Revision 1.5 - May 10, 2021
Functional Update
- 1.4.2 Ensure filesystem integrity is regularly checked
- 3.2.1 Ensure IP forwarding is disabled - ipv6 files
- 3.2.1 Ensure IP forwarding is disabled - ipv6 sysctl
- 3.2.1 Ensure IP forwarding is disabled - ipv6 sysctl.conf sysctl.d
- 3.3.1 Ensure source routed packets are not accepted - 'net.ipv6.conf.all.accept_source_route = 0'
- 3.3.1 Ensure source routed packets are not accepted - 'net.ipv6.conf.default.accept_source_route = 0'
- 3.3.1 Ensure source routed packets are not accepted - files 'net.ipv6.conf.all.accept_source_route = 0'
- 3.3.1 Ensure source routed packets are not accepted - files 'net.ipv6.conf.default.accept_source_route = 0'
- 3.3.2 Ensure ICMP redirects are not accepted - 'net.ipv6.conf.all.accept_redirects = 0'
- 3.3.2 Ensure ICMP redirects are not accepted - 'net.ipv6.conf.default.accept_redirects = 0'
- 3.3.2 Ensure ICMP redirects are not accepted - files 'net.ipv6.conf.all.accept_redirects = 0'
- 3.3.2 Ensure ICMP redirects are not accepted - files 'net.ipv6.conf.default.accept_redirects = 0'
- 3.3.9 Ensure IPv6 router advertisements are not accepted - 'net.ipv6.conf.all.accept_ra = 0'
- 3.3.9 Ensure IPv6 router advertisements are not accepted - 'net.ipv6.conf.default.accept_ra = 0'
- 3.3.9 Ensure IPv6 router advertisements are not accepted - files 'net.ipv6.conf.all.accept_ra = 0'
- 3.3.9 Ensure IPv6 router advertisements are not accepted - files 'net.ipv6.conf.default.accept_ra = 0'
- 3.5.2.1 Ensure nftables is installed
- 3.5.2.10 Ensure nftables service is enabled
- 3.5.2.11 Ensure nftables rules are permanent
- 3.5.2.2 Ensure firewalld is not installed or stopped and masked - masked
- 3.5.2.2 Ensure firewalld is not installed or stopped and masked - stopped
- 3.5.2.3 Ensure iptables-services package is not installed
- 3.5.2.4 Ensure iptables are flushed - ip6tables
- 3.5.2.4 Ensure iptables are flushed - iptables
- 3.5.2.5 Ensure a table exists
- 3.5.2.6 Ensure base chains exist - hook forward
- 3.5.2.6 Ensure base chains exist - hook input
- 3.5.2.6 Ensure base chains exist - hook output
- 3.5.2.7 Ensure loopback traffic is configured - iif lo
- 3.5.2.7 Ensure loopback traffic is configured - ip saddr
- 3.5.2.7 Ensure loopback traffic is configured - ip6 saddr
- 3.5.2.8 Ensure outbound and established connections are configured - input
- 3.5.2.8 Ensure outbound and established connections are configured - output
- 3.5.2.9 Ensure default deny firewall policy - forward
- 3.5.2.9 Ensure default deny firewall policy - input
- 3.5.2.9 Ensure default deny firewall policy - output
- 3.5.3.1.1 Ensure iptables packages are installed - iptables
- 3.5.3.1.1 Ensure iptables packages are installed - iptables-services
- 3.5.3.1.2 Ensure nftables is not installed
- 3.5.3.1.3 Ensure firewalld is not installed or stopped and masked - masked
- 3.5.3.1.3 Ensure firewalld is not installed or stopped and masked - stopped
- 3.5.3.2.1 Ensure default deny firewall policy - Chain FORWARD
- 3.5.3.2.1 Ensure default deny firewall policy - Chain INPUT
- 3.5.3.2.1 Ensure default deny firewall policy - Chain OUTPUT
- 3.5.3.2.2 Ensure loopback traffic is configured - input
- 3.5.3.2.2 Ensure loopback traffic is configured - output
- 3.5.3.2.3 Ensure outbound and established connections are configured
- 3.5.3.2.4 Ensure firewall rules exist for all open ports
- 3.5.3.2.5 Ensure iptables rules are saved
- 3.5.3.2.6 Ensure iptables is enabled and running - enabled
- 3.5.3.2.6 Ensure iptables is enabled and running - running
- 3.5.3.3.1 Ensure IPv6 default deny firewall policy
- 3.5.3.3.1 Ensure IPv6 default deny firewall policy - Chain FORWARD
- 3.5.3.3.1 Ensure IPv6 default deny firewall policy - Chain INPUT
- 3.5.3.3.1 Ensure IPv6 default deny firewall policy - Chain OUTPUT
- 3.5.3.3.2 Ensure IPv6 loopback traffic is configured - INPUT
- 3.5.3.3.2 Ensure IPv6 loopback traffic is configured - OUTPUT
- 3.5.3.3.2 Ensure IPv6 loopback traffic is configured - input
- 3.5.3.3.2 Ensure IPv6 loopback traffic is configured - output
- 3.5.3.3.3 Ensure IPv6 outbound and established connections are configured
- 3.5.3.3.4 Ensure IPv6 firewall rules exist for all open ports
- 3.5.3.3.5 Ensure ip6tables rules are saved
- 3.5.3.3.6 Ensure ip6tables is enabled and running
- 3.5.3.3.6 Ensure ip6tables is enabled and running - enabled
- 5.2.10 Ensure SSH root login is disabled
- 5.2.11 Ensure SSH PermitEmptyPasswords is disabled
- 5.2.12 Ensure SSH PermitUserEnvironment is disabled
- 5.2.13 Ensure only strong Ciphers are used - approved ciphers
- 5.2.14 Ensure only strong MAC algorithms are used - approved MACs
- 5.2.15 Ensure only strong Key Exchange algorithms are used - approved algorithms
- 5.2.16 Ensure SSH Idle Timeout Interval is configured - ClientAliveCountMax
- 5.2.16 Ensure SSH Idle Timeout Interval is configured - ClientAliveInterval
- 5.2.17 Ensure SSH LoginGraceTime is set to one minute or less
- 5.2.18 Ensure SSH warning banner is configured
- 5.2.19 Ensure SSH PAM is enabled
- 5.2.21 Ensure SSH MaxStartups is configured
- 5.2.22 Ensure SSH MaxSessions is limited
- 5.2.4 Ensure SSH access is limited
- 5.2.6 Ensure SSH X11 forwarding is disabled
- 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less
- 5.2.8 Ensure SSH IgnoreRhosts is enabled
- 5.2.9 Ensure SSH HostbasedAuthentication is disabled