Tags

10.3 Disable Autorun and Autoplay for Removable Media

• 1.1.10 Disable USB Storage
• 1.1.9 Disable Automounting
• 1.8.6 Ensure GDM automatic mounting of removable media is disabled
• 1.8.8 Ensure GDM autorun-never is enabled
• 1.8.9 Ensure GDM autorun-never is not overridden

10.5 Enable Anti-Exploitation Features

• 1.5.1 Ensure address space layout randomization (ASLR) is enabled

3.10 Encrypt Sensitive Data in Transit

• 5.2.13 Ensure only strong Ciphers are used
• 5.2.14 Ensure only strong MAC algorithms are used
• 5.2.15 Ensure only strong Key Exchange algorithms are used

3.11 Encrypt Sensitive Data at Rest

• 5.4.4 Ensure password hashing algorithm is up to date with the latest standards
• 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords

3.14 Log Sensitive Data Access

• 1.3.1 Ensure AIDE is installed
• 1.5.2 Ensure prelink is not installed

3.3 Configure Data Access Control Lists

• 1.1.2.1 Ensure /tmp is a separate partition
• 1.1.2.2 Ensure nodev option set on /tmp partition
• 1.1.2.3 Ensure noexec option set on /tmp partition
• 1.1.2.4 Ensure nosuid option set on /tmp partition
• 1.1.3.1 Ensure separate partition exists for /var
• 1.1.3.2 Ensure nodev option set on /var partition
• 1.1.3.3 Ensure nosuid option set on /var partition
• 1.1.4.1 Ensure separate partition exists for /var/tmp
• 1.1.4.2 Ensure noexec option set on /var/tmp partition
• 1.1.4.3 Ensure nosuid option set on /var/tmp partition
• 1.1.4.4 Ensure nodev option set on /var/tmp partition
• 1.1.5.2 Ensure nodev option set on /var/log partition
• 1.1.5.3 Ensure noexec option set on /var/log partition
• 1.1.5.4 Ensure nosuid option set on /var/log partition
• 1.1.6.2 Ensure noexec option set on /var/log/audit partition
• 1.1.6.3 Ensure nodev option set on /var/log/audit partition
• 1.1.6.4 Ensure nosuid option set on /var/log/audit partition
• 1.1.7.1 Ensure separate partition exists for /home
• 1.1.7.2 Ensure nodev option set on /home partition
• 1.1.7.3 Ensure nosuid option set on /home partition
• 1.1.8.1 Ensure nodev option set on /dev/shm partition
• 1.1.8.2 Ensure noexec option set on /dev/shm partition
• 1.1.8.3 Ensure nosuid option set on /dev/shm partition
• 1.4.2 Ensure permissions on bootloader config are configured
• 1.6.1.1 Ensure AppArmor is installed
• 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration
• 1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode
• 1.6.1.4 Ensure all AppArmor Profiles are enforcing
• 1.7.4 Ensure permissions on /etc/motd are configured
• 1.7.5 Ensure permissions on /etc/issue are configured
• 1.7.6 Ensure permissions on /etc/issue.net are configured
• 4.1.3.20 Ensure the audit configuration is immutable
• 4.1.4.1 Ensure audit log files are mode 0640 or less permissive
• 4.1.4.10 Ensure audit tools belong to group root
• 4.1.4.2 Ensure only authorized users own audit log files
• 4.1.4.3 Ensure only authorized groups are assigned ownership of audit log files
• 4.1.4.4 Ensure the audit log directory is 0750 or more restrictive
• 4.1.4.5 Ensure audit configuration files are 640 or more restrictive
• 4.1.4.6 Ensure audit configuration files are owned by root
• 4.1.4.7 Ensure audit configuration files belong to group root
• 4.1.4.8 Ensure audit tools are 755 or more restrictive
• 4.1.4.9 Ensure audit tools are owned by root
• 4.2.3 Ensure all logfiles have appropriate permissions and ownership
• 4.2.1.7 Ensure journald default file permissions configured
• 4.2.2.4 Ensure rsyslog default file permissions are configured
• 5.1.2 Ensure permissions on /etc/crontab are configured
• 5.1.3 Ensure permissions on /etc/cron.hourly are configured
• 5.1.4 Ensure permissions on /etc/cron.daily are configured
• 5.1.5 Ensure permissions on /etc/cron.weekly are configured
• 5.1.6 Ensure permissions on /etc/cron.monthly are configured
• 5.1.7 Ensure permissions on /etc/cron.d are configured
• 5.1.8 Ensure cron is restricted to authorized users
• 5.1.9 Ensure at is restricted to authorized users
• 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
• 5.2.2 Ensure permissions on SSH private host key files are configured
• 5.2.3 Ensure permissions on SSH public host key files are configured
• 5.2.4 Ensure SSH access is limited
• 5.3.7 Ensure access to the su command is restricted
• 5.5.2 Ensure system accounts are secured
• 5.5.3 Ensure default group for the root account is GID 0
• 5.5.4 Ensure default user umask is 027 or more restrictive
• 6.1.1 Ensure permissions on /etc/passwd are configured
• 6.1.10 Ensure no unowned files or directories exist
• 6.1.11 Ensure no ungrouped files or directories exist
• 6.1.12 Audit SUID executables
• 6.1.13 Audit SGID executables
• 6.1.2 Ensure permissions on /etc/passwd- are configured
• 6.1.3 Ensure permissions on /etc/group are configured
• 6.1.4 Ensure permissions on /etc/group- are configured
• 6.1.5 Ensure permissions on /etc/shadow are configured
• 6.1.6 Ensure permissions on /etc/shadow- are configured
• 6.1.7 Ensure permissions on /etc/gshadow are configured
• E6.1.8 Ensure permissions on /etc/gshadow- are configured
• 6.1.9 Ensure no world writable files exist
• 6.2.11 Ensure local interactive user home directories exist
• 6.2.12 Ensure local interactive users own their home directories
• 6.2.13 Ensure local interactive user home directories are mode 750 or more restrictive
• 6.2.14 Ensure no local interactive user has .netrc files
• 6.2.15 Ensure no local interactive user has .forward files
• 6.2.16 Ensue no local interactive user has .rhosts files
• 6.2.17 Ensure local interactive user dot files are not group or world writable
• 6.2.4 Ensure shadow group is empty
• 6.2.5 Ensure no duplicate UIDs exist

4.1 Establish and Maintain a Secure Configuration Process

• 4.1.4.11 Ensure cryptographic mechanisms are used to protect the integrity of audit tool
• 5.2.10 Ensure SSH PermitUserEnvironment is disabled
• 5.2.11 Ensure SSH IgnoreRhosts is enabled
• 5.2.16 Ensure SSH AllowTcpForwarding is disabled
• 5.2.17 Ensure SSH warning banner is configured
• 5.2.19 Ensure SSH MaxStartups is configured
• 5.2.21 Ensure SSH LoginGraceTime is set to one minute or less
• 5.2.6 Ensure SSH PAM is enabled
• 5.2.8 Ensure SSH HostbasedAuthentication is disabled
• 5.2.9 Ensure SSH PermitEmptyPasswords is disabled

4.3 Configure Automatic Session Locking on Enterprise Assets

• 1.8.4 Ensure GDM screen locks when the user is idle
• 1.8.5 Ensure GDM screen locks cannot be overridden
• 5.5.5 Ensure default user shell timeout is 900 seconds or less

4.4 Implement and Manage a Firewall on Servers

• 3.5.1.1 Ensure ufw is installed
• 3.5.1.2 Ensure iptables-persistent is not installed with ufw
• 3.5.1.3 Ensure ufw service is enabled
• 3.5.1.4 Ensure ufw loopback traffic is configured
• 3.5.1.5 Ensure ufw outbound connections are configured
• 3.5.1.6 Ensure ufw firewall rules exist for all open ports
• 3.5.1.7 Ensure ufw default deny firewall policy
• 3.5.2.1 Ensure nftables is installed
• 3.5.2.10 Ensure nftables rules are permanent
• 3.5.2.2 Ensure ufw is uninstalled or disabled with nftables
• 3.5.2.3 Ensure iptables are flushed with nftables
• 3.5.2.4 Ensure a nftables table exists
• 3.5.2.5 Ensure nftables base chains exist
• 3.5.2.6 Ensure nftables loopback traffic is configured
• 3.5.2.7 Ensure nftables outbound and established connections are configured
• 3.5.2.8 Ensure nftables default deny firewall policy
• 3.5.2.9 Ensure nftables service is enabled
• 3.5.3.1.1 Ensure iptables packages are installed
• 3.5.3.1.2 Ensure nftables is not installed with iptables
• 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables
• 3.5.3.2.1 Ensure iptables default deny firewall policy
• 3.5.3.2.2 Ensure iptables loopback traffic is configured
• 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports
• 3.5.3.3.1 Ensure ip6tables default deny firewall policy
• 3.5.3.3.2 Ensure ip6tables loopback traffic is configured
• 3.5.3.3.3 Ensure ip6tables outbound and established connections are configured
• 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports

4.5 Implement and Manage a Firewall on End-User Devices

• 3.5.1.1 Ensure ufw is installed
• 3.5.1.2 Ensure iptables-persistent is not installed with ufw
• 3.5.1.3 Ensure ufw service is enabled
• 3.5.1.4 Ensure ufw loopback traffic is configured
• 3.5.1.5 Ensure ufw outbound connections are configured
• 3.5.1.7 Ensure ufw default deny firewall policy
• 3.5.2.1 Ensure nftables is installed
• 3.5.2.10 Ensure nftables rules are permanent
• 3.5.2.2 Ensure ufw is uninstalled or disabled with nftables
• 3.5.2.3 Ensure iptables are flushed with nftables
• 3.5.2.4 Ensure a nftables table exists
• 3.5.2.5 Ensure nftables base chains exist
• 3.5.2.6 Ensure nftables loopback traffic is configured
• 3.5.2.7 Ensure nftables outbound and established connections are configured
• 3.5.2.8 Ensure nftables default deny firewall policy
• 3.5.2.9 Ensure nftables service is enabled
• 3.5.3.1.1 Ensure iptables packages are installed
• 3.5.3.1.2 Ensure nftables is not installed with iptables
• 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables
• 3.5.3.2.1 Ensure iptables default deny firewall policy
• 3.5.3.2.2 Ensure iptables loopback traffic is configured
• 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports
• 3.5.3.3.1 Ensure ip6tables default deny firewall policy
• 3.5.3.3.2 Ensure ip6tables loopback traffic is configured
• 3.5.3.3.3 Ensure ip6tables outbound and established connections are configured
• 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports

4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software

• 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
• 1.1.1.2 Ensure mounting of squashfs filesystems is disabled
• 1.1.1.3 Ensure mounting of udf filesystems is disabled
• 1.5.3 Ensure Automatic Error Reporting is not enabled
• 1.5.4 Ensure core dumps are restricted
• 1.8.1 Ensure GNOME Display Manager is removed
• 1.8.10 Ensure XDCMP is not enabled
• 2.4 Ensure nonessential services are removed or masked
• 2.2.1 Ensure X Window System is not installed
• 2.2.10 Ensure IMAP and POP3 server are not installed
• 2.2.11 Ensure Samba is not installed
• 2.2.12 Ensure HTTP Proxy Server is not installed
• 2.2.13 Ensure SNMP Server is not installed
• 2.2.14 Ensure NIS Server is not installed
• 2.2.15 Ensure mail transfer agent is configured for local-only mode
• 2.2.16 Ensure rsync service is either not installed or masked
• 2.2.2 Ensure Avahi Server is not installed
• 2.2.3 Ensure CUPS is not installed
• 2.2.4 Ensure DHCP Server is not installed
• 2.2.5 Ensure LDAP server is not installed
• 2.2.6 Ensure NFS is not installed
• 2.2.7 Ensure DNS Server is not installed
• 2.2.8 Ensure FTP Server is not installed
• 2.2.9 Ensure HTTP server is not installed
• 2.3.1 Ensure NIS Client is not installed
• 2.3.2 Ensure rsh client is not installed
• 2.3.3 Ensure talk client is not installed
• 2.3.4 Ensure telnet client is not installed
• 2.3.5 Ensure LDAP client is not installed
• 2.3.6 Ensure RPC is not installed
• 3.1.1 Ensure system is checked to determine if IPv6 is enabled
• 3.1.2 Ensure wireless interfaces are disabled
• 3.1.3 Ensure DCCP is disabled
• 3.1.4 Ensure SCTP is disabled
• 3.2.1 Ensure packet redirect sending is disabled
• 3.2.2 Ensure IP forwarding is disabled
• 3.3.1 Ensure source routed packets are not accepted
• 3.3.2 Ensure ICMP redirects are not accepted
• 3.3.3 Ensure secure ICMP redirects are not accepted
• 3.3.5 Ensure broadcast ICMP requests are ignored
• 3.3.6 Ensure bogus ICMP responses are ignored
• 3.3.7 Ensure Reverse Path Filtering is enabled
• 3.3.8 Ensure TCP SYN Cookies is enabled
• 3.3.9 Ensure IPv6 router advertisements are not accepted
• 4.2.1.1.4 Ensure journald is not configured to recieve logs from a remote client
• 4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client
• 5.2.12 Ensure SSH X11 forwarding is disabled

5.2 Use Unique Passwords

• 1.4.1 Ensure bootloader password is set
• 1.4.3 Ensure authentication required for single user mode
• 5.4.1 Ensure password creation requirements are configured
• 5.4.3 Ensure password reuse is limited
• 5.5.1.1 Ensure minimum days between password changes is configured
• 5.5.1.2 Ensure password expiration is 365 days or less
• 5.5.1.3 Ensure password expiration warning days is 7 or more
• 5.5.1.4 Ensure inactive password lock is 30 days or less
• 5.5.1.5 Ensure all users last password change date is in the past
• 6.2.2 Ensure /etc/shadow password fields are not empty

5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts

• 5.2.7 Ensure SSH root login is disabled
• 5.3.1 Ensure sudo is installed
• 5.3.2 Ensure sudo commands use pty
• 5.3.4 Ensure users must provide password for privilege escalation
• 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally
• 5.3.6 Ensure sudo authentication timeout is configured correctly

6.2 Establish an Access Revoking Process

• 5.4.2 Ensure lockout for failed password attempts is configured

7.3 Perform Automated Operating System Patch Management

• 1.9 Ensure updates, patches, and additional security software are installed
• 1.2.1 Ensure package manager repositories are configured
• 1.2.2 Ensure GPG keys are configured

8.2 Collect Audit Logs

• 4.1.1.2 Ensure auditd service is enabled and active
• 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled
• 4.1.1.4 Ensure audit_backlog_limit is sufficient
• 4.1.2.3 Ensure system is disabled when audit logs are full
• 4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded
• 4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded
• 4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorde
• 4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded
• 4.2.1.2 Ensure journald service is enabled
• 4.2.1.3 Ensure journald is configured to compress large log files
• 4.2.1.4 Ensure journald is configured to write logfiles to persistent disk
• 4.2.1.5 Ensure journald is not configured to send logs to rsyslog
• 4.2.1.6 Ensure journald log rotation is configured per site policy
• 4.2.1.7 Ensure journald default file permissions configured
• 4.2.1.1.1 Ensure systemd-journal-remote is installed
• 4.2.1.1.2 Ensure systemd-journal-remote is configured
• 4.2.1.1.3 Ensure systemd-journal-remote is enabled
• 4.2.1.1.4 Ensure journald is not configured to recieve logs from a remote client
• 4.2.2.1 Ensure rsyslog is installed
• 4.2.2.2 Ensure rsyslog service is enabled
• 4.2.2.3 Ensure journald is configured to send logs to rsyslog
• 4.2.2.4 Ensure rsyslog default file permissions are configured
• 4.2.2.5 Ensure logging is configured
• 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host
• 4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client
• 5.2.5 Ensure SSH LogLevel is appropriate

8.3 Ensure Adequate Audit Log Storage

• 1.1.5.1 Ensure separate partition exists for /var/log
• 1.1.6.1 Ensure separate partition exists for /var/log/audit
• 4.1.2.1 Ensure audit log storage size is configured
• 4.1.2.2 Ensure audit logs are not automatically deleted
• 4.2.1.3 Ensure journald is configured to compress large log files

8.4 Standardize Time Synchronization

• 2.1.1.1 Ensure a single time synchronization daemon is in use
• 2.1.2.1 Ensure chrony is configured with authorized timeserver
• 2.1.2.2 Ensure chrony is running as user _chrony
• 2.1.2.3 Ensure chrony is enabled and running
• 2.1.3.1 Ensure systemd-timesyncd configured with authorized timeserver
• 2.1.3.2 Ensure systemd-timesyncd is enabled and running
• 2.1.4.1 Ensure ntp access control is configured
• 2.1.4.2 Ensure ntp is configured with authorized timeserver
• 2.1.4.3 Ensure ntp is running as user ntp
• Ensure mounting of cramfs filesystems is disabled

8.5 Collect Detailed Audit Logs

• 1.3.2 Ensure filesystem integrity is regularly checked
• 3.3.4 Ensure suspicious packets are logged
• 4.1.1.1 Ensure auditd is installed
• 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected
• 4.1.3.10 Ensure successful file system mounts are collected
• 4.1.3.11 Ensure session initiation information is collected
• 4.1.3.12 Ensure login and logout events are collected
• 4.1.3.13 Ensure file deletion events by users are collected
• 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected
• 4.1.3.19 Ensure kernel module loading unloading and modification is collected
• 4.1.3.2 Ensure actions as another user are always logged
• 4.1.3.20 Ensure the audit configuration is immutable
• 4.1.3.21 Ensure the running and on disk configuration is the same
• 4.1.3.3 Ensure events that modify the sudo log file are collected
• 4.1.3.4 Ensure events that modify date and time information are collected
• 4.1.3.5 Ensure events that modify the system's network environment are collected
• 4.1.3.6 Ensure use of privileged commands are collected
• 4.1.3.7 Ensure unsuccessful file access attempts are collected
• 4.1.3.8 Ensure events that modify user/group information are collected
• 4.1.3.9 Ensure discretionary access control permission modification events are collected
• 5.2.18 Ensure SSH MaxAuthTries is set to 4 or less
• 5.3.3 Ensure sudo log file exists

8.9 Centralize Audit Logs

• 4.2.1.5 Ensure journald is not configured to send logs to rsyslog
• 4.2.2.3 Ensure journald is configured to send logs to rsyslog

Access, Authentication and Authorization

• 5.1.1 Ensure cron daemon is enabled and running
• 5.1.2 Ensure permissions on /etc/crontab are configured
• 5.1.3 Ensure permissions on /etc/cron.hourly are configured
• 5.1.4 Ensure permissions on /etc/cron.daily are configured
• 5.1.5 Ensure permissions on /etc/cron.weekly are configured
• 5.1.6 Ensure permissions on /etc/cron.monthly are configured
• 5.1.7 Ensure permissions on /etc/cron.d are configured
• 5.1.8 Ensure cron is restricted to authorized users
• 5.1.9 Ensure at is restricted to authorized users
• 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
• 5.2.10 Ensure SSH PermitUserEnvironment is disabled
• 5.2.11 Ensure SSH IgnoreRhosts is enabled
• 5.2.12 Ensure SSH X11 forwarding is disabled
• 5.2.13 Ensure only strong Ciphers are used
• 5.2.14 Ensure only strong MAC algorithms are used
• 5.2.15 Ensure only strong Key Exchange algorithms are used
• 5.2.16 Ensure SSH AllowTcpForwarding is disabled
• 5.2.17 Ensure SSH warning banner is configured
• 5.2.18 Ensure SSH MaxAuthTries is set to 4 or less
• 5.2.19 Ensure SSH MaxStartups is configured
• 5.2.2 Ensure permissions on SSH private host key files are configured
• 5.2.20 Ensure SSH MaxSessions is set to 10 or less
• 5.2.21 Ensure SSH LoginGraceTime is set to one minute or less
• 5.2.22 Ensure SSH Idle Timeout Interval is configured
• 5.2.3 Ensure permissions on SSH public host key files are configured
• 5.2.4 Ensure SSH access is limited
• 5.2.5 Ensure SSH LogLevel is appropriate
• 5.2.6 Ensure SSH PAM is enabled
• 5.2.7 Ensure SSH root login is disabled
• 5.2.8 Ensure SSH HostbasedAuthentication is disabled
• 5.2.9 Ensure SSH PermitEmptyPasswords is disabled
• 5.3.1 Ensure sudo is installed
• 5.3.2 Ensure sudo commands use pty
• 5.3.3 Ensure sudo log file exists
• 5.3.4 Ensure users must provide password for privilege escalation
• 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally
• 5.3.6 Ensure sudo authentication timeout is configured correctly
• 5.3.7 Ensure access to the su command is restricted
• 5.4.1 Ensure password creation requirements are configured
• 5.4.2 Ensure lockout for failed password attempts is configured
• 5.4.3 Ensure password reuse is limited
• 5.4.4 Ensure password hashing algorithm is up to date with the latest standards
• 5.5.2 Ensure system accounts are secured
• 5.5.3 Ensure default group for the root account is GID 0
• 5.5.4 Ensure default user umask is 027 or more restrictive
• 5.5.5 Ensure default user shell timeout is 900 seconds or less
• 5.5.1.1 Ensure minimum days between password changes is configured
• 5.5.1.2 Ensure password expiration is 365 days or less
• 5.5.1.3 Ensure password expiration warning days is 7 or more
• 5.5.1.4 Ensure inactive password lock is 30 days or less
• 5.5.1.5 Ensure all users last password change date is in the past

Additional Process Hardening

• 1.5.1 Ensure address space layout randomization (ASLR) is enabled
• 1.5.2 Ensure prelink is not installed
• 1.5.3 Ensure Automatic Error Reporting is not enabled
• 1.5.4 Ensure core dumps are restricted

Automated

• 1.1.10 Disable USB Storage
• 1.1.9 Disable Automounting
• 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
• 1.1.1.2 Ensure mounting of squashfs filesystems is disabled
• 1.1.1.3 Ensure mounting of udf filesystems is disabled
• 1.1.2.1 Ensure /tmp is a separate partition
• 1.1.2.2 Ensure nodev option set on /tmp partition
• 1.1.2.3 Ensure noexec option set on /tmp partition
• 1.1.2.4 Ensure nosuid option set on /tmp partition
• 1.1.3.1 Ensure separate partition exists for /var
• 1.1.3.2 Ensure nodev option set on /var partition
• 1.1.3.3 Ensure nosuid option set on /var partition
• 1.1.4.1 Ensure separate partition exists for /var/tmp
• 1.1.4.2 Ensure noexec option set on /var/tmp partition
• 1.1.4.3 Ensure nosuid option set on /var/tmp partition
• 1.1.4.4 Ensure nodev option set on /var/tmp partition
• 1.1.5.1 Ensure separate partition exists for /var/log
• 1.1.5.2 Ensure nodev option set on /var/log partition
• 1.1.5.3 Ensure noexec option set on /var/log partition
• 1.1.5.4 Ensure nosuid option set on /var/log partition
• 1.1.6.1 Ensure separate partition exists for /var/log/audit
• 1.1.6.2 Ensure noexec option set on /var/log/audit partition
• 1.1.6.3 Ensure nodev option set on /var/log/audit partition
• 1.1.6.4 Ensure nosuid option set on /var/log/audit partition
• 1.1.7.1 Ensure separate partition exists for /home
• 1.1.7.2 Ensure nodev option set on /home partition
• 1.1.7.3 Ensure nosuid option set on /home partition
• 1.1.8.1 Ensure nodev option set on /dev/shm partition
• 1.1.8.2 Ensure noexec option set on /dev/shm partition
• 1.1.8.3 Ensure nosuid option set on /dev/shm partition
• 1.3.1 Ensure AIDE is installed
• 1.3.2 Ensure filesystem integrity is regularly checked
• 1.4.1 Ensure bootloader password is set
• 1.4.2 Ensure permissions on bootloader config are configured
• 1.4.3 Ensure authentication required for single user mode
• 1.5.1 Ensure address space layout randomization (ASLR) is enabled
• 1.5.2 Ensure prelink is not installed
• 1.5.3 Ensure Automatic Error Reporting is not enabled
• 1.5.4 Ensure core dumps are restricted
• 1.6.1.1 Ensure AppArmor is installed
• 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration
• 1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode
• 1.6.1.4 Ensure all AppArmor Profiles are enforcing
• 1.7.1 Ensure message of the day is configured properly
• 1.7.2 Ensure local login warning banner is configured properly
• 1.7.3 Ensure remote login warning banner is configured properly
• 1.7.4 Ensure permissions on /etc/motd are configured
• 1.7.5 Ensure permissions on /etc/issue are configured
• 1.7.6 Ensure permissions on /etc/issue.net are configured
• 1.8.1 Ensure GNOME Display Manager is removed
• 1.8.10 Ensure XDCMP is not enabled
• 1.8.2 Ensure GDM login banner is configured
• 1.8.3 Ensure GDM disable-user-list option is enabled
• 1.8.4 Ensure GDM screen locks when the user is idle
• 1.8.5 Ensure GDM screen locks cannot be overridden
• 1.8.6 Ensure GDM automatic mounting of removable media is disabled
• 1.8.7 Ensure GDM disabling automatic mounting of removable media is not overridden
• 1.8.8 Ensure GDM autorun-never is enabled
• 1.8.9 Ensure GDM autorun-never is not overridden
• 2.1.1.1 Ensure a single time synchronization daemon is in use
• 2.1.2.2 Ensure chrony is running as user _chrony
• 2.1.2.3 Ensure chrony is enabled and running
• 2.1.3.2 Ensure systemd-timesyncd is enabled and running
• 2.1.4.1 Ensure ntp access control is configured
• 2.1.4.3 Ensure ntp is running as user ntp
• Ensure mounting of cramfs filesystems is disabled
• 2.2.1 Ensure X Window System is not installed
• 2.2.10 Ensure IMAP and POP3 server are not installed
• 2.2.11 Ensure Samba is not installed
• 2.2.12 Ensure HTTP Proxy Server is not installed
• 2.2.13 Ensure SNMP Server is not installed
• 2.2.14 Ensure NIS Server is not installed
• 2.2.15 Ensure mail transfer agent is configured for local-only mode
• 2.2.16 Ensure rsync service is either not installed or masked
• 2.2.2 Ensure Avahi Server is not installed
• 2.2.3 Ensure CUPS is not installed
• 2.2.4 Ensure DHCP Server is not installed
• 2.2.5 Ensure LDAP server is not installed
• 2.2.6 Ensure NFS is not installed
• 2.2.7 Ensure DNS Server is not installed
• 2.2.8 Ensure FTP Server is not installed
• 2.2.9 Ensure HTTP server is not installed
• 2.3.1 Ensure NIS Client is not installed
• 2.3.2 Ensure rsh client is not installed
• 2.3.3 Ensure talk client is not installed
• 2.3.4 Ensure telnet client is not installed
• 2.3.5 Ensure LDAP client is not installed
• 2.3.6 Ensure RPC is not installed
• 3.1.2 Ensure wireless interfaces are disabled
• 3.1.3 Ensure DCCP is disabled
• 3.1.4 Ensure SCTP is disabled
• 3.1.5 Ensure RDS is disabled
• 3.1.6 Ensure TIPC is disabled
• 3.2.1 Ensure packet redirect sending is disabled
• 3.2.2 Ensure IP forwarding is disabled
• 3.3.1 Ensure source routed packets are not accepted
• 3.3.2 Ensure ICMP redirects are not accepted
• 3.3.3 Ensure secure ICMP redirects are not accepted
• 3.3.4 Ensure suspicious packets are logged
• 3.3.5 Ensure broadcast ICMP requests are ignored
• 3.3.6 Ensure bogus ICMP responses are ignored
• 3.3.7 Ensure Reverse Path Filtering is enabled
• 3.3.8 Ensure TCP SYN Cookies is enabled
• 3.3.9 Ensure IPv6 router advertisements are not accepted
• 3.5.1.1 Ensure ufw is installed
• 3.5.1.2 Ensure iptables-persistent is not installed with ufw
• 3.5.1.3 Ensure ufw service is enabled
• 3.5.1.4 Ensure ufw loopback traffic is configured
• 3.5.1.6 Ensure ufw firewall rules exist for all open ports
• 3.5.1.7 Ensure ufw default deny firewall policy
• 3.5.2.1 Ensure nftables is installed
• 3.5.2.10 Ensure nftables rules are permanent
• 3.5.2.2 Ensure ufw is uninstalled or disabled with nftables
• 3.5.2.4 Ensure a nftables table exists
• 3.5.2.5 Ensure nftables base chains exist
• 3.5.2.6 Ensure nftables loopback traffic is configured
• 3.5.2.8 Ensure nftables default deny firewall policy
• 3.5.2.9 Ensure nftables service is enabled
• 3.5.3.1.1 Ensure iptables packages are installed
• 3.5.3.1.2 Ensure nftables is not installed with iptables
• 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables
• 3.5.3.2.1 Ensure iptables default deny firewall policy
• 3.5.3.2.2 Ensure iptables loopback traffic is configured
• 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports
• 3.5.3.3.1 Ensure ip6tables default deny firewall policy
• 3.5.3.3.2 Ensure ip6tables loopback traffic is configured
• 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports
• 4.1.1.1 Ensure auditd is installed
• 4.1.1.2 Ensure auditd service is enabled and active
• 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled
• 4.1.1.4 Ensure audit_backlog_limit is sufficient
• 4.1.2.1 Ensure audit log storage size is configured
• 4.1.2.2 Ensure audit logs are not automatically deleted
• 4.1.2.3 Ensure system is disabled when audit logs are full
• 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected
• 4.1.3.10 Ensure successful file system mounts are collected
• 4.1.3.11 Ensure session initiation information is collected
• 4.1.3.12 Ensure login and logout events are collected
• 4.1.3.13 Ensure file deletion events by users are collected
• 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected
• 4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded
• 4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded
• 4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorde
• 4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded
• 4.1.3.19 Ensure kernel module loading unloading and modification is collected
• 4.1.3.2 Ensure actions as another user are always logged
• 4.1.3.20 Ensure the audit configuration is immutable
• 4.1.3.3 Ensure events that modify the sudo log file are collected
• 4.1.3.4 Ensure events that modify date and time information are collected
• 4.1.3.5 Ensure events that modify the system's network environment are collected
• 4.1.3.6 Ensure use of privileged commands are collected
• 4.1.3.7 Ensure unsuccessful file access attempts are collected
• 4.1.3.8 Ensure events that modify user/group information are collected
• 4.1.3.9 Ensure discretionary access control permission modification events are collected
• 4.1.4.1 Ensure audit log files are mode 0640 or less permissive
• 4.1.4.10 Ensure audit tools belong to group root
• 4.1.4.11 Ensure cryptographic mechanisms are used to protect the integrity of audit tool
• 4.1.4.2 Ensure only authorized users own audit log files
• 4.1.4.3 Ensure only authorized groups are assigned ownership of audit log files
• 4.1.4.4 Ensure the audit log directory is 0750 or more restrictive
• 4.1.4.5 Ensure audit configuration files are 640 or more restrictive
• 4.1.4.6 Ensure audit configuration files are owned by root
• 4.1.4.7 Ensure audit configuration files belong to group root
• 4.1.4.8 Ensure audit tools are 755 or more restrictive
• 4.1.4.9 Ensure audit tools are owned by root
• 4.2.3 Ensure all logfiles have appropriate permissions and ownership
• 4.2.1.2 Ensure journald service is enabled
• 4.2.1.3 Ensure journald is configured to compress large log files
• 4.2.1.4 Ensure journald is configured to write logfiles to persistent disk
• 4.2.1.1.1 Ensure systemd-journal-remote is installed
• 4.2.1.1.4 Ensure journald is not configured to recieve logs from a remote client
• 4.2.2.1 Ensure rsyslog is installed
• 4.2.2.2 Ensure rsyslog service is enabled
• 4.2.2.4 Ensure rsyslog default file permissions are configured
• 4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client
• 5.1.1 Ensure cron daemon is enabled and running
• 5.1.2 Ensure permissions on /etc/crontab are configured
• 5.1.3 Ensure permissions on /etc/cron.hourly are configured
• 5.1.4 Ensure permissions on /etc/cron.daily are configured
• 5.1.5 Ensure permissions on /etc/cron.weekly are configured
• 5.1.6 Ensure permissions on /etc/cron.monthly are configured
• 5.1.7 Ensure permissions on /etc/cron.d are configured
• 5.1.8 Ensure cron is restricted to authorized users
• 5.1.9 Ensure at is restricted to authorized users
• 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
• 5.2.10 Ensure SSH PermitUserEnvironment is disabled
• 5.2.11 Ensure SSH IgnoreRhosts is enabled
• 5.2.12 Ensure SSH X11 forwarding is disabled
• 5.2.13 Ensure only strong Ciphers are used
• 5.2.14 Ensure only strong MAC algorithms are used
• 5.2.15 Ensure only strong Key Exchange algorithms are used
• 5.2.16 Ensure SSH AllowTcpForwarding is disabled
• 5.2.17 Ensure SSH warning banner is configured
• 5.2.18 Ensure SSH MaxAuthTries is set to 4 or less
• 5.2.19 Ensure SSH MaxStartups is configured
• 5.2.2 Ensure permissions on SSH private host key files are configured
• 5.2.20 Ensure SSH MaxSessions is set to 10 or less
• 5.2.21 Ensure SSH LoginGraceTime is set to one minute or less
• 5.2.22 Ensure SSH Idle Timeout Interval is configured
• 5.2.3 Ensure permissions on SSH public host key files are configured
• 5.2.4 Ensure SSH access is limited
• 5.2.5 Ensure SSH LogLevel is appropriate
• 5.2.6 Ensure SSH PAM is enabled
• 5.2.7 Ensure SSH root login is disabled
• 5.2.8 Ensure SSH HostbasedAuthentication is disabled
• 5.2.9 Ensure SSH PermitEmptyPasswords is disabled
• 5.3.1 Ensure sudo is installed
• 5.3.2 Ensure sudo commands use pty
• 5.3.3 Ensure sudo log file exists
• 5.3.4 Ensure users must provide password for privilege escalation
• 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally
• 5.3.6 Ensure sudo authentication timeout is configured correctly
• 5.3.7 Ensure access to the su command is restricted
• 5.4.1 Ensure password creation requirements are configured
• 5.4.2 Ensure lockout for failed password attempts is configured
• 5.4.3 Ensure password reuse is limited
• 5.4.4 Ensure password hashing algorithm is up to date with the latest standards
• 5.5.2 Ensure system accounts are secured
• 5.5.3 Ensure default group for the root account is GID 0
• 5.5.4 Ensure default user umask is 027 or more restrictive
• 5.5.5 Ensure default user shell timeout is 900 seconds or less
• 5.5.1.1 Ensure minimum days between password changes is configured
• 5.5.1.2 Ensure password expiration is 365 days or less
• 5.5.1.3 Ensure password expiration warning days is 7 or more
• 5.5.1.4 Ensure inactive password lock is 30 days or less
• 5.5.1.5 Ensure all users last password change date is in the past
• 6.1.1 Ensure permissions on /etc/passwd are configured
• 6.1.10 Ensure no unowned files or directories exist
• 6.1.11 Ensure no ungrouped files or directories exist
• 6.1.2 Ensure permissions on /etc/passwd- are configured
• 6.1.3 Ensure permissions on /etc/group are configured
• 6.1.4 Ensure permissions on /etc/group- are configured
• 6.1.5 Ensure permissions on /etc/shadow are configured
• 6.1.6 Ensure permissions on /etc/shadow- are configured
• 6.1.7 Ensure permissions on /etc/gshadow are configured
• E6.1.8 Ensure permissions on /etc/gshadow- are configured
• 6.1.9 Ensure no world writable files exist
• 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords
• 6.2.10 Ensure root is the only UID 0 account
• 6.2.11 Ensure local interactive user home directories exist
• 6.2.12 Ensure local interactive users own their home directories
• 6.2.13 Ensure local interactive user home directories are mode 750 or more restrictive
• 6.2.14 Ensure no local interactive user has .netrc files
• 6.2.15 Ensure no local interactive user has .forward files
• 6.2.16 Ensue no local interactive user has .rhosts files
• 6.2.17 Ensure local interactive user dot files are not group or world writable
• 6.2.2 Ensure /etc/shadow password fields are not empty
• 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group
• 6.2.4 Ensure shadow group is empty
• 6.2.5 Ensure no duplicate UIDs exist
• 6.2.6 Ensure no duplicate GIDs exist
• 6.2.7 Ensure no duplicate user names exist
• 6.2.8 Ensure no duplicate group names exist
• 6.2.9 Ensure root PATH Integrity

Command Line Warning Banners

• 1.7.1 Ensure message of the day is configured properly
• 1.7.2 Ensure local login warning banner is configured properly
• 1.7.3 Ensure remote login warning banner is configured properly
• 1.7.4 Ensure permissions on /etc/motd are configured
• 1.7.5 Ensure permissions on /etc/issue are configured
• 1.7.6 Ensure permissions on /etc/issue.net are configured

Configure /dev/shm

• 1.1.8.1 Ensure nodev option set on /dev/shm partition
• 1.1.8.2 Ensure noexec option set on /dev/shm partition
• 1.1.8.3 Ensure nosuid option set on /dev/shm partition

Configure /home

• 1.1.7.1 Ensure separate partition exists for /home
• 1.1.7.2 Ensure nodev option set on /home partition
• 1.1.7.3 Ensure nosuid option set on /home partition

Configure /tmp

• 1.1.2.1 Ensure /tmp is a separate partition
• 1.1.2.2 Ensure nodev option set on /tmp partition
• 1.1.2.3 Ensure noexec option set on /tmp partition
• 1.1.2.4 Ensure nosuid option set on /tmp partition

Configure /var

• 1.1.3.1 Ensure separate partition exists for /var
• 1.1.3.2 Ensure nodev option set on /var partition
• 1.1.3.3 Ensure nosuid option set on /var partition

Configure /var/log

• 1.1.5.1 Ensure separate partition exists for /var/log
• 1.1.5.2 Ensure nodev option set on /var/log partition
• 1.1.5.3 Ensure noexec option set on /var/log partition
• 1.1.5.4 Ensure nosuid option set on /var/log partition

Configure /var/log/audit

• 1.1.6.1 Ensure separate partition exists for /var/log/audit
• 1.1.6.2 Ensure noexec option set on /var/log/audit partition
• 1.1.6.3 Ensure nodev option set on /var/log/audit partition
• 1.1.6.4 Ensure nosuid option set on /var/log/audit partition

Configure /var/tmp

• 1.1.4.1 Ensure separate partition exists for /var/tmp
• 1.1.4.2 Ensure noexec option set on /var/tmp partition
• 1.1.4.3 Ensure nosuid option set on /var/tmp partition
• 1.1.4.4 Ensure nodev option set on /var/tmp partition

Configure AppArmor

• 1.6.1.1 Ensure AppArmor is installed
• 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration
• 1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode
• 1.6.1.4 Ensure all AppArmor Profiles are enforcing

Configure Data Retention

• 4.1.2.1 Ensure audit log storage size is configured
• 4.1.2.2 Ensure audit logs are not automatically deleted
• 4.1.2.3 Ensure system is disabled when audit logs are full

Configure IPv4 iptables

• 3.5.3.2.1 Ensure iptables default deny firewall policy
• 3.5.3.2.2 Ensure iptables loopback traffic is configured
• 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports

Configure IPv6 ip6tables

• 3.5.3.3.1 Ensure ip6tables default deny firewall policy
• 3.5.3.3.2 Ensure ip6tables loopback traffic is configured
• 3.5.3.3.3 Ensure ip6tables outbound and established connections are configured
• 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports

Configure Logging

• 4.2.3 Ensure all logfiles have appropriate permissions and ownership
• 4.2.1.2 Ensure journald service is enabled
• 4.2.1.3 Ensure journald is configured to compress large log files
• 4.2.1.4 Ensure journald is configured to write logfiles to persistent disk
• 4.2.1.5 Ensure journald is not configured to send logs to rsyslog
• 4.2.1.6 Ensure journald log rotation is configured per site policy
• 4.2.1.7 Ensure journald default file permissions configured
• 4.2.1.1.1 Ensure systemd-journal-remote is installed
• 4.2.1.1.2 Ensure systemd-journal-remote is configured
• 4.2.1.1.3 Ensure systemd-journal-remote is enabled
• 4.2.1.1.4 Ensure journald is not configured to recieve logs from a remote client
• 4.2.2.1 Ensure rsyslog is installed
• 4.2.2.2 Ensure rsyslog service is enabled
• 4.2.2.3 Ensure journald is configured to send logs to rsyslog
• 4.2.2.4 Ensure rsyslog default file permissions are configured
• 4.2.2.5 Ensure logging is configured
• 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host
• 4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client

Configure PAM

• 5.4.1 Ensure password creation requirements are configured
• 5.4.2 Ensure lockout for failed password attempts is configured
• 5.4.3 Ensure password reuse is limited
• 5.4.4 Ensure password hashing algorithm is up to date with the latest standards

Configure SSH Server

• 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
• 5.2.10 Ensure SSH PermitUserEnvironment is disabled
• 5.2.11 Ensure SSH IgnoreRhosts is enabled
• 5.2.12 Ensure SSH X11 forwarding is disabled
• 5.2.13 Ensure only strong Ciphers are used
• 5.2.14 Ensure only strong MAC algorithms are used
• 5.2.15 Ensure only strong Key Exchange algorithms are used
• 5.2.16 Ensure SSH AllowTcpForwarding is disabled
• 5.2.17 Ensure SSH warning banner is configured
• 5.2.18 Ensure SSH MaxAuthTries is set to 4 or less
• 5.2.19 Ensure SSH MaxStartups is configured
• 5.2.2 Ensure permissions on SSH private host key files are configured
• 5.2.20 Ensure SSH MaxSessions is set to 10 or less
• 5.2.21 Ensure SSH LoginGraceTime is set to one minute or less
• 5.2.22 Ensure SSH Idle Timeout Interval is configured
• 5.2.3 Ensure permissions on SSH public host key files are configured
• 5.2.4 Ensure SSH access is limited
• 5.2.5 Ensure SSH LogLevel is appropriate
• 5.2.6 Ensure SSH PAM is enabled
• 5.2.7 Ensure SSH root login is disabled
• 5.2.8 Ensure SSH HostbasedAuthentication is disabled
• 5.2.9 Ensure SSH PermitEmptyPasswords is disabled

Configure Software Updates

• 1.2.1 Ensure package manager repositories are configured
• 1.2.2 Ensure GPG keys are configured

Configure System Accounting (auditd)

• 4.1.1.1 Ensure auditd is installed
• 4.1.1.2 Ensure auditd service is enabled and active
• 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled
• 4.1.1.4 Ensure audit_backlog_limit is sufficient
• 4.1.2.1 Ensure audit log storage size is configured
• 4.1.2.2 Ensure audit logs are not automatically deleted
• 4.1.2.3 Ensure system is disabled when audit logs are full
• 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected
• 4.1.3.10 Ensure successful file system mounts are collected
• 4.1.3.11 Ensure session initiation information is collected
• 4.1.3.12 Ensure login and logout events are collected
• 4.1.3.13 Ensure file deletion events by users are collected
• 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected
• 4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded
• 4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded
• 4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorde
• 4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded
• 4.1.3.19 Ensure kernel module loading unloading and modification is collected
• 4.1.3.2 Ensure actions as another user are always logged
• 4.1.3.20 Ensure the audit configuration is immutable
• 4.1.3.21 Ensure the running and on disk configuration is the same
• 4.1.3.3 Ensure events that modify the sudo log file are collected
• 4.1.3.4 Ensure events that modify date and time information are collected
• 4.1.3.5 Ensure events that modify the system's network environment are collected
• 4.1.3.6 Ensure use of privileged commands are collected
• 4.1.3.7 Ensure unsuccessful file access attempts are collected
• 4.1.3.8 Ensure events that modify user/group information are collected
• 4.1.3.9 Ensure discretionary access control permission modification events are collected
• 4.1.4.1 Ensure audit log files are mode 0640 or less permissive
• 4.1.4.10 Ensure audit tools belong to group root
• 4.1.4.11 Ensure cryptographic mechanisms are used to protect the integrity of audit tool
• 4.1.4.2 Ensure only authorized users own audit log files
• 4.1.4.3 Ensure only authorized groups are assigned ownership of audit log files
• 4.1.4.4 Ensure the audit log directory is 0750 or more restrictive
• 4.1.4.5 Ensure audit configuration files are 640 or more restrictive
• 4.1.4.6 Ensure audit configuration files are owned by root
• 4.1.4.7 Ensure audit configuration files belong to group root
• 4.1.4.8 Ensure audit tools are 755 or more restrictive
• 4.1.4.9 Ensure audit tools are owned by root

Configure Time Synchronization

• 2.1.1.1 Ensure a single time synchronization daemon is in use
• 2.1.2.1 Ensure chrony is configured with authorized timeserver
• 2.1.2.2 Ensure chrony is running as user _chrony
• 2.1.2.3 Ensure chrony is enabled and running
• 2.1.3.1 Ensure systemd-timesyncd configured with authorized timeserver
• 2.1.3.2 Ensure systemd-timesyncd is enabled and running
• 2.1.4.1 Ensure ntp access control is configured
• 2.1.4.2 Ensure ntp is configured with authorized timeserver
• 2.1.4.3 Ensure ntp is running as user ntp
• Ensure mounting of cramfs filesystems is disabled

Configure UncomplicatedFirewall

• 3.5.1.1 Ensure ufw is installed
• 3.5.1.2 Ensure iptables-persistent is not installed with ufw
• 3.5.1.3 Ensure ufw service is enabled
• 3.5.1.4 Ensure ufw loopback traffic is configured
• 3.5.1.5 Ensure ufw outbound connections are configured
• 3.5.1.6 Ensure ufw firewall rules exist for all open ports
• 3.5.1.7 Ensure ufw default deny firewall policy

Configure auditd file access

• 4.1.4.1 Ensure audit log files are mode 0640 or less permissive
• 4.1.4.10 Ensure audit tools belong to group root
• 4.1.4.11 Ensure cryptographic mechanisms are used to protect the integrity of audit tool
• 4.1.4.2 Ensure only authorized users own audit log files
• 4.1.4.3 Ensure only authorized groups are assigned ownership of audit log files
• 4.1.4.4 Ensure the audit log directory is 0750 or more restrictive
• 4.1.4.5 Ensure audit configuration files are 640 or more restrictive
• 4.1.4.6 Ensure audit configuration files are owned by root
• 4.1.4.7 Ensure audit configuration files belong to group root
• 4.1.4.8 Ensure audit tools are 755 or more restrictive
• 4.1.4.9 Ensure audit tools are owned by root

Configure auditd rules

• 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected
• 4.1.3.10 Ensure successful file system mounts are collected
• 4.1.3.11 Ensure session initiation information is collected
• 4.1.3.12 Ensure login and logout events are collected
• 4.1.3.13 Ensure file deletion events by users are collected
• 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected
• 4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded
• 4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded
• 4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorde
• 4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded
• 4.1.3.19 Ensure kernel module loading unloading and modification is collected
• 4.1.3.2 Ensure actions as another user are always logged
• 4.1.3.20 Ensure the audit configuration is immutable
• 4.1.3.21 Ensure the running and on disk configuration is the same
• 4.1.3.3 Ensure events that modify the sudo log file are collected
• 4.1.3.4 Ensure events that modify date and time information are collected
• 4.1.3.5 Ensure events that modify the system's network environment are collected
• 4.1.3.6 Ensure use of privileged commands are collected
• 4.1.3.7 Ensure unsuccessful file access attempts are collected
• 4.1.3.8 Ensure events that modify user/group information are collected
• 4.1.3.9 Ensure discretionary access control permission modification events are collected

Configure chrony

• 2.1.2.1 Ensure chrony is configured with authorized timeserver
• 2.1.2.2 Ensure chrony is running as user _chrony
• 2.1.2.3 Ensure chrony is enabled and running

Configure iptables

• 3.5.3.1.1 Ensure iptables packages are installed
• 3.5.3.1.2 Ensure nftables is not installed with iptables
• 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables
• 3.5.3.2.1 Ensure iptables default deny firewall policy
• 3.5.3.2.2 Ensure iptables loopback traffic is configured
• 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports
• 3.5.3.3.1 Ensure ip6tables default deny firewall policy
• 3.5.3.3.2 Ensure ip6tables loopback traffic is configured
• 3.5.3.3.3 Ensure ip6tables outbound and established connections are configured
• 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports

Configure iptables software

• 3.5.3.1.1 Ensure iptables packages are installed
• 3.5.3.1.2 Ensure nftables is not installed with iptables
• 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables

Configure journald

• 4.2.1.2 Ensure journald service is enabled
• 4.2.1.3 Ensure journald is configured to compress large log files
• 4.2.1.4 Ensure journald is configured to write logfiles to persistent disk
• 4.2.1.5 Ensure journald is not configured to send logs to rsyslog
• 4.2.1.6 Ensure journald log rotation is configured per site policy
• 4.2.1.7 Ensure journald default file permissions configured
• 4.2.1.1.1 Ensure systemd-journal-remote is installed
• 4.2.1.1.2 Ensure systemd-journal-remote is configured
• 4.2.1.1.3 Ensure systemd-journal-remote is enabled
• 4.2.1.1.4 Ensure journald is not configured to recieve logs from a remote client

Configure nftables

• 3.5.2.1 Ensure nftables is installed
• 3.5.2.10 Ensure nftables rules are permanent
• 3.5.2.2 Ensure ufw is uninstalled or disabled with nftables
• 3.5.2.3 Ensure iptables are flushed with nftables
• 3.5.2.4 Ensure a nftables table exists
• 3.5.2.5 Ensure nftables base chains exist
• 3.5.2.6 Ensure nftables loopback traffic is configured
• 3.5.2.7 Ensure nftables outbound and established connections are configured
• 3.5.2.8 Ensure nftables default deny firewall policy
• 3.5.2.9 Ensure nftables service is enabled

Configure ntp

• 2.1.4.1 Ensure ntp access control is configured
• 2.1.4.2 Ensure ntp is configured with authorized timeserver
• 2.1.4.3 Ensure ntp is running as user ntp
• Ensure mounting of cramfs filesystems is disabled

Configure privilege escalation

• 5.3.1 Ensure sudo is installed
• 5.3.2 Ensure sudo commands use pty
• 5.3.3 Ensure sudo log file exists
• 5.3.4 Ensure users must provide password for privilege escalation
• 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally
• 5.3.6 Ensure sudo authentication timeout is configured correctly
• 5.3.7 Ensure access to the su command is restricted

Configure rsyslog

• 4.2.3 Ensure all logfiles have appropriate permissions and ownership
• 4.2.2.1 Ensure rsyslog is installed
• 4.2.2.2 Ensure rsyslog service is enabled
• 4.2.2.3 Ensure journald is configured to send logs to rsyslog
• 4.2.2.4 Ensure rsyslog default file permissions are configured
• 4.2.2.5 Ensure logging is configured
• 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host
• 4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client

Configure systemd-timesyncd

• 2.1.3.1 Ensure systemd-timesyncd configured with authorized timeserver
• 2.1.3.2 Ensure systemd-timesyncd is enabled and running

Configure time-based job schedulers

• 5.1.1 Ensure cron daemon is enabled and running
• 5.1.2 Ensure permissions on /etc/crontab are configured
• 5.1.3 Ensure permissions on /etc/cron.hourly are configured
• 5.1.4 Ensure permissions on /etc/cron.daily are configured
• 5.1.5 Ensure permissions on /etc/cron.weekly are configured
• 5.1.6 Ensure permissions on /etc/cron.monthly are configured
• 5.1.7 Ensure permissions on /etc/cron.d are configured
• 5.1.8 Ensure cron is restricted to authorized users
• 5.1.9 Ensure at is restricted to authorized users

Disable Automounting

• 1.1.9 Disable Automounting

Disable unused filesystems

• 1.1.10 Disable USB Storage
• 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
• 1.1.1.2 Ensure mounting of squashfs filesystems is disabled
• 1.1.1.3 Ensure mounting of udf filesystems is disabled

Disable unused network protocols and devices

• 3.1.1 Ensure system is checked to determine if IPv6 is enabled
• 3.1.2 Ensure wireless interfaces are disabled
• 3.1.3 Ensure DCCP is disabled
• 3.1.4 Ensure SCTP is disabled
• 3.1.5 Ensure RDS is disabled
• 3.1.6 Ensure TIPC is disabled

Ensure auditing is enabled

• 4.1.1.1 Ensure auditd is installed
• 4.1.1.2 Ensure auditd service is enabled and active
• 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled
• 4.1.1.4 Ensure audit_backlog_limit is sufficient

Ensure journald is configured to send logs to a remote log host

• 4.2.1.1.1 Ensure systemd-journal-remote is installed
• 4.2.1.1.2 Ensure systemd-journal-remote is configured
• 4.2.1.1.3 Ensure systemd-journal-remote is enabled
• 4.2.1.1.4 Ensure journald is not configured to recieve logs from a remote client

Ensure time synchronization is in use

• 2.1.1.1 Ensure a single time synchronization daemon is in use

Filesystem Configuration

• 1.1.10 Disable USB Storage
• 1.1.9 Disable Automounting
• 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
• 1.1.1.2 Ensure mounting of squashfs filesystems is disabled
• 1.1.1.3 Ensure mounting of udf filesystems is disabled
• 1.1.2.1 Ensure /tmp is a separate partition
• 1.1.2.2 Ensure nodev option set on /tmp partition
• 1.1.2.3 Ensure noexec option set on /tmp partition
• 1.1.2.4 Ensure nosuid option set on /tmp partition
• 1.1.3.1 Ensure separate partition exists for /var
• 1.1.3.2 Ensure nodev option set on /var partition
• 1.1.3.3 Ensure nosuid option set on /var partition
• 1.1.4.1 Ensure separate partition exists for /var/tmp
• 1.1.4.2 Ensure noexec option set on /var/tmp partition
• 1.1.4.3 Ensure nosuid option set on /var/tmp partition
• 1.1.4.4 Ensure nodev option set on /var/tmp partition
• 1.1.5.1 Ensure separate partition exists for /var/log
• 1.1.5.2 Ensure nodev option set on /var/log partition
• 1.1.5.3 Ensure noexec option set on /var/log partition
• 1.1.5.4 Ensure nosuid option set on /var/log partition
• 1.1.6.1 Ensure separate partition exists for /var/log/audit
• 1.1.6.2 Ensure noexec option set on /var/log/audit partition
• 1.1.6.3 Ensure nodev option set on /var/log/audit partition
• 1.1.6.4 Ensure nosuid option set on /var/log/audit partition
• 1.1.7.1 Ensure separate partition exists for /home
• 1.1.7.2 Ensure nodev option set on /home partition
• 1.1.7.3 Ensure nosuid option set on /home partition
• 1.1.8.1 Ensure nodev option set on /dev/shm partition
• 1.1.8.2 Ensure noexec option set on /dev/shm partition
• 1.1.8.3 Ensure nosuid option set on /dev/shm partition

Filesystem Integrity Checking

• 1.3.1 Ensure AIDE is installed
• 1.3.2 Ensure filesystem integrity is regularly checked

Firewall Configuration

• 3.5.1.1 Ensure ufw is installed
• 3.5.1.2 Ensure iptables-persistent is not installed with ufw
• 3.5.1.3 Ensure ufw service is enabled
• 3.5.1.4 Ensure ufw loopback traffic is configured
• 3.5.1.5 Ensure ufw outbound connections are configured
• 3.5.1.6 Ensure ufw firewall rules exist for all open ports
• 3.5.1.7 Ensure ufw default deny firewall policy
• 3.5.2.1 Ensure nftables is installed
• 3.5.2.10 Ensure nftables rules are permanent
• 3.5.2.2 Ensure ufw is uninstalled or disabled with nftables
• 3.5.2.3 Ensure iptables are flushed with nftables
• 3.5.2.4 Ensure a nftables table exists
• 3.5.2.5 Ensure nftables base chains exist
• 3.5.2.6 Ensure nftables loopback traffic is configured
• 3.5.2.7 Ensure nftables outbound and established connections are configured
• 3.5.2.8 Ensure nftables default deny firewall policy
• 3.5.2.9 Ensure nftables service is enabled
• 3.5.3.1.1 Ensure iptables packages are installed
• 3.5.3.1.2 Ensure nftables is not installed with iptables
• 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables
• 3.5.3.2.1 Ensure iptables default deny firewall policy
• 3.5.3.2.2 Ensure iptables loopback traffic is configured
• 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports
• 3.5.3.3.1 Ensure ip6tables default deny firewall policy
• 3.5.3.3.2 Ensure ip6tables loopback traffic is configured
• 3.5.3.3.3 Ensure ip6tables outbound and established connections are configured
• 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports

GNOME Display Manager

• 1.8.1 Ensure GNOME Display Manager is removed
• 1.8.10 Ensure XDCMP is not enabled
• 1.8.2 Ensure GDM login banner is configured
• 1.8.3 Ensure GDM disable-user-list option is enabled
• 1.8.4 Ensure GDM screen locks when the user is idle
• 1.8.5 Ensure GDM screen locks cannot be overridden
• 1.8.6 Ensure GDM automatic mounting of removable media is disabled
• 1.8.7 Ensure GDM disabling automatic mounting of removable media is not overridden
• 1.8.8 Ensure GDM autorun-never is enabled
• 1.8.9 Ensure GDM autorun-never is not overridden

IG1

• 1.9 Ensure updates, patches, and additional security software are installed
• 1.1.9 Disable Automounting
• 1.1.2.1 Ensure /tmp is a separate partition
• 1.1.2.2 Ensure nodev option set on /tmp partition
• 1.1.2.3 Ensure noexec option set on /tmp partition
• 1.1.2.4 Ensure nosuid option set on /tmp partition
• 1.1.3.1 Ensure separate partition exists for /var
• 1.1.3.2 Ensure nodev option set on /var partition
• 1.1.3.3 Ensure nosuid option set on /var partition
• 1.1.4.1 Ensure separate partition exists for /var/tmp
• 1.1.4.2 Ensure noexec option set on /var/tmp partition
• 1.1.4.3 Ensure nosuid option set on /var/tmp partition
• 1.1.4.4 Ensure nodev option set on /var/tmp partition
• 1.1.5.1 Ensure separate partition exists for /var/log
• 1.1.5.2 Ensure nodev option set on /var/log partition
• 1.1.5.3 Ensure noexec option set on /var/log partition
• 1.1.5.4 Ensure nosuid option set on /var/log partition
• 1.1.6.1 Ensure separate partition exists for /var/log/audit
• 1.1.6.2 Ensure noexec option set on /var/log/audit partition
• 1.1.6.3 Ensure nodev option set on /var/log/audit partition
• 1.1.6.4 Ensure nosuid option set on /var/log/audit partition
• 1.1.7.1 Ensure separate partition exists for /home
• 1.1.7.2 Ensure nodev option set on /home partition
• 1.1.7.3 Ensure nosuid option set on /home partition
• 1.1.8.1 Ensure nodev option set on /dev/shm partition
• 1.1.8.2 Ensure noexec option set on /dev/shm partition
• 1.1.8.3 Ensure nosuid option set on /dev/shm partition
• 1.2.1 Ensure package manager repositories are configured
• 1.2.2 Ensure GPG keys are configured
• 1.4.1 Ensure bootloader password is set
• 1.4.2 Ensure permissions on bootloader config are configured
• 1.4.3 Ensure authentication required for single user mode
• 1.6.1.1 Ensure AppArmor is installed
• 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration
• 1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode
• 1.6.1.4 Ensure all AppArmor Profiles are enforcing
• 1.7.4 Ensure permissions on /etc/motd are configured
• 1.7.5 Ensure permissions on /etc/issue are configured
• 1.7.6 Ensure permissions on /etc/issue.net are configured
• 1.8.4 Ensure GDM screen locks when the user is idle
• 1.8.5 Ensure GDM screen locks cannot be overridden
• 1.8.6 Ensure GDM automatic mounting of removable media is disabled
• 1.8.8 Ensure GDM autorun-never is enabled
• 1.8.9 Ensure GDM autorun-never is not overridden
• 3.5.1.1 Ensure ufw is installed
• 3.5.1.2 Ensure iptables-persistent is not installed with ufw
• 3.5.1.3 Ensure ufw service is enabled
• 3.5.1.4 Ensure ufw loopback traffic is configured
• 3.5.1.5 Ensure ufw outbound connections are configured
• 3.5.1.6 Ensure ufw firewall rules exist for all open ports
• 3.5.1.7 Ensure ufw default deny firewall policy
• 3.5.2.1 Ensure nftables is installed
• 3.5.2.10 Ensure nftables rules are permanent
• 3.5.2.2 Ensure ufw is uninstalled or disabled with nftables
• 3.5.2.3 Ensure iptables are flushed with nftables
• 3.5.2.4 Ensure a nftables table exists
• 3.5.2.5 Ensure nftables base chains exist
• 3.5.2.6 Ensure nftables loopback traffic is configured
• 3.5.2.7 Ensure nftables outbound and established connections are configured
• 3.5.2.8 Ensure nftables default deny firewall policy
• 3.5.2.9 Ensure nftables service is enabled
• 3.5.3.1.1 Ensure iptables packages are installed
• 3.5.3.1.2 Ensure nftables is not installed with iptables
• 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables
• 3.5.3.2.1 Ensure iptables default deny firewall policy
• 3.5.3.2.2 Ensure iptables loopback traffic is configured
• 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports
• 3.5.3.3.1 Ensure ip6tables default deny firewall policy
• 3.5.3.3.2 Ensure ip6tables loopback traffic is configured
• 3.5.3.3.3 Ensure ip6tables outbound and established connections are configured
• 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports
• 4.1.1.2 Ensure auditd service is enabled and active
• 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled
• 4.1.1.4 Ensure audit_backlog_limit is sufficient
• 4.1.2.1 Ensure audit log storage size is configured
• 4.1.2.2 Ensure audit logs are not automatically deleted
• 4.1.2.3 Ensure system is disabled when audit logs are full
• 4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded
• 4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded
• 4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorde
• 4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded
• 4.1.3.20 Ensure the audit configuration is immutable
• 4.1.4.1 Ensure audit log files are mode 0640 or less permissive
• 4.1.4.10 Ensure audit tools belong to group root
• 4.1.4.11 Ensure cryptographic mechanisms are used to protect the integrity of audit tool
• 4.1.4.2 Ensure only authorized users own audit log files
• 4.1.4.3 Ensure only authorized groups are assigned ownership of audit log files
• 4.1.4.4 Ensure the audit log directory is 0750 or more restrictive
• 4.1.4.5 Ensure audit configuration files are 640 or more restrictive
• 4.1.4.6 Ensure audit configuration files are owned by root
• 4.1.4.7 Ensure audit configuration files belong to group root
• 4.1.4.8 Ensure audit tools are 755 or more restrictive
• 4.1.4.9 Ensure audit tools are owned by root
• 4.2.3 Ensure all logfiles have appropriate permissions and ownership
• 4.2.1.2 Ensure journald service is enabled
• 4.2.1.3 Ensure journald is configured to compress large log files
• 4.2.1.4 Ensure journald is configured to write logfiles to persistent disk
• 4.2.1.5 Ensure journald is not configured to send logs to rsyslog
• 4.2.1.6 Ensure journald log rotation is configured per site policy
• 4.2.1.7 Ensure journald default file permissions configured
• 4.2.1.1.1 Ensure systemd-journal-remote is installed
• 4.2.1.1.2 Ensure systemd-journal-remote is configured
• 4.2.1.1.3 Ensure systemd-journal-remote is enabled
• 4.2.1.1.4 Ensure journald is not configured to recieve logs from a remote client
• 4.2.2.1 Ensure rsyslog is installed
• 4.2.2.2 Ensure rsyslog service is enabled
• 4.2.2.3 Ensure journald is configured to send logs to rsyslog
• 4.2.2.4 Ensure rsyslog default file permissions are configured
• 4.2.2.5 Ensure logging is configured
• 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host
• 4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client
• 5.1.2 Ensure permissions on /etc/crontab are configured
• 5.1.3 Ensure permissions on /etc/cron.hourly are configured
• 5.1.4 Ensure permissions on /etc/cron.daily are configured
• 5.1.5 Ensure permissions on /etc/cron.weekly are configured
• 5.1.6 Ensure permissions on /etc/cron.monthly are configured
• 5.1.7 Ensure permissions on /etc/cron.d are configured
• 5.1.8 Ensure cron is restricted to authorized users
• 5.1.9 Ensure at is restricted to authorized users
• 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
• 5.2.10 Ensure SSH PermitUserEnvironment is disabled
• 5.2.11 Ensure SSH IgnoreRhosts is enabled
• 5.2.16 Ensure SSH AllowTcpForwarding is disabled
• 5.2.17 Ensure SSH warning banner is configured
• 5.2.2 Ensure permissions on SSH private host key files are configured
• 5.2.21 Ensure SSH LoginGraceTime is set to one minute or less
• 5.2.3 Ensure permissions on SSH public host key files are configured
• 5.2.4 Ensure SSH access is limited
• 5.2.5 Ensure SSH LogLevel is appropriate
• 5.2.6 Ensure SSH PAM is enabled
• 5.2.7 Ensure SSH root login is disabled
• 5.2.8 Ensure SSH HostbasedAuthentication is disabled
• 5.2.9 Ensure SSH PermitEmptyPasswords is disabled
• 5.3.1 Ensure sudo is installed
• 5.3.2 Ensure sudo commands use pty
• 5.3.4 Ensure users must provide password for privilege escalation
• 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally
• 5.3.6 Ensure sudo authentication timeout is configured correctly
• 5.3.7 Ensure access to the su command is restricted
• 5.4.1 Ensure password creation requirements are configured
• 5.4.2 Ensure lockout for failed password attempts is configured
• 5.4.3 Ensure password reuse is limited
• 5.5.2 Ensure system accounts are secured
• 5.5.3 Ensure default group for the root account is GID 0
• 5.5.4 Ensure default user umask is 027 or more restrictive
• 5.5.5 Ensure default user shell timeout is 900 seconds or less
• 5.5.1.1 Ensure minimum days between password changes is configured
• 5.5.1.2 Ensure password expiration is 365 days or less
• 5.5.1.3 Ensure password expiration warning days is 7 or more
• 5.5.1.4 Ensure inactive password lock is 30 days or less
• 5.5.1.5 Ensure all users last password change date is in the past
• 6.1.1 Ensure permissions on /etc/passwd are configured
• 6.1.10 Ensure no unowned files or directories exist
• 6.1.11 Ensure no ungrouped files or directories exist
• 6.1.12 Audit SUID executables
• 6.1.13 Audit SGID executables
• 6.1.2 Ensure permissions on /etc/passwd- are configured
• 6.1.3 Ensure permissions on /etc/group are configured
• 6.1.4 Ensure permissions on /etc/group- are configured
• 6.1.5 Ensure permissions on /etc/shadow are configured
• 6.1.6 Ensure permissions on /etc/shadow- are configured
• 6.1.7 Ensure permissions on /etc/gshadow are configured
• E6.1.8 Ensure permissions on /etc/gshadow- are configured
• 6.1.9 Ensure no world writable files exist
• 6.2.11 Ensure local interactive user home directories exist
• 6.2.12 Ensure local interactive users own their home directories
• 6.2.13 Ensure local interactive user home directories are mode 750 or more restrictive
• 6.2.14 Ensure no local interactive user has .netrc files
• 6.2.15 Ensure no local interactive user has .forward files
• 6.2.16 Ensue no local interactive user has .rhosts files
• 6.2.17 Ensure local interactive user dot files are not group or world writable
• 6.2.2 Ensure /etc/shadow password fields are not empty
• 6.2.4 Ensure shadow group is empty
• 6.2.5 Ensure no duplicate UIDs exist

IG2

• 1.9 Ensure updates, patches, and additional security software are installed
• 1.1.10 Disable USB Storage
• 1.1.9 Disable Automounting
• 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
• 1.1.1.2 Ensure mounting of squashfs filesystems is disabled
• 1.1.1.3 Ensure mounting of udf filesystems is disabled
• 1.1.2.1 Ensure /tmp is a separate partition
• 1.1.2.2 Ensure nodev option set on /tmp partition
• 1.1.2.3 Ensure noexec option set on /tmp partition
• 1.1.2.4 Ensure nosuid option set on /tmp partition
• 1.1.3.1 Ensure separate partition exists for /var
• 1.1.3.2 Ensure nodev option set on /var partition
• 1.1.3.3 Ensure nosuid option set on /var partition
• 1.1.4.1 Ensure separate partition exists for /var/tmp
• 1.1.4.2 Ensure noexec option set on /var/tmp partition
• 1.1.4.3 Ensure nosuid option set on /var/tmp partition
• 1.1.4.4 Ensure nodev option set on /var/tmp partition
• 1.1.5.1 Ensure separate partition exists for /var/log
• 1.1.5.2 Ensure nodev option set on /var/log partition
• 1.1.5.3 Ensure noexec option set on /var/log partition
• 1.1.5.4 Ensure nosuid option set on /var/log partition
• 1.1.6.1 Ensure separate partition exists for /var/log/audit
• 1.1.6.2 Ensure noexec option set on /var/log/audit partition
• 1.1.6.3 Ensure nodev option set on /var/log/audit partition
• 1.1.6.4 Ensure nosuid option set on /var/log/audit partition
• 1.1.7.1 Ensure separate partition exists for /home
• 1.1.7.2 Ensure nodev option set on /home partition
• 1.1.7.3 Ensure nosuid option set on /home partition
• 1.1.8.1 Ensure nodev option set on /dev/shm partition
• 1.1.8.2 Ensure noexec option set on /dev/shm partition
• 1.1.8.3 Ensure nosuid option set on /dev/shm partition
• 1.2.1 Ensure package manager repositories are configured
• 1.2.2 Ensure GPG keys are configured
• 1.3.2 Ensure filesystem integrity is regularly checked
• 1.4.1 Ensure bootloader password is set
• 1.4.2 Ensure permissions on bootloader config are configured
• 1.4.3 Ensure authentication required for single user mode
• 1.5.1 Ensure address space layout randomization (ASLR) is enabled
• 1.5.3 Ensure Automatic Error Reporting is not enabled
• 1.5.4 Ensure core dumps are restricted
• 1.6.1.1 Ensure AppArmor is installed
• 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration
• 1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode
• 1.6.1.4 Ensure all AppArmor Profiles are enforcing
• 1.7.4 Ensure permissions on /etc/motd are configured
• 1.7.5 Ensure permissions on /etc/issue are configured
• 1.7.6 Ensure permissions on /etc/issue.net are configured
• 1.8.1 Ensure GNOME Display Manager is removed
• 1.8.10 Ensure XDCMP is not enabled
• 1.8.4 Ensure GDM screen locks when the user is idle
• 1.8.5 Ensure GDM screen locks cannot be overridden
• 1.8.6 Ensure GDM automatic mounting of removable media is disabled
• 1.8.8 Ensure GDM autorun-never is enabled
• 1.8.9 Ensure GDM autorun-never is not overridden
• 2.4 Ensure nonessential services are removed or masked
• 2.1.1.1 Ensure a single time synchronization daemon is in use
• 2.1.2.1 Ensure chrony is configured with authorized timeserver
• 2.1.2.2 Ensure chrony is running as user _chrony
• 2.1.2.3 Ensure chrony is enabled and running
• 2.1.3.1 Ensure systemd-timesyncd configured with authorized timeserver
• 2.1.3.2 Ensure systemd-timesyncd is enabled and running
• 2.1.4.1 Ensure ntp access control is configured
• 2.1.4.2 Ensure ntp is configured with authorized timeserver
• 2.1.4.3 Ensure ntp is running as user ntp
• Ensure mounting of cramfs filesystems is disabled
• 2.2.1 Ensure X Window System is not installed
• 2.2.10 Ensure IMAP and POP3 server are not installed
• 2.2.11 Ensure Samba is not installed
• 2.2.12 Ensure HTTP Proxy Server is not installed
• 2.2.13 Ensure SNMP Server is not installed
• 2.2.14 Ensure NIS Server is not installed
• 2.2.15 Ensure mail transfer agent is configured for local-only mode
• 2.2.16 Ensure rsync service is either not installed or masked
• 2.2.2 Ensure Avahi Server is not installed
• 2.2.3 Ensure CUPS is not installed
• 2.2.4 Ensure DHCP Server is not installed
• 2.2.5 Ensure LDAP server is not installed
• 2.2.6 Ensure NFS is not installed
• 2.2.7 Ensure DNS Server is not installed
• 2.2.8 Ensure FTP Server is not installed
• 2.2.9 Ensure HTTP server is not installed
• 2.3.1 Ensure NIS Client is not installed
• 2.3.2 Ensure rsh client is not installed
• 2.3.3 Ensure talk client is not installed
• 2.3.4 Ensure telnet client is not installed
• 2.3.5 Ensure LDAP client is not installed
• 2.3.6 Ensure RPC is not installed
• 3.1.1 Ensure system is checked to determine if IPv6 is enabled
• 3.1.2 Ensure wireless interfaces are disabled
• 3.1.3 Ensure DCCP is disabled
• 3.1.4 Ensure SCTP is disabled
• 3.1.5 Ensure RDS is disabled
• 3.1.6 Ensure TIPC is disabled
• 3.2.1 Ensure packet redirect sending is disabled
• 3.2.2 Ensure IP forwarding is disabled
• 3.3.1 Ensure source routed packets are not accepted
• 3.3.2 Ensure ICMP redirects are not accepted
• 3.3.3 Ensure secure ICMP redirects are not accepted
• 3.3.4 Ensure suspicious packets are logged
• 3.3.5 Ensure broadcast ICMP requests are ignored
• 3.3.6 Ensure bogus ICMP responses are ignored
• 3.3.7 Ensure Reverse Path Filtering is enabled
• 3.3.8 Ensure TCP SYN Cookies is enabled
• 3.3.9 Ensure IPv6 router advertisements are not accepted
• 3.5.1.1 Ensure ufw is installed
• 3.5.1.2 Ensure iptables-persistent is not installed with ufw
• 3.5.1.3 Ensure ufw service is enabled
• 3.5.1.4 Ensure ufw loopback traffic is configured
• 3.5.1.5 Ensure ufw outbound connections are configured
• 3.5.1.6 Ensure ufw firewall rules exist for all open ports
• 3.5.1.7 Ensure ufw default deny firewall policy
• 3.5.2.1 Ensure nftables is installed
• 3.5.2.10 Ensure nftables rules are permanent
• 3.5.2.2 Ensure ufw is uninstalled or disabled with nftables
• 3.5.2.3 Ensure iptables are flushed with nftables
• 3.5.2.4 Ensure a nftables table exists
• 3.5.2.5 Ensure nftables base chains exist
• 3.5.2.6 Ensure nftables loopback traffic is configured
• 3.5.2.7 Ensure nftables outbound and established connections are configured
• 3.5.2.8 Ensure nftables default deny firewall policy
• 3.5.2.9 Ensure nftables service is enabled
• 3.5.3.1.1 Ensure iptables packages are installed
• 3.5.3.1.2 Ensure nftables is not installed with iptables
• 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables
• 3.5.3.2.1 Ensure iptables default deny firewall policy
• 3.5.3.2.2 Ensure iptables loopback traffic is configured
• 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports
• 3.5.3.3.1 Ensure ip6tables default deny firewall policy
• 3.5.3.3.2 Ensure ip6tables loopback traffic is configured
• 3.5.3.3.3 Ensure ip6tables outbound and established connections are configured
• 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports
• 4.1.1.1 Ensure auditd is installed
• 4.1.1.2 Ensure auditd service is enabled and active
• 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled
• 4.1.1.4 Ensure audit_backlog_limit is sufficient
• 4.1.2.1 Ensure audit log storage size is configured
• 4.1.2.2 Ensure audit logs are not automatically deleted
• 4.1.2.3 Ensure system is disabled when audit logs are full
• 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected
• 4.1.3.10 Ensure successful file system mounts are collected
• 4.1.3.11 Ensure session initiation information is collected
• 4.1.3.12 Ensure login and logout events are collected
• 4.1.3.13 Ensure file deletion events by users are collected
• 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected
• 4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded
• 4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded
• 4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorde
• 4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded
• 4.1.3.19 Ensure kernel module loading unloading and modification is collected
• 4.1.3.2 Ensure actions as another user are always logged
• 4.1.3.20 Ensure the audit configuration is immutable
• 4.1.3.21 Ensure the running and on disk configuration is the same
• 4.1.3.3 Ensure events that modify the sudo log file are collected
• 4.1.3.4 Ensure events that modify date and time information are collected
• 4.1.3.5 Ensure events that modify the system's network environment are collected
• 4.1.3.6 Ensure use of privileged commands are collected
• 4.1.3.7 Ensure unsuccessful file access attempts are collected
• 4.1.3.8 Ensure events that modify user/group information are collected
• 4.1.3.9 Ensure discretionary access control permission modification events are collected
• 4.1.4.1 Ensure audit log files are mode 0640 or less permissive
• 4.1.4.10 Ensure audit tools belong to group root
• 4.1.4.11 Ensure cryptographic mechanisms are used to protect the integrity of audit tool
• 4.1.4.2 Ensure only authorized users own audit log files
• 4.1.4.3 Ensure only authorized groups are assigned ownership of audit log files
• 4.1.4.4 Ensure the audit log directory is 0750 or more restrictive
• 4.1.4.5 Ensure audit configuration files are 640 or more restrictive
• 4.1.4.6 Ensure audit configuration files are owned by root
• 4.1.4.7 Ensure audit configuration files belong to group root
• 4.1.4.8 Ensure audit tools are 755 or more restrictive
• 4.1.4.9 Ensure audit tools are owned by root
• 4.2.3 Ensure all logfiles have appropriate permissions and ownership
• 4.2.1.2 Ensure journald service is enabled
• 4.2.1.3 Ensure journald is configured to compress large log files
• 4.2.1.4 Ensure journald is configured to write logfiles to persistent disk
• 4.2.1.5 Ensure journald is not configured to send logs to rsyslog
• 4.2.1.6 Ensure journald log rotation is configured per site policy
• 4.2.1.7 Ensure journald default file permissions configured
• 4.2.1.1.1 Ensure systemd-journal-remote is installed
• 4.2.1.1.2 Ensure systemd-journal-remote is configured
• 4.2.1.1.3 Ensure systemd-journal-remote is enabled
• 4.2.1.1.4 Ensure journald is not configured to recieve logs from a remote client
• 4.2.2.1 Ensure rsyslog is installed
• 4.2.2.2 Ensure rsyslog service is enabled
• 4.2.2.3 Ensure journald is configured to send logs to rsyslog
• 4.2.2.4 Ensure rsyslog default file permissions are configured
• 4.2.2.5 Ensure logging is configured
• 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host
• 4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client
• 5.1.2 Ensure permissions on /etc/crontab are configured
• 5.1.3 Ensure permissions on /etc/cron.hourly are configured
• 5.1.4 Ensure permissions on /etc/cron.daily are configured
• 5.1.5 Ensure permissions on /etc/cron.weekly are configured
• 5.1.6 Ensure permissions on /etc/cron.monthly are configured
• 5.1.7 Ensure permissions on /etc/cron.d are configured
• 5.1.8 Ensure cron is restricted to authorized users
• 5.1.9 Ensure at is restricted to authorized users
• 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
• 5.2.10 Ensure SSH PermitUserEnvironment is disabled
• 5.2.11 Ensure SSH IgnoreRhosts is enabled
• 5.2.12 Ensure SSH X11 forwarding is disabled
• 5.2.13 Ensure only strong Ciphers are used
• 5.2.14 Ensure only strong MAC algorithms are used
• 5.2.15 Ensure only strong Key Exchange algorithms are used
• 5.2.16 Ensure SSH AllowTcpForwarding is disabled
• 5.2.17 Ensure SSH warning banner is configured
• 5.2.18 Ensure SSH MaxAuthTries is set to 4 or less
• 5.2.19 Ensure SSH MaxStartups is configured
• 5.2.2 Ensure permissions on SSH private host key files are configured
• 5.2.21 Ensure SSH LoginGraceTime is set to one minute or less
• 5.2.3 Ensure permissions on SSH public host key files are configured
• 5.2.4 Ensure SSH access is limited
• 5.2.5 Ensure SSH LogLevel is appropriate
• 5.2.6 Ensure SSH PAM is enabled
• 5.2.7 Ensure SSH root login is disabled
• 5.2.8 Ensure SSH HostbasedAuthentication is disabled
• 5.2.9 Ensure SSH PermitEmptyPasswords is disabled
• 5.3.1 Ensure sudo is installed
• 5.3.2 Ensure sudo commands use pty
• 5.3.3 Ensure sudo log file exists
• 5.3.4 Ensure users must provide password for privilege escalation
• 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally
• 5.3.6 Ensure sudo authentication timeout is configured correctly
• 5.3.7 Ensure access to the su command is restricted
• 5.4.1 Ensure password creation requirements are configured
• 5.4.2 Ensure lockout for failed password attempts is configured
• 5.4.3 Ensure password reuse is limited
• 5.4.4 Ensure password hashing algorithm is up to date with the latest standards
• 5.5.2 Ensure system accounts are secured
• 5.5.3 Ensure default group for the root account is GID 0
• 5.5.4 Ensure default user umask is 027 or more restrictive
• 5.5.5 Ensure default user shell timeout is 900 seconds or less
• 5.5.1.1 Ensure minimum days between password changes is configured
• 5.5.1.2 Ensure password expiration is 365 days or less
• 5.5.1.3 Ensure password expiration warning days is 7 or more
• 5.5.1.4 Ensure inactive password lock is 30 days or less
• 5.5.1.5 Ensure all users last password change date is in the past
• 6.1.1 Ensure permissions on /etc/passwd are configured
• 6.1.10 Ensure no unowned files or directories exist
• 6.1.11 Ensure no ungrouped files or directories exist
• 6.1.12 Audit SUID executables
• 6.1.13 Audit SGID executables
• 6.1.2 Ensure permissions on /etc/passwd- are configured
• 6.1.3 Ensure permissions on /etc/group are configured
• 6.1.4 Ensure permissions on /etc/group- are configured
• 6.1.5 Ensure permissions on /etc/shadow are configured
• 6.1.6 Ensure permissions on /etc/shadow- are configured
• 6.1.7 Ensure permissions on /etc/gshadow are configured
• E6.1.8 Ensure permissions on /etc/gshadow- are configured
• 6.1.9 Ensure no world writable files exist
• 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords
• 6.2.11 Ensure local interactive user home directories exist
• 6.2.12 Ensure local interactive users own their home directories
• 6.2.13 Ensure local interactive user home directories are mode 750 or more restrictive
• 6.2.14 Ensure no local interactive user has .netrc files
• 6.2.15 Ensure no local interactive user has .forward files
• 6.2.16 Ensue no local interactive user has .rhosts files
• 6.2.17 Ensure local interactive user dot files are not group or world writable
• 6.2.2 Ensure /etc/shadow password fields are not empty
• 6.2.4 Ensure shadow group is empty
• 6.2.5 Ensure no duplicate UIDs exist

IG3

• 1.9 Ensure updates, patches, and additional security software are installed
• 1.1.10 Disable USB Storage
• 1.1.9 Disable Automounting
• 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
• 1.1.1.2 Ensure mounting of squashfs filesystems is disabled
• 1.1.1.3 Ensure mounting of udf filesystems is disabled
• 1.1.2.1 Ensure /tmp is a separate partition
• 1.1.2.2 Ensure nodev option set on /tmp partition
• 1.1.2.3 Ensure noexec option set on /tmp partition
• 1.1.2.4 Ensure nosuid option set on /tmp partition
• 1.1.3.1 Ensure separate partition exists for /var
• 1.1.3.2 Ensure nodev option set on /var partition
• 1.1.3.3 Ensure nosuid option set on /var partition
• 1.1.4.1 Ensure separate partition exists for /var/tmp
• 1.1.4.2 Ensure noexec option set on /var/tmp partition
• 1.1.4.3 Ensure nosuid option set on /var/tmp partition
• 1.1.4.4 Ensure nodev option set on /var/tmp partition
• 1.1.5.1 Ensure separate partition exists for /var/log
• 1.1.5.2 Ensure nodev option set on /var/log partition
• 1.1.5.3 Ensure noexec option set on /var/log partition
• 1.1.5.4 Ensure nosuid option set on /var/log partition
• 1.1.6.1 Ensure separate partition exists for /var/log/audit
• 1.1.6.2 Ensure noexec option set on /var/log/audit partition
• 1.1.6.3 Ensure nodev option set on /var/log/audit partition
• 1.1.6.4 Ensure nosuid option set on /var/log/audit partition
• 1.1.7.1 Ensure separate partition exists for /home
• 1.1.7.2 Ensure nodev option set on /home partition
• 1.1.7.3 Ensure nosuid option set on /home partition
• 1.1.8.1 Ensure nodev option set on /dev/shm partition
• 1.1.8.2 Ensure noexec option set on /dev/shm partition
• 1.1.8.3 Ensure nosuid option set on /dev/shm partition
• 1.2.1 Ensure package manager repositories are configured
• 1.2.2 Ensure GPG keys are configured
• 1.3.1 Ensure AIDE is installed
• 1.3.2 Ensure filesystem integrity is regularly checked
• 1.4.1 Ensure bootloader password is set
• 1.4.2 Ensure permissions on bootloader config are configured
• 1.4.3 Ensure authentication required for single user mode
• 1.5.1 Ensure address space layout randomization (ASLR) is enabled
• 1.5.2 Ensure prelink is not installed
• 1.5.3 Ensure Automatic Error Reporting is not enabled
• 1.5.4 Ensure core dumps are restricted
• 1.6.1.1 Ensure AppArmor is installed
• 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration
• 1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode
• 1.6.1.4 Ensure all AppArmor Profiles are enforcing
• 1.7.4 Ensure permissions on /etc/motd are configured
• 1.7.5 Ensure permissions on /etc/issue are configured
• 1.7.6 Ensure permissions on /etc/issue.net are configured
• 1.8.1 Ensure GNOME Display Manager is removed
• 1.8.10 Ensure XDCMP is not enabled
• 1.8.4 Ensure GDM screen locks when the user is idle
• 1.8.5 Ensure GDM screen locks cannot be overridden
• 1.8.6 Ensure GDM automatic mounting of removable media is disabled
• 1.8.8 Ensure GDM autorun-never is enabled
• 1.8.9 Ensure GDM autorun-never is not overridden
• 2.4 Ensure nonessential services are removed or masked
• 2.1.1.1 Ensure a single time synchronization daemon is in use
• 2.1.2.1 Ensure chrony is configured with authorized timeserver
• 2.1.2.2 Ensure chrony is running as user _chrony
• 2.1.2.3 Ensure chrony is enabled and running
• 2.1.3.1 Ensure systemd-timesyncd configured with authorized timeserver
• 2.1.3.2 Ensure systemd-timesyncd is enabled and running
• 2.1.4.1 Ensure ntp access control is configured
• 2.1.4.2 Ensure ntp is configured with authorized timeserver
• 2.1.4.3 Ensure ntp is running as user ntp
• Ensure mounting of cramfs filesystems is disabled
• 2.2.1 Ensure X Window System is not installed
• 2.2.10 Ensure IMAP and POP3 server are not installed
• 2.2.11 Ensure Samba is not installed
• 2.2.12 Ensure HTTP Proxy Server is not installed
• 2.2.13 Ensure SNMP Server is not installed
• 2.2.14 Ensure NIS Server is not installed
• 2.2.15 Ensure mail transfer agent is configured for local-only mode
• 2.2.16 Ensure rsync service is either not installed or masked
• 2.2.2 Ensure Avahi Server is not installed
• 2.2.3 Ensure CUPS is not installed
• 2.2.4 Ensure DHCP Server is not installed
• 2.2.5 Ensure LDAP server is not installed
• 2.2.6 Ensure NFS is not installed
• 2.2.7 Ensure DNS Server is not installed
• 2.2.8 Ensure FTP Server is not installed
• 2.2.9 Ensure HTTP server is not installed
• 2.3.1 Ensure NIS Client is not installed
• 2.3.2 Ensure rsh client is not installed
• 2.3.3 Ensure talk client is not installed
• 2.3.4 Ensure telnet client is not installed
• 2.3.5 Ensure LDAP client is not installed
• 2.3.6 Ensure RPC is not installed
• 3.1.1 Ensure system is checked to determine if IPv6 is enabled
• 3.1.2 Ensure wireless interfaces are disabled
• 3.1.3 Ensure DCCP is disabled
• 3.1.4 Ensure SCTP is disabled
• 3.1.5 Ensure RDS is disabled
• 3.1.6 Ensure TIPC is disabled
• 3.2.1 Ensure packet redirect sending is disabled
• 3.2.2 Ensure IP forwarding is disabled
• 3.3.1 Ensure source routed packets are not accepted
• 3.3.2 Ensure ICMP redirects are not accepted
• 3.3.3 Ensure secure ICMP redirects are not accepted
• 3.3.4 Ensure suspicious packets are logged
• 3.3.5 Ensure broadcast ICMP requests are ignored
• 3.3.6 Ensure bogus ICMP responses are ignored
• 3.3.7 Ensure Reverse Path Filtering is enabled
• 3.3.8 Ensure TCP SYN Cookies is enabled
• 3.3.9 Ensure IPv6 router advertisements are not accepted
• 3.5.1.1 Ensure ufw is installed
• 3.5.1.2 Ensure iptables-persistent is not installed with ufw
• 3.5.1.3 Ensure ufw service is enabled
• 3.5.1.4 Ensure ufw loopback traffic is configured
• 3.5.1.5 Ensure ufw outbound connections are configured
• 3.5.1.6 Ensure ufw firewall rules exist for all open ports
• 3.5.1.7 Ensure ufw default deny firewall policy
• 3.5.2.1 Ensure nftables is installed
• 3.5.2.10 Ensure nftables rules are permanent
• 3.5.2.2 Ensure ufw is uninstalled or disabled with nftables
• 3.5.2.3 Ensure iptables are flushed with nftables
• 3.5.2.4 Ensure a nftables table exists
• 3.5.2.5 Ensure nftables base chains exist
• 3.5.2.6 Ensure nftables loopback traffic is configured
• 3.5.2.7 Ensure nftables outbound and established connections are configured
• 3.5.2.8 Ensure nftables default deny firewall policy
• 3.5.2.9 Ensure nftables service is enabled
• 3.5.3.1.1 Ensure iptables packages are installed
• 3.5.3.1.2 Ensure nftables is not installed with iptables
• 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables
• 3.5.3.2.1 Ensure iptables default deny firewall policy
• 3.5.3.2.2 Ensure iptables loopback traffic is configured
• 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports
• 3.5.3.3.1 Ensure ip6tables default deny firewall policy
• 3.5.3.3.2 Ensure ip6tables loopback traffic is configured
• 3.5.3.3.3 Ensure ip6tables outbound and established connections are configured
• 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports
• 4.1.1.1 Ensure auditd is installed
• 4.1.1.2 Ensure auditd service is enabled and active
• 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled
• 4.1.1.4 Ensure audit_backlog_limit is sufficient
• 4.1.2.1 Ensure audit log storage size is configured
• 4.1.2.2 Ensure audit logs are not automatically deleted
• 4.1.2.3 Ensure system is disabled when audit logs are full
• 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected
• 4.1.3.10 Ensure successful file system mounts are collected
• 4.1.3.11 Ensure session initiation information is collected
• 4.1.3.12 Ensure login and logout events are collected
• 4.1.3.13 Ensure file deletion events by users are collected
• 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected
• 4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded
• 4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded
• 4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorde
• 4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded
• 4.1.3.19 Ensure kernel module loading unloading and modification is collected
• 4.1.3.2 Ensure actions as another user are always logged
• 4.1.3.20 Ensure the audit configuration is immutable
• 4.1.3.21 Ensure the running and on disk configuration is the same
• 4.1.3.3 Ensure events that modify the sudo log file are collected
• 4.1.3.4 Ensure events that modify date and time information are collected
• 4.1.3.5 Ensure events that modify the system's network environment are collected
• 4.1.3.6 Ensure use of privileged commands are collected
• 4.1.3.7 Ensure unsuccessful file access attempts are collected
• 4.1.3.8 Ensure events that modify user/group information are collected
• 4.1.3.9 Ensure discretionary access control permission modification events are collected
• 4.1.4.1 Ensure audit log files are mode 0640 or less permissive
• 4.1.4.10 Ensure audit tools belong to group root
• 4.1.4.11 Ensure cryptographic mechanisms are used to protect the integrity of audit tool
• 4.1.4.2 Ensure only authorized users own audit log files
• 4.1.4.3 Ensure only authorized groups are assigned ownership of audit log files
• 4.1.4.4 Ensure the audit log directory is 0750 or more restrictive
• 4.1.4.5 Ensure audit configuration files are 640 or more restrictive
• 4.1.4.6 Ensure audit configuration files are owned by root
• 4.1.4.7 Ensure audit configuration files belong to group root
• 4.1.4.8 Ensure audit tools are 755 or more restrictive
• 4.1.4.9 Ensure audit tools are owned by root
• 4.2.3 Ensure all logfiles have appropriate permissions and ownership
• 4.2.1.2 Ensure journald service is enabled
• 4.2.1.3 Ensure journald is configured to compress large log files
• 4.2.1.4 Ensure journald is configured to write logfiles to persistent disk
• 4.2.1.5 Ensure journald is not configured to send logs to rsyslog
• 4.2.1.6 Ensure journald log rotation is configured per site policy
• 4.2.1.7 Ensure journald default file permissions configured
• 4.2.1.1.1 Ensure systemd-journal-remote is installed
• 4.2.1.1.2 Ensure systemd-journal-remote is configured
• 4.2.1.1.3 Ensure systemd-journal-remote is enabled
• 4.2.1.1.4 Ensure journald is not configured to recieve logs from a remote client
• 4.2.2.1 Ensure rsyslog is installed
• 4.2.2.2 Ensure rsyslog service is enabled
• 4.2.2.3 Ensure journald is configured to send logs to rsyslog
• 4.2.2.4 Ensure rsyslog default file permissions are configured
• 4.2.2.5 Ensure logging is configured
• 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host
• 4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client
• 5.1.2 Ensure permissions on /etc/crontab are configured
• 5.1.3 Ensure permissions on /etc/cron.hourly are configured
• 5.1.4 Ensure permissions on /etc/cron.daily are configured
• 5.1.5 Ensure permissions on /etc/cron.weekly are configured
• 5.1.6 Ensure permissions on /etc/cron.monthly are configured
• 5.1.7 Ensure permissions on /etc/cron.d are configured
• 5.1.8 Ensure cron is restricted to authorized users
• 5.1.9 Ensure at is restricted to authorized users
• 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
• 5.2.10 Ensure SSH PermitUserEnvironment is disabled
• 5.2.11 Ensure SSH IgnoreRhosts is enabled
• 5.2.12 Ensure SSH X11 forwarding is disabled
• 5.2.13 Ensure only strong Ciphers are used
• 5.2.14 Ensure only strong MAC algorithms are used
• 5.2.15 Ensure only strong Key Exchange algorithms are used
• 5.2.16 Ensure SSH AllowTcpForwarding is disabled
• 5.2.17 Ensure SSH warning banner is configured
• 5.2.18 Ensure SSH MaxAuthTries is set to 4 or less
• 5.2.19 Ensure SSH MaxStartups is configured
• 5.2.2 Ensure permissions on SSH private host key files are configured
• 5.2.21 Ensure SSH LoginGraceTime is set to one minute or less
• 5.2.3 Ensure permissions on SSH public host key files are configured
• 5.2.4 Ensure SSH access is limited
• 5.2.5 Ensure SSH LogLevel is appropriate
• 5.2.6 Ensure SSH PAM is enabled
• 5.2.7 Ensure SSH root login is disabled
• 5.2.8 Ensure SSH HostbasedAuthentication is disabled
• 5.2.9 Ensure SSH PermitEmptyPasswords is disabled
• 5.3.1 Ensure sudo is installed
• 5.3.2 Ensure sudo commands use pty
• 5.3.3 Ensure sudo log file exists
• 5.3.4 Ensure users must provide password for privilege escalation
• 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally
• 5.3.6 Ensure sudo authentication timeout is configured correctly
• 5.3.7 Ensure access to the su command is restricted
• 5.4.1 Ensure password creation requirements are configured
• 5.4.2 Ensure lockout for failed password attempts is configured
• 5.4.3 Ensure password reuse is limited
• 5.4.4 Ensure password hashing algorithm is up to date with the latest standards
• 5.5.2 Ensure system accounts are secured
• 5.5.3 Ensure default group for the root account is GID 0
• 5.5.4 Ensure default user umask is 027 or more restrictive
• 5.5.5 Ensure default user shell timeout is 900 seconds or less
• 5.5.1.1 Ensure minimum days between password changes is configured
• 5.5.1.2 Ensure password expiration is 365 days or less
• 5.5.1.3 Ensure password expiration warning days is 7 or more
• 5.5.1.4 Ensure inactive password lock is 30 days or less
• 5.5.1.5 Ensure all users last password change date is in the past
• 6.1.1 Ensure permissions on /etc/passwd are configured
• 6.1.10 Ensure no unowned files or directories exist
• 6.1.11 Ensure no ungrouped files or directories exist
• 6.1.12 Audit SUID executables
• 6.1.13 Audit SGID executables
• 6.1.2 Ensure permissions on /etc/passwd- are configured
• 6.1.3 Ensure permissions on /etc/group are configured
• 6.1.4 Ensure permissions on /etc/group- are configured
• 6.1.5 Ensure permissions on /etc/shadow are configured
• 6.1.6 Ensure permissions on /etc/shadow- are configured
• 6.1.7 Ensure permissions on /etc/gshadow are configured
• E6.1.8 Ensure permissions on /etc/gshadow- are configured
• 6.1.9 Ensure no world writable files exist
• 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords
• 6.2.11 Ensure local interactive user home directories exist
• 6.2.12 Ensure local interactive users own their home directories
• 6.2.13 Ensure local interactive user home directories are mode 750 or more restrictive
• 6.2.14 Ensure no local interactive user has .netrc files
• 6.2.15 Ensure no local interactive user has .forward files
• 6.2.16 Ensue no local interactive user has .rhosts files
• 6.2.17 Ensure local interactive user dot files are not group or world writable
• 6.2.2 Ensure /etc/shadow password fields are not empty
• 6.2.4 Ensure shadow group is empty
• 6.2.5 Ensure no duplicate UIDs exist

Initial Setup

• 1.9 Ensure updates, patches, and additional security software are installed
• 1.1.10 Disable USB Storage
• 1.1.9 Disable Automounting
• 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
• 1.1.1.2 Ensure mounting of squashfs filesystems is disabled
• 1.1.1.3 Ensure mounting of udf filesystems is disabled
• 1.1.2.1 Ensure /tmp is a separate partition
• 1.1.2.2 Ensure nodev option set on /tmp partition
• 1.1.2.3 Ensure noexec option set on /tmp partition
• 1.1.2.4 Ensure nosuid option set on /tmp partition
• 1.1.3.1 Ensure separate partition exists for /var
• 1.1.3.2 Ensure nodev option set on /var partition
• 1.1.3.3 Ensure nosuid option set on /var partition
• 1.1.4.1 Ensure separate partition exists for /var/tmp
• 1.1.4.2 Ensure noexec option set on /var/tmp partition
• 1.1.4.3 Ensure nosuid option set on /var/tmp partition
• 1.1.4.4 Ensure nodev option set on /var/tmp partition
• 1.1.5.1 Ensure separate partition exists for /var/log
• 1.1.5.2 Ensure nodev option set on /var/log partition
• 1.1.5.3 Ensure noexec option set on /var/log partition
• 1.1.5.4 Ensure nosuid option set on /var/log partition
• 1.1.6.1 Ensure separate partition exists for /var/log/audit
• 1.1.6.2 Ensure noexec option set on /var/log/audit partition
• 1.1.6.3 Ensure nodev option set on /var/log/audit partition
• 1.1.6.4 Ensure nosuid option set on /var/log/audit partition
• 1.1.7.1 Ensure separate partition exists for /home
• 1.1.7.2 Ensure nodev option set on /home partition
• 1.1.7.3 Ensure nosuid option set on /home partition
• 1.1.8.1 Ensure nodev option set on /dev/shm partition
• 1.1.8.2 Ensure noexec option set on /dev/shm partition
• 1.1.8.3 Ensure nosuid option set on /dev/shm partition
• 1.2.1 Ensure package manager repositories are configured
• 1.2.2 Ensure GPG keys are configured
• 1.3.1 Ensure AIDE is installed
• 1.3.2 Ensure filesystem integrity is regularly checked
• 1.4.1 Ensure bootloader password is set
• 1.4.2 Ensure permissions on bootloader config are configured
• 1.4.3 Ensure authentication required for single user mode
• 1.5.1 Ensure address space layout randomization (ASLR) is enabled
• 1.5.2 Ensure prelink is not installed
• 1.5.3 Ensure Automatic Error Reporting is not enabled
• 1.5.4 Ensure core dumps are restricted
• 1.6.1.1 Ensure AppArmor is installed
• 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration
• 1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode
• 1.6.1.4 Ensure all AppArmor Profiles are enforcing
• 1.7.1 Ensure message of the day is configured properly
• 1.7.2 Ensure local login warning banner is configured properly
• 1.7.3 Ensure remote login warning banner is configured properly
• 1.7.4 Ensure permissions on /etc/motd are configured
• 1.7.5 Ensure permissions on /etc/issue are configured
• 1.7.6 Ensure permissions on /etc/issue.net are configured
• 1.8.1 Ensure GNOME Display Manager is removed
• 1.8.10 Ensure XDCMP is not enabled
• 1.8.2 Ensure GDM login banner is configured
• 1.8.3 Ensure GDM disable-user-list option is enabled
• 1.8.4 Ensure GDM screen locks when the user is idle
• 1.8.5 Ensure GDM screen locks cannot be overridden
• 1.8.6 Ensure GDM automatic mounting of removable media is disabled
• 1.8.7 Ensure GDM disabling automatic mounting of removable media is not overridden
• 1.8.8 Ensure GDM autorun-never is enabled
• 1.8.9 Ensure GDM autorun-never is not overridden

Level 1

• 1.9 Ensure updates, patches, and additional security software are installed
• 1.1.10 Disable USB Storage
• 1.1.9 Disable Automounting
• 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
• 1.1.2.1 Ensure /tmp is a separate partition
• 1.1.2.2 Ensure nodev option set on /tmp partition
• 1.1.2.3 Ensure noexec option set on /tmp partition
• 1.1.2.4 Ensure nosuid option set on /tmp partition
• 1.1.3.2 Ensure nodev option set on /var partition
• 1.1.3.3 Ensure nosuid option set on /var partition
• 1.1.4.2 Ensure noexec option set on /var/tmp partition
• 1.1.4.3 Ensure nosuid option set on /var/tmp partition
• 1.1.4.4 Ensure nodev option set on /var/tmp partition
• 1.1.5.2 Ensure nodev option set on /var/log partition
• 1.1.5.3 Ensure noexec option set on /var/log partition
• 1.1.5.4 Ensure nosuid option set on /var/log partition
• 1.1.6.2 Ensure noexec option set on /var/log/audit partition
• 1.1.6.3 Ensure nodev option set on /var/log/audit partition
• 1.1.6.4 Ensure nosuid option set on /var/log/audit partition
• 1.1.7.2 Ensure nodev option set on /home partition
• 1.1.7.3 Ensure nosuid option set on /home partition
• 1.1.8.1 Ensure nodev option set on /dev/shm partition
• 1.1.8.2 Ensure noexec option set on /dev/shm partition
• 1.1.8.3 Ensure nosuid option set on /dev/shm partition
• 1.2.1 Ensure package manager repositories are configured
• 1.2.2 Ensure GPG keys are configured
• 1.3.1 Ensure AIDE is installed
• 1.3.2 Ensure filesystem integrity is regularly checked
• 1.4.1 Ensure bootloader password is set
• 1.4.2 Ensure permissions on bootloader config are configured
• 1.4.3 Ensure authentication required for single user mode
• 1.5.1 Ensure address space layout randomization (ASLR) is enabled
• 1.5.2 Ensure prelink is not installed
• 1.5.3 Ensure Automatic Error Reporting is not enabled
• 1.5.4 Ensure core dumps are restricted
• 1.6.1.1 Ensure AppArmor is installed
• 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration
• 1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode
• 1.7.1 Ensure message of the day is configured properly
• 1.7.2 Ensure local login warning banner is configured properly
• 1.7.3 Ensure remote login warning banner is configured properly
• 1.7.4 Ensure permissions on /etc/motd are configured
• 1.7.5 Ensure permissions on /etc/issue are configured
• 1.7.6 Ensure permissions on /etc/issue.net are configured
• 1.8.10 Ensure XDCMP is not enabled
• 1.8.4 Ensure GDM screen locks when the user is idle
• 1.8.5 Ensure GDM screen locks cannot be overridden
• 1.8.6 Ensure GDM automatic mounting of removable media is disabled
• 1.8.7 Ensure GDM disabling automatic mounting of removable media is not overridden
• 1.8.8 Ensure GDM autorun-never is enabled
• 1.8.9 Ensure GDM autorun-never is not overridden
• 2.4 Ensure nonessential services are removed or masked
• 2.1.1.1 Ensure a single time synchronization daemon is in use
• 2.1.2.1 Ensure chrony is configured with authorized timeserver
• 2.1.2.2 Ensure chrony is running as user _chrony
• 2.1.2.3 Ensure chrony is enabled and running
• 2.1.3.1 Ensure systemd-timesyncd configured with authorized timeserver
• 2.1.3.2 Ensure systemd-timesyncd is enabled and running
• 2.1.4.1 Ensure ntp access control is configured
• 2.1.4.2 Ensure ntp is configured with authorized timeserver
• 2.1.4.3 Ensure ntp is running as user ntp
• Ensure mounting of cramfs filesystems is disabled
• 2.2.1 Ensure X Window System is not installed
• 2.2.10 Ensure IMAP and POP3 server are not installed
• 2.2.11 Ensure Samba is not installed
• 2.2.12 Ensure HTTP Proxy Server is not installed
• 2.2.13 Ensure SNMP Server is not installed
• 2.2.14 Ensure NIS Server is not installed
• 2.2.15 Ensure mail transfer agent is configured for local-only mode
• 2.2.16 Ensure rsync service is either not installed or masked
• 2.2.2 Ensure Avahi Server is not installed
• 2.2.3 Ensure CUPS is not installed
• 2.2.4 Ensure DHCP Server is not installed
• 2.2.5 Ensure LDAP server is not installed
• 2.2.6 Ensure NFS is not installed
• 2.2.7 Ensure DNS Server is not installed
• 2.2.8 Ensure FTP Server is not installed
• 2.2.9 Ensure HTTP server is not installed
• 2.3.1 Ensure NIS Client is not installed
• 2.3.2 Ensure rsh client is not installed
• 2.3.3 Ensure talk client is not installed
• 2.3.4 Ensure telnet client is not installed
• 2.3.5 Ensure LDAP client is not installed
• 2.3.6 Ensure RPC is not installed
• 3.1.1 Ensure system is checked to determine if IPv6 is enabled
• 3.1.2 Ensure wireless interfaces are disabled
• 3.2.1 Ensure packet redirect sending is disabled
• 3.2.2 Ensure IP forwarding is disabled
• 3.3.1 Ensure source routed packets are not accepted
• 3.3.2 Ensure ICMP redirects are not accepted
• 3.3.3 Ensure secure ICMP redirects are not accepted
• 3.3.4 Ensure suspicious packets are logged
• 3.3.5 Ensure broadcast ICMP requests are ignored
• 3.3.6 Ensure bogus ICMP responses are ignored
• 3.3.7 Ensure Reverse Path Filtering is enabled
• 3.3.8 Ensure TCP SYN Cookies is enabled
• 3.3.9 Ensure IPv6 router advertisements are not accepted
• 3.5.1.1 Ensure ufw is installed
• 3.5.1.2 Ensure iptables-persistent is not installed with ufw
• 3.5.1.3 Ensure ufw service is enabled
• 3.5.1.4 Ensure ufw loopback traffic is configured
• 3.5.1.5 Ensure ufw outbound connections are configured
• 3.5.1.6 Ensure ufw firewall rules exist for all open ports
• 3.5.1.7 Ensure ufw default deny firewall policy
• 3.5.2.1 Ensure nftables is installed
• 3.5.2.10 Ensure nftables rules are permanent
• 3.5.2.2 Ensure ufw is uninstalled or disabled with nftables
• 3.5.2.3 Ensure iptables are flushed with nftables
• 3.5.2.4 Ensure a nftables table exists
• 3.5.2.5 Ensure nftables base chains exist
• 3.5.2.6 Ensure nftables loopback traffic is configured
• 3.5.2.7 Ensure nftables outbound and established connections are configured
• 3.5.2.8 Ensure nftables default deny firewall policy
• 3.5.2.9 Ensure nftables service is enabled
• 3.5.3.1.1 Ensure iptables packages are installed
• 3.5.3.1.2 Ensure nftables is not installed with iptables
• 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables
• 3.5.3.2.1 Ensure iptables default deny firewall policy
• 3.5.3.2.2 Ensure iptables loopback traffic is configured
• 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports
• 3.5.3.3.1 Ensure ip6tables default deny firewall policy
• 3.5.3.3.2 Ensure ip6tables loopback traffic is configured
• 3.5.3.3.3 Ensure ip6tables outbound and established connections are configured
• 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports
• 4.1.4.11 Ensure cryptographic mechanisms are used to protect the integrity of audit tool
• 4.2.3 Ensure all logfiles have appropriate permissions and ownership
• 4.2.1.2 Ensure journald service is enabled
• 4.2.1.3 Ensure journald is configured to compress large log files
• 4.2.1.4 Ensure journald is configured to write logfiles to persistent disk
• 4.2.1.5 Ensure journald is not configured to send logs to rsyslog
• 4.2.1.6 Ensure journald log rotation is configured per site policy
• 4.2.1.7 Ensure journald default file permissions configured
• 4.2.1.1.1 Ensure systemd-journal-remote is installed
• 4.2.1.1.2 Ensure systemd-journal-remote is configured
• 4.2.1.1.3 Ensure systemd-journal-remote is enabled
• 4.2.1.1.4 Ensure journald is not configured to recieve logs from a remote client
• 4.2.2.1 Ensure rsyslog is installed
• 4.2.2.2 Ensure rsyslog service is enabled
• 4.2.2.3 Ensure journald is configured to send logs to rsyslog
• 4.2.2.4 Ensure rsyslog default file permissions are configured
• 4.2.2.5 Ensure logging is configured
• 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host
• 4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client
• 5.1.1 Ensure cron daemon is enabled and running
• 5.1.2 Ensure permissions on /etc/crontab are configured
• 5.1.3 Ensure permissions on /etc/cron.hourly are configured
• 5.1.4 Ensure permissions on /etc/cron.daily are configured
• 5.1.5 Ensure permissions on /etc/cron.weekly are configured
• 5.1.6 Ensure permissions on /etc/cron.monthly are configured
• 5.1.7 Ensure permissions on /etc/cron.d are configured
• 5.1.8 Ensure cron is restricted to authorized users
• 5.1.9 Ensure at is restricted to authorized users
• 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
• 5.2.10 Ensure SSH PermitUserEnvironment is disabled
• 5.2.11 Ensure SSH IgnoreRhosts is enabled
• 5.2.12 Ensure SSH X11 forwarding is disabled
• 5.2.13 Ensure only strong Ciphers are used
• 5.2.14 Ensure only strong MAC algorithms are used
• 5.2.15 Ensure only strong Key Exchange algorithms are used
• 5.2.17 Ensure SSH warning banner is configured
• 5.2.18 Ensure SSH MaxAuthTries is set to 4 or less
• 5.2.19 Ensure SSH MaxStartups is configured
• 5.2.2 Ensure permissions on SSH private host key files are configured
• 5.2.20 Ensure SSH MaxSessions is set to 10 or less
• 5.2.21 Ensure SSH LoginGraceTime is set to one minute or less
• 5.2.22 Ensure SSH Idle Timeout Interval is configured
• 5.2.3 Ensure permissions on SSH public host key files are configured
• 5.2.4 Ensure SSH access is limited
• 5.2.5 Ensure SSH LogLevel is appropriate
• 5.2.6 Ensure SSH PAM is enabled
• 5.2.7 Ensure SSH root login is disabled
• 5.2.8 Ensure SSH HostbasedAuthentication is disabled
• 5.2.9 Ensure SSH PermitEmptyPasswords is disabled
• 5.3.1 Ensure sudo is installed
• 5.3.2 Ensure sudo commands use pty
• 5.3.3 Ensure sudo log file exists
• 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally
• 5.3.6 Ensure sudo authentication timeout is configured correctly
• 5.3.7 Ensure access to the su command is restricted
• 5.4.1 Ensure password creation requirements are configured
• 5.4.2 Ensure lockout for failed password attempts is configured
• 5.4.3 Ensure password reuse is limited
• 5.4.4 Ensure password hashing algorithm is up to date with the latest standards
• 5.5.2 Ensure system accounts are secured
• 5.5.3 Ensure default group for the root account is GID 0
• 5.5.4 Ensure default user umask is 027 or more restrictive
• 5.5.5 Ensure default user shell timeout is 900 seconds or less
• 5.5.1.1 Ensure minimum days between password changes is configured
• 5.5.1.2 Ensure password expiration is 365 days or less
• 5.5.1.3 Ensure password expiration warning days is 7 or more
• 5.5.1.4 Ensure inactive password lock is 30 days or less
• 5.5.1.5 Ensure all users last password change date is in the past
• 6.1.1 Ensure permissions on /etc/passwd are configured
• 6.1.10 Ensure no unowned files or directories exist
• 6.1.11 Ensure no ungrouped files or directories exist
• 6.1.12 Audit SUID executables
• 6.1.13 Audit SGID executables
• 6.1.2 Ensure permissions on /etc/passwd- are configured
• 6.1.3 Ensure permissions on /etc/group are configured
• 6.1.4 Ensure permissions on /etc/group- are configured
• 6.1.5 Ensure permissions on /etc/shadow are configured
• 6.1.6 Ensure permissions on /etc/shadow- are configured
• 6.1.7 Ensure permissions on /etc/gshadow are configured
• E6.1.8 Ensure permissions on /etc/gshadow- are configured
• 6.1.9 Ensure no world writable files exist
• 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords
• 6.2.10 Ensure root is the only UID 0 account
• 6.2.11 Ensure local interactive user home directories exist
• 6.2.12 Ensure local interactive users own their home directories
• 6.2.13 Ensure local interactive user home directories are mode 750 or more restrictive
• 6.2.14 Ensure no local interactive user has .netrc files
• 6.2.15 Ensure no local interactive user has .forward files
• 6.2.16 Ensue no local interactive user has .rhosts files
• 6.2.17 Ensure local interactive user dot files are not group or world writable
• 6.2.2 Ensure /etc/shadow password fields are not empty
• 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group
• 6.2.4 Ensure shadow group is empty
• 6.2.5 Ensure no duplicate UIDs exist
• 6.2.6 Ensure no duplicate GIDs exist
• 6.2.7 Ensure no duplicate user names exist
• 6.2.8 Ensure no duplicate group names exist
• 6.2.9 Ensure root PATH Integrity

Level 2

• 1.1.10 Disable USB Storage
• 1.1.1.2 Ensure mounting of squashfs filesystems is disabled
• 1.1.1.3 Ensure mounting of udf filesystems is disabled
• 1.1.3.1 Ensure separate partition exists for /var
• 1.1.4.1 Ensure separate partition exists for /var/tmp
• 1.1.5.1 Ensure separate partition exists for /var/log
• 1.1.6.1 Ensure separate partition exists for /var/log/audit
• 1.1.7.1 Ensure separate partition exists for /home
• 1.6.1.4 Ensure all AppArmor Profiles are enforcing
• 1.8.1 Ensure GNOME Display Manager is removed
• 1.8.2 Ensure GDM login banner is configured
• 1.8.3 Ensure GDM disable-user-list option is enabled
• 1.8.6 Ensure GDM automatic mounting of removable media is disabled
• 1.8.7 Ensure GDM disabling automatic mounting of removable media is not overridden
• 1.8.8 Ensure GDM autorun-never is enabled
• 2.2.3 Ensure CUPS is not installed
• 3.1.2 Ensure wireless interfaces are disabled
• 3.1.3 Ensure DCCP is disabled
• 3.1.4 Ensure SCTP is disabled
• 3.1.5 Ensure RDS is disabled
• 3.1.6 Ensure TIPC is disabled
• 4.1.1.1 Ensure auditd is installed
• 4.1.1.2 Ensure auditd service is enabled and active
• 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled
• 4.1.1.4 Ensure audit_backlog_limit is sufficient
• 4.1.2.1 Ensure audit log storage size is configured
• 4.1.2.2 Ensure audit logs are not automatically deleted
• 4.1.2.3 Ensure system is disabled when audit logs are full
• 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected
• 4.1.3.10 Ensure successful file system mounts are collected
• 4.1.3.11 Ensure session initiation information is collected
• 4.1.3.12 Ensure login and logout events are collected
• 4.1.3.13 Ensure file deletion events by users are collected
• 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected
• 4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded
• 4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded
• 4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorde
• 4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded
• 4.1.3.19 Ensure kernel module loading unloading and modification is collected
• 4.1.3.2 Ensure actions as another user are always logged
• 4.1.3.20 Ensure the audit configuration is immutable
• 4.1.3.21 Ensure the running and on disk configuration is the same
• 4.1.3.3 Ensure events that modify the sudo log file are collected
• 4.1.3.4 Ensure events that modify date and time information are collected
• 4.1.3.5 Ensure events that modify the system's network environment are collected
• 4.1.3.6 Ensure use of privileged commands are collected
• 4.1.3.7 Ensure unsuccessful file access attempts are collected
• 4.1.3.8 Ensure events that modify user/group information are collected
• 4.1.3.9 Ensure discretionary access control permission modification events are collected
• 4.1.4.1 Ensure audit log files are mode 0640 or less permissive
• 4.1.4.10 Ensure audit tools belong to group root
• 4.1.4.2 Ensure only authorized users own audit log files
• 4.1.4.3 Ensure only authorized groups are assigned ownership of audit log files
• 4.1.4.4 Ensure the audit log directory is 0750 or more restrictive
• 4.1.4.5 Ensure audit configuration files are 640 or more restrictive
• 4.1.4.6 Ensure audit configuration files are owned by root
• 4.1.4.7 Ensure audit configuration files belong to group root
• 4.1.4.8 Ensure audit tools are 755 or more restrictive
• 4.1.4.9 Ensure audit tools are owned by root
• 5.2.12 Ensure SSH X11 forwarding is disabled
• 5.2.16 Ensure SSH AllowTcpForwarding is disabled
• 5.3.4 Ensure users must provide password for privilege escalation

Local User and Group Settings

• 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords
• 6.2.10 Ensure root is the only UID 0 account
• 6.2.11 Ensure local interactive user home directories exist
• 6.2.12 Ensure local interactive users own their home directories
• 6.2.13 Ensure local interactive user home directories are mode 750 or more restrictive
• 6.2.14 Ensure no local interactive user has .netrc files
• 6.2.15 Ensure no local interactive user has .forward files
• 6.2.16 Ensue no local interactive user has .rhosts files
• 6.2.17 Ensure local interactive user dot files are not group or world writable
• 6.2.2 Ensure /etc/shadow password fields are not empty
• 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group
• 6.2.4 Ensure shadow group is empty
• 6.2.5 Ensure no duplicate UIDs exist
• 6.2.6 Ensure no duplicate GIDs exist
• 6.2.7 Ensure no duplicate user names exist
• 6.2.8 Ensure no duplicate group names exist
• 6.2.9 Ensure root PATH Integrity

Logging and Auditing

• 4.1.1.1 Ensure auditd is installed
• 4.1.1.2 Ensure auditd service is enabled and active
• 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled
• 4.1.1.4 Ensure audit_backlog_limit is sufficient
• 4.1.2.1 Ensure audit log storage size is configured
• 4.1.2.2 Ensure audit logs are not automatically deleted
• 4.1.2.3 Ensure system is disabled when audit logs are full
• 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected
• 4.1.3.10 Ensure successful file system mounts are collected
• 4.1.3.11 Ensure session initiation information is collected
• 4.1.3.12 Ensure login and logout events are collected
• 4.1.3.13 Ensure file deletion events by users are collected
• 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected
• 4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded
• 4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded
• 4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorde
• 4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded
• 4.1.3.19 Ensure kernel module loading unloading and modification is collected
• 4.1.3.2 Ensure actions as another user are always logged
• 4.1.3.20 Ensure the audit configuration is immutable
• 4.1.3.21 Ensure the running and on disk configuration is the same
• 4.1.3.3 Ensure events that modify the sudo log file are collected
• 4.1.3.4 Ensure events that modify date and time information are collected
• 4.1.3.5 Ensure events that modify the system's network environment are collected
• 4.1.3.6 Ensure use of privileged commands are collected
• 4.1.3.7 Ensure unsuccessful file access attempts are collected
• 4.1.3.8 Ensure events that modify user/group information are collected
• 4.1.3.9 Ensure discretionary access control permission modification events are collected
• 4.1.4.1 Ensure audit log files are mode 0640 or less permissive
• 4.1.4.10 Ensure audit tools belong to group root
• 4.1.4.11 Ensure cryptographic mechanisms are used to protect the integrity of audit tool
• 4.1.4.2 Ensure only authorized users own audit log files
• 4.1.4.3 Ensure only authorized groups are assigned ownership of audit log files
• 4.1.4.4 Ensure the audit log directory is 0750 or more restrictive
• 4.1.4.5 Ensure audit configuration files are 640 or more restrictive
• 4.1.4.6 Ensure audit configuration files are owned by root
• 4.1.4.7 Ensure audit configuration files belong to group root
• 4.1.4.8 Ensure audit tools are 755 or more restrictive
• 4.1.4.9 Ensure audit tools are owned by root
• 4.2.3 Ensure all logfiles have appropriate permissions and ownership
• 4.2.1.2 Ensure journald service is enabled
• 4.2.1.3 Ensure journald is configured to compress large log files
• 4.2.1.4 Ensure journald is configured to write logfiles to persistent disk
• 4.2.1.5 Ensure journald is not configured to send logs to rsyslog
• 4.2.1.6 Ensure journald log rotation is configured per site policy
• 4.2.1.7 Ensure journald default file permissions configured
• 4.2.1.1.1 Ensure systemd-journal-remote is installed
• 4.2.1.1.2 Ensure systemd-journal-remote is configured
• 4.2.1.1.3 Ensure systemd-journal-remote is enabled
• 4.2.1.1.4 Ensure journald is not configured to recieve logs from a remote client
• 4.2.2.1 Ensure rsyslog is installed
• 4.2.2.2 Ensure rsyslog service is enabled
• 4.2.2.3 Ensure journald is configured to send logs to rsyslog
• 4.2.2.4 Ensure rsyslog default file permissions are configured
• 4.2.2.5 Ensure logging is configured
• 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host
• 4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client

M1018

• 5.1.1 Ensure cron daemon is enabled and running
• 5.1.2 Ensure permissions on /etc/crontab are configured
• 5.1.3 Ensure permissions on /etc/cron.hourly are configured
• 5.1.4 Ensure permissions on /etc/cron.daily are configured
• 5.1.5 Ensure permissions on /etc/cron.weekly are configured
• 5.1.6 Ensure permissions on /etc/cron.monthly are configured
• 5.1.7 Ensure permissions on /etc/cron.d are configured
• 5.1.8 Ensure cron is restricted to authorized users
• 5.1.9 Ensure at is restricted to authorized users
• 5.2.4 Ensure SSH access is limited

M1022

• 1.1.2.1 Ensure /tmp is a separate partition
• 1.1.2.2 Ensure nodev option set on /tmp partition
• 1.1.2.3 Ensure noexec option set on /tmp partition
• 1.1.2.4 Ensure nosuid option set on /tmp partition
• 1.1.4.1 Ensure separate partition exists for /var/tmp
• 1.1.4.2 Ensure noexec option set on /var/tmp partition
• 1.1.4.3 Ensure nosuid option set on /var/tmp partition
• 1.1.4.4 Ensure nodev option set on /var/tmp partition
• 1.1.5.1 Ensure separate partition exists for /var/log
• 1.1.5.3 Ensure noexec option set on /var/log partition
• 1.1.5.4 Ensure nosuid option set on /var/log partition
• 1.1.6.1 Ensure separate partition exists for /var/log/audit
• 1.1.6.2 Ensure noexec option set on /var/log/audit partition
• 1.1.6.3 Ensure nodev option set on /var/log/audit partition
• 1.1.6.4 Ensure nosuid option set on /var/log/audit partition
• 1.1.7.2 Ensure nodev option set on /home partition
• 1.1.7.3 Ensure nosuid option set on /home partition
• 1.3.2 Ensure filesystem integrity is regularly checked
• 1.4.2 Ensure permissions on bootloader config are configured
• 1.4.3 Ensure authentication required for single user mode
• 1.7.4 Ensure permissions on /etc/motd are configured
• 1.7.5 Ensure permissions on /etc/issue are configured
• 1.7.6 Ensure permissions on /etc/issue.net are configured
• 2.1.2.1 Ensure chrony is configured with authorized timeserver
• 2.1.4.2 Ensure ntp is configured with authorized timeserver
• 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected
• 4.1.3.9 Ensure discretionary access control permission modification events are collected
• 4.2.1.4 Ensure journald is configured to write logfiles to persistent disk
• 4.2.1.6 Ensure journald log rotation is configured per site policy
• 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
• 5.2.2 Ensure permissions on SSH private host key files are configured
• 5.2.3 Ensure permissions on SSH public host key files are configured
• 6.1.1 Ensure permissions on /etc/passwd are configured
• 6.1.2 Ensure permissions on /etc/passwd- are configured
• 6.1.3 Ensure permissions on /etc/group are configured
• 6.1.4 Ensure permissions on /etc/group- are configured
• 6.1.5 Ensure permissions on /etc/shadow are configured
• 6.1.6 Ensure permissions on /etc/shadow- are configured
• 6.1.7 Ensure permissions on /etc/gshadow are configured
• E6.1.8 Ensure permissions on /etc/gshadow- are configured
• 6.1.9 Ensure no world writable files exist
• 6.2.11 Ensure local interactive user home directories exist
• 6.2.12 Ensure local interactive users own their home directories
• 6.2.13 Ensure local interactive user home directories are mode 750 or more restrictive
• 6.2.17 Ensure local interactive user dot files are not group or world writable
• 6.2.4 Ensure shadow group is empty
• 6.2.9 Ensure root PATH Integrity

M1026

• 1.6.1.1 Ensure AppArmor is installed
• 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration
• 4.1.3.6 Ensure use of privileged commands are collected
• 5.2.22 Ensure SSH Idle Timeout Interval is configured
• 5.3.7 Ensure access to the su command is restricted
• 5.5.2 Ensure system accounts are secured
• 5.5.3 Ensure default group for the root account is GID 0
• 5.5.5 Ensure default user shell timeout is 900 seconds or less
• 6.2.10 Ensure root is the only UID 0 account

M1027

• 5.2.11 Ensure SSH IgnoreRhosts is enabled
• 5.4.1 Ensure password creation requirements are configured
• 5.4.2 Ensure lockout for failed password attempts is configured
• 5.5.1.3 Ensure password expiration warning days is 7 or more
• 5.5.1.4 Ensure inactive password lock is 30 days or less
• 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords
• 6.2.14 Ensure no local interactive user has .netrc files
• 6.2.2 Ensure /etc/shadow password fields are not empty
• 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group
• 6.2.5 Ensure no duplicate UIDs exist
• 6.2.6 Ensure no duplicate GIDs exist
• 6.2.7 Ensure no duplicate user names exist
• 6.2.8 Ensure no duplicate group names exist

M1028

• 1.8.3 Ensure GDM disable-user-list option is enabled
• 3.1.2 Ensure wireless interfaces are disabled
• 6.1.12 Audit SUID executables
• 6.1.13 Audit SGID executables

M1029

• 4.2.1.5 Ensure journald is not configured to send logs to rsyslog
• 4.2.1.1.1 Ensure systemd-journal-remote is installed
• 4.2.1.1.2 Ensure systemd-journal-remote is configured
• 4.2.1.1.3 Ensure systemd-journal-remote is enabled
• 4.2.1.1.4 Ensure journald is not configured to recieve logs from a remote client
• 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host

M1030

• 3.2.1 Ensure packet redirect sending is disabled
• 3.2.2 Ensure IP forwarding is disabled
• 3.3.2 Ensure ICMP redirects are not accepted
• 3.3.3 Ensure secure ICMP redirects are not accepted
• 3.3.7 Ensure Reverse Path Filtering is enabled
• 3.3.9 Ensure IPv6 router advertisements are not accepted

M1031

• 3.5.1.1 Ensure ufw is installed
• 3.5.1.4 Ensure ufw loopback traffic is configured
• 3.5.1.5 Ensure ufw outbound connections are configured
• 3.5.1.6 Ensure ufw firewall rules exist for all open ports
• 3.5.1.7 Ensure ufw default deny firewall policy
• 3.5.2.1 Ensure nftables is installed
• 3.5.2.10 Ensure nftables rules are permanent
• 3.5.2.4 Ensure a nftables table exists
• 3.5.2.7 Ensure nftables outbound and established connections are configured
• 3.5.2.8 Ensure nftables default deny firewall policy
• 3.5.2.9 Ensure nftables service is enabled
• 3.5.3.1.1 Ensure iptables packages are installed
• 3.5.3.2.1 Ensure iptables default deny firewall policy
• 3.5.3.2.2 Ensure iptables loopback traffic is configured
• 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports
• 3.5.3.3.1 Ensure ip6tables default deny firewall policy
• 3.5.3.3.2 Ensure ip6tables loopback traffic is configured
• 3.5.3.3.3 Ensure ip6tables outbound and established connections are configured
• 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports
• 6.2.15 Ensure no local interactive user has .forward files

M1034

• 4.1.3.10 Ensure successful file system mounts are collected

M1035

• 5.2.17 Ensure SSH warning banner is configured
• 5.2.6 Ensure SSH PAM is enabled

M1036

• 5.2.18 Ensure SSH MaxAuthTries is set to 4 or less
• 5.2.21 Ensure SSH LoginGraceTime is set to one minute or less

M1037

• 3.3.5 Ensure broadcast ICMP requests are ignored
• 3.3.8 Ensure TCP SYN Cookies is enabled
• 3.5.1.1 Ensure ufw is installed
• 3.5.1.4 Ensure ufw loopback traffic is configured
• 3.5.1.5 Ensure ufw outbound connections are configured
• 3.5.1.6 Ensure ufw firewall rules exist for all open ports
• 3.5.1.7 Ensure ufw default deny firewall policy
• 3.5.2.1 Ensure nftables is installed
• 3.5.2.4 Ensure a nftables table exists
• 3.5.2.7 Ensure nftables outbound and established connections are configured
• 3.5.2.8 Ensure nftables default deny firewall policy
• 3.5.2.9 Ensure nftables service is enabled
• 3.5.3.1.1 Ensure iptables packages are installed
• 3.5.3.2.1 Ensure iptables default deny firewall policy
• 3.5.3.2.2 Ensure iptables loopback traffic is configured
• 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports
• 3.5.3.3.1 Ensure ip6tables default deny firewall policy
• 3.5.3.3.2 Ensure ip6tables loopback traffic is configured
• 3.5.3.3.3 Ensure ip6tables outbound and established connections are configured
• 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports

M1038

• 1.1.9 Disable Automounting
• 1.1.3.2 Ensure nodev option set on /var partition
• 1.1.3.3 Ensure nosuid option set on /var partition
• 1.1.7.1 Ensure separate partition exists for /home
• 1.1.8.1 Ensure nodev option set on /dev/shm partition
• 1.1.8.2 Ensure noexec option set on /dev/shm partition
• 1.1.8.3 Ensure nosuid option set on /dev/shm partition

M1041

• 2.3.2 Ensure rsh client is not installed
• 2.3.3 Ensure talk client is not installed
• 2.3.4 Ensure telnet client is not installed
• 5.2.13 Ensure only strong Ciphers are used
• 5.2.14 Ensure only strong MAC algorithms are used
• 5.2.15 Ensure only strong Key Exchange algorithms are used

M1042

• 2.4 Ensure nonessential services are removed or masked
• 2.2.1 Ensure X Window System is not installed
• 2.2.10 Ensure IMAP and POP3 server are not installed
• 2.2.12 Ensure HTTP Proxy Server is not installed
• 2.2.13 Ensure SNMP Server is not installed
• 2.2.14 Ensure NIS Server is not installed
• 2.2.15 Ensure mail transfer agent is configured for local-only mode
• 2.2.16 Ensure rsync service is either not installed or masked
• 2.2.2 Ensure Avahi Server is not installed
• 2.2.3 Ensure CUPS is not installed
• 2.2.4 Ensure DHCP Server is not installed
• 2.2.5 Ensure LDAP server is not installed
• 2.2.7 Ensure DNS Server is not installed
• 2.2.8 Ensure FTP Server is not installed
• 2.2.9 Ensure HTTP server is not installed
• 2.3.1 Ensure NIS Client is not installed
• 2.3.2 Ensure rsh client is not installed
• 2.3.3 Ensure talk client is not installed
• 2.3.4 Ensure telnet client is not installed
• 2.3.5 Ensure LDAP client is not installed
• 2.3.6 Ensure RPC is not installed
• 3.1.1 Ensure system is checked to determine if IPv6 is enabled
• 3.1.3 Ensure DCCP is disabled
• 3.1.4 Ensure SCTP is disabled
• 3.1.5 Ensure RDS is disabled
• 3.1.6 Ensure TIPC is disabled
• 3.2.1 Ensure packet redirect sending is disabled
• 3.2.2 Ensure IP forwarding is disabled
• 3.3.2 Ensure ICMP redirects are not accepted
• 3.3.3 Ensure secure ICMP redirects are not accepted
• 3.3.7 Ensure Reverse Path Filtering is enabled
• 3.3.9 Ensure IPv6 router advertisements are not accepted
• 5.2.10 Ensure SSH PermitUserEnvironment is disabled
• 5.2.12 Ensure SSH X11 forwarding is disabled
• 5.2.16 Ensure SSH AllowTcpForwarding is disabled
• 5.2.7 Ensure SSH root login is disabled
• 5.2.8 Ensure SSH HostbasedAuthentication is disabled
• 5.2.9 Ensure SSH PermitEmptyPasswords is disabled

M1046

• 1.4.1 Ensure bootloader password is set

M1047

• 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected
• 4.1.3.19 Ensure kernel module loading unloading and modification is collected
• 4.1.3.2 Ensure actions as another user are always logged
• 4.1.3.5 Ensure events that modify the system's network environment are collected
• 4.1.3.8 Ensure events that modify user/group information are collected

M1050

• 1.1.10 Disable USB Storage
• 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
• 1.1.1.2 Ensure mounting of squashfs filesystems is disabled
• 1.1.1.3 Ensure mounting of udf filesystems is disabled
• 1.1.5.2 Ensure nodev option set on /var/log partition
• 1.5.1 Ensure address space layout randomization (ASLR) is enabled
• 1.5.2 Ensure prelink is not installed
• 1.8.10 Ensure XDCMP is not enabled

M1051

• 1.2.1 Ensure package manager repositories are configured
• 1.2.2 Ensure GPG keys are configured

M1053

• 3.3.6 Ensure bogus ICMP responses are ignored
• 4.1.2.1 Ensure audit log storage size is configured
• 4.1.2.2 Ensure audit logs are not automatically deleted
• 4.2.1.3 Ensure journald is configured to compress large log files

MA1027

• 5.5.1.1 Ensure minimum days between password changes is configured

MA1041

• 5.4.4 Ensure password hashing algorithm is up to date with the latest standards

Mandatory Access Control

• 1.6.1.1 Ensure AppArmor is installed
• 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration
• 1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode
• 1.6.1.4 Ensure all AppArmor Profiles are enforcing

Manual

• 1.9 Ensure updates, patches, and additional security software are installed
• 1.2.1 Ensure package manager repositories are configured
• 1.2.2 Ensure GPG keys are configured
• 2.4 Ensure nonessential services are removed or masked
• 2.1.2.1 Ensure chrony is configured with authorized timeserver
• 2.1.3.1 Ensure systemd-timesyncd configured with authorized timeserver
• 2.1.4.2 Ensure ntp is configured with authorized timeserver
• 3.1.1 Ensure system is checked to determine if IPv6 is enabled
• 3.5.1.5 Ensure ufw outbound connections are configured
• 3.5.2.3 Ensure iptables are flushed with nftables
• 3.5.2.7 Ensure nftables outbound and established connections are configured
• 3.5.3.3.3 Ensure ip6tables outbound and established connections are configured
• 4.1.3.21 Ensure the running and on disk configuration is the same
• 4.2.1.5 Ensure journald is not configured to send logs to rsyslog
• 4.2.1.6 Ensure journald log rotation is configured per site policy
• 4.2.1.7 Ensure journald default file permissions configured
• 4.2.1.1.2 Ensure systemd-journal-remote is configured
• 4.2.1.1.3 Ensure systemd-journal-remote is enabled
• 4.2.2.3 Ensure journald is configured to send logs to rsyslog
• 4.2.2.5 Ensure logging is configured
• 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host
• 6.1.12 Audit SUID executables
• 6.1.13 Audit SGID executables

Network Configuration

• 3.1.1 Ensure system is checked to determine if IPv6 is enabled
• 3.1.2 Ensure wireless interfaces are disabled
• 3.1.3 Ensure DCCP is disabled
• 3.1.4 Ensure SCTP is disabled
• 3.1.5 Ensure RDS is disabled
• 3.1.6 Ensure TIPC is disabled
• 3.2.1 Ensure packet redirect sending is disabled
• 3.2.2 Ensure IP forwarding is disabled
• 3.3.1 Ensure source routed packets are not accepted
• 3.3.2 Ensure ICMP redirects are not accepted
• 3.3.3 Ensure secure ICMP redirects are not accepted
• 3.3.4 Ensure suspicious packets are logged
• 3.3.5 Ensure broadcast ICMP requests are ignored
• 3.3.6 Ensure bogus ICMP responses are ignored
• 3.3.7 Ensure Reverse Path Filtering is enabled
• 3.3.8 Ensure TCP SYN Cookies is enabled
• 3.3.9 Ensure IPv6 router advertisements are not accepted
• 3.5.1.1 Ensure ufw is installed
• 3.5.1.2 Ensure iptables-persistent is not installed with ufw
• 3.5.1.3 Ensure ufw service is enabled
• 3.5.1.4 Ensure ufw loopback traffic is configured
• 3.5.1.5 Ensure ufw outbound connections are configured
• 3.5.1.6 Ensure ufw firewall rules exist for all open ports
• 3.5.1.7 Ensure ufw default deny firewall policy
• 3.5.2.1 Ensure nftables is installed
• 3.5.2.10 Ensure nftables rules are permanent
• 3.5.2.2 Ensure ufw is uninstalled or disabled with nftables
• 3.5.2.3 Ensure iptables are flushed with nftables
• 3.5.2.4 Ensure a nftables table exists
• 3.5.2.5 Ensure nftables base chains exist
• 3.5.2.6 Ensure nftables loopback traffic is configured
• 3.5.2.7 Ensure nftables outbound and established connections are configured
• 3.5.2.8 Ensure nftables default deny firewall policy
• 3.5.2.9 Ensure nftables service is enabled
• 3.5.3.1.1 Ensure iptables packages are installed
• 3.5.3.1.2 Ensure nftables is not installed with iptables
• 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables
• 3.5.3.2.1 Ensure iptables default deny firewall policy
• 3.5.3.2.2 Ensure iptables loopback traffic is configured
• 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports
• 3.5.3.3.1 Ensure ip6tables default deny firewall policy
• 3.5.3.3.2 Ensure ip6tables loopback traffic is configured
• 3.5.3.3.3 Ensure ip6tables outbound and established connections are configured
• 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports

Network Parameters (Host Only)

• 3.2.1 Ensure packet redirect sending is disabled
• 3.2.2 Ensure IP forwarding is disabled

Network Parameters (Host and Router)

• 3.3.1 Ensure source routed packets are not accepted
• 3.3.2 Ensure ICMP redirects are not accepted
• 3.3.3 Ensure secure ICMP redirects are not accepted
• 3.3.4 Ensure suspicious packets are logged
• 3.3.5 Ensure broadcast ICMP requests are ignored
• 3.3.6 Ensure bogus ICMP responses are ignored
• 3.3.7 Ensure Reverse Path Filtering is enabled
• 3.3.8 Ensure TCP SYN Cookies is enabled
• 3.3.9 Ensure IPv6 router advertisements are not accepted

Secure Boot Settings

• 1.4.1 Ensure bootloader password is set
• 1.4.2 Ensure permissions on bootloader config are configured
• 1.4.3 Ensure authentication required for single user mode

Server

• 1.9 Ensure updates, patches, and additional security software are installed
• 1.1.10 Disable USB Storage
• 1.1.9 Disable Automounting
• 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
• 1.1.1.2 Ensure mounting of squashfs filesystems is disabled
• 1.1.1.3 Ensure mounting of udf filesystems is disabled
• 1.1.2.1 Ensure /tmp is a separate partition
• 1.1.2.2 Ensure nodev option set on /tmp partition
• 1.1.2.3 Ensure noexec option set on /tmp partition
• 1.1.2.4 Ensure nosuid option set on /tmp partition
• 1.1.3.1 Ensure separate partition exists for /var
• 1.1.3.2 Ensure nodev option set on /var partition
• 1.1.3.3 Ensure nosuid option set on /var partition
• 1.1.4.1 Ensure separate partition exists for /var/tmp
• 1.1.4.2 Ensure noexec option set on /var/tmp partition
• 1.1.4.3 Ensure nosuid option set on /var/tmp partition
• 1.1.4.4 Ensure nodev option set on /var/tmp partition
• 1.1.5.1 Ensure separate partition exists for /var/log
• 1.1.5.2 Ensure nodev option set on /var/log partition
• 1.1.5.3 Ensure noexec option set on /var/log partition
• 1.1.5.4 Ensure nosuid option set on /var/log partition
• 1.1.6.1 Ensure separate partition exists for /var/log/audit
• 1.1.6.2 Ensure noexec option set on /var/log/audit partition
• 1.1.6.3 Ensure nodev option set on /var/log/audit partition
• 1.1.6.4 Ensure nosuid option set on /var/log/audit partition
• 1.1.7.1 Ensure separate partition exists for /home
• 1.1.7.2 Ensure nodev option set on /home partition
• 1.1.7.3 Ensure nosuid option set on /home partition
• 1.1.8.1 Ensure nodev option set on /dev/shm partition
• 1.1.8.2 Ensure noexec option set on /dev/shm partition
• 1.1.8.3 Ensure nosuid option set on /dev/shm partition
• 1.2.1 Ensure package manager repositories are configured
• 1.2.2 Ensure GPG keys are configured
• 1.3.1 Ensure AIDE is installed
• 1.3.2 Ensure filesystem integrity is regularly checked
• 1.4.1 Ensure bootloader password is set
• 1.4.2 Ensure permissions on bootloader config are configured
• 1.4.3 Ensure authentication required for single user mode
• 1.5.1 Ensure address space layout randomization (ASLR) is enabled
• 1.5.2 Ensure prelink is not installed
• 1.5.3 Ensure Automatic Error Reporting is not enabled
• 1.5.4 Ensure core dumps are restricted
• 1.6.1.1 Ensure AppArmor is installed
• 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration
• 1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode
• 1.6.1.4 Ensure all AppArmor Profiles are enforcing
• 1.7.1 Ensure message of the day is configured properly
• 1.7.2 Ensure local login warning banner is configured properly
• 1.7.3 Ensure remote login warning banner is configured properly
• 1.7.4 Ensure permissions on /etc/motd are configured
• 1.7.5 Ensure permissions on /etc/issue are configured
• 1.7.6 Ensure permissions on /etc/issue.net are configured
• 1.8.1 Ensure GNOME Display Manager is removed
• 1.8.10 Ensure XDCMP is not enabled
• 1.8.2 Ensure GDM login banner is configured
• 1.8.3 Ensure GDM disable-user-list option is enabled
• 1.8.4 Ensure GDM screen locks when the user is idle
• 1.8.5 Ensure GDM screen locks cannot be overridden
• 1.8.6 Ensure GDM automatic mounting of removable media is disabled
• 1.8.7 Ensure GDM disabling automatic mounting of removable media is not overridden
• 1.8.8 Ensure GDM autorun-never is enabled
• 1.8.9 Ensure GDM autorun-never is not overridden
• 2.4 Ensure nonessential services are removed or masked
• 2.1.1.1 Ensure a single time synchronization daemon is in use
• 2.1.2.1 Ensure chrony is configured with authorized timeserver
• 2.1.2.2 Ensure chrony is running as user _chrony
• 2.1.2.3 Ensure chrony is enabled and running
• 2.1.3.1 Ensure systemd-timesyncd configured with authorized timeserver
• 2.1.3.2 Ensure systemd-timesyncd is enabled and running
• 2.1.4.1 Ensure ntp access control is configured
• 2.1.4.2 Ensure ntp is configured with authorized timeserver
• 2.1.4.3 Ensure ntp is running as user ntp
• Ensure mounting of cramfs filesystems is disabled
• 2.2.1 Ensure X Window System is not installed
• 2.2.10 Ensure IMAP and POP3 server are not installed
• 2.2.11 Ensure Samba is not installed
• 2.2.12 Ensure HTTP Proxy Server is not installed
• 2.2.13 Ensure SNMP Server is not installed
• 2.2.14 Ensure NIS Server is not installed
• 2.2.15 Ensure mail transfer agent is configured for local-only mode
• 2.2.16 Ensure rsync service is either not installed or masked
• 2.2.2 Ensure Avahi Server is not installed
• 2.2.3 Ensure CUPS is not installed
• 2.2.4 Ensure DHCP Server is not installed
• 2.2.5 Ensure LDAP server is not installed
• 2.2.6 Ensure NFS is not installed
• 2.2.7 Ensure DNS Server is not installed
• 2.2.8 Ensure FTP Server is not installed
• 2.2.9 Ensure HTTP server is not installed
• 2.3.1 Ensure NIS Client is not installed
• 2.3.2 Ensure rsh client is not installed
• 2.3.3 Ensure talk client is not installed
• 2.3.4 Ensure telnet client is not installed
• 2.3.5 Ensure LDAP client is not installed
• 2.3.6 Ensure RPC is not installed
• 3.1.1 Ensure system is checked to determine if IPv6 is enabled
• 3.1.2 Ensure wireless interfaces are disabled
• 3.1.3 Ensure DCCP is disabled
• 3.1.4 Ensure SCTP is disabled
• 3.1.5 Ensure RDS is disabled
• 3.1.6 Ensure TIPC is disabled
• 3.2.1 Ensure packet redirect sending is disabled
• 3.2.2 Ensure IP forwarding is disabled
• 3.3.1 Ensure source routed packets are not accepted
• 3.3.2 Ensure ICMP redirects are not accepted
• 3.3.3 Ensure secure ICMP redirects are not accepted
• 3.3.4 Ensure suspicious packets are logged
• 3.3.5 Ensure broadcast ICMP requests are ignored
• 3.3.6 Ensure bogus ICMP responses are ignored
• 3.3.7 Ensure Reverse Path Filtering is enabled
• 3.3.8 Ensure TCP SYN Cookies is enabled
• 3.3.9 Ensure IPv6 router advertisements are not accepted
• 3.5.1.1 Ensure ufw is installed
• 3.5.1.2 Ensure iptables-persistent is not installed with ufw
• 3.5.1.3 Ensure ufw service is enabled
• 3.5.1.4 Ensure ufw loopback traffic is configured
• 3.5.1.5 Ensure ufw outbound connections are configured
• 3.5.1.6 Ensure ufw firewall rules exist for all open ports
• 3.5.1.7 Ensure ufw default deny firewall policy
• 3.5.2.1 Ensure nftables is installed
• 3.5.2.10 Ensure nftables rules are permanent
• 3.5.2.2 Ensure ufw is uninstalled or disabled with nftables
• 3.5.2.3 Ensure iptables are flushed with nftables
• 3.5.2.4 Ensure a nftables table exists
• 3.5.2.5 Ensure nftables base chains exist
• 3.5.2.6 Ensure nftables loopback traffic is configured
• 3.5.2.7 Ensure nftables outbound and established connections are configured
• 3.5.2.8 Ensure nftables default deny firewall policy
• 3.5.2.9 Ensure nftables service is enabled
• 3.5.3.1.1 Ensure iptables packages are installed
• 3.5.3.1.2 Ensure nftables is not installed with iptables
• 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables
• 3.5.3.2.1 Ensure iptables default deny firewall policy
• 3.5.3.2.2 Ensure iptables loopback traffic is configured
• 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports
• 3.5.3.3.1 Ensure ip6tables default deny firewall policy
• 3.5.3.3.2 Ensure ip6tables loopback traffic is configured
• 3.5.3.3.3 Ensure ip6tables outbound and established connections are configured
• 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports
• 4.1.1.1 Ensure auditd is installed
• 4.1.1.2 Ensure auditd service is enabled and active
• 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled
• 4.1.1.4 Ensure audit_backlog_limit is sufficient
• 4.1.2.1 Ensure audit log storage size is configured
• 4.1.2.2 Ensure audit logs are not automatically deleted
• 4.1.2.3 Ensure system is disabled when audit logs are full
• 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected
• 4.1.3.10 Ensure successful file system mounts are collected
• 4.1.3.11 Ensure session initiation information is collected
• 4.1.3.12 Ensure login and logout events are collected
• 4.1.3.13 Ensure file deletion events by users are collected
• 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected
• 4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded
• 4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded
• 4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorde
• 4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded
• 4.1.3.19 Ensure kernel module loading unloading and modification is collected
• 4.1.3.2 Ensure actions as another user are always logged
• 4.1.3.20 Ensure the audit configuration is immutable
• 4.1.3.21 Ensure the running and on disk configuration is the same
• 4.1.3.3 Ensure events that modify the sudo log file are collected
• 4.1.3.4 Ensure events that modify date and time information are collected
• 4.1.3.5 Ensure events that modify the system's network environment are collected
• 4.1.3.6 Ensure use of privileged commands are collected
• 4.1.3.7 Ensure unsuccessful file access attempts are collected
• 4.1.3.8 Ensure events that modify user/group information are collected
• 4.1.3.9 Ensure discretionary access control permission modification events are collected
• 4.1.4.1 Ensure audit log files are mode 0640 or less permissive
• 4.1.4.10 Ensure audit tools belong to group root
• 4.1.4.11 Ensure cryptographic mechanisms are used to protect the integrity of audit tool
• 4.1.4.2 Ensure only authorized users own audit log files
• 4.1.4.3 Ensure only authorized groups are assigned ownership of audit log files
• 4.1.4.4 Ensure the audit log directory is 0750 or more restrictive
• 4.1.4.5 Ensure audit configuration files are 640 or more restrictive
• 4.1.4.6 Ensure audit configuration files are owned by root
• 4.1.4.7 Ensure audit configuration files belong to group root
• 4.1.4.8 Ensure audit tools are 755 or more restrictive
• 4.1.4.9 Ensure audit tools are owned by root
• 4.2.3 Ensure all logfiles have appropriate permissions and ownership
• 4.2.1.2 Ensure journald service is enabled
• 4.2.1.3 Ensure journald is configured to compress large log files
• 4.2.1.4 Ensure journald is configured to write logfiles to persistent disk
• 4.2.1.5 Ensure journald is not configured to send logs to rsyslog
• 4.2.1.6 Ensure journald log rotation is configured per site policy
• 4.2.1.7 Ensure journald default file permissions configured
• 4.2.1.1.1 Ensure systemd-journal-remote is installed
• 4.2.1.1.2 Ensure systemd-journal-remote is configured
• 4.2.1.1.3 Ensure systemd-journal-remote is enabled
• 4.2.1.1.4 Ensure journald is not configured to recieve logs from a remote client
• 4.2.2.1 Ensure rsyslog is installed
• 4.2.2.2 Ensure rsyslog service is enabled
• 4.2.2.3 Ensure journald is configured to send logs to rsyslog
• 4.2.2.4 Ensure rsyslog default file permissions are configured
• 4.2.2.5 Ensure logging is configured
• 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host
• 4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client
• 5.1.1 Ensure cron daemon is enabled and running
• 5.1.2 Ensure permissions on /etc/crontab are configured
• 5.1.3 Ensure permissions on /etc/cron.hourly are configured
• 5.1.4 Ensure permissions on /etc/cron.daily are configured
• 5.1.5 Ensure permissions on /etc/cron.weekly are configured
• 5.1.6 Ensure permissions on /etc/cron.monthly are configured
• 5.1.7 Ensure permissions on /etc/cron.d are configured
• 5.1.8 Ensure cron is restricted to authorized users
• 5.1.9 Ensure at is restricted to authorized users
• 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
• 5.2.10 Ensure SSH PermitUserEnvironment is disabled
• 5.2.11 Ensure SSH IgnoreRhosts is enabled
• 5.2.12 Ensure SSH X11 forwarding is disabled
• 5.2.13 Ensure only strong Ciphers are used
• 5.2.14 Ensure only strong MAC algorithms are used
• 5.2.15 Ensure only strong Key Exchange algorithms are used
• 5.2.16 Ensure SSH AllowTcpForwarding is disabled
• 5.2.17 Ensure SSH warning banner is configured
• 5.2.18 Ensure SSH MaxAuthTries is set to 4 or less
• 5.2.19 Ensure SSH MaxStartups is configured
• 5.2.2 Ensure permissions on SSH private host key files are configured
• 5.2.20 Ensure SSH MaxSessions is set to 10 or less
• 5.2.21 Ensure SSH LoginGraceTime is set to one minute or less
• 5.2.22 Ensure SSH Idle Timeout Interval is configured
• 5.2.3 Ensure permissions on SSH public host key files are configured
• 5.2.4 Ensure SSH access is limited
• 5.2.5 Ensure SSH LogLevel is appropriate
• 5.2.6 Ensure SSH PAM is enabled
• 5.2.7 Ensure SSH root login is disabled
• 5.2.8 Ensure SSH HostbasedAuthentication is disabled
• 5.2.9 Ensure SSH PermitEmptyPasswords is disabled
• 5.3.1 Ensure sudo is installed
• 5.3.2 Ensure sudo commands use pty
• 5.3.3 Ensure sudo log file exists
• 5.3.4 Ensure users must provide password for privilege escalation
• 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally
• 5.3.6 Ensure sudo authentication timeout is configured correctly
• 5.3.7 Ensure access to the su command is restricted
• 5.4.1 Ensure password creation requirements are configured
• 5.4.2 Ensure lockout for failed password attempts is configured
• 5.4.3 Ensure password reuse is limited
• 5.4.4 Ensure password hashing algorithm is up to date with the latest standards
• 5.5.2 Ensure system accounts are secured
• 5.5.3 Ensure default group for the root account is GID 0
• 5.5.4 Ensure default user umask is 027 or more restrictive
• 5.5.5 Ensure default user shell timeout is 900 seconds or less
• 5.5.1.1 Ensure minimum days between password changes is configured
• 5.5.1.2 Ensure password expiration is 365 days or less
• 5.5.1.3 Ensure password expiration warning days is 7 or more
• 5.5.1.4 Ensure inactive password lock is 30 days or less
• 5.5.1.5 Ensure all users last password change date is in the past
• 6.1.1 Ensure permissions on /etc/passwd are configured
• 6.1.10 Ensure no unowned files or directories exist
• 6.1.11 Ensure no ungrouped files or directories exist
• 6.1.12 Audit SUID executables
• 6.1.13 Audit SGID executables
• 6.1.2 Ensure permissions on /etc/passwd- are configured
• 6.1.3 Ensure permissions on /etc/group are configured
• 6.1.4 Ensure permissions on /etc/group- are configured
• 6.1.5 Ensure permissions on /etc/shadow are configured
• 6.1.6 Ensure permissions on /etc/shadow- are configured
• 6.1.7 Ensure permissions on /etc/gshadow are configured
• E6.1.8 Ensure permissions on /etc/gshadow- are configured
• 6.1.9 Ensure no world writable files exist
• 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords
• 6.2.10 Ensure root is the only UID 0 account
• 6.2.11 Ensure local interactive user home directories exist
• 6.2.12 Ensure local interactive users own their home directories
• 6.2.13 Ensure local interactive user home directories are mode 750 or more restrictive
• 6.2.14 Ensure no local interactive user has .netrc files
• 6.2.15 Ensure no local interactive user has .forward files
• 6.2.16 Ensue no local interactive user has .rhosts files
• 6.2.17 Ensure local interactive user dot files are not group or world writable
• 6.2.2 Ensure /etc/shadow password fields are not empty
• 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group
• 6.2.4 Ensure shadow group is empty
• 6.2.5 Ensure no duplicate UIDs exist
• 6.2.6 Ensure no duplicate GIDs exist
• 6.2.7 Ensure no duplicate user names exist
• 6.2.8 Ensure no duplicate group names exist
• 6.2.9 Ensure root PATH Integrity

Service Clients

• 2.3.1 Ensure NIS Client is not installed
• 2.3.2 Ensure rsh client is not installed
• 2.3.3 Ensure talk client is not installed
• 2.3.4 Ensure telnet client is not installed
• 2.3.5 Ensure LDAP client is not installed
• 2.3.6 Ensure RPC is not installed

Services

• 2.4 Ensure nonessential services are removed or masked
• 2.1.1.1 Ensure a single time synchronization daemon is in use
• 2.1.2.1 Ensure chrony is configured with authorized timeserver
• 2.1.2.2 Ensure chrony is running as user _chrony
• 2.1.2.3 Ensure chrony is enabled and running
• 2.1.3.1 Ensure systemd-timesyncd configured with authorized timeserver
• 2.1.3.2 Ensure systemd-timesyncd is enabled and running
• 2.1.4.1 Ensure ntp access control is configured
• 2.1.4.2 Ensure ntp is configured with authorized timeserver
• 2.1.4.3 Ensure ntp is running as user ntp
• Ensure mounting of cramfs filesystems is disabled
• 2.2.1 Ensure X Window System is not installed
• 2.2.10 Ensure IMAP and POP3 server are not installed
• 2.2.11 Ensure Samba is not installed
• 2.2.12 Ensure HTTP Proxy Server is not installed
• 2.2.13 Ensure SNMP Server is not installed
• 2.2.14 Ensure NIS Server is not installed
• 2.2.15 Ensure mail transfer agent is configured for local-only mode
• 2.2.16 Ensure rsync service is either not installed or masked
• 2.2.2 Ensure Avahi Server is not installed
• 2.2.3 Ensure CUPS is not installed
• 2.2.4 Ensure DHCP Server is not installed
• 2.2.5 Ensure LDAP server is not installed
• 2.2.6 Ensure NFS is not installed
• 2.2.7 Ensure DNS Server is not installed
• 2.2.8 Ensure FTP Server is not installed
• 2.2.9 Ensure HTTP server is not installed
• 2.3.1 Ensure NIS Client is not installed
• 2.3.2 Ensure rsh client is not installed
• 2.3.3 Ensure talk client is not installed
• 2.3.4 Ensure telnet client is not installed
• 2.3.5 Ensure LDAP client is not installed
• 2.3.6 Ensure RPC is not installed

Set Shadow Password Suite Parameters

• 5.5.1.1 Ensure minimum days between password changes is configured
• 5.5.1.2 Ensure password expiration is 365 days or less
• 5.5.1.3 Ensure password expiration warning days is 7 or more
• 5.5.1.4 Ensure inactive password lock is 30 days or less
• 5.5.1.5 Ensure all users last password change date is in the past

Special Purpose Services

• 2.2.1 Ensure X Window System is not installed
• 2.2.10 Ensure IMAP and POP3 server are not installed
• 2.2.11 Ensure Samba is not installed
• 2.2.12 Ensure HTTP Proxy Server is not installed
• 2.2.13 Ensure SNMP Server is not installed
• 2.2.14 Ensure NIS Server is not installed
• 2.2.15 Ensure mail transfer agent is configured for local-only mode
• 2.2.16 Ensure rsync service is either not installed or masked
• 2.2.2 Ensure Avahi Server is not installed
• 2.2.3 Ensure CUPS is not installed
• 2.2.4 Ensure DHCP Server is not installed
• 2.2.5 Ensure LDAP server is not installed
• 2.2.6 Ensure NFS is not installed
• 2.2.7 Ensure DNS Server is not installed
• 2.2.8 Ensure FTP Server is not installed
• 2.2.9 Ensure HTTP server is not installed

System File Permissions

• 6.1.1 Ensure permissions on /etc/passwd are configured
• 6.1.10 Ensure no unowned files or directories exist
• 6.1.11 Ensure no ungrouped files or directories exist
• 6.1.12 Audit SUID executables
• 6.1.13 Audit SGID executables
• 6.1.2 Ensure permissions on /etc/passwd- are configured
• 6.1.3 Ensure permissions on /etc/group are configured
• 6.1.4 Ensure permissions on /etc/group- are configured
• 6.1.5 Ensure permissions on /etc/shadow are configured
• 6.1.6 Ensure permissions on /etc/shadow- are configured
• 6.1.7 Ensure permissions on /etc/gshadow are configured
• E6.1.8 Ensure permissions on /etc/gshadow- are configured
• 6.1.9 Ensure no world writable files exist

System Maintenance

• 6.1.1 Ensure permissions on /etc/passwd are configured
• 6.1.10 Ensure no unowned files or directories exist
• 6.1.11 Ensure no ungrouped files or directories exist
• 6.1.12 Audit SUID executables
• 6.1.13 Audit SGID executables
• 6.1.2 Ensure permissions on /etc/passwd- are configured
• 6.1.3 Ensure permissions on /etc/group are configured
• 6.1.4 Ensure permissions on /etc/group- are configured
• 6.1.5 Ensure permissions on /etc/shadow are configured
• 6.1.6 Ensure permissions on /etc/shadow- are configured
• 6.1.7 Ensure permissions on /etc/gshadow are configured
• E6.1.8 Ensure permissions on /etc/gshadow- are configured
• 6.1.9 Ensure no world writable files exist
• 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords
• 6.2.10 Ensure root is the only UID 0 account
• 6.2.11 Ensure local interactive user home directories exist
• 6.2.12 Ensure local interactive users own their home directories
• 6.2.13 Ensure local interactive user home directories are mode 750 or more restrictive
• 6.2.14 Ensure no local interactive user has .netrc files
• 6.2.15 Ensure no local interactive user has .forward files
• 6.2.16 Ensue no local interactive user has .rhosts files
• 6.2.17 Ensure local interactive user dot files are not group or world writable
• 6.2.2 Ensure /etc/shadow password fields are not empty
• 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group
• 6.2.4 Ensure shadow group is empty
• 6.2.5 Ensure no duplicate UIDs exist
• 6.2.6 Ensure no duplicate GIDs exist
• 6.2.7 Ensure no duplicate user names exist
• 6.2.8 Ensure no duplicate group names exist
• 6.2.9 Ensure root PATH Integrity

T1003

• 5.4.4 Ensure password hashing algorithm is up to date with the latest standards
• 6.1.1 Ensure permissions on /etc/passwd are configured
• 6.1.2 Ensure permissions on /etc/passwd- are configured
• 6.1.3 Ensure permissions on /etc/group are configured
• 6.1.4 Ensure permissions on /etc/group- are configured
• 6.1.5 Ensure permissions on /etc/shadow are configured
• 6.1.6 Ensure permissions on /etc/shadow- are configured
• 6.1.7 Ensure permissions on /etc/gshadow are configured
• E6.1.8 Ensure permissions on /etc/gshadow- are configured
• 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords
• 6.2.4 Ensure shadow group is empty

T1003.008

• 5.4.4 Ensure password hashing algorithm is up to date with the latest standards
• 6.1.1 Ensure permissions on /etc/passwd are configured
• 6.1.2 Ensure permissions on /etc/passwd- are configured
• 6.1.3 Ensure permissions on /etc/group are configured
• 6.1.4 Ensure permissions on /etc/group- are configured
• 6.1.5 Ensure permissions on /etc/shadow are configured
• 6.1.6 Ensure permissions on /etc/shadow- are configured
• 6.1.7 Ensure permissions on /etc/gshadow are configured
• E6.1.8 Ensure permissions on /etc/gshadow- are configured
• 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords
• 6.2.4 Ensure shadow group is empty

T1005

• 1.1.10 Disable USB Storage
• 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
• 1.1.1.2 Ensure mounting of squashfs filesystems is disabled
• 1.1.1.3 Ensure mounting of udf filesystems is disabled
• 1.1.5.2 Ensure nodev option set on /var/log partition
• 1.5.4 Ensure core dumps are restricted
• 2.2.11 Ensure Samba is not installed
• 4.2.2.1 Ensure rsyslog is installed

T1011

• 3.1.2 Ensure wireless interfaces are disabled

T1018

• 1.7.3 Ensure remote login warning banner is configured properly
• 2.2.15 Ensure mail transfer agent is configured for local-only mode

T1021

• 5.2.10 Ensure SSH PermitUserEnvironment is disabled
• 5.2.4 Ensure SSH access is limited
• 5.2.6 Ensure SSH PAM is enabled
• 5.2.7 Ensure SSH root login is disabled
• 5.2.9 Ensure SSH PermitEmptyPasswords is disabled

T1021.004

• 5.2.4 Ensure SSH access is limited
• 5.2.6 Ensure SSH PAM is enabled

T1036

• 1.3.1 Ensure AIDE is installed
• 1.3.2 Ensure filesystem integrity is regularly checked

T1036.002

• 1.3.1 Ensure AIDE is installed
• 1.3.2 Ensure filesystem integrity is regularly checked

T1036.003

• 1.3.1 Ensure AIDE is installed
• 1.3.2 Ensure filesystem integrity is regularly checked

T1036.005

• 1.3.1 Ensure AIDE is installed
• 1.3.2 Ensure filesystem integrity is regularly checked

T1039

• 2.2.11 Ensure Samba is not installed

T1040

• 1.8.10 Ensure XDCMP is not enabled
• 2.3.2 Ensure rsh client is not installed
• 2.3.4 Ensure telnet client is not installed
• 5.2.13 Ensure only strong Ciphers are used
• 5.2.14 Ensure only strong MAC algorithms are used
• 5.2.15 Ensure only strong Key Exchange algorithms are used

T1048

• 5.2.16 Ensure SSH AllowTcpForwarding is disabled

T1048.002

• 5.2.16 Ensure SSH AllowTcpForwarding is disabled

T1049

• 6.2.16 Ensue no local interactive user has .rhosts files

T1053

• 5.1.2 Ensure permissions on /etc/crontab are configured
• 5.1.3 Ensure permissions on /etc/cron.hourly are configured
• 5.1.4 Ensure permissions on /etc/cron.daily are configured
• 5.1.5 Ensure permissions on /etc/cron.weekly are configured
• 5.1.6 Ensure permissions on /etc/cron.monthly are configured
• 5.1.7 Ensure permissions on /etc/cron.d are configured
• 5.1.8 Ensure cron is restricted to authorized users
• 5.1.9 Ensure at is restricted to authorized users

T1053.003

• 5.1.2 Ensure permissions on /etc/crontab are configured
• 5.1.3 Ensure permissions on /etc/cron.hourly are configured
• 5.1.4 Ensure permissions on /etc/cron.daily are configured
• 5.1.5 Ensure permissions on /etc/cron.weekly are configured
• 5.1.6 Ensure permissions on /etc/cron.monthly are configured
• 5.1.7 Ensure permissions on /etc/cron.d are configured
• 5.1.8 Ensure cron is restricted to authorized users
• 5.1.9 Ensure at is restricted to authorized users

T1055

• 1.5.2 Ensure prelink is not installed

T1055.001

• 1.5.2 Ensure prelink is not installed

T1055.009

• 1.5.2 Ensure prelink is not installed

T1056

• 1.8.10 Ensure XDCMP is not enabled

T1056.001

• 1.8.10 Ensure XDCMP is not enabled

T1065

• 1.5.2 Ensure prelink is not installed

T1068

• 1.1.9 Disable Automounting
• 1.2.1 Ensure package manager repositories are configured
• 1.5.1 Ensure address space layout randomization (ASLR) is enabled
• 1.6.1.1 Ensure AppArmor is installed
• 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration
• 1.6.1.4 Ensure all AppArmor Profiles are enforcing
• 3.1.3 Ensure DCCP is disabled
• 3.1.4 Ensure SCTP is disabled
• 3.1.5 Ensure RDS is disabled
• 3.1.6 Ensure TIPC is disabled

T1070

• 2.1.1.1 Ensure a single time synchronization daemon is in use
• 2.1.2.1 Ensure chrony is configured with authorized timeserver
• 2.1.3.1 Ensure systemd-timesyncd configured with authorized timeserver
• 2.1.4.2 Ensure ntp is configured with authorized timeserver
• 4.1.4.1 Ensure audit log files are mode 0640 or less permissive
• 4.1.4.10 Ensure audit tools belong to group root
• 4.1.4.11 Ensure cryptographic mechanisms are used to protect the integrity of audit tool
• 4.1.4.2 Ensure only authorized users own audit log files
• 4.1.4.3 Ensure only authorized groups are assigned ownership of audit log files
• 4.1.4.4 Ensure the audit log directory is 0750 or more restrictive
• 4.1.4.5 Ensure audit configuration files are 640 or more restrictive
• 4.1.4.6 Ensure audit configuration files are owned by root
• 4.1.4.7 Ensure audit configuration files belong to group root
• 4.1.4.8 Ensure audit tools are 755 or more restrictive
• 4.1.4.9 Ensure audit tools are owned by root
• 4.2.3 Ensure all logfiles have appropriate permissions and ownership
• 4.2.1.2 Ensure journald service is enabled
• 4.2.1.4 Ensure journald is configured to write logfiles to persistent disk
• 4.2.1.5 Ensure journald is not configured to send logs to rsyslog
• 4.2.1.6 Ensure journald log rotation is configured per site policy
• 4.2.1.7 Ensure journald default file permissions configured
• 4.2.1.1.1 Ensure systemd-journal-remote is installed
• 4.2.1.1.2 Ensure systemd-journal-remote is configured
• 4.2.1.1.3 Ensure systemd-journal-remote is enabled
• 4.2.1.1.4 Ensure journald is not configured to recieve logs from a remote client
• 4.2.2.1 Ensure rsyslog is installed
• 4.2.2.2 Ensure rsyslog service is enabled
• 4.2.2.4 Ensure rsyslog default file permissions are configured
• 4.2.2.5 Ensure logging is configured
• 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host
• 4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client

T1070.002

• 2.1.1.1 Ensure a single time synchronization daemon is in use
• 2.1.2.1 Ensure chrony is configured with authorized timeserver
• 2.1.3.1 Ensure systemd-timesyncd configured with authorized timeserver
• 2.1.4.2 Ensure ntp is configured with authorized timeserver
• 4.1.4.1 Ensure audit log files are mode 0640 or less permissive
• 4.1.4.10 Ensure audit tools belong to group root
• 4.1.4.11 Ensure cryptographic mechanisms are used to protect the integrity of audit tool
• 4.1.4.2 Ensure only authorized users own audit log files
• 4.1.4.3 Ensure only authorized groups are assigned ownership of audit log files
• 4.1.4.4 Ensure the audit log directory is 0750 or more restrictive
• 4.1.4.5 Ensure audit configuration files are 640 or more restrictive
• 4.1.4.6 Ensure audit configuration files are owned by root
• 4.1.4.7 Ensure audit configuration files belong to group root
• 4.1.4.8 Ensure audit tools are 755 or more restrictive
• 4.1.4.9 Ensure audit tools are owned by root
• 4.2.3 Ensure all logfiles have appropriate permissions and ownership
• 4.2.1.2 Ensure journald service is enabled
• 4.2.1.4 Ensure journald is configured to write logfiles to persistent disk
• 4.2.1.5 Ensure journald is not configured to send logs to rsyslog
• 4.2.1.6 Ensure journald log rotation is configured per site policy
• 4.2.1.7 Ensure journald default file permissions configured
• 4.2.1.1.1 Ensure systemd-journal-remote is installed
• 4.2.1.1.2 Ensure systemd-journal-remote is configured
• 4.2.1.1.3 Ensure systemd-journal-remote is enabled
• 4.2.1.1.4 Ensure journald is not configured to recieve logs from a remote client
• 4.2.2.1 Ensure rsyslog is installed
• 4.2.2.2 Ensure rsyslog service is enabled
• 4.2.2.4 Ensure rsyslog default file permissions are configured
• 4.2.2.5 Ensure logging is configured
• 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host
• 4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client

T1078

• 1.8.3 Ensure GDM disable-user-list option is enabled
• 5.2.11 Ensure SSH IgnoreRhosts is enabled
• 5.2.22 Ensure SSH Idle Timeout Interval is configured
• 5.2.8 Ensure SSH HostbasedAuthentication is disabled
• 5.3.1 Ensure sudo is installed
• 5.4.1 Ensure password creation requirements are configured
• 5.4.3 Ensure password reuse is limited
• 5.5.2 Ensure system accounts are secured
• 5.5.5 Ensure default user shell timeout is 900 seconds or less
• 5.5.1.1 Ensure minimum days between password changes is configured
• 5.5.1.2 Ensure password expiration is 365 days or less
• 5.5.1.4 Ensure inactive password lock is 30 days or less
• 5.5.1.5 Ensure all users last password change date is in the past
• 6.2.2 Ensure /etc/shadow password fields are not empty
• 6.2.5 Ensure no duplicate UIDs exist
• 6.2.6 Ensure no duplicate GIDs exist
• 6.2.7 Ensure no duplicate user names exist
• 6.2.8 Ensure no duplicate group names exist

T1078.001

• 1.8.3 Ensure GDM disable-user-list option is enabled
• 5.2.11 Ensure SSH IgnoreRhosts is enabled
• 5.2.22 Ensure SSH Idle Timeout Interval is configured
• 5.2.8 Ensure SSH HostbasedAuthentication is disabled
• 5.4.1 Ensure password creation requirements are configured
• 5.4.3 Ensure password reuse is limited
• 5.5.2 Ensure system accounts are secured
• 5.5.5 Ensure default user shell timeout is 900 seconds or less
• 5.5.1.1 Ensure minimum days between password changes is configured
• 5.5.1.2 Ensure password expiration is 365 days or less
• 5.5.1.5 Ensure all users last password change date is in the past
• 6.2.2 Ensure /etc/shadow password fields are not empty
• 6.2.5 Ensure no duplicate UIDs exist
• 6.2.6 Ensure no duplicate GIDs exist
• 6.2.7 Ensure no duplicate user names exist
• 6.2.8 Ensure no duplicate group names exist

T1078.002

• 1.8.3 Ensure GDM disable-user-list option is enabled
• 5.2.22 Ensure SSH Idle Timeout Interval is configured
• 5.4.1 Ensure password creation requirements are configured
• 5.4.3 Ensure password reuse is limited
• 5.5.5 Ensure default user shell timeout is 900 seconds or less
• 5.5.1.1 Ensure minimum days between password changes is configured
• 5.5.1.2 Ensure password expiration is 365 days or less
• 5.5.1.4 Ensure inactive password lock is 30 days or less
• 5.5.1.5 Ensure all users last password change date is in the past

T1078.003

• 1.8.3 Ensure GDM disable-user-list option is enabled
• 5.2.11 Ensure SSH IgnoreRhosts is enabled
• 5.2.22 Ensure SSH Idle Timeout Interval is configured
• 5.2.8 Ensure SSH HostbasedAuthentication is disabled
• 5.3.1 Ensure sudo is installed
• 5.4.1 Ensure password creation requirements are configured
• 5.4.3 Ensure password reuse is limited
• 5.5.2 Ensure system accounts are secured
• 5.5.5 Ensure default user shell timeout is 900 seconds or less
• 5.5.1.1 Ensure minimum days between password changes is configured
• 5.5.1.2 Ensure password expiration is 365 days or less
• 5.5.1.4 Ensure inactive password lock is 30 days or less
• 5.5.1.5 Ensure all users last password change date is in the past
• 6.2.2 Ensure /etc/shadow password fields are not empty
• 6.2.5 Ensure no duplicate UIDs exist
• 6.2.6 Ensure no duplicate GIDs exist
• 6.2.7 Ensure no duplicate user names exist
• 6.2.8 Ensure no duplicate group names exist

T1078.004

• 5.4.1 Ensure password creation requirements are configured
• 5.4.3 Ensure password reuse is limited
• 5.5.1.1 Ensure minimum days between password changes is configured
• 5.5.1.2 Ensure password expiration is 365 days or less
• 5.5.1.5 Ensure all users last password change date is in the past

T1082

• 1.7.1 Ensure message of the day is configured properly
• 1.7.2 Ensure local login warning banner is configured properly
• 1.7.3 Ensure remote login warning banner is configured properly

T1083

• 2.2.11 Ensure Samba is not installed
• 4.1.4.1 Ensure audit log files are mode 0640 or less permissive
• 4.1.4.10 Ensure audit tools belong to group root
• 4.1.4.11 Ensure cryptographic mechanisms are used to protect the integrity of audit tool
• 4.1.4.2 Ensure only authorized users own audit log files
• 4.1.4.3 Ensure only authorized groups are assigned ownership of audit log files
• 4.1.4.4 Ensure the audit log directory is 0750 or more restrictive
• 4.1.4.5 Ensure audit configuration files are 640 or more restrictive
• 4.1.4.6 Ensure audit configuration files are owned by root
• 4.1.4.7 Ensure audit configuration files belong to group root
• 4.1.4.8 Ensure audit tools are 755 or more restrictive
• 4.1.4.9 Ensure audit tools are owned by root
• 4.2.3 Ensure all logfiles have appropriate permissions and ownership
• 4.2.1.7 Ensure journald default file permissions configured
• 4.2.2.4 Ensure rsyslog default file permissions are configured

T1087

• 1.8.3 Ensure GDM disable-user-list option is enabled

T1087.001

• 1.8.3 Ensure GDM disable-user-list option is enabled

T1087.002

• 1.8.3 Ensure GDM disable-user-list option is enabled

T1091

• 1.8.8 Ensure GDM autorun-never is enabled
• 1.8.9 Ensure GDM autorun-never is not overridden

T1098

• 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured

T1098.004

• 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured

T1105

• 2.2.16 Ensure rsync service is either not installed or masked

T1110

• 5.2.18 Ensure SSH MaxAuthTries is set to 4 or less
• 5.2.21 Ensure SSH LoginGraceTime is set to one minute or less
• 5.4.1 Ensure password creation requirements are configured
• 5.4.2 Ensure lockout for failed password attempts is configured
• 5.4.3 Ensure password reuse is limited
• 5.4.4 Ensure password hashing algorithm is up to date with the latest standards
• 5.5.1.1 Ensure minimum days between password changes is configured
• 5.5.1.2 Ensure password expiration is 365 days or less
• 5.5.1.5 Ensure all users last password change date is in the past

T1110.001

• 5.2.18 Ensure SSH MaxAuthTries is set to 4 or less
• 5.4.1 Ensure password creation requirements are configured
• 5.4.2 Ensure lockout for failed password attempts is configured
• 5.5.1.2 Ensure password expiration is 365 days or less
• 5.5.1.5 Ensure all users last password change date is in the past

T1110.002

• 5.4.1 Ensure password creation requirements are configured
• 5.4.4 Ensure password hashing algorithm is up to date with the latest standards
• 5.5.1.2 Ensure password expiration is 365 days or less
• 5.5.1.5 Ensure all users last password change date is in the past

T1110.003

• 5.2.18 Ensure SSH MaxAuthTries is set to 4 or less
• 5.2.21 Ensure SSH LoginGraceTime is set to one minute or less
• 5.4.1 Ensure password creation requirements are configured
• 5.4.2 Ensure lockout for failed password attempts is configured
• 5.5.1.2 Ensure password expiration is 365 days or less
• 5.5.1.5 Ensure all users last password change date is in the past

T1110.004

• 5.2.21 Ensure SSH LoginGraceTime is set to one minute or less
• 5.4.3 Ensure password reuse is limited
• 5.5.1.1 Ensure minimum days between password changes is configured
• 5.5.1.2 Ensure password expiration is 365 days or less
• 5.5.1.5 Ensure all users last password change date is in the past

T1114

• 6.2.15 Ensure no local interactive user has .forward files

T1114.003

• 6.2.15 Ensure no local interactive user has .forward files

T1135

• 2.2.11 Ensure Samba is not installed

T1152

• 6.2.14 Ensure no local interactive user has .netrc files
• 6.2.17 Ensure local interactive user dot files are not group or world writable

T1152.001

• 6.2.14 Ensure no local interactive user has .netrc files

T1152.003

• 6.2.17 Ensure local interactive user dot files are not group or world writable

T1152.004

• 6.2.17 Ensure local interactive user dot files are not group or world writable

T1195

• 1.2.1 Ensure package manager repositories are configured
• 1.2.2 Ensure GPG keys are configured

T1195.001

• 1.2.1 Ensure package manager repositories are configured
• 1.2.2 Ensure GPG keys are configured

T1195.002

• 1.2.1 Ensure package manager repositories are configured
• 1.2.2 Ensure GPG keys are configured

T1200

• 1.1.2.2 Ensure nodev option set on /tmp partition
• 1.1.3.2 Ensure nodev option set on /var partition
• 1.1.4.4 Ensure nodev option set on /var/tmp partition
• 1.1.5.1 Ensure separate partition exists for /var/log
• 1.1.6.3 Ensure nodev option set on /var/log/audit partition
• 1.1.7.2 Ensure nodev option set on /home partition
• 1.1.8.1 Ensure nodev option set on /dev/shm partition
• 1.1.8.2 Ensure noexec option set on /dev/shm partition

T1203

• 1.1.9 Disable Automounting
• 1.2.1 Ensure package manager repositories are configured
• 2.4 Ensure nonessential services are removed or masked
• 2.2.1 Ensure X Window System is not installed
• 2.2.10 Ensure IMAP and POP3 server are not installed
• 2.2.11 Ensure Samba is not installed
• 2.2.12 Ensure HTTP Proxy Server is not installed
• 2.2.13 Ensure SNMP Server is not installed
• 2.2.14 Ensure NIS Server is not installed
• 2.2.16 Ensure rsync service is either not installed or masked
• 2.2.2 Ensure Avahi Server is not installed
• 2.2.3 Ensure CUPS is not installed
• 2.2.4 Ensure DHCP Server is not installed
• 2.2.5 Ensure LDAP server is not installed
• 2.2.7 Ensure DNS Server is not installed
• 2.2.8 Ensure FTP Server is not installed
• 2.2.9 Ensure HTTP server is not installed
• 2.3.1 Ensure NIS Client is not installed
• 2.3.2 Ensure rsh client is not installed
• 2.3.3 Ensure talk client is not installed
• 2.3.4 Ensure telnet client is not installed
• 2.3.5 Ensure LDAP client is not installed
• 2.3.6 Ensure RPC is not installed

T1204

• 1.1.2.3 Ensure noexec option set on /tmp partition
• 1.1.4.2 Ensure noexec option set on /var/tmp partition
• 1.1.5.3 Ensure noexec option set on /var/log partition
• 1.1.6.2 Ensure noexec option set on /var/log/audit partition
• 6.2.9 Ensure root PATH Integrity

T1204.002

• 1.1.2.3 Ensure noexec option set on /tmp partition
• 1.1.4.2 Ensure noexec option set on /var/tmp partition
• 1.1.5.3 Ensure noexec option set on /var/log partition
• 1.1.6.2 Ensure noexec option set on /var/log/audit partition
• 6.2.9 Ensure root PATH Integrity

T1210

• 1.2.1 Ensure package manager repositories are configured
• 2.4 Ensure nonessential services are removed or masked
• 2.2.1 Ensure X Window System is not installed
• 2.2.10 Ensure IMAP and POP3 server are not installed
• 2.2.11 Ensure Samba is not installed
• 2.2.12 Ensure HTTP Proxy Server is not installed
• 2.2.13 Ensure SNMP Server is not installed
• 2.2.14 Ensure NIS Server is not installed
• 2.2.15 Ensure mail transfer agent is configured for local-only mode
• 2.2.16 Ensure rsync service is either not installed or masked
• 2.2.2 Ensure Avahi Server is not installed
• 2.2.3 Ensure CUPS is not installed
• 2.2.4 Ensure DHCP Server is not installed
• 2.2.5 Ensure LDAP server is not installed
• 2.2.7 Ensure DNS Server is not installed
• 2.2.8 Ensure FTP Server is not installed
• 2.2.9 Ensure HTTP server is not installed
• 3.1.3 Ensure DCCP is disabled
• 3.1.4 Ensure SCTP is disabled
• 3.1.5 Ensure RDS is disabled
• 3.1.6 Ensure TIPC is disabled
• 5.2.12 Ensure SSH X11 forwarding is disabled

T1211

• 1.1.9 Disable Automounting
• 1.2.1 Ensure package manager repositories are configured

T1212

• 1.1.9 Disable Automounting
• 1.2.1 Ensure package manager repositories are configured

T1222

• 1.7.4 Ensure permissions on /etc/motd are configured
• 1.7.5 Ensure permissions on /etc/issue are configured
• 1.7.6 Ensure permissions on /etc/issue.net are configured
• 6.1.1 Ensure permissions on /etc/passwd are configured
• 6.1.10 Ensure no unowned files or directories exist
• 6.1.11 Ensure no ungrouped files or directories exist
• 6.1.2 Ensure permissions on /etc/passwd- are configured
• 6.1.3 Ensure permissions on /etc/group are configured
• 6.1.4 Ensure permissions on /etc/group- are configured
• 6.1.5 Ensure permissions on /etc/shadow are configured
• 6.1.6 Ensure permissions on /etc/shadow- are configured
• 6.1.7 Ensure permissions on /etc/gshadow are configured
• E6.1.8 Ensure permissions on /etc/gshadow- are configured
• 6.1.9 Ensure no world writable files exist
• 6.2.12 Ensure local interactive users own their home directories
• 6.2.13 Ensure local interactive user home directories are mode 750 or more restrictive
• 6.2.17 Ensure local interactive user dot files are not group or world writable
• 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group

T1222.001

• 6.2.17 Ensure local interactive user dot files are not group or world writable

T1222.002

• 1.7.4 Ensure permissions on /etc/motd are configured
• 1.7.5 Ensure permissions on /etc/issue are configured
• 1.7.6 Ensure permissions on /etc/issue.net are configured
• 6.1.1 Ensure permissions on /etc/passwd are configured
• 6.1.10 Ensure no unowned files or directories exist
• 6.1.11 Ensure no ungrouped files or directories exist
• 6.1.2 Ensure permissions on /etc/passwd- are configured
• 6.1.3 Ensure permissions on /etc/group are configured
• 6.1.4 Ensure permissions on /etc/group- are configured
• 6.1.5 Ensure permissions on /etc/shadow are configured
• 6.1.6 Ensure permissions on /etc/shadow- are configured
• 6.1.7 Ensure permissions on /etc/gshadow are configured
• E6.1.8 Ensure permissions on /etc/gshadow- are configured
• 6.1.9 Ensure no world writable files exist
• 6.2.12 Ensure local interactive users own their home directories
• 6.2.13 Ensure local interactive user home directories are mode 750 or more restrictive
• 6.2.17 Ensure local interactive user dot files are not group or world writable
• 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group

T1498

• 2.1.4.2 Ensure ntp is configured with authorized timeserver
• 3.3.5 Ensure broadcast ICMP requests are ignored
• 3.3.7 Ensure Reverse Path Filtering is enabled

T1498.001

• 3.3.5 Ensure broadcast ICMP requests are ignored
• 3.3.7 Ensure Reverse Path Filtering is enabled

T1498.002

• 2.1.4.2 Ensure ntp is configured with authorized timeserver

T1499

• 1.1.2.1 Ensure /tmp is a separate partition
• 1.1.3.1 Ensure separate partition exists for /var
• 1.1.4.1 Ensure separate partition exists for /var/tmp
• 1.1.6.1 Ensure separate partition exists for /var/log/audit
• 1.1.7.1 Ensure separate partition exists for /home
• 3.3.8 Ensure TCP SYN Cookies is enabled
• 5.2.19 Ensure SSH MaxStartups is configured
• 5.2.20 Ensure SSH MaxSessions is set to 10 or less
• 5.2.21 Ensure SSH LoginGraceTime is set to one minute or less

T1499.001

• 1.1.2.1 Ensure /tmp is a separate partition
• 1.1.3.1 Ensure separate partition exists for /var
• 1.1.4.1 Ensure separate partition exists for /var/tmp
• 1.1.6.1 Ensure separate partition exists for /var/log/audit
• 1.1.7.1 Ensure separate partition exists for /home
• 3.3.8 Ensure TCP SYN Cookies is enabled

T1499.002

• 5.2.19 Ensure SSH MaxStartups is configured
• 5.2.20 Ensure SSH MaxSessions is set to 10 or less
• 5.2.21 Ensure SSH LoginGraceTime is set to one minute or less

T1542

• 1.4.1 Ensure bootloader password is set
• 1.4.2 Ensure permissions on bootloader config are configured

T1543

• 1.8.1 Ensure GNOME Display Manager is removed
• 2.4 Ensure nonessential services are removed or masked
• 2.2.1 Ensure X Window System is not installed
• 2.2.10 Ensure IMAP and POP3 server are not installed
• 2.2.11 Ensure Samba is not installed
• 2.2.12 Ensure HTTP Proxy Server is not installed
• 2.2.13 Ensure SNMP Server is not installed
• 2.2.14 Ensure NIS Server is not installed
• 2.2.16 Ensure rsync service is either not installed or masked
• 2.2.2 Ensure Avahi Server is not installed
• 2.2.3 Ensure CUPS is not installed
• 2.2.4 Ensure DHCP Server is not installed
• 2.2.5 Ensure LDAP server is not installed
• 2.2.7 Ensure DNS Server is not installed
• 2.2.8 Ensure FTP Server is not installed
• 2.2.9 Ensure HTTP server is not installed
• 2.3.1 Ensure NIS Client is not installed
• 2.3.2 Ensure rsh client is not installed
• 2.3.3 Ensure talk client is not installed
• 2.3.4 Ensure telnet client is not installed
• 2.3.5 Ensure LDAP client is not installed
• 2.3.6 Ensure RPC is not installed
• 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured

T1543.002

• 1.8.1 Ensure GNOME Display Manager is removed
• 2.4 Ensure nonessential services are removed or masked
• 2.2.1 Ensure X Window System is not installed
• 2.2.10 Ensure IMAP and POP3 server are not installed
• 2.2.11 Ensure Samba is not installed
• 2.2.12 Ensure HTTP Proxy Server is not installed
• 2.2.13 Ensure SNMP Server is not installed
• 2.2.14 Ensure NIS Server is not installed
• 2.2.16 Ensure rsync service is either not installed or masked
• 2.2.2 Ensure Avahi Server is not installed
• 2.2.3 Ensure CUPS is not installed
• 2.2.4 Ensure DHCP Server is not installed
• 2.2.5 Ensure LDAP server is not installed
• 2.2.7 Ensure DNS Server is not installed
• 2.2.8 Ensure FTP Server is not installed
• 2.2.9 Ensure HTTP server is not installed
• 2.3.1 Ensure NIS Client is not installed
• 2.3.2 Ensure rsh client is not installed
• 2.3.3 Ensure talk client is not installed
• 2.3.4 Ensure telnet client is not installed
• 2.3.5 Ensure LDAP client is not installed
• 2.3.6 Ensure RPC is not installed
• 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured

T1548

• 1.1.2.4 Ensure nosuid option set on /tmp partition
• 1.1.3.3 Ensure nosuid option set on /var partition
• 1.1.4.3 Ensure nosuid option set on /var/tmp partition
• 1.1.5.4 Ensure nosuid option set on /var/log partition
• 1.1.6.4 Ensure nosuid option set on /var/log/audit partition
• 1.1.7.3 Ensure nosuid option set on /home partition
• 1.1.8.3 Ensure nosuid option set on /dev/shm partition
• 1.4.3 Ensure authentication required for single user mode
• 5.3.2 Ensure sudo commands use pty
• 5.3.7 Ensure access to the su command is restricted
• 5.5.3 Ensure default group for the root account is GID 0
• 6.1.12 Audit SUID executables
• 6.1.13 Audit SGID executables
• 6.2.10 Ensure root is the only UID 0 account

T1548.001

• 1.1.9 Disable Automounting
• 1.1.2.4 Ensure nosuid option set on /tmp partition
• 1.1.3.3 Ensure nosuid option set on /var partition
• 1.1.4.3 Ensure nosuid option set on /var/tmp partition
• 1.1.5.4 Ensure nosuid option set on /var/log partition
• 1.1.6.4 Ensure nosuid option set on /var/log/audit partition
• 1.1.7.3 Ensure nosuid option set on /home partition
• 1.1.8.3 Ensure nosuid option set on /dev/shm partition
• 6.1.12 Audit SUID executables
• 6.1.13 Audit SGID executables

T1548.003

• 5.3.2 Ensure sudo commands use pty

T1552

• 5.2.2 Ensure permissions on SSH private host key files are configured

T1552.004

• 5.2.2 Ensure permissions on SSH private host key files are configured

T1557

• 1.8.10 Ensure XDCMP is not enabled
• 3.1.1 Ensure system is checked to determine if IPv6 is enabled
• 3.2.1 Ensure packet redirect sending is disabled
• 3.2.2 Ensure IP forwarding is disabled
• 3.3.2 Ensure ICMP redirects are not accepted
• 3.3.3 Ensure secure ICMP redirects are not accepted
• 3.3.9 Ensure IPv6 router advertisements are not accepted
• 5.2.13 Ensure only strong Ciphers are used
• 5.2.14 Ensure only strong MAC algorithms are used
• 5.2.15 Ensure only strong Key Exchange algorithms are used
• 5.2.3 Ensure permissions on SSH public host key files are configured

T1562

• 2.1.1.1 Ensure a single time synchronization daemon is in use
• 2.1.2.1 Ensure chrony is configured with authorized timeserver
• 2.1.3.1 Ensure systemd-timesyncd configured with authorized timeserver
• 2.1.4.2 Ensure ntp is configured with authorized timeserver
• 3.3.4 Ensure suspicious packets are logged
• 3.3.6 Ensure bogus ICMP responses are ignored
• 3.5.1.1 Ensure ufw is installed
• 3.5.1.2 Ensure iptables-persistent is not installed with ufw
• 3.5.1.3 Ensure ufw service is enabled
• 3.5.1.4 Ensure ufw loopback traffic is configured
• 3.5.1.6 Ensure ufw firewall rules exist for all open ports
• 3.5.1.7 Ensure ufw default deny firewall policy
• 3.5.2.1 Ensure nftables is installed
• 3.5.2.10 Ensure nftables rules are permanent
• 3.5.2.2 Ensure ufw is uninstalled or disabled with nftables
• 3.5.2.3 Ensure iptables are flushed with nftables
• 3.5.2.4 Ensure a nftables table exists
• 3.5.2.5 Ensure nftables base chains exist
• 3.5.2.6 Ensure nftables loopback traffic is configured
• 3.5.2.7 Ensure nftables outbound and established connections are configured
• 3.5.2.8 Ensure nftables default deny firewall policy
• 3.5.2.9 Ensure nftables service is enabled
• 3.5.3.1.1 Ensure iptables packages are installed
• 3.5.3.1.2 Ensure nftables is not installed with iptables
• 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables
• 3.5.3.2.1 Ensure iptables default deny firewall policy
• 3.5.3.2.2 Ensure iptables loopback traffic is configured
• 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports
• 3.5.3.3.1 Ensure ip6tables default deny firewall policy
• 3.5.3.3.2 Ensure ip6tables loopback traffic is configured
• 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports
• 4.1.1.1 Ensure auditd is installed
• 4.1.1.2 Ensure auditd service is enabled and active
• 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled
• 4.1.1.4 Ensure audit_backlog_limit is sufficient
• 4.1.2.1 Ensure audit log storage size is configured
• 4.1.2.2 Ensure audit logs are not automatically deleted
• 4.1.2.3 Ensure system is disabled when audit logs are full
• 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected
• 4.1.3.10 Ensure successful file system mounts are collected
• 4.1.3.11 Ensure session initiation information is collected
• 4.1.3.12 Ensure login and logout events are collected
• 4.1.3.13 Ensure file deletion events by users are collected
• 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected
• 4.1.3.19 Ensure kernel module loading unloading and modification is collected
• 4.1.3.2 Ensure actions as another user are always logged
• 4.1.3.20 Ensure the audit configuration is immutable
• 4.1.3.4 Ensure events that modify date and time information are collected
• 4.1.3.5 Ensure events that modify the system's network environment are collected
• 4.1.3.6 Ensure use of privileged commands are collected
• 4.1.3.7 Ensure unsuccessful file access attempts are collected
• 4.1.3.8 Ensure events that modify user/group information are collected
• 4.1.3.9 Ensure discretionary access control permission modification events are collected
• 4.2.1.2 Ensure journald service is enabled
• 4.2.1.3 Ensure journald is configured to compress large log files
• 4.2.1.4 Ensure journald is configured to write logfiles to persistent disk
• 4.2.1.5 Ensure journald is not configured to send logs to rsyslog
• 4.2.1.1.1 Ensure systemd-journal-remote is installed
• 4.2.1.1.2 Ensure systemd-journal-remote is configured
• 4.2.1.1.3 Ensure systemd-journal-remote is enabled
• 4.2.1.1.4 Ensure journald is not configured to recieve logs from a remote client
• 4.2.2.2 Ensure rsyslog service is enabled
• 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host
• 4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client
• 5.1.1 Ensure cron daemon is enabled and running
• 5.2.5 Ensure SSH LogLevel is appropriate
• 5.3.3 Ensure sudo log file exists

T1562.001

• 2.1.1.1 Ensure a single time synchronization daemon is in use
• 2.1.2.1 Ensure chrony is configured with authorized timeserver
• 2.1.3.1 Ensure systemd-timesyncd configured with authorized timeserver
• 2.1.4.2 Ensure ntp is configured with authorized timeserver
• 4.1.1.1 Ensure auditd is installed
• 4.1.1.2 Ensure auditd service is enabled and active
• 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled
• 4.1.1.4 Ensure audit_backlog_limit is sufficient
• 4.1.3.20 Ensure the audit configuration is immutable
• 4.2.1.2 Ensure journald service is enabled
• 4.2.2.2 Ensure rsyslog service is enabled
• 5.1.1 Ensure cron daemon is enabled and running

T1562.002

• 4.2.1.3 Ensure journald is configured to compress large log files

T1562.004

• 3.5.1.1 Ensure ufw is installed
• 3.5.1.2 Ensure iptables-persistent is not installed with ufw
• 3.5.1.3 Ensure ufw service is enabled
• 3.5.1.4 Ensure ufw loopback traffic is configured
• 3.5.1.6 Ensure ufw firewall rules exist for all open ports
• 3.5.1.7 Ensure ufw default deny firewall policy
• 3.5.2.1 Ensure nftables is installed
• 3.5.2.10 Ensure nftables rules are permanent
• 3.5.2.2 Ensure ufw is uninstalled or disabled with nftables
• 3.5.2.3 Ensure iptables are flushed with nftables
• 3.5.2.4 Ensure a nftables table exists
• 3.5.2.5 Ensure nftables base chains exist
• 3.5.2.6 Ensure nftables loopback traffic is configured
• 3.5.2.8 Ensure nftables default deny firewall policy
• 3.5.2.9 Ensure nftables service is enabled
• 3.5.3.1.1 Ensure iptables packages are installed
• 3.5.3.1.2 Ensure nftables is not installed with iptables
• 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables
• 3.5.3.2.1 Ensure iptables default deny firewall policy
• 3.5.3.2.2 Ensure iptables loopback traffic is configured
• 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports
• 3.5.3.3.1 Ensure ip6tables default deny firewall policy
• 3.5.3.3.2 Ensure ip6tables loopback traffic is configured
• 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports

T1562.006

• 3.3.4 Ensure suspicious packets are logged
• 3.3.6 Ensure bogus ICMP responses are ignored
• 4.1.2.1 Ensure audit log storage size is configured
• 4.1.2.2 Ensure audit logs are not automatically deleted
• 4.1.2.3 Ensure system is disabled when audit logs are full
• 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected
• 4.1.3.10 Ensure successful file system mounts are collected
• 4.1.3.11 Ensure session initiation information is collected
• 4.1.3.12 Ensure login and logout events are collected
• 4.1.3.13 Ensure file deletion events by users are collected
• 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected
• 4.1.3.19 Ensure kernel module loading unloading and modification is collected
• 4.1.3.2 Ensure actions as another user are always logged
• 4.1.3.4 Ensure events that modify date and time information are collected
• 4.1.3.5 Ensure events that modify the system's network environment are collected
• 4.1.3.6 Ensure use of privileged commands are collected
• 4.1.3.7 Ensure unsuccessful file access attempts are collected
• 4.1.3.8 Ensure events that modify user/group information are collected
• 4.1.3.9 Ensure discretionary access control permission modification events are collected
• 4.2.1.4 Ensure journald is configured to write logfiles to persistent disk
• 4.2.1.5 Ensure journald is not configured to send logs to rsyslog
• 4.2.1.1.1 Ensure systemd-journal-remote is installed
• 4.2.1.1.2 Ensure systemd-journal-remote is configured
• 4.2.1.1.3 Ensure systemd-journal-remote is enabled
• 4.2.1.1.4 Ensure journald is not configured to recieve logs from a remote client
• 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host
• 4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client
• 5.2.5 Ensure SSH LogLevel is appropriate
• 5.3.3 Ensure sudo log file exists

T1565

• 1.3.1 Ensure AIDE is installed
• 1.3.2 Ensure filesystem integrity is regularly checked
• 1.6.1.1 Ensure AppArmor is installed
• 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration
• 1.6.1.4 Ensure all AppArmor Profiles are enforcing
• 5.5.4 Ensure default user umask is 027 or more restrictive

T1565.001

• 1.3.1 Ensure AIDE is installed
• 1.3.2 Ensure filesystem integrity is regularly checked
• 1.6.1.1 Ensure AppArmor is installed
• 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration
• 1.6.1.4 Ensure all AppArmor Profiles are enforcing
• 5.5.4 Ensure default user umask is 027 or more restrictive

T1565.003

• 1.6.1.1 Ensure AppArmor is installed
• 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration
• 1.6.1.4 Ensure all AppArmor Profiles are enforcing

T1570

• 2.2.16 Ensure rsync service is either not installed or masked
• 2.3.1 Ensure NIS Client is not installed
• 2.3.2 Ensure rsh client is not installed

T1572

• 5.2.16 Ensure SSH AllowTcpForwarding is disabled

T1590

• 3.3.1 Ensure source routed packets are not accepted

T1590.005

• 3.3.1 Ensure source routed packets are not accepted

T1592

• 1.7.1 Ensure message of the day is configured properly
• 1.7.2 Ensure local login warning banner is configured properly
• 1.7.3 Ensure remote login warning banner is configured properly

T1592.004

• 1.7.1 Ensure message of the day is configured properly
• 1.7.2 Ensure local login warning banner is configured properly
• 1.7.3 Ensure remote login warning banner is configured properly

T1595

• 3.1.1 Ensure system is checked to determine if IPv6 is enabled
• 3.1.2 Ensure wireless interfaces are disabled

T1595.001

• 3.1.1 Ensure system is checked to determine if IPv6 is enabled
• 3.1.2 Ensure wireless interfaces are disabled

T1595.002

• 3.1.1 Ensure system is checked to determine if IPv6 is enabled
• 3.1.2 Ensure wireless interfaces are disabled

TA0001

• 1.2.1 Ensure package manager repositories are configured
• 1.2.2 Ensure GPG keys are configured
• 4.1.3.11 Ensure session initiation information is collected
• 4.1.3.12 Ensure login and logout events are collected
• 5.2.11 Ensure SSH IgnoreRhosts is enabled
• 5.2.17 Ensure SSH warning banner is configured
• 5.2.22 Ensure SSH Idle Timeout Interval is configured
• 5.2.6 Ensure SSH PAM is enabled
• 5.2.8 Ensure SSH HostbasedAuthentication is disabled
• 5.3.1 Ensure sudo is installed
• 5.5.1.4 Ensure inactive password lock is 30 days or less
• 6.2.10 Ensure root is the only UID 0 account

TA0002

• 1.5.1 Ensure address space layout randomization (ASLR) is enabled
• 1.5.2 Ensure prelink is not installed
• 1.8.1 Ensure GNOME Display Manager is removed
• 1.8.10 Ensure XDCMP is not enabled
• 2.1.4.2 Ensure ntp is configured with authorized timeserver
• 4.1.3.6 Ensure use of privileged commands are collected
• 5.1.2 Ensure permissions on /etc/crontab are configured
• 5.1.3 Ensure permissions on /etc/cron.hourly are configured
• 5.1.4 Ensure permissions on /etc/cron.daily are configured
• 5.1.5 Ensure permissions on /etc/cron.weekly are configured
• 5.1.6 Ensure permissions on /etc/cron.monthly are configured
• 5.1.7 Ensure permissions on /etc/cron.d are configured
• 5.1.8 Ensure cron is restricted to authorized users
• 5.1.9 Ensure at is restricted to authorized users

TA0003

• 1.4.1 Ensure bootloader password is set
• 1.6.1.1 Ensure AppArmor is installed
• 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration
• 4.1.3.5 Ensure events that modify the system's network environment are collected
• 5.2.2 Ensure permissions on SSH private host key files are configured
• 5.2.3 Ensure permissions on SSH public host key files are configured
• 5.3.2 Ensure sudo commands use pty
• 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords
• 6.2.2 Ensure /etc/shadow password fields are not empty
• 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group

TA0004

• 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected
• 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected
• 4.1.3.19 Ensure kernel module loading unloading and modification is collected
• 4.1.3.2 Ensure actions as another user are always logged
• 4.1.3.8 Ensure events that modify user/group information are collected
• 5.3.3 Ensure sudo log file exists
• 6.1.12 Audit SUID executables
• 6.1.13 Audit SGID executables
• 6.2.7 Ensure no duplicate user names exist
• 6.2.8 Ensure no duplicate group names exist

TA0005

• 1.1.10 Disable USB Storage
• 1.1.9 Disable Automounting
• 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
• 1.1.1.2 Ensure mounting of squashfs filesystems is disabled
• 1.1.1.3 Ensure mounting of udf filesystems is disabled
• 1.1.2.1 Ensure /tmp is a separate partition
• 1.1.2.2 Ensure nodev option set on /tmp partition
• 1.1.2.3 Ensure noexec option set on /tmp partition
• 1.1.2.4 Ensure nosuid option set on /tmp partition
• 1.1.3.2 Ensure nodev option set on /var partition
• 1.1.3.3 Ensure nosuid option set on /var partition
• 1.1.4.1 Ensure separate partition exists for /var/tmp
• 1.1.4.2 Ensure noexec option set on /var/tmp partition
• 1.1.4.3 Ensure nosuid option set on /var/tmp partition
• 1.1.4.4 Ensure nodev option set on /var/tmp partition
• 1.1.5.1 Ensure separate partition exists for /var/log
• 1.1.5.2 Ensure nodev option set on /var/log partition
• 1.1.5.3 Ensure noexec option set on /var/log partition
• 1.1.5.4 Ensure nosuid option set on /var/log partition
• 1.1.6.1 Ensure separate partition exists for /var/log/audit
• 1.1.6.2 Ensure noexec option set on /var/log/audit partition
• 1.1.6.3 Ensure nodev option set on /var/log/audit partition
• 1.1.6.4 Ensure nosuid option set on /var/log/audit partition
• 1.1.7.1 Ensure separate partition exists for /home
• 1.1.7.2 Ensure nodev option set on /home partition
• 1.1.7.3 Ensure nosuid option set on /home partition
• 1.1.8.1 Ensure nodev option set on /dev/shm partition
• 1.1.8.2 Ensure noexec option set on /dev/shm partition
• 1.1.8.3 Ensure nosuid option set on /dev/shm partition
• 1.4.2 Ensure permissions on bootloader config are configured
• 1.4.3 Ensure authentication required for single user mode
• 1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode
• 1.6.1.4 Ensure all AppArmor Profiles are enforcing
• 1.7.4 Ensure permissions on /etc/motd are configured
• 1.7.5 Ensure permissions on /etc/issue are configured
• 1.7.6 Ensure permissions on /etc/issue.net are configured
• 2.1.1.1 Ensure a single time synchronization daemon is in use
• 2.1.2.1 Ensure chrony is configured with authorized timeserver
• 3.3.4 Ensure suspicious packets are logged
• 3.5.1.2 Ensure iptables-persistent is not installed with ufw
• 3.5.1.3 Ensure ufw service is enabled
• 3.5.2.2 Ensure ufw is uninstalled or disabled with nftables
• 3.5.2.3 Ensure iptables are flushed with nftables
• 3.5.2.5 Ensure nftables base chains exist
• 3.5.2.6 Ensure nftables loopback traffic is configured
• 4.1.1.1 Ensure auditd is installed
• 4.1.1.2 Ensure auditd service is enabled and active
• 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled
• 4.1.1.4 Ensure audit_backlog_limit is sufficient
• 4.1.2.3 Ensure system is disabled when audit logs are full
• 4.1.3.13 Ensure file deletion events by users are collected
• 4.1.3.20 Ensure the audit configuration is immutable
• 4.1.3.4 Ensure events that modify date and time information are collected
• 4.1.3.9 Ensure discretionary access control permission modification events are collected
• 4.2.1.2 Ensure journald service is enabled
• 4.2.1.4 Ensure journald is configured to write logfiles to persistent disk
• 4.2.2.1 Ensure rsyslog is installed
• 4.2.2.2 Ensure rsyslog service is enabled
• 4.2.2.5 Ensure logging is configured
• 4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client
• 5.1.1 Ensure cron daemon is enabled and running
• 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
• 5.2.5 Ensure SSH LogLevel is appropriate
• 5.3.7 Ensure access to the su command is restricted
• 5.5.2 Ensure system accounts are secured
• 5.5.3 Ensure default group for the root account is GID 0
• 5.5.5 Ensure default user shell timeout is 900 seconds or less
• 6.1.1 Ensure permissions on /etc/passwd are configured
• 6.1.2 Ensure permissions on /etc/passwd- are configured
• 6.1.3 Ensure permissions on /etc/group are configured
• 6.1.4 Ensure permissions on /etc/group- are configured
• 6.1.5 Ensure permissions on /etc/shadow are configured
• 6.1.6 Ensure permissions on /etc/shadow- are configured
• 6.1.7 Ensure permissions on /etc/gshadow are configured
• E6.1.8 Ensure permissions on /etc/gshadow- are configured
• 6.1.9 Ensure no world writable files exist
• 6.2.11 Ensure local interactive user home directories exist
• 6.2.12 Ensure local interactive users own their home directories
• 6.2.13 Ensure local interactive user home directories are mode 750 or more restrictive
• 6.2.17 Ensure local interactive user dot files are not group or world writable
• 6.2.4 Ensure shadow group is empty
• 6.2.5 Ensure no duplicate UIDs exist
• 6.2.6 Ensure no duplicate GIDs exist

TA0006

• 1.1.3.1 Ensure separate partition exists for /var
• 2.3.3 Ensure talk client is not installed
• 2.3.4 Ensure telnet client is not installed
• 3.2.1 Ensure packet redirect sending is disabled
• 3.2.2 Ensure IP forwarding is disabled
• 3.3.2 Ensure ICMP redirects are not accepted
• 3.3.3 Ensure secure ICMP redirects are not accepted
• 3.3.7 Ensure Reverse Path Filtering is enabled
• 3.3.9 Ensure IPv6 router advertisements are not accepted
• 5.2.13 Ensure only strong Ciphers are used
• 5.2.14 Ensure only strong MAC algorithms are used
• 5.2.15 Ensure only strong Key Exchange algorithms are used
• 5.2.18 Ensure SSH MaxAuthTries is set to 4 or less
• 5.2.2 Ensure permissions on SSH private host key files are configured
• 5.2.21 Ensure SSH LoginGraceTime is set to one minute or less
• 5.2.3 Ensure permissions on SSH public host key files are configured
• 5.4.1 Ensure password creation requirements are configured
• 5.4.2 Ensure lockout for failed password attempts is configured
• 5.4.4 Ensure password hashing algorithm is up to date with the latest standards
• 5.5.1.1 Ensure minimum days between password changes is configured
• 5.5.1.3 Ensure password expiration warning days is 7 or more
• 6.2.14 Ensure no local interactive user has .netrc files
• 6.2.9 Ensure root PATH Integrity

TA0007

• 1.4.2 Ensure permissions on bootloader config are configured
• 1.5.4 Ensure core dumps are restricted
• 1.7.1 Ensure message of the day is configured properly
• 1.7.2 Ensure local login warning banner is configured properly
• 1.7.3 Ensure remote login warning banner is configured properly
• 1.8.2 Ensure GDM login banner is configured
• 1.8.3 Ensure GDM disable-user-list option is enabled
• 3.3.1 Ensure source routed packets are not accepted
• 3.3.2 Ensure ICMP redirects are not accepted
• 4.1.3.7 Ensure unsuccessful file access attempts are collected
• 4.1.4.1 Ensure audit log files are mode 0640 or less permissive
• 4.1.4.10 Ensure audit tools belong to group root
• 4.1.4.11 Ensure cryptographic mechanisms are used to protect the integrity of audit tool
• 4.1.4.2 Ensure only authorized users own audit log files
• 4.1.4.3 Ensure only authorized groups are assigned ownership of audit log files
• 4.1.4.4 Ensure the audit log directory is 0750 or more restrictive
• 4.1.4.5 Ensure audit configuration files are 640 or more restrictive
• 4.1.4.6 Ensure audit configuration files are owned by root
• 4.1.4.7 Ensure audit configuration files belong to group root
• 4.1.4.8 Ensure audit tools are 755 or more restrictive
• 4.1.4.9 Ensure audit tools are owned by root
• 4.2.3 Ensure all logfiles have appropriate permissions and ownership
• 4.2.1.7 Ensure journald default file permissions configured
• 4.2.2.4 Ensure rsyslog default file permissions are configured
• 5.1.2 Ensure permissions on /etc/crontab are configured
• 5.1.3 Ensure permissions on /etc/cron.hourly are configured
• 5.1.4 Ensure permissions on /etc/cron.daily are configured
• 5.1.5 Ensure permissions on /etc/cron.weekly are configured
• 5.1.6 Ensure permissions on /etc/cron.monthly are configured
• 5.1.7 Ensure permissions on /etc/cron.d are configured
• 5.2.17 Ensure SSH warning banner is configured
• 5.5.4 Ensure default user umask is 027 or more restrictive
• 6.1.10 Ensure no unowned files or directories exist
• 6.1.11 Ensure no ungrouped files or directories exist
• 6.2.16 Ensue no local interactive user has .rhosts files

TA0008

• 2.4 Ensure nonessential services are removed or masked
• 2.2.1 Ensure X Window System is not installed
• 2.2.10 Ensure IMAP and POP3 server are not installed
• 2.2.11 Ensure Samba is not installed
• 2.2.12 Ensure HTTP Proxy Server is not installed
• 2.2.13 Ensure SNMP Server is not installed
• 2.2.14 Ensure NIS Server is not installed
• 2.2.15 Ensure mail transfer agent is configured for local-only mode
• 2.2.16 Ensure rsync service is either not installed or masked
• 2.2.2 Ensure Avahi Server is not installed
• 2.2.3 Ensure CUPS is not installed
• 2.2.4 Ensure DHCP Server is not installed
• 2.2.5 Ensure LDAP server is not installed
• 2.2.7 Ensure DNS Server is not installed
• 2.2.8 Ensure FTP Server is not installed
• 2.2.9 Ensure HTTP server is not installed
• 2.3.1 Ensure NIS Client is not installed
• 2.3.2 Ensure rsh client is not installed
• 2.3.3 Ensure talk client is not installed
• 2.3.4 Ensure telnet client is not installed
• 2.3.5 Ensure LDAP client is not installed
• 2.3.6 Ensure RPC is not installed
• 3.1.1 Ensure system is checked to determine if IPv6 is enabled
• 3.1.3 Ensure DCCP is disabled
• 3.1.4 Ensure SCTP is disabled
• 3.1.5 Ensure RDS is disabled
• 3.1.6 Ensure TIPC is disabled
• 5.2.10 Ensure SSH PermitUserEnvironment is disabled
• 5.2.12 Ensure SSH X11 forwarding is disabled
• 5.2.16 Ensure SSH AllowTcpForwarding is disabled
• 5.2.4 Ensure SSH access is limited
• 5.2.7 Ensure SSH root login is disabled
• 5.2.9 Ensure SSH PermitEmptyPasswords is disabled

TA0009

• 3.2.1 Ensure packet redirect sending is disabled
• 3.2.2 Ensure IP forwarding is disabled
• 3.3.3 Ensure secure ICMP redirects are not accepted

TA0010

• 3.1.2 Ensure wireless interfaces are disabled
• 4.1.3.10 Ensure successful file system mounts are collected
• 6.2.15 Ensure no local interactive user has .forward files

TA0011

• 3.5.1.1 Ensure ufw is installed
• 3.5.1.4 Ensure ufw loopback traffic is configured
• 3.5.1.5 Ensure ufw outbound connections are configured
• 3.5.1.6 Ensure ufw firewall rules exist for all open ports
• 3.5.1.7 Ensure ufw default deny firewall policy
• 3.5.2.1 Ensure nftables is installed
• 3.5.2.10 Ensure nftables rules are permanent
• 3.5.2.4 Ensure a nftables table exists
• 3.5.2.7 Ensure nftables outbound and established connections are configured
• 3.5.2.8 Ensure nftables default deny firewall policy
• 3.5.2.9 Ensure nftables service is enabled
• 3.5.3.1.1 Ensure iptables packages are installed
• 3.5.3.1.2 Ensure nftables is not installed with iptables
• 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables
• 3.5.3.2.1 Ensure iptables default deny firewall policy
• 3.5.3.2.2 Ensure iptables loopback traffic is configured
• 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports
• 3.5.3.3.1 Ensure ip6tables default deny firewall policy
• 3.5.3.3.2 Ensure ip6tables loopback traffic is configured
• 3.5.3.3.3 Ensure ip6tables outbound and established connections are configured
• 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports

TA0040

• 1.3.2 Ensure filesystem integrity is regularly checked
• 3.3.5 Ensure broadcast ICMP requests are ignored
• 3.3.6 Ensure bogus ICMP responses are ignored
• 3.3.7 Ensure Reverse Path Filtering is enabled
• 3.3.8 Ensure TCP SYN Cookies is enabled
• 3.3.9 Ensure IPv6 router advertisements are not accepted
• 4.1.2.1 Ensure audit log storage size is configured
• 4.1.2.2 Ensure audit logs are not automatically deleted
• 4.2.1.3 Ensure journald is configured to compress large log files
• 4.2.1.5 Ensure journald is not configured to send logs to rsyslog
• 4.2.1.6 Ensure journald log rotation is configured per site policy
• 4.2.1.1.1 Ensure systemd-journal-remote is installed
• 4.2.1.1.2 Ensure systemd-journal-remote is configured
• 4.2.1.1.3 Ensure systemd-journal-remote is enabled
• 4.2.1.1.4 Ensure journald is not configured to recieve logs from a remote client
• 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host
• 5.2.19 Ensure SSH MaxStartups is configured
• 5.2.20 Ensure SSH MaxSessions is set to 10 or less

User Accounts and Environment

• 5.5.2 Ensure system accounts are secured
• 5.5.3 Ensure default group for the root account is GID 0
• 5.5.4 Ensure default user umask is 027 or more restrictive
• 5.5.5 Ensure default user shell timeout is 900 seconds or less
• 5.5.1.1 Ensure minimum days between password changes is configured
• 5.5.1.2 Ensure password expiration is 365 days or less
• 5.5.1.3 Ensure password expiration warning days is 7 or more
• 5.5.1.4 Ensure inactive password lock is 30 days or less
• 5.5.1.5 Ensure all users last password change date is in the past

Workstation

• 1.9 Ensure updates, patches, and additional security software are installed
• 1.1.10 Disable USB Storage
• 1.1.9 Disable Automounting
• 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
• 1.1.1.2 Ensure mounting of squashfs filesystems is disabled
• 1.1.1.3 Ensure mounting of udf filesystems is disabled
• 1.1.2.1 Ensure /tmp is a separate partition
• 1.1.2.2 Ensure nodev option set on /tmp partition
• 1.1.2.3 Ensure noexec option set on /tmp partition
• 1.1.2.4 Ensure nosuid option set on /tmp partition
• 1.1.3.1 Ensure separate partition exists for /var
• 1.1.3.2 Ensure nodev option set on /var partition
• 1.1.3.3 Ensure nosuid option set on /var partition
• 1.1.4.1 Ensure separate partition exists for /var/tmp
• 1.1.4.2 Ensure noexec option set on /var/tmp partition
• 1.1.4.3 Ensure nosuid option set on /var/tmp partition
• 1.1.4.4 Ensure nodev option set on /var/tmp partition
• 1.1.5.1 Ensure separate partition exists for /var/log
• 1.1.5.2 Ensure nodev option set on /var/log partition
• 1.1.5.3 Ensure noexec option set on /var/log partition
• 1.1.5.4 Ensure nosuid option set on /var/log partition
• 1.1.6.1 Ensure separate partition exists for /var/log/audit
• 1.1.6.2 Ensure noexec option set on /var/log/audit partition
• 1.1.6.3 Ensure nodev option set on /var/log/audit partition
• 1.1.6.4 Ensure nosuid option set on /var/log/audit partition
• 1.1.7.1 Ensure separate partition exists for /home
• 1.1.7.2 Ensure nodev option set on /home partition
• 1.1.7.3 Ensure nosuid option set on /home partition
• 1.1.8.1 Ensure nodev option set on /dev/shm partition
• 1.1.8.2 Ensure noexec option set on /dev/shm partition
• 1.1.8.3 Ensure nosuid option set on /dev/shm partition
• 1.2.1 Ensure package manager repositories are configured
• 1.2.2 Ensure GPG keys are configured
• 1.3.1 Ensure AIDE is installed
• 1.3.2 Ensure filesystem integrity is regularly checked
• 1.4.1 Ensure bootloader password is set
• 1.4.2 Ensure permissions on bootloader config are configured
• 1.4.3 Ensure authentication required for single user mode
• 1.5.1 Ensure address space layout randomization (ASLR) is enabled
• 1.5.2 Ensure prelink is not installed
• 1.5.3 Ensure Automatic Error Reporting is not enabled
• 1.5.4 Ensure core dumps are restricted
• 1.6.1.1 Ensure AppArmor is installed
• 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration
• 1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode
• 1.6.1.4 Ensure all AppArmor Profiles are enforcing
• 1.7.1 Ensure message of the day is configured properly
• 1.7.2 Ensure local login warning banner is configured properly
• 1.7.3 Ensure remote login warning banner is configured properly
• 1.7.4 Ensure permissions on /etc/motd are configured
• 1.7.5 Ensure permissions on /etc/issue are configured
• 1.7.6 Ensure permissions on /etc/issue.net are configured
• 1.8.10 Ensure XDCMP is not enabled
• 1.8.4 Ensure GDM screen locks when the user is idle
• 1.8.5 Ensure GDM screen locks cannot be overridden
• 1.8.6 Ensure GDM automatic mounting of removable media is disabled
• 1.8.7 Ensure GDM disabling automatic mounting of removable media is not overridden
• 1.8.8 Ensure GDM autorun-never is enabled
• 1.8.9 Ensure GDM autorun-never is not overridden
• 2.4 Ensure nonessential services are removed or masked
• 2.1.1.1 Ensure a single time synchronization daemon is in use
• 2.1.2.1 Ensure chrony is configured with authorized timeserver
• 2.1.2.2 Ensure chrony is running as user _chrony
• 2.1.2.3 Ensure chrony is enabled and running
• 2.1.3.1 Ensure systemd-timesyncd configured with authorized timeserver
• 2.1.3.2 Ensure systemd-timesyncd is enabled and running
• 2.1.4.1 Ensure ntp access control is configured
• 2.1.4.2 Ensure ntp is configured with authorized timeserver
• 2.1.4.3 Ensure ntp is running as user ntp
• Ensure mounting of cramfs filesystems is disabled
• 2.2.10 Ensure IMAP and POP3 server are not installed
• 2.2.11 Ensure Samba is not installed
• 2.2.12 Ensure HTTP Proxy Server is not installed
• 2.2.13 Ensure SNMP Server is not installed
• 2.2.14 Ensure NIS Server is not installed
• 2.2.15 Ensure mail transfer agent is configured for local-only mode
• 2.2.16 Ensure rsync service is either not installed or masked
• 2.2.2 Ensure Avahi Server is not installed
• 2.2.3 Ensure CUPS is not installed
• 2.2.4 Ensure DHCP Server is not installed
• 2.2.5 Ensure LDAP server is not installed
• 2.2.6 Ensure NFS is not installed
• 2.2.7 Ensure DNS Server is not installed
• 2.2.8 Ensure FTP Server is not installed
• 2.2.9 Ensure HTTP server is not installed
• 2.3.1 Ensure NIS Client is not installed
• 2.3.2 Ensure rsh client is not installed
• 2.3.3 Ensure talk client is not installed
• 2.3.4 Ensure telnet client is not installed
• 2.3.5 Ensure LDAP client is not installed
• 2.3.6 Ensure RPC is not installed
• 3.1.1 Ensure system is checked to determine if IPv6 is enabled
• 3.1.2 Ensure wireless interfaces are disabled
• 3.1.3 Ensure DCCP is disabled
• 3.1.4 Ensure SCTP is disabled
• 3.1.5 Ensure RDS is disabled
• 3.1.6 Ensure TIPC is disabled
• 3.2.1 Ensure packet redirect sending is disabled
• 3.2.2 Ensure IP forwarding is disabled
• 3.3.1 Ensure source routed packets are not accepted
• 3.3.2 Ensure ICMP redirects are not accepted
• 3.3.3 Ensure secure ICMP redirects are not accepted
• 3.3.4 Ensure suspicious packets are logged
• 3.3.5 Ensure broadcast ICMP requests are ignored
• 3.3.6 Ensure bogus ICMP responses are ignored
• 3.3.7 Ensure Reverse Path Filtering is enabled
• 3.3.8 Ensure TCP SYN Cookies is enabled
• 3.3.9 Ensure IPv6 router advertisements are not accepted
• 3.5.1.1 Ensure ufw is installed
• 3.5.1.2 Ensure iptables-persistent is not installed with ufw
• 3.5.1.3 Ensure ufw service is enabled
• 3.5.1.4 Ensure ufw loopback traffic is configured
• 3.5.1.5 Ensure ufw outbound connections are configured
• 3.5.1.6 Ensure ufw firewall rules exist for all open ports
• 3.5.1.7 Ensure ufw default deny firewall policy
• 3.5.2.1 Ensure nftables is installed
• 3.5.2.10 Ensure nftables rules are permanent
• 3.5.2.2 Ensure ufw is uninstalled or disabled with nftables
• 3.5.2.3 Ensure iptables are flushed with nftables
• 3.5.2.4 Ensure a nftables table exists
• 3.5.2.5 Ensure nftables base chains exist
• 3.5.2.6 Ensure nftables loopback traffic is configured
• 3.5.2.7 Ensure nftables outbound and established connections are configured
• 3.5.2.8 Ensure nftables default deny firewall policy
• 3.5.2.9 Ensure nftables service is enabled
• 3.5.3.1.1 Ensure iptables packages are installed
• 3.5.3.1.2 Ensure nftables is not installed with iptables
• 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables
• 3.5.3.2.1 Ensure iptables default deny firewall policy
• 3.5.3.2.2 Ensure iptables loopback traffic is configured
• 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports
• 3.5.3.3.1 Ensure ip6tables default deny firewall policy
• 3.5.3.3.2 Ensure ip6tables loopback traffic is configured
• 3.5.3.3.3 Ensure ip6tables outbound and established connections are configured
• 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports
• 4.1.1.1 Ensure auditd is installed
• 4.1.1.2 Ensure auditd service is enabled and active
• 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled
• 4.1.1.4 Ensure audit_backlog_limit is sufficient
• 4.1.2.1 Ensure audit log storage size is configured
• 4.1.2.2 Ensure audit logs are not automatically deleted
• 4.1.2.3 Ensure system is disabled when audit logs are full
• 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected
• 4.1.3.10 Ensure successful file system mounts are collected
• 4.1.3.11 Ensure session initiation information is collected
• 4.1.3.12 Ensure login and logout events are collected
• 4.1.3.13 Ensure file deletion events by users are collected
• 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected
• 4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded
• 4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded
• 4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorde
• 4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded
• 4.1.3.19 Ensure kernel module loading unloading and modification is collected
• 4.1.3.2 Ensure actions as another user are always logged
• 4.1.3.20 Ensure the audit configuration is immutable
• 4.1.3.21 Ensure the running and on disk configuration is the same
• 4.1.3.3 Ensure events that modify the sudo log file are collected
• 4.1.3.4 Ensure events that modify date and time information are collected
• 4.1.3.5 Ensure events that modify the system's network environment are collected
• 4.1.3.6 Ensure use of privileged commands are collected
• 4.1.3.7 Ensure unsuccessful file access attempts are collected
• 4.1.3.8 Ensure events that modify user/group information are collected
• 4.1.3.9 Ensure discretionary access control permission modification events are collected
• 4.1.4.1 Ensure audit log files are mode 0640 or less permissive
• 4.1.4.10 Ensure audit tools belong to group root
• 4.1.4.11 Ensure cryptographic mechanisms are used to protect the integrity of audit tool
• 4.1.4.2 Ensure only authorized users own audit log files
• 4.1.4.3 Ensure only authorized groups are assigned ownership of audit log files
• 4.1.4.4 Ensure the audit log directory is 0750 or more restrictive
• 4.1.4.5 Ensure audit configuration files are 640 or more restrictive
• 4.1.4.6 Ensure audit configuration files are owned by root
• 4.1.4.7 Ensure audit configuration files belong to group root
• 4.1.4.8 Ensure audit tools are 755 or more restrictive
• 4.1.4.9 Ensure audit tools are owned by root
• 4.2.3 Ensure all logfiles have appropriate permissions and ownership
• 4.2.1.2 Ensure journald service is enabled
• 4.2.1.3 Ensure journald is configured to compress large log files
• 4.2.1.4 Ensure journald is configured to write logfiles to persistent disk
• 4.2.1.5 Ensure journald is not configured to send logs to rsyslog
• 4.2.1.6 Ensure journald log rotation is configured per site policy
• 4.2.1.7 Ensure journald default file permissions configured
• 4.2.1.1.1 Ensure systemd-journal-remote is installed
• 4.2.1.1.2 Ensure systemd-journal-remote is configured
• 4.2.1.1.3 Ensure systemd-journal-remote is enabled
• 4.2.1.1.4 Ensure journald is not configured to recieve logs from a remote client
• 4.2.2.1 Ensure rsyslog is installed
• 4.2.2.2 Ensure rsyslog service is enabled
• 4.2.2.3 Ensure journald is configured to send logs to rsyslog
• 4.2.2.4 Ensure rsyslog default file permissions are configured
• 4.2.2.5 Ensure logging is configured
• 4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host
• 4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client
• 5.1.1 Ensure cron daemon is enabled and running
• 5.1.2 Ensure permissions on /etc/crontab are configured
• 5.1.3 Ensure permissions on /etc/cron.hourly are configured
• 5.1.4 Ensure permissions on /etc/cron.daily are configured
• 5.1.5 Ensure permissions on /etc/cron.weekly are configured
• 5.1.6 Ensure permissions on /etc/cron.monthly are configured
• 5.1.7 Ensure permissions on /etc/cron.d are configured
• 5.1.8 Ensure cron is restricted to authorized users
• 5.1.9 Ensure at is restricted to authorized users
• 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
• 5.2.10 Ensure SSH PermitUserEnvironment is disabled
• 5.2.11 Ensure SSH IgnoreRhosts is enabled
• 5.2.12 Ensure SSH X11 forwarding is disabled
• 5.2.13 Ensure only strong Ciphers are used
• 5.2.14 Ensure only strong MAC algorithms are used
• 5.2.15 Ensure only strong Key Exchange algorithms are used
• 5.2.16 Ensure SSH AllowTcpForwarding is disabled
• 5.2.17 Ensure SSH warning banner is configured
• 5.2.18 Ensure SSH MaxAuthTries is set to 4 or less
• 5.2.19 Ensure SSH MaxStartups is configured
• 5.2.2 Ensure permissions on SSH private host key files are configured
• 5.2.20 Ensure SSH MaxSessions is set to 10 or less
• 5.2.21 Ensure SSH LoginGraceTime is set to one minute or less
• 5.2.22 Ensure SSH Idle Timeout Interval is configured
• 5.2.3 Ensure permissions on SSH public host key files are configured
• 5.2.4 Ensure SSH access is limited
• 5.2.5 Ensure SSH LogLevel is appropriate
• 5.2.6 Ensure SSH PAM is enabled
• 5.2.7 Ensure SSH root login is disabled
• 5.2.8 Ensure SSH HostbasedAuthentication is disabled
• 5.2.9 Ensure SSH PermitEmptyPasswords is disabled
• 5.3.1 Ensure sudo is installed
• 5.3.2 Ensure sudo commands use pty
• 5.3.3 Ensure sudo log file exists
• 5.3.4 Ensure users must provide password for privilege escalation
• 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally
• 5.3.6 Ensure sudo authentication timeout is configured correctly
• 5.3.7 Ensure access to the su command is restricted
• 5.4.1 Ensure password creation requirements are configured
• 5.4.2 Ensure lockout for failed password attempts is configured
• 5.4.3 Ensure password reuse is limited
• 5.4.4 Ensure password hashing algorithm is up to date with the latest standards
• 5.5.2 Ensure system accounts are secured
• 5.5.3 Ensure default group for the root account is GID 0
• 5.5.4 Ensure default user umask is 027 or more restrictive
• 5.5.5 Ensure default user shell timeout is 900 seconds or less
• 5.5.1.1 Ensure minimum days between password changes is configured
• 5.5.1.2 Ensure password expiration is 365 days or less
• 5.5.1.3 Ensure password expiration warning days is 7 or more
• 5.5.1.4 Ensure inactive password lock is 30 days or less
• 5.5.1.5 Ensure all users last password change date is in the past
• 6.1.1 Ensure permissions on /etc/passwd are configured
• 6.1.10 Ensure no unowned files or directories exist
• 6.1.11 Ensure no ungrouped files or directories exist
• 6.1.12 Audit SUID executables
• 6.1.13 Audit SGID executables
• 6.1.2 Ensure permissions on /etc/passwd- are configured
• 6.1.3 Ensure permissions on /etc/group are configured
• 6.1.4 Ensure permissions on /etc/group- are configured
• 6.1.5 Ensure permissions on /etc/shadow are configured
• 6.1.6 Ensure permissions on /etc/shadow- are configured
• 6.1.7 Ensure permissions on /etc/gshadow are configured
• E6.1.8 Ensure permissions on /etc/gshadow- are configured
• 6.1.9 Ensure no world writable files exist
• 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords
• 6.2.10 Ensure root is the only UID 0 account
• 6.2.11 Ensure local interactive user home directories exist
• 6.2.12 Ensure local interactive users own their home directories
• 6.2.13 Ensure local interactive user home directories are mode 750 or more restrictive
• 6.2.14 Ensure no local interactive user has .netrc files
• 6.2.15 Ensure no local interactive user has .forward files
• 6.2.16 Ensue no local interactive user has .rhosts files
• 6.2.17 Ensure local interactive user dot files are not group or world writable
• 6.2.2 Ensure /etc/shadow password fields are not empty
• 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group
• 6.2.4 Ensure shadow group is empty
• 6.2.5 Ensure no duplicate UIDs exist
• 6.2.6 Ensure no duplicate GIDs exist
• 6.2.7 Ensure no duplicate user names exist
• 6.2.8 Ensure no duplicate group names exist
• 6.2.9 Ensure root PATH Integrity