Jun 17, 2024

Apr 1, 2024
Miscellaneous
- Audit deprecated.
- Metadata updated.
- References updated.

Mar 19, 2024
Informational Update
- 3.7 Ensure there are no 'staff' writable files - exceptions must be in TSD and audit
- 4.1.2.11 portmap
- 4.1.3.2 ndpd-host
- 4.5.3.17 sshd_config, ssh_config: MACs - Message Authentication Codes
- 7.2 Use FLRTVC regularly
Miscellaneous
- Metadata updated.
- References updated.
- See also link updated.
- Variables updated.
Added
- 2.3 Allowlist Authorized Software and Report Violations
- 2.4 Allowlist Authorized Libraries and Report Violations
- 2.5 Allowlist Authorized Scripts and Report Violations
- 4.1.2.1 inetd - aka Super Daemon
- 4.1.4.3 NFS - enable both nosuid and nodev options on NFS client mounts
- 4.1.4.4 NFS - localhost removal
- 4.10 Disable core dumps
- 4.2.12 nfs_use_reserved_ports
- 4.3.1 Ensure that IP Security is available
- 4.3.2 Ensure loopback traffic is blocked on external interfaces
- 4.3.3 Ensure that IPsec filters are active
- 4.5.1.10 CDE - /etc/dt/config/Xservers permissions and ownership
- 4.5.1.11 CDE - /etc/dt/config/*/Xresources permissions and ownership
- 4.5.1.5 CDE - sgid/suid binary lockdown
- 4.5.1.7 CDE - screensaver lock
- 4.5.1.8 CDE - login screen hostname masking
- 4.5.1.9 CDE - /etc/dt/config/Xconfig permissions and ownership
- 4.5.3.2 OpenSSH: Remove /etc/shosts.equiv and /etc/rhosts.equiv
- 4.5.4.1 /etc/mail/sendmail.cf - Hide sendmail version information
- 4.6.1 /etc/security/login.cfg - logintimeout
- 4.6.2 /etc/security/login.cfg - logindelay
- 4.6.3 herald (logon message)
- 4.6.5 Unattended terminal session timeout is 900 seconds (or less)
- 4.7.1.4 AUDIT subsystem: /audit and /etc/security/audit
- 4.7.2.3 crontab entries - owned by userid
- 4.9 Ensure root access is controlled
- 5.2.2 pwd_algorithm
- 8.1.1 Configuring syslog - local logging
Removed
- 2.3 Allowlist Authorized Software and Report Violations - CHKEXEC
- 2.3 Allowlist Authorized Software and Report Violations - TE
- 2.3 Allowlist Authorized Software and Report Violations - kern.info
- 2.4 Allowlist Authorized Libraries and Report Violations - CHKKERNEXT
- 2.4 Allowlist Authorized Libraries and Report Violations - CHKSHLIB
- 2.4 Allowlist Authorized Libraries and Report Violations - TE
- 2.4 Allowlist Authorized Libraries and Report Violations - kern.info
- 2.5 Allowlist Authorized Scripts and Report Violations - CHKSCRIPT
- 2.5 Allowlist Authorized Scripts and Report Violations - kern.info
- 4.1.2.1 inetd - aka Super Daemon - aka Super Daemon
- 4.1.4.3 NFS - enable both nosuid and nodev options on NFS client mounts - nodev
- 4.1.4.3 NFS - enable both nosuid and nodev options on NFS client mounts - nosuid
- 4.1.4.4 NFS - localhost removal - localhost removal
- 4.10 Disable core dumps - lsattr
- 4.10 Disable core dumps - lssec
- 4.2.12 nfs_use_reserved_ports - nfs_use_reserved_ports
- 4.2.12 nfs_use_reserved_ports - portcheck
- 4.3.1 Ensure that IP Security is available - ipsec_v4
- 4.3.1 Ensure that IP Security is available - ipsec_v6
- 4.3.2 Ensure loopback traffic is blocked on external interfaces - v4
- 4.3.2 Ensure loopback traffic is blocked on external interfaces - v6
- 4.3.3 Ensure that IPsec filters are active - v4
- 4.3.3 Ensure that IPsec filters are active - v6
- 4.5.1.10 CDE - /etc/dt/config/Xservers permissions and ownership - explicit definition
- 4.5.1.10 CDE - /etc/dt/config/Xservers permissions and ownership - permissions and ownership
- 4.5.1.11 CDE - /etc/dt/config/*/Xresources permissions and ownership - /etc/dt/config/*/Xresources permissions and ownership
- 4.5.1.5 CDE - sgid/suid binary lockdown - /usr/dt/bin/dtaction
- 4.5.1.5 CDE - sgid/suid binary lockdown - /usr/dt/bin/dtappgather
- 4.5.1.5 CDE - sgid/suid binary lockdown - /usr/dt/bin/dtprintinfo
- 4.5.1.5 CDE - sgid/suid binary lockdown - /usr/dt/bin/dtsession
- 4.5.1.7 CDE - screensaver lock - dtsession*lockTimeout
- 4.5.1.7 CDE - screensaver lock - dtsession*saverTimeout
- 4.5.1.8 CDE - login screen hostname masking - dtlogin.greeting.labelString
- 4.5.1.8 CDE - login screen hostname masking - dtlogin.greeting.persLabelString
- 4.5.1.9 CDE - /etc/dt/config/Xconfig permissions and ownership - /etc/dt/config/Xconfig permissions and ownership
- 4.5.3.2 OpenSSH: Remove /etc/shosts.equiv and /etc/rhosts.equiv - /etc/rhosts.equiv
- 4.5.3.2 OpenSSH: Remove /etc/shosts.equiv and /etc/rhosts.equiv - /etc/shosts.equiv
- 4.5.4.1 /etc/mail/sendmail.cf - Hide sendmail version information - SmtpGreetingMessage
- 4.5.4.1 /etc/mail/sendmail.cf - Hide sendmail version information - helpfile
- 4.6.1 /etc/security/login.cfg - logintimeout - logintimeout
- 4.6.2 /etc/security/login.cfg - logindelay - logindelay
- 4.6.3 herald (logon message) - logon message
- 4.6.5 Unattended terminal session timeout is 900 seconds (or less) - TIMEOUT
- 4.6.5 Unattended terminal session timeout is 900 seconds (or less) - TMOUT
- 4.6.5 Unattended terminal session timeout is 900 seconds (or less) - readonly
- 4.7.1.4 AUDIT subsystem: /audit and /etc/security/audit - /audit
- 4.7.1.4 AUDIT subsystem: /audit and /etc/security/audit - /etc/security/audit
- 4.7.2.3 crontab entries - owned by userid - owned by userid
- 4.9 Ensure root access is controlled - rlogin
- 4.9 Ensure root access is controlled - sugroups
- 5.2.2 pwd_algorithm - pwd_algorithm
- 8.1.1 Configuring syslog - local logging - *.info/auth.none in /etc/syslog.conf
- 8.1.1 Configuring syslog - local logging - /var/adm/authlog
- 8.1.1 Configuring syslog - local logging - /var/adm/syslog
- 8.1.1 Configuring syslog - local logging - auth.info in /etc/syslog.conf

Feb 7, 2024
Functional Update
- 4.13 Remove current working directory from root's PATH
- 4.3.3 Ensure that IPsec filters are active - v4
- 4.3.3 Ensure that IPsec filters are active - v6

Sep 19, 2023
Functional Update
- 2.7 Remove Unused Symbolic Links
- 3.4 Remove group write permission from default groups - exceptions must be in TSD and audit
- 3.5 Application Data with requirement for world writable directories
- 3.6 Ensure there are no world writable files - exceptions must be in TSD and audit
- 3.8 Ensure all files and directories are owned by a user (uid) and assigned to a group (gid)
- 4.5.3.3 OpenSSH: Remove .shosts files
- 4.7.1.6 /var/adm/ras
- 4.7.2.2 Verify Trust of suid, sgid, acl, and trusted-bit files and programs
Miscellaneous
- References updated.
- Variables updated.

Apr 12, 2023