Tenable Fedora Linux Best Practices v2.0.0

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: Tenable Fedora Linux Best Practices v2.0.0

Updated: 3/1/2021

Authority: TNS

Plugin: Unix

Revision: 1.8

Estimated Item Count: 346

Audit Items

Description / Categories

1.0 - The file permissions, ownership, and group membership of system files and commands must match the vendor values.

SYSTEM AND INFORMATION INTEGRITY

1.2 - The cryptographic hash of system files and commands must match vendor values.

SYSTEM AND INFORMATION INTEGRITY

1.3.0 - The system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.

ACCESS CONTROL

1.4.0 - The system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.

ACCESS CONTROL

1.5.0 - The system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.

ACCESS CONTROL

1.6.0 - The system must enable a user session lock until that user re-establishes access using established ID and auth procedures.

ACCESS CONTROL

1.6.0 - The system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.

ACCESS CONTROL

1.6.1 - The operating system must uniquely identify and authenticate users using multifactor authentication via graphical logon.

IDENTIFICATION AND AUTHENTICATION

1.6.1 - The system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.

IDENTIFICATION AND AUTHENTICATION

1.6.2 - The system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.

ACCESS CONTROL

1.7 - The operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.

ACCESS CONTROL

1.7 - The system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.

ACCESS CONTROL

1.8.1 - The system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface.

ACCESS CONTROL

1.8.2 - The system must prevent a user from overriding the session idle-delay setting for the graphical user interface.

ACCESS CONTROL

1.9.0 - The system must have the screen package installed.

CONFIGURATION MANAGEMENT

1.100 - The system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.

ACCESS CONTROL

1.101 - The system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.

ACCESS CONTROL

1.110 - The system must initiate a session lock for graphical user interfaces when the screensaver is activated.

ACCESS CONTROL

1.118 - The system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords.

IDENTIFICATION AND AUTHENTICATION

1.119 - When passwords are changed or new passwords are established, pwquality must be used.

ACCESS CONTROL

1.120 - When passwords are changed or new passwords are established, the new password must contain at least 1 upper-case character.

IDENTIFICATION AND AUTHENTICATION

1.130 - When passwords are changed or new passwords are established, the new password must contain at least 1 lower-case character.

IDENTIFICATION AND AUTHENTICATION

1.140 - When passwords are changed or new passwords are assigned, the new password must contain at least one numeric character.

IDENTIFICATION AND AUTHENTICATION

1.150 - When passwords are changed or new passwords are assigned, the new password must contain at least one special character.

IDENTIFICATION AND AUTHENTICATION

1.160 - When passwords are changed a minimum of eight of the total number of characters must be changed.

IDENTIFICATION AND AUTHENTICATION

1.170 - When passwords are changed a minimum of four character classes must be changed.

IDENTIFICATION AND AUTHENTICATION

1.180 - When passwords are changed the number of repeating consecutive characters must not be more than three characters.

IDENTIFICATION AND AUTHENTICATION

1.190 - When passwords are changed the number of repeating characters of the same class must not be more than 4 characters.

IDENTIFICATION AND AUTHENTICATION

1.200 - The PAM system service must be configured to store only encrypted representations of passwords.

IDENTIFICATION AND AUTHENTICATION

1.210 - The shadow file must be configured to store only encrypted representations of passwords.

SYSTEM AND COMMUNICATIONS PROTECTION

1.220 - User and group account administration utilities must be configured to store only encrypted representations of passwords.

SYSTEM AND COMMUNICATIONS PROTECTION

1.230 - Passwords for new users must be restricted to a 24 hours/1 day minimum lifetime.

IDENTIFICATION AND AUTHENTICATION

1.240 - Passwords must be restricted to a 24 hours/1 day minimum lifetime.

IDENTIFICATION AND AUTHENTICATION

1.250 - Passwords for new users must be restricted to a 60-day maximum lifetime.

IDENTIFICATION AND AUTHENTICATION

1.260 - Existing passwords must be restricted to a 60-day maximum lifetime.

IDENTIFICATION AND AUTHENTICATION

1.270 - Passwords must be prohibited from reuse for a minimum of five generations.

IDENTIFICATION AND AUTHENTICATION

1.280 - Passwords must be a minimum of 15 characters in length.

IDENTIFICATION AND AUTHENTICATION

1.290 - The system must not have accounts configured with blank or null passwords - password-auth

CONFIGURATION MANAGEMENT

1.290 - The system must not have accounts configured with blank or null passwords - system-auth

IDENTIFICATION AND AUTHENTICATION

1.300 - The SSH daemon must not allow authentication using an empty password.

IDENTIFICATION AND AUTHENTICATION

1.310 - The system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.

ACCESS CONTROL

1.320 - Accounts subject to three unsuccessful logon attempts within 15 minutes must be locked - password-auth-ac [default=die]

ACCESS CONTROL

1.320 - Accounts subject to three unsuccessful logon attempts within 15 minutes must be locked - password-auth-ac auth required

ACCESS CONTROL

1.320 - Accounts subject to three unsuccessful logon attempts within 15 minutes must be locked - system-auth-ac [default=die]

ACCESS CONTROL

1.320 - Accounts subject to three unsuccessful logon attempts within 15 minutes must be locked - system-auth-ac auth required

ACCESS CONTROL

1.330 - If 3 unsuccessful root logon attempts within 15 minutes occur the account must be locked - password-auth-ac [default=die]

ACCESS CONTROL

1.330 - If 3 unsuccessful root logon attempts within 15 minutes occur the account must be locked - password-auth-ac auth required

ACCESS CONTROL

1.330 - If 3 unsuccessful root logon attempts within 15 minutes occur the account must be locked - system-auth-ac [default=die]

ACCESS CONTROL

1.330 - If 3 unsuccessful root logon attempts within 15 minutes occur the account must be locked - system-auth-ac auth required

ACCESS CONTROL

1.340 - Users must provide a password for privilege escalation.

ACCESS CONTROL