Nov 25, 2025 Informational Update
- 1.1.16 Ensure separate partition exists for /var/log/audit
- 1.1.2 Ensure /tmp is configured
- 1.1.28 Disable USB Storage
- 1.2.3 Ensure gpgcheck is globally activated
- 1.4.1 Ensure bootloader password is set
- 1.4.3 Ensure authentication required for single user mode
- 1.8.1 Ensure GDM login banner is configured
- 1.8.11 Ensure the screensaver idle-activation-enabled setting
- 1.8.7 Ensure screensaver lock-enabled is set
- 1.8.8 Ensure overriding the screensaver lock-delay setting is prevented
- 1.8.9 Ensure session idle-delay settings is enforced
- 2.2.24 Ensure NFS is configured to use RPCSEC_GSS
- 3.5.1.5 Ensure firewalld default zone is set
- 3.5.3.2.3 Ensure iptables rules exist for all open ports
- 4.1.2.13 Ensure off-loaded audit logs are labeled.
- 4.1.2.3 Ensure audit system is set to single when the disk is full.
- 4.1.2.6 Ensure audit system action is defined for sending errors
- 4.1.3.10 Ensure use of privileged commands is collected
- 4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected
- 4.1.3.12 Ensure discretionary access control permission modification events are collected
- 4.1.3.13 Ensure login and logout events are collected
- 4.1.3.14 Ensure events that modify user/group information are collected
- 4.1.3.7 Ensure kernel module loading and unloading is collected
- 4.1.3.8 Ensure changes to system administration scope (sudoers) is collected
- 4.1.3.9 Ensure file deletion events by users are collected
- 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host
- 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts.
- 5.1.8 Ensure cron is restricted to authorized users
- 5.3.10 Ensure SSH IgnoreRhosts is enabled
- 5.3.11 Ensure SSH HostbasedAuthentication is disabled
- 5.3.14 Ensure SSH PermitUserEnvironment is disabled
- 5.3.17 Ensure only strong MAC algorithms are used
- 5.3.19 Ensure SSH Idle Timeout Interval is configured
- 5.3.26 Ensure RSA rhosts authentication is not allowed
- 5.3.28 Ensure SSH IgnoreUserKnownHosts is enabled
- 5.3.36 Ensure no ".shosts" files exist on the system
- 5.3.4 Ensure permissions on SSH private host key files are configured
- 5.3.8 Ensure SSH X11 forwarding is disabled
- 5.4.1 Ensure password creation requirements are configured
- 5.4.10 Ensure certificate status checking for PKI authentication
- 5.4.3 Ensure password hashing algorithm is SHA-512
- 5.4.8 Ensure date and time of last successful logon
- 5.4.9 Ensure multifactor authentication for access to privileged accounts
- 5.5.4 Ensure default user shell timeout is configured
- 5.5.7 Ensure multi-factor authentication is enable for users
- 6.1.1 Audit system file permissions
- 6.2.19 Ensure all local interactive user home directories are group-owned
- 6.2.20 Ensure that all files and directories contained in local interactive user home directories are owned by the user
- 6.2.21 Ensure local interactive user is a member of the group owner.
- 6.2.22 Ensure users' files and directories within the home directory permissions are 750 or more restrictive
- 6.2.23 Ensure local interactive users' dot files for are owned by the user or root.
- 6.2.24 Ensure local interactive users' dot files are group-owned by the users group or root.
- 6.2.25 Ensure users' dot files have 0740 or less set.
- 6.2.26 Ensure local interactive users' dot files executable paths resolve to the users home directory.
- 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group
Miscellaneous
- Metadata updated.
- Platform check updated.
- References updated.
- Variables updated.
Added
- CIS_Amazon_Linux_2_STIG_v2.0.0_STIG.audit from CIS Amazon Linux 2 STIG v2.0.0
Removed
- CIS_Amazon_Linux_2_STIG_v2.0.0_STIG.audit from CIS Amazon Linux 2 STIG Benchmark v2.0.0

Oct 30, 2025 Functional Update
- 5.3.8 Ensure SSH X11 forwarding is disabled

Sep 23, 2025 Functional Update
- 4.1.3.7 Ensure kernel module loading and unloading is collected