Control updates introduced for CIS Rocky Linux 8 Benchmark v2.0.0
SCE for Linux v2.0.0 introduces enforcement for Center for Internet Security (CIS) Rocky Linux 8 Benchmark v2.0.0. The transition from the previous CIS Benchmark, v1.0.0, to the new benchmark resulted in module updates.
- Added
- The following controls are added to the module:
- 1.1.1.1 - Ensure cramfs kernel module is not available
- 1.1.1.2 - Ensure freevxfs kernel module is not available
1.1.1.3 - Ensure hfs kernel module is not available
1.1.1.4 - Ensure hfsplus kernel module is not available
1.1.1.5 - Ensure jffs2 kernel module is not available
1.1.1.6 - Ensure squashfs kernel module is not available
1.1.1.7 - Ensure udf kernel module is not available
1.1.1.8 - Ensure usb-storage kernel module is not available
1.4.2 - Ensure ptrace_scope is restricted
1.6.1 - Ensure system wide crypto policy is not set to legacy
1.6.2 - Ensure system wide crypto policy disables sha1 hash and signature support
1.6.3 - Ensure system wide crypto policy disables cbc for ssh
1.6.4 - Ensure system wide crypto policy disables macs less than 128 bits
1.7.4 - Ensure access to /etc/motd is configured
1.7.5 - Ensure access to /etc/issue is configured
1.7.6 - Ensure access to /etc/issue.net is configured
1.8.3 - Ensure GDM disableuser-list option is enabled
1.8.4 - Ensure GDM screen locks when the user is idle
1.8.5 - Ensure GDM screen locks cannot be overridden
1.8.6 - Ensure GDM automatic mounting of removable media is disabled
1.8.7 - Ensure GDM disabling automatic mounting of removable media is not overridden
1.8.8 - Ensure GDM autorun-never is enabled
1.8.9 - Ensure GDM autorun-never is not overridden
2.1.3 - Ensure chrony is not run as the root user
2.2.1 - Ensure autofs services are not in use
2.2.2 - Ensure avahi daemon services are not in use
2.2.3 - Ensure dhcp server services are not in use
2.2.4 - Ensure dns server services are not in use
2.2.5 - Ensure dnsmasq services are not in use
2.2.6 - Ensure samba file server services are not in use
2.2.7 - Ensure ftp server services are not in use
2.2.8 - Ensure message access server services are not in use
2.2.9 - Ensure network file system services are not in use
2.2.10 - Ensure nis server services are not in use
2.2.11 - Ensure print server services are not in use
2.2.12 - Ensure rpcbind services are not in use
2.2.13 - Ensure rsync services are not in use
2.2.14 - Ensure snmp services are not in use
2.2.15 - Ensure telnet server services are not in use
2.2.16 - Ensure tftp server services are not in use
2.2.17 - Ensure web proxy server services are not in use
2.2.18 - Ensure web server services are not in use
2.2.19 - Ensure xinetd services are not in use
2.2.20 - Ensure X window server services are not in use
2.2.21 - Ensure mail transfer agents are configured for local-only mode
2.3.1 - Ensure ftp client is not installed
2.3.2 - Ensure ldap client is not installed
2.3.3 - Ensure nis client is not installed
2.3.5 - Ensure tftp client is not installed
3.1.3 - Ensure bluetooth services are not in use
3.2.1 - Ensure dccp kernel module is not available
3.2.2 - Ensure tipc kernel module is not available
3.2.3 - Ensure rds kernel module is not available
3.2.4 - Ensure sctp kernel module is not available
3.3.1 - Ensure ip forwarding is disabled
3.3.3 - Ensure bogus icmp responses are ignored
3.3.4 - Ensure broadcast icmp requests are ignored
3.3.5 - Ensure icmp redirects are not accepted
3.3.6 - Ensure secure icmp redirects are not accepted
3.3.7 - Ensure reverse path filtering is enabled
3.3.10 - Ensure tcp syn cookies is enabled
3.3.11 - Ensure ipv6 router advertisements are not accepted
3.4.1.2 - Ensure a single firewall configuration utility is in use
3.4.2.2 - Ensure host based firewall loopback traffic is configured
4.1.1.1 - Ensure cron daemon is enabled and active
4.1.1.8 - Ensure crontab is restricted to authorized users
4.2.4 - Ensure sshd access is configured
4.2.5 - Ensure sshd Banner is configured
4.2.6 - Ensure sshd Ciphers are configured
4.2.7 - Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured
4.2.8 - Ensure sshd DisableForwarding is enabled
4.2.9 - Ensure sshd HostbasedAuthentication is disabled
4.2.10 - Ensure sshd IgnoreRhosts is enabled
4.2.11 - Ensure sshd KexAlgorithms is configured
4.2.12 - Ensure sshd LoginGraceTime is configured
4.2.13 - Ensure sshd LogLevel is configured
4.2.14 - Ensure sshd MACs are configured
4.2.15 - Ensure sshd MaxAuthTries is configured
4.2.16 - Ensure sshd MaxSessions is configured
4.2.17 - Ensure sshd MaxStartups is configured
4.2.18 - Ensure sshd PermitEmptyPasswords is disabled
4.2.19 - Ensure sshd PermitRootLogin is disabled
4.2.20 - Ensure sshd PermitUserEnvironment is disabled
4.2.21 - Ensure sshd UsePAM is enabled
4.2.22 - Ensure sshd crypto_policy is not set
4.4.1.1 - Ensure latest version of pam is installed
4.4.3.1.1 - Ensure password failed attempts lockout is configured
4.4.3.1.2 - Ensure password unlock time is configured
4.4.3.1.3 - Ensure password failed attempts lockout includes root account
4.4.3.2.1 - Ensure password number of changed characters is configured
4.4.3.2.2 - Ensure password length is configured
4.4.3.2.3 - Ensure password complexity is configured
4.4.3.2.4 - Ensure password same consecutive characters is configured
4.4.3.2.5 - Ensure password maximum sequential characters is configured
4.4.3.2.6 - Ensure password dictionary check is enabled
4.4.3.2.7 - Ensure password quality is enforced for the root user
4.4.3.3.1 - Ensure password history remember is configured
4.4.3.3.2 - Ensure password history is enforced for the root user
4.4.3.3.3 - Ensure pam_pwhistory includes use_authtok
4.4.3.4.1 - Ensure pam_unix does not include nullok
4.4.3.4.2 - Ensure pam_unix does not include remember
4.4.3.4.3 - Ensure pam_unix includes a strong password hashing algorithm
4.4.3.4.4 - Ensure pam_unix includes use_authtok
4.5.1.1 - Ensure strong password hashing algorithm is configured
4.5.2.2 - Ensure root user umask is configured
4.5.3.1 - Ensure nologin is not listed in /etc/shells
4.5.3.2 - Ensure default user shell timeout is configured
4.5.3.3 - Ensure default user umask is configured
5.1.1.7 - Ensure rsyslog is not configured to receive logs from a remote client
5.1.2.1.4 - Ensure journald is not configured to receive logs from a remote client
5.1.4 - Ensure all logfiles have appropriate access configured
5.2.1.1 - Ensure audit is installed
5.2.2.4 - Ensure system warns when audit logs are low on space
5.2.4.1 - Ensure the audit log directory is 0750 or more restrictive
5.2.4.2 - Ensure audit log files are mode 0640 or less permissive
5.2.4.3 - Ensure only authorized users own audit log files
5.2.4.4 - Ensure only authorized groups are assigned ownership of audit log files
5.2.4.5 - Ensure audit configuration files are 640 or more restrictive
5.2.4.6 - Ensure audit configuration files are owned by root
5.2.4.7 - Ensure audit configuration files belong to group root
5.2.4.8 - Ensure audit tools are 755 or more restrictive
5.2.4.9 - Ensure audit tools are owned by root
5.2.4.10 - Ensure audit tools belong to group root
5.3.3 - Ensure cryptographic mechanisms are used to protect the integrity of audit tools
6.1.10 - Ensure permissions on /etc/shells are configured
6.1.11 - Ensure world writable files and directories are secured
6.1.12 - Ensure no unowned or ungrouped files or directories exist
6.1.3 - Ensure permissions on /etc/opasswd are configured
- The following controls are added to the module:
- Changed
- The following controls are changed in the module. Most of the changes are updates in control numbers. For more detailed information, go to the CIS Benchmarks List webpage, download the PDF file, and review the change history. In the following list, if the control number changed, the new control number is listed first:
- 1.1.2.1.2 - Ensure nodev option set on /tmp partition - updated from 1.1.2.2.
- 1.1.2.1.3 - Ensure nosuid option set on /tmp partition - updated from 1.1.2.4.
- 1.1.2.1.4 - Ensure noexec option set on /tmp partition - updated from 1.1.2.3.
- 1.1.2.2.2 - Ensure nodev option set on /dev/shm partition - updated from 1.1.8.1.
- 1.1.2.2.3 - Ensure nosuid option set on /dev/shm partition - updated from 1.1.8.3.
- 1.1.2.2.4 - Ensure noexec option set on /dev/shm partition - updated from 1.1.8.2.
- 1.1.2.3.2 - Ensure nodev option set on /home partition - updated from 1.1.7.2.
- 1.1.2.3.3 - Ensure nosuid option set on /home partition - updated from 1.1.7.3.
- 1.1.2.4.2 - Ensure nodev option set on /var partition - updated from 1.1.3.2.
- 1.1.2.4.3 - Ensure nosuid option set on /var partition - updated from 1.1.3.4.
- 1.1.2.5.2 - Ensure nodev option set on /var/tmp partition - updated from 1.1.4.4.
- 1.1.2.5.3 - Ensure nosuid option set on /var/tmp partition - updated from 1.1.4.3.
- 1.1.2.5.4 - Ensure noexec option set on /var/tmp partition - updated from 1.1.4.2.
- 1.1.2.6.2 - Ensure nodev option set on /var/log partition - updated from 1.1.5.2.
- 1.1.2.6.3 - Ensure nosuid option set on /var/log partition - updated from 1.1.5.4.
- 1.1.2.6.4 - Ensure noexec option set on /var/log partition - updated from 1.1.5.3.
- 1.1.2.7.2 - Ensure nodev option set on /var/log/audit partition - updated from 1.1.6.3.
- 1.1.2.7.3 - Ensure nosuid option set on /var/log/audit partition - updated from 1.1.6.4.
- 1.1.2.7.4 - Ensure noexec option set on /var/log/audit partition - updated from 1.1.6.2.
- 1.2.2 - Ensure gpgcheck is globally activated - updated from 1.2.3.
- 1.3.1 - Ensure bootloader password is set - updated from 1.4.1.
- 1.3.2 - Ensure permissions on bootloader config are configured - updated from 1.4.2.
- 1.4.1 - Ensure address space layout randomization (ASLR) is enabled - updated from 1.5.3.
- 1.4.3 - Ensure core dump backtraces are disabled - updated from 1.5.2.
1.4.4 - Ensure core dump storage is disabled - updated from 1.5.1.
1.5.1.1 - Ensure SELinux is installed - updated from 1.6.1.1.
1.5.1.2 - Ensure SELinux is not disabled in bootloader configuration - updated from 1.6.1.2.
1.5.1.3 - Ensure SELinux policy is configured - updated from 1.6.1.3.
1.5.1.4 - Ensure the SELinux mode is not disabled - updated from 1.6.1.4.
1.5.1.5 - Ensure the SELinux mode is enforcing - updated from 1.6.1.5.
1.5.1.6 - Ensure no unconfined services exist - updated from 1.6.1.6.
1.5.1.7 - Ensure the MCS Translation Service (mcstrans) is not installed - updated from 1.6.1.8.
1.5.1.8 - Ensure SETroubleshoot is not installed - updated from 1.6.1.7.
1.8.10 - Ensure XDMCP is not enabled - updated from 1.8.4.
3.1.2 - Ensure wireless interfaces are disabled - updated from 3.1.4.
3.3.2 - Ensure packet redirect sending is disabled - updated from 3.2.2.
3.3.8 - Ensure source routed packets are not accepted - updated from 3.3.1.
3.3.9 - Ensure suspicious packets are logged - updated from 3.3.4.
4.1.1.2 - Ensure permissions on /etc/crontab are configured - updated from 5.1.2.
4.1.1.3 - Ensure permissions on /etc/cron.hourly are configured - updated from 5.1.3.
4.1.1.4 - Ensure permissions on /etc/cron.daily are configured - updated from 5.1.4.
4.1.1.5 - Ensure permissions on /etc/cron.weekly are configured - updated from 5.1.5.
4.1.1.6 - Ensure permissions on /etc/cron.monthly are configured - updated from 5.1.6.
4.1.1.7 - Ensure permissions on /etc/cron.d are configured - updated from 5.1.7.
4.1.2.1 - Ensure at is restricted to authorized users - updated from 5.1.9.
This control helps to enforce secure configurations for
atjobs. Authorized users or groups define permissions foratjobs by specifying theat.allowandat.denyfiles.The control enforces a default setting of
manage_at_deny=true, which means that the module manages the owner, group, and permissions of theat.denyfile. If theat.denyfile exists, only the assigned user or group has read and write access. If the value is changed tofalse, the module does not control the owner, group, or permissions.The control also manages file purging. The default setting is
purge_at_deny=false, which means that theat.denyfile will not be removed from disk. If the value is changed totrue, the file will be removed from disk.4.2.1 - Ensure permissions on /etc/ssh/sshd_config are configured - updated from 5.2.1.
4.2.2 - Ensure permissions on SSH private host key files are configured - updated from 5.2.2.
4.2.3 - Ensure permissions on SSH public host key files are configured - updated from 5.2.3.
4.3.1 - Ensure sudo is installed - updated from 5.3.1.
4.3.2 - Ensure sudo commands use pty - updated from 5.3.2.
4.3.3 - Ensure sudo log file exists - updated from 5.3.3.
4.3.4 - Ensure users must provide password for escalation - updated from 5.3.4.
4.3.5 - Ensure reauthentication for privilege escalation is not disabled globally - updated from 5.3.5.
4.3.6 - Ensure sudo authentication timeout is configured correctly - updated from 5.3.6.
4.3.7 - Ensure access to the su command is restricted - updated from 5.3.7.
4.5.1.2 - Ensure password expiration is 365 days or less - updated from 5.6.1.1.
4.5.1.3 - Ensure password expiration warning days is 7 or more - updated from 5.6.1.3.
4.5.1.4 - Ensure inactive password lock is 30 days or less - updated from 5.6.1.4.
4.5.2.1 - Ensure default group for the root account is GID 0 - updated from 5.6.4.
4.5.2.3 - Ensure system accounts are secured - updated from 5.6.2.
5.1.1.1 - Ensure rsyslog is installed - updated from 4.2.1.1.
5.1.1.2 - Ensure rsyslog service is enabled - updated from 4.2.1.2.
5.1.1.3 - Ensure journald is configured to send logs to rsyslog - updated from 4.2.1.3.
5.1.1.4 - Ensure rsyslog default file permissions are configured - updated from 4.2.1.4.
5.1.1.5 - Ensure logging is configured - updated from 4.2.1.5.
5.1.1.6 - Ensure rsyslog is configured to send logs to a remote log host - updated from 4.2.1.6.
5.1.2.1.1 - Ensure systemdjournal-remote is installed - updated from 4.2.2.1.1.
5.1.2.1.2 - Ensure journald service is enabled - updated from 4.2.2.1.2.
5.1.2.1.3 - Ensure systemdjournal-remote is enabled - updated from 4.2.2.1.3.
5.1.2.2 - Ensure journald service is enabled – updated from 4.2.2.2.
5.1.2.3 - Ensure journald is configured to compress large log files - updated from 4.2.2.3.
5.1.2.4 - Ensure journald is configured to write logfiles to persistent disk - updated from 4.2.2.4.
5.1.3 - Ensure logrotate is configured - updated from 4.3.
5.2.1.2 - Ensure auditing for processes that start prior to auditd is enabled - updated from 4.1.1.3.
5.2.1.3 - Ensure audit_backlog_limit is sufficient - updated from 4.1.1.4.
5.2.1.4 - Ensure auditd service is enabled - updated from 4.1.1.2.
5.2.2.1 - Ensure audit log storage size is configured - updated from 4.1.2.1.
5.2.2.2 - Ensure audit logs are not automatically deleted - updated from 4.1.2.2.
5.2.2.3 - Ensure system is disabled when audit logs are full - updated from 4.1.2.3. Parameter values are updated. The
disk_full_actionand thedisk_error_actionparameters now have a default value ofhalt.5.2.3.1 - Ensure changes to system administration scope (sudoers) is collected - updated from 4.1.3.1.
5.2.3.2 - Ensure actions as another user are always logged - updated from 4.1.3.2.
5.2.3.3 - Ensure events that modify the sudo log file are collected - updated from 4.1.3.3.
5.2.3.4 - Ensure events that modify date and time information are collected - updated from 4.1.3.4.
5.2.3.5 - Ensure events that modify the system's network environment are collected - updated from 4.1.3.5.
5.2.3.6 - Ensure use of privileged commands are collected - updated from 4.1.3.6.
5.2.3.7 - Ensure unsuccessful file access attempts are collected - updated from 4.1.3.7.
5.2.3.8 - Ensure events that modify user/group information are collected - updated from 4.1.3.8.
5.2.3.9 - Ensure discretionary access control permission modification events are collected - updated from 4.1.3.9.
5.2.3.10 - Ensure successful file system mounts are collected - updated from 4.1.3.10.
5.2.3.11 - Ensure session initiation information is collected - updated from 4.1.3.11.
5.2.3.12 - Ensure login and logout events are collected - updated from 4.1.3.12.
5.2.3.13 - Ensure file deletion events by users are collected - updated from 4.1.3.13.
5.2.3.14 - Ensure events that modify the system's Mandatory Access Controls are collected - updated from 4.1.3.14.
5.2.3.15 - Ensure successful and unsuccessful attempts to use the chcon command are recorded - updated from 4.1.3.15.
5.2.3.16 - Ensure successful and unsuccessful attempts to use the setfacl command are recorded - updated from 4.1.3.16.
5.2.3.17 - Ensure successful and unsuccessful attempts to use the chacl command are recorded - updated from 4.1.3.17.
5.2.3.18 - Ensure successful and unsuccessful attempts to use the usermod command are recorded - updated from 4.1.3.18.
5.2.3.19 - Ensure kernel module loading unloading and modification is collected - updated from 4.1.3.19.
5.2.3.20 - Ensure the audit configuration is immutable - updated from 4.1.3.20.
5.3.1 - Ensure AIDE is installed - updated from 1.3.1.
5.3.2 - Ensure filesystem integrity is regularly checked - updated from 1.3.2.
6.1.1 - Ensure permissions on /etc/passwd are configured - updated from 6.1.3.
6.1.2 - Ensure permissions on /etc/passwd- are configured - updated from 6.1.7.
6.1.4 - Ensure permissions on /etc/group are configured - updated from 6.1.5.
6.1.5 - Ensure permissions on /etc/group- are configured - updated from 6.1.9.
6.1.6 - Ensure permissions on /etc/shadow are configured - updated from 6.1.4.
6.1.7 - Ensure permissions on /etc/shadow- are configured - updated from 6.1.8.
6.1.8 - Ensure permissions on /etc/gshadow are configured - updated from 6.1.6.
6.1.9 - Ensure permissions on /etc/gshadow- are configured - updated from 6.1.10.
- The following controls are changed in the module. Most of the changes are updates in control numbers. For more detailed information, go to the CIS Benchmarks List webpage, download the PDF file, and review the change history. In the following list, if the control number changed, the new control number is listed first:
- Removed
- The following controls are removed from the module:
1.1.1.1 - Ensure mounting of cramfs filesystems is disabled
1.1.1.2 - Ensure mounting of squashfs filesystems is disabled
1.1.1.3 - Ensure mounting of udf filesystems is disabled
1.1.3.3 - Ensure noexec option set on /var partition
1.1.7.4 - Ensure usrquota option set on /home partition
1.1.7.5 - Ensure grpquota option set on /home partition
1.1.9 - Disable Automounting
1.1.10 - Disable USB Storage
1.2.1 - Ensure Red Hat Subscription Manager connection is configured
1.4.3 - Ensure authentication is required when booting into rescue mode
1.7.4 - Ensure permissions on /etc/motd are configured
1.7.5 - Ensure permissions on /etc/issue are configured
1.7.6 - Ensure permissions on /etc/issue.net are configured
1.8.3 - Ensure last logged in user display is disabled
1.8.5 - Ensure automatic mounting of removable media is disabled
1.10 - Ensure system-wide crypto policy is not legacy
2.2.1 - Ensure xinetd is not installed
2.2.2 - Ensure xorg-x11-server-common is not installed
2.2.3 - Ensure Avahi Server is not installed
2.2.4 - Ensure CUPS is not installed
2.2.5 - Ensure DHCP Server is not installed
2.2.6 - Ensure DNS Server is not installed
2.2.7 - Ensure FTP Server is not installed
2.2.8 - Ensure VSFTP Server is not installed
2.2.9 - Ensure TFTP Server is not installed
2.2.10 - Ensure a web server is not installed
2.2.11 - Ensure IMAP and POP3 server is not installed
2.2.12 - Ensure Samba is not installed
2.2.13 - Ensure HTTP Proxy Server is not installed
2.2.14 - Ensure net-snmp is not installed
2.2.15 - Ensure NIS server is not installed
2.2.16 - Ensure telnetserver is not installed
2.2.17 - Ensure mail transfer agent is configured for local-only mode
2.2.18 - Ensure nfs-utils is not installed or the nfs-server service is masked
2.2.19 - Ensure rpcbind is not installed or the rpcbind services are masked
2.2.20 - Ensure rsync is not installed or the rsyncd service is masked
2.3.1 - Ensure NIS Client is not installed
2.3.2 - Ensure rsh client is not installed
2.3.3 - Ensure talk client is not installed
2.3.5 - Ensure LDAP client is not installed
2.3.6 - Ensure TFTP client is not installed
2.4 - Ensure nonessential services are removed or masked
3.1.1 - Verify if IPv6 is enabled on the system
3.1.2 - Ensure SCTP is disabled
3.1.3 - Ensure DCCP is disabled
3.2.1 - Ensure IP forwarding is disabled
3.3.2 - Ensure ICMP redirects are not accepted
3.3.3 - Ensure secure ICMP redirects are not accepted
3.3.5 - Ensure broadcast ICMP requests are ignored
3.3.6 - Ensure bogus ICMP responses are ignored
3.3.7 - Ensure Reverse Path Filtering is enabled
3.3.8 - Ensure TCP SYN Cookies is enabled
3.3.9 - Ensure IPv6 router advertisements are not accepted
3.4.1.1 - Ensure firewalld is installed
3.4.1.2 - Ensure iptablesservices not installed with firewalld
3.4.1.3 - Ensure nftables either not installed or masked with firewalld
3.4.1.4 - Ensure firewalld service enabled and running
3.4.1.5 - Ensure firewalld default zone is set
3.4.1.6 - Ensure network interfaces are assigned to appropriate zone
3.4.2.2 - Ensure firewalld is either not installed or masked with nftables
3.4.2.3 - Ensure iptables-services not installed with nftables
3.4.2.4 - Ensure iptables are flushed with nftables
3.4.2.5 - Ensure an nftables table exists
3.4.2.7 - Ensure nftables loopback traffic is configured
3.4.2.8 - Ensure nftables outbound and established connections are configured
3.4.2.10 - Ensure nftables service is enabled
3.4.2.11 - Ensure nftables rules are permanent
3.4.3.1.1 - Ensure iptables packages are installed
3.4.3.1.2 - Ensure nftables is not installed with iptables
3.4.3.1.3 - Ensure firewalld is either not installed or masked with iptables
3.4.3.2.1 - Ensure iptables loopback traffic is configured
3.4.3.2.2 - Ensure iptables outbound and established connections are configured
3.4.3.2.3 - Ensure iptables rules exist for all open ports
3.4.3.2.4 - Ensure iptables default deny firewall policy
3.4.3.2.5 - Ensure iptables rules are saved
3.4.3.2.6 - Ensure iptables is enabled and active
3.4.3.3.1 - Ensure ip6tables loopback traffic is configured
3.4.3.3.2 - Ensure ip6tables outbound and established connections are configured
3.4.3.3.3 - Ensure ip6tables firewall rules exist for all open ports
3.4.3.3.4 - Ensure ip6tables default deny firewall policy
3.4.3.3.5 - Ensure ip6tables rules are saved
3.4.3.3.6 - Ensure ip6tables is enabled and active
4.1.1.1 - Ensure auditd is installed
4.2.1.7 - Ensure rsyslog is not configured to recieve logs from a remote client
4.2.2.1.4 - Ensure journald is not configured to recieve logs from a remote client
4.2.2.7 - Ensure journald default file permissions configured
4.2.3 - Ensure permissions on all logfiles are configured
5.1.1 - Ensure cron daemon is enabled
5.1.8 - Ensure cron is restricted to authorized users
5.2.4 - Ensure SSH access is limited
5.2.5 - Ensure SSH LogLevel is appropriate
5.2.6 - Ensure SSH PAM is enabled
5.2.7 - Ensure SSH root login is disabled
5.2.8 - Ensure SSH HostbasedAuthentication is disabled
5.2.9 - Ensure SSH PermitEmptyPasswords is disabled
5.2.10 - Ensure SSH PermitUserEnvironment is disabled
5.2.11 - Ensure SSH IgnoreRhosts is enabled
5.2.12 - Ensure SSH X11 forwarding is disabled
5.2.13 - Ensure SSH AllowTcpForwarding is disabled
5.2.14 - Ensure systemwide crypto policy is not over-ridden
5.2.15 - Ensure SSH warning banner is configured
5.2.16 - Ensure SSH MaxAuthTries is set to 4 or less
5.2.17 - Ensure SSH MaxStartups is configured
5.2.18 - Ensure SSH MaxSessions is set to 10 or less
5.2.19 - Ensure SSH LoginGraceTime is set to one minute or less
5.2.20 - Ensure SSH Idle Timeout Interval is configured
5.4.1 - Ensure custom authselect profile is used
5.4.2 - Ensure authselect includes with-faillock
5.5.1 - Ensure password creation requirements are configured
5.5.2 - Ensure lockout for failed password attempts is configured
5.5.3 - Ensure password reuse is limited
5.5.4 - Ensure password hashing algorithm is SHA-512
5.6.1.2 - Ensure minimum days between password changes is 7 or more
5.6.3 - Ensure default user shell timeout is 900 seconds or less
5.6.5 - Ensure default user umask is 027 or more restrictive
6.1.11 - Ensure no world writable files exist
6.1.12 - Ensure no unowned files or directories exist
6.1.13 - Ensure no ungrouped files or directories exist
6.1.14 - Audit SUID executables
6.1.15 - Audit SGID executables
6.1.2 - Ensure sticky bit is set on all world-writable directories
6.2.1 - Ensure password fields are not empty
6.2.7 - Ensure root PATH Integrity
6.2.9 - Ensure all users' home directories exist
6.2.10 - Ensure users own their home directories
6.2.11 - Ensure users' home directories permissions are 750 or more restrictive
6.2.12 - Ensure users' dot files are not group or world writable
6.2.13 - Ensure users' .netrc Files are not group or world accessible
6.2.14 - Ensure no users have .forward files
6.2.15 - Ensure no users have .netrc files
6.2.16 - Ensure no users have .rhosts files
