CIS AlmaLinux OS 9 Server L1 v1.0.0

Audit Details

Name: CIS AlmaLinux OS 9 Server L1 v1.0.0

Updated: 7/9/2024

Authority: CIS

Plugin: Unix

Revision: 1.30

Estimated Item Count: 202

File Details

Filename: CIS_AlmaLinux_OS_9_v1.0.0_L1_Server.audit

Size: 740 kB

MD5: 2060e286606cc4ac9150254d197fd2dd

SHA256: 8ca78e64c8c5b937a2378c1525b277f6adefd7a4a7021b641472d3abce6ce614

Audit Changelog


Revision 1.30 Jul 9, 2024 Functional Update 5.1.9 Ensure at is restricted to authorized users
Revision 1.29 Jun 17, 2024 Miscellaneous Metadata updated.
Revision 1.28 Jun 6, 2024 Functional Update 1.1.2.2 Ensure nodev option set on /tmp partition 1.1.2.3 Ensure noexec option set on /tmp partition 1.1.2.4 Ensure nosuid option set on /tmp partition 1.1.3.2 Ensure nodev option set on /var partition 1.1.3.3 Ensure nosuid option set on /var partition 1.1.4.2 Ensure noexec option set on /var/tmp partition 1.1.4.3 Ensure nosuid option set on /var/tmp partition 1.1.4.4 Ensure nodev option set on /var/tmp partition 1.1.5.2 Ensure nodev option set on /var/log partition 1.1.5.3 Ensure noexec option set on /var/log partition 1.1.5.4 Ensure nosuid option set on /var/log partition 1.1.6.2 Ensure noexec option set on /var/log/audit partition 1.1.6.3 Ensure nodev option set on /var/log/audit partition 1.1.6.4 Ensure nosuid option set on /var/log/audit partition 1.1.7.2 Ensure nodev option set on /home partition 1.1.7.3 Ensure nosuid option set on /home partition 1.1.8.1 Ensure /dev/shm is a separate partition 1.1.8.2 Ensure nodev option set on /dev/shm partition 1.1.8.3 Ensure noexec option set on /dev/shm partition 1.1.8.4 Ensure nosuid option set on /dev/shm partition 1.1.9 Disable USB Storage 1.10 Ensure system-wide crypto policy is not legacy 1.2.3 Ensure package manager repositories are configured 1.3.1 Ensure AIDE is installed 1.4.1 Ensure bootloader password is set 1.5.1 Ensure core dump storage is disabled 1.5.2 Ensure core dump backtraces are disabled 1.5.3 Ensure address space layout randomization (ASLR) is enabled 1.6.1.1 Ensure SELinux is installed 1.6.1.2 Ensure SELinux is not disabled in bootloader configuration 1.6.1.6 Ensure no unconfined services exist 1.6.1.7 Ensure SETroubleshoot is not installed 1.6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed 1.7.1 Ensure message of the day is configured properly 1.7.2 Ensure local login warning banner is configured properly 1.7.3 Ensure remote login warning banner is configured properly 1.7.4 Ensure permissions on /etc/motd are configured 1.7.5 Ensure permissions on /etc/issue are configured 1.7.6 Ensure permissions on /etc/issue.net are configured 1.8.10 Ensure XDCMP is not enabled 1.8.2 Ensure GDM login banner is configured 1.8.3 Ensure GDM disable-user-list option is enabled 1.8.4 Ensure GDM screen locks when the user is idle 1.8.5 Ensure GDM screen locks cannot be overridden 1.8.6 Ensure GDM automatic mounting of removable media is disabled 1.8.7 Ensure GDM disabling automatic mounting of removable media is not overridden 1.8.8 Ensure GDM autorun-never is enabled 1.8.9 Ensure GDM autorun-never is not overridden 1.9 Ensure updates, patches, and additional security software are installed 2.1.1 Ensure time synchronization is in use 2.2.10 Ensure Samba is not installed 2.2.11 Ensure HTTP Proxy Server is not installed 2.2.12 Ensure net-snmp is not installed 2.2.13 Ensure telnet-server is not installed 2.2.14 Ensure dnsmasq is not installed 2.2.15 Ensure mail transfer agent is configured for local-only mode 2.2.18 Ensure rsync-daemon is not installed or the rsyncd service is masked 2.2.2 Ensure Avahi Server is not installed 2.2.3 Ensure CUPS is not installed 2.2.4 Ensure DHCP Server is not installed 2.2.5 Ensure DNS Server is not installed 2.2.6 Ensure VSFTP Server is not installed 2.2.7 Ensure TFTP Server is not installed 2.3.1 Ensure telnet client is not installed 2.3.2 Ensure LDAP client is not installed 2.3.3 Ensure TFTP client is not installed 2.3.4 Ensure FTP client is not installed 2.4 Ensure nonessential services listening on the system are removed or masked 3.1.1 Ensure IPv6 status is identified 3.2.1 Ensure IP forwarding is disabled 3.3.5 Ensure broadcast ICMP requests are ignored 3.3.6 Ensure bogus ICMP responses are ignored 3.3.8 Ensure TCP SYN Cookies is enabled 4.2.1.1 Ensure rsyslog is installed 4.2.1.2 Ensure rsyslog service is enabled 4.2.1.3 Ensure journald is configured to send logs to rsyslog 4.2.1.4 Ensure rsyslog default file permissions are configured 4.2.1.5 Ensure logging is configured 4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host 4.2.1.7 Ensure rsyslog is not configured to receive logs from a remote client 4.2.2.1.1 Ensure systemd-journal-remote is installed 4.2.2.1.2 Ensure systemd-journal-remote is configured 4.2.2.1.3 Ensure systemd-journal-remote is enabled 4.2.2.1.4 Ensure journald is not configured to receive logs from a remote client 4.2.2.2 Ensure journald service is enabled 4.2.2.3 Ensure journald is configured to compress large log files 4.2.2.4 Ensure journald is configured to write logfiles to persistent disk 4.2.2.5 Ensure journald is not configured to send logs to rsyslog 4.2.2.6 Ensure journald log rotation is configured per site policy 4.2.2.7 Ensure journald default file permissions configured 5.1.1 Ensure cron daemon is enabled 5.1.2 Ensure permissions on /etc/crontab are configured 5.1.3 Ensure permissions on /etc/cron.hourly are configured 5.1.8 Ensure cron is restricted to authorized users 5.1.9 Ensure at is restricted to authorized users 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured 5.2.14 Ensure system-wide crypto policy is not over-ridden 5.2.15 Ensure SSH warning banner is configured 5.2.2 Ensure permissions on SSH private host key files are configured 5.2.3 Ensure permissions on SSH public host key files are configured 5.3.1 Ensure sudo is installed 5.3.2 Ensure sudo commands use pty 5.3.3 Ensure sudo log file exists 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally 5.3.6 Ensure sudo authentication timeout is configured correctly 5.3.7 Ensure access to the su command is restricted 5.4.1 Ensure custom authselect profile is used 5.5.3 Ensure password reuse is limited 5.6.1.5 Ensure all users last password change date is in the past 5.6.3 Ensure default user shell timeout is 900 seconds or less 5.6.4 Ensure default group for the root account is GID 0 5.6.6 Ensure root password is set 6.1.1 Ensure permissions on /etc/passwd are configured 6.1.10 Ensure no unowned files or directories exist 6.1.11 Ensure no ungrouped files or directories exist 6.1.12 Ensure sticky bit is set on all world-writable directories 6.1.2 Ensure permissions on /etc/passwd- are configured 6.1.3 Ensure permissions on /etc/group are configured 6.1.4 Ensure permissions on /etc/group- are configured 6.1.5 Ensure permissions on /etc/shadow are configured 6.1.6 Ensure permissions on /etc/shadow- are configured 6.1.7 Ensure permissions on /etc/gshadow are configured 6.1.8 Ensure permissions on /etc/gshadow- are configured 6.1.9 Ensure no world writable files exist 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords 6.2.10 Ensure local interactive user home directories exist 6.2.11 Ensure local interactive users own their home directories 6.2.12 Ensure local interactive user home directories are mode 750 or more restrictive 6.2.13 Ensure no local interactive user has .netrc files 6.2.14 Ensure no local interactive user has .forward files 6.2.15 Ensure no local interactive user has .rhosts files 6.2.16 Ensure local interactive user dot files are not group or world writable 6.2.2 Ensure /etc/shadow password fields are not empty 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group 6.2.4 Ensure no duplicate UIDs exist 6.2.5 Ensure no duplicate GIDs exist 6.2.6 Ensure no duplicate user names exist 6.2.7 Ensure no duplicate group names exist 6.2.8 Ensure root PATH Integrity 6.2.9 Ensure root is the only UID 0 account Informational Update 1.1.2.2 Ensure nodev option set on /tmp partition 1.1.2.3 Ensure noexec option set on /tmp partition 1.1.2.4 Ensure nosuid option set on /tmp partition 1.1.3.2 Ensure nodev option set on /var partition 1.1.3.3 Ensure nosuid option set on /var partition 1.1.4.2 Ensure noexec option set on /var/tmp partition 1.1.4.3 Ensure nosuid option set on /var/tmp partition 1.1.4.4 Ensure nodev option set on /var/tmp partition 1.1.5.2 Ensure nodev option set on /var/log partition 1.1.5.3 Ensure noexec option set on /var/log partition 1.1.5.4 Ensure nosuid option set on /var/log partition 1.1.6.2 Ensure noexec option set on /var/log/audit partition 1.1.6.3 Ensure nodev option set on /var/log/audit partition 1.1.6.4 Ensure nosuid option set on /var/log/audit partition 1.1.7.2 Ensure nodev option set on /home partition 1.1.7.3 Ensure nosuid option set on /home partition 1.1.8.1 Ensure /dev/shm is a separate partition 1.1.8.2 Ensure nodev option set on /dev/shm partition 1.1.8.3 Ensure noexec option set on /dev/shm partition 1.1.8.4 Ensure nosuid option set on /dev/shm partition 1.1.9 Disable USB Storage 1.10 Ensure system-wide crypto policy is not legacy 1.2.3 Ensure package manager repositories are configured 1.3.1 Ensure AIDE is installed 1.4.1 Ensure bootloader password is set 1.5.1 Ensure core dump storage is disabled 1.5.2 Ensure core dump backtraces are disabled 1.5.3 Ensure address space layout randomization (ASLR) is enabled 1.6.1.1 Ensure SELinux is installed 1.6.1.2 Ensure SELinux is not disabled in bootloader configuration 1.6.1.6 Ensure no unconfined services exist 1.6.1.7 Ensure SETroubleshoot is not installed 1.6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed 1.7.1 Ensure message of the day is configured properly 1.7.2 Ensure local login warning banner is configured properly 1.7.3 Ensure remote login warning banner is configured properly 1.7.4 Ensure permissions on /etc/motd are configured 1.7.5 Ensure permissions on /etc/issue are configured 1.7.6 Ensure permissions on /etc/issue.net are configured 1.8.10 Ensure XDCMP is not enabled 1.8.2 Ensure GDM login banner is configured 1.8.3 Ensure GDM disable-user-list option is enabled 1.8.4 Ensure GDM screen locks when the user is idle 1.8.5 Ensure GDM screen locks cannot be overridden 1.8.6 Ensure GDM automatic mounting of removable media is disabled 1.8.7 Ensure GDM disabling automatic mounting of removable media is not overridden 1.8.8 Ensure GDM autorun-never is enabled 1.8.9 Ensure GDM autorun-never is not overridden 1.9 Ensure updates, patches, and additional security software are installed 2.1.1 Ensure time synchronization is in use 2.2.10 Ensure Samba is not installed 2.2.11 Ensure HTTP Proxy Server is not installed 2.2.12 Ensure net-snmp is not installed 2.2.13 Ensure telnet-server is not installed 2.2.14 Ensure dnsmasq is not installed 2.2.15 Ensure mail transfer agent is configured for local-only mode 2.2.18 Ensure rsync-daemon is not installed or the rsyncd service is masked 2.2.2 Ensure Avahi Server is not installed 2.2.3 Ensure CUPS is not installed 2.2.4 Ensure DHCP Server is not installed 2.2.5 Ensure DNS Server is not installed 2.2.6 Ensure VSFTP Server is not installed 2.2.7 Ensure TFTP Server is not installed 2.3.1 Ensure telnet client is not installed 2.3.2 Ensure LDAP client is not installed 2.3.3 Ensure TFTP client is not installed 2.3.4 Ensure FTP client is not installed 2.4 Ensure nonessential services listening on the system are removed or masked 3.1.1 Ensure IPv6 status is identified 3.1.2 Ensure wireless interfaces are disabled 3.2.1 Ensure IP forwarding is disabled 3.3.5 Ensure broadcast ICMP requests are ignored 3.3.6 Ensure bogus ICMP responses are ignored 3.3.8 Ensure TCP SYN Cookies is enabled 4.2.1.1 Ensure rsyslog is installed 4.2.1.2 Ensure rsyslog service is enabled 4.2.1.3 Ensure journald is configured to send logs to rsyslog 4.2.1.4 Ensure rsyslog default file permissions are configured 4.2.1.5 Ensure logging is configured 4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host 4.2.1.7 Ensure rsyslog is not configured to receive logs from a remote client 4.2.2.1.1 Ensure systemd-journal-remote is installed 4.2.2.1.2 Ensure systemd-journal-remote is configured 4.2.2.1.3 Ensure systemd-journal-remote is enabled 4.2.2.1.4 Ensure journald is not configured to receive logs from a remote client 4.2.2.2 Ensure journald service is enabled 4.2.2.3 Ensure journald is configured to compress large log files 4.2.2.4 Ensure journald is configured to write logfiles to persistent disk 4.2.2.5 Ensure journald is not configured to send logs to rsyslog 4.2.2.6 Ensure journald log rotation is configured per site policy 4.2.2.7 Ensure journald default file permissions configured 4.2.3 Ensure all logfiles have appropriate permissions and ownership 4.3 Ensure logrotate is configured 5.1.1 Ensure cron daemon is enabled 5.1.2 Ensure permissions on /etc/crontab are configured 5.1.3 Ensure permissions on /etc/cron.hourly are configured 5.1.4 Ensure permissions on /etc/cron.daily are configured 5.1.5 Ensure permissions on /etc/cron.weekly are configured 5.1.6 Ensure permissions on /etc/cron.monthly are configured 5.1.7 Ensure permissions on /etc/cron.d are configured 5.1.8 Ensure cron is restricted to authorized users 5.1.9 Ensure at is restricted to authorized users 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured 5.2.14 Ensure system-wide crypto policy is not over-ridden 5.2.15 Ensure SSH warning banner is configured 5.2.2 Ensure permissions on SSH private host key files are configured 5.2.3 Ensure permissions on SSH public host key files are configured 5.3.1 Ensure sudo is installed 5.3.2 Ensure sudo commands use pty 5.3.3 Ensure sudo log file exists 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally 5.3.6 Ensure sudo authentication timeout is configured correctly 5.3.7 Ensure access to the su command is restricted 5.4.1 Ensure custom authselect profile is used 5.5.3 Ensure password reuse is limited 5.6.1.5 Ensure all users last password change date is in the past 5.6.3 Ensure default user shell timeout is 900 seconds or less 5.6.4 Ensure default group for the root account is GID 0 5.6.6 Ensure root password is set 6.1.1 Ensure permissions on /etc/passwd are configured 6.1.10 Ensure no unowned files or directories exist 6.1.11 Ensure no ungrouped files or directories exist 6.1.12 Ensure sticky bit is set on all world-writable directories 6.1.13 Audit SUID executables 6.1.14 Audit SGID executables 6.1.2 Ensure permissions on /etc/passwd- are configured 6.1.3 Ensure permissions on /etc/group are configured 6.1.4 Ensure permissions on /etc/group- are configured 6.1.5 Ensure permissions on /etc/shadow are configured 6.1.6 Ensure permissions on /etc/shadow- are configured 6.1.7 Ensure permissions on /etc/gshadow are configured 6.1.8 Ensure permissions on /etc/gshadow- are configured 6.1.9 Ensure no world writable files exist 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords 6.2.10 Ensure local interactive user home directories exist 6.2.11 Ensure local interactive users own their home directories 6.2.12 Ensure local interactive user home directories are mode 750 or more restrictive 6.2.13 Ensure no local interactive user has .netrc files 6.2.14 Ensure no local interactive user has .forward files 6.2.15 Ensure no local interactive user has .rhosts files 6.2.16 Ensure local interactive user dot files are not group or world writable 6.2.2 Ensure /etc/shadow password fields are not empty 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group 6.2.4 Ensure no duplicate UIDs exist 6.2.5 Ensure no duplicate GIDs exist 6.2.6 Ensure no duplicate user names exist 6.2.7 Ensure no duplicate group names exist 6.2.8 Ensure root PATH Integrity 6.2.9 Ensure root is the only UID 0 account Miscellaneous Metadata updated. References updated. Variables updated. Added 1.1.2.1 Ensure /tmp is a separate partition 1.2.1 Ensure GPG keys are configured 1.2.2 Ensure gpgcheck is globally activated 1.3.2 Ensure filesystem integrity is regularly checked 1.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools 1.4.2 Ensure permissions on bootloader config are configured 1.6.1.3 Ensure SELinux policy is configured 1.6.1.4 Ensure the SELinux mode is not disabled 2.1.2 Ensure chrony is configured 2.2.16 Ensure nfs-utils is not installed or the nfs-server service is masked 2.2.17 Ensure rpcbind is not installed or the rpcbind services are masked 2.2.8 Ensure a web server is not installed 2.2.9 Ensure IMAP and POP3 server is not installed 3.2.2 Ensure packet redirect sending is disabled 3.3.1 Ensure source routed packets are not accepted 3.3.2 Ensure ICMP redirects are not accepted 3.3.3 Ensure secure ICMP redirects are not accepted 3.3.4 Ensure suspicious packets are logged 3.3.7 Ensure Reverse Path Filtering is enabled 3.3.9 Ensure IPv6 router advertisements are not accepted 3.4.1.1 Ensure nftables is installed 3.4.1.2 Ensure a single firewall configuration utility is in use 3.4.2.1 Ensure firewalld default zone is set 3.4.2.2 Ensure at least one nftables table exists 3.4.2.3 Ensure nftables base chains exist 3.4.2.4 Ensure host based firewall loopback traffic is configured 3.4.2.5 Ensure firewalld drops unnecessary services and ports 3.4.2.6 Ensure nftables established connections are configured 3.4.2.7 Ensure nftables default deny firewall policy 5.2.10 Ensure SSH PermitUserEnvironment is disabled 5.2.11 Ensure SSH IgnoreRhosts is enabled 5.2.16 Ensure SSH MaxAuthTries is set to 4 or less 5.2.17 Ensure SSH MaxStartups is configured 5.2.18 Ensure SSH MaxSessions is set to 10 or less 5.2.19 Ensure SSH LoginGraceTime is set to one minute or less 5.2.20 Ensure SSH Idle Timeout Interval is configured 5.2.4 Ensure SSH access is limited 5.2.5 Ensure SSH LogLevel is appropriate 5.2.6 Ensure SSH PAM is enabled 5.2.7 Ensure SSH root login is disabled 5.2.8 Ensure SSH HostbasedAuthentication is disabled 5.2.9 Ensure SSH PermitEmptyPasswords is disabled 5.4.2 Ensure authselect includes with-faillock 5.5.1 Ensure password creation requirements are configured 5.5.2 Ensure lockout for failed password attempts is configured 5.5.4 Ensure password hashing algorithm is SHA-512 or yescrypt 5.6.1.1 Ensure password expiration is 365 days or less 5.6.1.2 Ensure minimum days between password changes is configured 5.6.1.3 Ensure password expiration warning days is 7 or more 5.6.1.4 Ensure inactive password lock is 30 days or less 5.6.2 Ensure system accounts are secured 5.6.5 Ensure default user umask is 027 or more restrictive Removed 1.1.2.1 Ensure /tmp is a separate partition - config check 1.1.2.1 Ensure /tmp is a separate partition - mount check 1.2.1 Ensure GPG keys are configured - gpgkey 1.2.1 Ensure GPG keys are configured - show rpm keys 1.2.2 Ensure gpgcheck is globally activated - /etc/yum.repos.d/* 1.2.2 Ensure gpgcheck is globally activated - dnf.conf 1.3.2 Ensure filesystem integrity is regularly checked - cron 1.3.2 Ensure filesystem integrity is regularly checked - systemctl is-enabled aidecheck.service 1.3.2 Ensure filesystem integrity is regularly checked - systemctl is-enabled aidecheck.timer 1.3.2 Ensure filesystem integrity is regularly checked - systemctl status aidecheck.timer 1.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools - auditctl 1.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools - auditd 1.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools - augenrules 1.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools - aureport 1.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools - ausearch 1.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools - autrace 1.4.2 Ensure permissions on bootloader config are configured - grub.cfg 1.4.2 Ensure permissions on bootloader config are configured - grubenv 1.4.2 Ensure permissions on bootloader config are configured - user.cfg 1.6.1.3 Ensure SELinux policy is configured - /etc/selinux/config 1.6.1.3 Ensure SELinux policy is configured - sestatus 1.6.1.4 Ensure the SELinux mode is not disabled - /etc/selinux/config 1.6.1.4 Ensure the SELinux mode is not disabled - getenforce 2.1.2 Ensure chrony is configured - ntp server 2.1.2 Ensure chrony is configured - user 2.2.16 Ensure nfs-utils is not installed or the nfs-server service is masked 2.2.17 Ensure rpcbind is not installed or the rpcbind services are masked - rpcbind 2.2.17 Ensure rpcbind is not installed or the rpcbind services are masked - rpcbind.socket 2.2.8 Ensure a web server is not installed - httpd 2.2.8 Ensure a web server is not installed - nginx 2.2.9 Ensure IMAP and POP3 server is not installed - cyrus-imapd 2.2.9 Ensure IMAP and POP3 server is not installed - dovecot 3.2.2 Ensure packet redirect sending is disabled - net.ipv4.conf.all.send_redirects 3.2.2 Ensure packet redirect sending is disabled - net.ipv4.conf.default.send_redirects 3.3.1 Ensure source routed packets are not accepted - 'net.ipv4.conf.all.accept_source_route = 0' 3.3.1 Ensure source routed packets are not accepted - 'net.ipv4.conf.default.accept_source_route = 0' 3.3.1 Ensure source routed packets are not accepted - 'net.ipv6.conf.all.accept_source_route = 0' 3.3.1 Ensure source routed packets are not accepted - 'net.ipv6.conf.default.accept_source_route = 0' 3.3.2 Ensure ICMP redirects are not accepted - 'net.ipv4.conf.all.accept_redirects = 0' 3.3.2 Ensure ICMP redirects are not accepted - 'net.ipv4.conf.default.accept_redirects = 0' 3.3.2 Ensure ICMP redirects are not accepted - 'net.ipv6.conf.all.accept_redirects = 0' 3.3.2 Ensure ICMP redirects are not accepted - 'net.ipv6.conf.default.accept_redirects = 0' 3.3.3 Ensure secure ICMP redirects are not accepted - net.ipv4.conf.all.secure_redirects 3.3.3 Ensure secure ICMP redirects are not accepted - net.ipv4.conf.default.secure_redirects 3.3.4 Ensure suspicious packets are logged - 'net.ipv4.conf.all.log_martians = 1' 3.3.4 Ensure suspicious packets are logged - 'net.ipv4.conf.default.log_martians = 1' 3.3.7 Ensure Reverse Path Filtering is enabled - net.ipv4.conf.all.rp_filter = 1 3.3.7 Ensure Reverse Path Filtering is enabled - net.ipv4.conf.default.rp_filter = 1 3.3.9 Ensure IPv6 router advertisements are not accepted - net.ipv6.conf.all.accept_ra = 0 3.3.9 Ensure IPv6 router advertisements are not accepted - net.ipv6.conf.default.accept_ra = 0 3.4.1.1 Ensure nftables is installed - firewall misconfigured 3.4.1.1 Ensure nftables is installed - firewalld 3.4.1.1 Ensure nftables is installed - nftables 3.4.1.2 Ensure a single firewall configuration utility is in use - firewall misconfigured 3.4.1.2 Ensure a single firewall configuration utility is in use - firewalld 3.4.1.2 Ensure a single firewall configuration utility is in use - nftables 3.4.2.1 Ensure firewalld default zone is set - firewall misconfigured 3.4.2.1 Ensure firewalld default zone is set - firewalld 3.4.2.1 Ensure firewalld default zone is set - nftables 3.4.2.2 Ensure at least one nftables table exists - firewall misconfigured 3.4.2.2 Ensure at least one nftables table exists - firewalld 3.4.2.2 Ensure at least one nftables table exists - nftables 3.4.2.3 Ensure nftables base chains exist - firewall misconfigured 3.4.2.3 Ensure nftables base chains exist - firewalld 3.4.2.3 Ensure nftables base chains exist - nftables 3.4.2.4 Ensure host based firewall loopback traffic is configured - firewall misconfigured 3.4.2.4 Ensure host based firewall loopback traffic is configured - firewalld 3.4.2.4 Ensure host based firewall loopback traffic is configured - nftables 3.4.2.5 Ensure firewalld drops unnecessary services and ports - firewall misconfigured 3.4.2.5 Ensure firewalld drops unnecessary services and ports - firewalld 3.4.2.5 Ensure firewalld drops unnecessary services and ports - nftables 3.4.2.6 Ensure nftables established connections are configured - firewall misconfigured 3.4.2.6 Ensure nftables established connections are configured - firewalld 3.4.2.6 Ensure nftables established connections are configured - nftables 3.4.2.7 Ensure nftables default deny firewall policy - firewall misconfigured 3.4.2.7 Ensure nftables default deny firewall policy - firewalld 3.4.2.7 Ensure nftables default deny firewall policy - nftables 5.2.10 Ensure SSH PermitUserEnvironment is disabled - sshd output 5.2.10 Ensure SSH PermitUserEnvironment is disabled - sshd_config 5.2.11 Ensure SSH IgnoreRhosts is enabled - sshd output 5.2.11 Ensure SSH IgnoreRhosts is enabled - sshd_config 5.2.16 Ensure SSH MaxAuthTries is set to 4 or less - sshd output 5.2.16 Ensure SSH MaxAuthTries is set to 4 or less - sshd_config 5.2.17 Ensure SSH MaxStartups is configured - sshd output 5.2.17 Ensure SSH MaxStartups is configured - sshd_config 5.2.18 Ensure SSH MaxSessions is set to 10 or less - sshd output 5.2.18 Ensure SSH MaxSessions is set to 10 or less - sshd_config 5.2.19 Ensure SSH LoginGraceTime is set to one minute or less - sshd output 5.2.19 Ensure SSH LoginGraceTime is set to one minute or less - sshd_config 5.2.20 Ensure SSH Idle Timeout Interval is configured - ClientAliveCountMax sshd output 5.2.20 Ensure SSH Idle Timeout Interval is configured - ClientAliveCountMax sshd_config 5.2.20 Ensure SSH Idle Timeout Interval is configured - ClientAliveInterval sshd output 5.2.20 Ensure SSH Idle Timeout Interval is configured - ClientAliveInterval sshd_config 5.2.4 Ensure SSH access is limited - sshd output 5.2.4 Ensure SSH access is limited - sshd_config 5.2.5 Ensure SSH LogLevel is appropriate - sshd output 5.2.5 Ensure SSH LogLevel is appropriate - sshd_config 5.2.6 Ensure SSH PAM is enabled - sshd output 5.2.6 Ensure SSH PAM is enabled - sshd_config 5.2.7 Ensure SSH root login is disabled - sshd output 5.2.7 Ensure SSH root login is disabled - sshd_config 5.2.8 Ensure SSH HostbasedAuthentication is disabled - sshd output 5.2.8 Ensure SSH HostbasedAuthentication is disabled - sshd_config 5.2.9 Ensure SSH PermitEmptyPasswords is disabled - sshd output 5.2.9 Ensure SSH PermitEmptyPasswords is disabled - sshd_config 5.4.2 Ensure authselect includes with-faillock - password-auth account required 5.4.2 Ensure authselect includes with-faillock - password-auth auth required 5.4.2 Ensure authselect includes with-faillock - system-auth account required 5.4.2 Ensure authselect includes with-faillock - system-auth auth required 5.5.1 Ensure password creation requirements are configured - minlen 5.5.1 Ensure password creation requirements are configured - password complexity 5.5.1 Ensure password creation requirements are configured - retry /etc/pam.d/password-auth 5.5.1 Ensure password creation requirements are configured - retry /etc/pam.d/system-auth 5.5.1 Ensure password creation requirements are configured - try_first_pass /etc/pam.d/password-auth 5.5.1 Ensure password creation requirements are configured - try_first_pass /etc/pam.d/system-auth 5.5.2 Ensure lockout for failed password attempts is configured - deny 5.5.2 Ensure lockout for failed password attempts is configured - unlock_time 5.5.4 Ensure password hashing algorithm is SHA-512 or yescrypt - /etc/libuser.conf 5.5.4 Ensure password hashing algorithm is SHA-512 or yescrypt - /etc/login.defs 5.5.4 Ensure password hashing algorithm is SHA-512 or yescrypt - /etc/pam.d/password-auth 5.5.4 Ensure password hashing algorithm is SHA-512 or yescrypt - /etc/pam.d/system-auth 5.6.1.1 Ensure password expiration is 365 days or less - login.defs 5.6.1.1 Ensure password expiration is 365 days or less - users 5.6.1.2 Ensure minimum days between password changes is configured - login.defs 5.6.1.2 Ensure minimum days between password changes is configured - users 5.6.1.3 Ensure password expiration warning days is 7 or more - login.defs 5.6.1.3 Ensure password expiration warning days is 7 or more - users 5.6.1.4 Ensure inactive password lock is 30 days or less - useradd 5.6.1.4 Ensure inactive password lock is 30 days or less - users 5.6.2 Ensure system accounts are secured - lock not root 5.6.2 Ensure system accounts are secured - non login 5.6.5 Ensure default user umask is 027 or more restrictive - default user umask 5.6.5 Ensure default user umask is 027 or more restrictive - less restrictive system wide umask
Revision 1.27 Apr 22, 2024 Functional Update 4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host
Revision 1.26 Mar 18, 2024 Functional Update 3.1.2 Ensure wireless interfaces are disabled 5.2.2 Ensure permissions on SSH private host key files are configured 5.2.3 Ensure permissions on SSH public host key files are configured Added 4.2.3 Ensure all logfiles have appropriate permissions and ownership Removed 4.2.3 Ensure all logfiles have appropriate access configured
Revision 1.25 Feb 14, 2024 Added 3.4.1.1 Ensure nftables is installed - firewall misconfigured 3.4.1.1 Ensure nftables is installed - firewalld 3.4.1.1 Ensure nftables is installed - nftables 3.4.1.2 Ensure a single firewall configuration utility is in use - firewall misconfigured 3.4.1.2 Ensure a single firewall configuration utility is in use - firewalld 3.4.1.2 Ensure a single firewall configuration utility is in use - nftables 3.4.2.1 Ensure firewalld default zone is set - firewall misconfigured 3.4.2.1 Ensure firewalld default zone is set - firewalld 3.4.2.1 Ensure firewalld default zone is set - nftables 3.4.2.2 Ensure at least one nftables table exists - firewall misconfigured 3.4.2.2 Ensure at least one nftables table exists - firewalld 3.4.2.2 Ensure at least one nftables table exists - nftables 3.4.2.3 Ensure nftables base chains exist - firewall misconfigured 3.4.2.3 Ensure nftables base chains exist - firewalld 3.4.2.3 Ensure nftables base chains exist - nftables 3.4.2.4 Ensure host based firewall loopback traffic is configured - firewall misconfigured 3.4.2.4 Ensure host based firewall loopback traffic is configured - firewalld 3.4.2.4 Ensure host based firewall loopback traffic is configured - nftables 3.4.2.5 Ensure firewalld drops unnecessary services and ports - firewall misconfigured 3.4.2.5 Ensure firewalld drops unnecessary services and ports - firewalld 3.4.2.5 Ensure firewalld drops unnecessary services and ports - nftables 3.4.2.6 Ensure nftables established connections are configured - firewall misconfigured 3.4.2.6 Ensure nftables established connections are configured - firewalld 3.4.2.6 Ensure nftables established connections are configured - nftables 3.4.2.7 Ensure nftables default deny firewall policy - firewall misconfigured 3.4.2.7 Ensure nftables default deny firewall policy - firewalld 3.4.2.7 Ensure nftables default deny firewall policy - nftables Removed 3.4.1.1 Ensure nftables is installed 3.4.1.2 Ensure a single firewall configuration utility is in use 3.4.2.1 Ensure firewalld default zone is set 3.4.2.2 Ensure at least one nftables table exists 3.4.2.3 Ensure nftables base chains exist - hook forward 3.4.2.3 Ensure nftables base chains exist - hook input 3.4.2.3 Ensure nftables base chains exist - hook output 3.4.2.4 Ensure host based firewall loopback traffic is configured 3.4.2.5 Ensure firewalld drops unnecessary services and ports 3.4.2.6 Ensure nftables established connections are configured 3.4.2.7 Ensure nftables default deny firewall policy - hook forward 3.4.2.7 Ensure nftables default deny firewall policy - hook input
Revision 1.24 Feb 5, 2024 Functional Update 5.2.20 Ensure SSH Idle Timeout Interval is configured - ClientAliveCountMax sshd output
Revision 1.23 Jan 22, 2024 Functional Update 5.2.20 Ensure SSH Idle Timeout Interval is configured - ClientAliveCountMax sshd output Miscellaneous Metadata updated.
Revision 1.22 Dec 27, 2023 Functional Update 3.4.2.5 Ensure firewalld drops unnecessary services and ports 4.2.2.1.1 Ensure systemd-journal-remote is installed 4.2.2.1.2 Ensure systemd-journal-remote is configured 4.2.2.1.3 Ensure systemd-journal-remote is enabled 4.2.2.1.4 Ensure journald is not configured to receive logs from a remote client 4.2.2.2 Ensure journald service is enabled 4.2.2.3 Ensure journald is configured to compress large log files 4.2.2.4 Ensure journald is configured to write logfiles to persistent disk 4.2.2.5 Ensure journald is not configured to send logs to rsyslog 4.2.2.6 Ensure journald log rotation is configured per site policy 4.2.2.7 Ensure journald default file permissions configured 5.3.2 Ensure sudo commands use pty 5.5.2 Ensure lockout for failed password attempts is configured - unlock_time
Revision 1.21 Dec 8, 2023 Functional Update 4.2.1.1 Ensure rsyslog is installed 4.2.1.2 Ensure rsyslog service is enabled 4.2.1.3 Ensure journald is configured to send logs to rsyslog 4.2.1.4 Ensure rsyslog default file permissions are configured 4.2.1.5 Ensure logging is configured 4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host 4.2.1.7 Ensure rsyslog is not configured to receive logs from a remote client 4.2.2.1.1 Ensure systemd-journal-remote is installed 4.2.2.1.2 Ensure systemd-journal-remote is configured 4.2.2.1.3 Ensure systemd-journal-remote is enabled 4.2.2.1.4 Ensure journald is not configured to receive logs from a remote client 4.2.2.2 Ensure journald service is enabled 4.2.2.3 Ensure journald is configured to compress large log files 4.2.2.4 Ensure journald is configured to write logfiles to persistent disk 4.2.2.5 Ensure journald is not configured to send logs to rsyslog 4.2.2.6 Ensure journald log rotation is configured per site policy 4.2.2.7 Ensure journald default file permissions configured

Detections

Analytics

CIS AlmaLinux OS 9 Server L1 v1.0.0

Audit Details

File Details

Audit Changelog

Revision 1.30

Functional Update

Revision 1.29

Miscellaneous

Revision 1.28

Functional Update

Informational Update

Miscellaneous

Added

Removed

Revision 1.27

Functional Update

Revision 1.26

Functional Update

Added

Removed

Revision 1.25

Added

Removed

Revision 1.24

Functional Update

Revision 1.23

Functional Update

Miscellaneous

Revision 1.22

Functional Update

Revision 1.21

Functional Update

Detections

Analytics

CIS AlmaLinux OS 9 Server L1 v1.0.0 Download File

Audit Details

File Details

Audit Changelog

Functional Update

Miscellaneous

Functional Update

Informational Update

Miscellaneous

Added

Removed

Functional Update

Functional Update

Added

Removed

Added

Removed

Functional Update

Functional Update

Miscellaneous

Functional Update

Functional Update

CIS AlmaLinux OS 9 Server L1 v1.0.0