File scap-yast2sec-xccdf.xml of Package openscap.26539
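<?xml version="1.0" encoding="UTF-8"?>
<!--
  XCCDF 1.1 benchmark "SUSE-Security-Benchmark-YaST2" (status: draft).

  How to read this file:
    * Every Rule is declared selected="false"; a rule is only evaluated when
      a profile switches it on. The single profile, "Default", selects all of
      the rules defined below.
    * Each Rule delegates its test to an OVAL definition in
      scap-yast2sec-oval.xml (check-content-ref name/href). That file is not
      part of this document, so the Rule titles are the only statement here of
      what is tested; the patterns they quote should be confirmed against the
      OVAL content.
    * The title and description speak of kernel hardening only, but the
      profile also covers password ageing, PAM, login.defs, display manager,
      UID/GID ranges, password hashing and service handling.
    * xsi:schemaLocation names a relative xccdf-1.1.4.xsd. Treat it as a hint:
      validate against a schema copy you already trust, not one resolved from
      wherever the document happens to sit.
    * The "@@GEN START/END" comment pairs look like generator markers
      (presumably the enclosed rule is regenerated); review notes are
      therefore kept outside those regions.
-->
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1"
           xmlns:h="http://www.w3.org/1999/xhtml"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           id="SUSE-Security-Benchmark-YaST2"
           xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd"
           resolved="0">
  <status date="2012-07-24">draft</status>
  <title>Hardening Linux Kernel</title>
  <description>
    The Linux kernel is at the heart of every Linux system. With its extensive
    configuration options, it comes as no surprise that specific settings can be
    enabled to further harden your system.
    <h:br />
    <h:br />
    In this guide, we focus on Linux kernel configuration entries that support
    additional hardening of your system, as well as the configuration through
    the <h:em>sysctl</h:em> settings.
  </description>
  <version>1</version>
  <model system="urn:xccdf:scoring:default"/>
  <model system="urn:xccdf:scoring:flat"/>

  <!-- The only profile: turns on every rule defined in this benchmark. -->
  <Profile id="Default">
    <title>Default vanilla kernel hardening</title>
    <description>
      Profile matching all standard (vanilla-kernel) hardening rules
    </description>
    <select idref="rule-sysctl-ipv4-forward" selected="true" />
    <select idref="rule-sysctl-ipv4-tcpsyncookies" selected="true" />
    <select idref="rule-sysctl-ipv6-all-forward" selected="true" />
    <select idref="rule-sysctl-ipv6-default-forward" selected="true" />
    <select idref="rule-kernel-syncookies" selected="true" />
    <select idref="rule-pwd-maxdays" selected="true" />
    <select idref="rule-pwd-mindays" selected="true" />
    <select idref="rule-pwd-warnage" selected="true" />
    <select idref="rule-pwd-minlen" selected="true" />
    <select idref="rule-pwd-remember" selected="true" />
    <select idref="rule-authc-faildelay" selected="true" />
    <select idref="rule-authc-faildelayexist" selected="true" />
    <select idref="rule-authc-xdmcp-remote" selected="true" />
    <select idref="rule-authc-xdmcp-root" selected="true" />
    <select idref="rule-usermgmt-uidmin" selected="true" />
    <select idref="rule-usermgmt-uidmax" selected="true" />
    <select idref="rule-usermgmt-gidmin" selected="true" />
    <select idref="rule-usermgmt-gidmax" selected="true" />
    <select idref="rule-misc-sysrq" selected="true" />
    <select idref="rule-misc-hashalgo_md5" selected="true" />
    <select idref="rule-misc-hashalgo_des" selected="true" />
    <select idref="rule-misc-perm-check" selected="true" />
    <select idref="rule-misc-sig-check" selected="true" />
    <select idref="rule-srvc-dhcpd-chroot" selected="true" />
    <select idref="rule-srvc-dhcpd-uid" selected="true" />
    <select idref="rule-srvc-dhcpd6-chroot" selected="true" />
    <select idref="rule-srvc-dhcpd6-uid" selected="true" />
    <select idref="rule-srvc-update-restart" selected="true" />
    <select idref="rule-srvc-remove-stop" selected="true" />
  </Profile>

  <!--
    Network sysctl rules (forwarding off, TCP SYN cookies on).
    NOTE(review): each <fix> writes to /proc/sys, which changes the running
    kernel only; the value does not survive a reboot unless it is also set in
    the persistent sysctl configuration. The <fix> elements carry no system
    attribute, so a tool cannot tell which interpreter they are meant for;
    read them as operator guidance.
    Hosts that legitimately route traffic (gateways, container or VM hosts)
    will fail the forwarding rules by design.
  -->
  <!-- @@GEN START rule-sysctl-ipv4-forward -->
  <Rule id="rule-sysctl-ipv4-forward" selected="false">
    <title>sysctl net.ipv4.ip_forward must be 0</title>
    <description>sysctl net.ipv4.ip_forward must be 0</description>
    <fix>echo 0 > /proc/sys/net/ipv4/ip_forward</fix>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:2" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-sysctl-ipv4-forward -->

  <!-- @@GEN START rule-sysctl-ipv4-tcpsyncookies -->
  <Rule id="rule-sysctl-ipv4-tcpsyncookies" selected="false">
    <title>sysctl net.ipv4.tcp_syncookies must be 1</title>
    <description>sysctl net.ipv4.tcp_syncookies must be 1</description>
    <fix>echo 1 > /proc/sys/net/ipv4/tcp_syncookies</fix>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:3" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-sysctl-ipv4-tcpsyncookies -->

  <!-- @@GEN START rule-sysctl-ipv6-all-forward -->
  <Rule id="rule-sysctl-ipv6-all-forward" selected="false">
    <title>sysctl net.ipv6.conf.all.forwarding must be 0</title>
    <description>sysctl net.ipv6.conf.all.forwarding must be 0</description>
    <fix>echo 0 > /proc/sys/net/ipv6/conf/all/forwarding</fix>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:4" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-sysctl-ipv6-all-forward -->

  <!-- @@GEN START rule-sysctl-ipv6-default-forward -->
  <Rule id="rule-sysctl-ipv6-default-forward" selected="false">
    <title>sysctl net.ipv6.conf.default.forwarding must be 0</title>
    <description>sysctl net.ipv6.conf.default.forwarding must be 0</description>
    <fix>echo 0 > /proc/sys/net/ipv6/conf/default/forwarding</fix>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:5" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-sysctl-ipv6-default-forward -->

  <!--
    Build-time kernel option. No <fix> is given: a kernel configuration
    option cannot be changed on a running system.
  -->
  <!-- @@GEN START rule-kernel-syncookies -->
  <Rule id="rule-kernel-syncookies" selected="false">
    <title>kernel config CONFIG_SYN_COOKIES must be y</title>
    <description>kernel config CONFIG_SYN_COOKIES must be y</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:6" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-kernel-syncookies -->

  <!--
    Password ageing and quality rules (/etc/login.defs, PAM).
    NOTE(review): the quoted patterns have an open ".*" before the value and
    no end anchor. If the OVAL definitions use the same expressions,
    ^PASS_MIN_DAYS.*0 is also satisfied by 10 or 30 and ^PASS_WARN_AGE.*7 by
    17 or 70. Confirm against scap-yast2sec-oval.xml.
    PASS_MAX_DAYS 99999 means passwords effectively never expire, and
    minlen=6 is a short minimum; both are what this baseline asks for, so a
    pass here is not evidence of a strong password policy.
    "remember=" is matched without a value, so any history depth would pass,
    presumably including 0.
  -->
  <!-- @@GEN START rule-pwd-maxdays -->
  <Rule id="rule-pwd-maxdays" selected="false">
    <title>file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999</title>
    <description>file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:9" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-pwd-maxdays -->

  <!-- @@GEN START rule-pwd-mindays -->
  <Rule id="rule-pwd-mindays" selected="false">
    <title>file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0</title>
    <description>file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:10" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-pwd-mindays -->

  <!-- @@GEN START rule-pwd-warnage -->
  <Rule id="rule-pwd-warnage" selected="false">
    <title>file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7</title>
    <description>file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:11" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-pwd-warnage -->

  <!-- @@GEN START rule-pwd-minlen -->
  <Rule id="rule-pwd-minlen" selected="false">
    <title>file /etc/pam.d/common-password must have a line that matches minlen=6</title>
    <description>file /etc/pam.d/common-password must have a line that matches minlen=6</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:12" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-pwd-minlen -->

  <!-- @@GEN START rule-pwd-remember -->
  <Rule id="rule-pwd-remember" selected="false">
    <title>file /etc/pam.d/common-password must have a line that matches remember=</title>
    <description>file /etc/pam.d/common-password must have a line that matches remember=</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:13" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-pwd-remember -->

  <!--
    Login failure delay. The two rules work as a pair: FAIL_DELAY must be
    present, and it must not be the value matched by ^FAIL_DELAY.*0.
    NOTE(review): as quoted, the negative pattern would also reject values
    that merely contain a 0, such as 10. Confirm the OVAL expression.
  -->
  <!-- @@GEN START rule-authc-faildelay -->
  <Rule id="rule-authc-faildelay" selected="false">
    <title>file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0</title>
    <description>file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:16" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-authc-faildelay -->

  <!-- @@GEN START rule-authc-faildelayexist -->
  <Rule id="rule-authc-faildelayexist" selected="false">
    <title>file /etc/login.defs must have a line that matches ^FAIL_DELAY</title>
    <description>file /etc/login.defs must have a line that matches ^FAIL_DELAY</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:17" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-authc-faildelayexist -->

  <!--
    Display manager: remote access and remote root login must both be set
    to "no" in /etc/sysconfig/displaymanager.
  -->
  <!-- @@GEN START rule-authc-xdmcp-remote -->
  <Rule id="rule-authc-xdmcp-remote" selected="false">
    <title>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no</title>
    <description>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:18" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-authc-xdmcp-remote -->

  <!-- @@GEN START rule-authc-xdmcp-root -->
  <Rule id="rule-authc-xdmcp-root" selected="false">
    <title>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no</title>
    <description>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:19" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-authc-xdmcp-root -->

  <!--
    UID/GID allocation ranges in /etc/login.defs.
    NOTE(review): with an open ".*" and no end anchor, a value that merely
    ends in or contains the expected digits (for example 21000 for
    ^UID_MIN.*1000) would also match, if the OVAL pattern is the same as the
    title.
  -->
  <!-- @@GEN START rule-usermgmt-uidmin -->
  <Rule id="rule-usermgmt-uidmin" selected="false">
    <title>file /etc/login.defs must have a line that matches ^UID_MIN.*1000</title>
    <description>file /etc/login.defs must have a line that matches ^UID_MIN.*1000</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:22" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-usermgmt-uidmin -->

  <!-- @@GEN START rule-usermgmt-uidmax -->
  <Rule id="rule-usermgmt-uidmax" selected="false">
    <title>file /etc/login.defs must have a line that matches ^UID_MAX.*60000</title>
    <description>file /etc/login.defs must have a line that matches ^UID_MAX.*60000</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:23" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-usermgmt-uidmax -->

  <!-- @@GEN START rule-usermgmt-gidmin -->
  <Rule id="rule-usermgmt-gidmin" selected="false">
    <title>file /etc/login.defs must have a line that matches ^GID_MIN.*1000</title>
    <description>file /etc/login.defs must have a line that matches ^GID_MIN.*1000</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:24" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-usermgmt-gidmin -->

  <!-- @@GEN START rule-usermgmt-gidmax -->
  <Rule id="rule-usermgmt-gidmax" selected="false">
    <title>file /etc/login.defs must have a line that matches ^GID_MAX.*60000</title>
    <description>file /etc/login.defs must have a line that matches ^GID_MAX.*60000</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:25" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-usermgmt-gidmax -->

  <!--
    Magic SysRq must be disabled. The <fix> again only changes the running
    kernel via /proc/sys; a persistent sysctl entry is needed for the setting
    to hold after reboot.
  -->
  <!-- @@GEN START rule-misc-sysrq -->
  <Rule id="rule-misc-sysrq" selected="false">
    <title>sysctl kernel.sysrq must be 0</title>
    <description>sysctl kernel.sysrq must be 0</description>
    <fix>echo 0 > /proc/sys/kernel/sysrq</fix>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:29" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-misc-sysrq -->

  <!--
    Password hash algorithm: CRYPT_FILES in /etc/default/passwd must not be
    md5 or des.
    NOTE(review): these are deny-list checks. As titled, an absent
    CRYPT_FILES line, or any other value, passes, so the effective algorithm
    is not verified here.
  -->
  <!-- @@GEN START rule-misc-hashalgo_md5 -->
  <Rule id="rule-misc-hashalgo_md5" selected="false">
    <title>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5</title>
    <description>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:30" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-misc-hashalgo_md5 -->

  <!-- @@GEN START rule-misc-hashalgo_des -->
  <Rule id="rule-misc-hashalgo_des" selected="false">
    <title>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des</title>
    <description>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:31" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-misc-hashalgo_des -->

  <!--
    /etc/sysconfig/security: file permission handling and signature
    checking must be switched on.
  -->
  <!-- @@GEN START rule-misc-perm-check -->
  <Rule id="rule-misc-perm-check" selected="false">
    <title>file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set</title>
    <description>file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:32" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-misc-perm-check -->

  <!-- @@GEN START rule-misc-sig-check -->
  <Rule id="rule-misc-sig-check" selected="false">
    <title>file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes</title>
    <description>file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:33" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-misc-sig-check -->

  <!--
    DHCP server confinement: dhcpd and dhcpd6 must run chrooted and under
    the unprivileged "dhcpd" account. All four rules read
    /etc/sysconfig/dhcpd.
    NOTE(review): whether these rules are skipped or fail on hosts without
    the DHCP server installed depends on the OVAL content; confirm there.
  -->
  <!-- @@GEN START rule-srvc-dhcpd-chroot -->
  <Rule id="rule-srvc-dhcpd-chroot" selected="false">
    <title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes</title>
    <description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:38" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-srvc-dhcpd-chroot -->

  <!-- @@GEN START rule-srvc-dhcpd-uid -->
  <Rule id="rule-srvc-dhcpd-uid" selected="false">
    <title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd</title>
    <description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:39" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-srvc-dhcpd-uid -->

  <!-- @@GEN START rule-srvc-dhcpd6-chroot -->
  <Rule id="rule-srvc-dhcpd6-chroot" selected="false">
    <title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes</title>
    <description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:40" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-srvc-dhcpd6-chroot -->

  <!-- @@GEN START rule-srvc-dhcpd6-uid -->
  <Rule id="rule-srvc-dhcpd6-uid" selected="false">
    <title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd</title>
    <description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:41" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-srvc-dhcpd6-uid -->

  <!--
    Package-driven service handling in /etc/sysconfig/services.
    NOTE(review): both rules require the "disable" switches to be yes. With
    DISABLE_RESTART_ON_UPDATE=yes a service is presumably left running its
    old binary after a package update, so a security fix only takes effect
    once someone restarts the daemon. Pair this baseline with an explicit
    post-update restart step and confirm the intended direction of the check.
  -->
  <!-- @@GEN START rule-srvc-update-restart -->
  <Rule id="rule-srvc-update-restart" selected="false">
    <title>file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes</title>
    <description>file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:42" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-srvc-update-restart -->

  <!-- @@GEN START rule-srvc-remove-stop -->
  <Rule id="rule-srvc-remove-stop" selected="false">
    <title>file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes</title>
    <description>file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:de.suse.suse121:def:43" href="scap-yast2sec-oval.xml" />
    </check>
  </Rule>
  <!-- @@GEN END rule-srvc-remove-stop -->
</Benchmark>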