diff --git a/DC-public-cloud b/DC-public-cloud index 4ba7c70..5292a83 100644 --- a/DC-public-cloud +++ b/DC-public-cloud @@ -4,6 +4,8 @@ MAIN="MAIN.public-cloud.xml" ROOTID="public-cloud" +## Profiling +PROFOS="sles" PROFCONDITION="suse-product" #PROFCONDITION="suse-product;beta" #PROFCONDITION="community-project" diff --git a/xml/cha_administration.xml b/xml/cha_administration.xml index 0244863..01497aa 100644 --- a/xml/cha_administration.xml +++ b/xml/cha_administration.xml 
@@ -338,250 +338,362 @@ - - Hardening instances - - To improve overall security, &suse; provides hardened images of some - products. The images are hardened using &openscap;, a collection of open source tools that - implement the Security Content Automation - Protocol (SCAP) maintained by the National Institute - of Standards and Technology (NIST). &openscap; supports automated configuration, - vulnerability and patch checking, technical control compliance activities, - and security measurement. - - - To harden a system, &openscap; uses security - rules that define certain security measures. Multiple rules can be combined - into profiles. For more information, refer to the &openscap; documentation - at . - + + Enabling LTSS + + Long Term Service Pack Support (LTSS) extends the lifecycle of + &productname;. It is available as an extension. For more information about LTSS, refer to + . + + + LTSS subscriptions are version-specific + + LTSS subscriptions are version-specific. If you have a subscription for + &slsa; 15 SP4, you cannot use that registration code to register LTSS on a + 15 SP3 image. Make sure to use the correct registration code for your instance + and upgrade it if necessary. + + + + LTSS on BYOS + + If you do not have an LTSS subscription for your BYOS instance, contact a &suse; + representative or visit for purchase + options. + + + + To enable the LTSS extension, perform the following steps: + + + + Log in to the &scc; to look up your LTSS registration + code. + + + + + Log in to your instance and make sure your system is registered: + +&prompt.sudo;SUSEConnect --status-text + + If the system is not yet registered, register it (see ). + + + + + Check if the LTSS extension is available for your system. 
For &sle; 15 SP3, it looks + like this: + +&prompt.sudo;SUSEConnect --list-extensions | grep LTSS + SUSE Linux Enterprise Server LTSS 15 SP3 x86_64 + Activate with: SUSEConnect -p SLES-LTSS/15.3/x86_64 -r ADDITIONAL REGCODE + + + + Activate the module as instructed: + +&prompt.sudo;SUSEConnect -p SLES-LTSS/15.3/x86_64 -r LTSS_REGISTRATION_CODE + + + + + LTSS on PAYG + + LTSS subscriptions for PAYG can be transacted through a private offer on the CSPs market + place or via direct transaction with SUSE. Reach out to cloudsales@suse.com to work out the + commercial details. You will receive a subscription and access to the &scc;). With your subscription, you can activate a + registration code for LTSS. + + + Existing LTSS subscriptions + + If you already have an LTSS subscription that you are using in your data center, it will + work in the cloud just fine. You can deregister a system in your data center and move that + use of your LTSS subscription to an instance in the cloud. + + + + + To enable the LTSS extension, perform the following steps: + + + + Log in to the &scc; to activate a registration code. + Note that LTSS subscriptions are version-specific. If you have a subscription for + &slsa; 15 SP4, you cannot use that registration code to register LTSS on a + 15 SP3 image. Make sure to activate the LTSS registration code for + the correct version and service pack (SP) of your instance! + + + + + Log in to your instance and make sure your system is registered with a subscription that + is eligible for LTSS. If the system is not yet registered, register it + (see ). + + + + + Update cloud-regionsrv-client: + + &prompt.sudo;zypper up cloud-regionsrv-client + + You need at least version 10.3.4 of the package. 
+ + + + + Register the LTSS extension with the registration code you activated in the &scc;: + +&prompt.sudo;registercloudguset -r LTSS_REGISTRATION_CODE +Running LTSS registration...this takes a little longer +LTSS registration succeeded + + + + - - Pre-hardening - - Hardened images are pre-hardened to the extent they can safely be hardened - without causing problems in public cloud frameworks. Certain rules can only - be applied after instance creation, for example: - - - - - Rules that require having passwords set up. Passwords would have to be - public if configured during the image build. This would defeat the purpose of - a secret password. - - - - - Rules that affect the network configuration. Networking is set up during - instance creation, therefore it is not possible to limit access during - image build. - - - - - Rules for custom partitioning. &suse;'s public cloud images are - partitioned to meet the requirements of the framework in which they are - released. If your system needs to meet standards that require separate - file systems for given directories, we recommend that you build your own - images and use LVM or move those directories onto attached disks to get - the strictest data separation possible. - - - - - Rules to remove packages. &suse;'s public cloud images cater to a wide range - of use cases. Even if the number of packages is limited, it is impossible - to determine what packages an instance requires. - - - - - - Avialable <phrase role="product">&openscap;</phrase> profiles - - After instance creation, you can use the installed - openscap packages to complete the hardening process using - any of the following profiles: - - - - - Standard (standard.profile) - + + Hardening instances + + To improve overall security, &suse; provides hardened images of some products. 
+ The images are hardened using &openscap;, a collection of open + source tools that implement the Security Content Automation + Protocol (SCAP) maintained by the National Institute + of Standards and Technology (NIST). &openscap; + supports automated configuration, vulnerability and patch checking, technical control + compliance activities, and security measurement. + + + To harden a system, &openscap; uses security rules that define + certain security measures. Multiple rules can be combined into profiles. + For more information, refer to the &openscap; documentation at . + + + + Pre-hardening - Basic &openscap; system security - standard. + Hardened images are pre-hardened to the extent they can safely be hardened without causing + problems in public cloud frameworks. Certain rules can only be applied after instance + creation, for example: - - - - &cisa; Server Level 2 (cis.profile) - + + + + Rules that require having passwords set up. Passwords would have to be public if + configured during the image build. This would defeat the purpose of a secret password. + + + + + Rules that affect the network configuration. Networking is set up during instance + creation, therefore it is not possible to limit access during image build. + + + + + Rules for custom partitioning. &suse;'s public cloud images are partitioned to meet the + requirements of the framework in which they are released. + If your system needs to meet standards that require separate file systems for given + directories, we recommend that you build your own images and use LVM or move those + directories onto attached disks to get the strictest data separation possible. + + + + + Rules to remove packages. &suse;'s public cloud images cater to a wide range of use + cases. + Even if the number of packages is limited, it is impossible to determine what packages + an instance requires. 
+ + + + + + Avialable <phrase role="product">&openscap;</phrase> profiles - The &cis; Server Level 2 profile is considered - to be defense in depth and is intended for environments - where security is paramount. The recommendations associated with this - profile can have an adverse effect on your organization if not - implemented appropriately or without due care. For more information, - refer to . + After instance creation, you can use the installed openscap packages to + complete the hardening process using any of the following profiles: - - - - Department of Defense &stiga; (stig.profile) - + + + + Standard (standard.profile) + + + Basic &openscap; system security standard. + + + + + &cisa; Server Level 2 (cis.profile) + + + The &cis; Server Level 2 profile is considered to be + defense in depth and is intended for environments where security is + paramount. + The recommendations associated with this profile can have an adverse effect on your + organization if not implemented appropriately or without due care. + For more information, refer to . + + + + + Department of Defense &stiga; (stig.profile) + + + The &disa; publishes &stig;s (&stiga;s) for + the Department of Defense. + The &stiga; profile replaces the previous &cisa; Level 3 profile and provides all + recommendations that are &stiga;-specific. + Overlap of recommendations from other profiles, i.e. &cisa; Level 1 and Level 2, are + present in the &stiga; profile as applicable. + For more information, refer to . + + + + + &hipaaa; Security Rule (hipaa.profile) + + + In response to the &hipaa; (&hipaaa;) of 1996, the + U.S. Department of Health and Human Services developed + Security Standards for the Protection of Electronic Protected + Health Information, commonly known as the HIPAA Security + Rule. + It establishes national standards to protect individuals' electronic personal health + information (e-PHI) that is created, received, used, or maintained by a covered + entity. 
+ For more information, refer to . + + + + + &pcidss; (pci-dss.profile) + + + The &pcidss; (&pcidssa;) is a set of requirements to guide + merchants to protect cardholder data. It is maintained by the PCI Security + Standards Council (SSC) that was founded by all five major credit card + brands Visa, MasterCard, American Express, Discover, and JCB. + For more information, refer to . + + + + - The &disa; publishes &stig;s - (&stiga;s) for the Department of Defense. - The &stiga; profile replaces the previous &cisa; Level 3 profile and - provides all recommendations that are &stiga;-specific. Overlap of - recommendations from other profiles, i.e. &cisa; Level 1 and Level 2, - are present in the &stiga; profile as applicable. For more information, - refer to . + All profile files are available in the ComplianceAsCode + repository. - - - - &hipaaa; Security Rule (hipaa.profile) - - In response to the &hipaa; (&hipaaa;) of 1996, the - U.S. Department of Health and Human Services developed - Security Standards for the Protection of Electronic Protected - Health Information, commonly known as the HIPAA - Security Rule. It establishes national standards to protect - individuals' electronic personal health information (e-PHI) that is - created, received, used, or maintained by a covered entity. For more - information, refer to . + For a complete list of rules that have been applied during pre-hardening, refer to pcs-hardening.profile. + This profile is a combination of the &stiga; and + &cisa; profiles minus rules that can only be applied + after instance creation. - - - - &pcidss; (pci-dss.profile) - - The &pcidss; (&pcidssa;) is a set of requirements - to guide merchants to protect cardholder data. It is maintained by the - PCI Security Standards Council (SSC) that was founded - by all five major credit card brands Visa, MasterCard, American Express, - Discover, and JCB. For more information, refer to . 
+ Images of &sles4sap; are hardened using a modified version of the profile + called pcs-hardening-sap.profile. + Users may need to make additional modifications to the system configuration + depending on individual application needs. - - - - - All profile files are available in the ComplianceAsCode - repository. - - - For a complete list of rules that have been applied during pre-hardening, - refer to pcs-hardening.profile. - This profile is a combination of the &stiga; and - &cisa; profiles minus rules that can only be applied - after instance creation. - - - Images of &sles4sap; are hardened using a modified version of the profile - called pcs-hardening-sap.profile. - Users may need to make additional modifications to the system configuration - depending on individual application needs. - - - Recommended profiles - - &suse; recommends using either the &cisa; or the - &stiga; profile. You can use other profiles at your own - discretion. - - - - - - Hardening instances with <phrase role="product">&openscap;</phrase> - - To evaluate an instance, you can run: - - &prompt.sudo;oscap xccdf eval \ - --profile stig \ - --results /tmp/results.xml \ - --report /tmp/report.html \ - --stig-viewer /tmp/stigviewer.xml \ - /usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml - - - - Specifies the profile to use, e.g. stig or - cis. - - - - - Saves the results of the evaluation to /tmp/results.xml - - - - - Generates a HTML report called /tmp/report.html in - addition to the results in XML. - - - - - Saves the results to /tmp/stigviewer.xml, which can - be imported into the DISA STIG Viewer. Refer to for - information about DISA STIG Viewer. - - - - - Scap Security Guide (SSG) policy file in the - datastream (ds) format. Make sure to select the correct - version for your instance. To list all available policies, run: - ls -1 /usr/share/xml/scap/ssg/content/ssg-*-ds.xml.For - more information about a particular policy, run - oscap info on the file. 
- - - - - The evaluation process usually takes a few minutes, depending on the number - of selected rules. - - - To remediate an instance, add the --remediate - parameter: - - &prompt.sudo;oscap xccdf eval --remediate\ - --profile stig \ - --results /tmp/results.xml \ - --report /tmp/report.html \ - --stig-viewer /tmp/stigviewer.xml \ - /usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml - - - More information - - For more information on how to harden your &sle; system with &openscap;, refer to the article - Hardening - SUSE Linux Enterprise with OpenSCAP. For general - information on &openscap;, refer to the SCAP - Security Guide. - - - + + Recommended profiles + + &suse; recommends using either the &cisa; or the + &stiga; profile. You can use other profiles at your own + discretion. + + + + + + Hardening instances with <phrase role="product">&openscap;</phrase> + + To evaluate an instance, you can run: + +&prompt.sudo;oscap xccdf eval \ +--profile stig \ +--results /tmp/results.xml \ +--report /tmp/report.html \ +--stig-viewer /tmp/stigviewer.xml \ +/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml + + + + Specifies the profile to use, e.g. stig or + cis. + + + + + Saves the results of the evaluation to /tmp/results.xml + + + + + Generates a HTML report called /tmp/report.html in + addition to the results in XML. + + + + + Saves the results to /tmp/stigviewer.xml, which can + be imported into the DISA STIG Viewer. Refer to for + information about DISA STIG Viewer. + + + + + Scap Security Guide (SSG) policy file in the + datastream (ds) format. Make sure to select the correct + version for your instance. To list all available policies, run: + ls -1 /usr/share/xml/scap/ssg/content/ssg-*-ds.xml.For + more information about a particular policy, run + oscap info on the file. + + + + + The evaluation process usually takes a few minutes, depending on the number + of selected rules. 
+ + + To remediate an instance, add the --remediate + parameter: + +&prompt.sudo;oscap xccdf eval --remediate\ +--profile stig \ +--results /tmp/results.xml \ +--report /tmp/report.html \ +--stig-viewer /tmp/stigviewer.xml \ +/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml + + + More information + + For more information on how to harden your &sle; system with &openscap;, refer to the article + Hardening + SUSE Linux Enterprise with OpenSCAP. For general + information on &openscap;, refer to the SCAP + Security Guide. + + + diff --git a/xml/product-entities.ent b/xml/product-entities.ent index 7b6eac0..1c8fd65 100644 --- a/xml/product-entities.ent +++ b/xml/product-entities.ent @@ -2,9 +2,16 @@ - - - +&sle;"> +&slereg;"> +&slsa; CSP"> + + + + + + +15.6&product-ga; SP&product-sp;5.5">
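Review bot: the new PROFOS="sles" line under "## Profiling" does not say which other values the build accepts, whereas the PROFCONDITION setting right below it keeps its alternatives as commented lines (#PROFCONDITION="suse-product;beta", #PROFCONDITION="community-project"). The chapter in this same patch documents &sles4sap; images that are hardened with their own pcs-hardening-sap.profile, so if a second profiling target exists for the SAP variant, add it as a commented line in the same style; if "sles" is the only valid value, a short comment saying so would stop the next maintainer from guessing.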
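Review bot: the PAYG LTSS procedure tells the reader to run "registercloudguset -r LTSS_REGISTRATION_CODE", but the tool shipped by cloud-regionsrv-client is spelled registercloudguest; as written the step ends in "command not found", so fix the spelling in the screen element, and since the step right before it requires at least version 10.3.4 of the package, consider showing how to check that (rpm -q cloud-regionsrv-client) before the registration call. In the remediation example, "oscap xccdf eval --remediate\" has no space before the continuation backslash, so the shell joins it with the next line into "--remediate--profile stig" and oscap rejects the option; this is carried over from the old text, but the move is the right moment to add the space. The same section also carries over the misspelled title "Avialable &openscap; profiles" (should be "Available"), and the new PAYG paragraph has a stray closing parenthesis in "access to the &scc;)." and should read "CSP's marketplace" rather than "CSPs market place". The first PAYG step repeats the version-specific warning word for word although it already appears in the "LTSS subscriptions are version-specific" note above; an xref to that note keeps the two from drifting apart. Finally, the pre-hardening text explains that network-affecting rules are deferred to the running instance, yet the "--remediate" paragraph gives no warning; one sentence advising to review the evaluation report first and to keep an alternative way of reaching the instance before remediating with the stig or cis profile would save readers from locking themselves out.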
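Review bot: the chapter hunk in this same patch hardcodes product versions ("15 SP3", "15 SP4", "SLES-LTSS/15.3/x86_64", "ssg-sle15-ds-1.2.xml") while this hunk introduces &product-ga; and &product-sp; entities that are never referenced by it; either use the new entities where the chapter means "the documented product version" or mark those strings explicitly as examples for one service pack, otherwise the LTSS steps go stale at the next release. The entity declarations as shown here also do not reveal their names or how the values 15.6 and 5.5 map to &product-ga; and &product-sp;, so please confirm the .ent file still parses and resolves (for example with xmllint --noent on MAIN.public-cloud.xml) before merging.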