北屋教程网


Linux Security Baseline - 2 (Linux System Security Mechanisms)

Appendix: Summary Table (using CentOS 7.8 as the example)

| Control | Set Correctly: Yes | Set Correctly: No |
|---|---|---|
| 4 Logging and Auditing | | |
| 4.1 Configure System Accounting (auditd) | | |
| 4.1.1 Ensure auditing is enabled | | |
| 4.1.1.1 Ensure auditd is installed (Automated) | | |
| 4.1.1.2 Ensure auditd service is enabled and running (Automated) | | |
| 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled (Automated) | | |
| 4.1.2 Configure Data Retention | | |
| 4.1.2.1 Ensure audit log storage size is configured (Automated) | | |
| 4.1.2.2 Ensure audit logs are not automatically deleted (Automated) | | |
| 4.1.2.3 Ensure system is disabled when audit logs are full (Automated) | | |
| 4.1.2.4 Ensure audit_backlog_limit is sufficient (Automated) | | |
| 4.1.3 Ensure events that modify date and time information are collected (Automated) | | |
| 4.1.4 Ensure events that modify user/group information are collected (Automated) | | |
| 4.1.5 Ensure events that modify the system's network environment are collected (Automated) | | |
| 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected (Automated) | | |
| 4.1.7 Ensure login and logout events are collected (Automated) | | |
| 4.1.8 Ensure session initiation information is collected (Automated) | | |
| 4.1.9 Ensure discretionary access control permission modification events are collected (Automated) | | |
| 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected (Automated) | | |
| 4.1.11 Ensure use of privileged commands is collected (Automated) | | |
| 4.1.12 Ensure successful file system mounts are collected (Automated) | | |
| 4.1.13 Ensure file deletion events by users are collected (Automated) | | |
| 4.1.14 Ensure changes to system administration scope (sudoers) is collected (Automated) | | |
| 4.1.15 Ensure system administrator actions (sudolog) are collected (Automated) | | |
| 4.1.16 Ensure kernel module loading and unloading is collected (Automated) | | |
| 4.1.17 Ensure the audit configuration is immutable (Automated) | | |
| 4.2 Configure Logging | | |
| 4.2.1 Configure rsyslog | | |
| 4.2.1.1 Ensure rsyslog is installed (Automated) | | |
| 4.2.1.2 Ensure rsyslog Service is enabled and running (Automated) | | |
| 4.2.1.3 Ensure rsyslog default file permissions configured (Automated) | | |
| 4.2.1.4 Ensure logging is configured (Manual) | | |
| 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host (Automated) | | |
| 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts (Manual) | | |
| 4.2.2 Configure journald | | |
| 4.2.2.1 Ensure journald is configured to send logs to rsyslog (Automated) | | |
| 4.2.2.2 Ensure journald is configured to compress large log files (Automated) | | |
| 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk (Automated) | | |
| 4.2.3 Ensure permissions on all logfiles are configured (Automated) | | |
| 4.2.4 Ensure logrotate is configured (Manual) | | |
| 5 Access, Authentication and Authorization | | |
| 5.1 Configure time-based job schedulers | | |
| 5.1.1 Ensure cron daemon is enabled and running (Automated) | | |
| 5.1.2 Ensure permissions on /etc/crontab are configured (Automated) | | |
| 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Automated) | | |
| 5.1.4 Ensure permissions on /etc/cron.daily are configured (Automated) | | |
| 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Automated) | | |
| 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Automated) | | |
| 5.1.7 Ensure permissions on /etc/cron.d are configured (Automated) | | |
| 5.1.8 Ensure cron is restricted to authorized users (Automated) | | |
| 5.1.9 Ensure at is restricted to authorized users (Automated) | | |
| 5.2 Configure SSH Server | | |
| 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Automated) | | |
| 5.2.2 Ensure permissions on SSH private host key files are configured (Automated) | | |
| 5.2.3 Ensure permissions on SSH public host key files are configured (Automated) | | |
| 5.2.4 Ensure SSH access is limited (Automated) | | |
| 5.2.5 Ensure SSH LogLevel is appropriate (Automated) | | |
| 5.2.6 Ensure SSH X11 forwarding is disabled (Automated) | | |
| 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less (Automated) | | |
| 5.2.8 Ensure SSH IgnoreRhosts is enabled (Automated) | | |
| 5.2.9 Ensure SSH HostbasedAuthentication is disabled (Automated) | | |
| 5.2.10 Ensure SSH root login is disabled (Automated) | | |
| 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (Automated) | | |
| 5.2.12 Ensure SSH PermitUserEnvironment is disabled (Automated) | | |
| 5.2.13 Ensure only strong Ciphers are used (Automated) | | |
| 5.2.14 Ensure only strong MAC algorithms are used (Automated) | | |
| 5.2.15 Ensure only strong Key Exchange algorithms are used (Automated) | | |
| 5.2.16 Ensure SSH Idle Timeout Interval is configured (Automated) | | |
| 5.2.17 Ensure SSH LoginGraceTime is set to one minute or less (Automated) | | |
| 5.2.18 Ensure SSH warning banner is configured (Automated) | | |
| 5.2.19 Ensure SSH PAM is enabled (Automated) | | |
| 5.2.20 Ensure SSH AllowTcpForwarding is disabled (Automated) | | |
| 5.2.21 Ensure SSH MaxStartups is configured (Automated) | | |
| 5.2.22 Ensure SSH MaxSessions is limited (Automated) | | |
| 5.3 Configure PAM | | |
| 5.3.1 Ensure password creation requirements are configured (Automated) | | |
| 5.3.2 Ensure lockout for failed password attempts is configured (Automated) | | |
| 5.3.3 Ensure password hashing algorithm is SHA-512 (Automated) | | |
| 5.3.4 Ensure password reuse is limited (Automated) | | |
| 5.4 User Accounts and Environment | | |
| 5.4.1 Set Shadow Password Suite Parameters | | |
| 5.4.1.1 Ensure password expiration is 365 days or less (Automated) | | |
| 5.4.1.2 Ensure minimum days between password changes is configured (Automated) | | |
| 5.4.1.3 Ensure password expiration warning days is 7 or more (Automated) | | |
| 5.4.1.4 Ensure inactive password lock is 30 days or less (Automated) | | |
| 5.4.1.5 Ensure all users last password change date is in the past (Automated) | | |
| 5.4.2 Ensure system accounts are secured (Automated) | | |
| 5.4.3 Ensure default group for the root account is GID 0 (Automated) | | |
| 5.4.4 Ensure default user shell timeout is configured (Automated) | | |
| 5.4.5 Ensure default user umask is configured (Automated) | | |
| 5.5 Ensure root login is restricted to system console (Manual) | | |
| 5.6 Ensure access to the su command is restricted (Automated) | | |
| 6 System Maintenance | | |
| 6.1 System File Permissions | | |
| 6.1.1 Audit system file permissions (Manual) | | |
| 6.1.2 Ensure permissions on /etc/passwd are configured (Automated) | | |
| 6.1.3 Ensure permissions on /etc/shadow are configured (Automated) | | |
| 6.1.4 Ensure permissions on /etc/group are configured (Automated) | | |
| 6.1.5 Ensure permissions on /etc/gshadow are configured (Automated) | | |
| 6.1.6 Ensure permissions on /etc/passwd- are configured (Automated) | | |
| 6.1.7 Ensure permissions on /etc/shadow- are configured (Automated) | | |
| 6.1.8 Ensure permissions on /etc/group- are configured (Automated) | | |
| 6.1.9 Ensure permissions on /etc/gshadow- are configured (Automated) | | |
| 6.1.10 Ensure no world writable files exist (Automated) | | |
| 6.1.11 Ensure no unowned files or directories exist (Automated) | | |
| 6.1.12 Ensure no ungrouped files or directories exist (Automated) | | |
| 6.1.13 Audit SUID executables (Manual) | | |
| 6.1.14 Audit SGID executables (Manual) | | |
| 6.2 User and Group Settings | | |
| 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords (Automated) | | |
| 6.2.2 Ensure /etc/shadow password fields are not empty (Automated) | | |
| 6.2.3 Ensure root is the only UID 0 account (Automated) | | |
| 6.2.4 Ensure root PATH Integrity (Automated) | | |
| 6.2.5 Ensure all users' home directories exist (Automated) | | |
| 6.2.6 Ensure users' home directories permissions are 750 or more restrictive (Automated) | | |
| 6.2.7 Ensure users own their home directories (Automated) | | |
| 6.2.8 Ensure users' dot files are not group or world writable (Automated) | | |
| 6.2.9 Ensure no users have .forward files (Automated) | | |
| 6.2.10 Ensure no users have .netrc files (Automated) | | |
| 6.2.11 Ensure users' .netrc Files are not group or world accessible (Automated) | | |
| 6.2.12 Ensure no users have .rhosts files (Automated) | | |
| 6.2.13 Ensure all groups in /etc/passwd exist in /etc/group (Automated) | | |
| 6.2.14 Ensure no duplicate UIDs exist (Automated) | | |
| 6.2.15 Ensure no duplicate GIDs exist (Automated) | | |
| 6.2.16 Ensure no duplicate user names exist (Automated) | | |
| 6.2.17 Ensure no duplicate group names exist (Automated) | | |
| 6.2.18 Ensure shadow group is empty (Automated) | | |