[BESAdmin-Announcements] BigFix Compliance: Updated DISA STIG Checklist for SUSE Linux 12, published 2025-11-24
Announcements for BES Administrators
besadmin-announcements at bigmail.bigfix.com
Tue Nov 25 08:27:52 PST 2025
*Product: * BigFix Compliance
*Title: * Updated DISA STIG Checklist for SUSE Linux 12.
*Security Benchmark: * DISA STIG Checklist for SUSE Linux 12 Benchmark, v3r3
*Published Sites: * DISA STIG Checklist for SUSE Linux 12, site version 5
(The site version is provided for air-gap customers.)
*Details:*
● Total New Fixlets: 1
● Total Updated Fixlets: 96
● Total Deleted Fixlets: 3
● Total Fixlets in Site: 203
*ADDED :*
● The SUSE operating system must initiate a session lock after a
10-minute period of inactivity.
*UPDATED :*
● The SUSE operating system must display a banner before granting
local or remote access to the system via a graphical user logon.
● The sticky bit must be set on all SUSE operating system
world-writable directories.
● The SUSE operating system must not have duplicate User IDs (UIDs)
for interactive users.
● All SUSE operating system files and directories must have a valid
owner.
● All SUSE operating system files and directories must have a valid
group owner.
● All SUSE operating system local initialization files must have mode
0740 or less permissive.
● All SUSE operating system local interactive user initialization
files executable search paths must contain only paths that resolve to the
user's home directory.
● SUSE operating system file systems that contain user home
directories must be mounted to prevent files with the setuid and setgid bit
set from being executed.
● All SUSE operating system world-writable directories must be
group-owned by root, sys, bin, or an application group.
● The SUSE operating system must use a separate file system for the
system audit data path.
● The SUSE operating system must allocate audit record storage
capacity to store at least one week's worth of audit records when audit
records are not immediately sent to a central audit record storage facility.
● The SUSE operating system must not allow automatic logon via SSH.
● The SUSE operating system must not allow users to override SSH
environment variables.
● The SUSE operating system must use a virus scan program.
● The SUSE operating system SSH daemon must prevent remote hosts from
connecting to the proxy display.
● The SUSE operating system must generate audit records for all uses
of the unlink, unlinkat, rename, renameat and rmdir syscalls.
● The SUSE operating system must restrict access to the kernel message
buffer.
● The SUSE operating system must employ FIPS 140-3 approved
cryptographic hashing algorithms for all stored passwords.
● There must be no .shosts files on the SUSE operating system.
● There must be no shosts.equiv files on the SUSE operating system.
● SUSE operating system file systems that are being imported via
Network File System (NFS) must be mounted to prevent files with the setuid
and setgid bit set from being executed.
● SUSE operating system file systems that are being imported via
Network File System (NFS) must be mounted to prevent binary files from
being executed.
● The SUSE operating system must use a separate file system for /var.
● The SUSE operating system must generate audit records for all
account creations, modifications, disabling, and termination events that
affect /etc/passwd.
● The SUSE operating system must generate audit records for all
account creations, modifications, disabling, and termination events that
affect /etc/group.
● The SUSE operating system must generate audit records for all
account creations, modifications, disabling, and termination events that
affect /etc/shadow.
● The SUSE operating system must generate audit records for all
account creations, modifications, disabling, and termination events that
affect /etc/opasswd.
● The SUSE operating system must generate audit records for all uses
of the privileged functions.
● The SUSE operating system must generate audit records for all uses
of the su command.
● The SUSE operating system must generate audit records for all uses
of the sudo command.
● The SUSE operating system must generate audit records for all uses
of the chfn command.
● The SUSE operating system must generate audit records for all uses
of the mount command.
● The SUSE operating system must generate audit records for all uses
of the umount command.
● The SUSE operating system must generate audit records for all uses
of the ssh-agent command.
● The SUSE operating system must generate audit records for all uses
of the ssh-keysign command.
● The SUSE operating system must generate audit records for all uses
of the kmod command.
● The SUSE operating system must generate audit records for all uses
of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and
lremovexattr syscalls.
● The SUSE operating system must generate audit records for all uses
of the chown, fchown, fchownat, and lchown syscalls.
● The SUSE operating system must generate audit records for all uses
of the chmod, fchmod, and fchmodat system calls.
● The SUSE operating system must generate audit records for all uses
of the creat, open, openat, open_by_handle_at, truncate, and ftruncate
syscalls.
● The SUSE operating system must generate audit records for all uses
of the passwd command.
● The SUSE operating system must generate audit records for all uses
of the gpasswd command.
● The SUSE operating system must generate audit records for all uses
of the newgrp command.
● The SUSE operating system must generate audit records for all uses of
the chsh command.
● The SUSE operating system must generate audit records for all
account creations, modifications, disabling, and termination events that
affect /etc/gshadow.
● The SUSE operating system must generate audit records for all uses
of the chmod command.
● The SUSE operating system must generate audit records for all uses
of the setfacl command.
● The SUSE operating system must generate audit records for all uses
of the chacl command.
● Successful/unsuccessful attempts to modify categories of information
(e.g., classification levels) must generate audit records.
● The SUSE operating system must generate audit records for all uses
of the rm command.
● The SUSE operating system must generate audit records for all
modifications to the tallylog file.
● The SUSE operating system must generate audit records for all
modifications to the lastlog file.
● The SUSE operating system must generate audit records for all uses
of the passmass command.
● The SUSE operating system must generate audit records for all uses
of the unix_chkpwd command.
● The SUSE operating system must generate audit records for all uses
of the chage command.
● The SUSE operating system must generate audit records for all uses
of the usermod command.
● The SUSE operating system must generate audit records for all uses
of the crontab command.
● The SUSE operating system must generate audit records for all uses
of the pam_timestamp_check command.
● The SUSE operating system must generate audit records for all uses
of the delete_module command.
● The SUSE operating system must generate audit records for all uses
of the init_module and finit_module syscalls.
● The SUSE operating system must generate audit records for all
modifications to the faillog file.
● The SUSE operating system must log SSH connection attempts and
failures to the server.
● The SUSE operating system must display the date and time of the last
successful account logon upon an SSH logon.
● The SUSE operating system must deny direct logons to the root
account using remote access via SSH.
● The SUSE operating system SSH daemon must be configured with a
timeout interval.
● The SUSE operating system for all network connections associated
with SSH traffic must immediately terminate at the end of the session or
after 10 minutes of inactivity.
● The SUSE operating system SSH daemon must be configured to not allow
authentication using known hosts authentication.
● The SUSE operating system SSH daemon must perform strict mode
checking of home directory configuration files.
● The SUSE operating system SSH daemon must disable forwarded remote X
connections for interactive users, unless to fulfill documented and
validated mission requirements.
● The SUSE operating system must implement kptr-restrict to prevent
the leaking of internal kernel addresses.
● Address space layout randomization (ASLR) must be implemented by the
SUSE operating system to protect memory from unauthorized code execution.
● The SUSE operating system must be configured to use TCP syncookies.
● The SUSE operating system must not forward Internet Protocol version
4 (IPv4) source-routed packets.
● The SUSE operating system must not forward Internet Protocol version
6 (IPv6) source-routed packets.
● The SUSE operating system must not forward Internet Protocol version
4 (IPv4) source-routed packets by default.
● The SUSE operating system must not respond to Internet Protocol
version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a
broadcast address.
● The SUSE operating system must prevent Internet Protocol version 4
(IPv4) Internet Control Message Protocol (ICMP) redirect messages from
being accepted.
● The SUSE operating system must not allow interfaces to accept
Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP)
redirect messages by default.
● The SUSE operating system must not allow interfaces to accept
Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP)
redirect messages by default.
● The SUSE operating system must not allow interfaces to send Internet
Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect
messages by default.
● The SUSE operating system must not send Internet Protocol version 4
(IPv4) Internet Control Message Protocol (ICMP) redirects.
● The SUSE operating system must not be performing Internet Protocol
version 4 (IPv4) packet forwarding unless the system is a router.
● The SUSE operating system library files must have mode 0755 or less
permissive.
● The SUSE operating system library directories must have mode 0755 or
less permissive.
● The SUSE operating system library files must be owned by root.
● The SUSE operating system library directories must be owned by root.
● The SUSE operating system library files must be group-owned by root.
● The SUSE operating system library directories must be group-owned by
root.
● The SUSE operating system must have directories that contain system
commands set to a mode of 0755 or less permissive.
● The SUSE operating system must have system commands owned by root.
● The SUSE operating system must have directories that contain system
commands owned by root.
● The SUSE operating system must have directories that contain system
commands group-owned by root.
● The SUSE operating system must not forward Internet Protocol version
6 (IPv6) source-routed packets by default.
● The SUSE operating system must prevent Internet Protocol version 6
(IPv6) Internet Control Message Protocol (ICMP) redirect messages from
being accepted.
● The SUSE operating system must not be performing Internet Protocol
version 6 (IPv6) packet forwarding unless the system is a router.
● The SUSE operating system must not be performing Internet Protocol
version 6 (IPv6) packet forwarding by default unless the system is a router.
*DELETED :*
● The SUSE operating system must implement the Endpoint Security for
Linux Threat Prevention tool.
● The SUSE operating system must employ a password history file.
● The SUSE operating system must not allow passwords to be reused for
a minimum of five (5) generations.
*Additional details:*
● Both analysis and remediation checks are included
● Some of the checks allow you to use the parameterized setting to
enable customization for compliance evaluation. Note that parameterization
and remediation actions require the creation of a custom site.
A few checks were improved by adding the pending restart feature to them. The
pending restart feature works in the following ways:
● The action results will show “Pending Restart” instead of “Fixed”
for those checks that require an OS reboot.
● The check will remain relevant for those endpoints until they are
rebooted.
● After the endpoint is rebooted, the action results will show as “Fixed”
and the check will be compliant.
*Actions to take:*
● To subscribe to the above site, you can use the License Overview
Dashboard to enable and gather the site. Note that you must be entitled to
the BigFix Compliance product and you must be using BigFix version 10 or
later.
● If you use custom sites, update your custom sites accordingly to
use the latest content. You can synchronize your content by using the
Synchronize Custom Checks wizard. For more information, see Using the
Synchronize Custom Checks wizard
<https://help.hcltechsw.com/bigfix/11.0/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html>
*More information:*
To know more about the BigFix Compliance SCM checklists, please see the
following resources:
● BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance
● BigFix Compliance SCM Checklists:
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=enus#!/wiki/BigFix%20Wiki/page/SCM%20Checklists
We hope you find this latest release of SCM content useful and effective.
Thank you!
*– The BigFix Compliance team*