Nov 25, 2025 Informational Update- 1.1.12 Ensure /var/tmp partition includes the noexec option
- 1.1.13 Ensure /var/tmp partition includes the nodev option
- 1.1.14 Ensure /var/tmp partition includes the nosuid option
- 1.1.2 Ensure /tmp is configured
- 1.1.3 Ensure noexec option set on /tmp partition
- 1.1.4 Ensure nodev option set on /tmp partition
- 1.1.5 Ensure nosuid option set on /tmp partition
- 1.2.3 Ensure gpgcheck is globally activated
- 1.4.2 Ensure permissions on bootloader config are configured
- 1.4.3 Ensure authentication required for single user mode
- 1.7.1 Ensure message of the day is configured properly
- 1.7.2 Ensure local login warning banner is configured properly
- 1.7.4 Ensure remote login warning banner is configured properly
- 2.2.1.2 Ensure chrony is configured
- 2.2.1.3 Ensure ntp is configured
- 2.2.10 Ensure IMAP and POP3 server is not installed
- 2.2.13 Ensure net-snmp is not installed
- 2.2.16 Ensure mail transfer agent is configured for local-only mode
- 2.2.9 Ensure HTTP server is not installed
- 2.3.2 Ensure rsh client is not installed
- 3.5.1.2 Ensure iptables-services not installed with firewalld
- 3.5.1.5 Ensure firewalld default zone is set
- 3.5.2.1 Ensure nftables is installed
- 3.5.2.3 Ensure iptables-services not installed with nftables
- 3.5.2.9 Ensure nftables default deny firewall policy
- 3.5.3.2.3 Ensure iptables rules exist for all open ports
- 3.5.3.2.6 Ensure iptables is enabled and running
- 3.5.3.3.6 Ensure ip6tables is enabled and running
- 4.2.1.1 Ensure rsyslog is installed
- 4.2.1.3 Ensure rsyslog default file permissions configured
- 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host
- 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts.
- 4.2.2.1 Ensure journald is configured to send logs to rsyslog
- 4.2.3 Ensure logrotate is configured
- 5.1.7 Ensure permissions on /etc/cron.d are configured
- 5.1.8 Ensure cron is restricted to authorized users
- 5.1.9 Ensure at is restricted to authorized users
- 5.3.10 Ensure SSH IgnoreRhosts is enabled
- 5.3.11 Ensure SSH HostbasedAuthentication is disabled
- 5.3.12 Ensure SSH root login is disabled
- 5.3.14 Ensure SSH PermitUserEnvironment is disabled
- 5.3.15 Ensure only strong Ciphers are used
- 5.3.17 Ensure only strong MAC algorithms are used
- 5.3.19 Ensure SSH Idle Timeout Interval is configured
- 5.3.3 Ensure permissions on /etc/ssh/sshd_config are configured
- 5.3.4 Ensure permissions on SSH private host key files are configured
- 5.3.8 Ensure SSH X11 forwarding is disabled
- 5.4.1 Ensure password creation requirements are configured
- 5.4.2 Ensure lockout for failed password attempts is configured
- 5.4.3 Ensure password hashing algorithm is SHA-512
- 5.4.4 Ensure password reuse is limited
- 5.5.1.1 Ensure password expiration is 365 days or less
- 5.5.2 Ensure system accounts are secured
- 5.5.4 Ensure default user shell timeout is configured
- 5.5.5 Ensure default user umask is configured
- 5.7 Ensure access to the su command is restricted
- 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords
- 6.2.15 Ensure no users have .forward files
- 6.2.16 Ensure no users have .netrc files
- 6.2.17 Ensure no users have .rhosts files
- 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group
- 6.2.5 Ensure no duplicate user names exist
- 6.2.6 Ensure no duplicate group names exist
Miscellaneous- Metadata updated.
- Platform check updated.
- References updated.
Added- CIS_Amazon_Linux_2_STIG_v2.0.0_L1_Workstation.audit from CIS Amazon Linux 2 STIG v2.0.0
Removed- CIS_Amazon_Linux_2_STIG_v2.0.0_L1_Workstation.audit from CIS Amazon Linux 2 STIG Benchmark v2.0.0
|
Oct 30, 2025 Functional Update- 5.3.8 Ensure SSH X11 forwarding is disabled
|
