Oct 3, 2023 Informational Update
- 5.5.5 Ensure default user umask is 027 or more restrictive - default user umask
- 5.5.5 Ensure default user umask is 027 or more restrictive - less restrictive system wide umask
|
Jun 3, 2022 Functional Update
- 6.2.7 Ensure users' home directories permissions are 750 or more restrictive
|
Jun 1, 2022 Miscellaneous
- Audit deprecated.
- Metadata updated.
- References updated.
|
May 11, 2022 Functional Update
- 1.1.22 Disable Automounting
- 2.2.10 Ensure FTP Server is not enabled
- 2.2.11 Ensure DNS Server is not enabled
- 2.2.12 Ensure NFS is not enabled
- 2.2.13 Ensure RPC is not enabled
- 2.2.14 Ensure LDAP server is not enabled
- 2.2.15 Ensure DHCP Server is not enabled
- 2.2.16 Ensure CUPS is not enabled
- 2.2.17 Ensure NIS Server is not enabled
- 2.2.4 Ensure Avahi Server is not enabled - service
- 2.2.4 Ensure Avahi Server is not enabled - socket
- 2.2.5 Ensure SNMP Server is not enabled
- 2.2.6 Ensure HTTP Proxy Server is not enabled
- 2.2.7 Ensure Samba is not enabled
- 2.2.8 Ensure IMAP and POP3 server is not enabled
- 2.2.9 Ensure HTTP server is not enabled
|
Apr 25, 2022 |
Apr 5, 2022 Functional Update
- 1.1.1.1 Ensure mounting of cramfs filesystems is disabled - modprobe
- 1.1.1.3 Ensure mounting of squashfs filesystems is disabled - lsmod
- 1.1.1.3 Ensure mounting of squashfs filesystems is disabled - modprobe
- 1.1.1.4 Ensure mounting of udf filesystems is disabled - lsmod
- 1.1.1.4 Ensure mounting of udf filesystems is disabled - modprobe
- 1.1.23 Disable USB Storage - modprobe
- 4.2.1.3 Ensure rsyslog default file permissions configured
- 5.2.14 Ensure SSH LoginGraceTime is set to one minute or less - sshd output
- 5.2.14 Ensure SSH LoginGraceTime is set to one minute or less - sshd_config
|
Mar 29, 2022 Miscellaneous
- Metadata updated.
- References updated.
|
Aug 24, 2021 Functional Update
- 1.1.1.3 Ensure mounting of squashfs filesystems is disabled - modprobe
- 1.1.1.4 Ensure mounting of udf filesystems is disabled - lsmod
- 1.1.1.4 Ensure mounting of udf filesystems is disabled - modprobe
- 1.10 Ensure system-wide crypto policy is not legacy
- 1.3.2 Ensure sudo commands use pty
- 1.3.3 Ensure sudo log file exists
- 1.4.2 Ensure filesystem integrity is regularly checked - cron
- 1.4.2 Ensure filesystem integrity is regularly checked - systemctl is-enabled aidecheck.service
- 1.4.2 Ensure filesystem integrity is regularly checked - systemctl is-enabled aidecheck.timer
- 1.4.2 Ensure filesystem integrity is regularly checked - systemctl status aidecheck.timer
- 1.6.1 Ensure core dumps are restricted - limits.conf limits.d
- 1.6.1 Ensure core dumps are restricted - sysctl.conf sysctl.d
- 1.6.2 Ensure address space layout randomization (ASLR) is enabled - sysctl.conf sysctl.d
- 3.1.1 Ensure IP forwarding is disabled - ipv4 /etc/sysctl.conf /etc/sysctl.d/*
- 3.1.1 Ensure IP forwarding is disabled - ipv6 /etc/sysctl.conf /etc/sysctl.d/*
- 3.1.1 Ensure IP forwarding is disabled - ipv6 sysctl
- 3.1.2 Ensure packet redirect sending is disabled - files 'net.ipv4.conf.all.send_redirects = 0'
- 3.1.2 Ensure packet redirect sending is disabled - files 'net.ipv4.conf.default.send_redirects = 0'
- 3.2.1 Ensure source routed packets are not accepted - 'net.ipv6.conf.all.accept_source_route = 0'
- 3.2.1 Ensure source routed packets are not accepted - 'net.ipv6.conf.default.accept_source_route = 0'
- 3.2.1 Ensure source routed packets are not accepted - files 'net.ipv4.conf.all.accept_source_route = 0'
- 3.2.1 Ensure source routed packets are not accepted - files 'net.ipv4.conf.default.accept_source_route = 0'
- 3.2.1 Ensure source routed packets are not accepted - files 'net.ipv6.conf.all.accept_source_route = 0'
- 3.2.1 Ensure source routed packets are not accepted - files 'net.ipv6.conf.default.accept_source_route = 0'
- 3.2.2 Ensure ICMP redirects are not accepted - files 'net.ipv4.conf.all.accept_redirects = 0'
- 3.2.2 Ensure ICMP redirects are not accepted - files 'net.ipv4.conf.default.accept_redirects = 0'
- 3.2.2 Ensure ICMP redirects are not accepted - files 'net.ipv6.conf.all.accept_redirects = 0'
- 3.2.2 Ensure ICMP redirects are not accepted - files 'net.ipv6.conf.default.accept_redirects = 0'
- 3.2.2 Ensure ICMP redirects are not accepted - sysctl 'net.ipv6.conf.all.accept_redirects'
- 3.2.2 Ensure ICMP redirects are not accepted - sysctl 'net.ipv6.conf.default.accept_redirects = 0'
- 3.2.3 Ensure secure ICMP redirects are not accepted - files 'net.ipv4.conf.all.secure_redirects = 0'
- 3.2.3 Ensure secure ICMP redirects are not accepted - files 'net.ipv4.conf.default.secure_redirects = 0'
- 3.2.4 Ensure suspicious packets are logged - files 'net.ipv4.conf.all.log_martians = 1'
- 3.2.4 Ensure suspicious packets are logged - files 'net.ipv4.conf.default.log_martians = 1'
- 3.2.5 Ensure broadcast ICMP requests are ignored - sysctl.conf sysctl.d
- 3.2.6 Ensure bogus ICMP responses are ignored - /etc/sysctl.conf /etc/sysctl.d/*
- 3.2.7 Ensure Reverse Path Filtering is enabled - files 'net.ipv4.conf.all.rp_filter = 1'
- 3.2.7 Ensure Reverse Path Filtering is enabled - files 'net.ipv4.conf.default.rp_filter = 1'
- 3.2.8 Ensure TCP SYN Cookies is enabled - sysctl.conf sysctl.d
- 3.2.9 Ensure IPv6 router advertisements are not accepted - 'grep net.ipv6.conf.all.accept_ra = 0'
- 3.2.9 Ensure IPv6 router advertisements are not accepted - 'grep net.ipv6.conf.default.accept_ra = 0'
- 3.2.9 Ensure IPv6 router advertisements are not accepted - 'sysctl net.ipv6.conf.all.accept_ra = 0'
- 3.2.9 Ensure IPv6 router advertisements are not accepted - 'sysctl net.ipv6.conf.default.accept_ra = 0'
- 3.4.3.1 Ensure iptables are flushed with nftables - ipv4
- 3.4.3.1 Ensure iptables are flushed with nftables - ipv6
- 3.4.3.2 Ensure an nftables table exists
- 3.4.3.3 Ensure nftables base chains exist - 'hook forward'
- 3.4.3.3 Ensure nftables base chains exist - 'hook input'
- 3.4.3.3 Ensure nftables base chains exist - 'hook output'
- 3.4.3.4 Ensure nftables loopback traffic is configured
- 3.4.3.4 Ensure nftables loopback traffic is configured - ip6 saddr
- 3.4.3.5 Ensure nftables outbound and established connections are configured - incoming, established
- 3.4.3.5 Ensure nftables outbound and established connections are configured - outgoing, established
- 3.4.3.6 Ensure nftables default deny firewall policy - Chain FORWARD
- 3.4.3.6 Ensure nftables default deny firewall policy - Chain INPUT
- 3.4.3.6 Ensure nftables default deny firewall policy - Chain OUTPUT
- 3.4.3.7 Ensure nftables service is enabled
- 3.4.3.8 Ensure nftables rules are permanent - forward
- 3.4.3.8 Ensure nftables rules are permanent - input
- 3.4.3.8 Ensure nftables rules are permanent - output
- 3.4.4.1.1 Ensure iptables default deny firewall policy - Chain FORWARD
- 3.4.4.1.1 Ensure iptables default deny firewall policy - Chain INPUT
- 3.4.4.1.1 Ensure iptables default deny firewall policy - Chain OUTPUT
- 3.4.4.1.2 Ensure iptables loopback traffic is configured - Input accept all lo
- 3.4.4.1.2 Ensure iptables loopback traffic is configured - Input drop all
- 3.4.4.1.2 Ensure iptables loopback traffic is configured - Output accept all lo
- 3.4.4.1.3 Ensure iptables outbound and established connections are configured
- 3.4.4.1.4 Ensure iptables firewall rules exist for all open ports
- 3.4.4.2.1 Ensure ip6tables default deny firewall policy - 'Chain FORWARD'
- 3.4.4.2.1 Ensure ip6tables default deny firewall policy - 'Chain INPUT'
- 3.4.4.2.1 Ensure ip6tables default deny firewall policy - 'Chain OUTPUT'
- 3.4.4.2.2 Ensure ip6tables loopback traffic is configured
- 3.4.4.2.3 Ensure ip6tables outbound and established connections are configured
- 3.4.4.2.4 Ensure ip6tables firewall rules exist for all open ports - firewall rules
- 3.4.4.2.4 Ensure ip6tables firewall rules exist for all open ports - ports
- 3.4.4.2.5 Ensure ip6tables is enabled and active
- 4.2.2.1 Ensure journald is configured to send logs to rsyslog
- 4.2.2.2 Ensure journald is configured to compress large log files
- 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk
- 5.2.20 Ensure system-wide crypto policy is not over-ridden
- 5.3.1 Create custom authselect profile
- 5.4.2 Ensure lockout for failed password attempts is configured
- 5.5.5 Ensure default user umask is 027 or more restrictive - default user umask
- 6.2.12 Ensure users' .netrc Files are not group or world accessible
Added
- 5.4.1 Ensure password creation requirements are configured - password complexity
Removed
- 5.4.1 Ensure password creation requirements are configured - dcredit
- 5.4.1 Ensure password creation requirements are configured - lcredit
- 5.4.1 Ensure password creation requirements are configured - ocredit
- 5.4.1 Ensure password creation requirements are configured - ucredit
|
Jul 14, 2021 Functional Update
- 1.1.10 Ensure noexec option set on /var/tmp partition
- 1.1.14 Ensure nodev option set on /home partition
- 1.1.15 Ensure nodev option set on /dev/shm partition
- 1.1.16 Ensure nosuid option set on /dev/shm partition
- 1.1.17 Ensure noexec option set on /dev/shm partition
- 1.1.3 Ensure nodev option set on /tmp partition
- 1.1.4 Ensure nosuid option set on /tmp partition
- 1.1.5 Ensure noexec option set on /tmp partition
- 1.1.8 Ensure nodev option set on /var/tmp partition
- 1.1.9 Ensure nosuid option set on /var/tmp partition
|