Jul 23, 2024 Miscellaneous- Audit deprecated.
- Metadata updated.
- References updated.
|
Jul 19, 2024 Functional Update- 5.6.2 Ensure system accounts are secured
|
Jul 9, 2024 Functional Update- 5.1.9 Ensure at is restricted to authorized users
|
Jun 17, 2024 |
Jun 6, 2024 Miscellaneous- Metadata updated.
- References updated.
- Variables updated.
Added- 1.1.2.1 Ensure /tmp is a separate partition
- 1.2.1 Ensure GPG keys are configured
- 1.2.2 Ensure gpgcheck is globally activated
- 1.3.2 Ensure filesystem integrity is regularly checked
- 1.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools
- 1.4.2 Ensure permissions on bootloader config are configured
- 1.6.1.3 Ensure SELinux policy is configured
- 1.6.1.4 Ensure the SELinux mode is not disabled
- 2.1.2 Ensure chrony is configured
- 2.2.16 Ensure nfs-utils is not installed or the nfs-server service is masked
- 2.2.17 Ensure rpcbind is not installed or the rpcbind services are masked
- 2.2.8 Ensure a web server is not installed
- 2.2.9 Ensure IMAP and POP3 server is not installed
- 3.2.2 Ensure packet redirect sending is disabled
- 3.3.1 Ensure source routed packets are not accepted
- 3.3.2 Ensure ICMP redirects are not accepted
- 3.3.3 Ensure secure ICMP redirects are not accepted
- 3.3.4 Ensure suspicious packets are logged
- 3.3.7 Ensure Reverse Path Filtering is enabled
- 3.3.9 Ensure IPv6 router advertisements are not accepted
- 3.4.1.1 Ensure nftables is installed
- 3.4.1.2 Ensure a single firewall configuration utility is in use
- 3.4.2.1 Ensure firewalld default zone is set
- 3.4.2.2 Ensure at least one nftables table exists
- 3.4.2.3 Ensure nftables base chains exist
- 3.4.2.4 Ensure host based firewall loopback traffic is configured
- 3.4.2.5 Ensure firewalld drops unnecessary services and ports
- 3.4.2.6 Ensure nftables established connections are configured
- 3.4.2.7 Ensure nftables default deny firewall policy
- 5.2.10 Ensure SSH PermitUserEnvironment is disabled
- 5.2.11 Ensure SSH IgnoreRhosts is enabled
- 5.2.16 Ensure SSH MaxAuthTries is set to 4 or less
- 5.2.17 Ensure SSH MaxStartups is configured
- 5.2.18 Ensure SSH MaxSessions is set to 10 or less
- 5.2.19 Ensure SSH LoginGraceTime is set to one minute or less
- 5.2.20 Ensure SSH Idle Timeout Interval is configured
- 5.2.4 Ensure SSH access is limited
- 5.2.5 Ensure SSH LogLevel is appropriate
- 5.2.6 Ensure SSH PAM is enabled
- 5.2.7 Ensure SSH root login is disabled
- 5.2.8 Ensure SSH HostbasedAuthentication is disabled
- 5.2.9 Ensure SSH PermitEmptyPasswords is disabled
- 5.4.2 Ensure authselect includes with-faillock
- 5.5.1 Ensure password creation requirements are configured
- 5.5.2 Ensure lockout for failed password attempts is configured
- 5.5.4 Ensure password hashing algorithm is SHA-512 or yescrypt
- 5.6.1.1 Ensure password expiration is 365 days or less
- 5.6.1.2 Ensure minimum days between password changes is configured
- 5.6.1.3 Ensure password expiration warning days is 7 or more
- 5.6.1.4 Ensure inactive password lock is 30 days or less
- 5.6.2 Ensure system accounts are secured
- 5.6.5 Ensure default user umask is 027 or more restrictive
|
Apr 22, 2024 Functional Update- 4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host
|
Mar 18, 2024 Functional Update- 3.1.2 Ensure wireless interfaces are disabled
- 5.2.2 Ensure permissions on SSH private host key files are configured
- 5.2.3 Ensure permissions on SSH public host key files are configured
Added- 4.2.3 Ensure all logfiles have appropriate permissions and ownership
Removed- 4.2.3 Ensure all logfiles have appropriate access configured
|
Feb 14, 2024 Added- 3.4.1.1 Ensure nftables is installed - firewall misconfigured
- 3.4.1.1 Ensure nftables is installed - firewalld
- 3.4.1.1 Ensure nftables is installed - nftables
- 3.4.1.2 Ensure a single firewall configuration utility is in use - firewall misconfigured
- 3.4.1.2 Ensure a single firewall configuration utility is in use - firewalld
- 3.4.1.2 Ensure a single firewall configuration utility is in use - nftables
- 3.4.2.1 Ensure firewalld default zone is set - firewall misconfigured
- 3.4.2.1 Ensure firewalld default zone is set - firewalld
- 3.4.2.1 Ensure firewalld default zone is set - nftables
- 3.4.2.2 Ensure at least one nftables table exists - firewall misconfigured
- 3.4.2.2 Ensure at least one nftables table exists - firewalld
- 3.4.2.2 Ensure at least one nftables table exists - nftables
- 3.4.2.3 Ensure nftables base chains exist - firewall misconfigured
- 3.4.2.3 Ensure nftables base chains exist - firewalld
- 3.4.2.3 Ensure nftables base chains exist - nftables
- 3.4.2.4 Ensure host based firewall loopback traffic is configured - firewall misconfigured
- 3.4.2.4 Ensure host based firewall loopback traffic is configured - firewalld
- 3.4.2.4 Ensure host based firewall loopback traffic is configured - nftables
- 3.4.2.5 Ensure firewalld drops unnecessary services and ports - firewall misconfigured
- 3.4.2.5 Ensure firewalld drops unnecessary services and ports - firewalld
- 3.4.2.5 Ensure firewalld drops unnecessary services and ports - nftables
- 3.4.2.6 Ensure nftables established connections are configured - firewall misconfigured
- 3.4.2.6 Ensure nftables established connections are configured - firewalld
- 3.4.2.6 Ensure nftables established connections are configured - nftables
- 3.4.2.7 Ensure nftables default deny firewall policy - firewall misconfigured
- 3.4.2.7 Ensure nftables default deny firewall policy - firewalld
- 3.4.2.7 Ensure nftables default deny firewall policy - nftables
Removed- 3.4.1.1 Ensure nftables is installed
- 3.4.1.2 Ensure a single firewall configuration utility is in use
- 3.4.2.1 Ensure firewalld default zone is set
- 3.4.2.2 Ensure at least one nftables table exists
- 3.4.2.3 Ensure nftables base chains exist - hook forward
- 3.4.2.3 Ensure nftables base chains exist - hook input
- 3.4.2.3 Ensure nftables base chains exist - hook output
- 3.4.2.4 Ensure host based firewall loopback traffic is configured
- 3.4.2.5 Ensure firewalld drops unnecessary services and ports
- 3.4.2.6 Ensure nftables established connections are configured
- 3.4.2.7 Ensure nftables default deny firewall policy - hook forward
- 3.4.2.7 Ensure nftables default deny firewall policy - hook input
|
Feb 5, 2024 Functional Update- 5.2.20 Ensure SSH Idle Timeout Interval is configured - ClientAliveCountMax sshd output
|
Jan 22, 2024 Functional Update- 5.2.20 Ensure SSH Idle Timeout Interval is configured - ClientAliveCountMax sshd output
|