Oct 3, 2023 Informational Update- 5.5.5 Ensure default user umask is 027 or more restrictive - default user umask
- 5.5.5 Ensure default user umask is 027 or more restrictive - less restrictive system wide umask
|
Jun 3, 2022 Functional Update- 6.2.7 Ensure users' home directories permissions are 750 or more restrictive
Added- 1.4.2 Ensure filesystem integrity is regularly checked - cron
- 1.4.2 Ensure filesystem integrity is regularly checked - systemctl is-enabled aidecheck.service
- 1.4.2 Ensure filesystem integrity is regularly checked - systemctl is-enabled aidecheck.timer
- 1.4.2 Ensure filesystem integrity is regularly checked - systemctl status aidecheck.timer
Removed- 1.4.2 Ensure filesystem integrity is regularly checked
|
Jun 1, 2022 Miscellaneous- Audit deprecated.
- Metadata updated.
- References updated.
|
May 11, 2022 Functional Update- 2.2.10 Ensure FTP Server is not enabled
- 2.2.11 Ensure DNS Server is not enabled
- 2.2.12 Ensure NFS is not enabled
- 2.2.13 Ensure RPC is not enabled
- 2.2.14 Ensure LDAP server is not enabled
- 2.2.15 Ensure DHCP Server is not enabled
- 2.2.17 Ensure NIS Server is not enabled
- 2.2.4 Ensure Avahi Server is not enabled - avahi-daemon.service
- 2.2.4 Ensure Avahi Server is not enabled - avahi-daemon.socket
- 2.2.6 Ensure HTTP Proxy Server is not enabled
- 2.2.7 Ensure Samba is not enabled
- 2.2.8 Ensure IMAP and POP3 server is not enabled
- 2.2.9 Ensure HTTP server is not enabled
|
Apr 25, 2022 |
Mar 29, 2022 Miscellaneous- Metadata updated.
- References updated.
|
Mar 18, 2022 Functional Update- 1.8.2 Ensure GDM login banner is configured - banner message enabled
- 1.8.2 Ensure GDM login banner is configured - banner message text
Miscellaneous- Metadata updated.
- References updated.
- Variables updated.
|
Aug 24, 2021 Functional Update- 1.10 Ensure system-wide crypto policy is not legacy
- 1.3.2 Ensure sudo commands use pty
- 1.3.3 Ensure sudo log file exists
- 1.6.1 Ensure core dumps are restricted - /etc/security/limits.d/*
- 1.6.1 Ensure core dumps are restricted - /etc/sysctl.d/*
- 3.1.1 Ensure IP forwarding is disabled - sysctl.conf ipv4
- 3.1.1 Ensure IP forwarding is disabled - sysctl.conf ipv6
- 3.1.2 Ensure packet redirect sending is disabled - 'net.ipv4.conf.all.send_redirects = 0'
- 3.1.2 Ensure packet redirect sending is disabled - 'net.ipv4.conf.default.send_redirects = 0'
- 3.2.1 Ensure source routed packets are not accepted - 'net.ipv4.conf.all.accept_source_route = 0'
- 3.2.1 Ensure source routed packets are not accepted - 'net.ipv4.conf.default.accept_source_route = 0'
- 3.2.1 Ensure source routed packets are not accepted - 'net.ipv6.conf.all.accept_source_route = 0'
- 3.2.1 Ensure source routed packets are not accepted - 'net.ipv6.conf.default.accept_source_route = 0'
- 3.2.2 Ensure ICMP redirects are not accepted - 'net.ipv4.conf.all.accept_redirects = 0'
- 3.2.2 Ensure ICMP redirects are not accepted - 'net.ipv4.conf.default.accept_redirects = 0'
- 3.2.2 Ensure ICMP redirects are not accepted - 'net.ipv6.conf.all.accept_redirects = 0'
- 3.2.2 Ensure ICMP redirects are not accepted - 'net.ipv6.conf.default.accept_redirects = 0'
- 3.2.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.all.secure_redirects = 0'
- 3.2.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.default.secure_redirects = 0'
- 3.2.4 Ensure suspicious packets are logged - 'net.ipv4.conf.all.log_martians = 1'
- 3.2.4 Ensure suspicious packets are logged - 'net.ipv4.conf.default.log_martians = 1'
- 3.2.5 Ensure broadcast ICMP requests are ignored - 'net.ipv4.icmp_echo_ignore_broadcasts = 0'
- 3.2.6 Ensure bogus ICMP responses are ignored - 'net.ipv4.icmp_ignore_bogus_error_responses = 0'
- 3.2.7 Ensure Reverse Path Filtering is enabled - net.ipv4.conf.all.rp_filter = 0
- 3.2.7 Ensure Reverse Path Filtering is enabled - net.ipv4.conf.default.rp_filter = 1
- 3.2.8 Ensure TCP SYN Cookies is enabled - net.ipv4.tcp_syncookies = 1
- 3.2.9 Ensure IPv6 router advertisements are not accepted - net.ipv6.conf.all.accept_ra = 0
- 3.2.9 Ensure IPv6 router advertisements are not accepted - net.ipv6.conf.default.accept_ra = 0
- 3.4.3.7 Ensure nftables service is enabled
- 4.2.1.1 Ensure rsyslog is installed
- 5.3.2 Select authselect profile
- 5.4.1 Ensure password creation requirements are configured - password complexity
- 5.4.2 Ensure lockout for failed password attempts is configured
- 5.5.1.2 Ensure minimum days between password changes is 7 or more - login.defs
Added- 5.2.5 Ensure SSH LogLevel is appropriate - sshd output
Removed- 5.2.5 Ensure SSH LogLevel is appropriate
|
