Detections
Analytics

CIS Fedora 28 Family Linux Server L1 v2.0.0

Audit Details

Name: CIS Fedora 28 Family Linux Server L1 v2.0.0

Updated: 7/9/2024

Authority: CIS

Plugin: Unix

Revision: 1.27

Estimated Item Count: 229

File Details

Filename: CIS_Fedora_28_Family_Linux_Server_L1_v2.0.0.audit

Size: 812 kB

MD5: 40bf89cf526c0a1e38948c756f312720
SHA256: 66d1c88f4065f487c90556de5e7b7e4cd623c3ceb07e628250e10441a818290c

Audit Changelog

Ā 
Revision 1.27

Jul 9, 2024

Functional Update
  • 5.1.9 Ensure at is restricted to authorized users
Revision 1.26

Jun 17, 2024

Miscellaneous
  • Metadata updated.
Revision 1.25

Jun 6, 2024

Functional Update
  • 1.1.2.2 Ensure nodev option set on /tmp partition
  • 1.1.2.3 Ensure noexec option set on /tmp partition
  • 1.1.2.4 Ensure nosuid option set on /tmp partition
  • 1.1.3.2 Ensure nodev option set on /var partition
  • 1.1.3.3 Ensure noexec option set on /var partition
  • 1.1.3.4 Ensure nosuid option set on /var partition
  • 1.1.4.2 Ensure noexec option set on /var/tmp partition
  • 1.1.4.3 Ensure nosuid option set on /var/tmp partition
  • 1.1.4.4 Ensure nodev option set on /var/tmp partition
  • 1.1.5.2 Ensure nodev option set on /var/log partition
  • 1.1.5.3 Ensure noexec option set on /var/log partition
  • 1.1.5.4 Ensure nosuid option set on /var/log partition
  • 1.1.6.2 Ensure noexec option set on /var/log/audit partition
  • 1.1.6.3 Ensure nodev option set on /var/log/audit partition
  • 1.1.6.4 Ensure nosuid option set on /var/log/audit partition
  • 1.1.7.2 Ensure nodev option set on /home partition
  • 1.1.7.3 Ensure nosuid option set on /home partition
  • 1.1.7.4 Ensure usrquota option set on /home partition
  • 1.1.7.5 Ensure grpquota option set on /home partition
  • 1.1.8.1 Ensure nodev option set on /dev/shm partition
  • 1.1.8.2 Ensure noexec option set on /dev/shm partition
  • 1.1.8.3 Ensure nosuid option set on /dev/shm partition
  • 1.1.9 Disable Automounting
  • 1.10 Ensure system-wide crypto policy is not legacy
  • 1.2.3 Ensure package manager repositories are configured
  • 1.3.1 Ensure AIDE is installed
  • 1.4.1 Ensure bootloader password is set
  • 1.4.2 Ensure permissions on bootloader config are configured
  • 1.5.1 Ensure core dump storage is disabled
  • 1.5.2 Ensure core dump backtraces are disabled
  • 1.6.1.1 Ensure SELinux is installed
  • 1.6.1.2 Ensure SELinux is not disabled in bootloader configuration
  • 1.6.1.6 Ensure no unconfined services exist
  • 1.6.1.7 Ensure SETroubleshoot is not installed
  • 1.6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed
  • 1.7.1 Ensure message of the day is configured properly
  • 1.7.2 Ensure local login warning banner is configured properly
  • 1.7.3 Ensure remote login warning banner is configured properly
  • 1.7.4 Ensure permissions on /etc/motd are configured
  • 1.7.5 Ensure permissions on /etc/issue are configured
  • 1.7.6 Ensure permissions on /etc/issue.net are configured
  • 1.8.4 Ensure XDMCP is not enabled
  • 1.8.5 Ensure automatic mounting of removable media is disabled
  • 1.9 Ensure updates, patches, and additional security software are installed
  • 2.1.1 Ensure time synchronization is in use
  • 2.2.1 Ensure xinetd is not installed
  • 2.2.12 Ensure Samba is not installed
  • 2.2.13 Ensure HTTP Proxy Server is not installed
  • 2.2.14 Ensure net-snmp is not installed
  • 2.2.15 Ensure NIS server is not installed
  • 2.2.16 Ensure telnet-server is not installed
  • 2.2.17 Ensure mail transfer agent is configured for local-only mode
  • 2.2.2 Ensure xorg-x11-server-common is not installed
  • 2.2.20 Ensure rsync is not installed or the rsyncd service is masked
  • 2.2.4 Ensure CUPS is not installed
  • 2.2.5 Ensure DHCP Server is not installed
  • 2.2.6 Ensure DNS Server is not installed
  • 2.2.7 Ensure FTP Server is not installed
  • 2.2.8 Ensure VSFTP Server is not installed
  • 2.2.9 Ensure TFTP Server is not installed
  • 2.3.1 Ensure NIS Client is not installed
  • 2.3.2 Ensure rsh client is not installed
  • 2.3.3 Ensure talk client is not installed
  • 2.3.4 Ensure telnet client is not installed
  • 2.3.5 Ensure LDAP client is not installed
  • 2.3.6 Ensure TFTP client is not installed
  • 2.4 Ensure nonessential services are removed or masked
  • 3.1.1 Verify if IPv6 is enabled on the system
  • 3.1.4 Ensure wireless interfaces are disabled
  • 3.2.1 Ensure IP forwarding is disabled
  • 3.3.5 Ensure broadcast ICMP requests are ignored
  • 3.3.6 Ensure bogus ICMP responses are ignored
  • 3.3.8 Ensure TCP SYN Cookies is enabled
  • 3.4.1.2 Ensure iptables-services not installed with firewalld
  • 3.4.1.5 Ensure firewalld default zone is set
  • 3.4.1.6 Ensure network interfaces are assigned to appropriate zone
  • 3.4.1.7 Ensure firewalld drops unnecessary services and ports
  • 3.4.2.1 Ensure nftables is installed
  • 3.4.2.10 Ensure nftables service is enabled
  • 3.4.2.3 Ensure iptables-services not installed with nftables
  • 3.4.2.5 Ensure an nftables table exists
  • 3.4.3.1.1 Ensure iptables packages are installed
  • 3.4.3.1.2 Ensure nftables is not installed with iptables
  • 3.4.3.2.2 Ensure iptables outbound and established connections are configured
  • 3.4.3.2.3 Ensure iptables rules exist for all open ports
  • 3.4.3.2.5 Ensure iptables rules are saved
  • 3.4.3.3.2 Ensure ip6tables outbound and established connections are configured
  • 3.4.3.3.3 Ensure ip6tables firewall rules exist for all open ports
  • 3.4.3.3.5 Ensure ip6tables rules are saved
  • 4.2.1.1 Ensure rsyslog is installed
  • 4.2.1.2 Ensure rsyslog service is enabled
  • 4.2.1.3 Ensure journald is configured to send logs to rsyslog
  • 4.2.1.4 Ensure rsyslog default file permissions are configured
  • 4.2.1.5 Ensure logging is configured
  • 4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host
  • 4.2.1.7 Ensure rsyslog is not configured to receive logs from a remote client
  • 4.2.2.1.1 Ensure systemd-journal-remote is installed
  • 4.2.2.1.3 Ensure systemd-journal-remote is enabled
  • 4.2.2.1.4 Ensure journald is not configured to receive logs from a remote client
  • 4.2.2.2 Ensure journald service is enabled
  • 4.2.2.3 Ensure journald is configured to compress large log files
  • 4.2.2.4 Ensure journald is configured to write logfiles to persistent disk
  • 4.2.2.5 Ensure journald is not configured to send logs to rsyslog
  • 4.2.2.6 Ensure journald log rotation is configured per site policy
  • 4.2.2.7 Ensure journald default file permissions configured
  • 4.2.3 Ensure permissions on all logfiles are configured
  • 5.1.1 Ensure cron daemon is enabled
  • 5.1.2 Ensure permissions on /etc/crontab are configured
  • 5.1.3 Ensure permissions on /etc/cron.hourly are configured
  • 5.1.8 Ensure cron is restricted to authorized users
  • 5.1.9 Ensure at is restricted to authorized users
  • 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
  • 5.2.14 Ensure system-wide crypto policy is not over-ridden
  • 5.2.15 Ensure SSH warning banner is configured
  • 5.2.2 Ensure permissions on SSH private host key files are configured
  • 5.2.3 Ensure permissions on SSH public host key files are configured
  • 5.3.1 Ensure sudo is installed
  • 5.3.2 Ensure sudo commands use pty
  • 5.3.3 Ensure sudo log file exists
  • 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally
  • 5.3.6 Ensure sudo authentication timeout is configured correctly
  • 5.3.7 Ensure access to the su command is restricted
  • 5.4.1 Ensure custom authselect profile is used
  • 5.5.3 Ensure password reuse is limited
  • 5.6.1.5 Ensure all users last password change date is in the past
  • 5.6.3 Ensure default user shell timeout is 900 seconds or less
  • 5.6.4 Ensure default group for the root account is GID 0
  • 6.1.10 Ensure permissions on /etc/gshadow- are configured
  • 6.1.11 Ensure no world writable files exist
  • 6.1.12 Ensure no unowned files or directories exist
  • 6.1.13 Ensure no ungrouped files or directories exist
  • 6.1.2 Ensure sticky bit is set on all world-writable directories
  • 6.1.3 Ensure permissions on /etc/passwd are configured
  • 6.1.4 Ensure permissions on /etc/shadow are configured
  • 6.1.5 Ensure permissions on /etc/group are configured
  • 6.1.6 Ensure permissions on /etc/gshadow are configured
  • 6.1.7 Ensure permissions on /etc/passwd- are configured
  • 6.1.8 Ensure permissions on /etc/shadow- are configured
  • 6.1.9 Ensure permissions on /etc/group- are configured
  • 6.2.1 Ensure password fields are not empty
  • 6.2.10 Ensure users own their home directories
  • 6.2.11 Ensure users' home directories permissions are 750 or more restrictive
  • 6.2.12 Ensure users' dot files are not group or world writable
  • 6.2.13 Ensure users' .netrc Files are not group or world accessible
  • 6.2.14 Ensure no users have .forward files
  • 6.2.15 Ensure no users have .netrc files
  • 6.2.16 Ensure no users have .rhosts files
  • 6.2.2 Ensure all groups in /etc/passwd exist in /etc/group
  • 6.2.3 Ensure no duplicate UIDs exist
  • 6.2.4 Ensure no duplicate GIDs exist
  • 6.2.5 Ensure no duplicate user names exist
  • 6.2.6 Ensure no duplicate group names exist
  • 6.2.7 Ensure root PATH Integrity
  • 6.2.8 Ensure root is the only UID 0 account
  • 6.2.9 Ensure all users' home directories exist
Informational Update
  • 1.1.2.2 Ensure nodev option set on /tmp partition
  • 1.1.2.3 Ensure noexec option set on /tmp partition
  • 1.1.2.4 Ensure nosuid option set on /tmp partition
  • 1.1.3.2 Ensure nodev option set on /var partition
  • 1.1.3.3 Ensure noexec option set on /var partition
  • 1.1.3.4 Ensure nosuid option set on /var partition
  • 1.1.4.2 Ensure noexec option set on /var/tmp partition
  • 1.1.4.3 Ensure nosuid option set on /var/tmp partition
  • 1.1.4.4 Ensure nodev option set on /var/tmp partition
  • 1.1.5.2 Ensure nodev option set on /var/log partition
  • 1.1.5.3 Ensure noexec option set on /var/log partition
  • 1.1.5.4 Ensure nosuid option set on /var/log partition
  • 1.1.6.2 Ensure noexec option set on /var/log/audit partition
  • 1.1.6.3 Ensure nodev option set on /var/log/audit partition
  • 1.1.6.4 Ensure nosuid option set on /var/log/audit partition
  • 1.1.7.2 Ensure nodev option set on /home partition
  • 1.1.7.3 Ensure nosuid option set on /home partition
  • 1.1.7.4 Ensure usrquota option set on /home partition
  • 1.1.7.5 Ensure grpquota option set on /home partition
  • 1.1.8.1 Ensure nodev option set on /dev/shm partition
  • 1.1.8.2 Ensure noexec option set on /dev/shm partition
  • 1.1.8.3 Ensure nosuid option set on /dev/shm partition
  • 1.1.9 Disable Automounting
  • 1.10 Ensure system-wide crypto policy is not legacy
  • 1.2.3 Ensure package manager repositories are configured
  • 1.3.1 Ensure AIDE is installed
  • 1.4.1 Ensure bootloader password is set
  • 1.4.2 Ensure permissions on bootloader config are configured
  • 1.5.1 Ensure core dump storage is disabled
  • 1.5.2 Ensure core dump backtraces are disabled
  • 1.6.1.1 Ensure SELinux is installed
  • 1.6.1.2 Ensure SELinux is not disabled in bootloader configuration
  • 1.6.1.6 Ensure no unconfined services exist
  • 1.6.1.7 Ensure SETroubleshoot is not installed
  • 1.6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed
  • 1.7.1 Ensure message of the day is configured properly
  • 1.7.2 Ensure local login warning banner is configured properly
  • 1.7.3 Ensure remote login warning banner is configured properly
  • 1.7.4 Ensure permissions on /etc/motd are configured
  • 1.7.5 Ensure permissions on /etc/issue are configured
  • 1.7.6 Ensure permissions on /etc/issue.net are configured
  • 1.8.4 Ensure XDMCP is not enabled
  • 1.8.5 Ensure automatic mounting of removable media is disabled
  • 1.9 Ensure updates, patches, and additional security software are installed
  • 2.1.1 Ensure time synchronization is in use
  • 2.2.1 Ensure xinetd is not installed
  • 2.2.12 Ensure Samba is not installed
  • 2.2.13 Ensure HTTP Proxy Server is not installed
  • 2.2.14 Ensure net-snmp is not installed
  • 2.2.15 Ensure NIS server is not installed
  • 2.2.16 Ensure telnet-server is not installed
  • 2.2.17 Ensure mail transfer agent is configured for local-only mode
  • 2.2.2 Ensure xorg-x11-server-common is not installed
  • 2.2.20 Ensure rsync is not installed or the rsyncd service is masked
  • 2.2.4 Ensure CUPS is not installed
  • 2.2.5 Ensure DHCP Server is not installed
  • 2.2.6 Ensure DNS Server is not installed
  • 2.2.7 Ensure FTP Server is not installed
  • 2.2.8 Ensure VSFTP Server is not installed
  • 2.2.9 Ensure TFTP Server is not installed
  • 2.3.1 Ensure NIS Client is not installed
  • 2.3.2 Ensure rsh client is not installed
  • 2.3.3 Ensure talk client is not installed
  • 2.3.4 Ensure telnet client is not installed
  • 2.3.5 Ensure LDAP client is not installed
  • 2.3.6 Ensure TFTP client is not installed
  • 2.4 Ensure nonessential services are removed or masked
  • 3.1.1 Verify if IPv6 is enabled on the system
  • 3.1.4 Ensure wireless interfaces are disabled
  • 3.2.1 Ensure IP forwarding is disabled
  • 3.3.5 Ensure broadcast ICMP requests are ignored
  • 3.3.6 Ensure bogus ICMP responses are ignored
  • 3.3.8 Ensure TCP SYN Cookies is enabled
  • 3.4.1.2 Ensure iptables-services not installed with firewalld
  • 3.4.1.5 Ensure firewalld default zone is set
  • 3.4.1.6 Ensure network interfaces are assigned to appropriate zone
  • 3.4.1.7 Ensure firewalld drops unnecessary services and ports
  • 3.4.2.1 Ensure nftables is installed
  • 3.4.2.10 Ensure nftables service is enabled
  • 3.4.2.3 Ensure iptables-services not installed with nftables
  • 3.4.2.5 Ensure an nftables table exists
  • 3.4.3.1.1 Ensure iptables packages are installed
  • 3.4.3.1.2 Ensure nftables is not installed with iptables
  • 3.4.3.2.2 Ensure iptables outbound and established connections are configured
  • 3.4.3.2.3 Ensure iptables rules exist for all open ports
  • 3.4.3.2.5 Ensure iptables rules are saved
  • 3.4.3.3.2 Ensure ip6tables outbound and established connections are configured
  • 3.4.3.3.3 Ensure ip6tables firewall rules exist for all open ports
  • 3.4.3.3.5 Ensure ip6tables rules are saved
  • 4.2.1.1 Ensure rsyslog is installed
  • 4.2.1.2 Ensure rsyslog service is enabled
  • 4.2.1.3 Ensure journald is configured to send logs to rsyslog
  • 4.2.1.4 Ensure rsyslog default file permissions are configured
  • 4.2.1.5 Ensure logging is configured
  • 4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host
  • 4.2.1.7 Ensure rsyslog is not configured to receive logs from a remote client
  • 4.2.2.1.1 Ensure systemd-journal-remote is installed
  • 4.2.2.1.3 Ensure systemd-journal-remote is enabled
  • 4.2.2.1.4 Ensure journald is not configured to receive logs from a remote client
  • 4.2.2.2 Ensure journald service is enabled
  • 4.2.2.3 Ensure journald is configured to compress large log files
  • 4.2.2.4 Ensure journald is configured to write logfiles to persistent disk
  • 4.2.2.5 Ensure journald is not configured to send logs to rsyslog
  • 4.2.2.6 Ensure journald log rotation is configured per site policy
  • 4.2.2.7 Ensure journald default file permissions configured
  • 4.2.3 Ensure permissions on all logfiles are configured
  • 4.3 Ensure logrotate is configured
  • 5.1.1 Ensure cron daemon is enabled
  • 5.1.2 Ensure permissions on /etc/crontab are configured
  • 5.1.3 Ensure permissions on /etc/cron.hourly are configured
  • 5.1.4 Ensure permissions on /etc/cron.daily are configured
  • 5.1.5 Ensure permissions on /etc/cron.weekly are configured
  • 5.1.6 Ensure permissions on /etc/cron.monthly are configured
  • 5.1.7 Ensure permissions on /etc/cron.d are configured
  • 5.1.8 Ensure cron is restricted to authorized users
  • 5.1.9 Ensure at is restricted to authorized users
  • 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
  • 5.2.14 Ensure system-wide crypto policy is not over-ridden
  • 5.2.15 Ensure SSH warning banner is configured
  • 5.2.2 Ensure permissions on SSH private host key files are configured
  • 5.2.3 Ensure permissions on SSH public host key files are configured
  • 5.3.1 Ensure sudo is installed
  • 5.3.2 Ensure sudo commands use pty
  • 5.3.3 Ensure sudo log file exists
  • 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally
  • 5.3.6 Ensure sudo authentication timeout is configured correctly
  • 5.3.7 Ensure access to the su command is restricted
  • 5.4.1 Ensure custom authselect profile is used
  • 5.5.3 Ensure password reuse is limited
  • 5.6.1.5 Ensure all users last password change date is in the past
  • 5.6.3 Ensure default user shell timeout is 900 seconds or less
  • 5.6.4 Ensure default group for the root account is GID 0
  • 6.1.10 Ensure permissions on /etc/gshadow- are configured
  • 6.1.11 Ensure no world writable files exist
  • 6.1.12 Ensure no unowned files or directories exist
  • 6.1.13 Ensure no ungrouped files or directories exist
  • 6.1.14 Audit SUID executables
  • 6.1.15 Audit SGID executables
  • 6.1.2 Ensure sticky bit is set on all world-writable directories
  • 6.1.3 Ensure permissions on /etc/passwd are configured
  • 6.1.4 Ensure permissions on /etc/shadow are configured
  • 6.1.5 Ensure permissions on /etc/group are configured
  • 6.1.6 Ensure permissions on /etc/gshadow are configured
  • 6.1.7 Ensure permissions on /etc/passwd- are configured
  • 6.1.8 Ensure permissions on /etc/shadow- are configured
  • 6.1.9 Ensure permissions on /etc/group- are configured
  • 6.2.1 Ensure password fields are not empty
  • 6.2.10 Ensure users own their home directories
  • 6.2.11 Ensure users' home directories permissions are 750 or more restrictive
  • 6.2.12 Ensure users' dot files are not group or world writable
  • 6.2.13 Ensure users' .netrc Files are not group or world accessible
  • 6.2.14 Ensure no users have .forward files
  • 6.2.15 Ensure no users have .netrc files
  • 6.2.16 Ensure no users have .rhosts files
  • 6.2.2 Ensure all groups in /etc/passwd exist in /etc/group
  • 6.2.3 Ensure no duplicate UIDs exist
  • 6.2.4 Ensure no duplicate GIDs exist
  • 6.2.5 Ensure no duplicate user names exist
  • 6.2.6 Ensure no duplicate group names exist
  • 6.2.7 Ensure root PATH Integrity
  • 6.2.8 Ensure root is the only UID 0 account
  • 6.2.9 Ensure all users' home directories exist
Miscellaneous
  • Metadata updated.
  • References updated.
  • Variables updated.
Added
  • 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
  • 1.1.10 Disable USB Storage
  • 1.1.2.1 Ensure /tmp is a separate partition
  • 1.2.1 Ensure GPG keys are configured
  • 1.2.2 Ensure gpgcheck is globally activated
  • 1.3.2 Ensure filesystem integrity is regularly checked
  • 1.4.3 Ensure authentication is required when booting into rescue mode
  • 1.5.3 Ensure address space layout randomization (ASLR) is enabled
  • 1.6.1.3 Ensure SELinux policy is configured
  • 1.6.1.4 Ensure the SELinux mode is not disabled
  • 1.8.2 Ensure GDM login banner is configured
  • 1.8.3 Ensure last logged in user display is disabled
  • 2.1.2 Ensure chrony is configured
  • 2.2.10 Ensure a web server is not installed
  • 2.2.11 Ensure IMAP and POP3 server is not installed
  • 2.2.18 Ensure nfs-utils is not installed or the nfs-server service is masked
  • 2.2.19 Ensure rpcbind is not installed or the rpcbind services are masked
  • 2.2.3 Ensure Avahi Server is not installed
  • 3.2.2 Ensure packet redirect sending is disabled
  • 3.3.1 Ensure source routed packets are not accepted
  • 3.3.2 Ensure ICMP redirects are not accepted
  • 3.3.3 Ensure secure ICMP redirects are not accepted
  • 3.3.4 Ensure suspicious packets are logged
  • 3.3.7 Ensure Reverse Path Filtering is enabled
  • 3.3.9 Ensure IPv6 router advertisements are not accepted
  • 3.4.1.1 Ensure firewalld is installed
  • 3.4.1.3 Ensure nftables either not installed or masked with firewalld
  • 3.4.1.4 Ensure firewalld service enabled and running
  • 3.4.2.11 Ensure nftables rules are permanent
  • 3.4.2.2 Ensure firewalld is either not installed or masked with nftables
  • 3.4.2.4 Ensure iptables are flushed with nftables
  • 3.4.2.6 Ensure nftables base chains exist
  • 3.4.2.7 Ensure nftables loopback traffic is configured
  • 3.4.2.8 Ensure nftables outbound and established connections are configured
  • 3.4.2.9 Ensure nftables default deny firewall policy
  • 3.4.3.1.3 Ensure firewalld is either not installed or masked with iptables
  • 3.4.3.2.1 Ensure iptables loopback traffic is configured
  • 3.4.3.2.4 Ensure iptables default deny firewall policy
  • 3.4.3.2.6 Ensure iptables is enabled and active
  • 3.4.3.3.1 Ensure ip6tables loopback traffic is configured
  • 3.4.3.3.4 Ensure ip6tables default deny firewall policy
  • 3.4.3.3.6 Ensure ip6tables is enabled and active
  • 4.2.2.1.2 Ensure systemd-journal-remote is configured
  • 5.2.10 Ensure SSH PermitUserEnvironment is disabled
  • 5.2.11 Ensure SSH IgnoreRhosts is enabled
  • 5.2.16 Ensure SSH MaxAuthTries is set to 4 or less
  • 5.2.17 Ensure SSH MaxStartups is configured
  • 5.2.18 Ensure SSH MaxSessions is set to 10 or less
  • 5.2.19 Ensure SSH LoginGraceTime is set to one minute or less
  • 5.2.20 Ensure SSH Idle Timeout Interval is configured
  • 5.2.4 Ensure SSH access is limited
  • 5.2.5 Ensure SSH LogLevel is appropriate
  • 5.2.6 Ensure SSH PAM is enabled
  • 5.2.7 Ensure SSH root login is disabled
  • 5.2.8 Ensure SSH HostbasedAuthentication is disabled
  • 5.2.9 Ensure SSH PermitEmptyPasswords is disabled
  • 5.4.2 Ensure authselect includes with-faillock
  • 5.5.1 Ensure password creation requirements are configured
  • 5.5.2 Ensure lockout for failed password attempts is configured
  • 5.5.4 Ensure password hashing algorithm is SHA-512
  • 5.6.1.1 Ensure password expiration is 365 days or less
  • 5.6.1.2 Ensure minimum days between password changes is 7 or more
  • 5.6.1.3 Ensure password expiration warning days is 7 or more
  • 5.6.1.4 Ensure inactive password lock is 30 days or less
  • 5.6.2 Ensure system accounts are secured
  • 5.6.5 Ensure default user umask is 027 or more restrictive
Removed
  • 1.1.1.1 Ensure mounting of cramfs filesystems is disabled - blacklist
  • 1.1.1.1 Ensure mounting of cramfs filesystems is disabled - lsmod
  • 1.1.1.1 Ensure mounting of cramfs filesystems is disabled - modprobe
  • 1.1.10 Disable USB Storage - lsmod
  • 1.1.10 Disable USB Storage - modprobe
  • 1.1.2.1 Ensure /tmp is a separate partition - config check
  • 1.1.2.1 Ensure /tmp is a separate partition - mount check
  • 1.2.1 Ensure GPG keys are configured - gpgkey
  • 1.2.1 Ensure GPG keys are configured - show rpm keys
  • 1.2.2 Ensure gpgcheck is globally activated - /etc/yum.repos.d/*
  • 1.2.2 Ensure gpgcheck is globally activated - dnf.conf
  • 1.3.2 Ensure filesystem integrity is regularly checked - cron
  • 1.3.2 Ensure filesystem integrity is regularly checked - systemctl is-enabled aidecheck.service
  • 1.3.2 Ensure filesystem integrity is regularly checked - systemctl is-enabled aidecheck.timer
  • 1.3.2 Ensure filesystem integrity is regularly checked - systemctl status aidecheck.timer
  • 1.4.3 Ensure authentication is required when booting into rescue mode - /etc/systemd/system/rescue.service.d
  • 1.4.3 Ensure authentication is required when booting into rescue mode - /usr/lib/systemd/system/rescue.service
  • 1.5.3 Ensure address space layout randomization (ASLR) is enabled - /etc/sysctl.d/*
  • 1.6.1.3 Ensure SELinux policy is configured - /etc/selinux/config
  • 1.6.1.3 Ensure SELinux policy is configured - sestatus
  • 1.6.1.4 Ensure the SELinux mode is not disabled - /etc/selinux/config
  • 1.6.1.4 Ensure the SELinux mode is not disabled - getenforce
  • 1.8.2 Ensure GDM login banner is configured - /etc/dconf/profile/gdm greeter-dconf-defaults
  • 1.8.2 Ensure GDM login banner is configured - /etc/dconf/profile/gdm system-db
  • 1.8.2 Ensure GDM login banner is configured - /etc/dconf/profile/gdm user-db
  • 1.8.2 Ensure GDM login banner is configured - banner message enabled
  • 1.8.2 Ensure GDM login banner is configured - banner message text
  • 1.8.3 Ensure last logged in user display is disabled - disable user list
  • 1.8.3 Ensure last logged in user display is disabled - file-db
  • 1.8.3 Ensure last logged in user display is disabled - system-db:gdm
  • 1.8.3 Ensure last logged in user display is disabled - user-db:user
  • 2.1.2 Ensure chrony is configured - ntp server
  • 2.1.2 Ensure chrony is configured - user
  • 2.2.10 Ensure a web server is not installed - httpd
  • 2.2.10 Ensure a web server is not installed - nginx
  • 2.2.11 Ensure IMAP and POP3 server is not installed - cyrus-imapd
  • 2.2.11 Ensure IMAP and POP3 server is not installed - dovecot
  • 2.2.18 Ensure nfs-utils is not installed or the nfs-server service is masked
  • 2.2.19 Ensure rpcbind is not installed or the rpcbind services are masked - rpcbind
  • 2.2.19 Ensure rpcbind is not installed or the rpcbind services are masked - rpcbind.socket
  • 2.2.3 Ensure Avahi Server is not installed - avahi
  • 2.2.3 Ensure Avahi Server is not installed - avahi-autoipd
  • 3.2.1 Ensure IP forwarding is disabled - ipv6
  • 3.2.2 Ensure packet redirect sending is disabled - net.ipv4.conf.all.send_redirects
  • 3.2.2 Ensure packet redirect sending is disabled - net.ipv4.conf.default.send_redirects
  • 3.3.1 Ensure source routed packets are not accepted - 'net.ipv4.conf.all.accept_source_route = 0'
  • 3.3.1 Ensure source routed packets are not accepted - 'net.ipv4.conf.default.accept_source_route = 0'
  • 3.3.1 Ensure source routed packets are not accepted - 'net.ipv6.conf.all.accept_source_route = 0'
  • 3.3.1 Ensure source routed packets are not accepted - 'net.ipv6.conf.default.accept_source_route = 0'
  • 3.3.2 Ensure ICMP redirects are not accepted - 'net.ipv4.conf.all.accept_redirects = 0'
  • 3.3.2 Ensure ICMP redirects are not accepted - 'net.ipv4.conf.default.accept_redirects = 0'
  • 3.3.2 Ensure ICMP redirects are not accepted - 'net.ipv6.conf.all.accept_redirects = 0'
  • 3.3.2 Ensure ICMP redirects are not accepted - 'net.ipv6.conf.default.accept_redirects = 0'
  • 3.3.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.all.secure_redirects = 0'
  • 3.3.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.default.secure_redirects = 0'
  • 3.3.3 Ensure secure ICMP redirects are not accepted - sysctl net.ipv4.conf.all.secure_redirects
  • 3.3.3 Ensure secure ICMP redirects are not accepted - sysctl net.ipv4.conf.default.secure_redirects
  • 3.3.4 Ensure suspicious packets are logged - 'net.ipv4.conf.all.log_martians = 1'
  • 3.3.4 Ensure suspicious packets are logged - 'net.ipv4.conf.default.log_martians = 1'
  • 3.3.7 Ensure Reverse Path Filtering is enabled - net.ipv4.conf.all.rp_filter = 1
  • 3.3.7 Ensure Reverse Path Filtering is enabled - net.ipv4.conf.default.rp_filter = 1
  • 3.3.9 Ensure IPv6 router advertisements are not accepted - net.ipv6.conf.all.accept_ra = 0
  • 3.3.9 Ensure IPv6 router advertisements are not accepted - net.ipv6.conf.default.accept_ra = 0
  • 3.4.1.1 Ensure firewalld is installed - firewalld
  • 3.4.1.1 Ensure firewalld is installed - iptables
  • 3.4.1.3 Ensure nftables either not installed or masked with firewalld - inactive
  • 3.4.1.3 Ensure nftables either not installed or masked with firewalld - installed
  • 3.4.1.3 Ensure nftables either not installed or masked with firewalld - masked
  • 3.4.1.4 Ensure firewalld service enabled and running - enabled
  • 3.4.1.4 Ensure firewalld service enabled and running - running
  • 3.4.2.11 Ensure nftables rules are permanent - forward
  • 3.4.2.11 Ensure nftables rules are permanent - input
  • 3.4.2.11 Ensure nftables rules are permanent - output
  • 3.4.2.2 Ensure firewalld is either not installed or masked with nftables - masked
  • 3.4.2.2 Ensure firewalld is either not installed or masked with nftables - stopped
  • 3.4.2.4 Ensure iptables are flushed with nftables - ip6tables
  • 3.4.2.4 Ensure iptables are flushed with nftables - iptables
  • 3.4.2.6 Ensure nftables base chains exist - hook forward
  • 3.4.2.6 Ensure nftables base chains exist - hook input
  • 3.4.2.6 Ensure nftables base chains exist - hook output
  • 3.4.2.7 Ensure nftables loopback traffic is configured - 'iif lo accept'
  • 3.4.2.7 Ensure nftables loopback traffic is configured - 'ip saddr'
  • 3.4.2.7 Ensure nftables loopback traffic is configured - 'ip sddr'
  • 3.4.2.7 Ensure nftables loopback traffic is configured - 'ip6 saddr'
  • 3.4.2.7 Ensure nftables loopback traffic is configured - 'ip6 sddr'
  • 3.4.2.8 Ensure nftables outbound and established connections are configured - input
  • 3.4.2.8 Ensure nftables outbound and established connections are configured - output
  • 3.4.2.9 Ensure nftables default deny firewall policy - hook forward
  • 3.4.2.9 Ensure nftables default deny firewall policy - hook input
  • 3.4.2.9 Ensure nftables default deny firewall policy - hook output
  • 3.4.3.1.3 Ensure firewalld is either not installed or masked with iptables - masked
  • 3.4.3.1.3 Ensure firewalld is either not installed or masked with iptables - stopped
  • 3.4.3.2.1 Ensure iptables loopback traffic is configured - INPUT
  • 3.4.3.2.1 Ensure iptables loopback traffic is configured - OUTPUT
  • 3.4.3.2.4 Ensure iptables default deny firewall policy - Chain FORWARD
  • 3.4.3.2.4 Ensure iptables default deny firewall policy - Chain INPUT
  • 3.4.3.2.4 Ensure iptables default deny firewall policy - Chain OUTPUT
  • 3.4.3.2.6 Ensure iptables is enabled and active - active
  • 3.4.3.2.6 Ensure iptables is enabled and active - enabled
  • 3.4.3.3.1 Ensure ip6tables loopback traffic is configured - INPUT
  • 3.4.3.3.1 Ensure ip6tables loopback traffic is configured - OUTPUT
  • 3.4.3.3.4 Ensure ip6tables default deny firewall policy - Chain FORWARD
  • 3.4.3.3.4 Ensure ip6tables default deny firewall policy - Chain INPUT
  • 3.4.3.3.4 Ensure ip6tables default deny firewall policy - Chain OUTPUT
  • 3.4.3.3.6 Ensure ip6tables is enabled and active - active
  • 3.4.3.3.6 Ensure ip6tables is enabled and active - enabled
  • 4.2.2.1.2 Ensure systemd-journal-remote is configured - Cert
  • 4.2.2.1.2 Ensure systemd-journal-remote is configured - Key
  • 4.2.2.1.2 Ensure systemd-journal-remote is configured - Trusted Cert
  • 4.2.2.1.2 Ensure systemd-journal-remote is configured - URL
  • 5.2.10 Ensure SSH PermitUserEnvironment is disabled - sshd output
  • 5.2.10 Ensure SSH PermitUserEnvironment is disabled - sshd_config
  • 5.2.11 Ensure SSH IgnoreRhosts is enabled - sshd output
  • 5.2.11 Ensure SSH IgnoreRhosts is enabled - sshd_config
  • 5.2.16 Ensure SSH MaxAuthTries is set to 4 or less - sshd output
  • 5.2.16 Ensure SSH MaxAuthTries is set to 4 or less - sshd_config
  • 5.2.17 Ensure SSH MaxStartups is configured - sshd output
  • 5.2.17 Ensure SSH MaxStartups is configured - sshd_config
  • 5.2.18 Ensure SSH MaxSessions is set to 10 or less - sshd output
  • 5.2.18 Ensure SSH MaxSessions is set to 10 or less - sshd_config
  • 5.2.19 Ensure SSH LoginGraceTime is set to one minute or less - sshd output
  • 5.2.19 Ensure SSH LoginGraceTime is set to one minute or less - sshd_config
  • 5.2.20 Ensure SSH Idle Timeout Interval is configured - ClientAliveCountMax sshd output
  • 5.2.20 Ensure SSH Idle Timeout Interval is configured - ClientAliveCountMax sshd_config
  • 5.2.20 Ensure SSH Idle Timeout Interval is configured - ClientAliveInterval sshd output
  • 5.2.20 Ensure SSH Idle Timeout Interval is configured - ClientAliveInterval sshd_config
  • 5.2.4 Ensure SSH access is limited - sshd output
  • 5.2.4 Ensure SSH access is limited - sshd_config
  • 5.2.5 Ensure SSH LogLevel is appropriate - sshd output
  • 5.2.5 Ensure SSH LogLevel is appropriate - sshd_config
  • 5.2.6 Ensure SSH PAM is enabled - sshd output
  • 5.2.6 Ensure SSH PAM is enabled - sshd_config
  • 5.2.7 Ensure SSH root login is disabled - sshd output
  • 5.2.7 Ensure SSH root login is disabled - sshd_config
  • 5.2.8 Ensure SSH HostbasedAuthentication is disabled - sshd output
  • 5.2.8 Ensure SSH HostbasedAuthentication is disabled - sshd_config
  • 5.2.9 Ensure SSH PermitEmptyPasswords is disabled - sshd output
  • 5.2.9 Ensure SSH PermitEmptyPasswords is disabled - sshd_config
  • 5.4.2 Ensure authselect includes with-faillock - password-auth account required
  • 5.4.2 Ensure authselect includes with-faillock - password-auth auth required
  • 5.4.2 Ensure authselect includes with-faillock - system-auth account required
  • 5.4.2 Ensure authselect includes with-faillock - system-auth auth required
  • 5.5.1 Ensure password creation requirements are configured - enforce-for-root
  • 5.5.1 Ensure password creation requirements are configured - minlen
  • 5.5.1 Ensure password creation requirements are configured - password complexity
  • 5.5.1 Ensure password creation requirements are configured - retry
  • 5.5.1 Ensure password creation requirements are configured - try_first_pass
  • 5.5.2 Ensure lockout for failed password attempts is configured - <= 8.1 deny
  • 5.5.2 Ensure lockout for failed password attempts is configured - <= 8.1 unlock_time
  • 5.5.2 Ensure lockout for failed password attempts is configured - >= 8.2 deny
  • 5.5.2 Ensure lockout for failed password attempts is configured - >= 8.2 unlock_time
  • 5.5.4 Ensure password hashing algorithm is SHA-512 - /etc/libuser.conf
  • 5.5.4 Ensure password hashing algorithm is SHA-512 - /etc/login.defs
  • 5.5.4 Ensure password hashing algorithm is SHA-512 - /etc/pam.d/password-auth
  • 5.5.4 Ensure password hashing algorithm is SHA-512 - /etc/pam.d/system-auth
  • 5.6.1.1 Ensure password expiration is 365 days or less - login.defs
  • 5.6.1.1 Ensure password expiration is 365 days or less - users
  • 5.6.1.2 Ensure minimum days between password changes is 7 or more - login.defs
  • 5.6.1.2 Ensure minimum days between password changes is 7 or more - users
  • 5.6.1.3 Ensure password expiration warning days is 7 or more - login.defs
  • 5.6.1.3 Ensure password expiration warning days is 7 or more - users
  • 5.6.1.4 Ensure inactive password lock is 30 days or less - useradd
  • 5.6.1.4 Ensure inactive password lock is 30 days or less - users
  • 5.6.2 Ensure system accounts are secured - lock not root
  • 5.6.2 Ensure system accounts are secured - non login
  • 5.6.5 Ensure default user umask is 027 or more restrictive - default user umask
  • 5.6.5 Ensure default user umask is 027 or more restrictive - less restrictive system wide umask
Revision 1.24

Apr 22, 2024

Functional Update
  • 4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host
Revision 1.23

Jan 22, 2024

Functional Update
  • 5.2.20 Ensure SSH Idle Timeout Interval is configured - ClientAliveCountMax sshd output
Miscellaneous
  • Metadata updated.
Revision 1.22

Dec 27, 2023

Functional Update
  • 5.5.2 Ensure lockout for failed password attempts is configured - >= 8.2 unlock_time
Revision 1.21

Nov 17, 2023

Functional Update
  • 5.2.10 Ensure SSH PermitUserEnvironment is disabled - sshd output
  • 5.2.11 Ensure SSH IgnoreRhosts is enabled - sshd output
  • 5.2.15 Ensure SSH warning banner is configured
  • 5.2.16 Ensure SSH MaxAuthTries is set to 4 or less - sshd output
  • 5.2.17 Ensure SSH MaxStartups is configured - sshd output
  • 5.2.18 Ensure SSH MaxSessions is set to 10 or less - sshd output
  • 5.2.19 Ensure SSH LoginGraceTime is set to one minute or less - sshd output
  • 5.2.20 Ensure SSH Idle Timeout Interval is configured - ClientAliveCountMax sshd output
  • 5.2.20 Ensure SSH Idle Timeout Interval is configured - ClientAliveInterval sshd output
  • 5.2.4 Ensure SSH access is limited - sshd output
  • 5.2.5 Ensure SSH LogLevel is appropriate - sshd output
  • 5.2.6 Ensure SSH PAM is enabled - sshd output
  • 5.2.7 Ensure SSH root login is disabled - sshd output
  • 5.2.8 Ensure SSH HostbasedAuthentication is disabled - sshd output
  • 5.2.9 Ensure SSH PermitEmptyPasswords is disabled - sshd output
Revision 1.20

Nov 6, 2023

Functional Update
  • 5.4.1 Ensure custom authselect profile is used
Revision 1.19

Oct 27, 2023

Functional Update
  • 1.6.1.4 Ensure the SELinux mode is not disabled - getenforce
  • 4.2.1.1 Ensure rsyslog is installed
  • 4.2.1.2 Ensure rsyslog service is enabled
  • 4.2.1.3 Ensure journald is configured to send logs to rsyslog
  • 4.2.1.4 Ensure rsyslog default file permissions are configured
  • 4.2.1.5 Ensure logging is configured
  • 4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host
  • 4.2.1.7 Ensure rsyslog is not configured to receive logs from a remote client
  • 5.4.1 Ensure custom authselect profile is used
  • 5.6.1.2 Ensure minimum days between password changes is 7 or more - login.defs
Revision 1.18

Oct 3, 2023

Functional Update
  • 5.6.1.5 Ensure all users last password change date is in the past
Informational Update
  • 5.6.5 Ensure default user umask is 027 or more restrictive - default user umask
  • 5.6.5 Ensure default user umask is 027 or more restrictive - less restrictive system wide umask