
SLES 12 Security Technical Implementation Guide


Overview

Date: 2018-09-27
Finding Count: 204 (CAT I (High): 11; CAT II (Med): 170; CAT III (Low): 23)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-77437 High SuSEfirewall2 must protect against or limit the effects of Denial-of-Service (DoS) attacks on the SUSE operating system by implementing rate-limiting measures on impacted network interfaces.
V-77133 High The SUSE operating system must not allow unattended or automatic logon via the graphical user interface (GUI).
V-77139 High There must be no shosts.equiv files on the SUSE operating system.
V-77451 High The SUSE operating system must not allow unattended or automatic logon via SSH.
V-77441 High All networked SUSE operating systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
V-77045 High The SUSE operating system must be a vendor-supported release.
V-77137 High There must be no .shosts files on the SUSE operating system.
V-77473 High The SUSE operating system SSH daemon must encrypt forwarded remote X connections for interactive users.
V-77171 High The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence.
V-77067 High The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges.
V-77179 High The SUSE operating system root account must be the only account having unrestricted access to the system.
V-77113 Medium The SUSE operating system must employ user passwords with a minimum lifetime of 24 hours (1 day).
V-77395 Medium The SUSE operating system must generate audit records for all uses of the chmod command.
V-77397 Medium The SUSE operating system must generate audit records for all uses of the setfacl command.
V-77393 Medium The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
V-77475 Medium The SUSE operating system clock must, for networked systems, be synchronized to an authoritative DoD time source at least every 24 hours.
V-77399 Medium The SUSE operating system must generate audit records for all uses of the chacl command.
V-77413 Medium The SUSE operating system must generate audit records for all uses of the chage command.
V-77411 Medium The SUSE operating system must generate audit records for all uses of the unix_chkpwd command.
V-77417 Medium The SUSE operating system must generate audit records for all uses of the crontab command.
V-77363 Medium The SUSE operating system must generate audit records for all uses of the lchown command.
V-77415 Medium The SUSE operating system must generate audit records for all uses of the usermod command.
V-77419 Medium The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command.
V-77099 Medium The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.
V-77093 Medium The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs).
V-77149 Medium The sticky bit must be set on all SUSE operating system world-writable directories.
V-77499 Medium The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
V-77309 Medium Audispd must take appropriate action when the SUSE operating system audit storage is full.
V-77493 Medium The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
V-77143 Medium SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.
V-77145 Medium SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user and maintenance modes.
V-77147 Medium All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
V-77061 Medium The SUSE operating system must initiate a session lock after a 15-minute period of inactivity for the graphical user interface (GUI).
V-77401 Medium Successful/unsuccessful attempts to modify categories of information (e.g., classification levels) must generate audit records.
V-77119 Medium The SUSE operating system must employ a password history file.
V-77405 Medium The SUSE operating system must generate audit records for all modifications to the tallylog file.
V-77407 Medium The SUSE operating system must generate audit records for all modifications to the lastlog file.
V-77409 Medium The SUSE operating system must generate audit records for all uses of the passmass command.
V-77089 Medium The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (system-auth).
V-77153 Medium The SUSE operating system must notify the System Administrator (SA) when AIDE discovers anomalies in the operation of any security functions.
V-77151 Medium Advanced Intrusion Detection Environment (AIDE) must verify the baseline SUSE operating system configuration at least weekly.
V-77257 Medium SUSE operating system kernel core dumps must be disabled unless needed.
V-77087 Medium The SUSE operating system must require the change of at least eight (8) of the total number of characters when passwords are changed.
V-77251 Medium SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.
V-77081 Medium The SUSE operating system must enforce passwords that contain at least one special character.
V-77253 Medium All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group.
V-77159 Medium The SUSE operating system file integrity tool must be configured to protect the integrity of the audit tools.
V-77489 Medium The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
V-77319 Medium The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
V-77359 Medium The SUSE operating system must generate audit records for all uses of the chown command.
V-77481 Medium Address space layout randomization (ASLR) must be implemented by the SUSE operating system to protect memory from unauthorized code execution.
V-77483 Medium The SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly.
V-77311 Medium The SUSE operating system must protect audit rules from unauthorized modification.
V-77313 Medium The SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access.
V-77111 Medium The SUSE operating system must be configured to create or update passwords with a minimum lifetime of 24 hours (1 day).
V-77117 Medium The SUSE operating system must employ user passwords with a maximum lifetime of 60 days.
V-77439 Medium The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SSH.
V-77435 Medium The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
V-77115 Medium The SUSE operating system must be configured to create or update passwords with a maximum lifetime of 60 days.
V-77431 Medium The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SFTP/FTP.
V-77433 Medium The SUSE operating system file /etc/gdm/banner must contain the Standard Mandatory DoD Notice and Consent banner text.
V-77123 Medium The SUSE operating system must prevent the use of dictionary words for passwords.
V-77121 Medium The SUSE operating system must not allow passwords to be reused for a minimum of five (5) generations.
V-77127 Medium The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration.
V-77125 Medium The SUSE operating system must never automatically remove or disable emergency administrator accounts.
V-77193 Medium All SUSE operating system files and directories must have a valid group owner.
V-77129 Medium The SUSE operating system must provision temporary accounts with an expiration date of 72 hours.
V-77241 Medium SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.
V-77329 Medium The SUSE operating system must generate audit records for all uses of the sudoedit command.
V-77321 Medium The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
V-77325 Medium The SUSE operating system must generate audit records for all uses of the su command.
V-77197 Medium All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file.
V-81805 Medium The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.
V-81801 Medium The SUSE operating system must immediately terminate all network connections associated with SSH traffic at the end of the session or after 10 minutes of inactivity.
V-77199 Medium All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory.
V-81803 Medium The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets.
V-77109 Medium The SUSE operating system must employ passwords with a minimum of 15 characters.
V-77355 Medium The SUSE operating system must generate audit records for all uses of the lremovexattr command.
V-77429 Medium The SUSE operating system must not have the telnet-server package installed.
V-77315 Medium The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
V-77423 Medium The SUSE operating system must generate audit records for all uses of the finit_module command.
V-77421 Medium The SUSE operating system must generate audit records for all uses of the delete_module command.
V-77427 Medium The SUSE operating system must generate audit records for all modifications to the faillog file.
V-77425 Medium The SUSE operating system must generate audit records for all uses of the init_module command.
V-77509 Medium The SUSE operating system must implement certificate status checking for multifactor authentication.
V-77131 Medium The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
V-77501 Medium The SUSE operating system must not be performing packet forwarding unless the system is a router.
V-77503 Medium The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented.
V-77505 Medium The SUSE operating system wireless network adapters must be disabled unless approved and documented.
V-77507 Medium The SUSE operating system must have the packages required for multifactor authentication to be installed.
V-77105 Medium The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.
V-77237 Medium SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.
V-77487 Medium The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
V-77349 Medium The SUSE operating system must generate audit records for all uses of the setxattr command.
V-77485 Medium The SUSE operating system must be configured to use TCP syncookies.
V-77291 Medium The SUSE operating system must allocate audit record storage capacity to store at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility.
V-77293 Medium The SUSE operating system auditd service must notify the System Administrator (SA) and Information System Security Officer (ISSO) immediately when audit storage capacity is 75 percent full.
V-77295 Medium The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must be alerted of a SUSE operating system audit processing failure event.
V-77297 Medium The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure.
V-77299 Medium The SUSE operating system audit system must take appropriate action when the audit storage volume is full.
V-77513 Medium The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
V-77511 Medium The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).
V-81785 Medium The SUSE operating system must not be configured to allow blank or null passwords.
V-77343 Medium The SUSE operating system must generate audit records for all uses of the rmmod command.
V-77341 Medium The SUSE operating system must generate audit records for all uses of the insmod command.
V-77347 Medium The SUSE operating system must generate audit records for all uses of the kmod command.
V-77459 Medium The SUSE operating system SSH daemon must be configured with a timeout interval.
V-77457 Medium The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
V-77455 Medium The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections.
V-81709 Medium Accounts on the SUSE operating system that are subject to three unsuccessful logon attempts within 15 minutes must be locked for the maximum configurable period.
V-77187 Medium All SUSE operating system files and directories must have a valid owner.
V-77185 Medium The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to prohibit the use of cached offline authentications after one day.
V-77317 Medium The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
V-77181 Medium Temporary passwords for SUSE operating system logons must require an immediate change to a permanent password.
V-77229 Medium SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.
V-77183 Medium If Network Security Services (NSS) is being used by the SUSE operating system it must prohibit the use of cached authentications after one day.
V-77053 Medium The SUSE operating system must display a banner before granting local or remote access to the system via a graphical user logon.
V-77225 Medium All SUSE operating system local initialization files must not execute world-writable programs.
V-77051 Medium The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via local console.
V-77057 Medium The SUSE operating system must be able to lock the graphical user interface (GUI).
V-77055 Medium The SUSE operating system must display the approved Standard Mandatory DoD Notice before granting local or remote access to the system via a graphical user logon.
V-77287 Medium The SUSE operating system must have the auditing package installed.
V-77285 Medium The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.
V-77497 Medium The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
V-77141 Medium FIPS 140-2 mode must be enabled on the SUSE operating system.
V-77491 Medium The SUSE operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
V-77351 Medium The SUSE operating system must generate audit records for all uses of the fsetxattr command.
V-77353 Medium The SUSE operating system must generate audit records for all uses of the removexattr command.
V-77449 Medium The SUSE operating system must deny direct logons to the root account using remote access via SSH.
V-77357 Medium The SUSE operating system must generate audit records for all uses of the fremovexattr command.
V-77445 Medium The SUSE operating system must be configured to display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, SSH logon prompts.
V-77447 Medium The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon.
V-77443 Medium The SUSE operating system must log SSH connection attempts and failures to the server.
V-77219 Medium All SUSE operating system local interactive user initialization files' executable search paths must contain only paths that resolve to the user's home directory.
V-77049 Medium The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface (GUI).
V-77345 Medium The SUSE operating system must generate audit records for all uses of the modprobe command.
V-77301 Medium The audit-audispd-plugins must be installed on the SUSE operating system.
V-77211 Medium All SUSE operating system local interactive user home directories must be group-owned by the home directory owner's primary group.
V-77107 Medium The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.
V-77215 Medium All SUSE operating system local initialization files must have mode 0740 or less permissive.
V-77047 Medium Vendor-packaged SUSE operating system security patches and updates must be installed and up to date.
V-77495 Medium The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
V-77307 Medium The SUSE operating system must off-load audit records onto a different system or media from the system being audited.
V-77075 Medium The SUSE operating system must enforce passwords that contain at least one upper-case character.
V-77207 Medium All SUSE operating system local interactive user home directories must have mode 0750 or less permissive.
V-77077 Medium The SUSE operating system must enforce passwords that contain at least one lower-case character.
V-77071 Medium The SUSE operating system must lock an account after three consecutive invalid logon attempts.
V-77203 Medium All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist.
V-77073 Medium The SUSE operating system must enforce a delay of at least four (4) seconds between logon prompts following a failed logon attempt.
V-77365 Medium The SUSE operating system must generate audit records for all uses of the fchownat command.
V-77289 Medium SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
V-77361 Medium The SUSE operating system must generate audit records for all uses of the fchown command.
V-77169 Medium The SUSE operating system AppArmor tool must be configured to control whitelisted applications and user home directory access control.
V-77167 Medium The SUSE operating system must disable the file system automounter unless required.
V-77165 Medium The SUSE operating system must disable the USB mass storage kernel module.
V-77079 Medium The SUSE operating system must enforce passwords that contain at least one numeric character.
V-77163 Medium The SUSE operating system must remove all outdated software components after updated versions have been installed.
V-77161 Medium The SUSE operating system tool zypper must have gpgcheck enabled.
V-77479 Medium The SUSE operating system must implement kptr_restrict to prevent the leaking of internal kernel addresses.
V-77383 Medium The SUSE operating system must generate audit records for all uses of the open_by_handle_at command.
V-77381 Medium The SUSE operating system must generate audit records for all uses of the openat command.
V-77467 Medium The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files.
V-77465 Medium The SUSE operating system SSH daemon private host key files must have mode 0600 or less permissive.
V-77463 Medium The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive.
V-77461 Medium The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication.
V-77369 Medium The SUSE operating system must generate audit records for all uses of the fchmod command.
V-77469 Medium The SUSE operating system SSH daemon must use privilege separation.
V-77273 Medium SUSE operating system commands and libraries must have the proper permissions to protect from unauthorized access.
V-77063 Medium The SUSE operating system must initiate a session lock after a 15-minute period of inactivity.
V-77379 Medium The SUSE operating system must generate audit records for all uses of the creat command.
V-77275 Medium The SUSE operating system must prevent unauthorized users from accessing system error messages.
V-77373 Medium The SUSE operating system must generate audit records for all uses of the open command.
V-77371 Medium The SUSE operating system must generate audit records for all uses of the fchmodat command.
V-77377 Medium The SUSE operating system must generate audit records for all uses of the ftruncate command.
V-77375 Medium The SUSE operating system must generate audit records for all uses of the truncate command.
V-77471 Medium The SUSE operating system SSH daemon must not allow compression or must only allow compression after successful authentication.
V-77403 Medium The SUSE operating system must generate audit records for all uses of the rm command.
V-77175 Medium The SUSE operating system must not have unnecessary accounts.
V-77177 Medium The SUSE operating system must not have duplicate User IDs (UIDs) for interactive users.
V-77367 Medium The SUSE operating system must generate audit records for all uses of the chmod command.
V-77173 Medium The SUSE operating system default permissions must be defined in such a way that all authenticated users can only read and modify their own files.
V-77391 Low The SUSE operating system must generate audit records for all uses of the chsh command.
V-77261 Low A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent).
V-77265 Low The SUSE operating system must use a separate file system for /var.
V-77157 Low The SUSE operating system file integrity tool must be configured to verify extended attributes.
V-77155 Low The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs).
V-77323 Low The SUSE operating system must generate audit records for all uses of privileged functions.
V-77327 Low The SUSE operating system must generate audit records for all uses of the sudo command.
V-77135 Low The SUSE operating system must display the date and time of the last successful account logon upon logon.
V-77331 Low The SUSE operating system must generate audit records for all uses of the chfn command.
V-77339 Low The SUSE operating system must generate audit records for all uses of the ssh-keysign command.
V-77069 Low The SUSE operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
V-77059 Low The SUSE operating system must have vlock installed to allow for session locking.
V-77337 Low The SUSE operating system must generate audit records for all uses of the ssh-agent command.
V-77335 Low The SUSE operating system must generate audit records for all uses of the umount command.
V-77333 Low The SUSE operating system must generate audit records for all uses of the mount command.
V-77305 Low Audispd must off-load audit records onto a different system or media from the SUSE operating system being audited.
V-77477 Low The SUSE operating system must be configured to use Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-77303 Low The SUSE operating system audit event multiplexor must be configured to use Kerberos.
V-77387 Low The SUSE operating system must generate audit records for all uses of the gpasswd command.
V-77385 Low The SUSE operating system must generate audit records for all uses of the passwd command.
V-77389 Low The SUSE operating system must generate audit records for all uses of the newgrp command.
V-77271 Low The SUSE operating system must use a separate file system for the system audit data path.
V-77065 Low The SUSE operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image in the graphical user interface (GUI).
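Most of the Medium SSH findings above (V-77439, V-77447, V-77449, V-77451, V-77455, V-77457, V-77461, V-77467, V-77469, V-77471, V-81801) come down to a single sshd_config directive. The checker below is an added example, not DISA's or the UCF STIG Viewer's code: it parses sshd_config the way sshd does (comments dropped, the first occurrence of a keyword wins, everything after a Match line is conditional) and reports which of those finding IDs fail. The expected values are this example's reading of the finding titles, the approved cipher and MAC lists are assumed, a directive that is not set at all is treated as a failure, and the sample configuration is constructed, not taken from a host.

```python
"""Checker for the sshd_config findings in the SLES 12 STIG listing above.
Added example, not DISA's or the UCF viewer's code: the expected values are this
example's reading of the finding titles, and the cipher/MAC lists are assumed."""
import re

APPROVED_CIPHERS = {"aes128-ctr", "aes192-ctr", "aes256-ctr"}  # assumed approved list
APPROVED_MACS = {"hmac-sha2-256", "hmac-sha2-512"}             # assumed approved list

def eq(*ok):               # value must be one of the given strings (case-insensitive)
    return lambda v: v.lower() in ok

def subset_of(allowed):    # comma-separated list may contain only approved names
    return lambda v: set(v.lower().split(",")) <= allowed

SSHD_POLICY = {  # lower-case keyword: (predicate on its value, finding ID)
    "permitrootlogin":        (eq("no"), "V-77449"),
    "permitemptypasswords":   (eq("no"), "V-77451"),
    "permituserenvironment":  (eq("no"), "V-77451"),
    "strictmodes":            (eq("yes"), "V-77467"),
    "ignoreuserknownhosts":   (eq("yes"), "V-77461"),
    "useprivilegeseparation": (eq("yes", "sandbox"), "V-77469"),
    "compression":            (eq("no", "delayed"), "V-77471"),
    "printlastlog":           (eq("yes"), "V-77447"),
    "banner":                 (lambda v: v == "/etc/issue", "V-77439"),
    "clientaliveinterval":    (lambda v: v.isdigit() and 0 < int(v) <= 600, "V-81801"),
    "ciphers":                (subset_of(APPROVED_CIPHERS), "V-77455"),
    "macs":                   (subset_of(APPROVED_MACS), "V-77457"),
}

def parse_sshd_config(text):
    """Return the global directives (first occurrence wins, as sshd applies them)
    and the set of keywords some Match block sets again, which need review."""
    global_cfg, overridden, in_match = {}, set(), False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":                             # everything after is conditional
            in_match = True
        elif in_match:
            overridden.add(key)
        else:
            global_cfg.setdefault(key, value)
    return global_cfg, overridden

def check_sshd(text):
    """Return {finding ID: reason} for each sshd_config finding that fails."""
    cfg, overridden = parse_sshd_config(text)
    gaps = {}
    for key, (ok, fid) in SSHD_POLICY.items():
        if key not in cfg:
            gaps[fid] = f"{key} not set (sshd default applies)"
        elif not ok(cfg[key]):
            gaps[fid] = f"{key} is {cfg[key]!r}"
        elif key in overridden:
            gaps[fid] = f"{key} is set again inside a Match block; review"
    return gaps

# Constructed sshd_config, not taken from a real host.
SAMPLE_SSHD_CONFIG = """\
# PermitRootLogin yes   <- commented out, must be ignored
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
StrictModes yes
IgnoreUserKnownHosts yes
UsePrivilegeSeparation sandbox
Compression yes
PrintLastLog yes
Banner /etc/issue
ClientAliveInterval 900
Ciphers aes256-ctr,aes128-cbc
MACs hmac-sha2-512,hmac-sha2-256
Match User deploy
    PermitRootLogin yes
    PermitEmptyPasswords yes
"""

if __name__ == "__main__":
    for fid, why in sorted(check_sshd(SAMPLE_SSHD_CONFIG).items()):
        print(fid, why)
```

On a host, feed `check_sshd` the text of /etc/ssh/sshd_config, or better the output of `sshd -T`, which prints the effective global configuration with keywords already lower-cased. The Match handling is the part worth keeping: a compliant global `PermitRootLogin no` means little if a Match block re-enables it for some user, so the checker reports the finding as needing review rather than passing it.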
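The network and memory-protection findings (V-77479, V-77481, V-77485, V-77487, V-77489, V-77491, V-77493, V-77495, V-77497, V-77499, V-77501, V-81803, V-81805) are each one kernel parameter. The checker below is an added example, not DISA's or the UCF STIG Viewer's code. It goes one step further than reading `sysctl` output: a value that is correct at runtime but not persisted in /etc/sysctl.conf or /etc/sysctl.d is reported as a failure, because it is lost at the next reboot. The expected values are this example's reading of the finding titles, and all three inputs are constructed, not captured from a host.

```python
"""Checker for the kernel-parameter findings in the SLES 12 STIG listing above.
Added example, not DISA's or the UCF viewer's code; the expected values are this
example's reading of the finding titles.  A parameter passes only when the running
value is right and a sysctl configuration file persists it across reboots."""

SYSCTL_POLICY = {  # sysctl key: (expected value, finding ID)
    "net.ipv4.conf.all.send_redirects":          ("0", "V-77499"),
    "net.ipv4.conf.default.send_redirects":      ("0", "V-77497"),
    "net.ipv4.conf.all.accept_redirects":        ("0", "V-77493"),
    "net.ipv4.conf.default.accept_redirects":    ("0", "V-77495"),
    "net.ipv6.conf.default.accept_redirects":    ("0", "V-81805"),
    "net.ipv4.conf.all.accept_source_route":     ("0", "V-77487"),
    "net.ipv4.conf.default.accept_source_route": ("0", "V-77489"),
    "net.ipv6.conf.all.accept_source_route":     ("0", "V-81803"),
    "net.ipv4.icmp_echo_ignore_broadcasts":      ("1", "V-77491"),
    "net.ipv4.tcp_syncookies":                   ("1", "V-77485"),
    "net.ipv4.ip_forward":                       ("0", "V-77501"),  # unless a documented router
    "kernel.randomize_va_space":                 ("2", "V-77481"),
    "kernel.kptr_restrict":                      ("1", "V-77479"),
}

def parse_sysctl(text):
    """Parse 'key = value' lines from `sysctl -a` output or a sysctl.conf-style
    file; comments are dropped and 'net/ipv4/...' keys are normalised to dots."""
    cfg = {}
    for line in text.splitlines():
        key, sep, val = line.split("#", 1)[0].partition("=")
        if sep:
            cfg[key.strip().replace("/", ".")] = val.strip()
    return cfg

def check_sysctl(running_text, conf_texts):
    """running_text: `sysctl -a` output.  conf_texts: contents of the sysctl
    configuration files in the order `sysctl --system` loads them (a later file
    overrides an earlier one).  Returns {finding ID: reason} for each failure."""
    running, persisted = parse_sysctl(running_text), {}
    for text in conf_texts:
        persisted.update(parse_sysctl(text))
    gaps = {}
    for key, (want, fid) in SYSCTL_POLICY.items():
        if running.get(key) != want:
            gaps[fid] = f"{key} is {running.get(key)!r} at runtime, want {want}"
        elif persisted.get(key) != want:
            gaps[fid] = f"{key} is {want} at runtime but persisted as {persisted.get(key)!r}"
    return gaps

# Constructed samples, not captured from a real host.
# `sysctl -a` output: send_redirects and ip_forward wrong, kptr_restrict missing.
SAMPLE_RUNNING = """\
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 1
kernel.randomize_va_space = 2
"""
# A hardening drop-in such as /etc/sysctl.d/50-stig.conf (tcp_syncookies forgotten).
SAMPLE_SYSCTL_D = """\
# STIG hardening
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net/ipv4/icmp_echo_ignore_broadcasts = 1
net.ipv4.ip_forward = 0
kernel.randomize_va_space = 2
kernel.kptr_restrict = 1
"""
# /etc/sysctl.conf, loaded last, silently re-enabling redirect acceptance.
SAMPLE_SYSCTL_CONF = """\
net.ipv4.conf.all.accept_redirects = 1
"""

if __name__ == "__main__":
    for fid, why in sorted(check_sysctl(SAMPLE_RUNNING, [SAMPLE_SYSCTL_D, SAMPLE_SYSCTL_CONF]).items()):
        print(fid, why)
```

The sample shows the two ways a host drifts out of compliance that a one-off `sysctl` read misses: a parameter set by hand but never written to a configuration file (tcp_syncookies here), and a later-loaded file overriding an earlier hardening drop-in (accept_redirects here). Both are reported even though the running values are correct.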
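The largest group of findings above requires audit records for particular syscalls (chmod, chown, setxattr, open, truncate and module-loading families), for writes to the account files, and for executions of privileged commands. The following coverage check is an added example, not DISA's or the UCF STIG Viewer's code: it parses `auditctl -l` output and reports every one of those finding IDs that the loaded rule set does not satisfy, including the common partial case of a syscall rule present for arch=b64 but missing for arch=b32. The syscall names, watched files and command paths are this example's reading of the finding titles (the paths are assumed for SLES 12), and the rule listing is constructed, not captured from a host.

```python
"""Coverage check for the audit-rule findings in the SLES 12 STIG listing above,
run over `auditctl -l` output.  Added example, not DISA's or the UCF viewer's
code; the syscall names, watched files and command paths below are this
example's reading of the finding titles (paths assumed for SLES 12)."""
import shlex

ARCHES = ("b32", "b64")          # a syscall rule is needed for both on x86_64
SYSCALL_FINDINGS = {             # syscall: finding ID
    "chmod": "V-77367", "fchmod": "V-77369", "fchmodat": "V-77371",
    "chown": "V-77359", "fchown": "V-77361", "lchown": "V-77363", "fchownat": "V-77365",
    "setxattr": "V-77349", "fsetxattr": "V-77351", "removexattr": "V-77353",
    "lremovexattr": "V-77355", "fremovexattr": "V-77357",
    "open": "V-77373", "truncate": "V-77375", "ftruncate": "V-77377", "creat": "V-77379",
    "openat": "V-77381", "open_by_handle_at": "V-77383",
    "init_module": "V-77425", "finit_module": "V-77423", "delete_module": "V-77421",
}
WATCH_FINDINGS = {               # file that needs a -w ... -p wa watch: finding ID
    "/etc/passwd": "V-77315", "/etc/group": "V-77317", "/etc/shadow": "V-77319",
    "/etc/gshadow": "V-77393", "/etc/security/opasswd": "V-77321",
    "/var/log/tallylog": "V-77405", "/var/log/lastlog": "V-77407",
    "/var/log/faillog": "V-77427",
}
PRIV_CMD_FINDINGS = {            # command needing -F path=... -F perm=x: finding ID
    "/usr/bin/su": "V-77325", "/usr/bin/sudo": "V-77327", "/usr/bin/chfn": "V-77331",
    "/usr/bin/passwd": "V-77385", "/usr/bin/gpasswd": "V-77387", "/usr/bin/newgrp": "V-77389",
    "/usr/bin/chsh": "V-77391", "/usr/bin/chage": "V-77413", "/usr/sbin/usermod": "V-77415",
    "/usr/bin/crontab": "V-77417",
}

def parse_rule(line):
    """Reduce one `auditctl -l` line to the fields the coverage checks look at."""
    rule = {"action": None, "arch": None, "syscalls": set(),
            "path": None, "perm": None, "watch": None, "wperms": ""}
    toks = shlex.split(line)
    for flag, arg in zip(toks[::2], toks[1::2]):      # every auditctl option takes one argument
        if flag == "-a":
            rule["action"] = arg
        elif flag == "-S":
            rule["syscalls"].update(arg.split(","))
        elif flag == "-F":
            key, _, val = arg.partition("=")         # 'auid>=1000' and the like are ignored
            if key in ("arch", "path", "perm"):
                rule[key] = val
        elif flag == "-w":
            rule["watch"] = arg
        elif flag == "-p":
            rule["wperms"] = arg
    return rule

def audit_gaps(listing):
    """Return {finding ID: reason} for every audit finding the rule set misses."""
    rules = [parse_rule(l) for l in listing.splitlines() if l.strip()]
    gaps = {}
    for sc, fid in SYSCALL_FINDINGS.items():
        missing = [a for a in ARCHES if not any(
            r["action"] == "always,exit" and r["arch"] == a and sc in r["syscalls"]
            for r in rules)]
        if missing:
            gaps[fid] = f"no always,exit rule for syscall {sc} on {','.join(missing)}"
    for path, fid in WATCH_FINDINGS.items():
        if not any(r["watch"] == path and "w" in r["wperms"] for r in rules):
            gaps[fid] = f"no -w {path} -p wa watch"
    for path, fid in PRIV_CMD_FINDINGS.items():
        if not any(r["action"] == "always,exit" and r["path"] == path and r["perm"] == "x"
                   for r in rules):
            gaps[fid] = f"no always,exit -F path={path} -F perm=x rule"
    return gaps

# Constructed `auditctl -l` listing, not captured from a real host.
SAMPLE_AUDITCTL_L = """\
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=-1 -k modules
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/group -p wa -k identity
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
"""

if __name__ == "__main__":
    for fid, why in sorted(audit_gaps(SAMPLE_AUDITCTL_L).items()):
        print(fid, why)
```

Run it against the live kernel with the output of `auditctl -l` rather than against /etc/audit/audit.rules: the listing reflects what auditd actually loaded, so a rule file that failed to parse (or a rule added after `-e 2` locked the configuration) shows up as a gap instead of a false pass. In the sample, the module-loading rule exists only for arch=b64, so V-77421, V-77423 and V-77425 are reported with the missing b32 arch named.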