Definition of Standard Benchmark for TencentOS 4 for tencentos4

1.1.1: Ensure mounting of cramfs filesystems is disabled

Description: None

• l1_server

Automated: yes

• kernel_module_cramfs_disabled: Disable Mounting of cramfs

1.1.3: Ensure mounting of squashfs filesystems is disabled

Description: None

• l1_server

Automated: yes

• kernel_module_squashfs_disabled: Disable Mounting of squashfs

1.1.4: Ensure mounting of udf filesystems is disabled

Description: None

• l1_server

Automated: yes

• kernel_module_udf_disabled: Disable Mounting of udf

1.1.4: Disable Automounting

Description: None

• l1_server

Automated: yes

• service_autofs_disabled: Disable the Automounter

1.1.5: Ensure USB Disabled

Description: None

• l2_server

Automated: yes

• kernel_module_usb-storage_disabled: Disable Modprobe Loading of USB Storage Driver

1.1.6: Ensure a separate partition exists for /tmp

Description: None

• l2_server

Automated: yes

• partition_for_tmp: Ensure /tmp Located On Separate Partition

1.1.7: Ensure correct mounting options set on /tmp partition

Description: None

• l2_server

Automated: yes

• mount_option_tmp_nodev: Add nodev Option to /tmp
• mount_option_tmp_noexec: Add noexec Option to /tmp
• mount_option_tmp_nosuid: Add nosuid Option to /tmp

1.1.8: Ensure a separate partition exists for /var

Description: None

• l2_server

Automated: yes

• partition_for_var: Ensure /var Located On Separate Partition

1.1.9: Ensure correct mounting options set on /var partition

Description: None

• l2_server

Automated: yes

• mount_option_var_nodev: Add nodev Option to /var

1.1.10: Ensure a separate partition exists for /home

Description: None

• l2_server

Automated: yes

• partition_for_home: Ensure /home Located On Separate Partition

1.1.11: Ensure correct mounting options set on /home partition

Description: None

• l2_server

Automated: yes

• mount_option_home_nodev: Add nodev Option to /home
• mount_option_home_noexec: Add noexec Option to /home
• mount_option_home_nosuid: Add nosuid Option to /home

1.1.12: Ensure a separate partition exists for /var/log

Description: None

• l2_server

Automated: yes

• partition_for_var_log: Ensure /var/log Located On Separate Partition

1.1.13: Ensure correct mounting options set on /var/log partition

Description: None

• l2_server

Automated: yes

• mount_option_var_log_nodev: Add nodev Option to /var/log
• mount_option_var_log_noexec: Add noexec Option to /var/log
• mount_option_var_log_nosuid: Add nosuid Option to /var/log

1.1.14: Ensure a separate partition exists for /var/log/audit

Description: None

• l2_server

Automated: yes

• partition_for_var_log_audit: Ensure /var/log/audit Located On Separate Partition

1.1.15: Ensure correct mounting options set on /var/log/audit partition

Description: None

• l2_server

Automated: yes

• mount_option_var_log_audit_nodev: Add nodev Option to /var/log/audit
• mount_option_var_log_audit_noexec: Add noexec Option to /var/log/audit
• mount_option_var_log_audit_nosuid: Add nosuid Option to /var/log/audit

1.1.16: Ensure a separate partition exists for /var/tmp

Description: None

• l2_server

Automated: yes

• partition_for_var_tmp: Ensure /var/tmp Located On Separate Partition

1.1.17: Ensure correct mounting options set on /var/tmp partition

Description: None

• l2_server

Automated: yes

• mount_option_var_tmp_nodev: Add nodev Option to /var/tmp
• mount_option_var_tmp_noexec: Add noexec Option to /var/tmp
• mount_option_var_tmp_nosuid: Add nosuid Option to /var/tmp

1.1.18: Ensure a separate partition exists for /dev/shm

Description: None

• l2_server

Automated: yes

• partition_for_dev_shm: Ensure /dev/shm is configured

1.1.19: Ensure correct mounting options set on /dev/shm partition

Description: None

• l2_server

Automated: yes

• mount_option_dev_shm_nodev: Add nodev Option to /dev/shm
• mount_option_dev_shm_noexec: Add noexec Option to /dev/shm
• mount_option_dev_shm_nosuid: Add nosuid Option to /dev/shm

1.2.1: Ensure AIDE is installed

Description: None

• l2_server

Automated: yes

• aide_build_database: Build and Test AIDE Database
• package_aide_installed: Install AIDE

1.2.2: Ensure filesystem integrity is regularly checked

Description: None

• l2_server

Automated: yes

• aide_periodic_cron_checking: Configure Periodic Execution of AIDE

1.2.3: Ensure IMA is enabled

Description: None

• l2_server

Automated: no

No rules selected

1.3.1: Ensure updates, patches, and additional security software are installed

Description: None

• l1_server

Automated: yes

• security_patches_up_to_date: Ensure Software Patches Installed

1.3.2: Ensure gpgcheck is globally activated

Description: None

• l1_server

Automated: yes

• ensure_gpgcheck_globally_activated: Ensure gpgcheck Enabled In Main dnf Configuration
• ensure_gpgcheck_never_disabled: Ensure gpgcheck Enabled for All dnf Package Repositories

1.4.1: Ensure message of the day is configured properly

Description: None

• l1_server

Automated: yes

• banner_etc_motd: Modify the System Message of the Day Banner
• motd_banner_text = cis_banners

1.4.2: Ensure local login warning banner is configured properly

Description: None

• l1_server

Automated: yes

• banner_etc_issue: Modify the System Login Banner
• login_banner_text = cis_banners

1.4.3: Ensure remote login warning banner is configured properly

Description: None

• l1_server

Automated: yes

• banner_etc_issue_net: Modify the System Login Banner for Remote Connections
• remote_login_banner_text = cis_banners

1.4.4: Ensure permissions on /etc/motd are configured

Description: None

• l1_server

Automated: yes

• file_groupowner_etc_motd: Verify Group Ownership of Message of the Day Banner
• file_owner_etc_motd: Verify ownership of Message of the Day Banner
• file_permissions_etc_motd: Verify permissions on Message of the Day Banner

1.4.5: Ensure permissions on /etc/issue are configured

Description: None

• l1_server

Automated: yes

• file_groupowner_etc_issue: Verify Group Ownership of System Login Banner
• file_owner_etc_issue: Verify ownership of System Login Banner
• file_permissions_etc_issue: Verify permissions on System Login Banner

1.4.6: Ensure permissions on /etc/issue.net are configured

Description: None

• l1_server

Automated: yes

• file_groupowner_etc_issue_net: Verify Group Ownership of System Login Banner for Remote Connections
• file_owner_etc_issue_net: Verify ownership of System Login Banner for Remote Connections
• file_permissions_etc_issue_net: Verify permissions on System Login Banner for Remote Connections

1.5.1: Ensure Secure Boot is enabled

Description: None

• l2_server

Automated: no

No rules selected

1.5.2: Ensure bootloader password is set

Description: None

• l2_server

Automated: yes

• grub2_password: Set Boot Loader Password in grub2
• grub2_uefi_password: Set the UEFI Boot Loader Password

1.5.3: Ensure permissions on bootloader config are configured

Description: None

• l2_server

Automated: yes

• file_groupowner_grub2_cfg: Verify /boot/grub2/grub.cfg Group Ownership
• file_owner_grub2_cfg: Verify /boot/grub2/grub.cfg User Ownership
• file_permissions_grub2_cfg: Verify /boot/grub2/grub.cfg Permissions

1.6.1: Ensure SELinux is enabled by grub2

Description: None

• l2_server

Automated: yes

• grub2_enable_selinux: Ensure SELinux Not Disabled in /etc/default/grub

1.6.2: Ensure SELinux is set to enforcing mode

Description: None

• l2_server

Automated: yes

• selinux_not_disabled: Ensure SELinux is Not Disabled
• selinux_state: Ensure SELinux State is Enforcing
• var_selinux_state = enforcing

1.6.3: Ensure SELinux policy is configured

Description: None

• l2_server

Automated: yes

• selinux_policytype: Configure SELinux Policy
• var_selinux_policy_name = targeted

1.6.4: Ensure no unconfined services exist

Description: None

• l2_server

Automated: yes

• selinux_confinement_of_daemons: Ensure No Daemons are Unconfined by SELinux

2.1.1: Ensure time synchronization is in use

Description: None

• l1_server

Automated: yes

• package_chrony_installed: The Chrony package is installed

2.1.3: Ensure chrony is configured

Description: None

• l1_server

Automated: yes

• chronyd_configure_pool_and_server: Chrony Configure Pool and Server
• chronyd_run_as_chrony_user: Ensure that chronyd is running under chrony user account
• service_chronyd_enabled: The Chronyd service is enabled

2.2.1: Ensure firewalld is installed

Description: None

• l1_server

Automated: yes

• package_firewalld_installed: Install firewalld Package

2.2.2: Ensure firewalld is enabled and configured

Description: None

• l2_server

Automated: yes

• service_firewalld_enabled: Verify firewalld Enabled
• set_firewalld_default_zone: Set Default firewalld Zone for Incoming Packets

2.2.3: Ensure nftables is installed

Description: None

• l2_server

Automated: yes

• package_nftables_installed: Install nftables Package

2.2.4: Ensure nftables is enabled and configured

Description: None

• l2_server

Automated: yes

• nftables_ensure_default_deny_policy: Ensure nftables Default Deny Firewall Policy
• service_nftables_enabled: Verify nftables Service is Enabled
• set_nftables_loopback_traffic: Set nftables Configuration for Loopback Traffic

2.3.1: Ensure Avahi Server is not installed

Description: None

• l1_server

Automated: yes

• package_avahi_removed: Uninstall avahi Server Package
• service_avahi-daemon_disabled: Disable Avahi Server Software

2.3.2: Ensure CUPS is not installed

Description: None

• l1_server

Automated: yes

• package_cups_removed: Uninstall CUPS Package
• service_cups_disabled: Disable the CUPS Service

2.3.3: Ensure Rsync Server is not installed

Description: None

• l1_server

Automated: yes

• package_rsync_removed: Uninstall rsync Package
• service_rsyncd_disabled: Ensure rsyncd service is disabled

2.3.4: Ensure LDAP Server is not installed

Description: None

• l1_server

Automated: yes

• package_openldap-servers_removed: Uninstall openldap-servers Package

2.3.5: Ensure xinetd is not installed

Description: None

• l1_server

Automated: yes

• package_xinetd_removed: Uninstall xinetd Package
• service_xinetd_disabled: Disable xinetd Service

2.3.6: Ensure NIS Server is not installed

Description: None

• l1_server

Automated: yes

• package_ypserv_removed: Uninstall ypserv Package
• service_ypserv_disabled: Disable ypserv Service

2.3.7: Ensure telnet Server is not installed

Description: None

• l1_server

Automated: yes

• package_telnet-server_removed: Uninstall telnet-server Package
• package_telnet_removed: Remove telnet Clients
• service_telnet_disabled: Disable telnet Service

2.3.8: Ensure DNS Server is not installed

Description: None

• l1_server

Automated: yes

• package_bind_removed: Uninstall bind Package
• service_named_disabled: Disable named Service

2.3.9: Ensure FTP Server is not installed

Description: None

• l1_server

Automated: yes

• package_vsftpd_removed: Uninstall vsftpd Package
• service_vsftpd_disabled: Disable vsftpd Service

2.3.10: Ensure TFTP Server is not installed

Description: None

• l1_server

Automated: yes

• package_tftp-server_removed: Uninstall tftp-server Package
• package_tftp_removed: Remove tftp Daemon
• service_tftp_disabled: Disable tftp Service

2.3.11: Ensure HTTP Server is not installed

Description: None

• l1_server

Automated: yes

• package_httpd_removed: Uninstall httpd Package
• service_httpd_disabled: Disable httpd Service

2.3.12: Ensure Samba is not installed

Description: None

• l2_server

Automated: yes

• package_samba_removed: Uninstall Samba Package
• service_smb_disabled: Disable Samba

2.3.13: Ensure HTTP Proxy Server is not installed

Description: None

• l2_server

Automated: yes

• package_squid_removed: Uninstall squid Package
• service_squid_disabled: Disable Squid

2.3.14: Ensure SNMP Server is not installed

Description: None

• l2_server

Automated: yes

• package_net-snmp_removed: Uninstall net-snmp Package
• service_snmpd_disabled: Disable snmpd Service

2.3.15: Ensure rsh is not installed

Description: None

• l2_server

Automated: yes

• package_rsh_removed: Uninstall rsh Package
• service_rsh_disabled: Disable rsh Service

2.3.16: Ensure mail transfer agent is configured for local-only mode

Description: None

• l2_server

Automated: yes

• postfix_network_listening_disabled: Disable Postfix Network Listening
• var_postfix_inet_interfaces = loopback-only

2.3.17: Ensure IMAP and POP3 Server is disabled

Description: None

• l2_server

Automated: yes

• package_dovecot_removed: Uninstall dovecot Package
• service_dovecot_disabled: Disable Dovecot Service

2.3.18: Ensure RPC Service is disabled

Description: None

• l2_server

Automated: yes

• service_rpcbind_disabled: Disable rpcbind Service

2.3.19: Ensure DHCP Service is disabled

Description: None

• l2_server

Automated: yes

• package_dhcp_removed: Uninstall DHCP Server Package
• service_dhcpd_disabled: Disable DHCP Service

2.3.20: Ensure NFS Service is disabled

Description: None

• l2_server

Automated: yes

• service_nfs_disabled: Disable Network File System (nfs)

3.1.1: Ensure IP forwarding is disabled

Description: None

• l1_server

Automated: yes

• sysctl_net_ipv4_ip_forward: Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
• sysctl_net_ipv6_conf_all_forwarding: Disable Kernel Parameter for IPv6 Forwarding
• sysctl_net_ipv6_conf_all_forwarding_value = disabled

3.1.2: Ensure packet redirect sending is disabled

Description: None

• l1_server

Automated: yes

• sysctl_net_ipv4_conf_all_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
• sysctl_net_ipv4_conf_default_send_redirects: Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default

3.1.3: Ensure source routed packets are not accepted

Description: None

• l1_server

Automated: yes

• sysctl_net_ipv4_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
• sysctl_net_ipv4_conf_all_accept_source_route_value = disabled
• sysctl_net_ipv4_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
• sysctl_net_ipv4_conf_default_accept_source_route_value = disabled
• sysctl_net_ipv6_conf_all_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
• sysctl_net_ipv6_conf_all_accept_source_route_value = disabled
• sysctl_net_ipv6_conf_default_accept_source_route: Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
• sysctl_net_ipv6_conf_default_accept_source_route_value = disabled

3.1.4: Ensure ICMP redirects are not accepted

Description: None

• l1_server

Automated: yes

• sysctl_net_ipv4_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv4 Interfaces
• sysctl_net_ipv4_conf_all_accept_redirects_value = disabled
• sysctl_net_ipv4_conf_default_accept_redirects: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
• sysctl_net_ipv4_conf_default_accept_redirects_value = disabled
• sysctl_net_ipv6_conf_all_accept_redirects: Disable Accepting ICMP Redirects for All IPv6 Interfaces
• sysctl_net_ipv6_conf_all_accept_redirects_value = disabled
• sysctl_net_ipv6_conf_default_accept_redirects: Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
• sysctl_net_ipv6_conf_default_accept_redirects_value = disabled

3.1.5: Ensure secure ICMP redirects are not accepted

Description: None

• l1_server

Automated: yes

• sysctl_net_ipv4_conf_all_secure_redirects: Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
• sysctl_net_ipv4_conf_all_secure_redirects_value = disabled
• sysctl_net_ipv4_conf_default_secure_redirects: Configure Kernel Parameter for Accepting Secure Redirects By Default
• sysctl_net_ipv4_conf_default_secure_redirects_value = disabled

3.1.6: Ensure suspicious packets are logged

Description: None

• l1_server

Automated: yes

• sysctl_net_ipv4_conf_all_log_martians: Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces
• sysctl_net_ipv4_conf_all_log_martians_value = enabled
• sysctl_net_ipv4_conf_default_log_martians: Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default
• sysctl_net_ipv4_conf_default_log_martians_value = enabled

3.1.7: Ensure broadcast ICMP requests are ignored

Description: None

• l1_server

Automated: yes

• sysctl_net_ipv4_icmp_echo_ignore_broadcasts: Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
• sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value = enabled

3.1.8: Ensure bogus ICMP responses are ignored

Description: None

• l1_server

Automated: yes

• sysctl_net_ipv4_icmp_ignore_bogus_error_responses: Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
• sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value = enabled

3.1.9: Ensure Reverse Path Filtering is enabled

Description: None

• l1_server

Automated: yes

• sysctl_net_ipv4_conf_all_rp_filter: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
• sysctl_net_ipv4_conf_all_rp_filter_value = enabled
• sysctl_net_ipv4_conf_default_rp_filter: Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
• sysctl_net_ipv4_conf_default_rp_filter_value = enabled

3.1.10: Ensure TCP SYN Cookies is enabled

Description: None

• l1_server

Automated: yes

• sysctl_net_ipv4_tcp_syncookies: Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
• sysctl_net_ipv4_tcp_syncookies_value = enabled

3.1.11: Ensure IPv6 router advertisements are not accepted

Description: None

• l1_server

Automated: yes

• sysctl_net_ipv6_conf_all_accept_ra: Configure Accepting Router Advertisements on All IPv6 Interfaces
• sysctl_net_ipv6_conf_all_accept_ra_value = disabled
• sysctl_net_ipv6_conf_default_accept_ra: Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
• sysctl_net_ipv6_conf_default_accept_ra_value = disabled

3.2.1: Ensure DCCP is disabled

Description: None

• l2_server

Automated: yes

• kernel_module_dccp_disabled: Disable DCCP Support

3.2.2: Ensure SCTP is disabled

Description: None

• l2_server

Automated: yes

• kernel_module_sctp_disabled: Disable SCTP Support

3.2.3: Ensure wireless interfaces are disabled

Description: None

• l2_server

Automated: yes

• wireless_disable_interfaces: Deactivate Wireless Network Interfaces

4.1.1: Ensure auditd is installed

Description: None

• l1_server

Automated: yes

• package_audit-libs_installed: Ensure the audit-libs package as a part of audit Subsystem is Installed
• package_audit_installed: Ensure the audit Subsystem is Installed

4.1.2: Ensure auditd service is enabled

Description: None

• l2_server

Automated: yes

• service_auditd_enabled: Enable auditd Service

4.1.3: Ensure auditing for processes that start prior to auditd is enabled

Description: None

• l2_server

Automated: yes

• grub2_audit_argument: Enable Auditing for Processes Which Start Prior to the Audit Daemon

4.1.4: Ensure audit_backlog_limit is sufficient

Description: None

• l2_server

Automated: yes

• grub2_audit_backlog_limit_argument: Extend Audit Backlog Limit for the Audit Daemon

4.1.5: Ensure audit rules are immutable

Description: None

• l2_server

Automated: yes

• audit_rules_immutable: Make the auditd Configuration Immutable

4.1.6: Ensure audit log size is configured

Description: None

• l2_server

Automated: yes

• auditd_data_retention_max_log_file: Configure auditd Max Log File Size

4.1.7: Ensure audit logs are not automatically deleted

Description: None

• l2_server

Automated: yes

• auditd_data_retention_max_log_file_action: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
• var_auditd_max_log_file_action = keep_logs

4.1.8: Ensure system is disabled when audit logs are full

Description: None

• l2_server

Automated: yes

• auditd_audispd_disk_full_action: Configure audispd's Plugin disk_full_action When Disk Is Full
• auditd_data_disk_error_action: Configure auditd Disk Error Action on Disk Error
• auditd_data_disk_full_action: Configure auditd Disk Full Action when Disk Space Is Full
• auditd_data_retention_admin_space_left_percentage: Configure auditd admin_space_left on Low Disk Space
• auditd_data_retention_space_left: Configure auditd space_left on Low Disk Space
• auditd_data_retention_space_left_action: Configure auditd space_left Action on Low Disk Space
• var_auditd_admin_space_left_action = suspend
• var_auditd_admin_space_left_percentage = 50pc
• var_auditd_disk_error_action = suspend
• var_auditd_disk_full_action = suspend
• var_auditd_space_left_action = syslog

4.1.9: Ensure auditd log rotation is configured

Description: None

• l2_server

Automated: yes

• auditd_data_retention_max_log_file_action: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
• auditd_data_retention_num_logs: Configure auditd Number of Logs Retained
• var_auditd_max_log_file_action = rotate
• var_auditd_num_logs = 5

4.1.10: Ensure login and logout events are collected

Description: None

• l2_server

Automated: yes

• audit_rules_login_events_faillog: Record Attempts to Alter Logon and Logout Events - faillog
• audit_rules_login_events_lastlog: Record Attempts to Alter Logon and Logout Events - lastlog
• audit_rules_login_events_tallylog: Record Attempts to Alter Logon and Logout Events - tallylog

4.1.11: Ensure session events are collected

Description: None

• l2_server

Automated: yes

• audit_rules_session_events: Record Attempts to Alter Process and Session Initiation Information

4.1.12: Ensure events that modify user/group information are collected

Description: None

• l2_server

Automated: yes

• audit_rules_usergroup_modification_group: Record Events that Modify User/Group Information - /etc/group
• audit_rules_usergroup_modification_gshadow: Record Events that Modify User/Group Information - /etc/gshadow
• audit_rules_usergroup_modification_opasswd: Record Events that Modify User/Group Information - /etc/security/opasswd
• audit_rules_usergroup_modification_passwd: Record Events that Modify User/Group Information - /etc/passwd
• audit_rules_usergroup_modification_shadow: Record Events that Modify User/Group Information - /etc/shadow

4.1.13: Ensure kernel module loading and unloading is collected

Description: None

• l2_server

Automated: yes

• audit_rules_kernel_module_loading: Ensure auditd Collects Information on Kernel Module Loading and Unloading
• audit_rules_kernel_module_loading_delete: Ensure auditd Collects Information on Kernel Module Unloading - delete_module
• audit_rules_kernel_module_loading_init: Ensure auditd Collects Information on Kernel Module Loading - init_module
• audit_rules_privileged_commands_insmod: Ensure auditd Collects Information on the Use of Privileged Commands - insmod
• audit_rules_privileged_commands_modprobe: Ensure auditd Collects Information on the Use of Privileged Commands - modprobe
• audit_rules_privileged_commands_rmmod: Ensure auditd Collects Information on the Use of Privileged Commands - rmmod

4.1.14: Ensure sudo commands are collected

Description: None

• l2_server

Automated: yes

• audit_rules_privileged_commands_sudo: Ensure auditd Collects Information on the Use of Privileged Commands - sudo

4.1.15: Ensure the events that modify the sudoers file are collected

Description: None

• l2_server

Automated: yes

• audit_rules_sudoers: Ensure auditd Collects System Administrator Actions - /etc/sudoers
• audit_rules_sysadmin_actions: Ensure auditd Collects System Administrator Actions

4.1.16: Ensure events that modify date and time information are collected

Description: None

• l2_server

Automated: yes

• audit_rules_time_adjtimex: Record attempts to alter time through adjtimex
• audit_rules_time_clock_settime: Record Attempts to Alter Time Through clock_settime
• audit_rules_time_settimeofday: Record attempts to alter time through settimeofday
• audit_rules_time_stime: Record Attempts to Alter Time Through stime

4.1.17: Ensure events that modify the system's network configuration are collected

Description: None

• l2_server

Automated: yes

• audit_rules_networkconfig_modification: Record Events that Modify the System's Network Environment

4.1.18: Ensure events that modify the systems Mandatory Access Control (MAC) settings are collected

Description: None

• l2_server

Automated: yes

• audit_rules_mac_modification: Record Events that Modify the System's Mandatory Access Controls
• audit_rules_mac_modification_usr_share: Record Events that Modify the System's Mandatory Access Controls in usr/share

4.1.19: Ensure discretionary access control permission modification events are collected

Description: None

• l2_server

Automated: yes

• audit_rules_dac_modification_chmod: Record Events that Modify the System's Discretionary Access Controls - chmod
• audit_rules_dac_modification_chown: Record Events that Modify the System's Discretionary Access Controls - chown
• audit_rules_dac_modification_fchmod: Record Events that Modify the System's Discretionary Access Controls - fchmod
• audit_rules_dac_modification_fchmodat: Record Events that Modify the System's Discretionary Access Controls - fchmodat
• audit_rules_dac_modification_fchown: Record Events that Modify the System's Discretionary Access Controls - fchown
• audit_rules_dac_modification_fchownat: Record Events that Modify the System's Discretionary Access Controls - fchownat
• audit_rules_dac_modification_fremovexattr: Record Events that Modify the System's Discretionary Access Controls - fremovexattr
• audit_rules_dac_modification_fsetxattr: Record Events that Modify the System's Discretionary Access Controls - fsetxattr
• audit_rules_dac_modification_lchown: Record Events that Modify the System's Discretionary Access Controls - lchown
• audit_rules_dac_modification_lremovexattr: Record Events that Modify the System's Discretionary Access Controls - lremovexattr
• audit_rules_dac_modification_lsetxattr: Record Events that Modify the System's Discretionary Access Controls - lsetxattr
• audit_rules_dac_modification_removexattr: Record Events that Modify the System's Discretionary Access Controls - removexattr
• audit_rules_dac_modification_setxattr: Record Events that Modify the System's Discretionary Access Controls - setxattr

4.1.20: Ensure successful file access is audited

Description: None

• l2_server

Automated: yes

• audit_rules_successful_file_modification_chmod: Record Successful Permission Changes to Files - chmod
• audit_rules_successful_file_modification_chown: Record Successful Ownership Changes to Files - chown
• audit_rules_successful_file_modification_fchmod: Record Successful Permission Changes to Files - fchmod
• audit_rules_successful_file_modification_fchmodat: Record Successful Permission Changes to Files - fchmodat
• audit_rules_successful_file_modification_fchown: Record Successful Ownership Changes to Files - fchown
• audit_rules_successful_file_modification_fchownat: Record Successful Ownership Changes to Files - fchownat
• audit_rules_successful_file_modification_fremovexattr: Record Successful Permission Changes to Files - fremovexattr
• audit_rules_successful_file_modification_fsetxattr: Record Successful Permission Changes to Files - fsetxattr
• audit_rules_successful_file_modification_lremovexattr: Record Successful Permission Changes to Files - lremovexattr
• audit_rules_successful_file_modification_lsetxattr: Record Successful Permission Changes to Files - lsetxattr
• audit_rules_successful_file_modification_removexattr: Record Successful Permission Changes to Files - removexattr
• audit_rules_successful_file_modification_setxattr: Record Successful Permission Changes to Files - setxattr

4.1.21: Ensure unsuccessful file access attempts are collected

Description: None

• l2_server

Automated: yes

• audit_rules_unsuccessful_file_modification: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)

4.1.22: Ensure file deletion events by users are collected

Description: None

• l2_server

Automated: yes

• audit_rules_successful_file_modification_rename: Record Successful Delete Attempts to Files - rename
• audit_rules_successful_file_modification_renameat: Record Successful Delete Attempts to Files - renameat
• audit_rules_successful_file_modification_unlink: Record Successful Delete Attempts to Files - unlink
• audit_rules_successful_file_modification_unlinkat: Record Successful Delete Attempts to Files - unlinkat

4.2.1: Ensure rsyslog is installed

Description: None

• l1_server

Automated: yes

• package_rsyslog_installed: Ensure rsyslog is Installed

4.2.2: Ensure rsyslog is enabled

Description: None

• l2_server

Automated: yes

• service_rsyslog_enabled: Enable rsyslog Service

4.2.3: Ensure rsyslog default file permissions are configured

Description: None

• l2_server

Automated: yes

• rsyslog_files_groupownership: Ensure Log Files Are Owned By Appropriate Group
• rsyslog_files_ownership: Ensure Log Files Are Owned By Appropriate User
• rsyslog_files_permissions: Ensure System Log Files Have Correct Permissions

4.3.1: Ensure journald is enabled

Description: None

• l2_server

Automated: yes

• service_systemd-journald_enabled: Enable systemd-journald Service

4.3.2: Ensure journald is configured to send logs to rsyslog

Description: None

• l2_server

Automated: yes

• journald_forward_to_syslog: Ensure journald is configured to send logs to rsyslog

4.3.3: Ensure journald is configured to compress large log files

Description: None

• l2_server

Automated: yes

• journald_compress: Ensure journald is configured to compress large log files

4.3.4: Ensure journald is configured to write logfiles to persistent disk

Description: None

• l2_server

Automated: yes

• journald_storage: Ensure journald is configured to write log files to persistent disk

4.3.5: Ensure journald is disabled from receiving logs from a remote client

Description: None

• l2_server

Automated: yes

• socket_systemd-journal-remote_disabled: Disable systemd-journal-remote Socket

5.1.1: Ensure cron daemon is enabled

Description: None

• l1_server

Automated: yes

• service_crond_enabled: Enable cron Service

5.1.2: Ensure permissions on /etc/crontab are configured

Description: None

• l1_server

Automated: yes

• file_groupowner_crontab: Verify Group Who Owns Crontab
• file_owner_crontab: Verify Owner on crontab
• file_permissions_crontab: Verify Permissions on crontab

5.1.3: Ensure permissions on /etc/cron.hourly are configured

Description: None

• l1_server

Automated: yes

• file_groupowner_cron_hourly: Verify Group Who Owns cron.hourly
• file_owner_cron_hourly: Verify Owner on cron.hourly
• file_permissions_cron_hourly: Verify Permissions on cron.hourly

5.1.4: Ensure permissions on /etc/cron.daily are configured

Description: None

• l1_server

Automated: yes

• file_groupowner_cron_daily: Verify Group Who Owns cron.daily
• file_owner_cron_daily: Verify Owner on cron.daily
• file_permissions_cron_daily: Verify Permissions on cron.daily

5.1.5: Ensure permissions on /etc/cron.weekly are configured

Description: None

• l1_server

Automated: yes

• file_groupowner_cron_weekly: Verify Group Who Owns cron.weekly
• file_owner_cron_weekly: Verify Owner on cron.weekly
• file_permissions_cron_weekly: Verify Permissions on cron.weekly

5.1.6: Ensure permissions on /etc/cron.monthly are configured

Description: None

• l1_server

Automated: yes

• file_groupowner_cron_monthly: Verify Group Who Owns cron.monthly
• file_owner_cron_monthly: Verify Owner on cron.monthly
• file_permissions_cron_monthly: Verify Permissions on cron.monthly

5.1.7: Ensure permissions on /etc/cron.d are configured

Description: None

• l1_server

Automated: yes

• file_groupowner_cron_d: Verify Group Who Owns cron.d
• file_owner_cron_d: Verify Owner on cron.d
• file_permissions_cron_d: Verify Permissions on cron.d

5.1.8: Ensure cron is restricted to authorized users

Description: None

• l1_server

Automated: yes

• file_cron_deny_not_exist: Ensure that /etc/cron.deny does not exist
• file_groupowner_cron_allow: Verify Group Who Owns /etc/cron.allow file
• file_owner_cron_allow: Verify User Who Owns /etc/cron.allow file
• file_permissions_cron_allow: Verify Permissions on /etc/cron.allow file

5.1.9: Ensure at is restricted to authorized users

Description: None

• l1_server

Automated: yes

• file_at_deny_not_exist: Ensure that /etc/at.deny does not exist
• file_groupowner_at_allow: Verify Group Who Owns /etc/at.allow file
• file_owner_at_allow: Verify User Who Owns /etc/at.allow file
• file_permissions_at_allow: Verify Permissions on /etc/at.allow file

5.2.1: Ensure permissions on /etc/ssh/sshd_config are configured

Description: None

• l1_server

Automated: yes

• file_groupowner_sshd_config: Verify Group Who Owns SSH Server config file
• file_owner_sshd_config: Verify Owner on SSH Server config file
• file_permissions_sshd_config: Verify Permissions on SSH Server config file

5.2.2: Ensure SSH PermitEmptyPasswords is disabled

Description: None

• l1_server

Automated: yes

• sshd_disable_empty_passwords: Disable SSH Access via Empty Passwords

5.2.3: Ensure SSH root login from remote is disabled

Description: None

• l1_server

Automated: yes

• sshd_disable_root_login: Disable SSH Root Login

5.2.4: Ensure SSH PermitUserEnvironment is disabled

Description: None

• l1_server

Automated: yes

• sshd_do_not_permit_user_env: Do Not Allow SSH Environment Options

5.2.5: Ensure SSH Protocol is set to 2

Description: None

• l1_server

Automated: yes

• sshd_allow_only_protocol2: Allow Only SSH Protocol 2

5.2.6: Ensure SSH X11 forwarding is disabled

Description: None

• l1_server

Automated: yes

• sshd_disable_x11_forwarding: Disable X11 Forwarding

5.2.7: Ensure SSH disallows TCP forwarding

Description: None

• l1_server

Automated: yes

• sshd_disable_tcp_forwarding: Disable SSH TCP Forwarding

5.2.8: Ensure SSH IgnoreRhosts is enabled

Description: None

• l1_server

Automated: yes

• sshd_disable_rhosts: Disable SSH Support for .rhosts Files

5.2.9: Ensure SSH HostbasedAuthentication is disabled

Description: None

• l1_server

Automated: yes

• disable_host_auth: Disable Host-Based Authentication

5.2.10: Ensure SSH PAM is enabled

Description: None

• l1_server

Automated: yes

• sshd_enable_pam: Enable PAM

5.2.11: Ensure SSH warning banner is configured

Description: None

• l1_server

Automated: yes

• sshd_enable_warning_banner_net: Enable SSH Warning Banner

5.2.12: Ensure SSH access is limited to authorized users

Description: None

• l2_server

Automated: yes

• sshd_limit_user_access: Limit Users' SSH Access

5.2.13: Ensure SSH LogLevel is appropriate

Description: None

• l2_server

Automated: yes

• sshd_set_loglevel_verbose: Set SSH Daemon LogLevel to VERBOSE

5.2.14: Ensure SSH MaxAuthTries is set to 4 or less

Description: None

• l2_server

Automated: yes

• sshd_max_auth_tries_value = 4
• sshd_set_max_auth_tries: Set SSH authentication attempt limit

5.2.15: Ensure SSH MaxSessions is set to 10 or less

Description: None

• l2_server

Automated: yes

• sshd_set_max_sessions: Set SSH MaxSessions limit
• var_sshd_max_sessions = 10

5.2.16: Ensure SSH MaxStartups is set properly

Description: None

• l2_server

Automated: yes

• sshd_set_maxstartups: Ensure SSH MaxStartups is configured
• var_sshd_set_maxstartups = 10:30:60

5.2.17: Ensure SSH LoginGraceTime is set to 1 minute or less

Description: None

• l2_server

Automated: yes

• sshd_set_login_grace_time: Ensure SSH LoginGraceTime is configured
• var_sshd_set_login_grace_time = 60

5.2.18: Ensure SSH Idle Timeout Interval is configured

Description: None

• l2_server

Automated: yes

• sshd_idle_timeout_value = 15_minutes
• sshd_set_idle_timeout: Set SSH Client Alive Interval

5.2.19: Ensure SSH MACs are configured

Description: None

• l2_server

Automated: yes

• sshd_use_strong_macs: Use Only Strong MACs

5.2.20: Ensure SSH Ciphers are configured

Description: None

• l2_server

Automated: yes

• sshd_use_strong_ciphers: Use Only Strong Ciphers

5.2.21: Ensure SSH Key Exchange Algorithms are configured

Description: None

• l2_server

Automated: yes

• sshd_use_strong_kex: Use Only Strong Key Exchange algorithms

5.3.1: Ensure password creation requirements are configured

Description: None

• l1_server

Automated: yes

• accounts_password_pam_dcredit: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
• accounts_password_pam_enforce_root: Ensure PAM Enforces Password Requirements - Enforce for root User
• accounts_password_pam_lcredit: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
• accounts_password_pam_minclass: Ensure PAM Enforces Password Requirements - Minimum Different Categories
• accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
• accounts_password_pam_ocredit: Ensure PAM Enforces Password Requirements - Minimum Special Characters
• accounts_password_pam_retry: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
• accounts_password_pam_ucredit: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
• var_password_pam_dcredit = 0
• var_password_pam_lcredit = 0
• var_password_pam_minclass = 3
• var_password_pam_minlen = 8
• var_password_pam_ocredit = 0
• var_password_pam_retry = 3
• var_password_pam_ucredit = 0

5.3.2: Ensure history passwords are limited to use

Description: None

• l1_server

Automated: yes

• accounts_password_pam_pwhistory_remember: Limit Password Reuse
• var_password_pam_remember = 5

5.3.3: Ensure password hashing algorithm is SHA-512

Description: None

• l1_server

Automated: yes

• set_password_hashing_algorithm_passwordauth: Set PAM''s Password Hashing Algorithm - password-auth
• set_password_hashing_algorithm_systemauth: Set PAM''s Password Hashing Algorithm
• var_password_hashing_algorithm_pam = sha512

5.3.4: Ensure password expiration is 180 days or less

Description: None

• l1_server

Automated: yes

• accounts_maximum_age_login_defs: Set Password Maximum Age
• accounts_password_set_max_life_existing: Set Existing Passwords Maximum Age
• var_accounts_maximum_age_login_defs = 180

5.3.5: Ensure minimum days between password changes is configured

Description: None

• l1_server

Automated: yes

• accounts_minimum_age_login_defs: Set Password Minimum Age
• accounts_password_set_min_life_existing: Set Existing Passwords Minimum Age
• var_accounts_minimum_age_login_defs = 1

5.3.6: Ensure password expiration warning days is 7 or more

Description: None

• l1_server

Automated: yes

• accounts_password_set_warn_age_existing: Set Existing Passwords Warning Age
• accounts_password_warn_age_login_defs: Set Password Warning Age
• var_accounts_password_warn_age_login_defs = 7

5.3.7: Ensure inactive password lock is 30 days or less

Description: None

• l1_server

Automated: yes

• account_disable_post_pw_expiration: Set Account Expiration Following Inactivity
• accounts_set_post_pw_existing: Set existing passwords a period of inactivity before they been locked
• var_account_disable_post_pw_expiration = 30

5.3.8: Ensure all users last password change date is in the past

Description: None

• l1_server

Automated: yes

• accounts_password_last_change_is_in_past: Ensure all users last password change date is in the past

5.3.9: Ensure accounts locked after 5 failed logins is configured

Description: None

• l1_server

Automated: yes

• accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts
• accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts
• var_accounts_passwords_pam_faillock_deny = 5
• var_accounts_passwords_pam_faillock_unlock_time = 300

5.4.1: Ensure system accounts are secured

Description: None

• l1_server

Automated: yes

• no_shelllogin_for_systemaccounts: Ensure that System Accounts Do Not Run a Shell Upon Login

5.4.2: Ensure default group for the root account is GID 0

Description: None

• l1_server

Automated: yes

• accounts_root_gid_zero: Verify Root Has A Primary GID 0

5.4.3: Ensure default user shell timeout is configured

Description: None

• l1_server

Automated: yes

• accounts_tmout: Set Interactive Session Timeout
• var_accounts_tmout = 15_min

5.4.4: Ensure default user umask is configured

Description: None

• l1_server

Automated: yes

• accounts_umask_etc_bashrc: Ensure the Default Bash Umask is Set Correctly
• var_accounts_user_umask = 027

5.4.5: Ensure passwords are set in single user mode

Description: None

• l1_server

Automated: yes

• require_emergency_target_auth: Require Authentication for Emergency Systemd Target

5.4.6: Ensure display of failed login attempts is configured

Description: None

• l1_server

Automated: yes

• display_login_attempts: Ensure PAM Displays Last Logon/Access Notification

5.4.7: Ensure access to the su command is restricted

Description: None

• l1_server

Automated: yes

• ensure_pam_wheel_group_empty: Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty
• use_pam_wheel_group_for_su: Enforce Usage of pam_wheel with Group Parameter for su Authentication
• var_pam_wheel_group_for_su = cis

5.4.8: Ensure every UID is unique

Description: None

• l1_server

Automated: yes

• account_unique_id: Ensure All Accounts on the System Have Unique User IDs

5.4.9: Ensure account name is unique

Description: None

• l1_server

Automated: yes

• account_unique_name: Ensure All Accounts on the System Have Unique Names

5.4.10: Ensure every GID is unique

Description: None

• l1_server

Automated: yes

• group_unique_id: Ensure All Groups on the System Have Unique Group ID

5.4.11: Ensure every group name is unique

Description: None

• l1_server

Automated: yes

• group_unique_name: Ensure All Groups on the System Have Unique Group Names

5.4.12: Ensure accounts related files have correct permissions

Description: None

• l1_server

Automated: yes

• file_groupowner_backup_etc_group: Verify Group Who Owns Backup group File
• file_groupowner_backup_etc_gshadow: Verify Group Who Owns Backup gshadow File
• file_groupowner_backup_etc_passwd: Verify Group Who Owns Backup passwd File
• file_groupowner_backup_etc_shadow: Verify User Who Owns Backup shadow File
• file_groupowner_etc_group: Verify Group Who Owns group File
• file_groupowner_etc_gshadow: Verify Group Who Owns gshadow File
• file_groupowner_etc_passwd: Verify Group Who Owns passwd File
• file_groupowner_etc_shadow: Verify Group Who Owns shadow File
• file_owner_backup_etc_group: Verify User Who Owns Backup group File
• file_owner_backup_etc_gshadow: Verify User Who Owns Backup gshadow File
• file_owner_backup_etc_passwd: Verify User Who Owns Backup passwd File
• file_owner_backup_etc_shadow: Verify Group Who Owns Backup shadow File
• file_owner_etc_group: Verify User Who Owns group File
• file_owner_etc_gshadow: Verify User Who Owns gshadow File
• file_owner_etc_passwd: Verify User Who Owns passwd File
• file_owner_etc_shadow: Verify User Who Owns shadow File
• file_permissions_backup_etc_group: Verify Permissions on Backup group File
• file_permissions_backup_etc_gshadow: Verify Permissions on Backup gshadow File
• file_permissions_backup_etc_passwd: Verify Permissions on Backup passwd File
• file_permissions_backup_etc_shadow: Verify Permissions on Backup shadow File
• file_permissions_etc_group: Verify Permissions on group File
• file_permissions_etc_gshadow: Verify Permissions on gshadow File
• file_permissions_etc_passwd: Verify Permissions on passwd File
• file_permissions_etc_shadow: Verify Permissions on shadow File

5.4.13: Ensure all users' home directories exist

Description: None

• l1_server

Automated: yes

• accounts_user_interactive_home_directory_exists: All Interactive Users Home Directories Must Exist

5.4.14: Ensure all users' home directories permissions are 750 or more restrictive

Description: None

• l1_server

Automated: yes

• accounts_users_home_files_permissions: All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive
• file_permissions_home_directories: All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

5.5.1: Ensure sudo is installed

Description: None

• l1_server

Automated: yes

• package_sudo_installed: Install sudo Package

5.5.2: Ensure sudo commands use pty

Description: None

• l1_server

Automated: yes

• sudo_add_use_pty: Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty

5.5.3: Ensure sudo log file exists

Description: None

• l1_server

Automated: yes

• sudo_custom_logfile: Ensure Sudo Logfile Exists - sudo logfile

5.5.4: Ensure sudo is limited to authorized users

Description: None

• l1_server

Automated: yes

• sudo_restrict_privilege_elevation_to_authorized: The operating system must restrict privilege elevation to authorized personnel

5.5.5: Ensure users must provide password for privilege escalation

Description: None

• l1_server

Automated: yes

• sudo_require_authentication: Ensure Users Re-Authenticate for Privilege Escalation - sudo

6.1.1: Ensure no world writable files exist

Description: None

• l1_server

Automated: yes

• file_permissions_unauthorized_world_writable: Ensure No World-Writable Files Exist

6.1.2: Ensure no unowned files or directories exist

Description: None

• l1_server

Automated: yes

• no_files_unowned_by_user: Ensure All Files Are Owned by a User

6.1.3: Ensure no ungrouped files or directories exist

Description: None

• l1_server

Automated: yes

• file_permissions_ungroupowned: Ensure All Files Are Owned by a Group

6.1.4: Audit SUID executables

Description: None

• l1_server

Automated: yes

• file_permissions_unauthorized_suid: Ensure All SUID Executables Are Authorized

6.1.5: Audit SGID executables

Description: None

• l1_server

Automated: yes

• file_permissions_unauthorized_sgid: Ensure All SGID Executables Are Authorized

6.1.6: Ensure no users have .forward files

Description: None

• l1_server

Automated: yes

• no_forward_files: Verify No .forward Files Exist

6.1.7: Ensure no users have .netrc files

Description: None

• l1_server

Automated: yes

• no_netrc_files: Verify No netrc Files Exist

6.2.1: Ensure address space layout randomization (ASLR) is enabled

Description: None

• l1_server

Automated: yes

• sysctl_kernel_randomize_va_space: Enable Randomized Layout of Virtual Address Space

6.2.2: Ensure core dumps are restricted

Description: None

• l1_server

Automated: yes

• coredump_disable_backtraces: Disable core dump backtraces
• coredump_disable_storage: Disable storing core dump
• disable_users_coredumps: Disable Core Dumps for All Users
• sysctl_fs_suid_dumpable: Disable Core Dumps for SUID programs

6.2.3: Ensure dmesg access permission is correct

Description: None

• l1_server

Automated: yes

• sysctl_kernel_dmesg_restrict: Restrict Access to Kernel Message Buffer

6.2.4: Ensure kernel kptr_restrict is configured

Description: None

• l1_server

Automated: yes

• sysctl_kernel_kptr_restrict: Restrict Exposed Kernel Pointer Addresses Access
• sysctl_kernel_kptr_restrict_value = 1