CIS SUSE Linux Enterprise Server 9/10 Benchmark v2.0.0 Checklist Details

Supporting Resources:

Target:

Target                 CPE Name
Novell openSUSE        cpe:/o:novell:opensuse
openSUSE 10.0 SP1      cpe:/o:opensuse:opensuse:10.0:sp1
openSUSE openSUSE      cpe:/o:opensuse:opensuse
openSUSE openSUSE 10   cpe:/o:opensuse:opensuse:10.0

Checklist Highlights

Checklist Name:
CIS SUSE Linux Enterprise Server 9/10 Benchmark
Checklist ID:
187
Version:
v2.0.0
Type:
Compliance
Review Status:
Archived
Authority:
Third Party: Center for Internet Security (CIS)
Original Publication Date:
05/01/2008

Checklist Summary:

This benchmark was developed and tested on SUSE Linux Enterprise Server (SLES) 10 SP1. It is likely to work for other versions of SUSE Linux as well (such as openSUSE). The scoring tool may yield inaccurate results on non-SUSE systems. The actions listed in this document are written with the assumption that they will be executed by the root user running the bash shell and without noclobber set. Also, the following directories are assumed to be in root's path: /bin:/sbin:/usr/bin:/usr/sbin

Checklist Role:

  • Operating System

Known Issues:

Rebooting the system is required after completing all of the actions below in order to complete the re-configuration of the system. In many cases, the changes made in the steps below will not take effect until this reboot is performed. If substantial operating system updates are performed after the initial OS load, you may have to reboot more than once.

In addition to any specific issues presented by a particular service or protocol, every service has the potential of being an entry point into a system if a vulnerability is found. This is why we recommend that some services be disabled even though there is no clear way to exploit them, and there has never been a problem with the service. If you are running an unneeded service, you could have a problem if a hole is found.

Before performing the steps of this benchmark it is strongly recommended that administrators make backup copies of critical configuration files that may get modified by various benchmark items. If this step is not performed, then the site may have no reasonable back-out strategy for reversing system modifications made as a result of this document. The script provided in Appendix B of this document will automatically back up all files that may be modified by the actions below. Note that an executable copy of this script is also provided in the archive containing the PDF version of this document and the CIS scoring tool. Assuming the administrator is in the directory where the archive has been unpacked, the command to execute the backup script would be:

    ./do-backup.sh

One of the byproducts of the do-backup.sh script is /root/do-restore.sh, which is dynamically generated based on the results of the do-backup.sh script. To roll back the changes performed by this benchmark, first run RevertBastille followed by do-restore.sh, and all changes will be backed out. Since not all Linux installations are identical, the do-restore.sh script is created based on the files that actually existed at the time do-backup.sh was run. Note: If you make any changes manually to any of the files that were preserved by do-backup.sh, those changes will be lost when do-restore.sh is executed. It may be prudent to delete the do-restore.sh script once you have validated the changes to prevent inadvertently undoing the changes.

If you have not done so already, plan out a partitioned hard drive. The default partitioning for SUSE Linux Enterprise Server is a single file system. It is preferable to use a setup similar to the following:

    /        1 GB
    swap     1xRAM
    /var     1 GB
    /usr     4 GB
    /opt     4 GB
    /home    remaining disk space

It is important to keep /var and /home on their own partitions. Some applications have a tendency to crash when the / or /usr filesystem reaches 100%. This could happen if users were to store considerable amounts of data (developers storing jar files or copies of application logs, for example) or logs were to fill up their partition. Some enterprises define a /logs partition and store application logs there.

For additional security, an additional and separate partition may be created for /boot, which holds the kernel binaries and boot loader configuration. A /boot partition may be mounted read-only to avoid accidental damage and to make malicious changes a little bit more difficult (e.g. less space for backdoors in malicious kernel patches). A read-only /boot partition, however, will require special procedures for a valid kernel patch (or update).

Throughout this Benchmark, you may be directed to enable software package init scripts using the chkconfig command. This assumes you already installed said package(s). If the chkconfig command fails, verify you actually installed the software required.

Target Audience:

Not provided.

Target Operational Environment:

  • Managed

Testing Information:

This benchmark was developed and tested on SUSE Linux Enterprise Server (SLES) 10 SP1.

Regulatory Compliance:

Not provided.

Comments/Warnings/Miscellaneous:

Not provided.

Disclaimer:

The Center for Internet Security ("CIS") provides benchmarks, scoring tools, software, data, information, suggestions, ideas, and other services and materials from the CIS website or elsewhere ("Products") as a public service to Internet users worldwide. Recommendations contained in the Products ("Recommendations") result from a consensus-building process that involves many security experts and are generally generic in nature. The Recommendations are intended to provide helpful information to organizations attempting to evaluate or improve the security of their networks, systems, and devices. Proper use of the Recommendations requires careful analysis and adaptation to specific user requirements. The Recommendations are not in any way intended to be a "quick fix" for anyone's information security needs. CIS makes no representations, warranties, or covenants whatsoever as to (i) the positive or negative effect of the Products or the Recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness, or completeness of the Products or the Recommendations. CIS is providing the Products and the Recommendations "as is" and "as available" without representations, warranties, or covenants of any kind.

Product Support:

http://forums.opensuse.org/ http://support.novell.com/linux/

Point of Contact:

cis-feedback@cisecurity.org

Sponsor:

http://www.cisecurity.org/

Licensing:

Not provided.

Change History:

Archive - 8/31/23

Dependency/Requirements:

URL Description

References:

Reference URL Description

NIST checklist record last modified on 08/31/2023