Oct 13, 2021 Miscellaneous- Audit deprecated.
- Metadata updated.
- References updated.
|
Jun 17, 2021 Miscellaneous- Metadata updated.
- References updated.
|
May 3, 2021 Functional Update- 4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host
|
Apr 7, 2021 Functional Update- 3.3.1 Ensure IPv6 router advertisements are not accepted - 'net.ipv6.conf.all.accept_ra = 0 /etc/sysctl.conf /etc/sysctl.d/*'
- 3.3.1 Ensure IPv6 router advertisements are not accepted - 'net.ipv6.conf.all.accept_ra = 0 /sbin/sysctl'
- 3.3.1 Ensure IPv6 router advertisements are not accepted - 'net.ipv6.conf.default.accept_ra = 0 /etc/sysctl.conf /etc/sysctl.d/*'
- 3.3.1 Ensure IPv6 router advertisements are not accepted - 'net.ipv6.conf.default.accept_ra = 0 /sbin/sysctl'
- 3.3.2 Ensure IPv6 redirects are not accepted - 'net.ipv6.conf.all.accept_redirects = 0 /etc/sysctl.conf /etc/sysctl.d/*'
- 3.3.2 Ensure IPv6 redirects are not accepted - 'net.ipv6.conf.all.accept_redirects = 0 /sbin/sysctl'
- 3.3.2 Ensure IPv6 redirects are not accepted - 'net.ipv6.conf.default.accept_redirects = 0 /etc/sysctl.conf /etc/sysctl.d/*'
- 3.3.2 Ensure IPv6 redirects are not accepted - 'net.ipv6.conf.default.accept_redirects = 0 /sbin/sysctl'
- 3.6.2 Ensure default deny firewall policy - Chain FORWARD
- 3.6.2 Ensure default deny firewall policy - Chain INPUT
- 3.6.2 Ensure default deny firewall policy - Chain OUTPUT
Informational Update- 3.3.1 Ensure IPv6 router advertisements are not accepted - 'net.ipv6.conf.all.accept_ra = 0 /etc/sysctl.conf /etc/sysctl.d/*'
- 3.3.1 Ensure IPv6 router advertisements are not accepted - 'net.ipv6.conf.all.accept_ra = 0 /sbin/sysctl'
- 3.3.1 Ensure IPv6 router advertisements are not accepted - 'net.ipv6.conf.default.accept_ra = 0 /etc/sysctl.conf /etc/sysctl.d/*'
- 3.3.1 Ensure IPv6 router advertisements are not accepted - 'net.ipv6.conf.default.accept_ra = 0 /sbin/sysctl'
- 3.3.2 Ensure IPv6 redirects are not accepted - 'net.ipv6.conf.all.accept_redirects = 0 /etc/sysctl.conf /etc/sysctl.d/*'
- 3.3.2 Ensure IPv6 redirects are not accepted - 'net.ipv6.conf.all.accept_redirects = 0 /sbin/sysctl'
- 3.3.2 Ensure IPv6 redirects are not accepted - 'net.ipv6.conf.default.accept_redirects = 0 /etc/sysctl.conf /etc/sysctl.d/*'
- 3.3.2 Ensure IPv6 redirects are not accepted - 'net.ipv6.conf.default.accept_redirects = 0 /sbin/sysctl'
|
Feb 1, 2021 Miscellaneous- Metadata updated.
- References updated.
|
Oct 14, 2020 Functional Update- 4.2.4 Ensure permissions on all logfiles are configured
|
Oct 5, 2020 Functional Update- 1.1.10 Ensure noexec option set on /var/tmp partition
- 1.1.14 Ensure nodev option set on /home partition
- 1.1.3 Ensure nodev option set on /tmp partition
- 1.1.4 Ensure nosuid option set on /tmp partition
- 1.1.5 Ensure noexec option set on /tmp partition
- 1.1.8 Ensure nodev option set on /var/tmp partition
- 1.1.9 Ensure nosuid option set on /var/tmp partition
- 1.7.2 Ensure GDM login banner is configured - banner message enabled
- 1.7.2 Ensure GDM login banner is configured - banner message text
- 2.2.1.1 Ensure time synchronization is in use
- 2.2.1.2 Ensure ntp is configured - NTP Server
- 2.2.1.2 Ensure ntp is configured - OPTIONS or ExecStart -u ntp:ntp
- 2.2.1.2 Ensure ntp is configured - restrict -4
- 2.2.1.2 Ensure ntp is configured - restrict -6
- 2.2.1.3 Ensure chrony is configured - NTP server
- 2.2.1.3 Ensure chrony is configured - OPTIONS
- 4.2.1.1 Ensure rsyslog Service is enabled
- 4.2.1.2 Ensure logging is configured
- 4.2.1.3 Ensure rsyslog default file permissions configured
- 4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host
- 4.2.1.5 Ensure remote rsyslog messages are only accepted on designated log hosts. - $ModLoad imtcp
- 4.2.1.5 Ensure remote rsyslog messages are only accepted on designated log hosts. - InputTCPServerRun 514
- 4.2.2.1 Ensure syslog-ng service is enabled
- 4.2.2.2 Ensure logging is configured
- 4.2.2.3 Ensure syslog-ng default file permissions configured
- 4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host - destination logserver
- 4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host - log src
- 4.2.2.5 Ensure remote syslog-ng messages are only accepted on designated log hosts
- 4.2.3 Ensure rsyslog or syslog-ng is installed
|
Sep 30, 2020 Functional Update- 6.2.10 Ensure users' dot files are not group or world writable
|
Sep 29, 2020 |
Sep 23, 2020 Added- 1.1.1.1 Ensure mounting of cramfs filesystems is disabled - modprobe
- 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled - modprobe
- 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled - modprobe
- 1.1.1.4 Ensure mounting of hfs filesystems is disabled - modprobe
- 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled - modprobe
- 1.1.1.6 Ensure mounting of squashfs filesystems is disabled - modprobe
- 1.1.1.7 Ensure mounting of udf filesystems is disabled - modprobe
Removed- 1.1.1.1 Ensure mounting of cramfs filesystems is disabled - /etc/modprobe.d/CIS.conf
- 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled - /etc/modprobe.d/CIS.conf
- 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled - /etc/modprobe.d/CIS.conf
- 1.1.1.4 Ensure mounting of hfs filesystems is disabled - /etc/modprobe.d/CIS.conf
- 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled - /etc/modprobe.d/CIS.conf
- 1.1.1.6 Ensure mounting of squashfs filesystems is disabled - /etc/modprobe.d/CIS.conf
- 1.1.1.7 Ensure mounting of udf filesystems is disabled - /etc/modprobe.d/CIS.conf
|
