Definition of Standard Benchmark for openEuler for openeuler2203

1.1.1: Ensure All Files Have Owner And Group

Description: None

• l1_server

Automated: yes

• file_permissions_ungroupowned: Ensure All Files Are Owned by a Group
• no_files_unowned_by_user: Ensure All Files Are Owned by a User

1.1.2: Ensure No Empty Symlink

Description: None

• l1_server

Automated: no

No rules selected

1.1.3: Ensure No Hidden Executable Files

Description: None

• l1_server

Automated: no

No rules selected

1.1.4: Ensure Sticky Set On Global Writable Folder

Description: None

• l1_server

Automated: yes

• dir_perms_world_writable_sticky_bits: Verify that All World-Writable Directories Have Sticky Bits Set

1.1.5: Ensure UMASK Correct

Description: None

• l1_server

Automated: yes

• accounts_umask_etc_bashrc: Ensure the Default Bash Umask is Set Correctly
• var_accounts_user_umask = 077

1.1.6: Ensure No Global Writable File

Description: None

• l1_server

Automated: yes

• file_permissions_unauthorized_world_writable: Ensure No World-Writable Files Exist

1.1.7: Umount Unnecessary File System

Description: None

• l1_server

Automated: no

No rules selected

1.1.8: Ensure Mount As Readonly If No Need To Write

Description: None

• l1_server

Automated: no

No rules selected

1.1.9: Ensure Mount As Nodev

Description: None

• l1_server

Automated: no

No rules selected

1.1.10: Ensure Mount As Noexec

Description: None

• l1_server

Automated: no

No rules selected

1.1.11: Ensure Mount As Noexec And Nodev For Removable Device

Description: None

• l1_server

Automated: yes

• mount_option_nodev_removable_partitions: Add nodev Option to Removable Media Partitions
• mount_option_noexec_removable_partitions: Add noexec Option to Removable Media Partitions

1.1.12: Ensure Mount As Nosuid

Description: None

• l1_server

Automated: no

No rules selected

1.1.13: Ensure Remove Unnecessary SUID And SGID

Description: None

• l1_server

Automated: yes

• file_permissions_unauthorized_sgid: Ensure All SGID Executables Are Authorized
• file_permissions_unauthorized_suid: Ensure All SUID Executables Are Authorized

1.1.14: Ensure File Permission Minimize

Description: None

• l1_server

Automated: no

No rules selected

1.1.15: Ensure Ulinmit Correctly

Description: None

• l1_server

Automated: no

No rules selected

1.1.16: Ensure Symlinks And Hardlinks Protected

Description: None

• l1_server

Automated: yes

• sysctl_fs_protected_hardlinks: Enable Kernel Parameter to Enforce DAC on Hardlinks
• sysctl_fs_protected_symlinks: Enable Kernel Parameter to Enforce DAC on Symlinks

1.1.17: Ensure USB Disabled

Description: None

• l2_server

Automated: yes

• kernel_module_usb-storage_disabled: Disable Modprobe Loading of USB Storage Driver

1.1.18: Ensure Different Data Store In Different Partitions

Description: None

• l2_server

Automated: no

No rules selected

1.1.19: Ensure LD_LIBRARY_PATH Correct

Description: None

• l1_server

Automated: no

No rules selected

1.1.20: Ensure User PATH Correct

Description: None

• l1_server

Automated: no

No rules selected

1.2.1: Ensure FTP Not Installed

Description: None

• l1_server

Automated: yes

• package_ftp_removed: Remove ftp Package

1.2.2: Ensure TFTP Server Not Installed

Description: None

• l1_server

Automated: yes

• package_tftp-server_removed: Uninstall tftp-server Package
• package_tftp_removed: Remove tftp Daemon

1.2.3: Ensure Telnet Server Not Installed

Description: None

• l1_server

Automated: yes

• package_telnet-server_removed: Uninstall telnet-server Package
• package_telnet_removed: Remove telnet Clients

1.2.4: Ensure SNMP Not Installed

Description: None

• l1_server

Automated: yes

• package_net-snmp_removed: Uninstall net-snmp Package

1.2.5: Ensure Python2 Not Installed

Description: None

• l1_server

Automated: no

No rules selected

1.2.6: Ensure GPG Check Configured

Description: None

• l1_server

Automated: yes

• ensure_gpgcheck_globally_activated: Ensure gpgcheck Enabled In Main dnf Configuration
• ensure_gpgcheck_never_disabled: Ensure gpgcheck Enabled for All dnf Package Repositories

1.2.7: Ensure Debug-Shell Disabled

Description: None

• l1_server

Automated: yes

• service_debug-shell_disabled: Disable debug-shell SystemD Service

1.2.8: Ensure Rsync Not Installed

Description: None

• l1_server

Automated: yes

• service_rsyncd_disabled: Ensure rsyncd service is disabled

1.2.9: Ensure Avahi Not Installed

Description: None

• l1_server

Automated: yes

• service_avahi-daemon_disabled: Disable Avahi Server Software

1.2.10: Ensure LDAP Server Not Installed

Description: None

• l1_server

Automated: yes

• package_openldap-servers_removed: Uninstall openldap-servers Package

1.2.11: Ensure CUPS Not Installed

Description: None

• l1_server

Automated: yes

• package_cups_removed: Uninstall CUPS Package

1.2.12: Ensure NIS Server Not Installed

Description: None

• l1_server

Automated: yes

• package_ypserv_removed: Uninstall ypserv Package

1.2.13: Ensure NIS Client Not Installed

Description: None

• l1_server

Automated: yes

• package_ypbind_removed: Remove NIS Client

1.2.14: Ensure LDAP Client Not Installed

Description: None

• l1_server

Automated: yes

• package_openldap-clients_removed: Ensure LDAP client is not installed

1.2.15: Ensure Network Sniffing Software Removed

Description: None

• l1_server

Automated: no

No rules selected

1.2.16: Ensure Debug Tools Removed

Description: None

• l1_server

Automated: no

No rules selected

1.2.17: Ensure Compiler Tools Removed

Description: None

• l1_server

Automated: no

No rules selected

1.2.18: Ensure X Window Not Installed

Description: None

• l2_server

Automated: yes

• xwindows_remove_packages: Disable graphical user interface

1.2.19: Ensure Http Service Not Installed

Description: None

• l2_server

Automated: yes

• package_httpd_removed: Uninstall httpd Package

1.2.20: Ensure Samba Service Not Installed

Description: None

• l2_server

Automated: yes

• package_samba_removed: Uninstall Samba Package

1.2.21: Ensure DNS Service Disabled

Description: None

• l2_server

Automated: yes

• service_named_disabled: Disable named Service

1.2.22: Ensure NFS Service Disabled

Description: None

• l2_server

Automated: yes

• service_nfs_disabled: Disable Network File System (nfs)

1.2.23: Ensure RPC Service Disabled

Description: None

• l2_server

Automated: yes

• service_rpcbind_disabled: Disable rpcbind Service

1.2.24: Ensure DHCP Service Disabled

Description: None

• l2_server

Automated: yes

• service_dhcpd_disabled: Disable DHCP Service

2.1.1: Ensure All Login Accounts Are Necessary

Description: None

• l1_server

Automated: no

No rules selected

2.1.2: Ensure No Unused Accounts

Description: None

• l1_server

Automated: no

No rules selected

2.1.3: Ensure Different Accounts Have Different GroupID

Description: None

• l1_server

Automated: no

No rules selected

2.1.4: Ensure Only Root's UID Is 0

Description: None

• l1_server

Automated: yes

• accounts_no_uid_except_zero: Verify Only Root Has UID 0

2.1.5: Ensure Account Related Files Have Correct Permission

Description: None

• l1_server

Automated: yes

• file_groupowner_backup_etc_group: Verify Group Who Owns Backup group File
• file_groupowner_backup_etc_gshadow: Verify Group Who Owns Backup gshadow File
• file_groupowner_backup_etc_passwd: Verify Group Who Owns Backup passwd File
• file_groupowner_backup_etc_shadow: Verify User Who Owns Backup shadow File
• file_groupowner_etc_group: Verify Group Who Owns group File
• file_groupowner_etc_gshadow: Verify Group Who Owns gshadow File
• file_groupowner_etc_passwd: Verify Group Who Owns passwd File
• file_groupowner_etc_shadow: Verify Group Who Owns shadow File
• file_owner_backup_etc_group: Verify User Who Owns Backup group File
• file_owner_backup_etc_gshadow: Verify User Who Owns Backup gshadow File
• file_owner_backup_etc_passwd: Verify User Who Owns Backup passwd File
• file_owner_backup_etc_shadow: Verify Group Who Owns Backup shadow File
• file_owner_etc_group: Verify User Who Owns group File
• file_owner_etc_gshadow: Verify User Who Owns gshadow File
• file_owner_etc_passwd: Verify User Who Owns passwd File
• file_owner_etc_shadow: Verify User Who Owns shadow File
• file_permissions_backup_etc_group: Verify Permissions on Backup group File
• file_permissions_backup_etc_gshadow: Verify Permissions on Backup gshadow File
• file_permissions_backup_etc_passwd: Verify Permissions on Backup passwd File
• file_permissions_backup_etc_shadow: Verify Permissions on Backup shadow File
• file_permissions_etc_group: Verify Permissions on group File
• file_permissions_etc_gshadow: Verify Permissions on gshadow File
• file_permissions_etc_passwd: Verify Permissions on passwd File
• file_permissions_etc_shadow: Verify Permissions on shadow File

2.1.6: Ensure All Accounts Have Own Home Folder

Description: None

• l1_server

Automated: yes

• accounts_user_interactive_home_directory_exists: All Interactive Users Home Directories Must Exist

2.1.7: Ensure All Groups Existed

Description: None

• l1_server

Automated: yes

• gid_passwd_group_same: All GIDs referenced in /etc/passwd must be defined in /etc/group

2.1.8: Ensure UID Unique

Description: None

• l1_server

Automated: yes

• account_unique_id: Ensure All Accounts on the System Have Unique User IDs

2.1.9: Ensure Account Name Unique

Description: None

• l1_server

Automated: yes

• account_unique_name: Ensure All Accounts on the System Have Unique Names

2.1.10: Ensure Group Unique ID

Description: None

• l1_server

Automated: yes

• group_unique_id: Ensure All Groups on the System Have Unique Group ID

2.1.11: Ensure Group Unique Name

Description: None

• l1_server

Automated: yes

• group_unique_name: Ensure All Groups on the System Have Unique Group Names

2.1.12: Ensure Account Expire Date Correct

Description: None

• l2_server

Automated: no

• account_temp_expire_date: Assign Expiration Date to Temporary Accounts

2.1.13: Ensure No .forward Files In Home Folder

Description: None

• l2_server

Automated: yes

• no_forward_files: Verify No .forward Files Exist

2.1.14: Ensure No .netrc Files In Home Folder

Description: None

• l2_server

Automated: yes

• no_netrc_files: Verify No netrc Files Exist

2.2.1: Ensure Set Correct Password Complexity

Description: None

• l1_server

Automated: yes

• accounts_password_pam_dcredit: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
• accounts_password_pam_enforce_root: Ensure PAM Enforces Password Requirements - Enforce for root User
• accounts_password_pam_lcredit: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
• accounts_password_pam_minclass: Ensure PAM Enforces Password Requirements - Minimum Different Categories
• accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
• accounts_password_pam_ocredit: Ensure PAM Enforces Password Requirements - Minimum Special Characters
• accounts_password_pam_retry: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
• accounts_password_pam_ucredit: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
• var_password_pam_dcredit = 0
• var_password_pam_lcredit = 0
• var_password_pam_minclass = 3
• var_password_pam_minlen = 8
• var_password_pam_ocredit = 0
• var_password_pam_retry = 3
• var_password_pam_ucredit = 0

2.2.2: Ensure No History Password Used

Description: None

• l1_server

Automated: yes

• accounts_password_pam_unix_remember: Limit Password Reuse
• var_password_pam_unix_remember = 5

2.2.3: Ensure Old Password Verified

Description: None

• l1_server

Automated: no

No rules selected

2.2.4: Ensure Password Not Contain User Name

Description: None

• l1_server

Automated: no

No rules selected

2.2.5: Ensure Using Strong Hash Algorithm To Encipher Password

Description: None

• l1_server

Automated: yes

• set_password_hashing_algorithm_passwordauth: Set PAM''s Password Hashing Algorithm - password-auth
• set_password_hashing_algorithm_systemauth: Set PAM''s Password Hashing Algorithm

2.2.6: Ensure Password Dictionary Correct

Description: None

• l1_server

Automated: yes

• accounts_password_pam_dictcheck: Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words

2.2.7: Ensure Password Expire Correct

Description: None

• l1_server

Automated: yes

• accounts_maximum_age_login_defs: Set Password Maximum Age
• accounts_minimum_age_login_defs: Set Password Minimum Age
• accounts_password_warn_age_login_defs: Set Password Warning Age
• var_accounts_maximum_age_login_defs = 90
• var_accounts_minimum_age_login_defs = 0
• var_accounts_password_warn_age_login_defs = 7

2.2.8: Ensure No Empty Password

Description: None

• l1_server

Automated: yes

• sshd_disable_empty_passwords: Disable SSH Access via Empty Passwords

2.2.9: Ensure Grub Password Set

Description: None

• l1_server

Automated: yes

• grub2_password: Set Boot Loader Password in grub2
• grub2_uefi_password: Set the UEFI Boot Loader Password

2.2.10: Ensure Password Set In Single User Mode

Description: None

• l1_server

Automated: yes

• require_emergency_target_auth: Require Authentication for Emergency Systemd Target

2.2.11: Ensure Password Changed At First Login

Description: None

• l1_server

Automated: no

No rules selected

2.3.1: Ensure Account Locked After Accessing Fail

Description: None

• l1_server

Automated: yes

• accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts
• accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts
• var_accounts_passwords_pam_faillock_deny = 3
• var_accounts_passwords_pam_faillock_unlock_time = 300

2.3.2: Ensure TIMOUT Set Correct

Description: None

• l1_server

Automated: yes

• accounts_tmout: Set Interactive Session Timeout
• var_accounts_tmout = 5_min

2.3.3: Ensure Warning Banners Correct

Description: None

• l1_server

Automated: yes

• file_groupowner_etc_issue: Verify Group Ownership of System Login Banner
• file_groupowner_etc_issue_net: Verify Group Ownership of System Login Banner for Remote Connections
• file_groupowner_etc_motd: Verify Group Ownership of Message of the Day Banner
• file_owner_etc_issue: Verify ownership of System Login Banner
• file_owner_etc_issue_net: Verify ownership of System Login Banner for Remote Connections
• file_owner_etc_motd: Verify ownership of Message of the Day Banner
• file_permissions_etc_issue: Verify permissions on System Login Banner
• file_permissions_etc_issue_net: Verify permissions on System Login Banner for Remote Connections
• file_permissions_etc_motd: Verify permissions on Message of the Day Banner

2.3.4: Ensure Warning Path Correct

Description: None

• l1_server

Automated: yes

• sshd_enable_warning_banner_net: Enable SSH Warning Banner

2.4.1: Ensure HISTSIZE Limited

Description: None

• l2_server

Automated: no

No rules selected

2.4.2: Ensure SELinux Enforce

Description: None

• l2_server

Automated: yes

• selinux_state: Ensure SELinux State is Enforcing

2.4.3: Ensure SELinux Configurate Correct

Description: None

• l2_server

Automated: yes

• selinux_policytype: Configure SELinux Policy

2.4.4: Ensure SU Usage Limited

Description: None

• l1_server

Automated: yes

• use_pam_wheel_for_su: Enforce usage of pam_wheel for su authentication

2.4.5: Ensure Use Sudo To Run

Description: None

• l1_server

Automated: yes

• sudo_restrict_privilege_elevation_to_authorized: The operating system must restrict privilege elevation to authorized personnel

2.4.6: Ensure No Files In /etc/sudoers Can Be Write By Low-privilege User

Description: None

• l1_server

Automated: no

No rules selected

2.4.7: Ensure Low-privilege User Cannot Escalate By Pkexec

Description: None

• l1_server

Automated: no

No rules selected

2.4.8: Ensure ALWAYS_SET_PATH Configurated

Description: None

• l1_server

Automated: no

No rules selected

2.4.9: Ensure Root Can Not Login Local

Description: None

• l2_server

Automated: no

No rules selected

2.4.10: Ensure Not Run Files wiht unconfined_service_t Flag

Description: None

• l2_server

Automated: yes

• selinux_confinement_of_daemons: Ensure No Daemons are Unconfined by SELinux

2.5.1: Ensure IMA Enabled

Description: None

• l2_server

Automated: no

No rules selected

2.5.2: Ensure AIDE Enabled

Description: None

• l2_server

Automated: yes

• aide_build_database: Build and Test AIDE Database
• package_aide_installed: Install AIDE

2.6.1: Ensure Haveged Enabled

Description: None

• l2_server

Automated: no

No rules selected

2.6.2: Global Crypto Setting Correct

Description: None

• l2_server

Automated: yes

• configure_crypto_policy: Configure System Cryptography Policy

3.1.1: Ensure No Unusual Network Service

Description: None

• l2_server

Automated: yes

• kernel_module_sctp_disabled: Disable SCTP Support
• kernel_module_tipc_disabled: Disable TIPC Support

3.1.2: Ensure No WIFI

Description: None

• l2_server

Automated: yes

• wireless_disable_interfaces: Deactivate Wireless Network Interfaces

3.2.1: Ensure Firewalld Enabled

Description: None

• l2_server

Automated: yes

• service_firewalld_enabled: Verify firewalld Enabled

3.2.2: Ensure Firewalld Set Default Zone Correctly

Description: None

• l2_server

Automated: no

No rules selected

3.2.3: Ensure Firewalld Set Correct Interface Zone

Description: None

• l2_server

Automated: no

• set_firewalld_appropriate_zone: Ensure network interfaces are assigned to appropriate zone

3.2.4: Ensure Unnecessary Service And Port Disabled

Description: None

• l2_server

Automated: no

• unnecessary_firewalld_services_ports_disabled: Ensure Unnecessary Services and Ports Are Not Accepted

3.2.5: Ensure Iptables Enabled

Description: None

• l2_server

Automated: yes

• service_ip6tables_enabled: Verify ip6tables Enabled if Using IPv6
• service_iptables_enabled: Verify iptables Enabled

3.2.6: Ensure Iptables Default Refuse Rules Set

Description: None

• l2_server

Automated: no

• set_iptables_default_rule: Set Default iptables Policy for Incoming Packets

3.2.7: Ensure Iptables Loopback Rules Set

Description: None

• l2_server

Automated: yes

• set_ipv6_loopback_traffic: Set configuration for IPv6 loopback traffic
• set_loopback_traffic: Set configuration for loopback traffic

3.2.8: Ensure Iptables Input Rules Set

Description: None

• l2_server

Automated: no

No rules selected

3.2.9: Ensure Iptables Output Rules Set

Description: None

• l2_server

Automated: no

No rules selected

3.2.10: Ensure Iptables Input Output Connection Rules Set

Description: None

• l2_server

Automated: no

• set_iptables_outbound_n_established: Ensure Outbound and Established Connections are Configured

3.2.11: Ensure Nftables Enabled

Description: None

• l2_server

Automated: yes

• service_nftables_enabled: Verify nftables Service is Enabled

3.2.12: Ensure Nftables Default Refuse Rules Set

Description: None

• l2_server

Automated: no

• nftables_ensure_default_deny_policy: Ensure nftables Default Deny Firewall Policy

3.2.13: Ensure Nftables Loopback Rules Set

Description: None

• l2_server

Automated: no

• set_nftables_loopback_traffic: Set nftables Configuration for Loopback Traffic

3.2.14: Ensure Nftables Input Rules Set

Description: None

• l2_server

Automated: no

No rules selected

3.2.15: Ensure Nftables Output Rules Set

Description: None

• l2_server

Automated: no

No rules selected

3.2.16: Ensure Nftables Input Output Connection Rules Set

Description: None

• l2_server

Automated: no

• set_nftables_new_connections: Ensure all outbound and established connections are configured for nftables

3.3.1: Ensure SSHd Protocol Version Is 2

Description: None

• l1_server

Automated: yes

• sshd_allow_only_protocol2: Allow Only SSH Protocol 2

3.3.2: Ensure SSHd Authentication Setting Correct

Description: None

• l1_server

Automated: yes

• disable_host_auth: Disable Host-Based Authentication
• sshd_disable_rhosts: Disable SSH Support for .rhosts Files

3.3.3: Ensure SSHd Key Exchange Algorithm Correct

Description: None

• l1_server

Automated: yes

• sshd_strong_kex = std_openeuler
• sshd_use_strong_kex: Use Only Strong Key Exchange algorithms

3.3.4: Ensure SSHd Pubkey Algorithm Correct

Description: None

• l1_server

Automated: no

No rules selected

3.3.5: Ensure SSHd PAM Enabled

Description: None

• l1_server

Automated: yes

• sshd_enable_pam: Enable PAM

3.3.6: Ensure SSHd MACs Algorithm Correct

Description: None

• l1_server

Automated: yes

• sshd_use_strong_macs: Use Only Strong MACs

3.3.7: Ensure SSHd Ciphers Algorithm Correct

Description: None

• l1_server

Automated: yes

• sshd_use_strong_ciphers: Use Only Strong Ciphers

3.3.8: Ensure SSHd Ciphers Algorithm Not Overwritten

Description: None

• l1_server

Automated: no

No rules selected

3.3.9: Ensure SSHd Forbid Root Login From Remote

Description: None

• l1_server

Automated: yes

• sshd_disable_root_login: Disable SSH Root Login

3.3.10: Ensure SSHd Log Level Correct

Description: None

• l2_server

Automated: yes

• sshd_set_loglevel_verbose: Set SSH Daemon LogLevel to VERBOSE

3.3.11: Ensure SSHd Listen Address Set Correct

Description: None

• l2_server

Automated: no

No rules selected

3.3.12: Ensure SSHd MaxStartups Correct

Description: None

• l2_server

Automated: yes

• sshd_set_maxstartups: Ensure SSH MaxStartups is configured
• var_sshd_set_maxstartups = 10:30:60

3.3.13: Ensure SSHd Maxsessions Correct

Description: None

• l2_server

Automated: yes

• sshd_set_max_sessions: Set SSH MaxSessions limit
• var_sshd_max_sessions = 10

3.3.14: Ensure SSHd X11 Forwarding Forbidden

Description: None

• l1_server

Automated: yes

• sshd_disable_x11_forwarding: Disable X11 Forwarding

3.3.15: Ensure SSHd MaxAuthTries Correct

Description: None

• l2_server

Automated: yes

• sshd_max_auth_tries_value = 3
• sshd_set_max_auth_tries: Set SSH authentication attempt limit

3.3.16: Ensure SSHd PermitUserEnvironment Forbidden

Description: None

• l1_server

Automated: yes

• sshd_do_not_permit_user_env: Do Not Allow SSH Environment Options

3.3.17: Ensure SSHd LoginGraceTime Correct

Description: None

• l2_server

Automated: yes

• sshd_set_login_grace_time: Ensure SSH LoginGraceTime is configured
• var_sshd_set_login_grace_time = 60

3.3.18: Ensure SSHd Authorized Keys Not Set

Description: None

• l1_server

Automated: no

No rules selected

3.3.19: Ensure SSHd Known Hosts Not Set

Description: None

• l1_server

Automated: yes

• sshd_disable_user_known_hosts: Disable SSH Support for User Known Hosts

3.3.20: Ensure SSHd Has No Obsolete Configurations

Description: None

• l1_server

Automated: no

No rules selected

3.3.21: Ensure SSHd TCP Forward Disabled

Description: None

• l1_server

Automated: yes

• sshd_disable_tcp_forwarding: Disable SSH TCP Forwarding

3.3.22: Ensure SSHd Has Correct White and Black Access List

Description: None

• l2_server

Automated: no

No rules selected

3.4.1: Ensure Cron Not Run Low Privilege User Writable Bash

Description: None

• l1_server

Automated: no

No rules selected

3.4.2: Ensure Cron Deamon Running

Description: None

• l1_server

Automated: yes

• service_crond_enabled: Enable cron Service

3.4.3: Ensure AT And Cron Set Correct

Description: None

• l1_server

Automated: yes

• file_at_deny_not_exist: Ensure that /etc/at.deny does not exist
• file_cron_deny_not_exist: Ensure that /etc/cron.deny does not exist
• file_groupowner_at_allow: Verify Group Who Owns /etc/at.allow file
• file_groupowner_cron_allow: Verify Group Who Owns /etc/cron.allow file
• file_groupowner_cron_d: Verify Group Who Owns cron.d
• file_groupowner_cron_daily: Verify Group Who Owns cron.daily
• file_groupowner_cron_hourly: Verify Group Who Owns cron.hourly
• file_groupowner_cron_monthly: Verify Group Who Owns cron.monthly
• file_groupowner_cron_weekly: Verify Group Who Owns cron.weekly
• file_groupowner_crontab: Verify Group Who Owns Crontab
• file_owner_at_allow: Verify User Who Owns /etc/at.allow file
• file_owner_cron_allow: Verify User Who Owns /etc/cron.allow file
• file_owner_cron_d: Verify Owner on cron.d
• file_owner_cron_daily: Verify Owner on cron.daily
• file_owner_cron_hourly: Verify Owner on cron.hourly
• file_owner_cron_monthly: Verify Owner on cron.monthly
• file_owner_cron_weekly: Verify Owner on cron.weekly
• file_owner_crontab: Verify Owner on crontab
• file_permissions_at_allow: Verify Permissions on /etc/at.allow file
• file_permissions_cron_allow: Verify Permissions on /etc/cron.allow file
• file_permissions_cron_d: Verify Permissions on cron.d
• file_permissions_cron_daily: Verify Permissions on cron.daily
• file_permissions_cron_hourly: Verify Permissions on cron.hourly
• file_permissions_cron_monthly: Verify Permissions on cron.monthly
• file_permissions_cron_weekly: Verify Permissions on cron.weekly
• file_permissions_crontab: Verify Permissions on crontab

3.5.1: Ensure KASLR Enabled

Description: None

• l1_server

Automated: yes

• sysctl_kernel_randomize_va_space: Enable Randomized Layout of Virtual Address Space

3.5.2: Ensure Dmesg Access Permission Correct

Description: None

• l1_server

Automated: yes

• sysctl_kernel_dmesg_restrict: Restrict Access to Kernel Message Buffer

3.5.3: Ensure Kptr_restrict Correct

Description: None

• l1_server

Automated: yes

• sysctl_kernel_kptr_restrict: Restrict Exposed Kernel Pointer Addresses Access
• sysctl_kernel_kptr_restrict_value = 1

3.5.4: Ensure Kernel SMAP Enabled

Description: None

• l1_server

Automated: yes

• grub2_nosmap_argument_absent: Ensure SMAP is not disabled during boot

3.5.5: Ensure Kernel SMEP Enabled

Description: None

• l1_server

Automated: yes

• grub2_nosmep_argument_absent: Ensure SMEP is not disabled during boot

3.5.6: Ensure ICMP Broadcast Package Not Responsed

Description: None

• l1_server

Automated: yes

• sysctl_net_ipv4_icmp_echo_ignore_broadcasts: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces

3.5.7: Ensure ICMP Redirect Package Not Received

Description: None

• l1_server

Automated: yes

• sysctl_net_ipv4_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv4 Interfaces
• sysctl_net_ipv4_conf_all_accept_redirects_value = disabled
• sysctl_net_ipv4_conf_all_secure_redirects: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
• sysctl_net_ipv4_conf_all_secure_redirects_value = disabled
• sysctl_net_ipv4_conf_default_secure_redirects: Configure Kernel Parameter for Accepting Secure Redirects By Default
• sysctl_net_ipv4_conf_default_secure_redirects_value = disabled
• sysctl_net_ipv6_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv6 Interfaces
• sysctl_net_ipv6_conf_all_accept_redirects_value = disabled

3.5.8: Ensure No ICMP Redirect Package Forwarded

Description: None

• l1_server

Automated: yes

• sysctl_net_ipv4_conf_all_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
• sysctl_net_ipv4_conf_default_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default

3.5.9: Ensure Ignore All ICMP Request

Description: None

• l2_server

Automated: no

No rules selected

3.5.10: Ensure Ignore Bogus Error ICMP Package

Description: None

• l1_server

Automated: yes

• sysctl_net_ipv4_icmp_ignore_bogus_error_responses: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
• sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value = enabled

3.5.11: Ensure Reverse Proxy Filter Enabled

Description: None

• l1_server

Automated: yes

• sysctl_net_ipv4_conf_all_rp_filter: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
• sysctl_net_ipv4_conf_all_rp_filter_value = enabled
• sysctl_net_ipv4_conf_default_rp_filter: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
• sysctl_net_ipv4_conf_default_rp_filter_value = enabled

3.5.12: Ensure IP Forwarding Disabled

Description: None

• l1_server

Automated: yes

• sysctl_net_ipv4_ip_forward: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
• sysctl_net_ipv6_conf_all_forwarding: Disable Kernel Parameter for IPv6 Forwarding
• sysctl_net_ipv6_conf_all_forwarding_value = disabled

3.5.13: Ensure Source Route Disabled

Description: None

• l1_server

Automated: yes

• sysctl_net_ipv4_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
• sysctl_net_ipv4_conf_all_accept_source_route_value = disabled
• sysctl_net_ipv4_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
• sysctl_net_ipv4_conf_default_accept_source_route_value = disabled
• sysctl_net_ipv6_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
• sysctl_net_ipv6_conf_all_accept_source_route_value = disabled
• sysctl_net_ipv6_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
• sysctl_net_ipv6_conf_default_accept_source_route_value = disabled

3.5.14: Ensure TCP-SYN Cookie Enabled

Description: None

• l1_server

Automated: yes

• sysctl_net_ipv4_tcp_syncookies: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces

3.5.15: Ensure Source Route And Redirectly Logged

Description: None

• l1_server

Automated: yes

• sysctl_net_ipv4_conf_all_log_martians: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces
• sysctl_net_ipv4_conf_default_log_martians: Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default

3.5.16: Ensure tcp_timestamps Disabled

Description: None

• l1_server

Automated: no

No rules selected

3.5.17: Ensure TCP Time Wait Correct

Description: None

• l1_server

Automated: no

No rules selected

3.5.18: Ensure SYN Recv Set Correct

Description: None

• l1_server

Automated: no

No rules selected

3.5.19: Ensure No ARP Proxy

Description: None

• l1_server

Automated: no

No rules selected

3.5.20: Ensure Core Dump Set Correct

Description: None

• l1_server

Automated: no

No rules selected

3.5.21: Ensure SysRq Key Disabled

Description: None

• l1_server

Automated: yes

• sysctl_kernel_sysrq: Disallow magic SysRq key

3.5.22: Ensure ptrace_scope Set Correct

Description: None

• l2_server

Automated: yes

• sysctl_kernel_yama_ptrace_scope: Restrict usage of ptrace to descendant processes

3.5.23: Ensure Seccomp Enabled

Description: None

• l2_server

Automated: yes

• kernel_config_seccomp: Enable seccomp to safely compute untrusted bytecode

3.6.1: Ensure Ntpd Configuration Correct

Description: None

• l2_server

Automated: yes

• ntpd_configure_restrictions: Configure server restrictions for ntpd
• ntpd_specify_remote_server: Specify a Remote NTP Server
• service_ntpd_enabled: Enable the NTP Daemon

3.6.2: Ensure Chrony Configuration Correct

Description: None

• l2_server

Automated: yes

• chronyd_specify_remote_server: A remote time server for Chrony is configured
• service_chronyd_enabled: The Chronyd service is enabled

4.1.1: Ensure Auditd Enabled

Description: None

• l1_server

Automated: yes

• service_auditd_enabled: Enable auditd Service

4.1.2: Ensure Auditd Rotate Enabled

Description: None

• l1_server

Automated: yes

• auditd_data_retention_max_log_file_action: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
• auditd_data_retention_num_logs: Configure auditd Number of Logs Retained
• var_auditd_max_log_file_action = rotate
• var_auditd_num_logs = 5

4.1.3: Ensure Lastlog Recorded

Description: None

• l2_server

Automated: yes

• audit_rules_login_events_lastlog: Record Attempts to Alter Logon and Logout Events - lastlog

4.1.4: Ensure Account Info Changing Audited

Description: None

• l2_server

Automated: yes

• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow
• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd
• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow

4.1.5: Ensure Escalation Audited

Description: None

• l2_server

Automated: no

No rules selected

4.1.6: Ensure Module Changes Audited

Description: None

• l2_server

Automated: yes

• audit_rules_kernel_module_loading: Ensure auditd Collects Information on Kernel Module Loading and Unloading
• audit_rules_privileged_commands_insmod: Ensure auditd Collects Information on the Use of Privileged Commands - insmod
• audit_rules_privileged_commands_modprobe: Ensure auditd Collects Information on the Use of Privileged Commands - modprobe
• audit_rules_privileged_commands_rmmod: Ensure auditd Collects Information on the Use of Privileged Commands - rmmod

4.1.7: Ensure Sudo Operation Audited

Description: None

• l2_server

Automated: yes

• audit_rules_privileged_commands_sudo: Ensure auditd Collects Information on the Use of Privileged Commands - sudo

4.1.8: Ensure Auditd Enabled During Boot

Description: None

• l2_server

Automated: yes

• grub2_audit_argument: Enable Auditing for Processes Which Start Prior to the Audit Daemon

4.1.9: Ensure Audit Backlog Limit Correct

Description: None

• l2_server

Automated: yes

• grub2_audit_backlog_limit_argument: Extend Audit Backlog Limit for the Audit Daemon

4.1.10: Ensure Auditctl Not Used

Description: None

• l2_server

Automated: yes

• audit_rules_immutable: Make the auditd Configuration Immutable

4.1.11: Ensure Audit Log Size Set Correct

Description: None

• l1_server

Automated: yes

• auditd_data_retention_max_log_file: Configure auditd Max Log File Size
• auditd_data_retention_max_log_file_action: Configure auditd max_log_file_action Upon Reaching Maximum Log Size

4.1.12: Ensure Audit Disk Space Set Correct

Description: None

• l2_server

Automated: yes

• auditd_audispd_disk_full_action: Configure audispd's Plugin disk_full_action When Disk Is Full
• auditd_data_disk_error_action: Configure auditd Disk Error Action on Disk Error
• auditd_data_disk_full_action: Configure auditd Disk Full Action when Disk Space Is Full
• auditd_data_retention_admin_space_left_action: Configure auditd admin_space_left Action on Low Disk Space
• auditd_data_retention_admin_space_left_percentage: Configure auditd admin_space_left on Low Disk Space
• auditd_data_retention_space_left: Configure auditd space_left on Low Disk Space
• auditd_data_retention_space_left_action: Configure auditd space_left Action on Low Disk Space
• var_auditd_admin_space_left_action = suspend
• var_auditd_admin_space_left_percentage = 50pc
• var_auditd_disk_error_action = suspend
• var_auditd_disk_full_action = suspend
• var_auditd_space_left_action = syslog

4.1.13: Ensure Sudoers Audited

Description: None

• l2_server

Automated: yes

• audit_rules_sudoers: Ensure auditd Collects System Administrator Actions - /etc/sudoers

4.1.14: Ensure Session Audited

Description: None

• l2_server

Automated: yes

• audit_rules_session_events: Record Attempts to Alter Process and Session Initiation Information

4.1.15: Ensure Time Changing Audited

Description: None

• l2_server

Automated: yes

• audit_rules_time_adjtimex: Record attempts to alter time through adjtimex
• audit_rules_time_clock_settime: Record Attempts to Alter Time Through clock_settime
• audit_rules_time_settimeofday: Record attempts to alter time through settimeofday

4.1.16: Ensure SELinux Audited

Description: None

• l2_server

Automated: yes

• audit_rules_mac_modification: Record Events that Modify the System's Mandatory Access Controls
• audit_rules_mac_modification_usr_share: Record Events that Modify the System's Mandatory Access Controls in usr/share

4.1.17: Ensure Network Audited

Description: None

• l2_server

Automated: yes

• audit_rules_networkconfig_modification: Record Events that Modify the System's Network Environment

4.1.18: Ensure Successful File Access Audited

Description: None

• l2_server

Automated: no

• audit_rules_successful_file_modification_chmod: Record Successful Permission Changes to Files - chmod
• audit_rules_successful_file_modification_chown: Record Successful Ownership Changes to Files - chown
• audit_rules_successful_file_modification_fchmod: Record Successful Permission Changes to Files - fchmod
• audit_rules_successful_file_modification_fchmodat: Record Successful Permission Changes to Files - fchmodat
• audit_rules_successful_file_modification_fchown: Record Successful Ownership Changes to Files - fchown
• audit_rules_successful_file_modification_fchownat: Record Successful Ownership Changes to Files - fchownat
• audit_rules_successful_file_modification_fremovexattr: Record Successful Permission Changes to Files - fremovexattr
• audit_rules_successful_file_modification_fsetxattr: Record Successful Permission Changes to Files - fsetxattr
• audit_rules_successful_file_modification_lremovexattr: Record Successful Permission Changes to Files - lremovexattr
• audit_rules_successful_file_modification_lsetxattr: Record Successful Permission Changes to Files - lsetxattr
• audit_rules_successful_file_modification_removexattr: Record Successful Permission Changes to Files - removexattr
• audit_rules_successful_file_modification_setxattr: Record Successful Permission Changes to Files - setxattr

4.1.19: Ensure Unsuccessful File Access Audited

Description: None

• l2_server

Automated: yes

• audit_rules_unsuccessful_file_modification: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)

4.1.20: Ensure File Delete Audited

Description: None

• l2_server

Automated: no

• audit_rules_successful_file_modification_rename: Record Successful Delete Attempts to Files - rename
• audit_rules_successful_file_modification_renameat: Record Successful Delete Attempts to Files - renameat
• audit_rules_successful_file_modification_unlink: Record Successful Delete Attempts to Files - unlink
• audit_rules_successful_file_modification_unlinkat: Record Successful Delete Attempts to Files - unlinkat

4.1.21: Ensure Mount Audited

Description: None

• l2_server

Automated: no

No rules selected

4.2.1: Ensure Rsyslog Enabled

Description: None

• l1_server

Automated: yes

• service_rsyslog_enabled: Enable rsyslog Service

4.2.2: Ensure Authentication Logged

Description: None

• l1_server

Automated: yes

• rsyslog_remote_access_monitoring: Ensure remote access methods are monitored in Rsyslog

4.2.3: Ensure Cron Logged

Description: None

• l1_server

Automated: yes

• rsyslog_cron_logging: Ensure cron Is Logging To Rsyslog

4.2.4: Ensure Rsyslog's Files Permission Correct

Description: None

• l2_server

Automated: yes

• rsyslog_filecreatemode: Ensure rsyslog Default File Permissions Configured

4.2.5: Ensure Important Services Logged

Description: None

• l2_server

Automated: yes

• rsyslog_logging_configured: Ensure logging is configured

4.2.6: Ensure Journald Transfer Set Correct

Description: None

• l1_server

Automated: no

No rules selected

4.2.7: Ensure Rotate Setting In Rsyslog

Description: None

• l1_server

Automated: no

No rules selected

4.2.8: Ensure Remote Log Server Correct

Description: None

• l2_server

Automated: no

No rules selected

4.2.9: Ensure Only Specified Server Can Receive Logs

Description: None

• l2_server

Automated: yes

• rsyslog_accept_remote_messages_tcp: Enable rsyslog to Accept Messages via TCP, if Acting As Log Server
• rsyslog_accept_remote_messages_udp: Enable rsyslog to Accept Messages via UDP, if Acting As Log Server