Detections
Analytics

Revision 1.2Jan 27, 2021

Functional Update
  • 1.10 Ensure GDM is removed or login is configured - banner message text
  • 1.4.2 Ensure filesystem integrity is regularly checked
  • 1.5.2 Ensure permissions on bootloader config are configured - user.cfg
  • 1.7.1.6 Ensure no unconfined services exist
  • 2.2.17 Ensure rsync is not installed or the rsyncd service is masked
  • 2.2.2 Ensure X11 Server components are not installed
  • 2.2.7 Ensure nfs-utils is not installed or the nfs-server service is masked
  • 2.2.8 Ensure rpcbind is not installed or the rpcbind services are masked - rpcbind
  • 2.5 Ensure nonessential services are removed or masked
  • 3.5.1.1 Ensure FirewallD is installed - firewalld
  • 3.5.1.1 Ensure FirewallD is installed - iptables
  • 3.5.1.2 Ensure iptables-services package is not installed
  • 3.5.1.3 Ensure nftables is not installed or stopped and masked - masked
  • 3.5.1.3 Ensure nftables is not installed or stopped and masked - stopped
  • 3.5.1.4 Ensure firewalld service is enabled and running - enabled
  • 3.5.1.4 Ensure firewalld service is enabled and running - running
  • 3.5.1.5 Ensure default zone is set
  • 3.5.1.6 Ensure network interfaces are assigned to appropriate zone
  • 3.5.1.7 Ensure unnecessary services and ports are not accepted
  • 3.5.2.1 Ensure nftables is installed
  • 3.5.2.10 Ensure nftables service is enabled
  • 3.5.2.11 Ensure nftables rules are permanent
  • 3.5.2.2 Ensure firewalld is not installed or stopped and masked - masked
  • 3.5.2.2 Ensure firewalld is not installed or stopped and masked - stopped
  • 3.5.2.3 Ensure iptables-services package is not installed
  • 3.5.2.5 Ensure a table exists
  • 3.5.2.7 Ensure loopback traffic is configured - iif lo
  • 3.5.2.7 Ensure loopback traffic is configured - ip saddr
  • 3.5.2.7 Ensure loopback traffic is configured - ip6 saddr
  • 3.5.2.8 Ensure outbound and established connections are configured - input
  • 3.5.2.8 Ensure outbound and established connections are configured - output
  • 3.5.2.9 Ensure default deny firewall policy - forward
  • 3.5.2.9 Ensure default deny firewall policy - input
  • 3.5.2.9 Ensure default deny firewall policy - output
  • 3.5.3.1.2 Ensure nftables is not installed
  • 3.5.3.1.3 Ensure firewalld is not installed or stopped and masked - masked
  • 3.5.3.1.3 Ensure firewalld is not installed or stopped and masked - stopped
  • 3.5.3.2.1 Ensure default deny firewall policy - Chain FORWARD
  • 3.5.3.2.1 Ensure default deny firewall policy - Chain INPUT
  • 3.5.3.2.1 Ensure default deny firewall policy - Chain OUTPUT
  • 3.5.3.2.2 Ensure loopback traffic is configured - input
  • 3.5.3.2.2 Ensure loopback traffic is configured - output
  • 3.5.3.2.3 Ensure outbound and established connections are configured
  • 3.5.3.2.4 Ensure firewall rules exist for all open ports
  • 3.5.3.2.5 Ensure iptables rules are saved
  • 3.5.3.2.6 Ensure iptables is enabled and running - enabled
  • 3.5.3.2.6 Ensure iptables is enabled and running - running
  • 3.5.3.3.1 Ensure IPv6 default deny firewall policy
  • 3.5.3.3.2 Ensure IPv6 loopback traffic is configured - input
  • 3.5.3.3.2 Ensure IPv6 loopback traffic is configured - output
  • 3.5.3.3.3 Ensure IPv6 outbound and established connections are configured
  • 3.5.3.3.4 Ensure IPv6 firewall rules exist for all open ports
  • 3.5.3.3.5 Ensure ip6tables rules are saved
  • 3.5.3.3.6 Ensure ip6tables is enabled and running - enabled
  • 5.2.10 Ensure SSH root login is disabled
  • 5.2.11 Ensure SSH PermitEmptyPasswords is disabled
  • 5.2.12 Ensure SSH PermitUserEnvironment is disabled
  • 5.2.16 Ensure SSH Idle Timeout Interval is configured - ClientAliveCountMax
  • 5.2.16 Ensure SSH Idle Timeout Interval is configured - ClientAliveInterval
  • 5.2.17 Ensure SSH LoginGraceTime is set to one minute or less
  • 5.2.18 Ensure SSH warning banner is configured
  • 5.2.19 Ensure SSH PAM is enabled
  • 5.2.2 Ensure permissions on SSH private host key files are configured
  • 5.2.21 Ensure SSH MaxStartups is configured
  • 5.2.22 Ensure SSH MaxSessions is limited
  • 5.2.4 Ensure SSH access is limited
  • 5.2.5 Ensure SSH LogLevel is appropriate
  • 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less
  • 5.2.8 Ensure SSH IgnoreRhosts is enabled
  • 5.2.9 Ensure SSH HostbasedAuthentication is disabled
  • 5.3.3 Ensure password hashing algorithm is SHA-512 - password-auth
  • 5.3.3 Ensure password hashing algorithm is SHA-512 - system-auth
  • 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords
  • 6.2.5 Ensure all users' home directories exist
  • 6.2.6 Ensure users' home directories permissions are 750 or more restrictive
  • 6.2.7 Ensure users own their home directories
  • 6.2.8 Ensure users' dot files are not group or world writable
Informational Update
  • 1.1.23 Disable Automounting
  • 1.1.3 Ensure noexec option set on /tmp partition
  • 1.3.3 Ensure sudo log file exists
  • 1.4.2 Ensure filesystem integrity is regularly checked
  • 1.5.1 Ensure bootloader password is set
  • 2.2.1.1 Ensure time synchronization is in use
  • 2.2.1.3 Ensure ntp is configured - -u ntp:ntp
  • 2.2.1.3 Ensure ntp is configured - restrict -4
  • 2.2.1.3 Ensure ntp is configured - restrict -6
  • 2.2.1.3 Ensure ntp is configured - server
  • 2.2.12 Ensure IMAP and POP3 server is not installed
  • 2.2.17 Ensure rsync is not installed or the rsyncd service is masked
  • 2.2.2 Ensure X11 Server components are not installed
  • 2.2.4 Ensure CUPS is not installed
  • 2.3.1 Ensure NIS Client is not installed
  • 2.3.2 Ensure rsh client is not installed
  • 2.3.3 Ensure talk client is not installed
  • 2.3.4 Ensure telnet client is not installed
  • 2.3.5 Ensure LDAP client is not installed
  • 3.1.2 Ensure wireless interfaces are disabled
  • 3.5.1.1 Ensure FirewallD is installed - firewalld
  • 3.5.1.1 Ensure FirewallD is installed - iptables
  • 3.5.1.2 Ensure iptables-services package is not installed
  • 3.5.1.3 Ensure nftables is not installed or stopped and masked - masked
  • 3.5.1.3 Ensure nftables is not installed or stopped and masked - stopped
  • 3.5.1.4 Ensure firewalld service is enabled and running - enabled
  • 3.5.1.4 Ensure firewalld service is enabled and running - running
  • 3.5.1.6 Ensure network interfaces are assigned to appropriate zone
  • 3.5.1.7 Ensure unnecessary services and ports are not accepted
  • 3.5.2.1 Ensure nftables is installed
  • 3.5.2.2 Ensure firewalld is not installed or stopped and masked - masked
  • 3.5.2.2 Ensure firewalld is not installed or stopped and masked - stopped
  • 3.5.2.5 Ensure a table exists
  • 3.5.2.7 Ensure loopback traffic is configured - iif lo
  • 3.5.2.7 Ensure loopback traffic is configured - ip saddr
  • 3.5.2.7 Ensure loopback traffic is configured - ip6 saddr
  • 3.5.2.8 Ensure outbound and established connections are configured - input
  • 3.5.2.8 Ensure outbound and established connections are configured - output
  • 3.5.2.9 Ensure default deny firewall policy - forward
  • 3.5.2.9 Ensure default deny firewall policy - input
  • 3.5.2.9 Ensure default deny firewall policy - output
  • 3.5.3.3.3 Ensure IPv6 outbound and established connections are configured
  • 3.5.3.3.4 Ensure IPv6 firewall rules exist for all open ports
  • 3.5.3.3.5 Ensure ip6tables rules are saved
  • 4.2.1.3 Ensure rsyslog default file permissions configured
  • 4.2.1.4 Ensure logging is configured
  • 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - InputTCPServerRun 514
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - imtcp.so
  • 4.2.2.1 Ensure journald is configured to send logs to rsyslog
  • 5.2.19 Ensure SSH PAM is enabled
  • 6.2.10 Ensure no users have .netrc files
  • 6.2.12 Ensure no users have .rhosts files
  • 6.2.6 Ensure users' home directories permissions are 750 or more restrictive
  • 6.2.7 Ensure users own their home directories
  • 6.2.8 Ensure users' dot files are not group or world writable
  • 6.2.9 Ensure no users have .forward files
Miscellaneous
  • Metadata updated.
  • References updated.
  • Variables updated.
Added
  • 1.10 Ensure GDM is removed or login is configured - disable user list
  • 1.10 Ensure GDM is removed or login is configured - system-db:gdm
  • 1.10 Ensure GDM is removed or login is configured - user-db:user
  • 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration
  • 1.7.1.3 Ensure SELinux policy is configured - /etc/selinux/config
  • 1.7.1.3 Ensure SELinux policy is configured - sestatus
  • 1.7.1.4 Ensure the SELinux mode is enforcing or permissive - /etc/selinux/config
  • 1.7.1.4 Ensure the SELinux mode is enforcing or permissive - getenforce
  • 3.2.1 Ensure IP forwarding is disabled - ipv6 sysctlc.conf sysctl.d
  • 3.2.1 Ensure IP forwarding is disabled - sysctlc.conf sysctl.d
  • 3.5.2.4 Ensure iptables are flushed - ip6tables
  • 3.5.2.4 Ensure iptables are flushed - iptables
  • 3.5.2.6 Ensure base chains exist - hook forward
  • 3.5.2.6 Ensure base chains exist - hook input
  • 3.5.2.6 Ensure base chains exist - hook output
  • 3.5.3.1.1 Ensure iptables packages are installed - iptables
  • 3.5.3.1.1 Ensure iptables packages are installed - iptables-services
  • 3.5.3.3.1 Ensure IPv6 default deny firewall policy - Chain FORWARD
  • 3.5.3.3.1 Ensure IPv6 default deny firewall policy - Chain INPUT
  • 3.5.3.3.1 Ensure IPv6 default deny firewall policy - Chain OUTPUT
  • 3.5.3.3.2 Ensure IPv6 loopback traffic is configured - INPUT
  • 3.5.3.3.2 Ensure IPv6 loopback traffic is configured - OUTPUT
  • 3.5.3.3.6 Ensure ip6tables is enabled and running
  • 5.1.8 Ensure cron is restricted to authorized users - /etc/cron.allow
  • 5.1.8 Ensure cron is restricted to authorized users - /etc/cron.deny
  • 5.1.9 Ensure at is restricted to authorized users - /etc/at.allow
  • 5.1.9 Ensure at is restricted to authorized users - /etc/at.deny
  • 5.2.13 Ensure only strong Ciphers are used - approved ciphers
  • 5.2.13 Ensure only strong Ciphers are used - weak ciphers
  • 5.2.14 Ensure only strong MAC algorithms are used - approved MACs
  • 5.2.14 Ensure only strong MAC algorithms are used - weak MACs
  • 5.2.15 Ensure only strong Key Exchange algorithms are used - approved algorithms
  • 5.2.15 Ensure only strong Key Exchange algorithms are used - weak algorithms
  • 5.3.2 Ensure lockout for failed password attempts is configured - password-auth
  • 5.3.2 Ensure lockout for failed password attempts is configured - password-auth 'auth sufficient pam_unix.so'
  • 5.3.2 Ensure lockout for failed password attempts is configured - system-auth
  • 5.3.2 Ensure lockout for failed password attempts is configured - system-auth 'auth sufficient pam_unix.so'
  • 5.3.4 Ensure password reuse is limited
  • 5.4.1.2 Ensure minimum days between password changes is configured - /etc/login.defs
  • 5.4.1.2 Ensure minimum days between password changes is configured - /etc/shadow
  • 5.4.2 Ensure system accounts are secured - non-login shell
  • 5.4.2 Ensure system accounts are secured - unlocked non-root
  • 5.4.4 Ensure default user shell timeout is configured
  • 5.4.5 Ensure default user umask is configured - system wide default
  • 5.4.5 Ensure default user umask is configured - system wide umask
  • 6.2.18 Ensure shadow group is empty - /etc/group
  • 6.2.18 Ensure shadow group is empty - /etc/passwd
Removed
  • 1.10 Ensure GDM is removed or login is configured - system-db
  • 1.10 Ensure GDM is removed or login is configured - user-db
  • 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration - enforcing = 0
  • 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration - selinux = 0
  • 1.7.1.3 Ensure SELinux policy is configured
  • 1.7.1.4 Ensure the SELinux mode is enforcing or permissive
  • 1.7.1.4 Ensure the SELinux mode is enforcing or permissive - config
  • 3.2.1 Ensure IP forwarding is disabled - ipv4 files
  • 3.5.2.4 Ensure iptables are flushed - v4
  • 3.5.2.4 Ensure iptables are flushed - v6
  • 3.5.2.6 Ensure base chains exist - forward
  • 3.5.2.6 Ensure base chains exist - input
  • 3.5.2.6 Ensure base chains exist - output
  • 3.5.3.1.1 Ensure iptables packages are installed
  • 3.5.3.3.6 Ensure ip6tables is enabled and running - running
  • 5.1.8 Ensure cron is restricted to authorized users - cron.allow
  • 5.1.8 Ensure cron is restricted to authorized users - cron.deny
  • 5.1.9 Ensure at is restricted to authorized users - at.allow
  • 5.1.9 Ensure at is restricted to authorized users - at.deny
  • 5.2.13 Ensure only strong Ciphers are used
  • 5.2.14 Ensure only strong MAC algorithms are used
  • 5.2.15 Ensure only strong Key Exchange algorithms are used
  • 5.3.2 Ensure lockout for failed password attempts is configured - password-auth account
  • 5.3.2 Ensure lockout for failed password attempts is configured - password-auth deny
  • 5.3.2 Ensure lockout for failed password attempts is configured - password-auth unlock_time
  • 5.3.2 Ensure lockout for failed password attempts is configured - system-auth account
  • 5.3.2 Ensure lockout for failed password attempts is configured - system-auth deny
  • 5.3.2 Ensure lockout for failed password attempts is configured - system-auth unlock_time
  • 5.3.4 Ensure password reuse is limited - password-auth
  • 5.3.4 Ensure password reuse is limited - system-auth
  • 5.4.1.2 Ensure minimum days between password changes is configured - login.defs
  • 5.4.1.2 Ensure minimum days between password changes is configured - users
  • 5.4.2 Ensure system accounts are secured - password
  • 5.4.2 Ensure system accounts are secured - shell
  • 5.4.4 Ensure default user shell timeout is configured - /etc/bashrc
  • 5.4.4 Ensure default user shell timeout is configured - /etc/profile
  • 5.4.5 Ensure default user umask is configured - profiles
  • 5.4.5 Ensure default user umask is configured - system wide
  • 6.2.18 Ensure shadow group is empty