Jun 17, 2024 |
May 15, 2024 Miscellaneous- Audit deprecated.
- Metadata updated.
- References updated.
|
Apr 22, 2024 Functional Update- 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host
|
Apr 1, 2024 |
Mar 18, 2024 Functional Update- 3.1.1 Ensure system is checked to determine if IPv6 is enabled
- 5.2.2 Ensure permissions on SSH private host key files are configured
Added- 4.2.3 Ensure all logfiles have appropriate permissions and ownership
Removed- 4.2.3 Ensure all logfiles have appropriate access configured
|
Feb 8, 2024 Functional Update- 2.4 Ensure nonessential services are removed or masked
- 3.1.1 Ensure system is checked to determine if IPv6 is enabled
- 3.5.2.10 Ensure nftables rules are permanent - hook forward
- 3.5.2.10 Ensure nftables rules are permanent - hook input
- 3.5.2.10 Ensure nftables rules are permanent - hook output
- 3.5.2.3 Ensure iptables are flushed with nftables
- 3.5.2.7 Ensure nftables outbound and established connections are configured
- 3.5.3.2.2 Ensure iptables loopback traffic is configured
- 3.5.3.2.3 Ensure iptables outbound and established connections are configured
- 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports
- 3.5.3.3.2 Ensure ip6tables loopback traffic is configured
- 3.5.3.3.3 Ensure ip6tables outbound and established connections are configured
- 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports
- 4.2.1.6 Ensure journald log rotation is configured per site policy
|
Feb 1, 2024 Functional Update- 1.1.10 Disable USB Storage - blacklist
- 1.1.10 Disable USB Storage - lsmod
- 1.1.3.2 Ensure nodev option set on /var partition
- 1.1.3.3 Ensure nosuid option set on /var partition
- 1.1.4.2 Ensure noexec option set on /var/tmp partition
- 1.1.4.3 Ensure nosuid option set on /var/tmp partition
- 1.1.4.4 Ensure nodev option set on /var/tmp partition
- 1.1.5.2 Ensure nodev option set on /var/log partition
- 1.1.5.3 Ensure noexec option set on /var/log partition
- 1.1.5.4 Ensure nosuid option set on /var/log partition
- 1.1.6.2 Ensure noexec option set on /var/log/audit partition
- 1.1.6.3 Ensure nodev option set on /var/log/audit partition
- 1.1.6.4 Ensure nosuid option set on /var/log/audit partition
- 1.1.7.2 Ensure nodev option set on /home partition
- 1.1.7.3 Ensure nosuid option set on /home partition
- 1.1.8.1 Ensure nodev option set on /dev/shm partition
- 1.1.8.2 Ensure noexec option set on /dev/shm partition
- 1.1.8.3 Ensure nosuid option set on /dev/shm partition
- 1.1.9 Disable Automounting
- 1.5.1 Ensure address space layout randomization (ASLR) is enabled - config
- 1.5.3 Ensure Automatic Error Reporting is not enabled
- 1.5.4 Ensure core dumps are restricted - limits config
- 1.5.4 Ensure core dumps are restricted - sysctl config
- 1.8.4 Ensure GDM screen locks when the user is idle - idle-delay
- 1.8.4 Ensure GDM screen locks when the user is idle - lock-delay
- 1.8.5 Ensure GDM screen locks cannot be overridden - idle-delay
- 1.8.5 Ensure GDM screen locks cannot be overridden - lock-delay
- 1.9 Ensure updates, patches, and additional security software are installed
- 2.1.2.2 Ensure chrony is running as user _chrony
- 2.1.4.3 Ensure ntp is running as user ntp - user
- 2.2.1 Ensure X Window System is not installed
- 2.2.15 Ensure mail transfer agent is configured for local-only mode
- 3.1.1 Ensure system is checked to determine if IPv6 is enabled
- 3.1.2 Ensure wireless interfaces are disabled
- 3.3.1 Ensure source routed packets are not accepted - net.ipv4.conf.all.accept_source_route (sysctl.conf/sysctl.d)
- 3.3.1 Ensure source routed packets are not accepted - net.ipv4.conf.default.accept_source_route (sysctl.conf/sysctl.d)
- 3.3.1 Ensure source routed packets are not accepted - net.ipv6.conf.all.accept_source_route (sysctl.conf/sysctl.d)
- 3.3.1 Ensure source routed packets are not accepted - net.ipv6.conf.default.accept_source_route (sysctl.conf/sysctl.d)
- 3.3.2 Ensure ICMP redirects are not accepted - net.ipv4.conf.all.accept_redirects (sysctl.conf/sysctl.d)
- 3.3.2 Ensure ICMP redirects are not accepted - net.ipv4.conf.default.accept_redirects (sysctl.conf/sysctl.d)
- 3.3.2 Ensure ICMP redirects are not accepted - net.ipv6.conf.all.accept_redirects (sysctl.conf/sysctl.d)
- 3.3.2 Ensure ICMP redirects are not accepted - net.ipv6.conf.default.accept_redirects (sysctl.conf/sysctl.d)
- 3.3.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.all.secure_redirects' (sysctl.conf/sysctl.d)
- 3.3.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.default.secure_redirects' (sysctl.conf/sysctl.d)
- 3.3.4 Ensure suspicious packets are logged - 'net.ipv4.conf.all.log_martians' (sysctl.conf/sysctl.d)
- 3.3.4 Ensure suspicious packets are logged - 'net.ipv4.conf.default.log_martians' (sysctl.conf/sysctl.d)
- 3.3.5 Ensure broadcast ICMP requests are ignored - sysctl.conf/sysctl.d
- 3.3.6 Ensure bogus ICMP responses are ignored - (sysctl.conf/sysctl.d)
- 3.3.7 Ensure Reverse Path Filtering is enabled - 'net.ipv4.conf.all.rp_filter' (sysctl.conf/sysctl.d)
- 3.3.7 Ensure Reverse Path Filtering is enabled - 'net.ipv4.conf.default.rp_filter' (sysctl.conf/sysctl.d)
- 3.3.8 Ensure TCP SYN Cookies is enabled - sysctl.conf/sysctl.d
- 3.3.9 Ensure IPv6 router advertisements are not accepted - 'net.ipv6.conf.all.accept_ra' (sysctl.conf/sysctl.d)
- 3.3.9 Ensure IPv6 router advertisements are not accepted - 'net.ipv6.conf.default.accept_ra' (sysctl.conf/sysctl.d)
- 3.5.2.10 Ensure nftables rules are permanent - hook forward
- 3.5.2.10 Ensure nftables rules are permanent - hook input
- 3.5.2.10 Ensure nftables rules are permanent - hook output
- 3.5.2.6 Ensure nftables loopback traffic is configured - lo
- 3.5.2.6 Ensure nftables loopback traffic is configured - v4
- 3.5.2.6 Ensure nftables loopback traffic is configured - v6
- 4.2.1.1.4 Ensure journald is not configured to receive logs from a remote client
- 4.2.2.1 Ensure rsyslog is installed
- 4.2.2.2 Ensure rsyslog service is enabled
- 4.2.2.3 Ensure journald is configured to send logs to rsyslog
- 4.2.2.4 Ensure rsyslog default file permissions are configured
- 4.2.2.5 Ensure logging is configured
- 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host
- 4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client
- 5.2.10 Ensure SSH PermitUserEnvironment is disabled
- 5.2.11 Ensure SSH IgnoreRhosts is enabled
- 5.2.13 Ensure only strong Ciphers are used
- 5.2.14 Ensure only strong MAC algorithms are used
- 5.2.15 Ensure only strong Key Exchange algorithms are used
- 5.2.17 Ensure SSH warning banner is configured
- 5.2.18 Ensure SSH MaxAuthTries is set to 4 or less
- 5.2.19 Ensure SSH MaxStartups is configured
- 5.2.20 Ensure SSH MaxSessions is set to 10 or less
- 5.2.21 Ensure SSH LoginGraceTime is set to one minute or less
- 5.2.22 Ensure SSH Idle Timeout Interval is configured
- 5.2.4 Ensure SSH access is limited
- 5.2.5 Ensure SSH LogLevel is appropriate
- 5.2.6 Ensure SSH PAM is enabled
- 5.2.7 Ensure SSH root login is disabled
- 5.2.8 Ensure SSH HostbasedAuthentication is disabled
- 5.2.9 Ensure SSH PermitEmptyPasswords is disabled
- 5.3.2 Ensure sudo commands use pty
- 5.3.3 Ensure sudo log file exists
- 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally
- 5.3.6 Ensure sudo authentication timeout is configured correctly
- 5.3.7 Ensure access to the su command is restricted
- 5.4.4 Ensure password hashing algorithm is up to date with the latest standards
- 5.5.1.1 Ensure minimum days between password changes is configured - users
- 5.5.1.5 Ensure all users last password change date is in the past
- 5.5.2 Ensure system accounts are secured
- 5.5.4 Ensure default user umask is 027 or more restrictive - Default user umask
- 5.5.4 Ensure default user umask is 027 or more restrictive - Restrictive system umask
- 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords
- 6.2.2 Ensure /etc/shadow password fields are not empty
- 6.2.4 Ensure shadow group is empty
- 6.2.9 Ensure root PATH Integrity
Informational Update- 1.1.10 Disable USB Storage - blacklist
- 1.1.10 Disable USB Storage - lsmod
- 1.1.10 Disable USB Storage - modprobe
- 2.1.2.2 Ensure chrony is running as user _chrony
- 2.1.4.3 Ensure ntp is running as user ntp
- 2.1.4.3 Ensure ntp is running as user ntp - RUNASUSER
- 2.1.4.3 Ensure ntp is running as user ntp - user
Added- 5.4.1 Ensure password creation requirements are configured
Removed- 5.4.1 Ensure password creation requirements are configured - 'dcredit'
- 5.4.1 Ensure password creation requirements are configured - 'lcredit'
- 5.4.1 Ensure password creation requirements are configured - 'minlen'
- 5.4.1 Ensure password creation requirements are configured - 'ocredit'
- 5.4.1 Ensure password creation requirements are configured - 'ucredit'
- 5.4.1 Ensure password creation requirements are configured - retry
|
Jan 22, 2024 Functional Update- 5.2.22 Ensure SSH Idle Timeout Interval is configured
|
Jan 3, 2024 Functional Update- 2.2.13 Ensure SNMP Server is not installed
|
Dec 27, 2023 Functional Update- 4.2.1.1.1 Ensure systemd-journal-remote is installed
- 4.2.1.1.2 Ensure systemd-journal-remote is configured
- 4.2.1.1.3 Ensure systemd-journal-remote is enabled
- 4.2.1.1.4 Ensure journald is not configured to receive logs from a remote client
- 4.2.1.2 Ensure journald service is enabled
- 4.2.1.3 Ensure journald is configured to compress large log files
- 4.2.1.4 Ensure journald is configured to write logfiles to persistent disk
- 4.2.1.5 Ensure journald is not configured to send logs to rsyslog
- 4.2.1.6 Ensure journald log rotation is configured per site policy
- 4.2.1.7 Ensure journald default file permissions configured
- 4.2.2.1 Ensure rsyslog is installed
- 4.2.2.2 Ensure rsyslog service is enabled
- 4.2.2.3 Ensure journald is configured to send logs to rsyslog
- 4.2.2.4 Ensure rsyslog default file permissions are configured
- 4.2.2.5 Ensure logging is configured
- 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host
- 4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client
|