Detections
Analytics

Revision 1.34

Feb 1, 2024
Functional Update
  • 1.1.10 Disable USB Storage - blacklist
  • 1.1.10 Disable USB Storage - lsmod
  • 1.1.3.2 Ensure nodev option set on /var partition
  • 1.1.3.3 Ensure nosuid option set on /var partition
  • 1.1.4.2 Ensure noexec option set on /var/tmp partition
  • 1.1.4.3 Ensure nosuid option set on /var/tmp partition
  • 1.1.4.4 Ensure nodev option set on /var/tmp partition
  • 1.1.5.2 Ensure nodev option set on /var/log partition
  • 1.1.5.3 Ensure noexec option set on /var/log partition
  • 1.1.5.4 Ensure nosuid option set on /var/log partition
  • 1.1.6.2 Ensure noexec option set on /var/log/audit partition
  • 1.1.6.3 Ensure nodev option set on /var/log/audit partition
  • 1.1.6.4 Ensure nosuid option set on /var/log/audit partition
  • 1.1.7.2 Ensure nodev option set on /home partition
  • 1.1.7.3 Ensure nosuid option set on /home partition
  • 1.1.8.1 Ensure nodev option set on /dev/shm partition
  • 1.1.8.2 Ensure noexec option set on /dev/shm partition
  • 1.1.8.3 Ensure nosuid option set on /dev/shm partition
  • 1.1.9 Disable Automounting
  • 1.5.1 Ensure address space layout randomization (ASLR) is enabled - config
  • 1.5.3 Ensure Automatic Error Reporting is not enabled
  • 1.5.4 Ensure core dumps are restricted - limits config
  • 1.5.4 Ensure core dumps are restricted - sysctl config
  • 1.8.4 Ensure GDM screen locks when the user is idle - idle-delay
  • 1.8.4 Ensure GDM screen locks when the user is idle - lock-delay
  • 1.8.5 Ensure GDM screen locks cannot be overridden - idle-delay
  • 1.8.5 Ensure GDM screen locks cannot be overridden - lock-delay
  • 1.9 Ensure updates, patches, and additional security software are installed
  • 2.1.2.2 Ensure chrony is running as user _chrony
  • 2.1.4.3 Ensure ntp is running as user ntp - user
  • 2.2.1 Ensure X Window System is not installed
  • 2.2.15 Ensure mail transfer agent is configured for local-only mode
  • 3.1.1 Ensure system is checked to determine if IPv6 is enabled
  • 3.1.2 Ensure wireless interfaces are disabled
  • 3.3.1 Ensure source routed packets are not accepted - net.ipv4.conf.all.accept_source_route (sysctl.conf/sysctl.d)
  • 3.3.1 Ensure source routed packets are not accepted - net.ipv4.conf.default.accept_source_route (sysctl.conf/sysctl.d)
  • 3.3.1 Ensure source routed packets are not accepted - net.ipv6.conf.all.accept_source_route (sysctl.conf/sysctl.d)
  • 3.3.1 Ensure source routed packets are not accepted - net.ipv6.conf.default.accept_source_route (sysctl.conf/sysctl.d)
  • 3.3.2 Ensure ICMP redirects are not accepted - net.ipv4.conf.all.accept_redirects (sysctl.conf/sysctl.d)
  • 3.3.2 Ensure ICMP redirects are not accepted - net.ipv4.conf.default.accept_redirects (sysctl.conf/sysctl.d)
  • 3.3.2 Ensure ICMP redirects are not accepted - net.ipv6.conf.all.accept_redirects (sysctl.conf/sysctl.d)
  • 3.3.2 Ensure ICMP redirects are not accepted - net.ipv6.conf.default.accept_redirects (sysctl.conf/sysctl.d)
  • 3.3.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.all.secure_redirects' (sysctl.conf/sysctl.d)
  • 3.3.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.default.secure_redirects' (sysctl.conf/sysctl.d)
  • 3.3.4 Ensure suspicious packets are logged - 'net.ipv4.conf.all.log_martians' (sysctl.conf/sysctl.d)
  • 3.3.4 Ensure suspicious packets are logged - 'net.ipv4.conf.default.log_martians' (sysctl.conf/sysctl.d)
  • 3.3.5 Ensure broadcast ICMP requests are ignored - sysctl.conf/sysctl.d
  • 3.3.6 Ensure bogus ICMP responses are ignored - (sysctl.conf/sysctl.d)
  • 3.3.7 Ensure Reverse Path Filtering is enabled - 'net.ipv4.conf.all.rp_filter' (sysctl.conf/sysctl.d)
  • 3.3.7 Ensure Reverse Path Filtering is enabled - 'net.ipv4.conf.default.rp_filter' (sysctl.conf/sysctl.d)
  • 3.3.8 Ensure TCP SYN Cookies is enabled - sysctl.conf/sysctl.d
  • 3.3.9 Ensure IPv6 router advertisements are not accepted - 'net.ipv6.conf.all.accept_ra' (sysctl.conf/sysctl.d)
  • 3.3.9 Ensure IPv6 router advertisements are not accepted - 'net.ipv6.conf.default.accept_ra' (sysctl.conf/sysctl.d)
  • 3.5.2.10 Ensure nftables rules are permanent - hook forward
  • 3.5.2.10 Ensure nftables rules are permanent - hook input
  • 3.5.2.10 Ensure nftables rules are permanent - hook output
  • 3.5.2.6 Ensure nftables loopback traffic is configured - lo
  • 3.5.2.6 Ensure nftables loopback traffic is configured - v4
  • 3.5.2.6 Ensure nftables loopback traffic is configured - v6
  • 4.2.1.1.4 Ensure journald is not configured to receive logs from a remote client
  • 4.2.2.1 Ensure rsyslog is installed
  • 4.2.2.2 Ensure rsyslog service is enabled
  • 4.2.2.3 Ensure journald is configured to send logs to rsyslog
  • 4.2.2.4 Ensure rsyslog default file permissions are configured
  • 4.2.2.5 Ensure logging is configured
  • 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host
  • 4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client
  • 5.2.10 Ensure SSH PermitUserEnvironment is disabled
  • 5.2.11 Ensure SSH IgnoreRhosts is enabled
  • 5.2.13 Ensure only strong Ciphers are used
  • 5.2.14 Ensure only strong MAC algorithms are used
  • 5.2.15 Ensure only strong Key Exchange algorithms are used
  • 5.2.17 Ensure SSH warning banner is configured
  • 5.2.18 Ensure SSH MaxAuthTries is set to 4 or less
  • 5.2.19 Ensure SSH MaxStartups is configured
  • 5.2.20 Ensure SSH MaxSessions is set to 10 or less
  • 5.2.21 Ensure SSH LoginGraceTime is set to one minute or less
  • 5.2.22 Ensure SSH Idle Timeout Interval is configured
  • 5.2.4 Ensure SSH access is limited
  • 5.2.5 Ensure SSH LogLevel is appropriate
  • 5.2.6 Ensure SSH PAM is enabled
  • 5.2.7 Ensure SSH root login is disabled
  • 5.2.8 Ensure SSH HostbasedAuthentication is disabled
  • 5.2.9 Ensure SSH PermitEmptyPasswords is disabled
  • 5.3.2 Ensure sudo commands use pty
  • 5.3.3 Ensure sudo log file exists
  • 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally
  • 5.3.6 Ensure sudo authentication timeout is configured correctly
  • 5.3.7 Ensure access to the su command is restricted
  • 5.4.4 Ensure password hashing algorithm is up to date with the latest standards
  • 5.5.1.1 Ensure minimum days between password changes is configured - users
  • 5.5.1.5 Ensure all users last password change date is in the past
  • 5.5.2 Ensure system accounts are secured
  • 5.5.4 Ensure default user umask is 027 or more restrictive - Default user umask
  • 5.5.4 Ensure default user umask is 027 or more restrictive - Restrictive system umask
  • 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords
  • 6.2.2 Ensure /etc/shadow password fields are not empty
  • 6.2.4 Ensure shadow group is empty
  • 6.2.9 Ensure root PATH Integrity
Informational Update
  • 1.1.10 Disable USB Storage - blacklist
  • 1.1.10 Disable USB Storage - lsmod
  • 1.1.10 Disable USB Storage - modprobe
  • 2.1.2.2 Ensure chrony is running as user _chrony
  • 2.1.4.3 Ensure ntp is running as user ntp
  • 2.1.4.3 Ensure ntp is running as user ntp - RUNASUSER
  • 2.1.4.3 Ensure ntp is running as user ntp - user
Miscellaneous
  • References updated.
Added
  • 5.4.1 Ensure password creation requirements are configured
Removed
  • 5.4.1 Ensure password creation requirements are configured - 'dcredit'
  • 5.4.1 Ensure password creation requirements are configured - 'lcredit'
  • 5.4.1 Ensure password creation requirements are configured - 'minlen'
  • 5.4.1 Ensure password creation requirements are configured - 'ocredit'
  • 5.4.1 Ensure password creation requirements are configured - 'ucredit'
  • 5.4.1 Ensure password creation requirements are configured - retry