STIGQter: STIG Summary:

SUSE Linux Enterprise Server 15 Security Technical Implementation Guide

Version: 1

Release: 2

Benchmark Date: 23 Apr 2021

Name                   Title
SV-234800r622137_rule  The SUSE operating system must be a vendor-supported release.
SV-234801r622137_rule  The SUSE operating system must deploy Endpoint Security for Linux Threat Prevention (ENSLTP).
SV-234802r622137_rule  Vendor-packaged SUSE operating system security patches and updates must be installed and up to date.
SV-234803r622137_rule  The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via local console.
SV-234804r622137_rule  The SUSE operating system must not have the vsftpd package installed if not required for operational support.
SV-234805r622137_rule  The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SSH.
SV-234806r622137_rule  The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface (GUI).
SV-234807r622137_rule  The SUSE operating system file /etc/gdm/banner must contain the Standard Mandatory DoD Notice and Consent banner text.
SV-234808r622137_rule  The SUSE operating system must display a banner before granting local or remote access to the system via a graphical user logon.
SV-234809r622137_rule  The SUSE operating system must display the approved Standard Mandatory DoD Notice before granting local or remote access to the system via a graphical user logon.
SV-234810r622137_rule  The SUSE operating system must be able to lock the graphical user interface (GUI).
SV-234811r622137_rule  The SUSE operating system must utilize vlock to allow for session locking.
SV-234812r622137_rule  The SUSE operating system must initiate a session lock after a 15-minute period of inactivity for the graphical user interface (GUI).
SV-234813r622137_rule  The SUSE operating system must initiate a session lock after a 15-minute period of inactivity.
SV-234814r622137_rule  The SUSE operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image in the graphical user interface (GUI).
SV-234815r622137_rule  The SUSE operating system must log SSH connection attempts and failures to the server.
SV-234816r622137_rule  The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections.
SV-234817r622137_rule  The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
SV-234818r622137_rule  The SUSE operating system must not have the telnet-server package installed.
SV-234819r622137_rule  SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.
SV-234820r622137_rule  SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.
SV-234821r622137_rule  The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
SV-234822r622137_rule  The SUSE operating system must not have duplicate User IDs (UIDs) for interactive users.
SV-234823r622137_rule  The SUSE operating system must disable the file system automounter unless required.
SV-234824r622137_rule  The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (system-auth).
SV-234825r622137_rule  The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs).
SV-234826r622137_rule  The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
SV-234827r622137_rule  The SUSE operating system SSH daemon must be configured with a timeout interval.
SV-234828r622137_rule  The sticky bit must be set on all SUSE operating system world-writable directories.
SV-234829r622137_rule  The SUSE operating system must be configured to use TCP syncookies.
SV-234830r622137_rule  The SUSE operating system for all network connections associated with SSH traffic must immediately terminate at the end of the session or after 10 minutes of inactivity.
SV-234831r622137_rule  All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.
SV-234832r622137_rule  The SUSE operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
SV-234833r622137_rule  The SUSE operating system must prevent unauthorized users from accessing system error messages.
SV-234834r622137_rule  The SUSE operating system library files must have mode 0755 or less permissive.
SV-234835r622137_rule  The SUSE operating system library directories must have mode 0755 or less permissive.
SV-234836r622137_rule  The SUSE operating system library files must be owned by root.
SV-234837r622137_rule  The SUSE operating system library directories must be owned by root.
SV-234838r622137_rule  The SUSE operating system library files must be group-owned by root.
SV-234839r622137_rule  The SUSE operating system library directories must be group-owned by root.
SV-234840r622137_rule  The SUSE operating system must have system commands set to a mode of 0755 or less permissive.
SV-234841r622137_rule  The SUSE operating system must have directories that contain system commands set to a mode of 0755 or less permissive.
SV-234842r622137_rule  The SUSE operating system must have system commands owned by root.
SV-234843r622137_rule  The SUSE operating system must have directories that contain system commands owned by root.
SV-234844r622137_rule  The SUSE operating system must have system commands group-owned by root.
SV-234845r622137_rule  The SUSE operating system must have directories that contain system commands group-owned by root.
SV-234846r622137_rule  The SUSE operating system must have a firewall system installed to immediately disconnect or disable remote access to the whole operating system.
SV-234847r622137_rule  The SUSE operating system wireless network adapters must be disabled unless approved and documented.
SV-234848r622137_rule  SUSE operating system AppArmor tool must be configured to control whitelisted applications and user home directory access control.
SV-234849r622137_rule  The SUSE operating system clock must, for networked systems, be synchronized to an authoritative DoD time source at least every 24 hours.
SV-234850r622137_rule  The SUSE operating system must be configured to use Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
SV-234851r622137_rule  Advanced Intrusion Detection Environment (AIDE) must verify the baseline SUSE operating system configuration at least weekly.
SV-234852r622137_rule  The SUSE operating system tool zypper must have gpgcheck enabled.
SV-234853r622137_rule  The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges.
SV-234854r622137_rule  The SUSE operating system must have the packages required for multifactor authentication to be installed.
SV-234855r622137_rule  The SUSE operating system must implement certificate status checking for multifactor authentication.
SV-234856r622137_rule  The SUSE operating system must disable the USB mass storage kernel module.
SV-234857r622137_rule  If Network Security Services (NSS) is being used by the SUSE operating system it must prohibit the use of cached authentications after one day.
SV-234858r622137_rule  The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to prohibit the use of cached offline authentications after one day.
SV-234859r622137_rule  FIPS 140-2 mode must be enabled on the SUSE operating system.
SV-234860r622137_rule  All networked SUSE operating systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
SV-234861r622137_rule  The SUSE operating system must implement kptr-restrict to prevent the leaking of internal kernel addresses.
SV-234862r622137_rule  Address space layout randomization (ASLR) must be implemented by the SUSE operating system to protect memory from unauthorized code execution.
SV-234863r622137_rule  The SUSE operating system must remove all outdated software components after updated versions have been installed.
SV-234864r622137_rule  The SUSE operating system must notify the System Administrator (SA) when Advanced Intrusion Detection Environment (AIDE) discovers anomalies in the operation of any security functions.
SV-234865r622137_rule  The SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly.
SV-234866r622137_rule  The SUSE operating system must provision temporary accounts with an expiration date for 72 hours.
SV-234867r622137_rule  The SUSE operating system must lock an account after three consecutive invalid access attempts.
SV-234868r622137_rule  The SUSE operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
SV-234869r622137_rule  The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).
SV-234870r622137_rule  The SUSE operating system must deny direct logons to the root account using remote access via SSH.
SV-234871r622137_rule  The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration.
SV-234872r622137_rule  The SUSE operating system must never automatically remove or disable emergency administrator accounts.
SV-234873r622137_rule  The SUSE operating system must display the date and time of the last successful account logon upon logon.
SV-234874r622137_rule  The SUSE operating system must not have unnecessary accounts.
SV-234875r622137_rule  The SUSE operating system must not have unnecessary account capabilities.
SV-234876r622137_rule  The SUSE operating system root account must be the only account with unrestricted access to the system.
SV-234877r622137_rule  The SUSE operating system must restrict privilege elevation to authorized personnel.
SV-234878r622137_rule  The SUSE operating system must require re-authentication when using the "sudo" command.
SV-234879r622137_rule  The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo".
SV-234880r622137_rule  All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory.
SV-234881r622137_rule  The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon.
SV-234882r622137_rule  The SUSE operating system must enforce passwords that contain at least one uppercase character.
SV-234883r622137_rule  The SUSE operating system must enforce passwords that contain at least one lowercase character.
SV-234884r622137_rule  The SUSE operating system must enforce passwords that contain at least one numeric character.
SV-234885r622137_rule  The SUSE operating system must require the change of at least eight of the total number of characters when passwords are changed.
SV-234886r622137_rule  The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.
SV-234887r622137_rule  The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.
SV-234888r622137_rule  The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.
SV-234889r622137_rule  The SUSE operating system must be configured to create or update passwords with a minimum lifetime of 24 hours (one day).
SV-234890r622137_rule  The SUSE operating system must employ user passwords with a minimum lifetime of 24 hours (one day).
SV-234891r622137_rule  The SUSE operating system must be configured to create or update passwords with a maximum lifetime of 60 days.
SV-234892r622137_rule  The SUSE operating system must employ user passwords with a maximum lifetime of 60 days.
SV-234893r622137_rule  The SUSE operating system must employ a password history file.
SV-234894r622137_rule  The SUSE operating system must not allow passwords to be reused for a minimum of five generations.
SV-234895r622137_rule  The SUSE operating system must employ passwords with a minimum of 15 characters.
SV-234896r622137_rule  The SUSE operating system must enforce passwords that contain at least one special character.
SV-234897r622137_rule  The SUSE operating system must prevent the use of dictionary words for passwords.
SV-234898r622137_rule  The SUSE operating system must not be configured to allow blank or null passwords.
SV-234899r622137_rule  The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
SV-234900r622137_rule  The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
SV-234901r622137_rule  The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
SV-234902r622137_rule  The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
SV-234903r622137_rule  The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
SV-234904r622137_rule  SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
SV-234905r622137_rule  The SUSE operating system must generate audit records for all uses of the ssh-keysign command.
SV-234906r622137_rule  The SUSE operating system must generate audit records for all uses of the passwd command.
SV-234907r622137_rule  The SUSE operating system must generate audit records for all uses of the gpasswd command.
SV-234908r622137_rule  The SUSE operating system must generate audit records for all uses of the newgrp command.
SV-234909r622137_rule  The SUSE operating system must generate audit records for all uses of the chsh command.
SV-234910r622137_rule  The SUSE operating system must generate audit records for all uses of the unix_chkpwd or unix2_chkpwd commands.
SV-234911r622137_rule  The SUSE operating system must generate audit records for all uses of the chage command.
SV-234912r622137_rule  The SUSE operating system must generate audit records for all uses of the crontab command.
SV-234913r622137_rule  The SUSE operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.
SV-234914r622137_rule  The SUSE operating system must generate audit records for all uses of the open system call.
SV-234915r622137_rule  The SUSE operating system must generate audit records for all uses of the creat system call.
SV-234916r622137_rule  The SUSE operating system must generate audit records for all uses of the openat system call.
SV-234917r622137_rule  The SUSE operating system must generate audit records for all uses of the open_by_handle_at system call.
SV-234918r622137_rule  The SUSE operating system must generate audit records for all uses of the removexattr system call.
SV-234919r622137_rule  The SUSE operating system must generate audit records for all uses of the lremovexattr system call.
SV-234920r622137_rule  The SUSE operating system must generate audit records for all uses of the fremovexattr system call.
SV-234921r622137_rule  The SUSE operating system must generate audit records for all uses of the setxattr system call.
SV-234922r622137_rule  The SUSE operating system must generate audit records for all uses of the fsetxattr system call.
SV-234923r622137_rule  The SUSE operating system must generate audit records for all uses of the lsetxattr system call.
SV-234924r622137_rule  The SUSE operating system must generate audit records for all uses of the chown system call.
SV-234925r622137_rule  The SUSE operating system must generate audit records for all uses of the fchown system call.
SV-234926r622137_rule  The SUSE operating system must generate audit records for all uses of the lchown system call.
SV-234927r622137_rule  The SUSE operating system must generate audit records for all uses of the fchownat system call.
SV-234928r622137_rule  The SUSE operating system must generate audit records for all uses of the chmod system call.
SV-234929r622137_rule  The SUSE operating system must generate audit records for all uses of the fchmod system call.
SV-234930r622137_rule  The SUSE operating system must generate audit records for all uses of the fchmodat system call.
SV-234931r622137_rule  The SUSE operating system must generate audit records for all uses of the ftruncate system call.
SV-234932r622137_rule  The SUSE operating system must generate audit records for all uses of the sudoedit command.
SV-234933r622137_rule  The SUSE operating system must generate audit records for all uses of the chfn command.
SV-234934r622137_rule  The SUSE operating system must generate audit records for all uses of the mount system call.
SV-234935r622137_rule  The SUSE operating system must generate audit records for all uses of the umount system call.
SV-234936r622137_rule  The SUSE operating system must generate audit records for all uses of the ssh-agent command.
SV-234937r622137_rule  The SUSE operating system must generate audit records for all uses of the insmod command.
SV-234938r622137_rule  The SUSE operating system must generate audit records for all uses of the rmmod command.
SV-234939r622137_rule  The SUSE operating system must generate audit records for all uses of the modprobe command.
SV-234940r622137_rule  The SUSE operating system must generate audit records for all uses of the kmod command.
SV-234941r622137_rule  The SUSE operating system must generate audit records for all uses of the chmod command.
SV-234942r622137_rule  The SUSE operating system must generate audit records for all uses of the setfacl command.
SV-234943r622137_rule  The SUSE operating system must generate audit records for all uses of the chacl command.
SV-234944r622137_rule  The SUSE operating system must generate audit records for all uses of the chcon command.
SV-234945r622137_rule  The SUSE operating system must generate audit records for all uses of the rm command.
SV-234946r622137_rule  The SUSE operating system must generate audit records for all modifications to the tallylog file.
SV-234947r622137_rule  The SUSE operating system must generate audit records for all modifications to the lastlog file.
SV-234948r622137_rule  The SUSE operating system must generate audit records for all uses of the passmass command.
SV-234949r622137_rule  The SUSE operating system must generate audit records for all uses of the usermod command.
SV-234950r622137_rule  The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command.
SV-234951r622137_rule  The SUSE operating system must generate audit records for all uses of the delete_module system call.
SV-234952r622137_rule  The SUSE operating system must generate audit records for all uses of the finit_module system call.
SV-234953r622137_rule  The SUSE operating system must generate audit records for all uses of the init_module system call.
SV-234954r622137_rule  The SUSE operating system must generate audit records for all uses of the su command.
SV-234955r622137_rule  The SUSE operating system must generate audit records for all uses of the sudo command.
SV-234956r622137_rule  The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must be alerted of a SUSE operating system audit processing failure event.
SV-234957r622137_rule  The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure.
SV-234958r622137_rule  The SUSE operating system audit system must take appropriate action when the audit storage volume is full.
SV-234959r622137_rule  The SUSE operating system must protect audit rules from unauthorized modification.
SV-234960r622137_rule  The SUSE operating system must generate audit records for all uses of the truncate command.
SV-234961r622137_rule  The SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access.
SV-234962r622137_rule  The SUSE operating system file integrity tool must be configured to protect the integrity of the audit tools.
SV-234963r622137_rule  The SUSE operating system must generate audit records for all uses of the privileged functions.
SV-234964r622137_rule  The SUSE operating system must have the auditing package installed.
SV-234965r622137_rule  The SUSE operating system must allocate audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.
SV-234966r622137_rule  The audit-audispd-plugins must be installed on the SUSE operating system.
SV-234967r622137_rule  The SUSE operating system audit event multiplexor must be configured to use Kerberos.
SV-234968r622137_rule  Audispd must off-load audit records onto a different system or media from the SUSE operating system being audited.
SV-234969r622137_rule  The SUSE operating system auditd service must notify the System Administrator (SA) and Information System Security Officer (ISSO) immediately when audit storage capacity is 75 percent full.
SV-234970r622137_rule  The SUSE operating system must generate audit records for all uses of the rename system call.
SV-234971r622137_rule  The SUSE operating system must generate audit records for all uses of the renameat system call.
SV-234972r622137_rule  The SUSE operating system must generate audit records for all uses of the renameat2 system call.
SV-234973r622137_rule  The SUSE operating system must generate audit records for all uses of the unlink system call.
SV-234974r622137_rule  The SUSE operating system must generate audit records for all uses of the unlinkat system call.
SV-234975r622137_rule  The SUSE operating system must generate audit records for the /run/utmp file.
SV-234976r622137_rule  The SUSE operating system must generate audit records for the /var/log/wtmp file.
SV-234977r622137_rule  The SUSE operating system must generate audit records for the /var/log/btmp file.
SV-234978r622137_rule  The SUSE operating system must off-load audit records onto a different system or media from the system being audited.
SV-234979r622137_rule  Audispd must take appropriate action when the SUSE operating system audit storage is full.
SV-234980r622137_rule  The SUSE operating system must use a separate file system for the system audit data path.
SV-234981r622137_rule  The SUSE operating system must not disable syscall auditing.
SV-234982r622137_rule  The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
SV-234983r622137_rule  The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
SV-234984r622137_rule  There must be no .shosts files on the SUSE operating system.
SV-234985r622137_rule  There must be no shosts.equiv files on the SUSE operating system.
SV-234986r622137_rule  The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs).
SV-234987r622137_rule  The SUSE operating system file integrity tool must be configured to verify extended attributes.
SV-234988r622137_rule  The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence.
SV-234989r622137_rule  The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces.
SV-234990r622137_rule  The SUSE operating system must disable the systemd Ctrl-Alt-Delete burst key sequence.
SV-234991r622137_rule  All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file.
SV-234992r622137_rule  All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist.
SV-234993r622137_rule  All SUSE operating system local interactive user home directories must have mode 0750 or less permissive.
SV-234994r622137_rule  All SUSE operating system local interactive user home directories must be group-owned by the home directory owner's primary group.
SV-234995r622137_rule  All SUSE operating system local initialization files must have mode 0740 or less permissive.
SV-234996r622137_rule  All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the user's home directory.
SV-234997r622137_rule  All SUSE operating system local initialization files must not execute world-writable programs.
SV-234998r622137_rule  SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.
SV-234999r622137_rule  SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.
SV-235000r622137_rule  SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.
SV-235001r622137_rule  SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.
SV-235002r622137_rule  All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group.
SV-235003r622137_rule  SUSE operating system kernel core dumps must be disabled unless needed.
SV-235004r622137_rule  A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent).
SV-235005r622137_rule  The SUSE operating system must use a separate file system for /var.
SV-235006r622137_rule  The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.
SV-235007r622137_rule  The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication.
SV-235008r622137_rule  The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive.
SV-235009r622137_rule  The SUSE operating system SSH daemon private host key files must have mode 0600 or less permissive.
SV-235010r622137_rule  The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files.
SV-235012r622137_rule  The SUSE operating system SSH daemon must not allow compression or must only allow compression after successful authentication.
SV-235013r622137_rule  The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements.
SV-235014r622137_rule  The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
SV-235015r622137_rule  The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets.
SV-235016r622137_rule  The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
SV-235017r622137_rule  The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.
SV-235018r622137_rule  The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
SV-235019r622137_rule  The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
SV-235020r622137_rule  The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
SV-235021r622137_rule  The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.
SV-235022r622137_rule  The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
SV-235023r622137_rule  The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
SV-235024r622137_rule  The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.
SV-235025r622137_rule  The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.
SV-235026r622137_rule  The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router.
SV-235027r622137_rule  The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented.
SV-235028r622137_rule  All SUSE operating system files and directories must have a valid owner.
SV-235029r622137_rule  All SUSE operating system files and directories must have a valid group owner.
SV-235030r622137_rule  The SUSE operating system default permissions must be defined in such a way that all authenticated users can only read and modify their own files.
SV-235031r622137_rule  The SUSE operating system must not allow unattended or automatic logon via the graphical user interface (GUI).
SV-235032r622137_rule  The SUSE operating system must not allow unattended or automatic logon via SSH.