Control updates introduced for CIS AlmaLinux 9 Benchmark v2.0.0

SCE for Linux v2.5.0 introduces enforcement for Center for Internet Security (CIS) AlmaLinux 9 Benchmark v2.0.0. The transition from the previous CIS Benchmark, v1.0.0, to the new benchmark resulted in module updates.

For a full list of updates in the benchmark, go to the CIS Benchmarks List webpage, download the PDF file, and review the change history.

Added

The following controls are added to the module:

  • 1.1.1.3 - Ensure hfs kernel module is not available

  • 1.1.1.4 - Ensure hfsplus kernel module is not available

  • 1.1.1.5 - Ensure jffs2 kernel module is not available

  • 1.1.1.6 - Ensure squashfs kernel module is not available

  • 1.1.1.7 - Ensure udf kernel module is not available

  • 1.1.1.8 - Ensure usb-storage kernel module is not available

  • 1.1.1.9 - Ensure unused filesystems kernel modules are not available

  • 1.6.1 - Ensure system wide crypto policy is not set to legacy

  • 1.6.2 - Ensure system wide crypto policy is not set in sshd configuration

  • 1.6.3 - Ensure system wide crypto policy disables sha1 hash and signature support

  • 1.6.4 - Ensure system wide crypto policy disables macs less than 128 bits

  • 1.6.5 - Ensure system wide crypto policy disables cbc for ssh

  • 1.6.6 - Ensure system wide crypto policy disables chacha20-poly1305 for ssh

  • 1.6.7 - Ensure system wide crypto policy disables EtM for ssh

  • 2.1.3 - Ensure dhcp server services are not in use

  • 2.1.4 - Ensure dns server services are not in use

  • 2.1.5 - Ensure dnsmasq services are not in use

  • 2.1.6 - Ensure samba file server services are not in use

  • 2.1.7 - Ensure ftp server services are not in use

  • 2.1.8 - Ensure message access server services are not in use

  • 2.1.9 - Ensure network file system services are not in use

  • 2.1.10 - Ensure nis server services are not in use

  • 2.1.11 - Ensure print server services are not in use

  • 2.1.12 - Ensure rpcbind services are not in use

  • 2.1.13 - Ensure rsync services are not in use

  • 2.1.14 - Ensure snmp services are not in use

  • 2.1.15 - Ensure telnet server services are not in use

  • 2.1.16 - Ensure tftp server services are not in use

  • 2.1.17 - Ensure web proxy server services are not in use

  • 2.1.18 - Ensure web server services are not in use

  • 2.1.19 - Ensure xinetd services are not in use

  • 2.1.20 - Ensure X window server services are not in use

  • 2.1.21 - Ensure mail transfer agents are configured for local-only mode

  • 2.1.22 - Ensure only approved services are listening on a network interface

  • 2.4.1.1 - Ensure cron daemon is enabled and active

  • 2.4.1.8 - Ensure crontab is restricted to authorized users

  • 3.2.3 - Ensure rds kernel module is not available

  • 3.2.4 - Ensure sctp kernel module is not available

  • 3.3.10 - Ensure tcp syn cookies is enabled

  • 3.3.11 - Ensure ipv6 router advertisements are not accepted

  • 4.2.2 - Ensure firewalld loopback traffic is configured

  • 4.3.4 - Ensure nftables loopback traffic is configured

  • 5.1.10 - Ensure sshd DisableForwarding is enabled

  • 5.1.11 - Ensure sshd GSSAPIAuthentication is disabled

  • 5.1.12 - Ensure sshd HostbasedAuthentication is disabled

  • 5.1.13 - Ensure sshd IgnoreRhosts is enabled

  • 5.1.14 - Ensure sshd LoginGraceTime is configured

  • 5.1.15 - Ensure sshd LogLevel is configured

  • 5.1.16 - Ensure sshd MaxAuthTries is configured

  • 5.1.17 - Ensure sshd MaxStartups is configured

  • 5.1.18 - Ensure sshd MaxSessions is configured

  • 5.1.19 - Ensure sshd PermitEmptyPasswords is disabled

  • 5.1.20 - Ensure sshd PermitRootLogin is disabled

  • 5.1.21 - Ensure sshd PermitUserEnvironment is disabled

  • 5.1.22 - Ensure sshd UsePAM is enabled

  • 5.3.1.1 - Ensure latest version of pam is installed

  • 5.3.1.2 - Ensure latest version of authselect is installed

  • 5.3.1.3 - Ensure latest version of libpwquality is installed

  • 5.3.2.1 - Ensure active authselect profile includes pam modules

  • 5.3.2.2 - Ensure pam_faillock module is enabled

  • 5.3.2.3 - Ensure pam_pwquality module is enabled

  • 5.3.2.4 - Ensure pam_pwhistory module is enabled

  • 5.3.2.5 - Ensure pam_unix module is enabled

  • 5.3.3.1.1 - Ensure password failed attempts lockout is configured

  • 5.3.3.1.2 - Ensure password unlock time is configured

  • 5.3.3.1.3 - Ensure password failed attempts lockout includes root account

  • 5.3.3.2.1 - Ensure password number of changed characters is configured

  • 5.3.3.2.2 - Ensure password length is configured

  • 5.3.3.2.3 - Ensure password complexity is configured

  • 5.3.3.2.4 - Ensure password same consecutive characters is configured

  • 5.3.3.2.5 - Ensure password maximum sequential characters is configured

  • 5.3.3.2.6 - Ensure password dictionary check is enabled

  • 5.3.3.2.7 - Ensure password quality is enforced for the root user

  • 5.3.3.3.1 - Ensure password history remember is configured

  • 5.3.3.3.2 - Ensure password history is enforced for the root user

  • 5.3.3.3.3 - Ensure pam_pwhistory includes use_authtok

  • 5.3.3.4.1 - Ensure pam_unix does not include nullok

  • 5.3.3.4.2 - Ensure pam_unix does not include remember

  • 5.3.3.4.3 - Ensure pam_unix includes a strong password hashing algorithm

  • 5.3.3.4.4 - Ensure pam_unix includes use_authtok

  • 5.4.1.1 - Ensure password expiration is configured

  • 5.4.1.2 - Ensure minimum password days is configured

  • 5.4.1.3 - Ensure password expiration warning days is configured

  • 5.4.1.4 - Ensure strong password hashing algorithm is configured

  • 5.4.1.5 - Ensure inactive password lock is configured

  • 5.4.2.2 - Ensure root is the only GID 0 account

  • 5.4.2.3 - Ensure group root is the only GID 0 group

  • 5.4.2.4 - Ensure root account access is controlled

  • 5.4.2.5 - Ensure root path integrity

  • 5.4.2.6 - Ensure root user umask is configured

  • 5.4.2.7 - Ensure system accounts do not have a valid login shell

  • 5.4.2.8 - Ensure accounts without a valid login shell are locked

  • 5.4.3.1 - Ensure nologin is not listed in /etc/shells

  • 5.4.3.2 - Ensure default user shell timeout is configured

  • 5.4.3.3 - Ensure default user umask is configured

  • 6.2.1.1 - Ensure journald service is enabled and active

  • 6.2.1.2 - Ensure journald log file access is configured

  • 6.2.1.3 - Ensure journald log file rotation is configured

  • 6.2.1.4 - Ensure only one logging system is in use

  • 6.2.2.1.2 - Ensure systemd-journal-upload authentication is configured

  • 6.2.2.1.3 - Ensure systemd-journal-upload is enabled and active

  • 6.2.2.1.4 - Ensure systemd-journal-remote service is not in use

  • 6.2.2.2 - Ensure journald ForwardToSyslog is disabled

  • 6.2.2.3 - Ensure journald Compress is configured

  • 6.2.2.4 - Ensure journald Storage is configured

  • 6.2.3.2 - Ensure rsyslog service is enabled and active

  • 6.2.3.4 - Ensure rsyslog log file creation mode is configured

  • 6.2.3.5 - Ensure rsyslog logging is configured

  • 6.2.3.8 - Ensure rsyslog logrotate is configured

  • 6.2.4.1 - Ensure access to all logfiles has been configured

  • 6.3.1.1 - Ensure auditd packages are installed

  • 6.3.1.4 - Ensure auditd service is enabled and active

  • 6.3.2.4 - Ensure system warns when audit logs are low on space

  • 6.3.3.15 - Ensure successful and unsuccessful attempts to use the chcon command are collected

  • 6.3.3.16 - Ensure successful and unsuccessful attempts to use the setfacl command are collected

  • 6.3.3.17 - Ensure successful and unsuccessful attempts to use the chacl command are collected

  • 6.3.3.18 - Ensure successful and unsuccessful attempts to use the usermod command are collected

  • 6.3.4.1 - Ensure the audit log file directory mode is configured

  • 6.3.4.2 - Ensure audit log files mode is configured

  • 6.3.4.3 - Ensure audit log files owner is configured

  • 6.3.4.4 - Ensure audit log files group owner is configured

  • 6.3.4.5 - Ensure audit configuration files mode is configured

  • 6.3.4.6 - Ensure audit configuration files owner is configured

  • 6.3.4.7 - Ensure audit configuration files group owner is configured

  • 6.3.4.8 - Ensure audit tools mode is configured

  • 6.3.4.9 - Ensure audit tools owner is configured

  • 6.3.4.10 - Ensure audit tools group owner is configured

  • 7.1.9 - Ensure permissions on /etc/shells are configured

  • 7.1.10 - Ensure permissions on /etc/security/opasswd are configured

  • 7.1.11 - Ensure world writable files and directories are secured

  • 7.1.12 - Ensure no files or directories without an owner and a group exist

  • 7.1.13 - Ensure SUID and SGID files are reviewed

  • 7.2.8 - Ensure local interactive user home directories are configured

  • 7.2.9 - Ensure local interactive user dot files access is configured

Changed

The following controls are changed in the module. Most of the changes are updates in control numbers. In the following list, the previous control is listed first, followed by the new control:

  • 1.1.1.1 - Ensure mounting of squashfs filesystems is disabled -> 1.1.1.1 - Ensure cramfs kernel module is not available

  • 1.1.1.2 - Ensure mounting of udf filesystems is disabled -> 1.1.1.2 - Ensure freevxfs kernel module is not available

  • 1.1.2.1 - Ensure /tmp is a separate partition -> 1.1.2.1.1 - Ensure /tmp is a separate partition

  • 1.1.2.2 - Ensure nodev option set on /tmp partition -> 1.1.2.1.2 - Ensure nodev option set on /tmp partition

  • 1.1.2.3 - Ensure noexec option set on /tmp partition -> 1.1.2.1.4 - Ensure noexec option set on /tmp partition

  • 1.1.2.4 - Ensure nosuid option set on /tmp partition -> 1.1.2.1.3 - Ensure nosuid option set on /tmp partition

  • 1.1.3.1 - Ensure separate partition exists for /var -> 1.1.2.4.1 - Ensure separate partition exists for /var

  • 1.1.3.2 - Ensure nodev option set on /var partition -> 1.1.2.4.2 - Ensure nodev option set on /var partition

  • 1.1.3.3 - Ensure nosuid option set on /var partition -> 1.1.2.4.3 - Ensure nosuid option set on /var partition

  • 1.1.4.1 - Ensure separate partition exists for /var/tmp -> 1.1.2.5.1 - Ensure separate partition exists for /var/tmp

  • 1.1.4.2 - Ensure noexec option set on /var/tmp partition -> 1.1.2.5.4 - Ensure noexec option set on /var/tmp partition

  • 1.1.4.3 - Ensure nosuid option set on /var/tmp partition -> 1.1.2.5.3 - Ensure nosuid option set on /var/tmp partition

  • 1.1.4.4 - Ensure nodev option set on /var/tmp partition -> 1.1.2.5.2 - Ensure nodev option set on /var/tmp partition

  • 1.1.5.1 - Ensure separate partition exists for /var/log -> 1.1.2.6.1 - Ensure separate partition exists for /var/log

  • 1.1.5.2 - Ensure nodev option set on /var/log partition -> 1.1.2.6.2 - Ensure nodev option set on /var/log partition

  • 1.1.5.3 - Ensure noexec option set on /var/log partition -> 1.1.2.6.4 - Ensure noexec option set on /var/log partition

  • 1.1.5.4 - Ensure nosuid option set on /var/log partition -> 1.1.2.6.3 Ensure nosuid option set on /var/log partition

  • 1.1.6.1 - Ensure separate partition exists for /var/log/audit -> 1.1.2.7.1 - Ensure separate partition exists for /var/log/audit

  • 1.1.6.2 - Ensure noexec option set on /var/log/audit partition -> 1.1.2.7.4 - Ensure noexec option set on /var/log/audit partition

  • 1.1.6.3 - Ensure nodev option set on /var/log/audit partition -> 1.1.2.7.2 - Ensure nodev option set on /var/log/audit partition

  • 1.1.6.4 - Ensure nosuid option set on /var/log/audit partition -> 1.1.2.7.3 - Ensure nosuid option set on /var/log/audit partition

  • 1.1.7.1 - Ensure separate partition exists for /home -> 1.1.2.3.1 - Ensure separate partition exists for /home

  • 1.1.7.2 - Ensure nodev option set on /home partition -> 1.1.2.3.2 - Ensure nodev option set on /home partition

  • 1.1.7.3 - Ensure nosuid option set on /home partition -> 1.1.2.3.3 - Ensure nosuid option set on /home partition

  • 1.1.8.1 - Ensure /dev/shm is a separate partition -> 1.1.2.2.1 - Ensure /dev/shm is a separate partition

  • 1.1.8.2 - Ensure nodev option set on /dev/shm partition -> 1.1.2.2.2 - Ensure nodev option set on /dev/shm partition

  • 1.1.8.3 - Ensure noexec option set on /dev/shm partition -> 1.1.2.2.4 - Ensure noexec option set on /dev/shm partition

  • 1.1.8.4 - Ensure nosuid option set on /dev/shm partition -> 1.1.2.2.3 - Ensure nosuid option set on /dev/shm partition

  • 1.2.1 - Ensure GPG keys are configured -> 1.2.1.1 - Ensure GPG keys are configured

  • 1.2.2 - Ensure gpgcheck is globally activated -> 1.2.1.2 - Ensure gpgcheck is globally activated

  • 1.2.3 - Ensure package manager repositories are configured -> 1.2.1.4 - Ensure package manager repositories are configured

  • 1.2.4 - Ensure repo_gpgcheck is globally activated -> 1.2.1.3 - Ensure repo_gpgcheck is globally activated

  • 1.3.1 - Ensure AIDE is installed -> 6.1.1 - Ensure AIDE is installed

  • 1.3.2 - Ensure filesystem integrity is regularly checked -> 6.1.2 - Ensure filesystem integrity is regularly checked

  • 1.3.3 - Ensure cryptographic mechanisms are used to protect the integrity of audit tools -> 6.1.3 - Ensure cryptographic mechanisms are used to protect the integrity of audit tools

  • 1.4.2 - Ensure permissions on bootloader config are configured -> 1.4.2 - Ensure access to bootloader config is configured

  • 1.5.1 - Ensure core dump storage is disabled -> 1.5.4 - Ensure core dump storage is disabled

  • 1.5.1 - Ensure core dump storage is disabled -> 1.5.1 - Ensure address space layout randomization is enabled

  • 1.5.2 - Ensure core dump backtraces are disabled -> 1.5.2 - Ensure ptrace_scope is restricted

  • 1.5.2 - Ensure core dump backtraces are disabled -> 1.5.3 - Ensure core dump backtraces are disabled

  • 1.6.1.1 - Ensure SELinux is installed -> 1.3.1.1 - Ensure SELinux is installed

  • 1.6.1.2 - Ensure SELinux is not disabled in bootloader configuration -> 1.3.1.2 - Ensure SELinux is not disabled in bootloader configuration

  • 1.6.1.3 - Ensure SELinux policy is configured -> 1.3.1.3 - Ensure SELinux policy is configured

  • 1.6.1.4 - Ensure the SELinux mode is not disabled -> 1.3.1.4 - Ensure the SELinux mode is not disabled

  • 1.6.1.5 - Ensure the SELinux mode is enforcing -> 1.3.1.5 - Ensure the SELinux mode is enforcing

  • 1.6.1.6 - Ensure no unconfined services exist -> 1.3.1.6 - Ensure no unconfined services exist

  • 1.6.1.7 - Ensure SETroubleshoot is not installed -> 1.3.1.8 - Ensure SETroubleshoot is not installed

  • 1.6.1.8 - Ensure the MCS Translation Service (mcstrans) is not installed -> 1.3.1.7 - Ensure the MCS Translation Service (mcstrans) is not installed

  • 1.7.4 - Ensure permissions on /etc/motd are configured -> 1.7.4 - Ensure access to /etc/motd is configured

  • 1.7.5 - Ensure permissions on /etc/issue are configured -> 1.7.5 - Ensure access to /etc/issue is configured

  • 1.7.6 - Ensure permissions on /etc/issue.net are configured -> 1.7.6 - Ensure access to /etc/issue.net is configured

  • 1.8.10 - Ensure XDCMP is not enabled -> 1.8.10 - Ensure XDMCP is not enabled

  • 1.9 - Ensure updates, patches, and additional security software are installed -> 1.2.2.1 - Ensure updates, patches, and additional security software are installed

  • 2.1.1 - Ensure time synchronization is in use -> 2.1.1 - Ensure autofs services are not in use

  • 2.1.1 - Ensure time synchronization is in use -> 2.3.1 - Ensure time synchronization is in use

  • 2.1.2 - Ensure chrony is configured -> 2.1.2 - Ensure avahi daemon services are not in use

  • 2.1.2 - Ensure chrony is configured -> 2.3.2 - Ensure chrony is configured

  • 2.2.1 - Ensure xorg-x11-server-common is not installed -> 2.2.1 - Ensure ftp client is not installed

  • 2.2.2 - Ensure Avahi Server is not installed -> 2.2.2 - Ensure ldap client is not installed

  • 2.2.3 - Ensure CUPS is not installed -> 2.2.3 - Ensure nis client is not installed

  • 2.2.4 - Ensure DHCP Server is not installed -> 2.2.4 - Ensure telnet client is not installed

  • 2.2.5 - Ensure DNS Server is not installed -> 2.2.5 - Ensure tftp client is not installed

  • 2.3.3 - Ensure TFTP client is not installed -> 2.3.3 - Ensure chrony is not run as the root user

  • 3.1.3 - Ensure TIPC is disabled -> 3.1.3 - Ensure bluetooth services are not in use

  • 3.2.1 - Ensure IP forwarding is disabled -> 3.2.1 - Ensure dccp kernel module is not available

  • 3.2.2 - Ensure packet redirect sending is disabled -> 3.2.2 - Ensure tipc kernel module is not available

  • 3.2.2 - Ensure packet redirect sending is disabled -> 3.3.2 - Ensure packet redirect sending is disabled

  • 3.3.1 - Ensure source routed packets are not accepted -> 3.3.1 - Ensure ip forwarding is disabled

  • 3.3.1 - Ensure source routed packets are not accepted -> 3.3.8 - Ensure source routed packets are not accepted

  • 3.3.3 - Ensure secure ICMP redirects are not accepted -> 3.3.3 - Ensure bogus icmp responses are ignored

  • 3.3.4 - Ensure suspicious packets are logged -> 3.3.4 - Ensure broadcast icmp requests are ignored

  • 3.3.4 - Ensure suspicious packets are logged -> 3.3.9 - Ensure suspicious packets are logged

  • 3.3.5 - Ensure broadcast ICMP requests are ignored -> 3.3.5 - Ensure icmp redirects are not accepted

  • 3.3.6 - Ensure bogus ICMP responses are ignored -> 3.3.6 - Ensure secure icmp redirects are not accepted

  • 3.3.7 - Ensure Reverse Path Filtering is enabled -> 3.3.7 - Ensure reverse path filtering is enabled

  • 3.4.1.1 - Ensure nftables is installed -> 4.1.1 - Ensure nftables is installed

  • 3.4.1.2 - Ensure a single firewall configuration utility is in use -> 4.1.2 - Ensure a single firewall configuration utility is in use

  • 3.4.2.3 - Ensure nftables base chains exist -> 4.3.1 - Ensure nftables base chains exist

  • 3.4.2.5 - Ensure firewalld drops unnecessary services and ports -> 4.2.1 - Ensure firewalld drops unnecessary services and ports

  • 3.4.2.6 - Ensure nftables established connections are configured -> 4.3.2 - Ensure nftables established connections are configured

  • 3.4.2.7 - Ensure nftables default deny firewall policy -> 4.3.3 - Ensure nftables default deny firewall policy

  • 4.1.1.2 - Ensure auditing for processes that start prior to auditd is enabled -> 6.3.1.2 - Ensure auditing for processes that start prior to auditd is enabled

  • 4.1.1.3 - Ensure audit_backlog_limit is sufficient -> 6.3.1.3 - Ensure audit_backlog_limit is sufficient

  • 4.1.2.1 - Ensure audit log storage size is configured -> 6.3.2.1 - Ensure audit log storage size is configured

  • 4.1.2.2 - Ensure audit logs are not automatically deleted -> 6.3.2.2 - Ensure audit logs are not automatically deleted

  • 4.1.2.3 - Ensure system is disabled when audit logs are full -> 6.3.2.3 - Ensure system is disabled when audit logs are full

  • 4.1.3.1 - Ensure changes to system administration scope (sudoers) is collected -> 6.3.3.1 - Ensure changes to system administration scope (sudoers) is collected

  • 4.1.3.2 - Ensure actions as another user are always logged -> 6.3.3.2 - Ensure actions as another user are always logged

  • 4.1.3.3 - Ensure events that modify the sudo log file are collected -> 6.3.3.3 - Ensure events that modify the sudo log file are collected

  • 4.1.3.4 - Ensure events that modify date and time information are collected -> 6.3.3.4 - Ensure events that modify date and time information are collected

  • 4.1.3.5 - Ensure events that modify the system's network environment are collected -> 6.3.3.5 - Ensure events that modify the system's network environment are collected

  • 4.1.3.6 - Ensure use of privileged commands are collected -> 6.3.3.6 - Ensure use of privileged commands are collected

  • 4.1.3.7 - Ensure unsuccessful file access attempts are collected -> 6.3.3.7 - Ensure unsuccessful file access attempts are collected

  • 4.1.3.8 - Ensure events that modify user/group information are collected -> 6.3.3.8 - Ensure events that modify user/group information are collected

  • 4.1.3.9 - Ensure discretionary access control permission modification events are collected -> 6.3.3.9 - Ensure discretionary access control permission modification events are collected

  • 4.1.3.10 - Ensure successful file system mounts are collected -> 6.3.3.10 - Ensure successful file system mounts are collected

  • 4.1.3.11 - Ensure session initiation information is collected -> 6.3.3.11 - Ensure session initiation information is collected

  • 4.1.3.12 - Ensure login and logout events are collected -> 6.3.3.12 - Ensure login and logout events are collected

  • 4.1.3.13 - Ensure file deletion events by users are collected -> 6.3.3.13 - Ensure file deletion events by users are collected

  • 4.1.3.14 - Ensure events that modify the system's Mandatory Access Controls are collected -> 6.3.3.14 - Ensure events that modify the system's Mandatory Access Controls are collected

  • 4.1.3.19 - Ensure kernel module loading unloading and modification is collected -> 6.3.3.19 - Ensure kernel module loading unloading and modification is collected

  • 4.1.3.20 - Ensure the audit configuration is immutable -> 6.3.3.20 - Ensure the audit configuration is immutable

  • 4.1.3.21 - Ensure the running and on disk configuration is the same -> 6.3.3.21 - Ensure the running and on disk configuration is the same

  • 4.2.1.1 - Ensure rsyslog is installed -> 6.2.3.1 - Ensure rsyslog is installed

  • 4.2.1.3 - Ensure journald is configured to send logs to rsyslog -> 6.2.3.3 - Ensure journald is configured to send logs to rsyslog

  • 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host -> 6.2.3.6 - Ensure rsyslog is configured to send logs to a remote log host

  • 4.2.1.7 - Ensure rsyslog is not configured to receive logs from a remote client -> 6.2.3.7 - Ensure rsyslog is not configured to receive logs from a remote client

  • 4.2.2.1.1 - Ensure systemd-journal-remote is installed -> 6.2.2.1.1 - Ensure systemd-journal-remote is installed

  • 5.1.1 - Ensure cron daemon is enabled -> 5.1.1 - Ensure permissions on /etc/ssh/sshd_config are configured

  • 5.1.2 - Ensure permissions on /etc/crontab are configured -> 5.1.2 - Ensure permissions on SSH private host key files are configured

  • 5.1.2 - Ensure permissions on /etc/crontab are configured -> 2.4.1.2 - Ensure permissions on /etc/crontab are configured

  • 5.1.3 - Ensure permissions on /etc/cron.hourly are configured -> 2.4.1.3 - Ensure permissions on /etc/cron.hourly are configured

  • 5.1.3 - Ensure permissions on /etc/cron.hourly are configured -> 5.1.3 - Ensure permissions on SSH public host key files are configured

  • 5.1.4 - Ensure permissions on /etc/cron.daily are configured -> 5.1.4 - Ensure sshd Ciphers are configured

  • 5.1.4 - Ensure permissions on /etc/cron.daily are configured -> 2.4.1.4 - Ensure permissions on /etc/cron.daily are configured

  • 5.1.5 - Ensure permissions on /etc/cron.weekly are configured -> 2.4.1.5 - Ensure permissions on /etc/cron.weekly are configured

  • 5.1.5 - Ensure permissions on /etc/cron.weekly are configured -> 5.1.5 - Ensure sshd KexAlgorithms is configured

  • 5.1.6 - Ensure permissions on /etc/cron.monthly are configured -> 5.1.6 - Ensure sshd MACs are configured

  • 5.1.6 - Ensure permissions on /etc/cron.monthly are configured -> 2.4.1.6 - Ensure permissions on /etc/cron.monthly are configured

  • 5.1.7 - Ensure permissions on /etc/cron.d are configured -> 2.4.1.7 - Ensure permissions on /etc/cron.d are configured

  • 5.1.7 - Ensure permissions on /etc/cron.d are configured -> 5.1.7 - Ensure sshd access is configured

  • 5.1.8 - Ensure cron is restricted to authorized users -> 5.1.8 - Ensure sshd Banner is configured

  • 5.1.9 - Ensure at is restricted to authorized users -> 5.1.9 - Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured

  • 5.1.9 - Ensure at is restricted to authorized users -> 2.4.2.1 - Ensure at is restricted to authorized users

  • 5.2.1 - Ensure permissions on /etc/ssh/sshd_config are configured -> 5.2.1 - Ensure sudo is installed

  • 5.2.2 - Ensure permissions on SSH private host key files are configured -> 5.2.2 - Ensure sudo commands use pty

  • 5.2.3 - Ensure permissions on SSH public host key files are configured -> 5.2.3 - Ensure sudo log file exists

  • 5.2.4 - Ensure SSH access is limited -> 5.2.4 - Ensure users must provide password for escalation

  • 5.2.5 - Ensure SSH LogLevel is appropriate -> 5.2.5 - Ensure re-authentication for privilege escalation is not disabled globally

  • 5.2.6 - Ensure SSH PAM is enabled -> 5.2.6 - Ensure sudo authentication timeout is configured correctly

  • 5.2.7 - Ensure SSH root login is disabled -> 5.2.7 - Ensure access to the su command is restricted

  • 5.6.1.5 - Ensure all users last password change date is in the past -> 5.4.1.6 - Ensure all users last password change date is in the past

  • 6.1.1 - Ensure permissions on /etc/passwd are configured -> 7.1.1 - Ensure permissions on /etc/passwd are configured

  • 6.1.2 - Ensure permissions on /etc/passwd- are configured -> 7.1.2 - Ensure permissions on /etc/passwd- are configured

  • 6.1.3 - Ensure permissions on /etc/group are configured -> 7.1.3 - Ensure permissions on /etc/group are configured

  • 6.1.4 - Ensure permissions on /etc/group- are configured -> 7.1.4 - Ensure permissions on /etc/group- are configured

  • 6.1.5 - Ensure permissions on /etc/shadow are configured -> 7.1.5 - Ensure permissions on /etc/shadow are configured

  • 6.1.6 - Ensure permissions on /etc/shadow- are configured -> 7.1.6 - Ensure permissions on /etc/shadow- are configured

  • 6.1.7 - Ensure permissions on /etc/gshadow are configured -> 7.1.7 - Ensure permissions on /etc/gshadow are configured

  • 6.1.8 - Ensure permissions on /etc/gshadow- are configured -> 7.1.8 - Ensure permissions on /etc/gshadow- are configured

  • 6.2.1 - Ensure accounts in /etc/passwd use shadowed passwords -> 7.2.1 - Ensure accounts in /etc/passwd use shadowed passwords

  • 6.2.2 - Ensure /etc/shadow password fields are not empty -> 7.2.2 - Ensure /etc/shadow password fields are not empty

  • 6.2.3 - Ensure all groups in /etc/passwd exist in /etc/group -> 7.2.3 - Ensure all groups in /etc/passwd exist in /etc/group

  • 6.2.4 - Ensure no duplicate UIDs exist -> 7.2.4 - Ensure no duplicate UIDs exist

  • 6.2.5 - Ensure no duplicate GIDs exist -> 7.2.5 - Ensure no duplicate GIDs exist

  • 6.2.6 - Ensure no duplicate user names exist -> 7.2.6 - Ensure no duplicate user names exist

  • 6.2.7 - Ensure no duplicate group names exist -> 7.2.7 - Ensure no duplicate group names exist

  • 6.2.9 - Ensure root is the only UID 0 account -> 5.4.2.1 - Ensure root is the only UID 0 account

Removed

The following controls are removed from the module:

  • 1.1.9 - Disable USB Storage

  • 1.5.3 - Ensure address space layout randomization (ASLR) is enabled

  • 1.10 - Ensure system-wide crypto policy is not legacy

  • 2.2.6 - Ensure VSFTP Server is not installed

  • 2.2.7 - Ensure TFTP Server is not installed

  • 2.2.8 - Ensure a web server is not installed

  • 2.2.9 - Ensure IMAP and POP3 server is not installed

  • 2.2.10 - Ensure Samba is not installed

  • 2.2.11 - Ensure HTTP Proxy Server is not installed

  • 2.2.12 - Ensure net-snmp is not installed

  • 2.2.13 - Ensure telnet-server is not installed

  • 2.2.14 - Ensure dnsmasq is not installed

  • 2.2.15 - Ensure mail transfer agent is configured for local-only mode

  • 2.2.16 - Ensure nfs-utils is not installed or the nfs-server service is masked

  • 2.2.17 - Ensure rpcbind is not installed or the rpcbind services are masked

  • 2.2.18 - Ensure rsync-daemon is not installed or the rsyncd service is masked

  • 2.3.1 - Ensure telnet client is not installed

  • 2.3.2 - Ensure LDAP client is not installed

  • 2.3.4 - Ensure FTP client is not installed

  • 2.4 - Ensure nonessential services listening on the system are or masked

  • 3.3.2 - Ensure ICMP redirects are not accepted

  • 3.3.8 - Ensure TCP SYN Cookies is enabled

  • 3.3.9 - Ensure IPv6 router advertisements are not accepted

  • 3.4.2.1 - Ensure firewalld default zone is set

  • 3.4.2.2 - Ensure at least one nftables table exists

  • 3.4.2.4 - Ensure host based firewall loopback traffic is configured

  • 4.1.1.1 - Ensure auditd is installed

  • 4.1.1.4 - Ensure auditd service is enabled

  • 4.1.3.15 - Ensure successful and unsuccessful attempts to use the chcon command are recorded

  • 4.1.3.16 - Ensure successful and unsuccessful attempts to use the setfacl command are recorded

  • 4.1.3.17 - Ensure successful and unsuccessful attempts to use the chacl command are recorded

  • 4.1.3.18 - Ensure successful and unsuccessful attempts to use the usermod command are recorded

  • 4.1.4.1 - Ensure audit log files are mode 0640 or less permissive

  • 4.1.4.2 - Ensure only authorized users own audit log files

  • 4.1.4.3 - Ensure only authorized groups are assigned ownership of audit log files

  • 4.1.4.4 - Ensure the audit log directory is 0750 or more restrictive

  • 4.1.4.5 - Ensure audit configuration files are 640 or more restrictive

  • 4.1.4.6 - Ensure audit configuration files are owned by root

  • 4.1.4.7 - Ensure audit configuration files belong to group root

  • 4.1.4.8 - Ensure audit tools are 755 or more restrictive

  • 4.1.4.9 - Ensure audit tools are owned by root

  • 4.1.4.10 - Ensure audit tools belong to group root

  • 4.2.1.2 - Ensure rsyslog service is enabled

  • 4.2.1.4 - Ensure rsyslog default file permissions are configured

  • 4.2.1.5 - Ensure logging is configured

  • 4.2.2.1.2 - Ensure systemd-journal-remote is configured

  • 4.2.2.1.3 - Ensure systemd-journal-remote is enabled

  • 4.2.2.1.4 - Ensure journald is not configured to receive logs from a remote client

  • 4.2.2.2 - Ensure journald service is enabled

  • 4.2.2.3 - Ensure journald is configured to compress large log files

  • 4.2.2.4 - Ensure journald is configured to write logfiles to persistent disk

  • 4.2.2.5 - Ensure journald is not configured to send logs to rsyslog

  • 4.2.2.6 - Ensure journald log rotation is configured per site policy

  • 4.2.2.7 - Ensure journald default file permissions configured

  • 4.2.3 - Ensure all logfiles have appropriate permissions and ownership

  • 4.3 - Ensure logrotate is configured

  • 5.2.8 - Ensure SSH HostbasedAuthentication is disabled

  • 5.2.9 - Ensure SSH PermitEmptyPasswords is disabled

  • 5.2.10 - Ensure SSH PermitUserEnvironment is disabled

  • 5.2.11 - Ensure SSH IgnoreRhosts is enabled

  • 5.2.12 - Ensure SSH X11 forwarding is disabled

  • 5.2.13 - Ensure SSH AllowTcpForwarding is disabled

  • 5.2.14 - Ensure system-wide crypto policy is not over-ridden

  • 5.2.15 - Ensure SSH warning banner is configured

  • 5.2.16 - Ensure SSH MaxAuthTries is set to 4 or less

  • 5.2.17 - Ensure SSH MaxStartups is configured

  • 5.2.18 - Ensure SSH MaxSessions is set to 10 or less

  • 5.2.19 - Ensure SSH LoginGraceTime is set to one minute or less

  • 5.2.20 - Ensure SSH Idle Timeout Interval is configured

  • 5.3.1 - Ensure sudo is installed

  • 5.3.2 - Ensure sudo commands use pty

  • 5.3.3 - Ensure sudo log file exists

  • 5.3.4 - Ensure users must provide password for escalation

  • 5.3.5 - Ensure re-authentication for privilege escalation is not disabled globally

  • 5.3.6 - Ensure sudo authentication timeout is configured correctly

  • 5.3.7 - Ensure access to the su command is restricted

  • 5.4.1 - Ensure custom authselect profile is used

  • 5.4.2 - Ensure authselect includes with-faillock

  • 5.5.1 - Ensure password creation requirements are configured

  • 5.5.2 - Ensure lockout for failed password attempts is configured

  • 5.5.3 - Ensure password reuse is limited

  • 5.5.4 - Ensure password hashing algorithm is SHA-512 or yescrypt

  • 5.6.1.1 - Ensure password expiration is 365 days or less

  • 5.6.1.2 - Ensure minimum days between password changes is configured

  • 5.6.1.3 - Ensure password expiration warning days is 7 or more

  • 5.6.1.4 - Ensure inactive password lock is 30 days or less

  • 5.6.2 - Ensure system accounts are secured

  • 5.6.3 - Ensure default user shell timeout is 900 seconds or less

  • 5.6.4 - Ensure default group for the root account is GID 0

  • 5.6.5 - Ensure default user umask is 027 or more restrictive

  • 5.6.6 - Ensure root password is set

  • 6.1.9 - Ensure no world writable files exist

  • 6.1.10 - Ensure no unowned files or directories exist

  • 6.1.11 - Ensure no ungrouped files or directories exist

  • 6.1.12 - Ensure sticky bit is set on all world-writable directories

  • 6.1.13 - Audit SUID executables

  • 6.1.14 - Audit SGID executables

  • 6.1.15 - Audit system file permissions

  • 6.2.8 - Ensure root PATH Integrity

  • 6.2.10 - Ensure local interactive user home directories exist

  • 6.2.11 - Ensure local interactive users own their home directories

  • 6.2.12 - Ensure local interactive user home directories are mode 750 or more restrictive

  • 6.2.13 - Ensure no local interactive user has .netrc files

  • 6.2.14 - Ensure no local interactive user has .forward files

  • 6.2.15 - Ensure no local interactive user has .rhosts files

  • 6.2.16 - Ensure local interactive user dot files are not group or world writable