CIS FreeBSD v1.0.5

Audit Details

Name: CIS FreeBSD v1.0.5

Updated: 4/25/2022

Authority: CIS

Plugin: Unix

Revision: 1.40

Estimated Item Count: 118

File Details

Filename: CIS_FreeBSD_105.audit

Size: 98.9 kB

MD5: 3573fcd2660cf65079a12b04e2f350e7
SHA256: 53f091c87c396f6266be7eb0b8849d24bc7a6554f0bc9277e52d69987c0e2580

Audit Items

Description / Categories
1.2 Enable SSH (/etc/ssh/sshd_config)

CONFIGURATION MANAGEMENT

1.2 Enable SSH (Banner)

ACCESS CONTROL

1.2 Enable SSH (PermitRootLogin)

ACCESS CONTROL

1.2 Enable SSH (Protocol 2)
1.2 Enable SSH (sshd_enable)

SYSTEM AND COMMUNICATIONS PROTECTION

1.3 Enable TCP Wrappers and a host based firewall (/etc/hosts.allow)

CONFIGURATION MANAGEMENT

1.3 Enable TCP Wrappers and a host based firewall (firewall_enable)

SYSTEM AND COMMUNICATIONS PROTECTION

1.3 Enable TCP Wrappers and a host based firewall (inetd_enable)

SYSTEM AND COMMUNICATIONS PROTECTION

1.3 Enable TCP Wrappers and a host based firewall (inetd_flags)

SYSTEM AND COMMUNICATIONS PROTECTION

1.3 Enable TCP Wrappers and a host based firewall (ipfw_load)

SYSTEM AND COMMUNICATIONS PROTECTION

2.1 Disable all inetd daemons

CONFIGURATION MANAGEMENT

2.2 Only enable telnetd if absolutely necessary

CONFIGURATION MANAGEMENT

2.3 Only enable ftpd if absolutely necessary

CONFIGURATION MANAGEMENT

2.4 Only enable rlogin/rsh/rcp if absolutely necessary (login)

CONFIGURATION MANAGEMENT

2.4 Only enable rlogin/rsh/rcp if absolutely necessary (shell)

CONFIGURATION MANAGEMENT

2.5 Only enable TFTP if absolutely necessary

CONFIGURATION MANAGEMENT

2.6 Only enable finger if absolutely necessary

CONFIGURATION MANAGEMENT

2.7 Only enable Kerberos-related daemons if absolutely necessary (kadmind5_server_enable)

CONFIGURATION MANAGEMENT

2.7 Only enable Kerberos-related daemons if absolutely necessary (kerberos5_enable)

CONFIGURATION MANAGEMENT

2.7 Only enable Kerberos-related daemons if absolutely necessary (kpasswdd_server_enable)

CONFIGURATION MANAGEMENT

2.8 Minimize the inetd.conf file
3.1 Disable login prompts on serial ports (ttyd0)

CONFIGURATION MANAGEMENT

3.1 Disable login prompts on serial ports (ttyd1)

CONFIGURATION MANAGEMENT

3.1 Disable login prompts on serial ports (ttyd2)

CONFIGURATION MANAGEMENT

3.1 Disable login prompts on serial ports (ttyd3)

CONFIGURATION MANAGEMENT

3.2 Set password on single user console

ACCESS CONTROL

3.3 Set daemon umask (/etc/* umask)

ACCESS CONTROL

3.3 Set daemon umask (/etc/periodic/* umask)

ACCESS CONTROL

3.3 Set daemon umask (/usr/local/etc/rc.d umask)

ACCESS CONTROL

3.3 Set daemon umask (/usr/local/etc/rc.d/* umask)

ACCESS CONTROL

3.4 Prevent syslogd from accepting messages from the network

CONFIGURATION MANAGEMENT

3.5 Disable the email server if possible (sendmail_enable)

CONFIGURATION MANAGEMENT

3.5 Disable the email server if possible (sendmail_msp_queue_enable)

CONFIGURATION MANAGEMENT

3.5 Disable the email server if possible (sendmail_outbound_enable)

CONFIGURATION MANAGEMENT

3.5 Disable the email server if possible (sendmail_submit_enable)

CONFIGURATION MANAGEMENT

3.6 Only enable BIND if absolutely necessary

CONFIGURATION MANAGEMENT

3.7 Only enable other RPC-based services if absolutely necessary (rpc_lockd_enable)

CONFIGURATION MANAGEMENT

3.7 Only enable other RPC-based services if absolutely necessary (rpc_statd_enable)

CONFIGURATION MANAGEMENT

3.7 Only enable other RPC-based services if absolutely necessary (rpcbind_enable)

CONFIGURATION MANAGEMENT

3.8 Only enable the NFS server if absolutely necessary (mountd_enable)

CONFIGURATION MANAGEMENT

3.8 Only enable the NFS server if absolutely necessary (nfs_server_enable)

CONFIGURATION MANAGEMENT

3.9 Only enable NFS client processes if absolutely necessary

CONFIGURATION MANAGEMENT

3.10 Block NFS connections to non-privileged ports

CONFIGURATION MANAGEMENT

3.11 Block non-privileged mountd requests

ACCESS CONTROL

3.12 Only enable NIS if absolutely necessary (nis_server_enable)

CONFIGURATION MANAGEMENT

3.12 Only enable NIS if absolutely necessary (nis_yppasswdd_enable)

CONFIGURATION MANAGEMENT

3.12 Only enable NIS if absolutely necessary (nis_ypxfrd_enable)

CONFIGURATION MANAGEMENT

3.12 Only enable NIS if absolutely necessary (rpc_ypupdated_enable)

CONFIGURATION MANAGEMENT

3.13 Only enable NIS client daemons if absolutely necessary (nis_client_enable)

CONFIGURATION MANAGEMENT

3.13 Only enable NIS client daemons if absolutely necessary (nis_ypset_enable)

CONFIGURATION MANAGEMENT