...
| chapter | section | index | title | v8.x.x enabled | page |
| 1 | Initial Setup | 20 | |||
| 1.1 | Filesystem Configuration | 20 | |||
| 1.1.1.1 | Ensure mounting of cramfs filesystems is disabled | always21 | |||
| 1.1.1.2 | Ensure mounting of freevxfs filesystems is disabled | always23 | |||
| 1.1.1.3 | Ensure mounting of jffs2 filesystems is disabled | always | 25 | ||
| 1.1.1.4 | Ensure mounting of hfs filesystems is disabled | always | 27 | ||
| 1.1.1.5 | Ensure mounting of hfsplus filesystems is disabled | always | 29 | ||
| 1.1.1.6 | Ensure mounting of udf filesystems is disabled | always31 | |||
| 1.1.2 | Ensure separate partition exists for /tmp | always | 33 | ||
| 1.1.3 | Ensure nodev option set on /tmp partition | always | 35 | ||
| 1.1.4 | Ensure nosuid option set on /tmp partition | always | 36 | ||
| 1.1.5 | Ensure separate partition exists for /var | always37 | |||
| 1.1.6 | Ensure separate partition exists for /var/tmp | always | 38 | ||
| 1.1.7 | Ensure nodev option set on /var/tmp partition | always40 | |||
| 1.1.8 | Ensure nosuid option set on /var/tmp partition | always41 | |||
| 1.1.9 | Ensure noexec option set on /var/tmp partition | always42 | |||
| 1.1.10 | Ensure separate partition exists for /var/log | always | 43 | ||
| 1.1.11 | Ensure separate partition exists for /var/log/audit | always | 45 | ||
| 1.1.12 | Ensure separate partition exists for /home | always | 47 | ||
| 1.1.13 | Ensure nodev option set on /home partition | always | 48 | ||
| 1.1.14 | Ensure nodev option set on /dev/shm partition (/run) | always49 | |||
| 1.1.15 | Ensure nosuid option set on /dev/shm partition (/run) | always | 50 | ||
| 1.1.16 | Ensure noexec option set on /dev/shm partition (/run) | always51 | |||
| 1.1.17 | Ensure nodev option set on removable media partitions | always52 | |||
| 1.1.18 | Ensure nosuid option set on removable media partitions | always53 | |||
| 1.1.19 | Ensure noexec option set on removable media partitions | always54 | |||
| 1.1.20 | Ensure sticky bit is set on all world-writable directories | always | 55 | ||
| 1.1.21 | Disable Automounting | always | 56 | ||
| 1.2 | Configure Software Updates58 | ||||
| 1.2.1 | Ensure package manager repositories are configured | always | 58 | ||
| 1.2.2 | Ensure GPG keys are configured | always60 | |||
| 1.3 | Filesystem Integrity Checking61 | ||||
| 1.3.1 | Ensure AIDE is installed | always61 | |||
| 1.3.2 | Ensure filesystem integrity is regularly checked | always | 63 | ||
| 11.4 | Secure Boot Settings | 65 | |||
| 1.4.1 | Ensure permissions on bootloader config are configured | always | 65 | ||
| 1.4.2 | Ensure bootloader password is set | always67 | |||
| 1.4.3 | Ensure authentication required for single user mode | always70 | |||
| 1.5 | Additional Process Hardening | 71 | |||
| 1.5.1 | Ensure core dumps are restricted | always | 71 | ||
| 1.5.2 | Ensure XD/NX support is enabled | always73 | |||
| 1.5.3 | Ensure address space layout randomization (ASLR) is enabled | always | 75 | ||
| 1.5.4 | Ensure prelink is disabled | always | 77 | ||
| 1.6 | Mandatory Access Control | 78 | |||
| 1.6.1.1 | Ensure SELinux is not disabled in bootloader configuration | always | 81 | ||
| 1.6.1.2 | Ensure the SELinux state is enforcing | always83 | |||
| 1.6.1.3 | Ensure SELinux policy is configured | always | 84 | ||
| 1.6.1.4 | Ensure no unconfined daemons exist | always85 | |||
| 1.6.2.1 | Ensure AppArmor is not disabled in bootloader configuration | always88 | |||
| 1.6.2.2 | Ensure all AppArmor Profiles are enforcing | always90 | |||
| 1.6.3 | Ensure SELinux or AppArmor are installed | always | 92 | ||
| 1.7 | Warning Banners | 93 | |||
| 1.7.1.1 | Ensure message of the day is configured properly | always | 94 | ||
| 1.7.1.2 | Ensure local login warning banner is configured properly | always96 | |||
| 1.7.1.3 | Ensure remote login warning banner is configured properly | always | 98 | ||
| 1.7.1.4 | Ensure permissions on /etc/motd are configured | always100 | |||
| 1.7.1.5 | Ensure permissions on /etc/issue are configured | always101 | |||
| 1.7.1.6 | Ensure permissions on /etc/issue.net are configured | always102 | |||
| 1.7.2 | Ensure GDM login banner is configured | always103 | |||
| 1.8 | Ensure updates patches and additional security software are installed | 104 | |||
| 2 | Services | 106 | |||
| 2.1 | inetd Services | 107 | |||
| 2.1.1 | Ensure chargen services are not enabled | always107 | |||
| 2.1.2 | Ensure daytime services are not enabled | always | 109 | ||
| 2.1.3 | Ensure discard services are not enabled | always110 | |||
| 2.1.4 | Ensure echo services are not enabled | always111 | |||
| 2.1.5 | Ensure time services are not enabled | always112 | |||
| 2.1.6 | Ensure rsh server is not enabled | always | 113 | ||
| 2.1.7 | Ensure talk server is not enabled | always115 | |||
| 2.1.8 | Ensure telnet server is not enabled | always116 | |||
| 2.1.9 | Ensure tftp server is not enabled | always118 | |||
| 2.1.10 | Ensure xinetd is not enabled | always119 | |||
| 2.1.11 | Ensure openbsd-inetd is not installed | always | 120 | ||
| 2.2 | Special Purpose Services | 121 | |||
| 2.2.1.1 | Ensure time synchronization is in use | always122 | |||
| 2.2.1.2 | Ensure ntp is configured | always | 124 | ||
| 2.2.1.3 | Ensure chrony is configured | always | 126 | ||
| 2.2.2 | Ensure X Window System is not installed | always | 128 | ||
| 2.2.3 | Ensure Avahi Server is not enabled | always | 129 | ||
| 2.2.4 | Ensure CUPS is not enabled | always130 | |||
| 2.2.5 | Ensure DHCP Server is not enabled | always132 | |||
| 2.2.6 | Ensure LDAP server is not enabled | always | 134 | ||
| 2.2.7 | Ensure NFS and RPC are not enabled | always | 136 | ||
| 2.2.8 | Ensure DNS Server is not enabled | always138 | |||
| 2.2.9 | Ensure FTP Server is not enabled | always139 | |||
| 2.2.10 | Ensure HTTP server is not enabled | always141 | |||
| 2.2.11 | Ensure IMAP and POP3 server is not enabled | always | 142 | ||
| 2.2.12 | Ensure Samba is not enabled | always | 143 | ||
| 2.2.13 | Ensure HTTP Proxy Server is not enabled | always | 144 | ||
| 2.2.14 | Ensure SNMP Server is not enabled | always145 | |||
| 2.2.15 | Ensure mail transfer agent is configured for local-only mode | always147 | |||
| 2.2.16 | Ensure rsync service is not enabled | always149 | |||
| 2.2.17 | Ensure NIS Server is not enabled | always150 | |||
| 2.3 | Service Clients151 | ||||
| 2.3.1 | Ensure NIS Client is not installed | always151 | |||
| 2.3.2 | Ensure rsh client is not installed | always | 153 | ||
| 2.3.3 | Ensure talk client is not installed | always155 | |||
| 2.3.4 | Ensure telnet client is not installed | always156 | |||
| 2.3.5 | Ensure LDAP client is not installed | always | 158 | ||
| 3 | Network Configuration | 159 | |||
| 3.1 | Network Parameters (Host Only) | 160 | |||
| 3.1.1 | Ensure IP forwarding is disabled | always | 160 | ||
| 3.1.2 | Ensure packet redirect sending is disabled | always162 | |||
| 3.2 | Network Parameters (Host and Router) | 164 | |||
| 3.2.1 | Ensure source routed packets are not accepted | always | 164 | ||
| 3.2.2 | Ensure ICMP redirects are not accepted | always | 166 | ||
| 3.2.3 | Ensure secure ICMP redirects are not accepted | always168 | |||
| 3.2.4 | Ensure suspicious packets are logged | always170 | |||
| 3.2.5 | Ensure broadcast ICMP requests are ignored | always172 | |||
| 3.2.6 | Ensure bogus ICMP responses are ignored | always | 174 | ||
| 3.2.7 | Ensure Reverse Path Filtering is enabled | always | 176 | ||
| 3.2.8 | Ensure TCP SYN Cookies is enabled | always178 | |||
| 3.3 | Ipv6180 | ||||
| 3.3.1 | Ensure IPv6 router advertisements are not accepted | always | 180 | ||
| 3.3.2 | Ensure IPv6 redirects are not accepted | always | 182 | ||
| 3.3.3 | Ensure IPv6 is disabled | always184 | |||
| 3.4 | TCP Wrappers186 | ||||
| 3.4.1 | Ensure TCP Wrappers is installed | always | 186 | ||
| 3.4.2 | Ensure /etc/hosts.allow is configured | always | 188 | ||
| 3.4.3 | Ensure /etc/hosts.deny is configured | always | 190 | ||
| 3.4.4 | Ensure permissions on /etc/hosts.allow are configured | always191 | |||
| 3.4.5 | Ensure permissions on /etc/hosts.deny are configured | always | 192 | ||
| 3.5 | Uncommon Network Protocols | 193 | |||
| 3.5.1 | Ensure DCCP is disabled | always | 193 | ||
| 3.5.2 | Ensure SCTP is disabled | always195 | |||
| 3.5.3 | Ensure RDS is disabled | always | 197 | ||
| 3.5.4 | Ensure TIPC is disabled | always198 | |||
| 3.6 | Firewall Configuration199 | ||||
| 3.6.1 | Ensure iptables is installed | always200 | |||
| 3.6.2 | Ensure default deny firewall policy | always | 201 | ||
| 3.6.3 | Ensure loopback traffic is configured | always | 203 | ||
| 3.6.4 | Ensure outbound and established connections are configured | always | 205 | ||
| 3.6.5 | Ensure firewall rules exist for all open ports | always | 207 | ||
| 3.7 | Ensure wireless interfaces are disabled | always209 | |||
| 4 | Logging and Auditing | 211 | |||
| 4.1 | Configure System Accounting (auditd)212 | ||||
| 4.1.1.1 | Ensure audit log storage size is configured | always213 | |||
| 4.1.1.2 | Ensure system is disabled when audit logs are full | always215 | |||
| 4.1.1.3 | Ensure audit logs are not automatically deleted | always216 | |||
| 4.1.2 | Ensure auditd service is enabled | needs STIG | 217 | ||
| 4.1.3 | Ensure auditing for processes that start prior to auditd is enabled | needs STIG | 218 | ||
| 4.1.4 | Ensure events that modify date and time information are collected | needs STIG220 | |||
| 4.1.5 | Ensure events that modify user/group information are collected | needs STIG | 223 | ||
| 4.1.6 | Ensure events that modify the system's network environment are collected | needs STIG225 | |||
| 4.1.7 | Ensure events that modify the system's Mandatory Access Controls are collected | needs STIG228 | |||
| 4.1.8 | Ensure login and logout events are collected | needs STIG230 | |||
| 4.1.9 | Ensure session initiation information is collected | needs STIG232 | |||
| 4.1.10 | Ensure discretionary access control permission modification events are collected | needs STIG | 234 | ||
| 4.1.11 | Ensure unsuccessful unauthorized file access attempts are collected | needs STIG | 238 | ||
| 4.1.12 | Ensure use of privileged commands is collected | needs STIG | 241 | ||
| 4.1.13 | Ensure successful file system mounts are collected | needs STIG243 | |||
| 4.1.14 | Ensure file deletion events by users are collected | needs STIG246 | |||
| 4.1.15 | Ensure changes to system administration scope (sudoers) is collected | needs STIG | 248 | ||
| 4.1.16 | Ensure system administrator actions (sudolog) are collected | needs STIG | 250 | ||
| 4.1.17 | Ensure kernel module loading and unloading is collected | needs STIG252 | |||
| 4.1.18 | Ensure the audit configuration is immutable | needs STIG | 255 | ||
| 4.2 | Configure Logging | 257 | |||
| 4.2.1.1 | Ensure rsyslog Service is enabled | always | 258 | ||
| 4.2.1.2 | Ensure logging is configured | always | 260 | ||
| 4.2.1.3 | Ensure rsyslog default file permissions configured | always262 | |||
| 4.2.1.4 | Ensure rsyslog is configured to send logs to a remote log host | always | 264 | ||
| 4.2.1.5 | Ensure remote rsyslog messages are only accepted on designated log hosts | always266 | |||
| 4.2.2.1 | Ensure syslog-ng service is enabled | always268 | |||
| 4.2.2.2 | Ensure logging is configured | always270 | |||
| 4.2.2.3 | Ensure syslog-ng default file permissions configured | always | 273 | ||
| 4.2.2.4 | Ensure syslog-ng is configured to send logs to a remote log host | always | 275 | ||
| 4.2.2.5 | Ensure remote syslog-ng messages are only accepted on designated log hosts] | always | 277 | ||
| 4.2.3 | Ensure rsyslog or syslog-ng is installed | always279 | |||
| 4.2.4 | Ensure permissions on all logfiles are configured | always | 281 | ||
| 4.3 | Ensure logrotate is configured | always282 | |||
| 5 | Access, Authentication and Authorization283 | ||||
| 5.1 | Configure cron284 | ||||
| 5.1.1 | Ensure cron daemon is enabled | always284 | |||
| 5.1.2 | Ensure permissions on /etc/crontab are configured | always | 285 | ||
| 5.1.3 | Ensure permissions on /etc/cron.hourly are configured | always | 287 | ||
| 5.1.4 | Ensure permissions on /etc/cron.daily are configured | always | 289 | ||
| 5.1.5 | Ensure permissions on /etc/cron.weekly are configured | always291 | |||
| 5.1.6 | Ensure permissions on /etc/cron.monthly are configured | always | 293 | ||
| 5.1.7 | Ensure permissions on /etc/cron.d are configured | always295 | |||
| 5.1.8 | Ensure at/cron is restricted to authorized users | always297 | |||
| 5.2 | SSH Server Configuration | always299 | |||
| 5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured | always299 | |||
| 5.2.2 | Ensure SSH Protocol is set to 2 | always | 301 | ||
| 5.2.3 | Ensure SSH LogLevel is set to INFO | always | 302 | ||
| 5.2.4 | Ensure SSH X11 forwarding is disabled | always303 | |||
| 5.2.5 | Ensure SSH MaxAuthTries is set to 4 or less | always304 | |||
| 5.2.6 | Ensure SSH IgnoreRhosts is enabled | always | 305 | ||
| 5.2.7 | Ensure SSH HostbasedAuthentication is disabled | always | 306 | ||
| 5.2.8 | Ensure SSH root login is disabled | always | 307 | ||
| 5.2.9 | Ensure SSH PermitEmptyPasswords is disabled | always308 | |||
| 5.2.10 | Ensure SSH PermitUserEnvironment is disabled | always | 309 | ||
| 5.2.11 | Ensure only approved MAC algorithms are used | always | 310 | ||
| 5.2.12 | Ensure SSH Idle Timeout Interval is configured | always | 312 | ||
| 5.2.13 | Ensure SSH LoginGraceTime is set to one minute or less | always314 | |||
| 5.2.14 | Ensure SSH access is limited | always | 315 | ||
| 5.2.15 | Ensure SSH warning banner is configured | always317 | |||
| 5.3 | Configure PAM318 | ||||
| 5.3.1 | Ensure password creation requirements are configured | always318 | |||
| 5.3.2 | Ensure lockout for failed password attempts is configured | always | 321 | ||
| 5.3.3 | Ensure password reuse is limited | always | 323 | ||
| 5.3.4 | Ensure password hashing algorithm is SHA-512 | always | 325 | ||
| 5.4 | User Accounts and Environment | 327 | |||
| 5.4.1.1 | Ensure password expiration is 365 days or less | always328 | |||
| 5.4.1.2 | Ensure minimum days between password changes is 7 or more | always | 330 | ||
| 5.4.1.3 | Ensure password expiration warning days is 7 or more | always332 | |||
| 5.4.1.4 | Ensure inactive password lock is 30 days or less | always334 | |||
| 5.4.1.5 | Ensure all users last password change date is in the past | always336 | |||
| 5.4.2 | Ensure system accounts are non-login | always337 | |||
| 5.4.3 | Ensure default group for the root account is GID 0 | always | 339 | ||
| 5.4.4 | Ensure default user umask is 027 or more restrictive | always | 340 | ||
| 5.4.5 | Ensure default user shell timeout is 900 seconds or less | always342 | |||
| 5.5 | Ensure root login is restricted to system console | always | 344 | ||
| 5.6 | Ensure access to the su command is restricted | always345 | |||
| 6 | System Maintenance347 | ||||
| 6.1 | System File Permissions348 | ||||
| 6.1.1 | Audit system file permissions | always348 | |||
| 6.1.2 | Ensure permissions on /etc/passwd are configured | always | 350 | ||
| 6.1.3 | Ensure permissions on /etc/shadow are configured | always | 351 | ||
| 6.1.4 | Ensure permissions on /etc/group are configured | always | 353 | ||
| 6.1.5 | Ensure permissions on /etc/gshadow are configured | always354 | |||
| 6.1.6 | Ensure permissions on /etc/passwd- are configured | always355 | |||
| 6.1.7 | Ensure permissions on /etc/shadow- are configured | always | 356 | ||
| 6.1.8 | Ensure permissions on /etc/group- are configured | always | 358 | ||
| 6.1.9 | Ensure permissions on /etc/gshadow- are configured | always359 | |||
| 6.1.10 | Ensure no world writable files exist | always | 361 | ||
| 6.1.11 | Ensure no unowned files or directories exist | always | 363 | ||
| 6.1.12 | Ensure no ungrouped files or directories exist | always | 364 | ||
| 6.1.13 | Audit SUID executables | always | 365 | ||
| 6.1.14 | Audit SGID executables | always367 | |||
| 6.2 | User and Group Settings | 369 | |||
| 6.2.1 | Ensure password fields are not empty | always369 | |||
| 6.2.2 | Ensure no legacy "+" entries exist in /etc/passwd | always371 | |||
| 6.2.3 | Ensure no legacy "+" entries exist in /etc/shadow | always372 | |||
| 6.2.4 | Ensure no legacy "+" entries exist in /etc/group | always | 373 | ||
| 6.2.5 | Ensure root is the only UID 0 account | always | 374 | ||
| 6.2.6 | Ensure root PATH Integrity | always | 375 | ||
| 6.2.7 | Ensure all users' home directories exist | always377 | |||
| 6.2.8 | Ensure users' home directories permissions are 750 or more restrictive | always | 378 | ||
| 6.2.9 | Ensure users own their home directories | always380 | |||
| 6.2.10 | Ensure users' dot files are not group or world writable | always382 | |||
| 6.2.11 | Ensure no users have .forward files | always384 | |||
| 6.2.12 | Ensure no users have .netrc files | always386 | |||
| 6.2.13 | Ensure users' .netrc Files are not group or world accessible | always | 388 | ||
| 6.2.14 | Ensure no users have .rhosts files | always | 391 | ||
| 6.2.15 | Ensure all groups in /etc/passwd exist in /etc/group | always | 393 | ||
| 6.2.16 | Ensure no duplicate UIDs exist | always394 | |||
| 6.2.17 | Ensure no duplicate GIDs exist | always | 395 | ||
| 6.2.18 | Ensure no duplicate user names exist | always397 | |||
| 6.2.19 | Ensure no duplicate group names exist | always398 | |||
| 6.2.20 | Ensure shadow group is empty | always400 | |||
CIS vs STIG solved only conflict:
CIS recommendation 5.2.11 states that we need to "Ensure only approved MAC algorithms are used", however STIG V-23826 requires that the SSH daemon only uses a FIPS 140-2 validated cryptographic module (operating in FIPS mode). And after some research, this document: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2907.pdf indicates that if we use the CIS settings for this parameter, we still satisfy the FIPS 140-2 validated cryptographic module and in consequence STIG V-23826 as well.
So the MAC parameter on sshd_conf for STIG changed from this:
MACs hmac-sha1
...