Definition of DRAFT - CIS Benchmark for Fedora for fedora
based on https://workbench.cisecurity.org/benchmarks/20722
reload_dconf_db: Reload Dconf database
Description: None
Levels:
Automated: yes
Selections:
- dconf_db_up_to_date: Make sure that the dconf databases are up-to-date with regards to respective keyfiles
1.1.1.1: Ensure cramfs kernel module is not available (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.1.2: Ensure freevxfs kernel module is not available (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.1.3: Ensure hfs kernel module is not available (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.1.4: Ensure hfsplus kernel module is not available (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.1.5: Ensure jffs2 kernel module is not available (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.1.6: Ensure overlayfs kernel module is not available (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.1.7: Ensure squashfs kernel module is not available (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.1.8: Ensure udf kernel module is not available (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.1.9: Ensure firewire-core kernel module is not available (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.1.10: Ensure usb-storage kernel module is not available (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.1.11: Ensure unused filesystems kernel modules are not available (Manual)
Description: None
Levels:
Automated: no
No rules selected
1.1.2.1.1: Ensure /tmp is tmpfs or a separate partition (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.2.1.2: Ensure nodev option set on /tmp partition (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.2.1.3: Ensure nosuid option set on /tmp partition (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.2.1.4: Ensure noexec option set on /tmp partition (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.2.2.1: Ensure /dev/shm is tmpfs or a separate partition (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.2.2.2: Ensure nodev option set on /dev/shm partition (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.2.2.3: Ensure nosuid option set on /dev/shm partition (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.2.2.4: Ensure noexec option set on /dev/shm partition (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.2.3.1: Ensure separate partition exists for /home (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.2.3.2: Ensure nodev option set on /home partition (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.2.3.3: Ensure nosuid option set on /home partition (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.2.4.1: Ensure separate partition exists for /var (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.2.4.2: Ensure nodev option set on /var partition (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.2.4.3: Ensure nosuid option set on /var partition (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.2.5.1: Ensure separate partition exists for /var/tmp (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.2.5.2: Ensure nodev option set on /var/tmp partition (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.2.5.3: Ensure nosuid option set on /var/tmp partition (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.2.5.4: Ensure noexec option set on /var/tmp partition (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.2.6.1: Ensure separate partition exists for /var/log (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.2.6.2: Ensure nodev option set on /var/log partition (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.2.6.3: Ensure nosuid option set on /var/log partition (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.2.6.4: Ensure noexec option set on /var/log partition (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.2.7.1: Ensure separate partition exists for /var/log/audit (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.2.7.2: Ensure nodev option set on /var/log/audit partition (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.2.7.3: Ensure nosuid option set on /var/log/audit partition (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.1.2.7.4: Ensure noexec option set on /var/log/audit partition (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.2.1.1: Ensure GPG keys are configured (Manual)
Description: None
Levels:
Automated: no
No rules selected
1.2.1.2: Ensure gpgcheck is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.2.1.3: Ensure repo_gpgcheck is globally activated (Manual)
Description: None
Levels:
Automated: no
No rules selected
1.2.1.4: Ensure package manager repositories are configured (Manual)
Description: None
Levels:
Automated: no
No rules selected
1.2.1.5: Ensure weak dependencies are disabled in dnf (Manual)
Description: None
Levels:
Automated: no
No rules selected
1.2.2.1: Ensure updates, patches, and additional security software are installed (Manual)
Description: None
Levels:
Automated: no
No rules selected
1.3.1.1: Ensure SELinux is installed (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.3.1.2: Ensure SELinux is not disabled in bootloader configuration (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.3.1.3: Ensure SELinux policy is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.3.1.4: Ensure the SELinux mode is not disabled (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.3.1.5: Ensure the SELinux mode is enforcing (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.3.1.6: Ensure no unconfined services exist (Manual)
Description: None
Levels:
Automated: no
No rules selected
1.3.1.7: Ensure the MCS Translation Service (mcstrans) is not installed (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.3.1.8: Ensure SETroubleshoot is not installed (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.4.1: Ensure bootloader password is set (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.4.2: Ensure access to bootloader config is configured (Automated)
Description: None
Levels:
Automated: no
Selections:
1.5.1: Ensure core file size is configured (Automated)
Description: None
Levels:
Automated: no
No rules selected
1.5.2: Ensure fs.protected_hardlinks is configured (Automated)
Description: None
Levels:
Automated: no
No rules selected
1.5.3: Ensure fs.protected_symlinks is configured (Automated)
Description: None
Levels:
Automated: no
No rules selected
1.5.4: Ensure fs.suid_dumpable is configured (Automated)
Description: None
Levels:
Automated: no
No rules selected
1.5.5: Ensure kernel.dmesg_restrict is configured (Automated)
Description: None
Levels:
Automated: no
No rules selected
1.5.6: Ensure kernel.kptr_restrict is configured (Automated)
Description: None
Levels:
Automated: no
No rules selected
1.5.7: Ensure kernel.yama.ptrace_scope is configured (Automated)
Description: None
Levels:
Automated: no
No rules selected
1.5.8: Ensure kernel.randomize_va_space is configured (Automated)
Description: None
Levels:
Automated: no
No rules selected
1.5.9: Ensure systemd-coredump ProcessSizeMax is configured (Automated)
Description: None
Levels:
Automated: no
No rules selected
1.5.10: Ensure systemd-coredump Storage is configured (Automated)
Description: None
Levels:
Automated: no
No rules selected
1.6.1: Ensure system wide crypto policy is not set to legacy (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.6.2: Ensure system wide crypto policy disables sha1 hash and signature support (Automated)
Description: None
Levels:
Automated: yes
No rules selected
1.6.3: Ensure system wide crypto policy macs are configured (Automated)
Description: None
Levels:
Automated: no
No rules selected
1.6.4: Ensure system wide crypto policy disables cbc for ssh (Automated)
Description: None
Levels:
Automated: no
No rules selected
1.7.1: Ensure /etc/motd is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.7.2: Ensure /etc/issue is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.7.3: Ensure /etc/issue.net is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.7.4: Ensure access to /etc/motd is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.7.5: Ensure access to /etc/issue is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.7.6: Ensure access to /etc/issue.net is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.8.1: Ensure GDM login banner is configured (Automated)
Description: None
Levels:
Automated: no
Selections:
1.8.2: Ensure GDM disable-user-list is configured (Automated)
Description: None
Levels:
Automated: no
Selections:
1.8.3: Ensure GDM screen lock is configured (Automated)
Description: None
Levels:
Automated: no
Selections:
1.8.4: Ensure GDM automount is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
1.8.5: Ensure GDM autorun-never is configured (Automated)
Description: None
Levels:
Automated: no
Selections:
1.8.6: Ensure XDMCP is not enabled (Automated)
Description: None
Levels:
Automated: no
No rules selected
1.8.7: Ensure Xwayland is configured (Automated)
Description: None
Levels:
Automated: no
No rules selected
2.1.1: Ensure autofs services are not in use (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.1.2: Ensure avahi daemon services are not in use (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.1.3: Ensure cockpit web services are not in use (Automated)
Description: None
Levels:
Automated: no
No rules selected
2.1.4: Ensure dhcp server services are not in use (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.1.5: Ensure dns server services are not in use (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.1.6: Ensure dnsmasq services are not in use (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.1.7: Ensure ftp server services are not in use (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.1.8: Ensure message access server services are not in use (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.1.9: Ensure network file system services are not in use (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.1.10: Ensure nis server services are not in use (Automated)
Description: None
Levels:
Automated: yes
No rules selected
2.1.11: Ensure print server services are not in use (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.1.12: Ensure rpcbind services are not in use (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.1.13: Ensure rsync services are not in use (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.1.14: Ensure samba file server services are not in use (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.1.15: Ensure snmp services are not in use (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.1.16: Ensure telnet server services are not in use (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.1.17: Ensure tftp server services are not in use (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.1.18: Ensure web proxy server services are not in use (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.1.19: Ensure web server services are not in use (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.1.20: Ensure xinetd services are not in use (Automated)
Description: None
Levels:
Automated: no
No rules selected
2.1.21: Ensure GNOME Display Manager is removed (Automated)
Description: None
Levels:
Automated: no
No rules selected
2.1.22: Ensure X window server services are not in use (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.1.23: Ensure mail transfer agents are configured for local-only mode (Automated)
Description: None
Levels:
Automated: no
Selections:
2.1.24: Ensure only approved services are listening on a network interface (Manual)
Description: None
Levels:
Automated: no
No rules selected
2.2.1: Ensure ftp client is not installed (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.2.2: Ensure ldap client is not installed (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.2.3: Ensure nis client is not installed (Automated)
Description: None
Levels:
Automated: yes
No rules selected
2.2.4: Ensure telnet client is not installed (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.2.5: Ensure tftp client is not installed (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.3.1: Ensure time synchronization is in use (Automated)
Description: None
Levels:
Automated: yes
No rules selected
2.3.2: Ensure chrony is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.3.3: Ensure chrony is not run as the root user (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.4.1.1: Ensure cron daemon is enabled and active (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.4.1.2: Ensure access to /etc/crontab is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.4.1.3: Ensure access to /etc/cron.hourly is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.4.1.4: Ensure access to /etc/cron.daily is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.4.1.5: Ensure access to /etc/cron.weekly is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.4.1.6: Ensure access to /etc/cron.monthly is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.4.1.7: Ensure access to /etc/cron.yearly is configured (Automated)
Description: None
Levels:
Automated: no
No rules selected
2.4.1.8: Ensure access to /etc/cron.d is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.4.1.9: Ensure access to crontab is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
2.4.2.1: Ensure access to at is configured (Automated)
Description: None
Levels:
Automated: no
Selections:
3.1.1: Ensure IPv6 status is identified (Manual)
Description: None
Levels:
Automated: no
No rules selected
3.1.2: Ensure wireless interfaces are not available (Automated)
Description: None
Levels:
Automated: yes
Selections:
3.1.3: Ensure bluetooth services are not in use (Automated)
Description: None
Levels:
Automated: yes
Selections:
3.2.1: Ensure atm kernel module is not available (Automated)
Description: None
Levels:
Automated: no
No rules selected
3.2.2: Ensure can kernel module is not available (Automated)
Description: None
Levels:
Automated: no
No rules selected
3.2.3: Ensure dccp kernel module is not available (Automated)
Description: None
Levels:
Automated: no
No rules selected
3.2.4: Ensure tipc kernel module is not available (Automated)
Description: None
Levels:
Automated: yes
Selections:
3.2.5: Ensure rds kernel module is not available (Automated)
Description: None
Levels:
Automated: no
No rules selected
3.2.6: Ensure sctp kernel module is not available (Automated)
Description: None
Levels:
Automated: yes
Selections:
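The 1.1.1.x and 3.2.x controls above all audit the same pattern: a module is "not available" only when it is not loaded, has an `install <module> /bin/false` (or `/bin/true`) line, and is blacklisted. A `blacklist` line on its own only stops alias-based autoloading; `modprobe` or a dependency still loads the module. The following is an added example written for this page (not code from the CIS benchmark or from ComplianceAsCode) that evaluates those three conditions offline against constructed modprobe.d contents and constructed `lsmod` output, normalising the `usb-storage` / `usb_storage` spelling difference that trips up naive greps.

```python
"""Offline audit of the CIS "kernel module is not available" pattern (1.1.1.x, 3.2.x).

Added example for this page; not part of the CIS benchmark or ComplianceAsCode.
The modprobe.d contents and lsmod output below are constructed, not captured
from a real host.
"""
import re


def _norm(name: str) -> str:
    """modprobe treats '-' and '_' as the same character in module names
    (usb-storage on the command line, usb_storage in lsmod)."""
    return name.replace("-", "_")


def parse_modprobe_conf(text: str) -> tuple[dict[str, str], set[str]]:
    """Return ({module: install command}, {blacklisted modules}) for one modprobe.d file."""
    installs: dict[str, str] = {}
    blacklist: set[str] = set()
    for raw in re.sub(r"\\\n", " ", text).splitlines():   # join backslash continuations
        line = raw.strip()
        if not line or line.startswith("#"):               # comments start the line
            continue
        parts = line.split(None, 2)
        if parts[0] == "install" and len(parts) == 3:
            installs[_norm(parts[1])] = parts[2].strip()
        elif parts[0] == "blacklist" and len(parts) >= 2:
            blacklist.add(_norm(parts[1]))
    return installs, blacklist


def loaded_modules(lsmod_text: str) -> set[str]:
    """Module names from lsmod output (first column; header line skipped)."""
    return {_norm(l.split()[0]) for l in lsmod_text.splitlines()[1:] if l.strip()}


def module_status(name: str, conf_files: dict[str, str], lsmod_text: str) -> dict:
    """Evaluate one module against all modprobe.d files.
    If several files carry an `install` line for the same module, the last one
    seen here wins; on a real host confirm with `modprobe --showconfig`."""
    mod = _norm(name)
    installs: dict[str, str] = {}
    blacklist: set[str] = set()
    for _path, text in sorted(conf_files.items()):
        i, b = parse_modprobe_conf(text)
        installs.update(i)
        blacklist |= b
    return {
        "loaded": mod in loaded_modules(lsmod_text),
        "install_disabled": installs.get(mod) in ("/bin/false", "/bin/true"),
        "blacklisted": mod in blacklist,
    }


def is_unavailable(status: dict) -> bool:
    """All three CIS conditions must hold."""
    return (not status["loaded"]) and status["install_disabled"] and status["blacklisted"]


def audit(modules, conf_files, lsmod_text) -> dict[str, bool]:
    return {m: is_unavailable(module_status(m, conf_files, lsmod_text)) for m in modules}


# --- constructed sample input (not from a real system) ---
SAMPLE_CONF = {
    "/etc/modprobe.d/cramfs.conf": "install cramfs /bin/false\nblacklist cramfs\n",
    # blacklisted only: alias autoload is stopped, explicit loading is not
    "/etc/modprobe.d/usb-storage.conf": "# USB mass storage\nblacklist usb-storage\n",
    # install line only (with a continuation), no blacklist
    "/etc/modprobe.d/jffs2.conf": "install jffs2 \\\n    /bin/true\n",
}
SAMPLE_LSMOD = (
    "Module                  Size  Used by\n"
    "usb_storage            86016  0\n"
    "xfs                  2000000  1\n"
)

if __name__ == "__main__":
    for mod in ["cramfs", "usb-storage", "jffs2", "squashfs"]:
        st = module_status(mod, SAMPLE_CONF, SAMPLE_LSMOD)
        print(f"{mod:12s} {'PASS' if is_unavailable(st) else 'FAIL'}  {st}")
```

Only `cramfs` passes in the sample: `usb-storage` is blacklisted but still loaded, `jffs2` has the install line but no blacklist, and `squashfs` has nothing. Modules compiled into the kernel rather than built as loadable modules are outside what this check can see; `modprobe --showconfig` and `lsmod` on the target host remain the authoritative view.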
3.3.1.1: Ensure net.ipv4.ip_forward is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
3.3.1.2: Ensure net.ipv4.conf.all.forwarding is configured (Automated)
Description: None
Levels:
Automated: no
No rules selected
3.3.1.3: Ensure net.ipv4.conf.default.forwarding is configured (Automated)
Description: None
Levels:
Automated: no
No rules selected
3.3.1.4: Ensure net.ipv4.conf.all.send_redirects is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
3.3.1.5: Ensure net.ipv4.conf.default.send_redirects is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
3.3.1.6: Ensure net.ipv4.icmp_ignore_bogus_error_responses is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
3.3.1.7: Ensure net.ipv4.icmp_echo_ignore_broadcasts is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
3.3.1.8: Ensure net.ipv4.conf.all.accept_redirects is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
3.3.1.9: Ensure net.ipv4.conf.default.accept_redirects is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
3.3.1.10: Ensure net.ipv4.conf.all.secure_redirects is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
3.3.1.11: Ensure net.ipv4.conf.default.secure_redirects is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
3.3.1.12: Ensure net.ipv4.conf.all.rp_filter is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
3.3.1.13: Ensure net.ipv4.conf.default.rp_filter is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
3.3.1.14: Ensure net.ipv4.conf.all.accept_source_route is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
3.3.1.15: Ensure net.ipv4.conf.default.accept_source_route is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
3.3.1.16: Ensure net.ipv4.conf.all.log_martians is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
3.3.1.17: Ensure net.ipv4.conf.default.log_martians is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
3.3.1.18: Ensure net.ipv4.tcp_syncookies is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
3.3.2.1: Ensure net.ipv6.conf.all.forwarding is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
3.3.2.2: Ensure net.ipv6.conf.default.forwarding is configured (Automated)
Description: None
Levels:
Automated: no
No rules selected
3.3.2.3: Ensure net.ipv6.conf.all.accept_redirects is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
3.3.2.4: Ensure net.ipv6.conf.default.accept_redirects is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
3.3.2.5: Ensure net.ipv6.conf.all.accept_source_route is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
3.3.2.6: Ensure net.ipv6.conf.default.accept_source_route is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
3.3.2.7: Ensure net.ipv6.conf.all.accept_ra is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
3.3.2.8: Ensure net.ipv6.conf.default.accept_ra is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
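The 3.3.1.x and 3.3.2.x controls are all "is this sysctl key persisted with the expected value", and the usual failure is not a wrong value but a value set in the wrong file: systemd-sysctl lets a file in /etc/sysctl.d hide a same-named file in /usr/lib/sysctl.d, applies the surviving files in lexicographic order of basename, and for a key set more than once the last assignment wins. The following is an added example for this page (not code from the benchmark or ComplianceAsCode) that replays those rules over constructed file contents and reports which file's assignment is the effective one. It assumes the Fedora layout in which /etc/sysctl.conf is reached via the /etc/sysctl.d/99-sysctl.conf symlink, and it checks only the persisted configuration; the running value from `sysctl <key>` must be compared separately.

```python
"""Offline audit of sysctl settings as systemd-sysctl would apply them (3.3.x).

Added example for this page, not part of the CIS benchmark or ComplianceAsCode.
File contents below are constructed. Only the persisted configuration is
evaluated; a real audit also compares `sysctl <key>` on the running kernel.
"""
import posixpath

# Directories searched by systemd-sysctl, highest priority first: a file in an
# earlier directory hides a file of the same basename in a later one. Surviving
# files are applied in lexicographic order of basename; for a key assigned more
# than once the LAST assignment wins. On Fedora /etc/sysctl.conf is reached via
# the symlink /etc/sysctl.d/99-sysctl.conf, so it is passed under that name.
SYSCTL_DIRS = ["/etc/sysctl.d", "/run/sysctl.d", "/usr/local/lib/sysctl.d", "/usr/lib/sysctl.d"]


def select_files(files: dict[str, str]) -> list[tuple[str, str]]:
    """Apply directory shadowing and return (path, text) in application order."""
    chosen: dict[str, tuple[int, str, str]] = {}
    for path, text in files.items():
        d, base = posixpath.split(path)
        if d not in SYSCTL_DIRS or not base.endswith(".conf"):
            continue
        rank = SYSCTL_DIRS.index(d)
        if base not in chosen or rank < chosen[base][0]:
            chosen[base] = (rank, path, text)
    return [(p, t) for _base, (_r, p, t) in sorted(chosen.items())]


def parse_sysctl(text: str) -> list[tuple[str, str]]:
    """(key, value) pairs in file order. '#' and ';' lines are comments, a leading
    '-' means "ignore errors" for that key, and '/' may be used in place of '.'."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lstrip("-").replace("/", ".")
        pairs.append((key, value.strip()))
    return pairs


def effective_settings(files: dict[str, str]) -> dict[str, tuple[str, str]]:
    """{key: (value, path of the assignment that wins)}"""
    eff: dict[str, tuple[str, str]] = {}
    for path, text in select_files(files):
        for key, value in parse_sysctl(text):
            eff[key] = (value, path)          # later file / later line overrides
    return eff


def audit(files: dict[str, str], expected: dict[str, str]) -> dict[str, dict]:
    eff = effective_settings(files)
    out = {}
    for key, want in expected.items():
        value, source = eff.get(key, (None, None))
        out[key] = {"pass": value == want, "value": value, "source": source}
    return out


# --- constructed sample: the "I set it, but it did not stick" layout ---
SAMPLE_FILES = {
    "/usr/lib/sysctl.d/50-default.conf":
        "net.ipv4.conf.all.accept_redirects = 0\n"
        "net.ipv4.conf.all.rp_filter = 2\n",
    # same basename in /etc hides the vendor file entirely, taking its
    # accept_redirects setting with it
    "/etc/sysctl.d/50-default.conf":
        "# site copy of the vendor defaults\n"
        "net.ipv4.conf.all.rp_filter = 2\n",
    "/etc/sysctl.d/60-cis.conf":
        "net.ipv4.conf.all.rp_filter = 1\n"
        "net.ipv4.tcp_syncookies = 1\n"
        "net/ipv6/conf/all/accept_ra = 0\n"
        "-net.ipv4.conf.all.send_redirects = 0\n",
    # sorts after 60-cis.conf, so this stray line silently re-enables forwarding
    "/etc/sysctl.d/99-sysctl.conf":
        "# symlink target: /etc/sysctl.conf\n"
        "net.ipv4.ip_forward = 1\n",
}
EXPECTED = {
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv6.conf.all.accept_ra": "0",
}

if __name__ == "__main__":
    for key, r in audit(SAMPLE_FILES, EXPECTED).items():
        print(f"{'PASS' if r['pass'] else 'FAIL'} {key} = {r['value']} ({r['source']})")
```

In the sample, `rp_filter` passes because 60-cis.conf is applied after both 50-default.conf copies, `ip_forward` fails because 99-sysctl.conf runs last, and `accept_redirects` fails as unset because the /etc copy of 50-default.conf hid the vendor file that carried it. Keys that map to per-interface entries (net.ipv4.conf.*) are also only as good as the moment they were applied; interfaces created later take the `default` values, which is why the benchmark checks `all` and `default` separately.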
4.1.1: Ensure nftables is installed (Automated)
Description: None
Levels:
Automated: yes
Selections:
4.1.2: Ensure a single firewall configuration utility is in use (Automated)
Description: None
Levels:
Automated: yes
Selections:
4.2.1: Ensure firewalld drops unnecessary services and ports (Manual)
Description: None
Levels:
Automated: no
No rules selected
4.2.2: Ensure firewalld loopback traffic is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
4.3.1: Ensure nftables base chains exist (Automated)
Description: None
Levels:
Automated: no
No rules selected
4.3.2: Ensure nftables established connections are configured (Manual)
Description: None
Levels:
Automated: no
No rules selected
4.3.3: Ensure nftables default deny firewall policy (Automated)
Description: None
Levels:
Automated: no
No rules selected
4.3.4: Ensure nftables loopback traffic is configured (Automated)
Description: None
Levels:
Automated: no
No rules selected
5.1.1: Ensure access to /etc/ssh/sshd_config is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.1.2: Ensure access to SSH private host key files is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.1.3: Ensure access to SSH public host key files is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.1.4: Ensure sshd Ciphers are configured (Automated)
Description: None
Levels:
Automated: no
No rules selected
5.1.5: Ensure sshd KexAlgorithms is configured (Automated)
Description: None
Levels:
Automated: no
Selections:
5.1.6: Ensure sshd MACs are configured (Automated)
Description: None
Levels:
Automated: no
Selections:
5.1.7: Ensure sshd access is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.1.8: Ensure sshd Banner is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.1.9: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.1.10: Ensure sshd DisableForwarding is enabled (Automated)
Description: None
Levels:
Automated: no
No rules selected
5.1.11: Ensure sshd GSSAPIAuthentication is disabled (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.1.12: Ensure sshd HostbasedAuthentication is disabled (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.1.13: Ensure sshd IgnoreRhosts is enabled (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.1.14: Ensure sshd LoginGraceTime is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.1.15: Ensure sshd LogLevel is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.1.16: Ensure sshd MaxAuthTries is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.1.17: Ensure sshd MaxStartups is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.1.18: Ensure sshd MaxSessions is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.1.19: Ensure sshd PermitEmptyPasswords is disabled (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.1.20: Ensure sshd PermitRootLogin is disabled (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.1.21: Ensure sshd PermitUserEnvironment is disabled (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.1.22: Ensure sshd UsePAM is enabled (Automated)
Description: None
Levels:
Automated: yes
Selections:
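The 5.1.x controls are checks on individual sshd_config keywords, and sshd resolves them in a way that defeats `grep -i keyword /etc/ssh/sshd_config`: the first value seen for a keyword wins, `Include` files are read at the point of the Include line (Fedora's stock file includes /etc/ssh/sshd_config.d/*.conf near the top, so drop-ins win over anything written later in the main file), and everything after a `Match` line applies only conditionally. The following is an added example for this page (not code from the benchmark, ComplianceAsCode or OpenSSH) that resolves a constructed set of files under those rules and reports which file and line is actually in force for a handful of the 5.1.x keywords. The 50-redhat.conf sample is modelled on the drop-in Fedora ships but is not a verbatim copy; on a live host the authoritative answer is `sshd -T`, and `sshd -T -C user=...,host=...,addr=...` for Match blocks.

```python
"""Offline view of sshd's effective configuration for the 5.1.x checks.

Added example for this page; not from the CIS benchmark, ComplianceAsCode or
OpenSSH. The files below are constructed; 50-redhat.conf is modelled on the
drop-in Fedora ships but is not a verbatim copy.
"""
import fnmatch
import re

# sshd_config rules that make naive greps wrong:
#  * the FIRST value seen for a keyword wins, not the last;
#  * Include files are read at the point of the Include line, so a drop-in
#    included near the top overrides anything written later in sshd_config;
#  * everything after a Match line applies only when that Match matches.
_LINE = re.compile(r"([A-Za-z0-9]+)\s*(?:=\s*)?(.*)$")   # "Key value" or "Key=value"


def _expand(pattern: str, files: dict[str, str]) -> list[str]:
    """Glob an Include argument against the in-memory file set (sorted, like glob(3)).
    Relative patterns are taken relative to /etc/ssh, as sshd does."""
    if not pattern.startswith("/"):
        pattern = "/etc/ssh/" + pattern
    return sorted(p for p in files if fnmatch.fnmatchcase(p, pattern))


def effective_sshd_config(files: dict[str, str], main: str = "/etc/ssh/sshd_config"):
    """Return ({keyword: (value, 'file:line')}, {keywords also set inside Match blocks}).
    Keywords are lower-cased because sshd matches them case-insensitively."""
    eff: dict[str, tuple[str, str]] = {}
    in_match_kw: set[str] = set()

    def walk(path: str, in_match: bool) -> bool:
        for n, raw in enumerate(files[path].splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = _LINE.match(line)
            if not m:
                continue
            kw, arg = m.group(1).lower(), m.group(2).strip()
            if kw == "match":
                in_match = True                         # until the next Match or EOF
            elif kw == "include":
                for pat in arg.split():
                    for inc in _expand(pat, files):
                        in_match = walk(inc, in_match)  # Include inside Match stays conditional
            elif in_match:
                in_match_kw.add(kw)
            elif kw not in eff:                         # first occurrence wins
                eff[kw] = (arg, f"{path}:{n}")
        return in_match

    walk(main, False)
    return eff, in_match_kw


# Expected global values for a few of the 5.1.x checks (predicate per keyword)
CHECKS = {
    "permitrootlogin":         lambda v: v.lower() == "no",
    "gssapiauthentication":    lambda v: v.lower() == "no",
    "permitemptypasswords":    lambda v: v.lower() == "no",
    "hostbasedauthentication": lambda v: v.lower() == "no",
    "ignorerhosts":            lambda v: v.lower() == "yes",
    "usepam":                  lambda v: v.lower() == "yes",
    "maxauthtries":            lambda v: v.isdigit() and int(v) <= 4,
}


def audit_sshd(files: dict[str, str], main: str = "/etc/ssh/sshd_config") -> dict[str, dict]:
    eff, matched = effective_sshd_config(files, main)
    out = {}
    for kw, ok in CHECKS.items():
        value, source = eff.get(kw, (None, None))
        # An unset keyword takes sshd's compiled-in default, which this script
        # does not model; it is reported as a finding so `sshd -T` gets consulted.
        out[kw] = {"pass": value is not None and ok(value), "value": value,
                   "source": source, "in_match_block": kw in matched}
    return out


# --- constructed sample, mirroring the Fedora file layout ---
SAMPLE_FILES = {
    "/etc/ssh/sshd_config":
        "# constructed example\n"
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "PermitRootLogin no\n"
        "MaxAuthTries 4\n"               # too late: 40-cis.conf already set it
        "GSSAPIAuthentication no\n"      # too late: 50-redhat.conf already set it
        "HostbasedAuthentication no\n"
        "IgnoreRhosts yes\n"
        "Match User backup\n"
        "    PermitEmptyPasswords yes\n",
    "/etc/ssh/sshd_config.d/40-cis.conf":
        "PermitEmptyPasswords no\n"
        "MaxAuthTries 6\n",
    "/etc/ssh/sshd_config.d/50-redhat.conf":
        "GSSAPIAuthentication yes\n"
        "UsePAM yes\n",
}

if __name__ == "__main__":
    for kw, r in audit_sshd(SAMPLE_FILES).items():
        flag = "  (also set in a Match block)" if r["in_match_block"] else ""
        print(f"{'PASS' if r['pass'] else 'FAIL'} {kw} = {r['value']} ({r['source']}){flag}")
```

In the sample the `MaxAuthTries 4` and `GSSAPIAuthentication no` lines in sshd_config are dead: the drop-ins were read first. The fix that survives package updates is a drop-in that sorts before the vendor file (a `00-cis.conf`, for instance) rather than editing sshd_config or 50-redhat.conf. `PermitEmptyPasswords` passes globally but is flagged because a Match block sets it to `yes` for one user, which is exactly the case that only `sshd -T -C` exposes.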
5.2.1: Ensure sudo is installed (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.2.2: Ensure sudo commands use pty (Automated)
Description: None
Levels:
Automated: yes
Selections:
- sudo_add_use_pty: Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
5.2.3: Ensure sudo log file exists (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.2.4: Ensure users must provide password for escalation (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.2.5: Ensure re-authentication for privilege escalation is not disabled globally (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.2.6: Ensure sudo timestamp_timeout is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.2.7: Ensure access to the su command is restricted (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.3.1.1: Ensure latest version of pam is installed (Automated)
Description: None
Levels:
Automated: no
No rules selected
5.3.1.2: Ensure latest version of authselect is installed (Automated)
Description: None
Levels:
Automated: no
No rules selected
5.3.1.3: Ensure latest version of libpwquality is installed (Automated)
Description: None
Levels:
Automated: no
Selections:
5.3.2.1: Ensure active authselect profile includes pam modules (Automated)
Description: None
Levels:
Automated: no
No rules selected
5.3.2.2: Ensure pam_faillock module is enabled (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.3.2.3: Ensure pam_pwquality module is enabled (Automated)
Description: None
Levels:
Automated: yes
No rules selected
5.3.2.4: Ensure pam_pwhistory module is enabled (Automated)
Description: None
Levels:
Automated: yes
No rules selected
5.3.2.5: Ensure pam_unix module is enabled (Automated)
Description: None
Levels:
Automated: no
No rules selected
5.3.3.1.1: Ensure password failed attempts lockout is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.3.3.1.2: Ensure password unlock time is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.3.3.1.3: Ensure password failed attempts lockout includes root account (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.3.3.2.1: Ensure password number of changed characters is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.3.3.2.2: Ensure password length is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.3.3.2.3: Ensure password complexity is configured (Manual)
Description: None
Levels:
Automated: yes
Selections:
5.3.3.2.4: Ensure password same consecutive characters is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.3.3.2.5: Ensure password maximum sequential characters is configured (Automated)
Description: None
Levels:
Automated: no
No rules selected
5.3.3.2.6: Ensure password dictionary check is enabled (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.3.3.2.7: Ensure password quality is enforced for the root user (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.3.3.3.1: Ensure password history remember is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.3.3.3.2: Ensure password history is enforced for the root user (Automated)
Description: None
Levels:
Automated: no
No rules selected
5.3.3.3.3: Ensure pam_pwhistory includes use_authtok (Automated)
Description: None
Levels:
Automated: no
No rules selected
5.3.3.4.1: Ensure pam_unix does not include nullok (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.3.3.4.2: Ensure pam_unix does not include remember (Automated)
Description: None
Levels:
Automated: no
No rules selected
5.3.3.4.3: Ensure pam_unix includes a strong password hashing algorithm (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.3.3.4.4: Ensure pam_unix includes use_authtok (Automated)
Description: None
Levels:
Automated: no
No rules selected
5.4.1.1: Ensure password expiration is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.4.1.2: Ensure minimum password days is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.4.1.3: Ensure password expiration warning days is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.4.1.4: Ensure strong password hashing algorithm is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.4.1.5: Ensure inactive password lock is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.4.1.6: Ensure all users last password change date is in the past (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.4.2.1: Ensure root is the only UID 0 account (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.4.2.2: Ensure root is the only GID 0 account (Automated)
Description: None
Levels:
Automated: no
Selections:
5.4.2.3: Ensure group root is the only GID 0 group (Automated)
Description: None
Levels:
Automated: no
No rules selected
5.4.2.4: Ensure root account access is controlled (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.4.2.5: Ensure root path integrity (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.4.2.6: Ensure root user umask is configured (Automated)
Description: None
Levels:
Automated: no
No rules selected
5.4.2.7: Ensure system accounts do not have a valid login shell (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.4.2.8: Ensure accounts without a valid login shell are locked (Automated)
Description: None
Levels:
Automated: no
No rules selected
5.4.3.1: Ensure nologin is not listed in /etc/shells (Automated)
Description: None
Levels:
Automated: no
No rules selected
5.4.3.2: Ensure default user shell timeout is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
5.4.3.3: Ensure default user umask is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.1.1: Ensure AIDE is installed (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.1.2: Ensure filesystem integrity is regularly checked (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.1.3: Ensure cryptographic mechanisms are used to protect the integrity of audit tools (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.2.1.1: Ensure journald service is active (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.2.1.2: Ensure journald log file access is configured (Manual)
Description: None
Levels:
Automated: no
No rules selected
6.2.1.3: Ensure journald log file rotation is configured (Manual)
Description: None
Levels:
Automated: no
No rules selected
6.2.1.4: Ensure only one logging system is in use (Automated)
Description: None
Levels:
Automated: no
No rules selected
6.2.2.1.1: Ensure systemd-journal-remote is installed (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.2.2.1.2: Ensure systemd-journal-upload authentication is configured (Manual)
Description: None
Levels:
Automated: no
No rules selected
6.2.2.1.3: Ensure systemd-journal-upload is enabled and active (Automated)
Description: None
Levels:
Automated: no
No rules selected
6.2.2.1.4: Ensure systemd-journal-remote service is not in use (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.2.2.2: Ensure journald ForwardToSyslog is disabled (Automated)
Description: None
Levels:
Automated: no
No rules selected
6.2.2.3: Ensure journald Compress is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.2.2.4: Ensure journald Storage is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
- journald_storage: Ensure journald is configured to write log files to persistent disk
6.2.5.1: Ensure rsyslog is installed (Automated)
Description: None
Levels:
Automated: no
No rules selected
6.2.5.2: Ensure rsyslog service is enabled and active (Automated)
Description: None
Levels:
Automated: no
No rules selected
6.2.5.3: Ensure journald is configured to send logs to rsyslog (Automated)
Description: None
Levels:
Automated: no
No rules selected
6.2.5.4: Ensure rsyslog log file creation mode is configured (Automated)
Description: None
Levels:
Automated: no
No rules selected
6.2.5.5: Ensure rsyslog logging is configured (Manual)
Description: None
Levels:
Automated: no
No rules selected
6.2.5.6: Ensure rsyslog is configured to send logs to a remote log host (Manual)
Description: None
Levels:
Automated: no
No rules selected
6.2.5.7: Ensure rsyslog is not configured to receive logs from a remote client (Automated)
Description: None
Levels:
Automated: no
No rules selected
6.2.3.8: Ensure rsyslog logrotate is configured (Manual)
Description: None
Levels:
Automated: no
No rules selected
6.2.6.1: Ensure access to all logfiles has been configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.1.1: Ensure auditd packages are installed (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.1.2: Ensure auditing for processes that start prior to auditd is enabled (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.1.3: Ensure audit_backlog_limit is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.1.4: Ensure auditd service is enabled and active (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.2.1: Ensure audit log storage size is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.2.2: Ensure audit logs are not automatically deleted (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.2.3: Ensure system is disabled when audit logs are full (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.2.4: Ensure system warns when audit logs are low on space (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.1: Ensure modification of the /etc/sudoers file is collected (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.2: Ensure actions as another user are always logged (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.3: Ensure events that modify the sudo log file are collected (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.4: Ensure events that modify date and time information are collected (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.5: Ensure events that modify sethostname and setdomainname are collected (Automated)
Description: None
Levels:
Automated: no
No rules selected
6.3.3.6: Ensure events that modify /etc/issue and /etc/issue.net are collected (Automated)
Description: None
Levels:
Automated: no
No rules selected
6.3.3.7: Ensure events that modify /etc/hosts and /etc/hostname are collected (Automated)
Description: None
Levels:
Automated: no
Selections:
6.3.3.8: Ensure events that modify /etc/sysconfig/network and /etc/sysconfig/network-scripts/ are collected (Automated)
Description: None
Levels:
Automated: no
No rules selected
6.3.3.9: Ensure events that modify /etc/NetworkManager directory are collected (Automated)
Description: None
Levels:
Automated: no
No rules selected
6.3.3.10: Ensure use of privileged commands are collected (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.11: Ensure unsuccessful file access attempts are collected (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.12: Ensure events that modify /etc/group information are collected (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.13: Ensure events that modify /etc/passwd information are collected (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.14: Ensure events that modify /etc/shadow and /etc/gshadow are collected (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.15: Ensure events that modify /etc/security/opasswd are collected (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.16: Ensure events that modify /etc/nsswitch.conf file are collected (Automated)
Description: None
Levels:
Automated: no
No rules selected
6.3.3.17: Ensure events that modify /etc/pam.conf and /etc/pam.d/ information are collected (Automated)
Description: None
Levels:
Automated: no
No rules selected
6.3.3.18: Ensure discretionary access control permission modification events are collected (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.19: Ensure successful file system mounts are collected (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.20: Ensure session initiation information is collected (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.21: Ensure login and logout events are collected (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.22: Ensure file deletion events by users are collected (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.23: Ensure events that modify the system's Mandatory Access Controls are collected (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.24: Ensure successful and unsuccessful attempts to use the chcon command are collected (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.25: Ensure successful and unsuccessful attempts to use the setfacl command are collected (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.26: Ensure successful and unsuccessful attempts to use the chacl command are collected (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.27: Ensure successful and unsuccessful attempts to use the usermod command are collected (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.28: Ensure kernel module loading unloading and modification is collected (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.29: Ensure kernel "init_module" and "finit_module" loading unloading and modification is collected (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.30: Ensure kernel "delete_module" loading unloading and modification is collected (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.31: Ensure kernel "create_module" and "query_module" loading unloading and modification is collected (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.32: Ensure the audit configuration is loaded regardless of errors (Automated)
Description: None
Levels:
Automated: no
No rules selected
6.3.3.33: Ensure the audit configuration is immutable (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.3.34: Ensure the running and on disk configuration is the same (Manual)
Description: None
Levels:
Automated: no
No rules selected
6.3.4.1: Ensure the audit log file directory mode is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.4.2: Ensure audit log files mode is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.4.3: Ensure audit log files owner is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.4.4: Ensure audit log files group owner is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.4.5: Ensure audit configuration files mode is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.4.6: Ensure audit configuration files owner is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.4.7: Ensure audit configuration files group owner is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.4.8: Ensure audit tools mode is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.4.9: Ensure audit tools owner is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
6.3.4.10: Ensure audit tools group owner is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
7.1.1: Ensure access to /etc/passwd is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
7.1.2: Ensure access to /etc/passwd- is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
7.1.3: Ensure access to /etc/group is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
7.1.4: Ensure access to /etc/group- is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
7.1.5: Ensure access to /etc/shadow is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
7.1.6: Ensure access to /etc/shadow- is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
7.1.7: Ensure access to /etc/gshadow is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
7.1.8: Ensure access to /etc/gshadow- is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
7.1.9: Ensure access to /etc/shells is configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
7.1.10: Ensure access to /etc/security/opasswd is configured (Automated)
Description: None
Levels:
Automated: no
Selections:
7.1.11: Ensure world writable files and directories are secured (Automated)
Description: None
Levels:
Automated: yes
Selections:
7.1.12: Ensure no files or directories without an owner and a group exist (Automated)
Description: None
Levels:
Automated: no
Selections:
7.1.13: Ensure SUID and SGID files are reviewed (Manual)
Description: None
Levels:
Automated: no
No rules selected
7.2.1: Ensure accounts in /etc/passwd use shadowed passwords (Automated)
Description: None
Levels:
Automated: yes
Selections:
7.2.2: Ensure /etc/shadow password fields are not empty (Automated)
Description: None
Levels:
Automated: yes
Selections:
7.2.3: Ensure all groups in /etc/passwd exist in /etc/group (Automated)
Description: None
Levels:
Automated: yes
Selections:
7.2.4: Ensure no duplicate UIDs exist (Automated)
Description: None
Levels:
Automated: yes
Selections:
7.2.5: Ensure no duplicate GIDs exist (Automated)
Description: None
Levels:
Automated: yes
Selections:
7.2.6: Ensure no duplicate user names exist (Automated)
Description: None
Levels:
Automated: yes
Selections:
7.2.7: Ensure no duplicate group names exist (Automated)
Description: None
Levels:
Automated: yes
Selections:
7.2.8: Ensure local interactive user home directories are configured (Automated)
Description: None
Levels:
Automated: yes
Selections:
7.2.9: Ensure local interactive user dot files access is configured (Automated)
Description: None
Levels:
Automated: no
Selections: