1 # OSSEC Linux Audit - (C) 2018 OSSEC Project
3 # Released under the same license as OSSEC.
4 # More details at the LICENSE file included with OSSEC or online
5 # at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
7 # [Application name] [any or all] [reference]
11 # - f (for file or directory)
12 # - p (process running)
13 # - d (any file inside the directory)
16 # For the registry and for directories, use "->" to look for a specific entry and another
17 # "->" to look for the value.
18 # Also, use " -> r:^\. -> ..." to search all files in a directory
19 # For files, use "->" to look for a specific value in the file.
21 # Values can be preceded by: =: (for equal) - default
22 # r: (for ossec regexes)
23 # >: (for strcmp greater)
24 # <: (for strcmp lower)
25 # Multiple patterns can be specified by using " && " between them.
26 # (All of them must match for it to return true).
29 # CIS Checks for SUSE SLES 12
30 # Based on CIS Benchmark for SUSE Linux Enterprise Server 12 v1.0.0
33 $rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d;
36 [CIS - Testing against the CIS SUSE Linux Enterprise Server 12 Benchmark v1.0.0] [any required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
37 f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12";
38 f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12 SP1";
39 f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12 SP2";
40 f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12 SP3";
41 f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12 SP4";
44 [CIS - SLES12 - 2.1 - Build considerations - Robust partition scheme - /tmp is not on its own partition {CIS: 2.2 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
45 f:/etc/fstab -> !r:/tmp;
48 [CIS - SLES12 - 2.2 - Partition /tmp without 'nodev' set {CIS: 2.2 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
49 f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev;
52 [CIS - SLES12 - 2.3 - Partition /tmp without 'nosuid' set {CIS: 2.3 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
53 f:/etc/fstab -> !r:^# && r:/tmp && !r:nosuid;
56 [CIS - SLES12 - 2.4 - Partition /tmp without 'noexec' set {CIS: 2.4 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
57 f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev;
59 # 2.5 Build considerations - Partition scheme.
60 [CIS - SLES12 - Build considerations - Robust partition scheme - /var is not on its own partition {CIS: 2.5 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
61 f:/etc/fstab -> !r^# && !r:/var;
63 # 2.6 bind mount /var/tmp to /tmp
64 [CIS - SLES12 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp {CIS: 2.6 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
65 f:/etc/fstab -> r:^# && !r:/var/tmp && !r:bind;
67 # 2.7 /var/log: partition
68 [CIS - SLES12 - Build considerations - Robust partition scheme - /var/log is not on its own partition {CIS: 2.7 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
69 f:/etc/fstab -> ^# && !r:/var/log;
71 # 2.8 /var/log/audit: partition
72 [CIS - SLES12 - Build considerations - Robust partition scheme - /var/log/audit is not on its own partition {CIS: 2.8 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
73 f:/etc/fstab -> ^# && !r:/var/log/audit;
75 # 2.9 /home: partition
76 [CIS - SLES12 - Build considerations - Robust partition scheme - /home is not on its own partition {CIS: 2.9 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
77 f:/etc/fstab -> ^# && !r:/home;
80 [CIS - SLES12 - 2.10 - Partition /home without 'nodev' set {CIS: 2.10 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
81 f:/etc/fstab -> !r:^# && r:/home && !r:nodev;
83 # 2.11 nodev on removable media partitions (not scored)
84 [CIS - SLES12 - 2.11 - Removable partition /media without 'nodev' set {CIS: 2.11 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
85 f:/etc/fstab -> !r:^# && r:/media && !r:nodev;
87 # 2.12 noexec on removable media partitions (not scored)
88 [CIS - SLES12 - 2.12 - Removable partition /media without 'noexec' set {CIS: 2.12 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
89 f:/etc/fstab -> !r:^# && r:/media && !r:noexec;
91 # 2.13 nosuid on removable media partitions (not scored)
92 [CIS - SLES12 - 2.13 - Removable partition /media without 'nosuid' set {CIS: 2.13 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
93 f:/etc/fstab -> !r:^# && r:/media && !r:nosuid;
95 # 2.14 /dev/shm: nodev
96 [CIS - SLES12 - 2.14 - /dev/shm without 'nodev' set {CIS: 2.14 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
97 f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nodev;
99 # 2.15 /dev/shm: nosuid
100 [CIS - SLES12 - 2.15 - /dev/shm without 'nosuid' set {CIS: 2.15 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
101 f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nosuid;
103 # 2.16 /dev/shm: noexec
104 [CIS - SLES12 - 2.16 - /dev/shm without 'noexec' set {CIS: 2.16 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
105 f:/etc/fstab -> !r:^# && r:/dev/shm && !r:noexec;
107 # 2.17 sticky bit on world writable directories (Scored)
110 # 2.18 disable cramfs (not scored)
112 # 2.19 disable freevxfs (not scored)
114 # 2.20 disable jffs2 (not scored)
116 # 2.21 disable hfs (not scored)
118 # 2.22 disable hfsplus (not scored)
120 # 2.23 disable squashfs (not scored)
122 # 2.24 disable udf (not scored)
124 # 2.25 disable automounting (Scored)
127 ###############################################
128 # 3 Secure Boot Settings
129 ###############################################
131 # 3.1 Set User/Group Owner on /etc/grub.conf
132 # TODO (no mode tests)
133 # stat -L -c "%u %g" /boot/grub2/grub.cfg | egrep "0 0"
135 # 3.2 Set Permissions on /etc/grub.conf (Scored)
136 # TODO (no mode tests)
137 # stat -L -c "%a" /boot/grub2/grub.cfg | egrep ".00"
139 # 3.3 Set Boot Loader Password (Scored)
140 [CIS - SLES12 - 3.3 - GRUB Password not set {CIS: 3.3 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
141 f:/boot/grub2/grub.cfg -> !r:^# && !r:password;
143 ###############################################
144 # 4 Additional Process Hardening
145 ###############################################
147 # 4.1 Restrict Core Dumps (Scored)
148 [CIS - SLES12 - 4.1 - Interactive Boot not disabled {CIS: 4.1 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
149 f:/etc/security/limits.conf -> !r:^# && !r:hard\.+core\.+0;
151 # 4.2 Enable XD/NX Support on 32-bit x86 Systems (Not Scored)
154 # 4.3 Enable Randomized Virtual Memory Region Placement (Scored)
155 [CIS - SLES12 - 4.3 - Randomized Virtual Memory Region Placement not enabled {CIS: 4.3 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
156 f:/proc/sys/kernel/randomize_va_space -> 2;
158 # 4.4 Disable Prelink (Scored)
161 # 4.5 Activate AppArmor (Scored)
164 ###############################################
166 ###############################################
168 ###############################################
169 # 5.1 Remove Legacy Services
170 ###############################################
172 # 5.1.1 Remove NIS Server (Scored)
173 [CIS - SLES12 - 5.1.1 - Disable standard boot services - NIS (server) Enabled {CIS: 5.1.1 SLES12} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
174 d:$rc_dirs -> ^S\d\dypserv$;
175 f:/usr/lib/systemd/system/ypserv.service -> r:Exec;
177 # 5.1.2 Remove NIS Client (Scored)
178 [CIS - SLES12 - 5.1.2 - Disable standard boot services - NIS (client) Enabled {CIS: 51.2 SLES12} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
179 d:$rc_dirs -> ^S\d\dypbind$;
180 f:/usr/lib/systemd/system/ypbind.service -> r:Exec;
182 # 5.1.3 Remove rsh-server (Scored)
183 [CIS - SLES12 - 5.1.3 - rsh/rlogin/rcp enabled on xinetd {CIS: 5.1.3 SLES12} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
184 f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no;
185 f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no;
186 f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no;
188 f:/usr/lib/systemd/system/rexec@.service -> r:ExecStart;
189 f:/usr/lib/systemd/system/rlogin@.service -> r:ExecStart;
190 f:/usr/lib/systemd/system/rsh@.service -> r:ExecStart;
192 # 5.1.4 Remove rsh client (Scored)
195 # 5.1.5 Remove talk-server (Scored)
196 [CIS - SLES12 - 5.1.5 - talk enabled on xinetd {CIS: 5.1.5 SLES12} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
197 f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no;
198 f:/usr/lib/systemd/system/ntalk.service -> r:Exec;
200 # 5.1.6 Remove talk client (Scored)
203 # 5.1.7 Remove telnet-server (Scored)
204 # TODO: detect it is installed at all
205 [CIS - SLES12 - 5.1.7 - Telnet enabled on xinetd {CIS: 5.1.7 SLES12} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
206 f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no;
207 f:/usr/lib/systemd/system/telnet@.service -> r:ExecStart=-/usr/sbin/in.telnetd;
209 # 5.1.8 Remove tftp-server (Scored)
210 [CIS - SLES12 - 5.1.8 - tftpd enabled on xinetd {CIS: 5.1.8 SLES12} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
211 f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no;
212 f:/usr/lib/systemd/system/tftp.service -> r:Exec;
214 # 5.1.9 Remove xinetd (Scored)
215 [CIS - SLES12 - 5.1.9 - xinetd detected {CIS: 5.1.9 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
216 f:/usr/lib/systemd/system/xinetd.service -> r:Exec;
218 # 5.2 Disable chargen-udp (Scored)
219 [CIS - SLES12 - 5.2 - chargen-udp enabled on xinetd {CIS: 5.2 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
220 f:/etc/xinetd.d/chargen-udp -> !r:^# && r:disable && r:no;
222 # 5.3 Disable chargen (Scored)
223 [CIS - SLES12 - 5.3 - chargen enabled on xinetd {CIS: 5.3 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
224 f:/etc/xinetd.d/chargen -> !r:^# && r:disable && r:no;
226 # 5.4 Disable daytime-udp (Scored)
227 [CIS - SLES12 - 5.4 - daytime-udp enabled on xinetd {CIS: 5.4 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
228 f:/etc/xinetd.d/daytime-udp -> !r:^# && r:disable && r:no;
230 # 5.5 Disable daytime (Scored)
231 [CIS - SLES12 - 5.5 - daytime enabled on xinetd {CIS: 5.5 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
232 f:/etc/xinetd.d/daytime -> !r:^# && r:disable && r:no;
235 # 5.6 Disable echo-udp (Scored)
236 [CIS - SLES12 - 5.6 - echo-udp enabled on xinetd {CIS: 5.6 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
237 f:/etc/xinetd.d/echo-udp -> !r:^# && r:disable && r:no;
239 # 5.7 Disable echo (Scored)
240 [CIS - SLES12 - 5.7 - echo enabled on xinetd {CIS: 5.7 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
241 f:/etc/xinetd.d/echo -> !r:^# && r:disable && r:no;
243 # 5.8 Disable discard-udp (Scored)
244 [CIS - SLES12 - 5.8 - discard-udp enabled on xinetd {CIS: 5.8 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
245 f:/etc/xinetd.d/discard-udp -> !r:^# && r:disable && r:no;
247 # 5.9 Disable discard (Scored)
248 [CIS - SLES12 - 5.9 - discard enabled on xinetd {CIS: 5.9 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
249 f:/etc/xinetd.d/discard -> !r:^# && r:disable && r:no;
251 # 5.10 Disable time-udp (Scored)
252 [CIS - SLES12 - 5.10 - time-udp enabled on xinetd {CIS: 5.10 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
253 f:/etc/xinetd.d/time-udp -> !r:^# && r:disable && r:no;
255 # 5.11 Disable time (Scored)
256 [CIS - SLES12 - 5.11 - time enabled on xinetd {CIS: 5.11 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
257 f:/etc/xinetd.d/time -> !r:^# && r:disable && r:no;
259 ###############################################
260 # 6 Special Purpose Services
261 ###############################################
263 # 6.1 Remove X Windows (Scored)
264 [CIS - SLES12 - 6.1 - X11 not disabled {CIS: 6.1 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
265 f:/usr/lib/systemd/system/default.target -> r:Graphical;
268 # 6.2 Disable Avahi Server (Scored)
269 [CIS - SLES12 - 6.2 - Avahi daemon not disabled {CIS: 6.2 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
272 # 6.3 Disable Print Server - CUPS (Not Scored)
275 # 6.4 Remove DHCP Server (Scored)
276 [CIS - SLES12 - 6.4 - DHCPnot disabled {CIS: 6.4 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
277 f:/usr/lib/systemd/system/dhcpd.service -> r:Exec;
279 # 6.5 Configure Network Time Protocol (NTP) (Scored)
281 [CIS - SLES12 - 6.5 - NTPD not Configured {CIS: 6.5 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
282 f:/etc/ntp.conf -> r:restrict default kod nomodify notrap nopeer noquery && r:^server;
283 f:/etc/sysconfig/ntpd -> r:OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid";
285 # 6.6 Remove LDAP (Not Scored)
288 # 6.7 Disable NFS and RPC (Not Scored)
289 [CIS - SLES12 - 6.7 - Disable standard boot services - NFS Enabled {CIS: 6.7 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
290 d:$rc_dirs -> ^S\d\dnfs$;
291 d:$rc_dirs -> ^S\d\dnfslock$;
293 # 6.8 Remove DNS Server (Not Scored)
296 # 6.9 Remove FTP Server (Not Scored)
297 [CIS - SLES12 - 6.9 - VSFTP enabled on xinetd {CIS: 6.9 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
298 f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no;
300 # 6.10 Remove HTTP Server (Not Scored)
301 [CIS - SLES12 - 6.10 - Disable standard boot services - Apache web server Enabled {CIS: 6.10 SLES12}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
302 d:$rc_dirs -> ^S\d\dapache2$;
304 # 6.11 Remove Dovecot (IMAP and POP3 services) (Not Scored)
305 [CIS - SLES12 - 6.11 - imap enabled on xinetd {CIS: 6.11 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
306 f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no;
308 [CIS - SLES12 - 6.11 - pop3 enabled on xinetd {CIS: 6.11 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
309 f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no;
311 # 6.12 Remove Samba (Not Scored)
312 [CIS - SLES12 - 6.12 - Disable standard boot services - Samba Enabled {CIS: 6.12 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
313 d:$rc_dirs -> ^S\d\dsamba$;
314 d:$rc_dirs -> ^S\d\dsmb$;
316 # 6.13 Remove HTTP Proxy Server (Not Scored)
317 [CIS - SLES12 - 6.13 - Disable standard boot services - Squid Enabled {CIS: 6.13 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
318 d:$rc_dirs -> ^S\d\dsquid$;
320 # 6.14 Remove SNMP Server (Not Scored)
321 [CIS - SLES12 - 6.14 - Disable standard boot services - SNMPD process Enabled {CIS: 6.14 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
322 d:$rc_dirs -> ^S\d\dsnmpd$;
324 # 6.15 Configure Mail Transfer Agent for Local-Only Mode (Scored)
327 # 6.16 Ensure rsync service is not enabled (Scored)
328 [CIS - SLES12 - 6.16 - Disable standard boot services - rsyncd process Enabled {CIS: 6.16 SLES12} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
329 d:$rc_dirs -> ^S\d\drsyncd$;
331 # 6.17 Ensure Biosdevname is not enabled (Scored)
334 ###############################################
335 # 7 Network Configuration and Firewalls
336 ###############################################
338 ###############################################
339 # 7.1 Modify Network Parameters (Host Only)
340 ###############################################
342 # 7.1.1 Disable IP Forwarding (Scored)
343 [CIS - SLES12 - 7.1.1 - Network parameters - IP Forwarding enabled {CIS: 7.1.1 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
344 f:/proc/sys/net/ipv4/ip_forward -> 1;
345 f:/proc/sys/net/ipv6/ip_forward -> 1;
347 # 7.1.2 Disable Send Packet Redirects (Scored)
348 [CIS - SLES12 - 7.1.2 - Network parameters - IP send redirects enabled {CIS: 7.1.2 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
349 f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0;
350 f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0;
352 ###############################################
353 # 7.2 Modify Network Parameters (Host and Router)
354 ###############################################
356 # 7.2.1 Disable Source Routed Packet Acceptance (Scored)
357 [CIS - SLES12 - 7.2.1 - Network parameters - Source routing accepted {CIS: 7.2.1 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
358 f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;
360 # 7.2.2 Disable ICMP Redirect Acceptance (Scored)
361 [CIS - SLES12 - 7.2.2 - Network parameters - ICMP redirects accepted {CIS: 7.2.2 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
362 f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 1;
363 f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 1;
365 # 7.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
366 [CIS - SLES12 - 7.2.3 - Network parameters - ICMP secure redirects accepted {CIS: 7.2.3 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
367 f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 1;
368 f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 1;
370 # 7.2.4 Log Suspicious Packets (Scored)
371 [CIS - SLES12 - 7.2.4 - Network parameters - martians not logged {CIS: 7.2.4 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
372 f:/proc/sys/net/ipv4/conf/all/log_martians -> 0;
374 # 7.2.5 Enable Ignore Broadcast Requests (Scored)
375 [CIS - SLES12 - 7.2.5 - Network parameters - ICMP broadcasts accepted {CIS: 7.2.5 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
376 f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;
378 # 7.2.6 Enable Bad Error Message Protection (Scored)
379 [CIS - SLES12 - 7.2.6 - Network parameters - Bad error message protection not enabled {CIS: 7.2.6 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
380 f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 0;
382 # 7.2.7 Enable RFC-recommended Source Route Validation (Scored)
383 [CIS - SLES12 - 7.2.7 - Network parameters - RFC Source route validation not enabled {CIS: 7.2.7 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
384 f:/proc/sys/net/ipv4/conf/all/rp_filter -> 0;
385 f:/proc/sys/net/ipv4/conf/default/rp_filter -> 0;
387 # 7.2.8 Enable TCP SYN Cookies (Scored)
388 [CIS - SLES12 - 7.2.8 - Network parameters - SYN Cookies not enabled {CIS: 7.2.8 SLES12} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
389 f:/proc/sys/net/ipv4/tcp_syncookies -> 0;
391 ###############################################
393 ###############################################
395 # 7.3.1 Disable IPv6 Router Advertisements (Not Scored)
397 # 7.3.2 Disable IPv6 Redirect Acceptance (Not Scored)
399 # 7.3.3 Disable IPv6 (Not Scored)
401 ###############################################
402 # 7.4 Install TCP Wrappers
403 ###############################################
405 # 7.4.1 Install TCP Wrappers (Not Scored)
407 # 7.4.2 Create /etc/hosts.allow (Not Scored)
409 # 7.4.3 Verify Permissions on /etc/hosts.allow (Scored)
412 # 7.4.4 Create /etc/hosts.deny (Not Scored)
414 # 7.5.5 Verify Permissions on /etc/hosts.deny (Scored)
417 ###############################################
418 # 7.5 Uncommon Network Protocols
419 ###############################################
421 # 7.5.1 Disable DCCP (Not Scored)
423 # 7.5.2 Disable SCTP (Not Scored)
425 # 7.5.3 Disable RDS (Not Scored)
427 # 7.5.4 Disable TIPC (Not Scored)
429 # 7.6 Deactivate Wireless Interfaces (Not Scored)
431 # 7.7 Enable SuSEfirewall2 (Scored)
433 # 7.8 Limit access to trusted networks (Not Scored)
435 ###############################################
436 # 8 Logging and Auditing
437 ###############################################
439 ###############################################
440 # 8.1 Configure System Accounting (auditd)
441 ###############################################
443 ###############################################
444 # 8.1.1 Configure Data Retention
445 ###############################################
447 # 8.1.1.1 Configure Audit Log Storage Size (Not Scored)
449 # 8.1.1.2 Disable System on Audit Log Full (Not Scored)
451 # 8.1.1.3 Keep All Auditing Information (Scored)
453 # 8.1.2 Enable auditd Service (Scored)
455 # 8.1.3 Enable Auditing for Processes That Start Prior to auditd (Scored)
457 # 8.1.4 Record Events That Modify Date and Time Information (Scored)
459 # 8.1.5 Record Events That Modify User/Group Information (Scored)
461 # 8.1.6 Record Events That Modify the System’s Network Environment (Scored)
463 # 8.1.7 Record Events That Modify the System’s Mandatory Access Controls (Scored)
465 # 8.1.8 Collect Login and Logout Events (Scored)
467 # 8.1.9 Collect Session Initiation Information (Scored)
469 # 8.1.10 Collect Discretionary Access Control Permission Modification Events (Scored)
471 # 8.1.11 Collect Unsuccessful Unauthorized Access Attempts to Files (Scored)
473 # 8.1.12 Collect Use of Privileged Commands (Scored)
475 # 8.1.13 Collect Successful File System Mounts (Scored)
477 # 8.1.14 Collect File Deletion Events by User (Scored)
479 # 8.1.15 Collect Changes to System Administration Scope (sudoers) (Scored)
481 # 8.1.16 Collect System Administrator Actions (sudolog) (Scored)
483 # 8.1.17 Collect Kernel Module Loading and Unloading (Scored)
485 # 8.1.18 Make the Audit Configuration Immutable (Scored)
487 ###############################################
488 # 8.2 Configure rsyslog
489 ###############################################
491 # 8.2.1 Install the rsyslog package (Scored)
494 # 8.2.2 Activate the rsyslog Service (Scored)
497 # 8.2.3 Configure /etc/rsyslog.conf (Not Scored)
499 # 8.2.4 Create and Set Permissions on rsyslog Log Files (Scored)
501 # 8.2.5 Configure rsyslog to Send Logs to a Remote Log Host (Scored)
503 # 8.2.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored)
505 ###############################################
506 # 8.3 Advanced Intrusion Detection Environment (AIDE)
507 ###############################################
509 # 8.3.1 Install AIDE (Scored)
511 # 8.3.2 Implement Periodic Execution of File Integrity (Scored)
513 # 8.4 Configure logrotate (Not Scored)
515 ###############################################
516 # 9 System Access, Authentication and Authorization
517 ###############################################
519 ###############################################
520 # 9.1 Configure cron and anacron
521 ###############################################
523 # 9.1.1 Enable cron Daemon (Scored)
525 # 9.1.2 Set User/Group Owner and Permission on /etc/crontab (Scored)
527 # 9.1.3 Set User/Group Owner and Permission on /etc/cron.hourly (Scored)
529 # 9.1.4 Set User/Group Owner and Permission on /etc/cron.daily (Scored)
531 # 9.1.5 Set User/Group Owner and Permission on /etc/cron.weekly (Scored)
533 # 9.1.6 Set User/Group Owner and Permission on /etc/cron.monthly (Scored)
535 # 9.1.7 Set User/Group Owner and Permission on /etc/cron.d (Scored)
537 # 9.1.8 Restrict at/cron to Authorized Users (Scored)
539 ###############################################
541 ###############################################
543 # 9.2.1 Set SSH Protocol to 2 (Scored)
544 [CIS - SLES12 - 9.2.1 - SSH Configuration - Protocol version 1 enabled {CIS: 9.2.1 SLES12} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
545 f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1;
547 # 9.2.2 Set LogLevel to INFO (Scored)
548 [CIS - SLES12 - 9.2.1 - SSH Configuration - Loglevel not INFO {CIS: 9.2.1 SLES12} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
549 f:/etc/ssh/sshd_config -> !r:^# && !r:LogLevel\.+INFO;
551 # 9.2.3 Set Permissions on /etc/ssh/sshd_config (Scored)
554 # 9.2.4 Disable SSH X11 Forwarding (Scored)
557 # 9.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
558 [ CIS - SLES12 - 9.2.5 - SSH Configuration - Set SSH MaxAuthTries to 4 or Less {CIS - SLES12 - 9.2.5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
559 f:/etc/ssh/sshd_config -> !r:^# && r:MaxAuthTries && !r:3\s*$;
560 f:/etc/ssh/sshd_config -> r:^#\s*MaxAuthTries;
561 f:/etc/ssh/sshd_config -> !r:MaxAuthTries;
563 # 9.2.6 Set SSH IgnoreRhosts to Yes (Scored)
564 [CIS - SLES12 - 9.2.6 - SSH Configuration - IgnoreRHosts disabled {CIS: 9.2.6 SLES12} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
565 f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no;
567 # 9.2.7 Set SSH HostbasedAuthentication to No (Scored)
568 [CIS - SLES12 - 9.2.7 - SSH Configuration - Host based authentication enabled {CIS: 9.2.7 SLES12} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
569 f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes;
571 # 9.2.8 Disable SSH Root Login (Scored)
572 [CIS - SLES12 - 9.2.8 - SSH Configuration - Root login allowed {CIS: 9.2.8 SLES12} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
573 f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes;
574 f:/etc/ssh/sshd_config -> r:^#\s*PermitRootLogin;
576 # 9.2.9 Set SSH PermitEmptyPasswords to No (Scored)
577 [CIS - SLES12 - 9.2.9 - SSH Configuration - Empty passwords permitted {CIS: 9.2.9 SLES12} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
578 f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes;
579 f:/etc/ssh/sshd_config -> r:^#\s*PermitEmptyPasswords;
581 # 9.2.10 Do Not Allow Users to Set Environment Options (Scored)
583 # 9.2.11 Use Only Approved Ciphers in Counter Mode (Scored)
585 # 9.2.12 Set Idle Timeout Interval for User Login (Not Scored)
587 # 9.2.13 Limit Access via SSH (Scored)
589 # 9.2.14 Set SSH Banner (Scored)
591 ###############################################
593 ###############################################
595 # 9.3.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored)
597 # 9.3.2 Set Lockout for Failed Password Attempts (Not Scored)
599 # 9.3.3 Limit Password Reuse (Scored)
601 # 9.4 Restrict root Login to System Console (Not Scored)
603 # 9.5 Restrict Access to the su Command (Scored)
605 ###############################################
606 # 10 User Accounts and Environment
607 ###############################################
609 ###############################################
610 # 10.1 Set Shadow Password Suite Parameters (/etc/login.defs)
611 ###############################################
613 # 10.1.1 Set Password Expiration Days (Scored)
615 # 10.1.2 Set Password Change Minimum Number of Days (Scored)
617 # 10.1.3 Set Password Expiring Warning Days (Scored)
619 # 10.2 Disable System Accounts (Scored)
621 # 10.3 Set Default Group for root Account (Scored)
623 # 10.4 Set Default umask for Users (Scored)
625 # 10.5 Lock Inactive User Accounts (Scored)
628 ###############################################
630 ###############################################
632 # 11.1 Set Warning Banner for Standard Login Services (Scored)
634 # 11.2 Remove OS Information from Login Warning Banners (Scored)
636 # 11.3 Set Graphical Warning Banner (Not Scored)
638 ###############################################
639 # 12 Verify System File Permissions
640 ###############################################
642 # 12.1 Verify System File Permissions (Not Scored)
644 # 12.2 Verify Permissions on /etc/passwd (Scored)
646 # 12.3 Verify Permissions on /etc/shadow (Scored)
648 # 12.4 Verify Permissions on /etc/group (Scored)
650 # 12.5 Verify User/Group Ownership on /etc/passwd (Scored)
652 # 12.6 Verify User/Group Ownership on /etc/shadow (Scored)
654 # 12.7 Verify User/Group Ownership on /etc/group (Scored)
656 # 12.8 Find World Writable Files (Not Scored)
658 # 12.9 Find Un-owned Files and Directories (Scored)
660 # 12.10 Find Un-grouped Files and Directories (Scored)
662 # 12.11 Find SUID System Executables (Not Scored)
664 # 12.12 Find SGID System Executables (Not Scored)
666 ###############################################
667 # 13 Review User and Group Settings
668 ###############################################
670 # 13.1 Ensure Password Fields are Not Empty (Scored)
672 # 13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
674 # 13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
676 # 13.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
678 # 13.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
679 [CIS - SLES12 - 13.5 - Non-root account with uid 0 {CIS: 13.5 SLES12} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
680 f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:;
682 # 13.6 Ensure root PATH Integrity (Scored)
684 # 13.7 Check Permissions on User Home Directories (Scored)
686 # 13.8 Check User Dot File Permissions (Scored)
688 # 13.9 Check Permissions on User .netrc Files (Scored)
690 # 13.10 Check for Presence of User .rhosts Files (Scored)
692 # 13.11 Check Groups in /etc/passwd (Scored)
694 # 13.12 Check That Users Are Assigned Valid Home Directories (Scored)
696 # 13.13 Check User Home Directory Ownership (Scored)
698 # 13.14 Check for Duplicate UIDs (Scored)
700 # 13.15 Check for Duplicate GIDs (Scored)
702 # 13.16 Check for Duplicate User Names (Scored)
704 # 13.17 Check for Duplicate Group Names (Scored)
706 # 13.18 Check for Presence of User .netrc Files (Scored)
708 # 13.19 Check for Presence of User .forward Files (Scored)
710 # 13.20 Ensure shadow group is empty (Scored)
714 [CIS - SLES12 - X.X.X - Account with empty password present {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
715 f:/etc/shadow -> r:^\w+::;
717 [CIS - SLES12 - X.X.X - User-mounted removable partition allowed on the console] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
718 f:/etc/security/console.perms -> r:^<console> \d+ <cdrom>;
719 f:/etc/security/console.perms -> r:^<console> \d+ <floppy>;
721 [CIS - SLES12 - X.X.X - Disable standard boot services - Kudzu hardware detection Enabled] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
722 d:$rc_dirs -> ^S\d\dkudzu$;
724 [CIS - SLES12 - X.X.X - Disable standard boot services - PostgreSQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
725 d:$rc_dirs -> ^S\d\dpostgresql$;
727 [CIS - SLES12 - X.X.X - Disable standard boot services - MySQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
728 d:$rc_dirs -> ^S\d\dmysqld$;
730 [CIS - SLES12 - X.X.X - Disable standard boot services - DNS server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
731 d:$rc_dirs -> ^S\d\dnamed$;
733 [CIS - SLES12 - X.X.X - Disable standard boot services - NetFS Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_SUSE_Linux_Enterprise_Server_12_Benchmark_v1.0.0.pdf]
734 d:$rc_dirs -> ^S\d\dnetfs$;