|
| 1 | +documentation_complete: true |
| 2 | + |
| 3 | +metadata: |
| 4 | + version: V1 |
| 5 | + SMEs: |
| 6 | + - jgleissner |
| 7 | + |
| 8 | +reference: |
| 9 | + |
| 10 | +title: 'Public Cloud Hardening for SUSE Linux Enterprise 15 CHOST' |
| 11 | + |
| 12 | +description: |- |
| 13 | + This profile contains configuration checks to be used to harden |
| 14 | + SUSE Linux Enterprise 15 CHOST for use with public cloud providers. |
| 15 | + |
| 16 | + |
| 17 | +selections: |
| 18 | + - account_disable_post_pw_expiration |
| 19 | + - accounts_have_homedir_login_defs |
| 20 | + - accounts_maximum_age_login_defs |
| 21 | + - accounts_password_set_max_life_existing |
| 22 | + - accounts_password_set_min_life_existing |
| 23 | + - accounts_passwords_pam_faildelay_delay |
| 24 | + - accounts_passwords_pam_tally2 |
| 25 | + - accounts_tmout |
| 26 | + - accounts_umask_etc_login_defs |
| 27 | + - aide_check_audit_tools |
| 28 | + - aide_periodic_checking_systemd_timer |
| 29 | + - aide_verify_acls |
| 30 | + - aide_verify_ext_attributes |
| 31 | + - auditd_audispd_encrypt_sent_records |
| 32 | + - auditd_data_disk_full_action |
| 33 | + - auditd_data_retention_space_left |
| 34 | + - audit_rules_dac_modification_chmod |
| 35 | + - audit_rules_dac_modification_chown |
| 36 | + - audit_rules_dac_modification_fchmod |
| 37 | + - audit_rules_dac_modification_fchmodat |
| 38 | + - audit_rules_dac_modification_fchown |
| 39 | + - audit_rules_dac_modification_fchownat |
| 40 | + - audit_rules_dac_modification_fremovexattr |
| 41 | + - audit_rules_dac_modification_fsetxattr |
| 42 | + - audit_rules_dac_modification_lchown |
| 43 | + - audit_rules_dac_modification_lremovexattr |
| 44 | + - audit_rules_dac_modification_lsetxattr |
| 45 | + - audit_rules_dac_modification_removexattr |
| 46 | + - audit_rules_dac_modification_setxattr |
| 47 | + - audit_rules_dac_modification_umount |
| 48 | + - audit_rules_dac_modification_umount2 |
| 49 | + - audit_rules_enable_syscall_auditing |
| 50 | + - audit_rules_execution_chacl |
| 51 | + - audit_rules_execution_chcon |
| 52 | + - audit_rules_execution_chmod |
| 53 | + - audit_rules_execution_rm |
| 54 | + - audit_rules_execution_setfacl |
| 55 | + - audit_rules_kernel_module_loading_delete |
| 56 | + - audit_rules_kernel_module_loading_finit |
| 57 | + - audit_rules_kernel_module_loading_init |
| 58 | + - audit_rules_login_events_lastlog |
| 59 | + - audit_rules_login_events_tallylog |
| 60 | + - audit_rules_media_export |
| 61 | + - audit_rules_privileged_commands_chage |
| 62 | + - audit_rules_privileged_commands_chfn |
| 63 | + - audit_rules_privileged_commands_chsh |
| 64 | + - audit_rules_privileged_commands_crontab |
| 65 | + - audit_rules_privileged_commands_gpasswd |
| 66 | + - audit_rules_privileged_commands_insmod |
| 67 | + - audit_rules_privileged_commands_kmod |
| 68 | + - audit_rules_privileged_commands_modprobe |
| 69 | + - audit_rules_privileged_commands_newgrp |
| 70 | + - audit_rules_privileged_commands_pam_timestamp_check |
| 71 | + - audit_rules_privileged_commands_passmass |
| 72 | + - audit_rules_privileged_commands_passwd |
| 73 | + - audit_rules_privileged_commands_rmmod |
| 74 | + - audit_rules_privileged_commands_ssh_agent |
| 75 | + - audit_rules_privileged_commands_ssh_keysign |
| 76 | + - audit_rules_privileged_commands_su |
| 77 | + - audit_rules_privileged_commands_sudo |
| 78 | + - audit_rules_privileged_commands_sudoedit |
| 79 | + - audit_rules_privileged_commands_unix2_chkpwd |
| 80 | + - audit_rules_privileged_commands_unix_chkpwd |
| 81 | + - audit_rules_privileged_commands_usermod |
| 82 | + - audit_rules_session_events_btmp |
| 83 | + - audit_rules_session_events_utmp |
| 84 | + - audit_rules_session_events_wtmp |
| 85 | + - audit_rules_suid_privilege_function |
| 86 | + - audit_rules_sysadmin_actions |
| 87 | + - audit_rules_unsuccessful_file_modification_creat |
| 88 | + - audit_rules_unsuccessful_file_modification_ftruncate |
| 89 | + - audit_rules_unsuccessful_file_modification_open |
| 90 | + - audit_rules_unsuccessful_file_modification_openat |
| 91 | + - audit_rules_unsuccessful_file_modification_open_by_handle_at |
| 92 | + - audit_rules_unsuccessful_file_modification_rename |
| 93 | + - audit_rules_unsuccessful_file_modification_renameat |
| 94 | + - audit_rules_unsuccessful_file_modification_renameat2 |
| 95 | + - audit_rules_unsuccessful_file_modification_truncate |
| 96 | + - audit_rules_unsuccessful_file_modification_unlink |
| 97 | + - audit_rules_unsuccessful_file_modification_unlinkat |
| 98 | + - audit_rules_usergroup_modification_group |
| 99 | + - audit_rules_usergroup_modification_gshadow |
| 100 | + - audit_rules_usergroup_modification_opasswd |
| 101 | + - audit_rules_usergroup_modification_passwd |
| 102 | + - audit_rules_usergroup_modification_shadow |
| 103 | + - banner_etc_issue |
| 104 | + - cracklib_accounts_password_pam_dcredit |
| 105 | + - cracklib_accounts_password_pam_difok |
| 106 | + - cracklib_accounts_password_pam_lcredit |
| 107 | + - cracklib_accounts_password_pam_minlen |
| 108 | + - cracklib_accounts_password_pam_ocredit |
| 109 | + - cracklib_accounts_password_pam_retry |
| 110 | + - cracklib_accounts_password_pam_ucredit |
| 111 | + - display_login_attempts |
| 112 | + - ensure_gpgcheck_globally_activated |
| 113 | + - file_groupownership_system_commands_dirs |
| 114 | + - file_permissions_home_directories |
| 115 | + - inactivity_timeout_value=15_minutes |
| 116 | + - kernel_module_usb-storage_disabled |
| 117 | + - package_aide_installed |
| 118 | + - package_audit-audispd-plugins_installed |
| 119 | + - package_audit_installed |
| 120 | + - set_password_hashing_algorithm_systemauth |
| 121 | + - sshd_disable_root_login |
| 122 | + - sshd_disable_user_known_hosts |
| 123 | + - sshd_disable_x11_forwarding |
| 124 | + - sshd_enable_warning_banner |
| 125 | + - sshd_idle_timeout_value=10_minutes |
| 126 | + - sshd_set_idle_timeout |
| 127 | + - sshd_set_keepalive_0 |
| 128 | + - sshd_set_loglevel_verbose |
| 129 | + - sshd_use_approved_ciphers_ordered_stig |
| 130 | + - sshd_use_approved_macs_ordered_stig |
| 131 | + - var_account_disable_post_pw_expiration=35 |
| 132 | + - var_accounts_fail_delay=4 |
| 133 | + - var_accounts_max_concurrent_login_sessions=10 |
| 134 | + - var_accounts_maximum_age_login_defs=60 |
| 135 | + - var_accounts_minimum_age_login_defs=7 |
| 136 | + - var_accounts_tmout=15_min |
| 137 | + - var_auditd_disk_full_action=syslog |
| 138 | + - var_password_pam_dcredit=1 |
| 139 | + - var_password_pam_delay=4000000 |
| 140 | + - var_password_pam_lcredit=1 |
| 141 | + - var_password_pam_minlen=15 |
| 142 | + - var_password_pam_ocredit=1 |
| 143 | + - var_password_pam_ucredit=1 |
| 144 | + - var_password_pam_unix_remember=5 |
| 145 | + - var_removable_partition=dev_cdrom |
| 146 | + - var_sshd_set_keepalive=0 |
| 147 | + - var_sssd_memcache_timeout=1_day |
| 148 | + - var_sudo_timestamp_timeout=always_prompt |
| 149 | + - var_time_service_set_maxpoll=18_hours |
0 commit comments