Released 2022-10-21
| STIG ID | Title |
|---|---|
| SLES-15-010000 | The SUSE operating system must be a vendor-supported release. |
| SLES-15-010001 | The SUSE operating system must implement the Endpoint Security for Linux Threat Prevention tool. |
| SLES-15-010010 | Vendor-packaged SUSE operating system security patches and updates must be installed and up to date. |
| SLES-15-010020 | The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via local console. |
| SLES-15-010030 | The SUSE operating system must not have the vsftpd package installed if not required for operational support. |
| SLES-15-010040 | The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SSH. |
| SLES-15-010050 | The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface (GUI). |
| SLES-15-010060 | The SUSE operating system file /etc/gdm/banner must contain the Standard Mandatory DoD Notice and Consent banner text. |
| SLES-15-010080 | The SUSE operating system must display a banner before granting local or remote access to the system via a graphical user logon. |
| SLES-15-010090 | The SUSE operating system must display the approved Standard Mandatory DoD Notice before granting local or remote access to the system via a graphical user logon. |
| SLES-15-010100 | The SUSE operating system must be able to lock the graphical user interface (GUI). |
| SLES-15-010110 | The SUSE operating system must utilize vlock to allow for session locking. |
| SLES-15-010120 | The SUSE operating system must initiate a session lock after a 15-minute period of inactivity for the graphical user interface (GUI). |
| SLES-15-010130 | The SUSE operating system must initiate a session lock after a 15-minute period of inactivity. |
| SLES-15-010140 | The SUSE operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image in the graphical user interface (GUI). |
| SLES-15-010150 | The SUSE operating system must log SSH connection attempts and failures to the server. |
| SLES-15-010160 | The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections. |
| SLES-15-010170 | The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. |
| SLES-15-010180 | The SUSE operating system must not have the telnet-server package installed. |
| SLES-15-010190 | SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes. |
| SLES-15-010200 | SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. |
| SLES-15-010220 | The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. |
| SLES-15-010230 | The SUSE operating system must not have duplicate User IDs (UIDs) for interactive users. |
| SLES-15-010240 | The SUSE operating system must disable the file system automounter unless required. |
| SLES-15-010260 | The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs). |
| SLES-15-010270 | The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. |
| SLES-15-010280 | The SUSE operating system SSH daemon must be configured with a timeout interval. |
| SLES-15-010300 | The sticky bit must be set on all SUSE operating system world-writable directories. |
| SLES-15-010310 | The SUSE operating system must be configured to use TCP syncookies. |
| SLES-15-010320 | The SUSE operating system for all network connections associated with SSH traffic must immediately terminate at the end of the session or after 10 minutes of inactivity. |
| SLES-15-010330 | All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection. |
| SLES-15-010340 | The SUSE operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. |
| SLES-15-010350 | The SUSE operating system must prevent unauthorized users from accessing system error messages. |
| SLES-15-010351 | The SUSE operating system library files must have mode 0755 or less permissive. |
| SLES-15-010352 | The SUSE operating system library directories must have mode 0755 or less permissive. |
| SLES-15-010353 | The SUSE operating system library files must be owned by root. |
| SLES-15-010354 | The SUSE operating system library directories must be owned by root. |
| SLES-15-010355 | The SUSE operating system library files must be group-owned by root. |
| SLES-15-010356 | The SUSE operating system library directories must be group-owned by root. |
| SLES-15-010357 | The SUSE operating system must have system commands set to a mode of 0755 or less permissive. |
| SLES-15-010358 | The SUSE operating system must have directories that contain system commands set to a mode of 0755 or less permissive. |
| SLES-15-010359 | The SUSE operating system must have system commands owned by root. |
| SLES-15-010360 | The SUSE operating system must have directories that contain system commands owned by root. |
| SLES-15-010361 | The SUSE operating system must have system commands group-owned by root or a system account. |
| SLES-15-010362 | The SUSE operating system must have directories that contain system commands group-owned by root. |
| SLES-15-010370 | The SUSE operating system must have a firewall system installed to immediately disconnect or disable remote access to the whole operating system. |
| SLES-15-010380 | The SUSE operating system wireless network adapters must be disabled unless approved and documented. |
| SLES-15-010390 | SUSE operating system AppArmor tool must be configured to control whitelisted applications and user home directory access control. |
| SLES-15-010400 | The SUSE operating system clock must, for networked systems, be synchronized to an authoritative DoD time source at least every 24 hours. |
| SLES-15-010410 | The SUSE operating system must be configured to use Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). |
| SLES-15-010420 | Advanced Intrusion Detection Environment (AIDE) must verify the baseline SUSE operating system configuration at least weekly. |
| SLES-15-010430 | The SUSE operating system tool zypper must have gpgcheck enabled. |
| SLES-15-010450 | The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges. |
| SLES-15-010460 | The SUSE operating system must have the packages required for multifactor authentication to be installed. |
| SLES-15-010470 | The SUSE operating system must implement certificate status checking for multifactor authentication. |
| SLES-15-010480 | The SUSE operating system must disable the USB mass storage kernel module. |
| SLES-15-010490 | If Network Security Services (NSS) is being used by the SUSE operating system it must prohibit the use of cached authentications after one day. |
| SLES-15-010500 | The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to prohibit the use of cached offline authentications after one day. |
| SLES-15-010510 | FIPS 140-2 mode must be enabled on the SUSE operating system. |
| SLES-15-010530 | All networked SUSE operating systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. |
| SLES-15-010540 | The SUSE operating system must implement kptr-restrict to prevent the leaking of internal kernel addresses. |
| SLES-15-010550 | Address space layout randomization (ASLR) must be implemented by the SUSE operating system to protect memory from unauthorized code execution. |
| SLES-15-010560 | The SUSE operating system must remove all outdated software components after updated versions have been installed. |
| SLES-15-010570 | The SUSE operating system must notify the System Administrator (SA) when Advanced Intrusion Detection Environment (AIDE) discovers anomalies in the operation of any security functions. |
| SLES-15-010580 | The SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly. |
| SLES-15-020000 | The SUSE operating system must provision temporary accounts with an expiration date for 72 hours. |
| SLES-15-020010 | The SUSE operating system must lock an account after three consecutive invalid access attempts. |
| SLES-15-020020 | The SUSE operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types. |
| SLES-15-020030 | The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM). |
| SLES-15-020040 | The SUSE operating system must deny direct logons to the root account using remote access via SSH. |
| SLES-15-020050 | The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration. |
| SLES-15-020060 | The SUSE operating system must never automatically remove or disable emergency administrator accounts. |
| SLES-15-020080 | The SUSE operating system must display the date and time of the last successful account logon upon logon. |
| SLES-15-020090 | The SUSE operating system must not have unnecessary accounts. |
| SLES-15-020091 | The SUSE operating system must not have unnecessary account capabilities. |
| SLES-15-020099 | The SUSE operating system must specify the default "include" directory for the /etc/sudoers file. |
| SLES-15-020100 | The SUSE operating system root account must be the only account with unrestricted access to the system. |
| SLES-15-020101 | The SUSE operating system must restrict privilege elevation to authorized personnel. |
| SLES-15-020102 | The SUSE operating system must require re-authentication when using the "sudo" command. |
| SLES-15-020103 | The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo". |
| SLES-15-020104 | The SUSE operating system must not be configured to bypass password requirements for privilege escalation. |
| SLES-15-020110 | All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory. |
| SLES-15-020120 | The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon. |
| SLES-15-020130 | The SUSE operating system must enforce passwords that contain at least one uppercase character. |
| SLES-15-020140 | The SUSE operating system must enforce passwords that contain at least one lowercase character. |
| SLES-15-020150 | The SUSE operating system must enforce passwords that contain at least one numeric character. |
| SLES-15-020160 | The SUSE operating system must require the change of at least eight of the total number of characters when passwords are changed. |
| SLES-15-020170 | The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords. |
| SLES-15-020180 | The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords. |
| SLES-15-020181 | The SUSE operating system must not have accounts configured with blank or null passwords. |
| SLES-15-020190 | The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords. |
| SLES-15-020200 | The SUSE operating system must be configured to create or update passwords with a minimum lifetime of 24 hours (one day). |
| SLES-15-020210 | The SUSE operating system must employ user passwords with a minimum lifetime of 24 hours (one day). |
| SLES-15-020220 | The SUSE operating system must be configured to create or update passwords with a maximum lifetime of 60 days. |
| SLES-15-020230 | The SUSE operating system must employ user passwords with a maximum lifetime of 60 days. |
| SLES-15-020240 | The SUSE operating system must employ a password history file. |
| SLES-15-020250 | The SUSE operating system must not allow passwords to be reused for a minimum of five generations. |
| SLES-15-020260 | The SUSE operating system must employ passwords with a minimum of 15 characters. |
| SLES-15-020270 | The SUSE operating system must enforce passwords that contain at least one special character. |
| SLES-15-020290 | The SUSE operating system must prevent the use of dictionary words for passwords. |
| SLES-15-020300 | The SUSE operating system must not be configured to allow blank or null passwords. |
| SLES-15-030000 | The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. |
| SLES-15-030010 | The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. |
| SLES-15-030020 | The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. |
| SLES-15-030030 | The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. |
| SLES-15-030040 | The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. |
| SLES-15-030050 | SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. |
| SLES-15-030060 | The SUSE operating system must generate audit records for all uses of the ssh-keysign command. |
| SLES-15-030070 | The SUSE operating system must generate audit records for all uses of the passwd command. |
| SLES-15-030080 | The SUSE operating system must generate audit records for all uses of the gpasswd command. |
| SLES-15-030090 | The SUSE operating system must generate audit records for all uses of the newgrp command. |
| SLES-15-030100 | The SUSE operating system must generate audit records for a uses of the chsh command. |
| SLES-15-030110 | The SUSE operating system must generate audit records for all uses of the unix_chkpwd or unix2_chkpwd commands. |
| SLES-15-030120 | The SUSE operating system must generate audit records for all uses of the chage command. |
| SLES-15-030130 | The SUSE operating system must generate audit records for all uses of the crontab command. |
| SLES-15-030140 | The SUSE operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory. |
| SLES-15-030150 | The SUSE operating system must generate audit records for all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. |
| SLES-15-030190 | The SUSE operating system must generate audit records for all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. |
| SLES-15-030250 | The SUSE operating system must generate audit records for all uses of the chown, fchown, fchownat, and lchown system calls. |
| SLES-15-030290 | The SUSE operating system must generate audit records for all uses of the chmod, fchmod, and fchmodat system calls. |
| SLES-15-030330 | The SUSE operating system must generate audit records for all uses of the sudoedit command. |
| SLES-15-030340 | The SUSE operating system must generate audit records for all uses of the chfn command. |
| SLES-15-030350 | The SUSE operating system must generate audit records for all uses of the mount system call. |
| SLES-15-030360 | The SUSE operating system must generate audit records for all uses of the umount system call. |
| SLES-15-030370 | The SUSE operating system must generate audit records for all uses of the ssh-agent command. |
| SLES-15-030380 | The SUSE operating system must generate audit records for all uses of the insmod command. |
| SLES-15-030390 | The SUSE operating system must generate audit records for all uses of the rmmod command. |
| SLES-15-030400 | The SUSE operating system must generate audit records for all uses of the modprobe command. |
| SLES-15-030410 | The SUSE operating system must generate audit records for all uses of the kmod command. |
| SLES-15-030420 | The SUSE operating system must generate audit records for all uses of the chmod command. |
| SLES-15-030430 | The SUSE operating system must generate audit records for all uses of the setfacl command. |
| SLES-15-030440 | The SUSE operating system must generate audit records for all uses of the chacl command. |
| SLES-15-030450 | The SUSE operating system must generate audit records for all uses of the chcon command. |
| SLES-15-030460 | The SUSE operating system must generate audit records for all uses of the rm command. |
| SLES-15-030470 | The SUSE operating system must generate audit records for all modifications to the tallylog file must generate an audit record. |
| SLES-15-030480 | The SUSE operating system must generate audit records for all modifications to the lastlog file. |
| SLES-15-030490 | The SUSE operating system must generate audit records for all uses of the passmass command. |
| SLES-15-030500 | The SUSE operating system must generate audit records for all uses of the usermod command. |
| SLES-15-030510 | The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command. |
| SLES-15-030520 | The SUSE operating system must generate audit records for all uses of the delete_module system call. |
| SLES-15-030530 | The SUSE operating system must generate audit records for all uses of the init_module and finit_module system calls. |
| SLES-15-030550 | The SUSE operating system must generate audit records for all uses of the su command. |
| SLES-15-030560 | The SUSE operating system must generate audit records for all uses of the sudo command. |
| SLES-15-030570 | The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must be alerted of a SUSE operating system audit processing failure event. |
| SLES-15-030580 | The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure. |
| SLES-15-030590 | The SUSE operating system audit system must take appropriate action when the audit storage volume is full. |
| SLES-15-030600 | The SUSE operating system must protect audit rules from unauthorized modification. |
| SLES-15-030620 | The SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access. |
| SLES-15-030630 | The SUSE operating system file integrity tool must be configured to protect the integrity of the audit tools. |
| SLES-15-030640 | The SUSE operating system must generate audit records for all uses of the privileged functions. |
| SLES-15-030650 | The SUSE operating system must have the auditing package installed. |
| SLES-15-030660 | The SUSE operating system must allocate audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility. |
| SLES-15-030670 | The audit-audispd-plugins must be installed on the SUSE operating system. |
| SLES-15-030680 | The SUSE operating system audit event multiplexor must be configured to use Kerberos. |
| SLES-15-030690 | Audispd must off-load audit records onto a different system or media from the SUSE operating system being audited. |
| SLES-15-030700 | The SUSE operating system auditd service must notify the System Administrator (SA) and Information System Security Officer (ISSO) immediately when audit storage capacity is 75 percent full. |
| SLES-15-030740 | The SUSE operating system must generate audit records for all uses of the unlink, unlinkat, rename, renameat, and rmdir system calls. |
| SLES-15-030760 | The SUSE operating system must generate audit records for the /run/utmp file. |
| SLES-15-030770 | The SUSE operating system must generate audit records for the /var/log/wtmp file. |
| SLES-15-030780 | The SUSE operating system must generate audit records for the /var/log/btmp file. |
| SLES-15-030790 | The SUSE operating system must off-load audit records onto a different system or media from the system being audited. |
| SLES-15-030800 | Audispd must take appropriate action when the SUSE operating system audit storage is full. |
| SLES-15-030810 | The SUSE operating system must use a separate file system for the system audit data path. |
| SLES-15-030820 | The SUSE operating system must not disable syscall auditing. |
| SLES-15-040000 | The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. |
| SLES-15-040010 | The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. |
| SLES-15-040020 | There must be no .shosts files on the SUSE operating system. |
| SLES-15-040030 | There must be no shosts.equiv files on the SUSE operating system. |
| SLES-15-040040 | The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs). |
| SLES-15-040050 | The SUSE operating system file integrity tool must be configured to verify extended attributes. |
| SLES-15-040060 | The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence. |
| SLES-15-040061 | The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces. |
| SLES-15-040062 | The SUSE operating system must disable the systemd Ctrl-Alt-Delete burst key sequence. |
| SLES-15-040070 | All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file. |
| SLES-15-040080 | All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist. |
| SLES-15-040090 | All SUSE operating system local interactive user home directories must have mode 0750 or less permissive. |
| SLES-15-040100 | All SUSE operating system local interactive user home directories must be group-owned by the home directory owner's primary group. |
| SLES-15-040110 | All SUSE operating system local initialization files must have mode 0740 or less permissive. |
| SLES-15-040120 | All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory. |
| SLES-15-040130 | All SUSE operating system local initialization files must not execute world-writable programs. |
| SLES-15-040140 | SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed. |
| SLES-15-040150 | SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed. |
| SLES-15-040160 | SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed. |
| SLES-15-040170 | SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed. |
| SLES-15-040180 | All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group. |
| SLES-15-040190 | SUSE operating system kernel core dumps must be disabled unless needed. |
| SLES-15-040200 | A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent). |
| SLES-15-040210 | The SUSE operating system must use a separate file system for /var. |
| SLES-15-040220 | The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes. |
| SLES-15-040230 | The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication. |
| SLES-15-040240 | The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive. |
| SLES-15-040250 | The SUSE operating system SSH daemon private host key files must have mode 0600 or less permissive. |
| SLES-15-040260 | The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files. |
| SLES-15-040280 | The SUSE operating system SSH daemon must not allow compression or must only allow compression after successful authentication. |
| SLES-15-040290 | The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements. |
| SLES-15-040300 | The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets. |
| SLES-15-040310 | The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets. |
| SLES-15-040320 | The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. |
| SLES-15-040321 | The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets by default. |
| SLES-15-040330 | The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. |
| SLES-15-040340 | The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default. |
| SLES-15-040341 | The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted. |
| SLES-15-040350 | The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default. |
| SLES-15-040360 | The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default. |
| SLES-15-040370 | The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. |
| SLES-15-040380 | The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router. |
| SLES-15-040381 | The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router. |
| SLES-15-040382 | The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router. |
| SLES-15-040390 | The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented. |
| SLES-15-040400 | All SUSE operating system files and directories must have a valid owner. |
| SLES-15-040410 | All SUSE operating system files and directories must have a valid group owner. |
| SLES-15-040420 | The SUSE operating system default permissions must be defined in such a way that all authenticated users can only read and modify their own files. |
| SLES-15-040430 | The SUSE operating system must not allow unattended or automatic logon via the graphical user interface (GUI). |
| SLES-15-040440 | The SUSE operating system must not allow unattended or automatic logon via SSH. |