DISA SLES 15 STIG v2r1

Audit Details

Name: DISA SLES 15 STIG v2r1

Updated: 10/15/2024

Authority: DISA STIG

Plugin: Unix

Revision: 1.1

Estimated Item Count: 217

File Details

Filename: DISA_STIG_SLES_15_v2r1.audit

Size: 534 kB

MD5: 35e7a8cfeff2ff1a5f8624f91033c0ba
SHA256: 01888d81b432652ea74dea68e34720f0857bb7df284f67adc01268f2a7b28042

Audit Items

DescriptionCategories
DISA_STIG_SLES_15_v2r1.audit from DISA SUSE Linux Enterprise Server 15 v2r1 STIG
SLES-15-010000 - The SUSE operating system must be a vendor-supported release.

SYSTEM AND INFORMATION INTEGRITY

SLES-15-010010 - Vendor-packaged SUSE operating system security patches and updates must be installed and up to date.

SYSTEM AND INFORMATION INTEGRITY

SLES-15-010020 - The SUSE operating system must display the Standard Mandatory DOD Notice and Consent Banner before granting access via local console.

ACCESS CONTROL

SLES-15-010030 - The SUSE operating system must not have the vsftpd package installed if not required for operational support.

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

SLES-15-010040 - The SUSE operating system must display the Standard Mandatory DOD Notice and Consent Banner before granting access via SSH.

ACCESS CONTROL

SLES-15-010050 - The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface (GUI) - GUI.

ACCESS CONTROL

SLES-15-010050 - The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface (GUI).

ACCESS CONTROL

SLES-15-010060 - The SUSE operating system file /etc/gdm/banner must contain the Standard Mandatory DoD Notice and Consent banner text.

ACCESS CONTROL

SLES-15-010080 - The SUSE operating system must display a banner before granting local or remote access to the system via a graphical user logon.

ACCESS CONTROL

SLES-15-010090 - The SUSE operating system must display the approved Standard Mandatory DoD Notice before granting local or remote access to the system via a graphical user logon.

ACCESS CONTROL

SLES-15-010100 - The SUSE operating system must be able to lock the graphical user interface (GUI).

ACCESS CONTROL

SLES-15-010110 - The SUSE operating system must utilize vlock to allow for session locking.

ACCESS CONTROL

SLES-15-010120 - The SUSE operating system must initiate a session lock after a 15-minute period of inactivity for the graphical user interface (GUI).

ACCESS CONTROL

SLES-15-010130 - The SUSE operating system must initiate a session lock after a 15-minute period of inactivity.

ACCESS CONTROL

SLES-15-010140 - The SUSE operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image in the graphical user interface (GUI).

ACCESS CONTROL

SLES-15-010150 - The SUSE operating system must log SSH connection attempts and failures to the server.

ACCESS CONTROL

SLES-15-010160 - The SUSE operating system must implement DOD-approved encryption to protect the confidentiality of SSH remote connections.

ACCESS CONTROL

SLES-15-010170 - The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

IDENTIFICATION AND AUTHENTICATION

SLES-15-010180 - The SUSE operating system must not have the telnet-server package installed.

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

SLES-15-010190 - SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.

ACCESS CONTROL

SLES-15-010200 - SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.

ACCESS CONTROL

SLES-15-010220 - The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

SLES-15-010230 - The SUSE operating system must not have duplicate User IDs (UIDs) for interactive users.

IDENTIFICATION AND AUTHENTICATION

SLES-15-010240 - The SUSE operating system must disable the file system automounter unless required.

IDENTIFICATION AND AUTHENTICATION

SLES-15-010260 - The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs).

IDENTIFICATION AND AUTHENTICATION

SLES-15-010270 - The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.

ACCESS CONTROL, MAINTENANCE

SLES-15-010280 - The SUSE operating system SSH daemon must be configured with a timeout interval.

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

SLES-15-010300 - The sticky bit must be set on all SUSE operating system world-writable directories.

SYSTEM AND COMMUNICATIONS PROTECTION

SLES-15-010310 - The SUSE operating system must be configured to use TCP syncookies.

SYSTEM AND COMMUNICATIONS PROTECTION

SLES-15-010320 - The SUSE operating system for all network connections associated with SSH traffic must immediately terminate at the end of the session or after 10 minutes of inactivity.

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

SLES-15-010330 - All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.

SYSTEM AND COMMUNICATIONS PROTECTION

SLES-15-010340 - The SUSE operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

SYSTEM AND INFORMATION INTEGRITY

SLES-15-010350 - The SUSE operating system must prevent unauthorized users from accessing system error messages.

SYSTEM AND INFORMATION INTEGRITY

SLES-15-010351 - The SUSE operating system library files must have mode 0755 or less permissive.

CONFIGURATION MANAGEMENT

SLES-15-010352 - The SUSE operating system library directories must have mode 0755 or less permissive.

CONFIGURATION MANAGEMENT

SLES-15-010353 - The SUSE operating system library files must be owned by root.

CONFIGURATION MANAGEMENT

SLES-15-010354 - The SUSE operating system library directories must be owned by root.

CONFIGURATION MANAGEMENT

SLES-15-010355 - The SUSE operating system library files must be group-owned by root.

CONFIGURATION MANAGEMENT

SLES-15-010356 - The SUSE operating system library directories must be group-owned by root.

CONFIGURATION MANAGEMENT

SLES-15-010357 - The SUSE operating system must have system commands set to a mode of 0755 or less permissive.

CONFIGURATION MANAGEMENT

SLES-15-010358 - The SUSE operating system must have directories that contain system commands set to a mode of 0755 or less permissive.

CONFIGURATION MANAGEMENT

SLES-15-010359 - The SUSE operating system must have system commands owned by root.

CONFIGURATION MANAGEMENT

SLES-15-010360 - The SUSE operating system must have directories that contain system commands owned by root.

CONFIGURATION MANAGEMENT

SLES-15-010361 - The SUSE operating system must have system commands group-owned by root or a system account.

CONFIGURATION MANAGEMENT

SLES-15-010362 - The SUSE operating system must have directories that contain system commands group-owned by root.

CONFIGURATION MANAGEMENT

SLES-15-010370 - The SUSE operating system must have a firewall system installed to immediately disconnect or disable remote access to the whole operating system.

ACCESS CONTROL

SLES-15-010375 - The SUSE operating system must restrict access to the kernel message buffer.

SYSTEM AND COMMUNICATIONS PROTECTION

SLES-15-010380 - The SUSE operating system wireless network adapters must be disabled unless approved and documented.

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

SLES-15-010390 - SUSE operating system AppArmor tool must be configured to control whitelisted applications and user home directory access control.

ACCESS CONTROL, CONFIGURATION MANAGEMENT