Detections
Analytics

Revision 1.1

Aug 24, 2021
Functional Update
  • 1.10 Ensure system-wide crypto policy is not legacy
  • 1.3.2 Ensure sudo commands use pty
  • 1.3.3 Ensure sudo log file exists
  • 1.6.1 Ensure core dumps are restricted - /etc/security/limits.d/*
  • 1.6.1 Ensure core dumps are restricted - /etc/sysctl.d/*
  • 3.1.1 Ensure IP forwarding is disabled - sysctl.conf ipv4
  • 3.1.1 Ensure IP forwarding is disabled - sysctl.conf ipv6
  • 3.1.2 Ensure packet redirect sending is disabled - 'net.ipv4.conf.all.send_redirects = 0'
  • 3.1.2 Ensure packet redirect sending is disabled - 'net.ipv4.conf.default.send_redirects = 0'
  • 3.2.1 Ensure source routed packets are not accepted - 'net.ipv4.conf.all.accept_source_route = 0'
  • 3.2.1 Ensure source routed packets are not accepted - 'net.ipv4.conf.default.accept_source_route = 0'
  • 3.2.1 Ensure source routed packets are not accepted - 'net.ipv6.conf.all.accept_source_route = 0'
  • 3.2.1 Ensure source routed packets are not accepted - 'net.ipv6.conf.default.accept_source_route = 0'
  • 3.2.2 Ensure ICMP redirects are not accepted - 'net.ipv4.conf.all.accept_redirects = 0'
  • 3.2.2 Ensure ICMP redirects are not accepted - 'net.ipv4.conf.default.accept_redirects = 0'
  • 3.2.2 Ensure ICMP redirects are not accepted - 'net.ipv6.conf.all.accept_redirects = 0'
  • 3.2.2 Ensure ICMP redirects are not accepted - 'net.ipv6.conf.default.accept_redirects = 0'
  • 3.2.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.all.secure_redirects = 0'
  • 3.2.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.default.secure_redirects = 0'
  • 3.2.4 Ensure suspicious packets are logged - 'net.ipv4.conf.all.log_martians = 1'
  • 3.2.4 Ensure suspicious packets are logged - 'net.ipv4.conf.default.log_martians = 1'
  • 3.2.5 Ensure broadcast ICMP requests are ignored - 'net.ipv4.icmp_echo_ignore_broadcasts = 0'
  • 3.2.6 Ensure bogus ICMP responses are ignored - 'net.ipv4.icmp_ignore_bogus_error_responses = 0'
  • 3.2.7 Ensure Reverse Path Filtering is enabled - net.ipv4.conf.all.rp_filter = 0
  • 3.2.7 Ensure Reverse Path Filtering is enabled - net.ipv4.conf.default.rp_filter = 1
  • 3.2.8 Ensure TCP SYN Cookies is enabled - net.ipv4.tcp_syncookies = 1
  • 3.2.9 Ensure IPv6 router advertisements are not accepted - net.ipv6.conf.all.accept_ra = 0
  • 3.2.9 Ensure IPv6 router advertisements are not accepted - net.ipv6.conf.default.accept_ra = 0
  • 3.4.2.2 Ensure iptables service is not enabled with firewalld - inactive
  • 3.4.4.1.5 Ensure iptables is enabled and active - enabled
  • 3.4.4.1.6 Ensure iptables is enabled and active - enabled
  • 3.4.4.2.5 Ensure ip6tables is enabled and active - enabled
  • 5.4.1 Ensure password creation requirements are configured - password complexity
  • 5.4.2 Ensure lockout for failed password attempts is configured
Miscellaneous
  • References updated.
Added
  • 3.4.3.4 Ensure nftables loopback traffic is configured - 'ip saddr'