Control updates introduced for CIS Oracle Linux 7 Benchmark v4.0.0

SCE for Linux v2.1.0 introduces enforcement for Center for Internet Security (CIS) Oracle Linux 7 Benchmark v4.0.0. The transition from the previous CIS Benchmark, v3.1.1, to the new benchmark resulted in module updates.

Added

The following controls are added to the module:

  • 1.1.1.2 - Ensure freevxfs kernel module is not available

  • 1.1.1.3 - Ensure hfs kernel module is not available

  • 1.1.1.4 - Ensure hfsplus kernel module is not available

  • 1.1.1.5 - Ensure jffs2 kernel module is not available

  • 1.1.2.3.2 - Ensure nodev option set on /home partition

  • 1.1.2.3.3 - Ensure nosuid option set on /home partition

  • 1.1.2.4.2 - Ensure nodev option set on /var partition

  • 1.1.2.4.3 - Ensure nosuid option set on /var partition

  • 1.1.2.5.2 - Ensure nodev option set on /var/tmp partition

  • 1.1.2.5.3 - Ensure nosuid option set on /var/tmp partition

  • 1.1.2.5.4 - Ensure noexec option set on /var/tmp partition

  • 1.1.2.6.2 - Ensure nodev option set on /var/log partition

  • 1.1.2.6.3 - Ensure nosuid option set on /var/log partition

  • 1.1.2.6.4 - Ensure noexec option set on /var/log partition

  • 1.1.2.7.2 - Ensure nodev option set on /var/log/audit partition

  • 1.1.2.7.3 - Ensure nosuid option set on /var/log/audit partition

  • 1.1.2.7.4 - Ensure noexec option set on /var/log/a

  • 1.4.2 - Ensure ptrace_scope is restricted

  • 1.4.3 - Ensure core dump backtraces are disabled

  • 1.4.4 - Ensure core dump storage is disabled

  • 1.7.1 - Ensure GNOME Display Manager is removed

  • 1.7.4 - Ensure GDM screen locks when the user is idle

  • 1.7.5 - Ensure GDM screen locks cannot be overridden

  • 1.7.6 - Ensure GDM automatic mounting of removable media is disabled

  • 1.7.7 - Ensure GDM disabling automatic mounting of removable media is not overridden

  • 1.7.8 - Ensure GDM autorun-never is enabled

  • 1.7.9 - Ensure GDM autorun-never is not overridden

  • 2.1.3 - Ensure chrony is not run as the root user

  • 2.2.5 - Ensure dnsmasq services are not in use

  • 2.2.16 - Ensure tftp server services are not in use

  • 2.3.1 - Ensure ftp client is not installed

  • 2.3.5 - Ensure tftp client is not installed

  • 3.1.3 - Ensure bluetooth services are not in use

  • 3.2.2 - Ensure tipc kernel module is not available

  • 3.2.3 - Ensure rds kernel module is not available

  • 3.4.1.2 - Ensure a single firewall configuration utility is in use

  • 4.2.9 - Ensure sshd GSSAPIAuthentication is disabled

  • 4.3.4 - Ensure users must provide password for escalation

  • 4.3.5 - Ensure re-authentication for privilege escalation is not disabled globally

  • 4.3.6 - Ensure sudo authentication timeout is configured correctly

  • 4.4.1.1 - Ensure latest version of pam is installed

  • 4.4.1.2 - Ensure libpwquality is installed

  • 4.4.2.1.1 - Ensure pam_faillock module is enabled

  • 4.4.2.1.3 - Ensure password unlock time is configured

  • 4.4.2.1.4 - Ensure password failed attempts lockout includes root account

  • 4.4.2.2.2 - Ensure password number of changed characters is configured

  • 4.4.2.2.3 - Ensure password length is configured

  • 4.4.2.2.4 - Ensure password complexity is configured

  • 4.4.2.2.5 - Ensure password same consecutive characters is configured

  • 4.4.2.2.6 - Ensure password maximum sequential characters is configured

  • 4.4.2.2.7 - Ensure password dictionary check is enabled

  • 4.4.2.3.1 - Ensure pam_pwhistory module is enabled

  • 4.4.2.3.2 - Ensure password history remember is configured

  • 4.4.2.3.4 - Ensure pam_pwhistory includes use_authtok

  • 4.4.2.4.1 - Ensure pam_unix does not include nullok

  • 4.4.2.4.2 - Ensure pam_unix does not include remember

  • 4.4.2.4.3 - Ensure pam_unix includes a strong password hashing algorithm

  • 4.4.2.4.4 - Ensure pam_unix includes use_authtok

  • 4.5.1.1 - Ensure strong password hashing algorithm is configured

  • 4.5.2.2 - Ensure root user umask is configured

  • 4.5.3.1 - Ensure nologin is not listed in /etc/shells

  • 5.1.1.7 - Ensure rsyslog is not configured to receive logs from a remote client

  • 5.1.2.1.1 - Ensure systemd-journal-remote is installed

  • 5.1.2.1.2 - Ensure systemd-journal-remote is configured

  • 5.1.2.1.3 - Ensure systemd-journal-remote is enabled

  • 5.1.2.1.4 - Ensure journald is not configured to receive logs from a remote client

  • 5.1.2.2 - Ensure journald service is enabled

  • 5.2.3.3 - Ensure events that modify the sudo log file are collected

  • 5.2.3.15 - Ensure successful and unsuccessful attempts to use the chcon command are recorded

  • 5.2.3.16 - Ensure successful and unsuccessful attempts to use the setfacl command are recorded

  • 5.2.3.17 - Ensure successful and unsuccessful attempts to use the chacl command are recorded

  • 5.2.3.18 - Ensure successful and unsuccessful attempts to use the usermod command are recorded

  • 5.2.4.1 - Ensure the audit log directory is 0750 or more restrictive

  • 5.2.4.2 - Ensure audit log files are mode 0640 or less permissive

  • 5.2.4.3 - Ensure only authorized users own audit log files

  • 5.2.4.4 - Ensure only authorized groups are assigned ownership of audit log files

  • 5.2.4.5 - Ensure audit configuration files are 640 or more restrictive

  • 5.2.4.6 - Ensure audit configuration files are owned by root

  • 5.2.4.7 - Ensure audit configuration files belong to group root

  • 5.2.4.8 - Ensure audit tools are 755 or more restrictive

  • 5.2.4.9 - Ensure audit tools are owned by root

  • 5.2.4.10 - Ensure audit tools belong to group root

  • 6.1.9 - Ensure permissions on /etc/shells are configured

  • 6.1.10 - Ensure permissions on /etc/security/opasswd are configured

  • 6.1.11 - Ensure world writable files and directories are secured

Changed

The following controls are changed in the module. For more detailed information, go to the CIS Benchmarks List webpage, download the PDF file, and review the change history. In the following list, the previous control numbers are listed first, followed by the new control numbers and names:

  • Control renamed from 1.1.1.1 - Ensure mounting of cramfs filesystems is disabled - to Ensure cramfs kernel module is not available.

  • Control 1.1.1.2 - Ensure mounting of squashfs filesystems is disabled - is replaced by 1.1.1.6 - Ensure squashfs kernel module is not available.

  • Control 1.1.1.3 - Ensure mounting of udf filesystems is disabled - is replaced by 1.1.1.7 - Ensure udf kernel module is not available.

  • Control number changed from 1.1.3 to 1.1.2.1.4 - Ensure noexec option set on /tmp partition.

  • Control number changed from 1.1.4 to 1.1.2.1.2 - Ensure nodev option set on /tmp partition.

  • Control number changed from 1.1.5 to 1.1.2.1.3 - Ensure nosuid option set on /tmp partition.

  • Control number changed from 1.1.7 to 1.1.2.2.4 - Ensure noexec option set on /dev/shm partition.

  • Control number changed from 1.1.8 to 1.1.2.2.2 - Ensure nodev option set on /dev/shm partition.

  • Control number changed from 1.1.9 to 1.1.2.2.3 - Ensure nosuid option set on /dev/shm partition.

  • Control number changed from 1.1.10 to 1.1.2.4.1 - Ensure separate partition exists for /var.

  • Control number changed from 1.1.11 to 1.1.2.5.1 - Ensure separate partition exists for /var/tmp.

  • Control number changed from 1.1.15 to 1.1.2.6.1 - Ensure separate partition exists for /var/log.

  • Control number changed from 1.1.16 to 1.1.2.7.1 - Ensure separate partition exists for /var/log/audit.

  • Control number changed from 1.1.17 to 1.1.2.3.1 - Ensure separate partition exists for /home.

  • Control 1.1.23 - Disable Automounting - is replaced by 2.2.1 - Ensure autofs services are not in use.

  • Control 1.1.24 - Disable USB Storage - is replaced by 1.1.1.8 - Ensure usb-storage kernel module is not available.

  • Control number changed from 1.2.2 to 1.2.4 - Ensure package manager repositories are configured.

  • Control number changed from 1.2.3 to 1.2.2 - Ensure gpgcheck is globally activated.

  • Control number changed from 1.3.1 to 5.3.1 - Ensure AIDE is installed.

  • Control number changed from 1.3.2 to 5.3.2 - Ensure filesystem integrity is regularly checked.

  • Control number changed from 1.4.1 to 1.3.1 - Ensure bootloader password is set.

  • Control number changed from 1.4.2 to 1.3.2 - Ensure permissions on bootloader config are configured.

  • Control number changed from 1.4.3 to 1.3.3 - Ensure authentication required for single user mode.

  • Control number changed from 1.5.3 to 1.4.1 - Ensure address space layout randomization (ASLR) is enabled.

  • Control number changed from 1.6.1.1 to 1.5.1.1 - Ensure SELinux is installed.

  • Control number changed from 1.6.1.2 to 1.5.1.2 - Ensure SELinux is not disabled in bootloader configuration.

  • Control number changed from 1.6.1.3 to 1.5.1.3 - Ensure SELinux policy is configured.

  • Control 1.6.1.4 - Ensure the SELinux mode is enforcing or permissive - is replaced by 1.5.1.4 - Ensure the SELinux mode is not disabled.

  • Control number changed from 1.6.1.5 to 1.5.1.5 - Ensure the SELinux mode is enforcing.

  • Control number changed from 1.6.1.7 to 1.5.1.8 - Ensure SETroubleshoot is not installed.

  • Control number changed from 1.6.1.8 to 1.5.1.7 - Ensure the MCS Translation Service (mcstrans) is not installed.

  • Control number changed from 1.7.1 to 1.6.1 - Ensure message of the day is configured properly.

  • Control number changed from 1.7.2 to 1.6.2 - Ensure local login warning banner is configured properly.

  • Control number changed from 1.7.3 to 1.6.3 - Ensure remote login warning banner is configured properly.

  • Control 1.7.4 - Ensure permissions on /etc/motd are configured - is replaced by 1.6.4 - Ensure access to /etc/motd is configured.

  • Control 1.7.5 - Ensure permissions on /etc/issue are configured - is replaced by 1.6.5 - Ensure access to /etc/issue is configured.

  • Control 1.7.6 - Ensure permissions on /etc/issue.net are configured - is replaced by 1.6.6 - Ensure access to /etc/issue.net is configured.

  • Control number changed from 1.8.2 to 1.7.2 - Ensure GDM login banner is configured.

  • Control 1.8.3 - Ensure last logged in user display is disabled - is replaced by 1.7.3 - Ensure GDM disable-user-list option is enabled. Added a new parameter, disable_user_list_at_login_screen, with a default value of true.

  • Control number changed from 1.8.4 to 1.7.10 - Ensure XDMCP is not enabled.

  • Control 2.1.1 - Ensure xinetd is not installed - is replaced by 2.2.19 - Ensure xinetd services are not in use.

  • Control number changed from 2.2.1.1 to 2.1.1 - Ensure time synchronization is in use.

  • Control number changed from 2.2.1.2 to 2.1.2 - Ensure chrony is configured.

  • Control 2.2.2 - Ensure X11 Server components are not installed - is replaced by 2.2.20 - Ensure X window server services are not in use.

  • Control 2.2.3 - Ensure Avahi Server is not installed - is replaced by 2.2.2 - Ensure avahi daemon services are not in use.

  • Control 2.2.4 - Ensure CUPS is not installed - is replaced by 2.2.11 - Ensure print server services are not in use.

  • Control 2.2.5 - Ensure DHCP Server is not installed - is replaced by 2.2.3 - Ensure dhcp server services are not in use.

  • Control 2.2.7 - Ensure DNS Server is not installed - is replaced by 2.2.4 - Ensure dns server services are not in use.

  • Control 2.2.8 - Ensure FTP Server is not installed - is replaced by 2.2.7 - Ensure ftp server services are not in use.

  • Control 2.2.9 - Ensure HTTP server is not installed - is replaced by 2.2.18 - Ensure web server services are not in use.

  • Control 2.2.10 - Ensure IMAP and POP3 server is not installed - is replaced by 2.2.8 - Ensure message access server services are not in use.

  • Control 2.2.11 - Ensure Samba is not installed - is replaced by 2.2.6 - Ensure samba file server services are not in use.

  • Control 2.2.12 - Ensure HTTP Proxy Server is not installed - is replaced by 2.2.17 - Ensure web proxy server services are not in use.

  • Control 2.2.13 - Ensure net-snmp is not installed - is replaced by 2.2.14 - Ensure snmp services are not in use.

  • Control 2.2.14 - Ensure NIS server is not installed - is replaced by 2.2.10 - Ensure nis server services are not in use.

  • Control 2.2.15 - Ensure telnet-server is not installed - is replaced by 2.2.15 - Ensure telnet server services are not in use.

  • Control 2.2.16 - Ensure mail transfer agent is configured for local-only mode - is replaced by 2.2.21 - Ensure mail transfer agents are configured for local-only mode.

  • Control 2.2.17 - Ensure nfs-utils is not installed or the nfs-server service is masked - is replaced by 2.2.9 - Ensure network file system services are not in use.

  • Control 2.2.18 - Ensure rpcbind is not installed or the rpcbind services are masked - is replaced by 2.2.12 - Ensure rpcbind services are not in use.

  • Control 2.2.19 - Ensure rsync is not installed or the rsyncd service is masked - is replaced by 2.2.13 - Ensure rsync services are not in use.

  • Control number changed from 2.3.1 to 2.3.3 - Ensure nis client is not installed.

  • Control number changed from 2.3.5 to 2.3.2 - Ensure ldap client is not installed.

  • Control 3.2.1 - Ensure IP forwarding is disabled - is replaced by 4.3.1 - Ensure IP forwarding is disabled.

  • Control number changed from 3.2.2 to 3.3.2 - Ensure packet redirect sending is disabled.

  • Control number changed from 3.3.1 to 3.3.8 - Ensure source routed packets are not accepted.

  • Control number changed from 3.3.2 to 3.3.5 - Ensure icmp redirects are not accepted.

  • Control number changed from 3.3.3 to 3.3.6 - Ensure secure icmp redirects are not accepted.

  • Control number changed from 3.3.4 to 3.3.9 - Ensure suspicious packets are logged.

  • Control number changed from 3.3.5 to 3.3.4 - Ensure broadcast icmp requests are ignored.

  • Control number changed from 3.3.6 to 3.3.3 - Ensure bogus icmp responses are ignored.

  • Control 3.3.8 - Ensure TCP SYN Cookies is enabled - is replaced by 3.3.10 - Ensure tcp syn cookies is enabled.

  • Control 3.3.9 - Ensure IPv6 router advertisements are not accepted - is replaced by 3.3.11 - Ensure ipv6 router advertisements are not accepted.

  • Control 3.4.1 - Ensure DCCP is disabled - is replaced by 3.2.1 - Ensure dccp kernel module is not available.

  • Control 3.4.2 - Ensure SCTP is disabled - is replaced by 3.2.4 - Ensure sctp kernel module is not available.

  • Control number changed from 3.5.1.1 to 3.4.2.1 - Ensure firewalld is installed.

  • Control number changed from 3.5.1.4 to 3.4.2.2 - Ensure firewalld service enabled and running.

  • Controls 3.5.3.11, 3.5.3.2.1, 3.5.3.2.2, 3.5.3.2.3, 3.5.3.2.4, 3.5.3.2.5, 3.5.3.3.1, 3.5.3.3.2, 3.5.3.3.3, 3.5.3.3.4, and 3.5.3.3.5 are combined into a single control: 3.4.1.2 - Ensure a single firewall configuration utility is in use.

  • Control 3.5.3.2.6 - Ensure iptables is enabled and running - is replaced by 3.4.4.2.6 - Ensure iptables service is enabled and active.

  • Control 3.5.3.3.6 - Ensure ip6tables is enabled and running - is replaced by 3.4.4.3.6 - Ensure ip6tables is enabled and active.

  • Control 4.1.1.1 - Ensure auditd is installed - is replaced by 5.2.1.1 - Ensure audit is installed.

  • Control 4.1.1.2 - Ensure auditd service is enabled and running - is replaced by 5.2.1.4 - Ensure auditd service is enabled.

  • Control number changed from 4.1.1.3 to 5.2.1.2 - Ensure auditing for processes that start prior to auditd is enabled.

  • Control 4.1.10 - Ensure unsuccessful unauthorized file access attempts are collected - is replaced by 5.2.3.7 - Ensure unsuccessful file access attempts are collected.

  • Control 4.1.11 - Ensure use of privileged commands is collected - is replaced by 5.2.3.6 - Ensure use of privileged commands are collected.

  • Control 4.1.15 - Ensure system administrator command executions (sudo) are collected - is replaced by 5.2.3.2 - Ensure actions as another user are always logged.

  • Control 4.1.16 - Ensure kernel module loading and unloading is collected - is replaced by 5.2.3.19 - Ensure kernel module loading unloading and modification is collected.

  • Control number changed from 4.1.2.1 to 5.2.2.1 - Ensure audit log storage size is configured.

  • Control number changed from 4.1.3 to 5.2.3.4 - Ensure events that modify date and time information are collected.

  • Control number changed from 4.1.4 to 5.2.3.8 - Ensure events that modify user/group information are collected.

  • Control number changed from 4.1.5 to 5.2.3.5 - Ensure events that modify the system's network environment are collected.

  • Control number changed from 4.1.6 to 5.2.3.14 - Ensure events that modify the system's Mandatory Access Controls are collected.

  • Control number changed from 4.1.7 to 5.2.3.12 - Ensure login and logout events are collected.

  • Control number changed from 4.1.8 to 5.2.3.11 - Ensure session initiation information is collected.

  • Control number changed from 4.1.9 to 5.2.3.9 - Ensure discretionary access control permission modification events are collected.

  • Control number changed from 4.1.12 to 5.2.3.10 - Ensure successful file system mounts are collected.

  • Control number changed from 4.1.13 to 5.2.3.13 - Ensure file deletion events by users are collected.

  • Control number changed from 4.1.14 to 5.2.3.1 - Ensure changes to system administration scope (sudoers) is collected.

  • Control number changed from 4.1.17 to 5.2.3.20 - Ensure the audit configuration is immutable.

  • Control number changed from 4.1.2.2 to 5.2.2.2 - Ensure audit logs are not automatically deleted.

  • Control 4.1.2.3 - Ensure system is disabled when audit logs are full - is replaced by 5.2.2.4 - Ensure system warns when audit logs are low on space. The default value of the space_left_action parameter is set to 'email'. The default value of the admin_space_left_action parameter is set to 'single'.

  • Control number changed from 4.1.2.4 to 5.2.1.3 - Ensure audit_backlog_limit is sufficient.

  • Control number changed from 4.2.1.1 to 5.1.1.1 - Ensure rsyslog is installed.

  • Control 4.2.1.2 - Ensure rsyslog Service is enabled and running - is replaced by 5.1.1.2 - Ensure rsyslog service is enabled.

  • Control 4.2.1.3 - Ensure rsyslog default file permissions configured - is replaced by 5.1.1.4 - Ensure rsyslog default file permissions are configured.

  • Control number changed from 4.2.1.4 to 5.1.1.5 - Ensure logging is configured.

  • Control number changed from 4.2.1.5 to 5.1.1.6 - Ensure rsyslog is configured to send logs to a remote log host.

  • Control number changed from 4.2.2.1 to 5.1.1.3 - Ensure journald is configured to send logs to rsyslog.

  • Control number changed from 4.2.2.2 to 5.1.2.3 - Ensure journald is configured to compress large log files.

  • Control number changed from 4.2.2.3 to 5.1.2.4 - Ensure journald is configured to write logfiles to persistent disk.

  • Control 4.2.3 - Ensure permissions on all logfiles are configured - is replaced by 5.1.4 - Ensure all logfiles have appropriate access configured.

  • Control number changed from 4.2.4 to 5.1.3 - Ensure logrotate is configured.

  • Control 5.1.1 - Ensure cron daemon is enabled and running - is replaced by 4.1.1.1 - Ensure cron daemon is enabled and active.

  • Control number changed from 5.1.2 to 4.1.1.2 - Ensure permissions on /etc/crontab are configured.

  • Control number changed from 5.1.3 to 4.1.1.3 - Ensure permissions on /etc/cron.hourly are configured.

  • Control number changed from 5.1.5 to 4.1.1.5 - Ensure permissions on /etc/cron.weekly are configured.

  • Control number changed from 5.1.6 to 4.1.1.6 - Ensure permissions on /etc/cron.monthly are configured.

  • Control number changed from 5.1.7 to 4.1.1.7 - Ensure permissions on /etc/cron.d are configured.

  • Control 5.1.8 - Ensure cron is restricted to authorized users - is replaced by 4.1.1.8 - Ensure crontab is restricted to authorized users.

    This control restricts the users who can run cron jobs as specified in the cron.allow and cron.deny files. The control enforces a default setting of manage_cron_deny=true, which means that the module manages the owner, group, and permissions of the cron.deny file. If the cron.deny file exists, only the assigned user or group has read and write access. If the value is changed to false, the module does not control the owner, group, or permissions.

    The control also manages file purging. The default setting is purge_cron_deny=false, which means that the cron.deny file will not be removed from disk. If the value is changed to true, the file will be removed from disk.

  • Control number changed from 5.1.9 to 4.1.2.1 - Ensure at is restricted to authorized users.

    This control helps to enforce secure configurations for at jobs. The users and groups that are authorized to schedule at jobs are defined in the at.allow and at.deny files. The control enforces a default setting of manage_at_deny=true, which means that the module manages the owner, group, and permissions of the at.deny file. If the at.deny file exists, only the assigned user or group has read and write access. If the value is changed to false, the module does not control the owner, group, or permissions.

    The control also manages file purging. The default setting is purge_at_deny=false, which means that the at.deny file will not be removed from disk. If the value is changed to true, the file will be removed from disk.

  • Control number changed from 5.2.1 to 4.3.1 - Ensure sudo is installed.

  • Control number changed from 5.2.2 to 4.3.2 - Ensure sudo commands use pty.

  • Control number changed from 5.2.3 to 4.3.3 - Ensure sudo log file exists.

  • Control number changed from 5.3.1 to 4.2.1 - Ensure permissions on /etc/ssh/sshd_config are configured.

  • Control 5.3.13 - Ensure only strong Ciphers are used - is replaced by 4.2.6 - Ensure sshd Ciphers are configured.

  • Control 5.3.14 - Ensure only strong MAC algorithms are used - is replaced by 4.2.15 - Ensure sshd MACs are configured.

  • Control 5.3.15 - Ensure only strong Key Exchange algorithms are used - is replaced by 4.2.12 - Ensure sshd KexAlgorithms is configured.

  • Control 5.3.16 - Ensure SSH Idle Timeout Interval is configured - is replaced by 4.2.7 - Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured. The default value for ClientAliveInterval changed from 300 to 15. The default value for ClientAliveCountMax changed from 0 to 3.

  • Control 5.3.17 - Ensure SSH LoginGraceTime is set to one minute or less - is replaced by 4.2.13 - Ensure sshd LoginGraceTime is configured.

  • Control 5.3.18 - Ensure SSH warning banner is configured - is replaced by 4.2.5 - Ensure sshd Banner is configured.

  • Control number changed from 5.3.2 to 4.2.2 - Ensure permissions on SSH private host key files are configured.

  • Control 5.3.4 - Ensure SSH access is limited - is replaced by 4.2.4 - Ensure sshd access is configured.

  • Control 5.3.7 - Ensure SSH MaxAuthTries is set to 4 or less - is replaced by 4.2.16 - Ensure sshd MaxAuthTries is configured.

  • Control 5.3.8 - Ensure SSH IgnoreRhosts is enabled - is replaced by 4.2.11 - Ensure sshd IgnoreRhosts is enabled.

  • Control 5.3.9 - Ensure SSH HostbasedAuthentication is disabled - is replaced by 4.2.10 - Ensure sshd HostbasedAuthentication is disabled.

  • Control 5.3.10 - Ensure SSH root login is disabled - is replaced by 4.2.20 - Ensure sshd PermitRootLogin is disabled.

  • Control 5.3.11 - Ensure SSH PermitEmptyPasswords is disabled - is replaced by 4.2.19 - Ensure sshd PermitEmptyPasswords is disabled.

  • Control 5.3.12 - Ensure SSH PermitUserEnvironment is disabled - is replaced by 4.2.21 - Ensure sshd PermitUserEnvironment is disabled.

  • Control 5.3.19 - Ensure SSH PAM is enabled - is replaced by 4.2.22 - Ensure sshd UsePAM is enabled.

  • Control 5.3.21 - Ensure SSH MaxStartups is configured - is replaced by 4.2.18 - Ensure sshd MaxStartups is configured.

  • Control 5.3.22 - Ensure SSH MaxSessions is limited - is replaced by 4.2.17 - Ensure sshd MaxSessions is configured.

  • Control number changed from 5.3.3 to 4.2.3 - Ensure permissions on SSH public host key files are configured.

  • Control 5.3.5 - Ensure SSH LogLevel is appropriate - is replaced by 4.2.14 - Ensure sshd LogLevel is configured.

  • Control 5.3.6 - Ensure SSH X11 forwarding is disabled - is replaced by 4.2.8 - Ensure sshd DisableForwarding is enabled. The x11_forwarding parameter is replaced by the disable_forwarding parameter, which has a default value of true.

  • Control 5.4.2 - Ensure lockout for failed password attempts is configured - is replaced by 4.4.2.1.2 - Ensure password failed attempts lockout is configured.

  • Control number changed from 5.5.1.1 to 4.5.1.2 - Ensure password expiration is 365 days or less.

  • Control number changed from 5.5.1.3 to 4.5.1.3 - Ensure password expiration warning days is 7 or more.

  • Control number changed from 5.5.1.4 to 4.5.1.4 - Ensure inactive password lock is 30 days or less.

  • Control number changed from 5.5.1.5 to 4.5.1.5 - Ensure all users last password change date is in the past.

  • Control number changed from 5.5.2 to 4.5.2.3 - Ensure system accounts are secured.

  • Control number changed from 5.5.3 to 4.5.2.1 - Ensure default group for the root account is GID 0.

  • Control number changed from 5.5.4 to 4.5.3.2 - Ensure default user shell timeout is configured.

  • Control number changed from 5.5.5 to 4.5.3.3 - Ensure default user umask is configured.

  • Control number changed from 5.7 to 4.3.7 - Ensure access to the su command is restricted.

  • Control number changed from 6.1.2 to 6.1.1 - Ensure permissions on /etc/passwd are configured.

  • Control number changed from 6.1.3 to 6.1.2 - Ensure permissions on /etc/passwd- are configured.

  • Control number changed from 6.1.4 to 6.1.5 - Ensure permissions on /etc/shadow are configured.

  • Control number changed from 6.1.5 to 6.1.6 - Ensure permissions on /etc/shadow- are configured.

  • Control number changed from 6.1.6 to 6.1.8 - Ensure permissions on /etc/gshadow- are configured.

  • Control number changed from 6.1.8 to 6.1.3 - Ensure permissions on /etc/group are configured.

  • Control number changed from 6.1.9 to 6.1.4 - Ensure permissions on /etc/group- are configured.

Removed

The following controls are removed from the module:

  • 1.1.22 - Ensure sticky bit is set on all world-writable directories

  • 1.2.5 - Disable the rhnsd Daemon

  • 1.5.1 - Ensure core dumps are restricted

  • 1.5.4 - Ensure prelink is not installed

  • 2.2.1.3 - Ensure ntp is configured

  • 2.2.6 - Ensure LDAP server is not installed

  • 2.3.2 - Ensure rsh client is not installed

  • 2.3.3 - Ensure talk client is not installed

  • 3.1.1 - Disable IPv6

  • 3.5.1.2 - Ensure iptables-services not installed with firewalld

  • 3.5.1.3 - Ensure nftables either not installed or masked with firewalld

  • 3.5.1.5 - Ensure firewalld default zone is set

  • 3.5.2.3 - Ensure iptables-services not installed with nftables

  • 3.5.2.10 - Ensure nftables service is enabled

  • 3.5.3.1.1 - Ensure iptables packages are installed

  • 3.5.3.1.2 - Ensure nftables is not installed with iptables

  • 3.5.3.1.3 - Ensure firewalld is either not installed or masked with iptables

  • 3.5.3.2.1 - Ensure iptables loopback traffic is configured

  • 3.5.3.2.2 - Ensure iptables outbound and established connections are configured

  • 3.5.3.2.3 - Ensure iptables rules exist for all open ports

  • 3.5.3.2.4 - Ensure iptables default deny firewall policy

  • 3.5.3.2.5 - Ensure iptables rules are saved

  • 3.5.3.3.1 - Ensure ip6tables loopback traffic is configured

  • 3.5.3.3.2 - Ensure ip6tables outbound and established connections are configured

  • 3.5.3.3.3 - Ensure ip6tables firewall rules exist for all open ports

  • 3.5.3.3.4 - Ensure ip6tables default deny firewall policy

  • 3.5.3.3.5 - Ensure ip6tables rules are saved

  • 4.2.1.6 - Ensure remote rsyslog messages are only accepted on designated log hosts

  • 5.3.20 - Ensure SSH AllowTcpForwarding is disabled

  • 5.4.1 - Ensure password creation requirements are configured

  • 6.2.12 - Ensure users own their home directories

  • 6.2.13 - Ensure users' home directories permissions are 750 or more restrictive

  • 6.2.14 - Ensure users' dot files are not group or world writable

  • 6.2.15 - Ensure no users have .forward files

  • 6.2.16 - Ensure no users have .netrc files

  • 6.2.17 - Ensure no users have .rhosts files