Detections
Analytics
Revision 1.11Oct 24, 2025
Functional Update
- 1.5.5 Ensure Automatic Error Reporting is not enabled
- 1.6.1.1 Ensure AppArmor is installed
- 1.7.2 Ensure local login warning banner is configured properly
- 1.7.3 Ensure remote login warning banner is configured properly
- 1.8.4 Ensure GDM screen locks when the user is idle
- 2.1.1.1 Ensure a single time synchronization daemon is in use
- 2.1.3.2 Ensure systemd-timesyncd is enabled and running
- 2.1.4.2 Ensure ntp is configured with authorized timeserver
- 2.1.4.4 Ensure ntp is enabled and running
- 2.2.10 Ensure IMAP and POP3 server are not installed
- 3.3.1 Ensure ip forwarding is disabled
- 3.3.10 Ensure tcp syn cookies is enabled
- 3.3.11 Ensure ipv6 router advertisements are not accepted
- 3.3.2 Ensure packet redirect sending is disabled
- 3.3.3 Ensure bogus icmp responses are ignored
- 3.3.4 Ensure broadcast icmp requests are ignored
- 3.3.5 Ensure icmp redirects are not accepted
- 3.3.6 Ensure secure icmp redirects are not accepted
- 3.3.7 Ensure reverse path filtering is enabled
- 3.3.8 Ensure source routed packets are not accepted
- 3.3.9 Ensure suspicious packets are logged
- 3.4.1.3 Ensure ufw service is enabled
- 3.4.1.6 Ensure ufw firewall rules exist for all open ports
- 3.4.2.5 Ensure nftables base chains exist
- 3.4.2.6 Ensure nftables loopback traffic is configured
- 3.4.2.8 Ensure nftables default deny firewall policy
- 3.4.3.2.2 Ensure iptables loopback traffic is configured
- 3.4.3.3.4 Ensure ip6tables firewall rules exist for all open ports
- 4.2.15 Ensure sshd MaxAuthTries is configured
- 4.2.16 Ensure sshd MaxSessions is configured
- 4.2.18 Ensure sshd PermitEmptyPasswords is disabled
- 4.2.19 Ensure sshd PermitRootLogin is disabled
- 4.2.20 Ensure sshd PermitUserEnvironment is disabled
- 4.2.21 Ensure sshd UsePAM is enabled
- 4.2.5 Ensure sshd Ciphers are configured
- 4.2.6 Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured
- 4.2.9 Ensure sshd HostbasedAuthentication is disabled
- 4.3.2 Ensure sudo commands use pty
- 4.5.1.4 Ensure inactive password lock is 30 days or less
- 4.5.1.5 Ensure all users last password change date is in the past
- 4.5.5 Ensure default user shell timeout is configured
- 5.1.1.1.1 Ensure systemd-journal-remote is installed
- 5.1.1.1.3 Ensure systemd-journal-remote is enabled
- 5.1.2.1 Ensure rsyslog is installed
- 5.1.2.2 Ensure rsyslog service is enabled
- 5.1.2.3 Ensure journald is configured to send logs to rsyslog
- 5.1.2.4 Ensure rsyslog default file permissions are configured
- 5.1.2.5 Ensure logging is configured
- 5.1.2.6 Ensure rsyslog is configured to send logs to a remote log host
- 5.1.2.7 Ensure rsyslog is not configured to receive logs from a remote client
Informational Update
- 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
- 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled
- 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled
- 1.1.1.4 Ensure mounting of hfs filesystems is disabled
- 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled
- 1.1.2.1 Ensure /tmp is a separate partition
- 1.4.1 Ensure bootloader password is set
- 1.5.1 Ensure ptrace_scope is restricted
- 1.5.2 Ensure core dumps are restricted
- 1.5.3 Ensure address space layout randomization (ASLR) is enabled
- 1.7.1 Ensure message of the day is configured properly
- 1.7.2 Ensure local login warning banner is configured properly
- 1.7.3 Ensure remote login warning banner is configured properly
- 1.8.2 Ensure GDM login banner is configured
- 1.8.3 Ensure GDM disable-user-list option is enabled
- 1.8.4 Ensure GDM screen locks when the user is idle
- 1.8.5 Ensure GDM screen locks cannot be overridden
- 1.8.8 Ensure GDM autorun-never is enabled
- 1.8.9 Ensure GDM autorun-never is not overridden
- 2.1.1.1 Ensure a single time synchronization daemon is in use
- 2.1.3.1 Ensure systemd-timesyncd configured with authorized timeserver
- 3.3.1 Ensure ip forwarding is disabled
- 3.3.10 Ensure tcp syn cookies is enabled
- 3.3.11 Ensure ipv6 router advertisements are not accepted
- 3.3.2 Ensure packet redirect sending is disabled
- 3.3.3 Ensure bogus icmp responses are ignored
- 3.3.4 Ensure broadcast icmp requests are ignored
- 3.3.5 Ensure icmp redirects are not accepted
- 3.3.6 Ensure secure icmp redirects are not accepted
- 3.3.7 Ensure reverse path filtering is enabled
- 3.3.8 Ensure source routed packets are not accepted
- 3.3.9 Ensure suspicious packets are logged
- 3.4.1.1 Ensure ufw is installed
- 3.4.1.2 Ensure iptables-persistent is not installed with ufw
- 3.4.1.3 Ensure ufw service is enabled
- 3.4.1.4 Ensure ufw loopback traffic is configured
- 3.4.1.5 Ensure ufw outbound connections are configured
- 3.4.1.6 Ensure ufw firewall rules exist for all open ports
- 3.4.1.7 Ensure ufw default deny firewall policy
- 3.4.2.1 Ensure nftables is installed
- 3.4.2.10 Ensure nftables rules are permanent
- 3.4.2.2 Ensure ufw is uninstalled or disabled with nftables
- 3.4.2.3 Ensure iptables are flushed with nftables
- 3.4.2.4 Ensure a nftables table exists
- 3.4.2.5 Ensure nftables base chains exist
- 3.4.2.6 Ensure nftables loopback traffic is configured
- 3.4.2.7 Ensure nftables outbound and established connections are configured
- 3.4.2.8 Ensure nftables default deny firewall policy
- 3.4.2.9 Ensure nftables service is enabled
- 3.4.3.1.1 Ensure iptables packages are installed
- 3.4.3.1.2 Ensure nftables is not installed with iptables
- 3.4.3.1.3 Ensure ufw is uninstalled or disabled with iptables
- 3.4.3.2.1 Ensure iptables default deny firewall policy
- 3.4.3.2.2 Ensure iptables loopback traffic is configured
- 3.4.3.2.3 Ensure iptables outbound and established connections are configured
- 3.4.3.2.4 Ensure iptables firewall rules exist for all open ports
- 3.4.3.3.1 Ensure ip6tables default deny firewall policy
- 3.4.3.3.2 Ensure ip6tables loopback traffic is configured
- 3.4.3.3.3 Ensure ip6tables outbound and established connections are configured
- 3.4.3.3.4 Ensure ip6tables firewall rules exist for all open ports
- 4.1.8 Ensure cron is restricted to authorized users
- 4.1.9 Ensure at is restricted to authorized users
- 4.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
- 4.2.14 Ensure sshd MACs are configured
- 4.2.2 Ensure access to SSH key files is configured
- 4.2.5 Ensure sshd Ciphers are configured
- 4.4.2 Ensure lockout for failed password attempts is configured
- 4.4.5 Ensure all current passwords uses the configured hashing algorithm
- 4.5.2 Ensure system accounts are secured
- 4.5.4 Ensure default user umask is 027 or more restrictive
- 4.5.5 Ensure default user shell timeout is configured
- 5.1.1.1.1 Ensure systemd-journal-remote is installed
- 5.1.1.1.2 Ensure systemd-journal-remote is configured
- 5.1.1.1.3 Ensure systemd-journal-remote is enabled
- 5.1.1.1.4 Ensure journald is not configured to receive logs from a remote client
- 5.1.1.2 Ensure journald service is enabled
- 5.1.1.3 Ensure journald is configured to compress large log files
- 5.1.1.4 Ensure journald is configured to write logfiles to persistent disk
- 5.1.1.5 Ensure journald is not configured to send logs to rsyslog
- 5.1.1.6 Ensure journald log rotation is configured per site policy
- 5.1.1.7 Ensure journald default file permissions configured
- 5.1.2.1 Ensure rsyslog is installed
- 5.1.2.2 Ensure rsyslog service is enabled
- 5.1.2.3 Ensure journald is configured to send logs to rsyslog
- 5.1.2.4 Ensure rsyslog default file permissions are configured
- 5.1.2.5 Ensure logging is configured
- 5.1.2.6 Ensure rsyslog is configured to send logs to a remote log host
- 5.1.2.7 Ensure rsyslog is not configured to receive logs from a remote client
- 5.1.3 Ensure all logfiles have appropriate access configured
- 6.1.10 Ensure world writable files and directories are secured
- 6.2.10 Ensure local interactive user dot files access is configured
- 6.2.4 Ensure shadow group is empty
- 6.2.9 Ensure local interactive user home directories are configured
Miscellaneous
- Metadata updated.
- Variables updated.