Nov 17, 2021
Miscellaneous
- Audit deprecated.
- Metadata updated.
- References updated.

Jun 17, 2021
Miscellaneous
- Metadata updated.
- References updated.

May 10, 2021
Functional Update
- 1.4.2 Ensure filesystem integrity is regularly checked
- 3.2.1 Ensure IP forwarding is disabled - ipv6 files
- 3.2.1 Ensure IP forwarding is disabled - ipv6 sysctl
- 3.2.1 Ensure IP forwarding is disabled - ipv6 sysctlc.conf sysctl.d
- 3.3.1 Ensure source routed packets are not accepted - 'net.ipv6.conf.all.accept_source_route = 0'
- 3.3.1 Ensure source routed packets are not accepted - 'net.ipv6.conf.default.accept_source_route = 0'
- 3.3.1 Ensure source routed packets are not accepted - files 'net.ipv6.conf.all.accept_source_route = 0'
- 3.3.1 Ensure source routed packets are not accepted - files 'net.ipv6.conf.default.accept_source_route = 0'
- 3.3.2 Ensure ICMP redirects are not accepted - 'net.ipv6.conf.all.accept_redirects = 0'
- 3.3.2 Ensure ICMP redirects are not accepted - 'net.ipv6.conf.default.accept_redirects = 0'
- 3.3.2 Ensure ICMP redirects are not accepted - files 'net.ipv6.conf.all.accept_redirects = 0'
- 3.3.2 Ensure ICMP redirects are not accepted - files 'net.ipv6.conf.default.accept_redirects = 0'
- 3.3.9 Ensure IPv6 router advertisements are not accepted - 'net.ipv6.conf.all.accept_ra = 0'
- 3.3.9 Ensure IPv6 router advertisements are not accepted - 'net.ipv6.conf.default.accept_ra = 0'
- 3.3.9 Ensure IPv6 router advertisements are not accepted - files 'net.ipv6.conf.all.accept_ra = 0'
- 3.3.9 Ensure IPv6 router advertisements are not accepted - files 'net.ipv6.conf.default.accept_ra = 0'
- 3.5.2.1 Ensure nftables is installed
- 3.5.2.10 Ensure nftables service is enabled
- 3.5.2.11 Ensure nftables rules are permanent
- 3.5.2.2 Ensure firewalld is not installed or stopped and masked - masked
- 3.5.2.2 Ensure firewalld is not installed or stopped and masked - stopped
- 3.5.2.3 Ensure iptables-services package is not installed
- 3.5.2.4 Ensure iptables are flushed - ip6tables
- 3.5.2.4 Ensure iptables are flushed - iptables
- 3.5.2.5 Ensure a table exists
- 3.5.2.6 Ensure base chains exist - hook forward
- 3.5.2.6 Ensure base chains exist - hook input
- 3.5.2.6 Ensure base chains exist - hook output
- 3.5.2.7 Ensure loopback traffic is configured - iif lo
- 3.5.2.7 Ensure loopback traffic is configured - ip saddr
- 3.5.2.7 Ensure loopback traffic is configured - ip6 saddr
- 3.5.2.8 Ensure outbound and established connections are configured - input
- 3.5.2.8 Ensure outbound and established connections are configured - output
- 3.5.2.9 Ensure default deny firewall policy - forward
- 3.5.2.9 Ensure default deny firewall policy - input
- 3.5.2.9 Ensure default deny firewall policy - output
- 3.5.3.1.1 Ensure iptables packages are installed - iptables
- 3.5.3.1.1 Ensure iptables packages are installed - iptables-services
- 3.5.3.1.2 Ensure nftables is not installed
- 3.5.3.1.3 Ensure firewalld is not installed or stopped and masked - masked
- 3.5.3.1.3 Ensure firewalld is not installed or stopped and masked - stopped
- 3.5.3.2.1 Ensure default deny firewall policy - Chain FORWARD
- 3.5.3.2.1 Ensure default deny firewall policy - Chain INPUT
- 3.5.3.2.1 Ensure default deny firewall policy - Chain OUTPUT
- 3.5.3.2.2 Ensure loopback traffic is configured - input
- 3.5.3.2.2 Ensure loopback traffic is configured - output
- 3.5.3.2.3 Ensure outbound and established connections are configured
- 3.5.3.2.4 Ensure firewall rules exist for all open ports
- 3.5.3.2.5 Ensure iptables rules are saved
- 3.5.3.2.6 Ensure iptables is enabled and running - enabled
- 3.5.3.2.6 Ensure iptables is enabled and running - running
- 3.5.3.3.1 Ensure IPv6 default deny firewall policy
- 3.5.3.3.1 Ensure IPv6 default deny firewall policy - Chain FORWARD
- 3.5.3.3.1 Ensure IPv6 default deny firewall policy - Chain INPUT
- 3.5.3.3.1 Ensure IPv6 default deny firewall policy - Chain OUTPUT
- 3.5.3.3.2 Ensure IPv6 loopback traffic is configured - INPUT
- 3.5.3.3.2 Ensure IPv6 loopback traffic is configured - OUTPUT
- 3.5.3.3.2 Ensure IPv6 loopback traffic is configured - input
- 3.5.3.3.2 Ensure IPv6 loopback traffic is configured - output
- 3.5.3.3.3 Ensure IPv6 outbound and established connections are configured
- 3.5.3.3.4 Ensure IPv6 firewall rules exist for all open ports
- 3.5.3.3.5 Ensure ip6tables rules are saved
- 3.5.3.3.6 Ensure ip6tables is enabled and running
- 3.5.3.3.6 Ensure ip6tables is enabled and running - enabled
- 5.2.10 Ensure SSH root login is disabled
- 5.2.11 Ensure SSH PermitEmptyPasswords is disabled
- 5.2.12 Ensure SSH PermitUserEnvironment is disabled
- 5.2.13 Ensure only strong Ciphers are used - approved ciphers
- 5.2.14 Ensure only strong MAC algorithms are used - approved MACs
- 5.2.15 Ensure only strong Key Exchange algorithms are used - approved algorithms
- 5.2.16 Ensure SSH Idle Timeout Interval is configured - ClientAliveCountMax
- 5.2.16 Ensure SSH Idle Timeout Interval is configured - ClientAliveInterval
- 5.2.17 Ensure SSH LoginGraceTime is set to one minute or less
- 5.2.18 Ensure SSH warning banner is configured
- 5.2.19 Ensure SSH PAM is enabled
- 5.2.21 Ensure SSH MaxStartups is configured
- 5.2.22 Ensure SSH MaxSessions is limited
- 5.2.4 Ensure SSH access is limited
- 5.2.6 Ensure SSH X11 forwarding is disabled
- 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less
- 5.2.8 Ensure SSH IgnoreRhosts is enabled
- 5.2.9 Ensure SSH HostbasedAuthentication is disabled

May 3, 2021
Functional Update
- 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host

Apr 13, 2021
Functional Update
- 6.2.10 Ensure no users have .netrc files
- 6.2.11 Ensure users' .netrc Files are not group or world accessible
- 6.2.12 Ensure no users have .rhosts files
- 6.2.5 Ensure all users' home directories exist
- 6.2.6 Ensure users' home directories permissions are 750 or more restrictive
- 6.2.7 Ensure users own their home directories
- 6.2.8 Ensure users' dot files are not group or world writable
- 6.2.9 Ensure no users have .forward files

Jan 27, 2021
Functional Update
- 1.10 Ensure GDM is removed or login is configured - banner message text
- 1.4.2 Ensure filesystem integrity is regularly checked
- 1.5.2 Ensure permissions on bootloader config are configured - user.cfg
- 1.7.1.6 Ensure no unconfined services exist
- 2.2.17 Ensure rsync is not installed or the rsyncd service is masked
- 2.2.7 Ensure nfs-utils is not installed or the nfs-server service is masked
- 2.2.8 Ensure rpcbind is not installed or the rpcbind services are masked - rpcbind
- 2.5 Ensure nonessential services are removed or masked
- 3.5.1.1 Ensure FirewallD is installed - firewalld
- 3.5.1.1 Ensure FirewallD is installed - iptables
- 3.5.1.2 Ensure iptables-services package is not installed
- 3.5.1.3 Ensure nftables is not installed or stopped and masked - masked
- 3.5.1.3 Ensure nftables is not installed or stopped and masked - stopped
- 3.5.1.4 Ensure firewalld service is enabled and running - enabled
- 3.5.1.4 Ensure firewalld service is enabled and running - running
- 3.5.1.5 Ensure default zone is set
- 3.5.1.6 Ensure network interfaces are assigned to appropriate zone
- 3.5.1.7 Ensure unnecessary services and ports are not accepted
- 3.5.2.1 Ensure nftables is installed
- 3.5.2.10 Ensure nftables service is enabled
- 3.5.2.11 Ensure nftables rules are permanent
- 3.5.2.2 Ensure firewalld is not installed or stopped and masked - masked
- 3.5.2.2 Ensure firewalld is not installed or stopped and masked - stopped
- 3.5.2.3 Ensure iptables-services package is not installed
- 3.5.2.5 Ensure a table exists
- 3.5.2.7 Ensure loopback traffic is configured - iif lo
- 3.5.2.7 Ensure loopback traffic is configured - ip saddr
- 3.5.2.7 Ensure loopback traffic is configured - ip6 saddr
- 3.5.2.8 Ensure outbound and established connections are configured - input
- 3.5.2.8 Ensure outbound and established connections are configured - output
- 3.5.2.9 Ensure default deny firewall policy - forward
- 3.5.2.9 Ensure default deny firewall policy - input
- 3.5.2.9 Ensure default deny firewall policy - output
- 3.5.3.1.2 Ensure nftables is not installed
- 3.5.3.1.3 Ensure firewalld is not installed or stopped and masked - masked
- 3.5.3.1.3 Ensure firewalld is not installed or stopped and masked - stopped
- 3.5.3.2.1 Ensure default deny firewall policy - Chain FORWARD
- 3.5.3.2.1 Ensure default deny firewall policy - Chain INPUT
- 3.5.3.2.1 Ensure default deny firewall policy - Chain OUTPUT
- 3.5.3.2.2 Ensure loopback traffic is configured - input
- 3.5.3.2.2 Ensure loopback traffic is configured - output
- 3.5.3.2.3 Ensure outbound and established connections are configured
- 3.5.3.2.4 Ensure firewall rules exist for all open ports
- 3.5.3.2.5 Ensure iptables rules are saved
- 3.5.3.2.6 Ensure iptables is enabled and running - enabled
- 3.5.3.2.6 Ensure iptables is enabled and running - running
- 3.5.3.3.1 Ensure IPv6 default deny firewall policy
- 3.5.3.3.2 Ensure IPv6 loopback traffic is configured - input
- 3.5.3.3.2 Ensure IPv6 loopback traffic is configured - output
- 3.5.3.3.3 Ensure IPv6 outbound and established connections are configured
- 3.5.3.3.4 Ensure IPv6 firewall rules exist for all open ports
- 3.5.3.3.5 Ensure ip6tables rules are saved
- 3.5.3.3.6 Ensure ip6tables is enabled and running - enabled
- 5.2.10 Ensure SSH root login is disabled
- 5.2.11 Ensure SSH PermitEmptyPasswords is disabled
- 5.2.12 Ensure SSH PermitUserEnvironment is disabled
- 5.2.16 Ensure SSH Idle Timeout Interval is configured - ClientAliveCountMax
- 5.2.16 Ensure SSH Idle Timeout Interval is configured - ClientAliveInterval
- 5.2.17 Ensure SSH LoginGraceTime is set to one minute or less
- 5.2.18 Ensure SSH warning banner is configured
- 5.2.19 Ensure SSH PAM is enabled
- 5.2.2 Ensure permissions on SSH private host key files are configured
- 5.2.21 Ensure SSH MaxStartups is configured
- 5.2.22 Ensure SSH MaxSessions is limited
- 5.2.4 Ensure SSH access is limited
- 5.2.5 Ensure SSH LogLevel is appropriate
- 5.2.6 Ensure SSH X11 forwarding is disabled
- 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less
- 5.2.8 Ensure SSH IgnoreRhosts is enabled
- 5.2.9 Ensure SSH HostbasedAuthentication is disabled
- 5.3.3 Ensure password hashing algorithm is SHA-512 - password-auth
- 5.3.3 Ensure password hashing algorithm is SHA-512 - system-auth
- 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords
- 6.2.5 Ensure all users' home directories exist
- 6.2.6 Ensure users' home directories permissions are 750 or more restrictive
- 6.2.7 Ensure users own their home directories
- 6.2.8 Ensure users' dot files are not group or world writable

Informational Update
- 1.1.3 Ensure noexec option set on /tmp partition
- 1.3.3 Ensure sudo log file exists
- 1.4.2 Ensure filesystem integrity is regularly checked
- 1.5.1 Ensure bootloader password is set
- 2.2.1.1 Ensure time synchronization is in use
- 2.2.1.3 Ensure ntp is configured - -u ntp:ntp
- 2.2.1.3 Ensure ntp is configured - restrict -4
- 2.2.1.3 Ensure ntp is configured - restrict -6
- 2.2.1.3 Ensure ntp is configured - server
- 2.2.12 Ensure IMAP and POP3 server is not installed
- 2.2.17 Ensure rsync is not installed or the rsyncd service is masked
- 2.3.1 Ensure NIS Client is not installed
- 2.3.2 Ensure rsh client is not installed
- 2.3.3 Ensure talk client is not installed
- 2.3.4 Ensure telnet client is not installed
- 2.3.5 Ensure LDAP client is not installed
- 3.5.1.1 Ensure FirewallD is installed - firewalld
- 3.5.1.1 Ensure FirewallD is installed - iptables
- 3.5.1.2 Ensure iptables-services package is not installed
- 3.5.1.3 Ensure nftables is not installed or stopped and masked - masked
- 3.5.1.3 Ensure nftables is not installed or stopped and masked - stopped
- 3.5.1.4 Ensure firewalld service is enabled and running - enabled
- 3.5.1.4 Ensure firewalld service is enabled and running - running
- 3.5.1.6 Ensure network interfaces are assigned to appropriate zone
- 3.5.1.7 Ensure unnecessary services and ports are not accepted
- 3.5.2.1 Ensure nftables is installed
- 3.5.2.2 Ensure firewalld is not installed or stopped and masked - masked
- 3.5.2.2 Ensure firewalld is not installed or stopped and masked - stopped
- 3.5.2.5 Ensure a table exists
- 3.5.2.7 Ensure loopback traffic is configured - iif lo
- 3.5.2.7 Ensure loopback traffic is configured - ip saddr
- 3.5.2.7 Ensure loopback traffic is configured - ip6 saddr
- 3.5.2.8 Ensure outbound and established connections are configured - input
- 3.5.2.8 Ensure outbound and established connections are configured - output
- 3.5.2.9 Ensure default deny firewall policy - forward
- 3.5.2.9 Ensure default deny firewall policy - input
- 3.5.2.9 Ensure default deny firewall policy - output
- 3.5.3.3.3 Ensure IPv6 outbound and established connections are configured
- 3.5.3.3.4 Ensure IPv6 firewall rules exist for all open ports
- 3.5.3.3.5 Ensure ip6tables rules are saved
- 4.2.1.3 Ensure rsyslog default file permissions configured
- 4.2.1.4 Ensure logging is configured
- 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host
- 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - InputTCPServerRun 514
- 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - imtcp.so
- 4.2.2.1 Ensure journald is configured to send logs to rsyslog
- 5.2.19 Ensure SSH PAM is enabled
- 5.2.6 Ensure SSH X11 forwarding is disabled
- 6.2.10 Ensure no users have .netrc files
- 6.2.12 Ensure no users have .rhosts files
- 6.2.6 Ensure users' home directories permissions are 750 or more restrictive
- 6.2.7 Ensure users own their home directories
- 6.2.8 Ensure users' dot files are not group or world writable
- 6.2.9 Ensure no users have .forward files

Miscellaneous
- Metadata updated.
- References updated.
- Variables updated.

Added
- 1.10 Ensure GDM is removed or login is configured - disable user list
- 1.10 Ensure GDM is removed or login is configured - system-db:gdm
- 1.10 Ensure GDM is removed or login is configured - user-db:user
- 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration
- 1.7.1.3 Ensure SELinux policy is configured - /etc/selinux/config
- 1.7.1.3 Ensure SELinux policy is configured - sestatus
- 1.7.1.4 Ensure the SELinux mode is enforcing or permissive - /etc/selinux/config
- 1.7.1.4 Ensure the SELinux mode is enforcing or permissive - getenforce
- 3.2.1 Ensure IP forwarding is disabled - ipv6 sysctlc.conf sysctl.d
- 3.2.1 Ensure IP forwarding is disabled - sysctlc.conf sysctl.d
- 3.5.2.4 Ensure iptables are flushed - ip6tables
- 3.5.2.4 Ensure iptables are flushed - iptables
- 3.5.2.6 Ensure base chains exist - hook forward
- 3.5.2.6 Ensure base chains exist - hook input
- 3.5.2.6 Ensure base chains exist - hook output
- 3.5.3.1.1 Ensure iptables packages are installed - iptables
- 3.5.3.1.1 Ensure iptables packages are installed - iptables-services
- 3.5.3.3.1 Ensure IPv6 default deny firewall policy - Chain FORWARD
- 3.5.3.3.1 Ensure IPv6 default deny firewall policy - Chain INPUT
- 3.5.3.3.1 Ensure IPv6 default deny firewall policy - Chain OUTPUT
- 3.5.3.3.2 Ensure IPv6 loopback traffic is configured - INPUT
- 3.5.3.3.2 Ensure IPv6 loopback traffic is configured - OUTPUT
- 3.5.3.3.6 Ensure ip6tables is enabled and running
- 5.1.8 Ensure cron is restricted to authorized users - /etc/cron.allow
- 5.1.8 Ensure cron is restricted to authorized users - /etc/cron.deny
- 5.1.9 Ensure at is restricted to authorized users - /etc/at.allow
- 5.1.9 Ensure at is restricted to authorized users - /etc/at.deny
- 5.2.13 Ensure only strong Ciphers are used - approved ciphers
- 5.2.13 Ensure only strong Ciphers are used - weak ciphers
- 5.2.14 Ensure only strong MAC algorithms are used - approved MACs
- 5.2.14 Ensure only strong MAC algorithms are used - weak MACs
- 5.2.15 Ensure only strong Key Exchange algorithms are used - approved algorithms
- 5.2.15 Ensure only strong Key Exchange algorithms are used - weak algorithms
- 5.3.2 Ensure lockout for failed password attempts is configured - password-auth
- 5.3.2 Ensure lockout for failed password attempts is configured - password-auth 'auth sufficient pam_unix.so'
- 5.3.2 Ensure lockout for failed password attempts is configured - system-auth
- 5.3.2 Ensure lockout for failed password attempts is configured - system-auth 'auth sufficient pam_unix.so'
- 5.3.4 Ensure password reuse is limited
- 5.4.1.2 Ensure minimum days between password changes is configured - /etc/login.defs
- 5.4.1.2 Ensure minimum days between password changes is configured - /etc/shadow
- 5.4.2 Ensure system accounts are secured - non-login shell
- 5.4.2 Ensure system accounts are secured - unlocked non-root
- 5.4.4 Ensure default user shell timeout is configured
- 5.4.5 Ensure default user umask is configured - system wide default
- 5.4.5 Ensure default user umask is configured - system wide umask
- 6.2.18 Ensure shadow group is empty - /etc/group
- 6.2.18 Ensure shadow group is empty - /etc/passwd

Removed
- 1.10 Ensure GDM is removed or login is configured - system-db
- 1.10 Ensure GDM is removed or login is configured - user-db
- 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration - enforcing = 0
- 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration - selinux = 0
- 1.7.1.3 Ensure SELinux policy is configured
- 1.7.1.4 Ensure the SELinux mode is enforcing or permissive
- 1.7.1.4 Ensure the SELinux mode is enforcing or permissive - config
- 3.2.1 Ensure IP forwarding is disabled - ipv4 files
- 3.5.2.4 Ensure iptables are flushed - v4
- 3.5.2.4 Ensure iptables are flushed - v6
- 3.5.2.6 Ensure base chains exist - forward
- 3.5.2.6 Ensure base chains exist - input
- 3.5.2.6 Ensure base chains exist - output
- 3.5.3.1.1 Ensure iptables packages are installed
- 3.5.3.3.6 Ensure ip6tables is enabled and running - running
- 5.1.8 Ensure cron is restricted to authorized users - cron.allow
- 5.1.8 Ensure cron is restricted to authorized users - cron.deny
- 5.1.9 Ensure at is restricted to authorized users - at.allow
- 5.1.9 Ensure at is restricted to authorized users - at.deny
- 5.2.13 Ensure only strong Ciphers are used
- 5.2.14 Ensure only strong MAC algorithms are used
- 5.2.15 Ensure only strong Key Exchange algorithms are used
- 5.3.2 Ensure lockout for failed password attempts is configured - password-auth account
- 5.3.2 Ensure lockout for failed password attempts is configured - password-auth deny
- 5.3.2 Ensure lockout for failed password attempts is configured - password-auth unlock_time
- 5.3.2 Ensure lockout for failed password attempts is configured - system-auth account
- 5.3.2 Ensure lockout for failed password attempts is configured - system-auth deny
- 5.3.2 Ensure lockout for failed password attempts is configured - system-auth unlock_time
- 5.3.4 Ensure password reuse is limited - password-auth
- 5.3.4 Ensure password reuse is limited - system-auth
- 5.4.1.2 Ensure minimum days between password changes is configured - login.defs
- 5.4.1.2 Ensure minimum days between password changes is configured - users
- 5.4.2 Ensure system accounts are secured - password
- 5.4.2 Ensure system accounts are secured - shell
- 5.4.4 Ensure default user shell timeout is configured - /etc/bashrc
- 5.4.4 Ensure default user shell timeout is configured - /etc/profile
- 5.4.5 Ensure default user umask is configured - profiles
- 5.4.5 Ensure default user umask is configured - system wide
- 6.2.18 Ensure shadow group is empty

Oct 20, 2020
Added
- 3.5.1.3 Ensure nftables is not installed or stopped and masked - masked
- 3.5.1.3 Ensure nftables is not installed or stopped and masked - stopped
- 3.5.2.7 Ensure loopback traffic is configured - iif lo
- 3.5.2.7 Ensure loopback traffic is configured - ip saddr
- 3.5.2.7 Ensure loopback traffic is configured - ip6 saddr
- 3.5.2.8 Ensure outbound and established connections are configured - input
- 3.5.2.8 Ensure outbound and established connections are configured - output
- 3.5.2.9 Ensure default deny firewall policy - forward
- 3.5.2.9 Ensure default deny firewall policy - input
- 3.5.2.9 Ensure default deny firewall policy - output

Removed
- 3.5.3.1.2 Ensure nftables is not installed or stopped and masked - masked
- 3.5.3.1.2 Ensure nftables is not installed or stopped and masked - stopped
- 3.5.3.2.1 Ensure default deny firewall policy - forward
- 3.5.3.2.1 Ensure default deny firewall policy - input
- 3.5.3.2.1 Ensure default deny firewall policy - output
- 3.5.3.2.2 Ensure loopback traffic is configured - iif lo
- 3.5.3.2.2 Ensure loopback traffic is configured - ip saddr
- 3.5.3.2.2 Ensure loopback traffic is configured - ip6 saddr
- 3.5.3.2.3 Ensure outbound and established connections are configured - input
- 3.5.3.2.3 Ensure outbound and established connections are configured - output