This guide presents a catalog of security-relevant configuration settings for SUSE Linux Enterprise 11. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation.


SUSE Linux Enterprise Server 11 was released on March 24, 2009 and included Linux kernel 2.6.27, Oracle Cluster File System Release 2, support for the OpenAIS cluster communication protocol for server and storage clustering, and Mono 2.0.

The SCAP content is available in the scap-security-guide package which is developed at. Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation.

This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives.

Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.

Warning: As shown in the example, database files which are required for recursion, such as the root hints file, must be available to any clients which are allowed to make recursive queries. Under typical circumstances, this includes only the internal clients which are allowed to use this server as a general-purpose nameserver.

Group Disable DNS Server

DNS software should be disabled on any system which does not need to be a nameserver.

Note that the BIND DNS server software is not installed on SUSE Linux Enterprise 11 by default. The remainder of this section discusses secure configuration of systems which must be nameservers.

Group LDAP

LDAP is a popular directory service, that is, a standardized way of looking up information from a central database. SUSE Linux Enterprise 11 includes software that enables a system to act as both an LDAP client and server.

Group Configure OpenLDAP Server

This section details some security-relevant settings for an OpenLDAP server.

Warning: Before configuring any system to be an LDAP client, ensure that a working LDAP server is present on the network.

Group Mail Server Software

Mail servers are used to send and receive email over the network.

Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious targets of network attack. Ensure that systems are not running MTAs unnecessarily, and configure needed MTAs as defensively as possible. Very few systems at any site should be configured to directly receive email over the network. Users should instead use mail client programs to retrieve email from a central server that supports protocols such as IMAP or POP3. However, it is normal for most systems to be independently capable of sending email, for instance so that cron jobs can report output to an administrator. Most MTAs, including Postfix, support a submission-only mode in which mail can be sent from the local system to a central site MTA (or directly delivered to a local account), but the system still cannot receive mail directly over a network.
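One way to audit the submission-only Postfix posture just described is to check the inet_interfaces parameter in main.cf; the shell script below is an added example, not part of this guide or of the scap-security-guide project. It assumes Postfix's documented behaviour that inet_interfaces defaults to all when absent and that a later definition in main.cf overrides an earlier one, and it runs against constructed sample files.

```shell
#!/bin/sh
# Added example (not from the guide): audit a Postfix main.cf for the
# submission-only posture described above. Postfix binds its SMTP listener
# according to inet_interfaces; "loopback-only" (or "localhost") lets the
# host send mail but never accept it from the network. Assumptions: the
# parameter defaults to "all" when absent, and when it is repeated the
# last definition in main.cf wins.

# postfix_loopback_only FILE -> returns 0 if every listed interface is
# loopback, 1 if the MTA would accept connections from the network.
postfix_loopback_only() {
    # Continuation lines start with whitespace and comments start with '#',
    # so only a line beginning with the parameter name at column 1 counts.
    value=$(sed -n 's/^inet_interfaces[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    # Absent (or blank) parameter: fall back to the Postfix default "all".
    [ -n "$value" ] || value=all
    # The value may be a comma- or space-separated list; every entry must be loopback.
    for iface in $(printf '%s' "$value" | tr ',' ' '); do
        case "$iface" in
            loopback-only|localhost|127.0.0.1|::1) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample configurations for demonstration.
weak_cf=$(mktemp); hardened_cf=$(mktemp)
cat >"$weak_cf" <<'EOF'
# main.cf that listens on every interface
myhostname = host.example.com
inet_interfaces = all
EOF
cat >"$hardened_cf" <<'EOF'
# main.cf for a submission-only host
myhostname = host.example.com
inet_interfaces = all
# the later definition overrides the one above
inet_interfaces = loopback-only
EOF

for f in "$weak_cf" "$hardened_cf"; do
    if postfix_loopback_only "$f"; then
        echo "$f: OK, Postfix listens on loopback only"
    else
        echo "$f: FAIL, Postfix would accept mail from the network"
    fi
done
```

On a live system the same check can be run against /etc/postfix/main.cf, and `postconf -n inet_interfaces` shows the value Postfix has actually loaded.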