May 5, 2021 Miscellaneous- Audit deprecated.
- Metadata updated.
|
Feb 11, 2021 Functional Update- 3.5.4.1.1 Ensure default deny firewall policy - 'Chain FORWARD'
- 3.5.4.1.1 Ensure default deny firewall policy - 'Chain INPUT'
- 3.5.4.1.1 Ensure default deny firewall policy - 'Chain OUTPUT'
- 3.5.4.2.1 Ensure IPv6 default deny firewall policy - 'Chain FORWARD'
- 3.5.4.2.1 Ensure IPv6 default deny firewall policy - 'Chain INPUT'
- 3.5.4.2.1 Ensure IPv6 default deny firewall policy - 'Chain OUTPUT'
- 5.2.13 Ensure only strong Ciphers are used - approved ciphers
- 5.2.13 Ensure only strong Ciphers are used - weak ciphers
- 5.2.14 Ensure only strong MAC algorithms are used - approved MACs
- 5.2.14 Ensure only strong MAC algorithms are used - weak MACs
- 5.2.15 Ensure only strong Key Exchange algorithms are used - approved algorithms
- 5.2.15 Ensure only strong Key Exchange algorithms are used - weak algorithms
Informational Update- 4.2.1.3 Ensure logging is configured - '*.emerg :omusrmsg:*'
Miscellaneous- Metadata updated.
- Platform check updated.
- References updated.
|
Dec 2, 2020 Added- 1.8.1.1 Ensure message of the day is configured properly - banner
- 1.8.1.1 Ensure message of the day is configured properly - platform flags
- 1.8.1.2 Ensure local login warning banner is configured properly - banner
- 1.8.1.2 Ensure local login warning banner is configured properly - platform flags
- 1.8.1.3 Ensure remote login warning banner is configured properly - banner
- 1.8.1.3 Ensure remote login warning banner is configured properly - platform flags
Removed- 1.8.1.1 Ensure message of the day is configured properly
- 1.8.1.2 Ensure local login warning banner is configured properly
- 1.8.1.3 Ensure remote login warning banner is configured properly
|
Oct 14, 2020 Functional Update- 4.2.3 Ensure permissions on all logfiles are configured
|
Oct 5, 2020 |
Sep 30, 2020 Functional Update- 6.2.10 Ensure users' dot files are not group or world writable
|
Sep 29, 2020 |
Aug 25, 2020 Functional Update- 5.4.1.1 Ensure password expiration is 365 days or less - users
|
Aug 10, 2020 Functional Update- 1.8.1.1 Ensure message of the day is configured properly
- 1.8.1.2 Ensure local login warning banner is configured properly
- 1.8.1.3 Ensure remote login warning banner is configured properly
- 2.2.1.1 Ensure time synchronization is in use
- 2.2.1.2 Ensure systemd-timesyncd is configured - FallbackNTP
- 2.2.1.2 Ensure systemd-timesyncd is configured - NTP
- 2.2.1.2 Ensure systemd-timesyncd is configured - RootDistanceMaxSec
- 2.2.1.3 Ensure chrony is configured - server
- 2.2.1.3 Ensure chrony is configured - uid
- 2.2.1.4 Ensure ntp is configured - restrict -4
- 2.2.1.4 Ensure ntp is configured - restrict -6
- 2.2.1.4 Ensure ntp is configured - server
- 2.2.1.4 Ensure ntp is configured - user
- 4.2.1.1 Ensure rsyslog is installed
- 4.2.1.2 Ensure rsyslog Service is enabled
- 4.2.1.3 Ensure logging is configured - '*.*;mail.none;news.none -/var/log/messages'
- 4.2.1.3 Ensure logging is configured - '*.=warning;*.=err -/var/log/warn'
- 4.2.1.3 Ensure logging is configured - '*.crit /var/log/warn'
- 4.2.1.3 Ensure logging is configured - '*.emerg :omusrmsg:*'
- 4.2.1.3 Ensure logging is configured - 'auth,authpriv.* /var/log/auth.log'
- 4.2.1.3 Ensure logging is configured - 'local0,local1.* -/var/log/localmessages'
- 4.2.1.3 Ensure logging is configured - 'local2,local3.* -/var/log/localmessages'
- 4.2.1.3 Ensure logging is configured - 'local4,local5.* -/var/log/localmessages'
- 4.2.1.3 Ensure logging is configured - 'local6,local7.* -/var/log/localmessages'
- 4.2.1.3 Ensure logging is configured - 'mail.* -/var/log/mail'
- 4.2.1.3 Ensure logging is configured - 'mail.err /var/log/mail.err'
- 4.2.1.3 Ensure logging is configured - 'mail.info -/var/log/mail.info'
- 4.2.1.3 Ensure logging is configured - 'mail.warning -/var/log/mail.warn'
- 4.2.1.3 Ensure logging is configured - 'news.crit -/var/log/news/news.crit'
- 4.2.1.3 Ensure logging is configured - 'news.err -/var/log/news/news.err'
- 4.2.1.3 Ensure logging is configured - 'news.notice -/var/log/news/news.notice'
- 4.2.1.4 Ensure rsyslog default file permissions configured
- 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host
- 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - InputTCPServerRun
- 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - ModLoad
- 5.2.10 Ensure SSH root login is disabled
- 5.2.11 Ensure SSH PermitEmptyPasswords is disabled
- 5.2.12 Ensure SSH PermitUserEnvironment is disabled
- 5.2.14 Ensure only strong MAC algorithms are used - approved MACs
- 5.2.14 Ensure only strong MAC algorithms are used - weak MACs
- 5.2.15 Ensure only strong Key Exchange algorithms are used - approved algorithms
- 5.2.15 Ensure only strong Key Exchange algorithms are used - weak algorithms
- 5.2.16 Ensure SSH Idle Timeout Interval is configured - 'ClientAliveCountMax'
- 5.2.16 Ensure SSH Idle Timeout Interval is configured - 'ClientAliveInterval'
- 5.2.17 Ensure SSH LoginGraceTime is set to one minute or less
- 5.2.18 Ensure SSH access is limited
- 5.2.19 Ensure SSH warning banner is configured
- 5.2.20 Ensure SSH PAM is enabled
- 5.2.22 Ensure SSH MaxStartups is configured
- 5.2.23 Ensure SSH MaxSessions is set to 4 or less
- 5.2.4 Ensure SSH Protocol is not set to 1
- 5.2.5 Ensure SSH LogLevel is appropriate
- 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less
- 5.2.8 Ensure SSH IgnoreRhosts is enabled
- 5.2.9 Ensure SSH HostbasedAuthentication is disabled
Informational Update- 4.2.1.1 Ensure rsyslog is installed
- 4.2.1.2 Ensure rsyslog Service is enabled
- 4.2.1.3 Ensure logging is configured - '*.*;mail.none;news.none -/var/log/messages'
- 4.2.1.3 Ensure logging is configured - '*.=warning;*.=err -/var/log/warn'
- 4.2.1.3 Ensure logging is configured - '*.crit /var/log/warn'
- 4.2.1.3 Ensure logging is configured - '*.emerg :omusrmsg:*'
- 4.2.1.3 Ensure logging is configured - 'auth,authpriv.* /var/log/auth.log'
- 4.2.1.3 Ensure logging is configured - 'local0,local1.* -/var/log/localmessages'
- 4.2.1.3 Ensure logging is configured - 'local2,local3.* -/var/log/localmessages'
- 4.2.1.3 Ensure logging is configured - 'local4,local5.* -/var/log/localmessages'
- 4.2.1.3 Ensure logging is configured - 'local6,local7.* -/var/log/localmessages'
- 4.2.1.3 Ensure logging is configured - 'mail.* -/var/log/mail'
- 4.2.1.3 Ensure logging is configured - 'mail.err /var/log/mail.err'
- 4.2.1.3 Ensure logging is configured - 'mail.info -/var/log/mail.info'
- 4.2.1.3 Ensure logging is configured - 'mail.warning -/var/log/mail.warn'
- 4.2.1.3 Ensure logging is configured - 'news.crit -/var/log/news/news.crit'
- 4.2.1.3 Ensure logging is configured - 'news.err -/var/log/news/news.err'
- 4.2.1.3 Ensure logging is configured - 'news.notice -/var/log/news/news.notice'
- 4.2.1.4 Ensure rsyslog default file permissions configured
- 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host
- 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - InputTCPServerRun
- 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - ModLoad
- 5.3.2 Ensure lockout for failed password attempts is configured - account pam_deny.so
- 5.3.2 Ensure lockout for failed password attempts is configured - auth pam_tally2.so
Miscellaneous- Platform check updated.
- References updated.
- Variables updated.
Added- 4.2.1.3 ensure logging is configured - '*.*;mail.none;news.none -/var/log/messages'
- 4.2.1.3 ensure logging is configured - '*.=warning;*.=err -/var/log/warn'
- 4.2.1.3 ensure logging is configured - '*.crit /var/log/warn'
- 4.2.1.3 ensure logging is configured - '*.emerg :omusrmsg:*'
- 4.2.1.3 ensure logging is configured - 'local0,local1.* -/var/log/localmessages'
- 4.2.1.3 ensure logging is configured - 'local2,local3.* -/var/log/localmessages'
- 4.2.1.3 ensure logging is configured - 'local4,local5.* -/var/log/localmessages'
- 4.2.1.3 ensure logging is configured - 'local6,local7.* -/var/log/localmessages'
- 4.2.1.3 ensure logging is configured - 'mail.* -/var/log/mail'
- 4.2.1.3 ensure logging is configured - 'mail.err /var/log/mail.err'
- 4.2.1.3 ensure logging is configured - 'mail.info -/var/log/mail.info'
- 4.2.1.3 ensure logging is configured - 'mail.warning -/var/log/mail.warn'
- 4.2.1.3 ensure logging is configured - 'news.crit -/var/log/news/news.crit'
- 4.2.1.3 ensure logging is configured - 'news.err -/var/log/news/news.err'
- 4.2.1.3 ensure logging is configured - 'news.notice -/var/log/news/news.notice'
- 5.3.2 Ensure lockout for failed password attempts is configured - account pam_tally2.so
Removed- 5.3.2 Ensure lockout for failed password attempts is configured - account pam_tally.so
|
Aug 4, 2020 Functional Update- 4.2.3 Ensure permissions on all logfiles are configured
|