
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide

Version

V1R4

Benchmark ID

SLEM_5_STIG

Total Checks

208

Tags

linux
CAT I: 23, CAT II: 182, CAT III: 3

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (208)

  • V-261263 (HIGH): SLEM 5 must be a vendor-supported release.
  • V-261265 (MEDIUM): SLEM 5 must display the Standard Mandatory DOD Notice and Consent Banner before granting any local or remote connection to the system.
  • V-261266 (HIGH): SLEM 5 must disable the x86 Ctrl-Alt-Delete key sequence.
  • V-261267 (HIGH): SLEM 5 with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.
  • V-261268 (HIGH): SLEM 5 with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user and maintenance modes.
  • V-261269 (MEDIUM): SLEM 5 must restrict access to the kernel message buffer.
  • V-261270 (MEDIUM): SLEM 5 kernel core dumps must be disabled unless needed.
  • V-261271 (MEDIUM): Address space layout randomization (ASLR) must be implemented by SLEM 5 to protect memory from unauthorized code execution.
  • V-261272 (MEDIUM): SLEM 5 must implement kptr-restrict to prevent the leaking of internal kernel addresses.
  • V-261273 (MEDIUM): Vendor-packaged SLEM 5 security patches and updates must be installed and up to date.
  • V-261274 (HIGH): The SLEM 5 tool zypper must have gpgcheck enabled.
  • V-261275 (MEDIUM): SLEM 5 must remove all outdated software components after updated versions have been installed.
  • V-261276 (MEDIUM): SLEM 5 must use vlock to allow for session locking.
  • V-261277 (HIGH): SLEM 5 must not have the telnet-server package installed.
  • V-261278 (MEDIUM): A separate file system must be used for SLEM 5 user home directories (such as /home or an equivalent).
  • V-261279 (MEDIUM): SLEM 5 must use a separate file system for /var.
  • V-261280 (MEDIUM): SLEM 5 must use a separate file system for the system audit data path.
  • V-261281 (MEDIUM): SLEM 5 file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.
  • V-261282 (MEDIUM): SLEM 5 file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.
  • V-261283 (MEDIUM): SLEM 5 file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.
  • V-261284 (HIGH): All SLEM 5 persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.
  • V-261285 (MEDIUM): SLEM 5 file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.
  • V-261286 (MEDIUM): SLEM 5 must disable the file system automounter.
  • V-261287 (MEDIUM): SLEM 5 must have directories that contain system commands set to a mode of 755 or less permissive.
  • V-261288 (MEDIUM): SLEM 5 must have system commands set to a mode of 755 or less permissive.
  • V-261289 (MEDIUM): SLEM 5 library directories must have mode 755 or less permissive.
  • V-261290 (MEDIUM): SLEM 5 library files must have mode 755 or less permissive.
  • V-261291 (MEDIUM): All SLEM 5 local interactive user home directories must have mode 750 or less permissive.
  • V-261292 (MEDIUM): All SLEM 5 local initialization files must have mode 740 or less permissive.
  • V-261293 (MEDIUM): SLEM 5 SSH daemon public host key files must have mode 644 or less permissive.
  • V-261294 (MEDIUM): SLEM 5 SSH daemon private host key files must have mode 640 or less permissive.
  • V-261295 (MEDIUM): SLEM 5 library files must be owned by root.
  • V-261296 (MEDIUM): SLEM 5 library files must be group-owned by root.
  • V-261297 (MEDIUM): SLEM 5 library directories must be owned by root.
  • V-261298 (MEDIUM): SLEM 5 library directories must be group-owned by root.
  • V-261299 (MEDIUM): SLEM 5 must have system commands owned by root.
  • V-261300 (MEDIUM): SLEM 5 must have system commands group-owned by root or a system account.
  • V-261301 (MEDIUM): SLEM 5 must have directories that contain system commands owned by root.
  • V-261302 (MEDIUM): SLEM 5 must have directories that contain system commands group-owned by root.
  • V-261303 (MEDIUM): All SLEM 5 files and directories must have a valid owner.
  • V-261304 (MEDIUM): All SLEM 5 files and directories must have a valid group owner.
  • V-261305 (MEDIUM): All SLEM 5 local interactive user home directories must be group-owned by the home directory owner's primary group.
  • V-261306 (MEDIUM): All SLEM 5 world-writable directories must be group-owned by root, sys, bin, or an application group.
  • V-261307 (MEDIUM): The sticky bit must be set on all SLEM 5 world-writable directories.
  • V-261308 (MEDIUM): SLEM 5 must prevent unauthorized users from accessing system error messages.
  • V-261309 (MEDIUM): SLEM 5 must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
  • V-261310 (MEDIUM): SLEM 5 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
  • V-261311 (MEDIUM): SLEM 5 clock must, for networked systems, be synchronized to an authoritative DOD time source at least every 24 hours.
  • V-261312 (MEDIUM): SLEM 5 must not have network interfaces in promiscuous mode unless approved and documented.
  • V-261313 (MEDIUM): SLEM 5 must not forward Internet Protocol version 4 (IPv4) source-routed packets.
  • V-261314 (MEDIUM): SLEM 5 must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
  • V-261315 (MEDIUM): SLEM 5 must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
  • V-261316 (MEDIUM): SLEM 5 must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
  • V-261317 (MEDIUM): SLEM 5 must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
  • V-261318 (MEDIUM): SLEM 5 must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
  • V-261319 (MEDIUM): SLEM 5 must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.
  • V-261320 (MEDIUM): SLEM 5 must be configured to use TCP syncookies.
  • V-261321 (MEDIUM): SLEM 5 must not forward Internet Protocol version 6 (IPv6) source-routed packets.
  • V-261322 (MEDIUM): SLEM 5 must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.
  • V-261323 (MEDIUM): SLEM 5 must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
  • V-261324 (MEDIUM): SLEM 5 must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.
  • V-261325 (MEDIUM): SLEM 5 must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.
  • V-261326 (MEDIUM): SLEM 5 must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router.
  • V-261327 (HIGH): SLEM 5 must have SSH installed to protect the confidentiality and integrity of transmitted information.
  • V-261328 (HIGH): SLEM 5 must use SSH to protect the confidentiality and integrity of transmitted information.
  • V-261329 (MEDIUM): SLEM 5 must display the Standard Mandatory DOD Notice and Consent Banner before granting access via SSH.
  • V-261330 (HIGH): SLEM 5 must not allow unattended or automatic logon via SSH.
  • V-261331 (MEDIUM): SLEM 5 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.
  • V-261332 (MEDIUM): SLEM 5 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.
  • V-261333 (MEDIUM): SLEM 5 SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements.
  • V-261334 (HIGH): SLEM 5 must implement DOD-approved encryption to protect the confidentiality of SSH remote connections.
  • V-261335 (HIGH): SLEM 5 SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2/140-3 approved cryptographic hash algorithms.
  • V-261336 (HIGH): SLEM 5 SSH server must be configured to use only FIPS 140-2/140-3 validated key exchange algorithms.
  • V-261337 (MEDIUM): SLEM 5 must deny direct logons to the root account using remote access via SSH.
  • V-261338 (MEDIUM): SLEM 5 must log SSH connection attempts and failures to the server.
  • V-261339 (MEDIUM): SLEM 5 must display the date and time of the last successful account logon upon an SSH logon.
  • V-261340 (MEDIUM): SLEM 5 SSH daemon must be configured to not allow authentication using known hosts authentication.
  • V-261341 (MEDIUM): SLEM 5 SSH daemon must perform strict mode checking of home directory configuration files.
  • V-261342 (MEDIUM): SLEM 5, for PKI-based authentication, must enforce authorized access to the corresponding private key.
  • V-261343 (HIGH): There must be no .shosts files on SLEM 5.
  • V-261344 (HIGH): There must be no shosts.equiv files on SLEM 5.
  • V-261345 (HIGH): SLEM 5 must not allow unattended or automatic logon via the graphical user interface (GUI).
  • V-261346 (MEDIUM): SLEM 5 wireless network adapters must be disabled unless approved and documented.
  • V-261347 (MEDIUM): SLEM 5 must disable the USB mass storage kernel module.
  • V-261348 (MEDIUM): All SLEM 5 local interactive user accounts, upon creation, must be assigned a home directory.
  • V-261349 (MEDIUM): SLEM 5 default permissions must be defined in such a way that all authenticated users can only read and modify their own files.
  • V-261350 (MEDIUM): SLEM 5 shadow password suite must be configured to enforce a delay of at least five seconds between logon prompts following a failed logon attempt.
  • V-261351 (MEDIUM): All SLEM 5 local interactive users must have a home directory assigned in the /etc/passwd file.
  • V-261352 (MEDIUM): All SLEM 5 local interactive user home directories defined in the /etc/passwd file must exist.
  • V-261353 (MEDIUM): All SLEM 5 local interactive user initialization files executable search paths must contain only paths that resolve to the users' home directory.
  • V-261354 (MEDIUM): All SLEM 5 local initialization files must not execute world-writable programs.
  • V-261355 (MEDIUM): SLEM 5 must automatically expire temporary accounts within 72 hours.
  • V-261356 (MEDIUM): SLEM 5 must never automatically remove or disable emergency administrator accounts.
  • V-261357 (MEDIUM): SLEM 5 must not have unnecessary accounts.
  • V-261358 (MEDIUM): SLEM 5 must not have unnecessary account capabilities.
  • V-261359 (HIGH): SLEM 5 root account must be the only account with unrestricted access to the system.
  • V-261360 (MEDIUM): SLEM 5 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration.
  • V-261361 (MEDIUM): SLEM 5 must not have duplicate User IDs (UIDs) for interactive users.
  • V-261363 (MEDIUM): SLEM 5 must initiate a session lock after a 15-minute period of inactivity.
  • V-261364 (MEDIUM): SLEM 5 must lock an account after three consecutive invalid access attempts.
  • V-261365 (MEDIUM): SLEM 5 must enforce a delay of at least five seconds between logon prompts following a failed logon attempt via pluggable authentication modules (PAM).
  • V-261367 (LOW): SLEM 5 must limit the number of concurrent sessions to 10 for all accounts and/or account types.
  • V-261368 (LOW): SLEM 5 must have the policycoreutils package installed.
  • V-261369 (HIGH): SLEM 5 must use a Linux Security Module configured to enforce limits on system services.
  • V-261370 (MEDIUM): SLEM 5 must enable the SELinux targeted policy.
  • V-261371 (MEDIUM): SLEM 5 must prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.
  • V-261372 (MEDIUM): SLEM 5 must use the invoking user's password for privilege escalation when using "sudo".
  • V-261373 (MEDIUM): SLEM 5 must reauthenticate users when changing authenticators, roles, or escalating privileges.
  • V-261374 (MEDIUM): SLEM 5 must require reauthentication when using the "sudo" command.
  • V-261375 (MEDIUM): SLEM 5 must restrict privilege elevation to authorized personnel.
  • V-261376 (MEDIUM): SLEM 5 must specify the default "include" directory for the /etc/sudoers file.
  • V-261377 (MEDIUM): SLEM 5 must enforce passwords that contain at least one uppercase character.
  • V-261378 (MEDIUM): SLEM 5 must enforce passwords that contain at least one lowercase character.
  • V-261379 (MEDIUM): SLEM 5 must enforce passwords that contain at least one numeric character.
  • V-261380 (MEDIUM): SLEM 5 must enforce passwords that contain at least one special character.
  • V-261381 (MEDIUM): SLEM 5 must prevent the use of dictionary words for passwords.
  • V-261382 (MEDIUM): SLEM 5 must employ passwords with a minimum of 15 characters.
  • V-261383 (MEDIUM): SLEM 5 must require the change of at least eight of the total number of characters when passwords are changed.
  • V-261384 (MEDIUM): SLEM 5 must not allow passwords to be reused for a minimum of five generations.
  • V-261385 (MEDIUM): SLEM 5 must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.
  • V-261386 (HIGH): SLEM 5 must not be configured to allow blank or null passwords.
  • V-261387 (HIGH): SLEM 5 must not have accounts configured with blank or null passwords.
  • V-261388 (MEDIUM): SLEM 5 must employ user passwords with a minimum lifetime of 24 hours (one day).
  • V-261389 (MEDIUM): SLEM 5 must employ user passwords with a maximum lifetime of 60 days.
  • V-261390 (MEDIUM): SLEM 5 must employ a password history file.
  • V-261391 (HIGH): SLEM 5 must employ FIPS 140-2/140-3-approved cryptographic hashing algorithms for system authentication.
  • V-261392 (HIGH): SLEM 5 shadow password suite must be configured to use a sufficient number of hashing rounds.
  • V-261393 (MEDIUM): SLEM 5 must employ a FIPS 140-2/140-3 approved cryptographic hashing algorithm for system authentication (login.defs).
  • V-261394 (MEDIUM): SLEM 5 must be configured to create or update passwords with a minimum lifetime of 24 hours (one day).
  • V-261395 (MEDIUM): SLEM 5 must be configured to create or update passwords with a maximum lifetime of 60 days.
  • V-261396 (MEDIUM): SLEM 5 must have the packages required for multifactor authentication installed.
  • V-261397 (MEDIUM): SLEM 5 must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).
  • V-261398 (MEDIUM): SLEM 5 must implement certificate status checking for multifactor authentication.
  • V-261399 (MEDIUM): If Network Security Services (NSS) is being used by SLEM 5, it must prohibit the use of cached authentications after one day.
  • V-261400 (MEDIUM): SLEM 5 must configure the Linux Pluggable Authentication Modules (PAM) to prohibit the use of cached offline authentications after one day.
  • V-261401 (MEDIUM): SLEM 5, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
  • V-261402 (MEDIUM): SLEM 5 must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.
  • V-261403 (MEDIUM): SLEM 5 must use a file integrity tool to verify correct operation of all security functions.
  • V-261404 (MEDIUM): SLEM 5 file integrity tool must be configured to verify Access Control Lists (ACLs).
  • V-261405 (MEDIUM): SLEM 5 file integrity tool must be configured to verify extended attributes.
  • V-261406 (MEDIUM): SLEM 5 file integrity tool must be configured to protect the integrity of the audit tools.
  • V-261407 (MEDIUM): Advanced Intrusion Detection Environment (AIDE) must verify the baseline SLEM 5 configuration at least weekly.
  • V-261408 (MEDIUM): SLEM 5 must notify the system administrator (SA) when Advanced Intrusion Detection Environment (AIDE) discovers anomalies in the operation of any security functions.
  • V-261409 (MEDIUM): SLEM 5 must offload rsyslog messages for networked systems in real time and offload standalone systems at least weekly.
  • V-261410 (MEDIUM): SLEM 5 must have the auditing package installed.
  • V-261411 (MEDIUM): SLEM 5 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
  • V-261412 (MEDIUM): The audit-audispd-plugins package must be installed on SLEM 5.
  • V-261413 (MEDIUM): SLEM 5 must allocate audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.
  • V-261414 (MEDIUM): SLEM 5 auditd service must notify the system administrator (SA) and information system security officer (ISSO) immediately when audit storage capacity is 75 percent full.
  • V-261415 (MEDIUM): SLEM 5 audit system must take appropriate action when the audit storage volume is full.
  • V-261416 (MEDIUM): SLEM 5 must offload audit records onto a different system or media from the system being audited.
  • V-261417 (MEDIUM): Audispd must take appropriate action when SLEM 5 audit storage is full.
  • V-261418 (MEDIUM): SLEM 5 must protect audit rules from unauthorized modification.
  • V-261419 (MEDIUM): SLEM 5 audit tools must have the proper permissions configured to protect against unauthorized access.
  • V-261420 (MEDIUM): SLEM 5 audit tools must have the proper permissions applied to protect against unauthorized access.
  • V-261421 (LOW): SLEM 5 audit event multiplexor must be configured to use Kerberos.
  • V-261422 (MEDIUM): Audispd must offload audit records onto a different system or media from the SLEM 5 system being audited.
  • V-261423 (MEDIUM): The information system security officer (ISSO) and system administrator (SA), at a minimum, must have mail aliases to be notified of a SLEM 5 audit processing failure.
  • V-261424 (MEDIUM): The information system security officer (ISSO) and system administrator (SA), at a minimum, must be alerted of a SLEM 5 audit processing failure event.
  • V-261425 (MEDIUM): SLEM 5 must generate audit records for all uses of the "chacl" command.
  • V-261426 (MEDIUM): SLEM 5 must generate audit records for all uses of the "chage" command.
  • V-261427 (MEDIUM): SLEM 5 must generate audit records for all uses of the "chcon" command.
  • V-261428 (MEDIUM): SLEM 5 must generate audit records for all uses of the "chfn" command.
  • V-261429 (MEDIUM): SLEM 5 must generate audit records for all uses of the "chmod" command.
  • V-261430 (MEDIUM): SLEM 5 must generate audit records for all uses of the "chsh" command.
  • V-261431 (MEDIUM): SLEM 5 must generate audit records for all uses of the "crontab" command.
  • V-261432 (MEDIUM): SLEM 5 must generate audit records for all uses of the "gpasswd" command.
  • V-261433 (MEDIUM): SLEM 5 must generate audit records for all uses of the "insmod" command.
  • V-261434 (MEDIUM): SLEM 5 must generate audit records for all uses of the "kmod" command.
  • V-261435 (MEDIUM): SLEM 5 must generate audit records for all uses of the "modprobe" command.
  • V-261436 (MEDIUM): SLEM 5 must generate audit records for all uses of the "newgrp" command.
  • V-261437 (MEDIUM): SLEM 5 must generate audit records for all uses of the "pam_timestamp_check" command.
  • V-261438 (MEDIUM): SLEM 5 must generate audit records for all uses of the "passwd" command.
  • V-261439 (MEDIUM): SLEM 5 must generate audit records for all uses of the "rm" command.
  • V-261440 (MEDIUM): SLEM 5 must generate audit records for all uses of the "rmmod" command.
  • V-261441 (MEDIUM): SLEM 5 must generate audit records for all uses of the "setfacl" command.
  • V-261442 (MEDIUM): SLEM 5 must generate audit records for all uses of the "ssh-agent" command.
  • V-261443 (MEDIUM): SLEM 5 must generate audit records for all uses of the "ssh-keysign" command.
  • V-261444 (MEDIUM): SLEM 5 must generate audit records for all uses of the "su" command.
  • V-261445 (MEDIUM): SLEM 5 must generate audit records for all uses of the "sudo" command.
  • V-261446 (MEDIUM): SLEM 5 must generate audit records for all uses of the "sudoedit" command.
  • V-261447 (MEDIUM): SLEM 5 must generate audit records for all uses of the "unix_chkpwd" or "unix2_chkpwd" commands.
  • V-261448 (MEDIUM): SLEM 5 must generate audit records for all uses of the "usermod" command.
  • V-261449 (MEDIUM): SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
  • V-261450 (MEDIUM): SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
  • V-261451 (MEDIUM): SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
  • V-261452 (MEDIUM): SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
  • V-261453 (MEDIUM): SLEM 5 must generate audit records for all uses of the "chmod", "fchmod", and "fchmodat" system calls.
  • V-261454 (MEDIUM): SLEM 5 must generate audit records for all uses of the "chown", "fchown", "fchownat", and "lchown" system calls.
  • V-261455 (MEDIUM): SLEM 5 must generate audit records for all uses of the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls.
  • V-261456 (MEDIUM): SLEM 5 must generate audit records for all uses of the "delete_module" system call.
  • V-261457 (MEDIUM): SLEM 5 must generate audit records for all uses of the "init_module" and "finit_module" system calls.
  • V-261458 (MEDIUM): SLEM 5 must generate audit records for all uses of the "mount" system call.
  • V-261459 (MEDIUM): SLEM 5 must generate audit records for all uses of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls.
  • V-261460 (MEDIUM): SLEM 5 must generate audit records for all uses of the "umount" system call.
  • V-261461 (MEDIUM): SLEM 5 must generate audit records for all uses of the "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls.
  • V-261462 (MEDIUM): SLEM 5 must generate audit records for all uses of privileged functions.
  • V-261463 (MEDIUM): SLEM 5 must generate audit records for all modifications to the "lastlog" file.
  • V-261464 (MEDIUM): SLEM 5 must generate audit records for all modifications to the "tallylog" file.
  • V-261465 (MEDIUM): SLEM 5 must audit all uses of the sudoers file and all files in the "/etc/sudoers.d/" directory.
  • V-261466 (MEDIUM): Successful/unsuccessful uses of "setfiles" in SLEM 5 must generate an audit record.
  • V-261467 (MEDIUM): Successful/unsuccessful uses of "semanage" in SLEM 5 must generate an audit record.
  • V-261468 (MEDIUM): Successful/unsuccessful uses of "setsebool" in SLEM 5 must generate an audit record.
  • V-261469 (MEDIUM): SLEM 5 must generate audit records for the "/run/utmp" file.
  • V-261470 (MEDIUM): SLEM 5 must generate audit records for the "/var/log/btmp" file.
  • V-261471 (MEDIUM): SLEM 5 must generate audit records for the "/var/log/wtmp" file.
  • V-261472 (MEDIUM): SLEM 5 must not disable syscall auditing.
  • V-261473 (HIGH): FIPS 140-2/140-3 mode must be enabled on SLEM 5.