation, /etc/sudoers failed to validate"
     false
 fi
-

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure ignore_dot is enabled in /etc/sudoers
+

Rule   /usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_high.html 2022-11-25 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_high.html 2022-11-25 00:00:00.000000000 +0000 @@ -77,7 +77,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (high)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_high

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:15
  • cpe:/o:suse:linux_enterprise_desktop:15

Revision History

Current version: 0.1.64

  • draft - (as of 2022-12-09) + (as of 2039-01-10)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 15   Group contains 61 groups and 182 rules
Group   @@ -122,15 +122,7 @@
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References

Identifiers:  CCE-83289-9

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -147,17 +139,25 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-


+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
 
 class install_aide {
   package { 'aide':
     ensure => 'installed',
   }
 }
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: @@ -180,18 +180,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-85787-0

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -263,6 +252,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Periodic Execution of AIDE   [ref]

At a minimum, AIDE should be configured to run a weekly scan. @@ -286,22 +286,7 @@ Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References

Identifiers:  CCE-85671-6

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -398,6 +383,21 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Notification of Post-AIDE Scan Details   [ref]

AIDE should notify appropriate personnel of the details of a scan after the scan has been run. @@ -417,33 +417,7 @@ Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_scan_notification
Identifiers and References

Identifiers:  CCE-91214-7

References:  - BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-var_aide_scan_notification_email='root@localhost'
-
-
-CRONTAB=/etc/crontab
-CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'
-
-# NOTE: on some platforms, /etc/crontab may not exist
-if [ -f /etc/crontab ]; then
-	CRONTAB_EXIST=/etc/crontab
-fi
-
-if [ -f /var/spool/cron/root ]; then
-	VARSPOOL=/var/spool/cron/root
-fi
-
-if ! grep -qR '^.*/usr/bin/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*.*@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then
-	echo "0 5 * * * root /usr/bin/aide  --check | /bin/mail -s \"\$(hostname) - AIDE Integrity Check\" $var_aide_scan_notification_email" >> $CRONTAB
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: XCCDF Value var_aide_scan_notification_email # promote to variable
   set_fact:
     var_aide_scan_notification_email: !!str root@localhost
   tags:
@@ -487,6 +461,32 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+var_aide_scan_notification_email='root@localhost'
+
+
+CRONTAB=/etc/crontab
+CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'
+
+# NOTE: on some platforms, /etc/crontab may not exist
+if [ -f /etc/crontab ]; then
+	CRONTAB_EXIST=/etc/crontab
+fi
+
+if [ -f /var/spool/cron/root ]; then
+	VARSPOOL=/var/spool/cron/root
+fi
+
+if ! grep -qR '^.*/usr/bin/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*.*@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then
+	echo "0 5 * * * root /usr/bin/aide  --check | /bin/mail -s \"\$(hostname) - AIDE Integrity Check\" $var_aide_scan_notification_email" >> $CRONTAB
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_intermediary.html	2022-11-25 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_intermediary.html	2022-11-25 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitleANSSI-BP-028 (intermediary)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:15
  • cpe:/o:suse:linux_enterprise_desktop:15

Revision History

Current version: 0.1.64

  • draft - (as of 2022-12-09) + (as of 2039-01-10)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 15   Group contains 57 groups and 158 rules
Group   @@ -122,15 +122,7 @@
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References

Identifiers:  CCE-83289-9

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -147,17 +139,25 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-


+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
 
 class install_aide {
   package { 'aide':
     ensure => 'installed',
   }
 }
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: @@ -180,18 +180,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-85787-0

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -263,6 +252,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Disk Partitioning   Group contains 10 rules
[ref]   @@ -398,15 +398,7 @@ is to give as few privileges as possible but still allow system users to get their work done.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_sudo_installed
Identifiers and References

Identifiers:  CCE-91183-4

References:  - BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
+            BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -420,17 +412,25 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-


+


 [[packages]]
 name = "sudo"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
+

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure => 'installed',
   }
 }
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "sudo"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Ensure sudo Runs In A Minimal Environment - sudo env_reset   [ref]

The sudo env_reset tag, when specified, will run the command in a minimal environment, @@ -440,27 +440,7 @@ in /etc/sudoers.d/.
Rationale:
Forcing sudo to reset the environment ensures that environment variables are not passed on to the command accidentaly, preventing leak of potentially sensitive information.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_env_reset
Identifiers and References

Identifiers:  CCE-91184-2

References:  - BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict

-if /usr/sbin/visudo -qcf /etc/sudoers; then
-    cp /etc/sudoers /etc/sudoers.bak
-    if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
-        # sudoers file doesn't define Option env_reset
-        echo "Defaults env_reset" >> /etc/sudoers
-    fi
-    
-    # Check validity of sudoers and cleanup bak
-    if /usr/sbin/visudo -qcf /etc/sudoers; then
-        rm -f /etc/sudoers.bak
-    else
-        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
-        mv /etc/sudoers.bak /etc/sudoers
-        false
-    fi
-else
-    echo "Skipping remediation, /etc/sudoers failed to validate"
-    false
-fi
-

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
+            BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
   lineinfile:
     path: /etc/sudoers
     regexp: ^[\s]*Defaults.*\benv_reset\b.*$
@@ -474,21 +454,12 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_add_env_reset
-

Rule   - Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot -   [ref]

The sudo ignore_dot tag, when specified, will ignore the current directory -in the PATH environment variable. -This should be enabled by making sure that the ignore_dot tag exists in -/etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/.
Rationale:
Ignoring the commands in the user's current directory prevents an attacker from executing commands -downloaded locally.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot
Identifiers and References

Identifiers:  - CCE-91185-9

References:  - BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict

+

Complexity:low
Disruption:low
Strategy:restrict

 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
-    if ! grep -P '^[\s]*Defaults[\s]*\bignore_dot\b.*$' /etc/sudoers; then
-        # sudoers file doesn't define Option ignore_dot
-        echo "Defaults ignore_dot" >> /etc/sudoers
+    if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
+        # sudoers file doesn't define Option env_reset
+        echo "Defaults env_reset" >> /etc/sudoers
     fi
     
     # Check validity of sudoers and cleanup bak
@@ -503,7 +474,16 @@
     echo "Skipping remediation, /etc/sudoers failed to validate"
     false
 fi
-

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure ignore_dot is enabled in /etc/sudoers
+

Rule   /usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_minimal.html 2022-11-25 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_minimal.html 2022-11-25 00:00:00.000000000 +0000 @@ -77,7 +77,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (minimal)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_minimal

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:15
  • cpe:/o:suse:linux_enterprise_desktop:15

Revision History

Current version: 0.1.64

  • draft - (as of 2022-12-09) + (as of 2039-01-10)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. Configure Syslog
    4. File Permissions and Masks
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Obsolete Services

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 15   Group contains 27 groups and 42 rules
Group   @@ -109,22 +109,7 @@ When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
Identifiers and References

Identifiers:  CCE-83291-5

References:  - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SLES-15-010450, SV-234853r622137_rule


Complexity:low
Disruption:low
Strategy:restrict

-for f in /etc/sudoers /etc/sudoers.d/* ; do
-  if [ ! -e "$f" ] ; then
-    continue
-  fi
-  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
-  if ! test -z "$matching_list"; then
-    while IFS= read -r entry; do
-      # comment out "!authenticate" matches to preserve user data
-      sed -i "s/^${entry}$/# &/g" $f
-    done <<< "$matching_list"
-
-    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
-  fi
-done
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -161,34 +146,34 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_no_authenticate
-

Rule   - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD -   [ref]

The sudo NOPASSWD tag, when specified, allows a user to execute -commands using sudo without having to authenticate. This should be disabled -by making sure that the NOPASSWD tag does not exist in -/etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they -do not have authorization. -

-When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References

Identifiers:  - CCE-85663-3

References:  - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SLES-15-010450, SV-234853r622137_rule


Complexity:low
Disruption:low
Strategy:restrict

+

Complexity:low
Disruption:low
Strategy:restrict

 for f in /etc/sudoers /etc/sudoers.d/* ; do
   if [ ! -e "$f" ] ; then
     continue
   fi
-  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
-      # comment out "NOPASSWD" matches to preserve user data
+      # comment out "!authenticate" matches to preserve user data
       sed -i "s/^${entry}$/# &/g" $f
     done <<< "$matching_list"
 
     /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
   fi
 done
-

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
+

Rule   + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD +   [ref]

The sudo NOPASSWD tag, when specified, allows a user to execute +commands using sudo without having to authenticate. This should be disabled +by making sure that the NOPASSWD tag does not exist in +/etc/sudoers configuration file or any sudo configuration snippets +in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they +do not have authorization. +

+When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References

Identifiers:  + CCE-85663-3

References:  + BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SLES-15-010450, SV-234853r622137_rule


Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -225,6 +210,21 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_nopasswd
+

Complexity:low
Disruption:low
Strategy:restrict

+for f in /etc/sudoers /etc/sudoers.d/* ; do
+  if [ ! -e "$f" ] ; then
+    continue
+  fi
+  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      # comment out "NOPASSWD" matches to preserve user data
+      sed -i "s/^${entry}$/# &/g" $f
+    done <<< "$matching_list"
+
+    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+  fi
+done
 
Group   Updating Software   Group contains 9 rules
[ref]   @@ -244,9 +244,7 @@ $ sudo zypper install dnf-automatic
Rationale:
dnf-automatic is an alternative command line interface (CLI) to dnf upgrade suitable for automatic, regular execution.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed
Identifiers and References

Identifiers:  CCE-91163-6

References:  - BP28(R8), SRG-OS-000191-GPOS-00080


Complexity:low
Disruption:low
Strategy:enable

-zypper install -y "dnf-automatic"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure dnf-automatic is installed
+            BP28(R8), SRG-OS-000191-GPOS-00080


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -258,17 +256,19 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-


+


 [[packages]]
 name = "dnf-automatic"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_dnf-automatic
+

Complexity:low
Disruption:low
Strategy:enable
include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure => 'installed',
   }
 }
+

Complexity:low
Disruption:low
Strategy:enable

+zypper install -y "dnf-automatic"
 

Rule   Configure dnf-automatic to Install Available Updates Automatically   [ref]

To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf.
Rationale:
Installing software updates is a fundamental mitigation against @@ -279,7 +279,25 @@ The automated installation of updates ensures that recent security patches are applied in a timely manner.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates
Identifiers and References

Identifiers:  CCE-91165-1

References:  - BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080


Complexity:low
Disruption:medium
- name: Configure dnf-automatic to Install Available Updates Automatically
+  ini_file:
+    dest: /etc/dnf/automatic.conf
+    section: commands
+    option: apply_updates
+    value: 'yes'
+    create: true
+  tags:
+  - CCE-91165-1
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-SI-2(5)
+  - NIST-800-53-SI-2(c)
+  - dnf-automatic_apply_updates
+  - low_complexity
+  - medium_disruption
+  - medium_severity
+  - no_reboot_needed
+  - unknown_strategy
+


 found=false
 
 # set value in all files if they contain section or key
@@ -306,33 +324,33 @@
     mkdir -p "$(dirname "$file")"
     echo -e "[commands]\napply_updates = yes" >> "$file"
 fi
-

Complexity:low
Disruption:medium
- name: Configure dnf-automatic to Install Available Updates Automatically
+

Rule   + Configure dnf-automatic to Install Only Security Updates +   [ref]

To configure dnf-automatic to install only security updates +automatically, set upgrade_type to security under +[commands] section in /etc/dnf/automatic.conf.
Rationale:
By default, dnf-automatic installs all available updates. +Reducing the amount of updated packages only to updates that were +issued as a part of a security advisory increases the system stability.
Severity: 
low
Rule ID:xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only
Identifiers and References

Identifiers:  + CCE-91166-9

References:  + BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080


Complexity:low
Disruption:medium
- name: Configure dnf-automatic to Install Only Security Updates
   ini_file:
     dest: /etc/dnf/automatic.conf
     section: commands
-    option: apply_updates
-    value: 'yes'
+    option: upgrade_type
+    value: security
     create: true
   tags:
-  - CCE-91165-1
+  - CCE-91166-9
   - NIST-800-53-CM-6(a)
   - NIST-800-53-SI-2(5)
   - NIST-800-53-SI-2(c)
-  - dnf-automatic_apply_updates
+  - dnf-automatic_security_updates_only
   - low_complexity
+  - low_severity
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html	2022-11-25 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html	2022-11-25 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitleCIS SUSE Linux Enterprise 15 Benchmark for Level 2 - Server
Profile IDxccdf_org.ssgproject.content_profile_cis

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:15
  • cpe:/o:suse:linux_enterprise_desktop:15

Revision History

Current version: 0.1.64

  • draft - (as of 2022-12-09) + (as of 2039-01-10)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. AppArmor
    5. GRUB2 bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Proxy Server
    14. Samba(SMB) Microsoft Windows File Sharing Server
    15. SNMP Server
    16. SSH Server
    17. X Window System

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 15   Group contains 109 groups and 275 rules
Group   @@ -115,15 +115,7 @@
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References

Identifiers:  CCE-83289-9

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -140,17 +132,25 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-


+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
 
 class install_aide {
   package { 'aide':
     ensure => 'installed',
   }
 }
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: @@ -173,18 +173,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-85787-0

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -256,6 +245,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Periodic Execution of AIDE   [ref]

At a minimum, AIDE should be configured to run a weekly scan. @@ -279,22 +279,7 @@ Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References

Identifiers:  CCE-85671-6

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -391,6 +376,21 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Sudo   Group contains 3 rules
[ref]   @@ -575,15 +575,7 @@ is to give as few privileges as possible but still allow system users to get their work done.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_sudo_installed
Identifiers and References

Identifiers:  CCE-91183-4

References:  - BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
+            BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -597,17 +589,25 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-


+


 [[packages]]
 name = "sudo"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
+

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html	2022-11-25 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html	2022-11-25 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitleCIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Server
Profile IDxccdf_org.ssgproject.content_profile_cis_server_l1

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:15
  • cpe:/o:suse:linux_enterprise_desktop:15

Revision History

Current version: 0.1.64

  • draft - (as of 2022-12-09) + (as of 2039-01-10)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. AppArmor
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Proxy Server
    14. Samba(SMB) Microsoft Windows File Sharing Server
    15. SNMP Server
    16. SSH Server
    17. X Window System

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 15   Group contains 97 groups and 212 rules
Group   @@ -115,15 +115,7 @@
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References

Identifiers:  CCE-83289-9

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -140,17 +132,25 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-


+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
 
 class install_aide {
   package { 'aide':
     ensure => 'installed',
   }
 }
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: @@ -173,18 +173,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-85787-0

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -256,6 +245,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Periodic Execution of AIDE   [ref]

At a minimum, AIDE should be configured to run a weekly scan. @@ -279,22 +279,7 @@ Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References

Identifiers:  CCE-85671-6

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -391,6 +376,21 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Sudo   Group contains 3 rules
[ref]   @@ -525,15 +525,7 @@ is to give as few privileges as possible but still allow system users to get their work done.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_sudo_installed
Identifiers and References

Identifiers:  CCE-91183-4

References:  - BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
+            BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -547,17 +539,25 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-


+


 [[packages]]
 name = "sudo"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
+

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html	2022-11-25 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html	2022-11-25 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitleCIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Workstation
Profile IDxccdf_org.ssgproject.content_profile_cis_workstation_l1

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:15
  • cpe:/o:suse:linux_enterprise_desktop:15

Revision History

Current version: 0.1.64

  • draft - (as of 2022-12-09) + (as of 2039-01-10)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. AppArmor
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Cron and At Daemons
    2. DHCP
    3. DNS Server
    4. FTP Server
    5. Web Server
    6. IMAP and POP3 Server
    7. LDAP
    8. Mail Server Software
    9. NFS and RPC
    10. Network Time Protocol
    11. Obsolete Services
    12. Proxy Server
    13. Samba(SMB) Microsoft Windows File Sharing Server
    14. SNMP Server
    15. SSH Server

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 15   Group contains 91 groups and 209 rules
Group   @@ -115,15 +115,7 @@
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References

Identifiers:  CCE-83289-9

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -140,17 +132,25 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-


+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
 
 class install_aide {
   package { 'aide':
     ensure => 'installed',
   }
 }
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: @@ -173,18 +173,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-85787-0

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -256,6 +245,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Periodic Execution of AIDE   [ref]

At a minimum, AIDE should be configured to run a weekly scan. @@ -279,22 +279,7 @@ Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References

Identifiers:  CCE-85671-6

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -391,6 +376,21 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Sudo   Group contains 3 rules
[ref]   @@ -525,15 +525,7 @@ is to give as few privileges as possible but still allow system users to get their work done.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_sudo_installed
Identifiers and References

Identifiers:  CCE-91183-4

References:  - BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
+            BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -547,17 +539,25 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-


+


 [[packages]]
 name = "sudo"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
+

Complexity:low
Disruption:low
Strategy:enable
include install_sudo
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html	2022-11-25 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html	2022-11-25 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitleCIS SUSE Linux Enterprise 15 Benchmark Level 2 - Workstation
Profile IDxccdf_org.ssgproject.content_profile_cis_workstation_l2

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:15
  • cpe:/o:suse:linux_enterprise_desktop:15

Revision History

Current version: 0.1.64

  • draft - (as of 2022-12-09) + (as of 2039-01-10)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. AppArmor
    5. GRUB2 bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Proxy Server
    14. Samba(SMB) Microsoft Windows File Sharing Server
    15. SNMP Server
    16. SSH Server

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 15   Group contains 107 groups and 274 rules
Group   @@ -115,15 +115,7 @@
 $ sudo zypper install aide
Rationale:
The AIDE package must be installed if it is to be available for integrity checking.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_package_aide_installed
Identifiers and References

Identifiers:  CCE-83289-9

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule


Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -140,17 +132,25 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-


+


 [[packages]]
 name = "aide"
 version = "*"
-

Complexity:low
Disruption:low
Strategy:enable
include install_aide
+

Complexity:low
Disruption:low
Strategy:enable
include install_aide
 
 class install_aide {
   package { 'aide':
     ensure => 'installed',
   }
 }
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: @@ -173,18 +173,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-85787-0

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -256,6 +245,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Periodic Execution of AIDE   [ref]

At a minimum, AIDE should be configured to run a weekly scan. @@ -279,22 +279,7 @@ Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References

Identifiers:  CCE-85671-6

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7,