Detections
Analytics

Revision 1.10

Jun 6, 2024
Functional Update
  • 1.1.1.1 Ensure mounting of squashfs filesystems is disabled
  • 1.1.10 Ensure separate partition exists for /var
  • 1.1.11 Ensure separate partition exists for /var/tmp
  • 1.1.15 Ensure separate partition exists for /var/log
  • 1.1.16 Ensure separate partition exists for /var/log/audit
  • 1.1.17 Ensure separate partition exists for /home
  • 1.1.23 Disable Automounting
  • 4.1.1.1 Ensure auditd is installed
  • 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled
  • 4.1.11 Ensure use of privileged commands is collected
  • 4.1.17 Ensure the audit configuration is immutable
  • 4.1.2.1 Ensure audit log storage size is configured
  • 4.1.2.2 Ensure audit logs are not automatically deleted
  • 4.1.2.4 Ensure audit_backlog_limit is sufficient
  • 5.2.20 Ensure SSH AllowTcpForwarding is disabled
  • 6.1.1 Audit system file permissions
Informational Update
  • 1.1.1.1 Ensure mounting of squashfs filesystems is disabled
  • 1.1.10 Ensure separate partition exists for /var
  • 1.1.11 Ensure separate partition exists for /var/tmp
  • 1.1.15 Ensure separate partition exists for /var/log
  • 1.1.16 Ensure separate partition exists for /var/log/audit
  • 1.1.17 Ensure separate partition exists for /home
  • 1.1.23 Disable Automounting
  • 4.1.1.1 Ensure auditd is installed
  • 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled
  • 4.1.11 Ensure use of privileged commands is collected
  • 4.1.17 Ensure the audit configuration is immutable
  • 4.1.2.1 Ensure audit log storage size is configured
  • 4.1.2.2 Ensure audit logs are not automatically deleted
  • 4.1.2.4 Ensure audit_backlog_limit is sufficient
  • 5.2.20 Ensure SSH AllowTcpForwarding is disabled
  • 6.1.1 Audit system file permissions
Miscellaneous
  • Metadata updated.
  • References updated.
  • Variables updated.
Added
  • 1.1.1.3 Ensure mounting of FAT filesystems is limited
  • 1.7.1.4 Ensure all AppArmor Profiles are enforcing
  • 2.2.3 Ensure Avahi Server is not installed
  • 3.1.1 Disable IPv6
  • 3.1.2 Ensure wireless interfaces are disabled
  • 3.4.1 Ensure DCCP is disabled
  • 3.4.2 Ensure SCTP is disabled
  • 4.1.1.2 Ensure auditd service is enabled and running
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected
  • 4.1.12 Ensure successful file system mounts are collected
  • 4.1.13 Ensure file deletion events by users are collected
  • 4.1.14 Ensure changes to system administration scope (sudoers) is collected
  • 4.1.15 Ensure system administrator actions (sudolog) are collected
  • 4.1.16 Ensure kernel module loading and unloading is collected
  • 4.1.2.3 Ensure system is disabled when audit logs are full
  • 4.1.3 Ensure events that modify date and time information are collected
  • 4.1.4 Ensure events that modify user/group information are collected
  • 4.1.5 Ensure events that modify the system's network environment are collected
  • 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected
  • 4.1.7 Ensure login and logout events are collected
  • 4.1.8 Ensure session initiation information is collected
  • 4.1.9 Ensure discretionary access control permission modification events are collected
Removed
  • 1.1.1.3 Ensure mounting of FAT filesystems is limited - EFI
  • 1.1.1.3 Ensure mounting of FAT filesystems is limited - lsmod fat
  • 1.1.1.3 Ensure mounting of FAT filesystems is limited - lsmod msdos
  • 1.1.1.3 Ensure mounting of FAT filesystems is limited - lsmod vfat
  • 1.1.1.3 Ensure mounting of FAT filesystems is limited - modprobe fat
  • 1.1.1.3 Ensure mounting of FAT filesystems is limited - modprobe msdos
  • 1.1.1.3 Ensure mounting of FAT filesystems is limited - modprobe vfat
  • 1.7.1.4 Ensure all AppArmor Profiles are enforcing - profiles enforce mode
  • 1.7.1.4 Ensure all AppArmor Profiles are enforcing - profiles loaded
  • 1.7.1.4 Ensure all AppArmor Profiles are enforcing - unconfined
  • 2.2.3 Ensure Avahi Server is not installed - avahi
  • 2.2.3 Ensure Avahi Server is not installed - avahi-autoipd
  • 3.1.1 Disable IPv6 - grub.cfg
  • 3.1.1 Disable IPv6 - sysctl all disable_ipv6
  • 3.1.1 Disable IPv6 - sysctl default disable_ipv6
  • 3.1.1 Disable IPv6 - sysctl.conf all disable_ipv6
  • 3.1.1 Disable IPv6 - sysctl.conf default disable_ipv6
  • 3.1.2 Ensure wireless interfaces are disabled - interfaces
  • 3.1.2 Ensure wireless interfaces are disabled - iw list
  • 3.4.1 Ensure DCCP is disabled - lsmod
  • 3.4.1 Ensure DCCP is disabled - modprobe
  • 3.4.2 Ensure SCTP is disabled - lsmod
  • 3.4.2 Ensure SCTP is disabled - modprobe
  • 4.1.1.2 Ensure auditd service is enabled and running - enabled
  • 4.1.1.2 Ensure auditd service is enabled and running - running
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl b32 EACCES
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl b32 EPERM
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl b64 EACCES
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl b64 EPERM
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - b32 EACCES
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - b32 EPERM
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - b64 EACCES
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - b64 EPERM
  • 4.1.12 Ensure successful file system mounts are collected - auditctl b32 mount
  • 4.1.12 Ensure successful file system mounts are collected - auditctl b64 mount
  • 4.1.12 Ensure successful file system mounts are collected - b32 mount
  • 4.1.12 Ensure successful file system mounts are collected - b64 mount
  • 4.1.13 Ensure file deletion events by users are collected - auditctl b32 delete
  • 4.1.13 Ensure file deletion events by users are collected - auditctl b64 delete
  • 4.1.13 Ensure file deletion events by users are collected - b32 delete
  • 4.1.13 Ensure file deletion events by users are collected - b64 delete
  • 4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers
  • 4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers.d
  • 4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers
  • 4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers.d
  • 4.1.15 Ensure system administrator actions (sudolog) are collected - auditctl sudo log
  • 4.1.15 Ensure system administrator actions (sudolog) are collected - sudo log
  • 4.1.16 Ensure kernel module loading and unloading is collected - auditctl b32 init_module, delete_module
  • 4.1.16 Ensure kernel module loading and unloading is collected - auditctl b64 init_module, delete_module
  • 4.1.16 Ensure kernel module loading and unloading is collected - auditctl insmod
  • 4.1.16 Ensure kernel module loading and unloading is collected - auditctl modprobe
  • 4.1.16 Ensure kernel module loading and unloading is collected - auditctl rmmod
  • 4.1.16 Ensure kernel module loading and unloading is collected - b32 init_module, delete_module
  • 4.1.16 Ensure kernel module loading and unloading is collected - b64 init_module, delete_module
  • 4.1.16 Ensure kernel module loading and unloading is collected - insmod
  • 4.1.16 Ensure kernel module loading and unloading is collected - modprobe
  • 4.1.16 Ensure kernel module loading and unloading is collected - rmmod
  • 4.1.2.3 Ensure system is disabled when audit logs are full - action_mail_acct
  • 4.1.2.3 Ensure system is disabled when audit logs are full - admin_space_left_action
  • 4.1.2.3 Ensure system is disabled when audit logs are full - space_left_action
  • 4.1.3 Ensure events that modify date and time information are collected - auditctl b32 /etc/localtime
  • 4.1.3 Ensure events that modify date and time information are collected - auditctl b32 adjtimex
  • 4.1.3 Ensure events that modify date and time information are collected - auditctl b32 clock_settime
  • 4.1.3 Ensure events that modify date and time information are collected - auditctl b64 adjtimex
  • 4.1.3 Ensure events that modify date and time information are collected - auditctl b64 clock_settime
  • 4.1.3 Ensure events that modify date and time information are collected - b32 /etc/localtime
  • 4.1.3 Ensure events that modify date and time information are collected - b32 adjtimex
  • 4.1.3 Ensure events that modify date and time information are collected - b32 clock_settime
  • 4.1.3 Ensure events that modify date and time information are collected - b64 adjtimex
  • 4.1.3 Ensure events that modify date and time information are collected - b64 clock_settime
  • 4.1.4 Ensure events that modify user/group information are collected - /etc/group
  • 4.1.4 Ensure events that modify user/group information are collected - /etc/passwd
  • 4.1.4 Ensure events that modify user/group information are collected - /etc/security/opasswd
  • 4.1.4 Ensure events that modify user/group information are collected - /etc/shadow
  • 4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/group
  • 4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/passwd
  • 4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/security/opasswd
  • 4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/shadow
  • 4.1.5 Ensure events that modify the system's network environment are collected - /etc/hosts
  • 4.1.5 Ensure events that modify the system's network environment are collected - /etc/issue
  • 4.1.5 Ensure events that modify the system's network environment are collected - /etc/issue.net
  • 4.1.5 Ensure events that modify the system's network environment are collected - /etc/sysconfig/network
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl /etc/hosts
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl /etc/issue
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl /etc/issue.net
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl /etc/sysconfig/network
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl b32 sethostname
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl b64 sethostname
  • 4.1.5 Ensure events that modify the system's network environment are collected - b32 sethostname
  • 4.1.5 Ensure events that modify the system's network environment are collected - b64 sethostname
  • 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/selinux
  • 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /usr/share/selinux
  • 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/selinux
  • 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /usr/share/selinux
  • 4.1.7 Ensure login and logout events are collected - /var/log/faillog
  • 4.1.7 Ensure login and logout events are collected - /var/log/lastlog
  • 4.1.7 Ensure login and logout events are collected - /var/log/tallylog
  • 4.1.7 Ensure login and logout events are collected - auditctl /var/log/faillog
  • 4.1.7 Ensure login and logout events are collected - auditctl /var/log/lastlog
  • 4.1.7 Ensure login and logout events are collected - auditctl /var/log/tallylog
  • 4.1.8 Ensure session initiation information is collected - /var/log/btmp
  • 4.1.8 Ensure session initiation information is collected - /var/log/wtmp
  • 4.1.8 Ensure session initiation information is collected - /var/run/utmp
  • 4.1.8 Ensure session initiation information is collected - auditctl /var/log/btmp
  • 4.1.8 Ensure session initiation information is collected - auditctl /var/log/wtmp
  • 4.1.8 Ensure session initiation information is collected - auditctl /var/run/utmp
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl b32 chmod
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl b32 chown
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl b32 xattr
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl b64 chmod
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl b64 chown
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl b64 xattr
  • 4.1.9 Ensure discretionary access control permission modification events are collected - b32 chmod
  • 4.1.9 Ensure discretionary access control permission modification events are collected - b32 chown
  • 4.1.9 Ensure discretionary access control permission modification events are collected - b32 xattr
  • 4.1.9 Ensure discretionary access control permission modification events are collected - b64 chmod
  • 4.1.9 Ensure discretionary access control permission modification events are collected - b64 chown
  • 4.1.9 Ensure discretionary access control permission modification events are collected - b64 xattr