
SUSE Linux Enterprise Server 15 STIG — Compliance Checklist

Medium 16 items · 4 hours
testuser Published 1 month ago

This checklist helps administrators apply, verify, and maintain DISA’s SLES 15 STIG controls. It’s intended for system administrators and compliance officers managing SLES 15 in managed or DoD-aligned environments.

Source: https://ncp.nist.gov/checklist/984

  1. Download SCAP 1.3 content — Get DISA SCAP 1.3 content for the SLES 15 STIG benchmark.
  2. Download standalone XCCDF and automated SCC content — Obtain XCCDF and SCC resources matching your architecture (x86_64, aarch64).
  3. Verify CPE target matches SLES 15 — Confirm the target is cpe:/o:suse:suse_linux_enterprise_server:15.
  4. Apply latest SLES 15 updates and security patches — Use zypper or your update management tool to install patches.
  5. Run SCAP benchmark scan against target hosts — Execute the SCAP/XCCDF scan using your chosen toolset.
  6. Review SCAP scan results and export report — Focus first on high and critical findings; export evidence.
  7. Prioritize and remediate high-severity findings — Plan fixes, obtain approvals, and track remediation steps.
  8. Verify remediation and re-scan to confirm fixes — Re-run scans to ensure issues are resolved and closed.
  9. Configure system auditing (auditd) per STIG guidance — Ensure audit rules, rotation, and retention meet STIG requirements.
  10. Enforce secure SSH configuration (disable root login, strong ciphers) — Update /etc/ssh/sshd_config and restart sshd after changes.
  11. Harden password and account policies (lockouts, complexity) — Configure PAM, password expiry, and account lockout settings.
  12. Disable unused services and remove unnecessary packages — List services, then mask/disable or remove packages not required.
  13. Configure centralized logging and retain logs per DoD policy — Forward logs to a central server and set retention rules.
  14. Implement firewall rules to restrict inbound services — Use firewalld/iptables to limit access to required ports only.
  15. Document exceptions and submit change requests to DISA when needed — Send proposed revisions or comments to [email protected].
  16. Subscribe to DISA STIG updates and monitor resource changes — Watch for Resource Title, SCC, and SHA updates to keep content current.
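
For steps 6 to 8, a triage script that reads an XCCDF results file and lists the unresolved rules, highest severity first. This is an added example, not part of the original checklist or of DISA content; the sample results, host name and rule IDs are constructed placeholders, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed XCCDF 1.2 TestResult. Rule IDs are placeholders,
# not real STIG rule identifiers.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="example_benchmark">
  <TestResult id="example_result">
    <target>sles15-host-01</target>
    <rule-result idref="rule_placeholder_audit" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="rule_placeholder_ssh_root" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="rule_placeholder_firewall" severity="low">
      <result>pass</result>
    </rule-result>
    <rule-result idref="rule_placeholder_pam">
      <result>error</result>
    </rule-result>
  </TestResult>
</Benchmark>"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}
# Results that still need attention; pass, fixed, notapplicable etc. count as closed.
OPEN_RESULTS = {"fail", "error", "unknown"}

def local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 files both parse."""
    return tag.rsplit("}", 1)[-1]

def open_findings(xml_text):
    """Return [(severity, rule_id, result)] for unresolved rules, worst first."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "rule-result":
            continue
        result = next((c.text or "" for c in el if local(c.tag) == "result"), "").strip()
        if result in OPEN_RESULTS:
            # A rule-result without a severity attribute is reported as "unknown".
            findings.append((el.get("severity", "unknown"), el.get("idref", ""), result))
    findings.sort(key=lambda f: (SEVERITY_ORDER.get(f[0], 4), f[1]))
    return findings

if __name__ == "__main__":
    for sev, rule, result in open_findings(SAMPLE_RESULTS):
        print(f"{sev:8} {result:6} {rule}")
```

Running the same function on the results file from the re-scan in step 8 and comparing the two lists shows which findings were actually closed.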