Coverage - CIS, Linux
CIS CAT Assessor scan results
The following scans were performed on a default installation of the noted Operating System with the Sicura Enterprise profile enforced.
| OS | EE Profile | Scan Type | Benchmark Version | Pass | Fail | Total % | Certification Status |
|---|---|---|---|---|---|---|---|
| AlmaLinux 8 | cis:level:1:server | Level 1 - Server | 3.0.0 | 192 | 16 | 92% | Certified |
| AlmaLinux 8 | cis:level:2:server | Level 2 - Server | 3.0.0 | 238 | 26 | 90% | Certified |
| AlmaLinux 9 | cis:level:1:server | Level 1 - Server | 2.0.0 | 204 | 13 | 94% | Certified |
| AlmaLinux 9 | cis:level:2:server | Level 2 - Server | 2.0.0 | 251 | 24 | 91% | Certified |
| Oracle Linux 8 | cis:level:1:server | Level 1 - Server | 3.0.0 | 194 | 14 | 93% | Certified |
| Oracle Linux 8 | cis:level:2:server | Level 2 - Server | 3.0.0 | 244 | 20 | 92% | Certified |
| Oracle Linux 9 | cis:level:1:server | Level 1 - Server | 2.0.0 | 205 | 12 | 94% | Certified |
| Oracle Linux 9 | cis:level:2:server | Level 2 - Server | 2.0.0 | 256 | 19 | 93% | Certified |
| Red Hat Enterprise 8 | cis:level:1:server | Level 1 - Server | 3.0.0 | 194 | 14 | 93% | Certified |
| Red Hat Enterprise 8 | cis:level:2:server | Level 2 - Server | 3.0.0 | 237 | 27 | 90% | Certified |
| Red Hat Enterprise 9 | cis:level:1:server | Level 1 - Server | 2.0.0 | 205 | 12 | 94% | Certified |
| Red Hat Enterprise 9 | cis:level:2:server | Level 2 - Server | 2.0.0 | 246 | 29 | 89% | Certified |
| Rocky Linux 8 | cis:level:1:server | Level 1 - Server | 2.0.0 | 194 | 14 | 93% | Certified |
| Rocky Linux 8 | cis:level:2:server | Level 2 - Server | 2.0.0 | 238 | 26 | 90% | Certified |
| Rocky Linux 9 | cis:level:1:server | Level 1 - Server | 2.0.0 | 205 | 12 | 94% | Certified |
| Rocky Linux 9 | cis:level:2:server | Level 2 - Server | 2.0.0 | 249 | 26 | 91% | Certified |
NOTE: The product no longer supports any CentOS Operating System.
Control Coverage
The following report details the status of each CIS recommendation in the SIMP EE compliance data.
- Paper policy controls refer to organizational policy requirements and cannot be reasonably enforced by SIMP at this time.
- Mapped controls have enforcement and reporting support.
- Unmapped controls are not supported at this time. A reason for the lack of support is provided for each unmapped control.
Unmapped Controls
The following controls are not mapped:
AlmaLinux 8 (21/287 [7%])
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.2.1_Ensure_devshm_is_a_separate_partition:def:1
- Title: Ensure /dev/shm is a separate partition
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.3.1_Ensure_separate_partition_exists_for_home:def:1
- Title: Ensure separate partition exists for /home
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.4.1_Ensure_separate_partition_exists_for_var:def:1
- Title: Ensure separate partition exists for /var
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.5.1_Ensure_separate_partition_exists_for_vartmp:def:1
- Title: Ensure separate partition exists for /var/tmp
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.6.1_Ensure_separate_partition_exists_for_varlog:def:1
- Title: Ensure separate partition exists for /var/log
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.7.1_Ensure_separate_partition_exists_for_varlogaudit:def:1
- Title: Ensure separate partition exists for /var/log/audit
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.3.0.0.AlmaLinux8.1.2.1_Ensure_GPG_keys_are_configured:def:1
- Title: Ensure GPG keys are configured
- NOTE: The rule states that GPG keys should be configured based on site policy. The product cannot make assumptions about the user’s site policy in regard to GPG key settings.
- oval:simp.cis.3.0.0.AlmaLinux8.1.2.4_Ensure_package_manager_repositories_are_configured:def:1
- Title: Ensure package manager repositories are configured
- NOTE: This is site-specific and cannot be managed by the product.
- oval:simp.cis.3.0.0.AlmaLinux8.1.5.1.6_Ensure_no_unconfined_services_exist:def:1
- Title: Ensure no unconfined services exist
- NOTE: We have no viable method of remediation.
- oval:simp.cis.3.0.0.AlmaLinux8.1.6.2_Ensure_system_wide_crypto_policy_disables_sha1_hash_and_signature_support:def:1
- Title: Ensure system wide crypto policy disables sha1 hash and signature support
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.3.0.0.AlmaLinux8.1.6.3_Ensure_system_wide_crypto_policy_disables_cbc_for_ssh:def:1
- Title: Ensure system wide crypto policy disables cbc for ssh
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.3.0.0.AlmaLinux8.1.6.4_Ensure_system_wide_crypto_policy_disables_macs_less_than_128_bits:def:1
- Title: Ensure system wide crypto policy disables macs less than 128 bits
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.3.0.0.AlmaLinux8.4.3.4_Ensure_users_must_provide_password_for_escalation:def:1
- Title: Ensure users must provide password for escalation
- NOTE: Users had to make a conscious decision to set “NOPASSWD” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- oval:simp.cis.3.0.0.AlmaLinux8.4.3.5_Ensure_re-authentication_for_privilege_escalation_is_not_disabled_globally:def:1
- Title: Ensure re-authentication for privilege escalation is not disabled globally
- NOTE: Users had to make a conscious decision to set “!authenticate” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- oval:simp.cis.3.0.0.AlmaLinux8.4.5.2.4_Ensure_root_password_is_set:def:1
- Title: Ensure root password is set
- NOTE: The product cannot determine what the password for root should be for any given system. The admin of the system will need to ensure this password is set according to their organization’s policies. This can also be set via hieradata.
- oval:simp.cis.3.0.0.AlmaLinux8.5.1.1.3_Ensure_journald_is_configured_to_send_logs_to_rsyslog:def:1
- Title: Ensure journald is configured to send logs to rsyslog
- NOTE: The rules request that journald both be configured to send logs to rsyslog and to not send logs to rsyslog. Since the rules directly conflict with each other, the product will enforce the rule that doesn’t rely on the existence and configuration of an rsyslog server with highly system-specific configuration.
- oval:simp.cis.3.0.0.AlmaLinux8.5.1.1.6_Ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host:def:1
- Title: Ensure rsyslog is configured to send logs to a remote log host
- NOTE: Sending logs to a remote server will be system-specific. Users can specify these settings via hieradata; however, the product cannot make this determination for its users.
- oval:simp.cis.3.0.0.AlmaLinux8.5.1.2.6_Ensure_journald_log_rotation_is_configured_per_site_policy:def:1
- Title: Ensure journald log rotation is configured per site policy
- NOTE: This is site-specific and cannot be managed by the product without proper hieradata. An example of the hieradata that would be required follows:

  ```yaml
  systemd::journald_settings::SystemMaxUse: '4G'
  systemd::journald_settings::SystemKeepFree: '10G'
  systemd::journald_settings::RuntimeMaxUse: '4G'
  systemd::journald_settings::RuntimeKeepFree: '15G'
  systemd::journald_settings::MaxFileSec: '1week'
  ```
- oval:simp.cis.3.0.0.AlmaLinux8.6.1.11_Ensure_world_writable_files_and_directories_are_secured:def:1
- Title: Ensure world writable files and directories are secured
- NOTE: To remediate this rule, the product would have to walk the entire file system to identify any files, which could be an extremely expensive operation for systems using shared file systems such as nfs.
- oval:simp.cis.3.0.0.AlmaLinux8.6.1.12_Ensure_no_unowned_or_ungrouped_files_or_directories_exist:def:1
- Title: Ensure no unowned or ungrouped files or directories exist
- NOTE: To remediate this rule, the product would have to walk the entire file system to identify any files, which could be an extremely expensive operation for systems using shared file systems such as nfs.
- oval:simp.cis.3.0.0.AlmaLinux8.6.1.13_Ensure_SUID_and_SGID_files_are_reviewed:def:1
- Title: Ensure SUID and SGID files are reviewed
- NOTE: To remediate this rule, the product would have to walk the entire file system to identify any files, which could be an extremely expensive operation for systems using shared file systems such as nfs.
AlmaLinux 9 (28/297 [9%])
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.1.9_Ensure_unused_filesystems_kernel_modules_are_not_available:def:1
- Title: Ensure unused filesystems kernel modules are not available
- NOTE: The product cannot decide which filesystem kernel modules are not needed.
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.2.1_Ensure_devshm_is_a_separate_partition:def:1
- Title: Ensure /dev/shm is a separate partition
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.3.1_Ensure_separate_partition_exists_for_home:def:1
- Title: Ensure separate partition exists for /home
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.4.1_Ensure_separate_partition_exists_for_var:def:1
- Title: Ensure separate partition exists for /var
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.5.1_Ensure_separate_partition_exists_for_vartmp:def:1
- Title: Ensure separate partition exists for /var/tmp
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.6.1_Ensure_separate_partition_exists_for_varlog:def:1
- Title: Ensure separate partition exists for /var/log
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.7.1_Ensure_separate_partition_exists_for_varlogaudit:def:1
- Title: Ensure separate partition exists for /var/log/audit
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.AlmaLinux9.1.2.1.1_Ensure_GPG_keys_are_configured:def:1
- Title: Ensure GPG keys are configured
- NOTE: The rule states that GPG keys should be configured based on site policy. The product cannot make assumptions about the user’s site policy in regard to GPG key settings.
- oval:simp.cis.2.0.0.AlmaLinux9.1.2.1.4_Ensure_package_manager_repositories_are_configured:def:1
- Title: Ensure package manager repositories are configured
- NOTE: This is site-specific and cannot be managed by the product.
- oval:simp.cis.2.0.0.AlmaLinux9.1.3.1.6_Ensure_no_unconfined_services_exist:def:1
- Title: Ensure no unconfined services exist
- NOTE: We have no viable method of remediation.
- oval:simp.cis.2.0.0.AlmaLinux9.1.6.3_Ensure_system_wide_crypto_policy_disables_sha1_hash_and_signature_support:def:1
- Title: Ensure system wide crypto policy disables sha1 hash and signature support
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.2.0.0.AlmaLinux9.1.6.4_Ensure_system_wide_crypto_policy_disables_macs_less_than_128_bits:def:1
- Title: Ensure system wide crypto policy disables macs less than 128 bits
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.2.0.0.AlmaLinux9.1.6.5_Ensure_system_wide_crypto_policy_disables_cbc_for_ssh:def:1
- Title: Ensure system wide crypto policy disables cbc for ssh
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.2.0.0.AlmaLinux9.1.6.6_Ensure_system_wide_crypto_policy_disables_chacha20-poly1305_for_ssh:def:1
- Title: Ensure system wide crypto policy disables chacha20-poly1305 for ssh
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.2.0.0.AlmaLinux9.1.6.7_Ensure_system_wide_crypto_policy_disables_EtM_for_ssh:def:1
- Title: Ensure system wide crypto policy disables EtM for ssh
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.2.0.0.AlmaLinux9.5.2.4_Ensure_users_must_provide_password_for_escalation:def:1
- Title: Ensure users must provide password for escalation
- NOTE: Users had to make a conscious decision to set “NOPASSWD” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- oval:simp.cis.2.0.0.AlmaLinux9.5.2.5_Ensure_re-authentication_for_privilege_escalation_is_not_disabled_globally:def:1
- Title: Ensure re-authentication for privilege escalation is not disabled globally
- NOTE: Users had to make a conscious decision to set “!authenticate” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- oval:simp.cis.2.0.0.AlmaLinux9.5.4.2.4_Ensure_root_account_access_is_controlled:def:1
- Title: Ensure root account access is controlled
- NOTE: The product cannot determine what the password for root should be for any given system. The admin of the system will need to ensure this password is set according to their organization’s policies. This can also be set via hieradata.
- oval:simp.cis.2.0.0.AlmaLinux9.6.2.1.2_Ensure_journald_log_file_access_is_configured:def:1
- Title: Ensure journald log file access is configured
- NOTE: This is site-specific and cannot be managed by the product.
- oval:simp.cis.2.0.0.AlmaLinux9.6.2.1.3_Ensure_journald_log_file_rotation_is_configured:def:1
- Title: Ensure journald log file rotation is configured
- NOTE: This is site-specific and cannot be managed by the product without proper hieradata. An example of the hieradata that would be required follows:

  ```yaml
  systemd::journald_settings::SystemMaxUse: '4G'
  systemd::journald_settings::SystemKeepFree: '10G'
  systemd::journald_settings::RuntimeMaxUse: '4G'
  systemd::journald_settings::RuntimeKeepFree: '15G'
  systemd::journald_settings::MaxFileSec: '1week'
  ```
- oval:simp.cis.2.0.0.AlmaLinux9.6.2.1.4_Ensure_only_one_logging_system_is_in_use:def:1
- Title: Ensure only one logging system is in use
- NOTE: This is site-specific and cannot be managed by the product.
- oval:simp.cis.2.0.0.AlmaLinux9.6.2.3.3_Ensure_journald_is_configured_to_send_logs_to_rsyslog:def:1
- Title: Ensure journald is configured to send logs to rsyslog
- NOTE: The rules request that journald both be configured to send logs to rsyslog and to not send logs to rsyslog. Since the rules directly conflict with each other, the product will enforce the rule that doesn’t rely on the existence and configuration of an rsyslog server with highly system-specific configuration.
- oval:simp.cis.2.0.0.AlmaLinux9.6.2.3.6_Ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host:def:1
- Title: Ensure rsyslog is configured to send logs to a remote log host
- NOTE: Sending logs to a remote server will be system-specific. Users can specify these settings via hieradata; however, the product cannot make this determination for its users.
- oval:simp.cis.2.0.0.AlmaLinux9.6.2.3.8_Ensure_rsyslog_logrotate_is_configured:def:1
- Title: Ensure rsyslog logrotate is configured
- NOTE: This is site-specific and cannot be managed by the product, though rsyslog and syslog log files are rotated by logrotate.
- oval:simp.cis.2.0.0.AlmaLinux9.6.2.4.1_Ensure_access_to_all_logfiles_has_been_configured:def:1
- Title: Ensure access to all logfiles has been configured
- NOTE: The permissions for /var/log are configured and set elsewhere. The product does not have the ability to run the expected remediation script.
- oval:simp.cis.2.0.0.AlmaLinux9.7.1.11_Ensure_world_writable_files_and_directories_are_secured:def:1
- Title: Ensure world writable files and directories are secured
- NOTE: To remediate this rule, the product would have to walk the entire file system to identify any files, which could be an extremely expensive operation for systems using shared file systems such as nfs.
- oval:simp.cis.2.0.0.AlmaLinux9.7.1.12_Ensure_no_files_or_directories_without_an_owner_and_a_group_exist:def:1
- Title: Ensure no files or directories without an owner and a group exist
- NOTE: To remediate this rule, the product would have to walk the entire file system to identify any files, which could be an extremely expensive operation for systems using shared file systems such as nfs.
- oval:simp.cis.2.0.0.AlmaLinux9.7.1.13_Ensure_SUID_and_SGID_files_are_reviewed:def:1
- Title: Ensure SUID and SGID files are reviewed
- NOTE: To remediate this rule, the product would have to walk the entire file system to identify any files, which could be an extremely expensive operation for systems using shared file systems such as nfs.
OracleLinux 8 (22/287 [7%])
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.2.1_Ensure_devshm_is_a_separate_partition:def:1
- Title: Ensure /dev/shm is a separate partition
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.3.1_Ensure_separate_partition_exists_for_home:def:1
- Title: Ensure separate partition exists for /home
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.4.1_Ensure_separate_partition_exists_for_var:def:1
- Title: Ensure separate partition exists for /var
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.5.1_Ensure_separate_partition_exists_for_vartmp:def:1
- Title: Ensure separate partition exists for /var/tmp
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.6.1_Ensure_separate_partition_exists_for_varlog:def:1
- Title: Ensure separate partition exists for /var/log
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.7.1_Ensure_separate_partition_exists_for_varlogaudit:def:1
- Title: Ensure separate partition exists for /var/log/audit
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.3.0.0.OracleLinux8.1.2.1_Ensure_GPG_keys_are_configured:def:1
- Title: Ensure GPG keys are configured
- NOTE: The rule states that GPG keys should be configured based on site policy. The product cannot make assumptions about the user’s site policy in regard to GPG key settings.
- oval:simp.cis.3.0.0.OracleLinux8.1.2.4_Ensure_package_manager_repositories_are_configured:def:1
- Title: Ensure package manager repositories are configured
- NOTE: This is site-specific and cannot be managed by the product.
- oval:simp.cis.3.0.0.OracleLinux8.1.5.1.6_Ensure_no_unconfined_services_exist:def:1
- Title: Ensure no unconfined services exist
- NOTE: We have no viable method of remediation.
- oval:simp.cis.3.0.0.OracleLinux8.1.6.2_Ensure_system_wide_crypto_policy_disables_sha1_hash_and_signature_support:def:1
- Title: Ensure system wide crypto policy disables sha1 hash and signature support
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.3.0.0.OracleLinux8.1.6.3_Ensure_system_wide_crypto_policy_disables_cbc_for_ssh:def:1
- Title: Ensure system wide crypto policy disables cbc for ssh
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.3.0.0.OracleLinux8.1.6.4_Ensure_system_wide_crypto_policy_disables_macs_less_than_128_bits:def:1
- Title: Ensure system wide crypto policy disables macs less than 128 bits
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.3.0.0.OracleLinux8.4.3.4_Ensure_users_must_provide_password_for_escalation:def:1
- Title: Ensure users must provide password for escalation
- NOTE: Users had to make a conscious decision to set “NOPASSWD” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- oval:simp.cis.3.0.0.OracleLinux8.4.3.5_Ensure_re-authentication_for_privilege_escalation_is_not_disabled_globally:def:1
- Title: Ensure re-authentication for privilege escalation is not disabled globally
- NOTE: Users had to make a conscious decision to set “!authenticate” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- oval:simp.cis.3.0.0.OracleLinux8.4.4.2.1_Ensure_active_authselect_profile_includes_pam_modules:def:1
- Title: Ensure active authselect profile includes pam modules
- NOTE: The product configures the pam and /etc/security files directly instead of using an authselect profile.
- oval:simp.cis.3.0.0.OracleLinux8.4.5.2.4_Ensure_root_password_is_set:def:1
- Title: Ensure root password is set
- NOTE: The product cannot determine what the password for root should be for any given system. The admin of the system will need to ensure this password is set according to their organization’s policies. This can also be set via hieradata.
- oval:simp.cis.3.0.0.OracleLinux8.5.1.1.3_Ensure_journald_is_configured_to_send_logs_to_rsyslog:def:1
- Title: Ensure journald is configured to send logs to rsyslog
- NOTE: The rules request that journald both be configured to send logs to rsyslog and to not send logs to rsyslog. Since the rules directly conflict with each other, the product will enforce the rule that doesn’t rely on the existence and configuration of an rsyslog server with highly system-specific configuration.
- oval:simp.cis.3.0.0.OracleLinux8.5.1.1.6_Ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host:def:1
- Title: Ensure rsyslog is configured to send logs to a remote log host
- NOTE: Sending logs to a remote server will be system-specific. Users can specify these settings via hieradata; however, the product cannot make this determination for its users.
- oval:simp.cis.3.0.0.OracleLinux8.5.1.2.6_Ensure_journald_log_rotation_is_configured_per_site_policy:def:1
- Title: Ensure journald log rotation is configured per site policy
- NOTE: This is site-specific and cannot be managed by the product without proper hieradata. An example of the hieradata that would be required follows:

  ```yaml
  systemd::journald_settings::SystemMaxUse: '4G'
  systemd::journald_settings::SystemKeepFree: '10G'
  systemd::journald_settings::RuntimeMaxUse: '4G'
  systemd::journald_settings::RuntimeKeepFree: '15G'
  systemd::journald_settings::MaxFileSec: '1week'
  ```
- oval:simp.cis.3.0.0.OracleLinux8.6.1.11_Ensure_world_writable_files_and_directories_are_secured:def:1
- Title: Ensure world writable files and directories are secured
- NOTE: To remediate this rule, the product would have to walk the entire file system to identify any files, which could be an extremely expensive operation for systems using shared file systems such as nfs.
- oval:simp.cis.3.0.0.OracleLinux8.6.1.12_Ensure_no_unowned_or_ungrouped_files_or_directories_exist:def:1
- Title: Ensure no unowned or ungrouped files or directories exist
- NOTE: To remediate this rule, the product would have to walk the entire file system to identify any files, which could be an extremely expensive operation for systems using shared file systems such as nfs.
- oval:simp.cis.3.0.0.OracleLinux8.6.1.13_Ensure_SUID_and_SGID_files_are_reviewed:def:1
- Title: Ensure SUID and SGID files are reviewed
- NOTE: To remediate this rule, the product would have to walk the entire file system to identify any files, which could be an extremely expensive operation for systems using shared file systems such as nfs.
OracleLinux 9 (29/298 [9%])
- oval:simp.cis.2.0.0.OracleLinux9.1.1.1.9_Ensure_unused_filesystems_kernel_modules_are_not_available:def:1
- Title: Ensure unused filesystems kernel modules are not available
- NOTE: The product cannot decide which filesystem kernel modules are not needed.
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.2.1_Ensure_devshm_is_a_separate_partition:def:1
- Title: Ensure /dev/shm is a separate partition
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.3.1_Ensure_separate_partition_exists_for_home:def:1
- Title: Ensure separate partition exists for /home
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.4.1_Ensure_separate_partition_exists_for_var:def:1
- Title: Ensure separate partition exists for /var
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.5.1_Ensure_separate_partition_exists_for_vartmp:def:1
- Title: Ensure separate partition exists for /var/tmp
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.6.1_Ensure_separate_partition_exists_for_varlog:def:1
- Title: Ensure separate partition exists for /var/log
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.7.1_Ensure_separate_partition_exists_for_varlogaudit:def:1
- Title: Ensure separate partition exists for /var/log/audit
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.OracleLinux9.1.2.1.1_Ensure_GPG_keys_are_configured:def:1
- Title: Ensure GPG keys are configured
- NOTE: The rule states that GPG keys should be configured based on site policy. The product cannot make assumptions about the user’s site policy in regard to GPG key settings.
- oval:simp.cis.2.0.0.OracleLinux9.1.2.1.4_Ensure_package_manager_repositories_are_configured:def:1
- Title: Ensure package manager repositories are configured
- NOTE: This is site-specific and cannot be managed by the product.
- oval:simp.cis.2.0.0.OracleLinux9.1.3.1.6_Ensure_no_unconfined_services_exist:def:1
- Title: Ensure no unconfined services exist
- NOTE: We have no viable method of remediation.
- oval:simp.cis.2.0.0.OracleLinux9.1.6.3_Ensure_system_wide_crypto_policy_disables_sha1_hash_and_signature_support:def:1
- Title: Ensure system wide crypto policy disables sha1 hash and signature support
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.2.0.0.OracleLinux9.1.6.4_Ensure_system_wide_crypto_policy_disables_macs_less_than_128_bits:def:1
- Title: Ensure system wide crypto policy disables macs less than 128 bits
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.2.0.0.OracleLinux9.1.6.5_Ensure_system_wide_crypto_policy_disables_cbc_for_ssh:def:1
- Title: Ensure system wide crypto policy disables cbc for ssh
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.2.0.0.OracleLinux9.1.6.6_Ensure_system_wide_crypto_policy_disables_chacha20-poly1305_for_ssh:def:1
- Title: Ensure system wide crypto policy disables chacha20-poly1305 for ssh
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.2.0.0.OracleLinux9.1.6.7_Ensure_system_wide_crypto_policy_disables_EtM_for_ssh:def:1
- Title: Ensure system wide crypto policy disables EtM for ssh
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.2.0.0.OracleLinux9.5.2.4_Ensure_users_must_provide_password_for_escalation:def:1
- Title: Ensure users must provide password for escalation
- NOTE: Users had to make a conscious decision to set “NOPASSWD” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- oval:simp.cis.2.0.0.OracleLinux9.5.2.5_Ensure_re-authentication_for_privilege_escalation_is_not_disabled_globally:def:1
- Title: Ensure re-authentication for privilege escalation is not disabled globally
- NOTE: Users had to make a conscious decision to set “!authenticate” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- oval:simp.cis.2.0.0.OracleLinux9.5.4.2.4_Ensure_root_account_access_is_controlled:def:1
- Title: Ensure root account access is controlled
- NOTE: The product cannot determine what the password for root should be for any given system. The admin of the system will need to ensure this password is set according to their organization’s policies. This can also be set via hieradata.
- oval:simp.cis.2.0.0.OracleLinux9.6.2.1.2_Ensure_journald_log_file_access_is_configured:def:1
- Title: Ensure journald log file access is configured
- NOTE: This is site-specific and cannot be managed by the product.
- oval:simp.cis.2.0.0.OracleLinux9.6.2.1.3_Ensure_journald_log_file_rotation_is_configured:def:1
- Title: Ensure journald log file rotation is configured
- NOTE: This is site-specific and cannot be managed by the product without proper hieradata. An example of the hieradata that would be required follows:

  ```yaml
  systemd::journald_settings::SystemMaxUse: '4G'
  systemd::journald_settings::SystemKeepFree: '10G'
  systemd::journald_settings::RuntimeMaxUse: '4G'
  systemd::journald_settings::RuntimeKeepFree: '15G'
  systemd::journald_settings::MaxFileSec: '1week'
  ```
- oval:simp.cis.2.0.0.OracleLinux9.6.2.1.4_Ensure_only_one_logging_system_is_in_use:def:1
- Title: Ensure only one logging system is in use
- NOTE: This is site-specific and cannot be managed by the product.
- oval:simp.cis.2.0.0.OracleLinux9.6.2.2.1.2_Ensure_systemd-journal-upload_authentication_is_configured:def:1
- Title: Ensure systemd-journal-upload authentication is configured
- NOTE: This is site-specific and cannot be managed by the product.
- oval:simp.cis.2.0.0.OracleLinux9.6.2.3.3_Ensure_journald_is_configured_to_send_logs_to_rsyslog:def:1
- Title: Ensure journald is configured to send logs to rsyslog
- NOTE: The rules request that journald both be configured to send logs to rsyslog and to not send logs to rsyslog. Since the rules directly conflict with each other, the product will enforce the rule that doesn’t rely on the existence and configuration of an rsyslog server with highly system-specific configuration.
- oval:simp.cis.2.0.0.OracleLinux9.6.2.3.6_Ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host:def:1
- Title: Ensure rsyslog is configured to send logs to a remote log host
- NOTE: Sending logs to a remote server will be system-specific. Users can specify these settings via hieradata; however, the product cannot make this determination for its users.
- oval:simp.cis.2.0.0.OracleLinux9.6.2.3.8_Ensure_rsyslog_logrotate_is_configured:def:1
- Title: Ensure rsyslog logrotate is configured
- NOTE: This is site-specific and cannot be managed by the product, though rsyslog and syslog log files are rotated by logrotate.
- oval:simp.cis.2.0.0.OracleLinux9.6.2.4.1_Ensure_access_to_all_logfiles_has_been_configured:def:1
- Title: Ensure access to all logfiles has been configured
- NOTE: The permissions for /var/log are configured and set elsewhere. The product does not have the ability to run the expected remediation script.
- oval:simp.cis.2.0.0.OracleLinux9.7.1.11_Ensure_world_writable_files_and_directories_are_secured:def:1
- Title: Ensure world writable files and directories are secured
- NOTE: To remediate this rule, the product would have to walk the entire file system to identify any files, which could be an extremely expensive operation for systems using shared file systems such as nfs.
- oval:simp.cis.2.0.0.OracleLinux9.7.1.12_Ensure_no_files_or_directories_without_an_owner_and_a_group_exist:def:1
- Title: Ensure no files or directories without an owner and a group exist
- NOTE: To remediate this rule, the product would have to walk the entire file system to identify any files, which could be an extremely expensive operation for systems using shared file systems such as nfs.
- oval:simp.cis.2.0.0.OracleLinux9.7.1.13_Ensure_SUID_and_SGID_files_are_reviewed:def:1
- Title: Ensure SUID and SGID files are reviewed
- NOTE: To remediate this rule, the product would have to walk the entire file system to identify any files, which could be an extremely expensive operation for systems using shared file systems such as nfs.
RedHat 8 (21/287 [7%])
- oval:simp.cis.3.0.0.RedHat8.1.1.2.2.1_Ensure_devshm_is_a_separate_partition:def:1
- Title: Ensure /dev/shm is a separate partition
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.3.0.0.RedHat8.1.1.2.3.1_Ensure_separate_partition_exists_for_home:def:1
- Title: Ensure separate partition exists for /home
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.3.0.0.RedHat8.1.1.2.4.1_Ensure_separate_partition_exists_for_var:def:1
- Title: Ensure separate partition exists for /var
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.3.0.0.RedHat8.1.1.2.5.1_Ensure_separate_partition_exists_for_vartmp:def:1
- Title: Ensure separate partition exists for /var/tmp
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.3.0.0.RedHat8.1.1.2.6.1_Ensure_separate_partition_exists_for_varlog:def:1
- Title: Ensure separate partition exists for /var/log
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.3.0.0.RedHat8.1.1.2.7.1_Ensure_separate_partition_exists_for_varlogaudit:def:1
- Title: Ensure separate partition exists for /var/log/audit
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.3.0.0.RedHat8.1.2.1_Ensure_GPG_keys_are_configured:def:1
- Title: Ensure GPG keys are configured
- NOTE: The rule states that GPG keys should be configured based on site policy. The product cannot make assumptions about the user's site policy in regard to GPG key settings.
- oval:simp.cis.3.0.0.RedHat8.1.2.4_Ensure_package_manager_repositories_are_configured:def:1
- Title: Ensure package manager repositories are configured
- NOTE: This is site-specific and cannot be managed by the product.
- oval:simp.cis.3.0.0.RedHat8.1.5.1.6_Ensure_no_unconfined_services_exist:def:1
- Title: Ensure no unconfined services exist
- NOTE: We have no viable method of remediation.
- oval:simp.cis.3.0.0.RedHat8.1.6.2_Ensure_system_wide_crypto_policy_disables_sha1_hash_and_signature_support:def:1
- Title: Ensure system wide crypto policy disables sha1 hash and signature support
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.3.0.0.RedHat8.1.6.3_Ensure_system_wide_crypto_policy_disables_cbc_for_ssh:def:1
- Title: Ensure system wide crypto policy disables cbc for ssh
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.3.0.0.RedHat8.1.6.4_Ensure_system_wide_crypto_policy_disables_macs_less_than_128_bits:def:1
- Title: Ensure system wide crypto policy disables macs less than 128 bits
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.3.0.0.RedHat8.4.3.4_Ensure_users_must_provide_password_for_escalation:def:1
- Title: Ensure users must provide password for escalation
- NOTE: Users had to make a conscious decision to set “NOPASSWD” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- oval:simp.cis.3.0.0.RedHat8.4.3.5_Ensure_re-authentication_for_privilege_escalation_is_not_disabled_globally:def:1
- Title: Ensure re-authentication for privilege escalation is not disabled globally
- NOTE: Users had to make a conscious decision to set “!authenticate” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- oval:simp.cis.3.0.0.RedHat8.4.5.2.4_Ensure_root_password_is_set:def:1
- Title: Ensure root password is set
- NOTE: The product cannot determine what the password for root should be for any given system. The admin of the system will need to ensure this password is set according to their organization’s policies. This can also be set via hieradata.
- oval:simp.cis.3.0.0.RedHat8.5.1.1.3_Ensure_journald_is_configured_to_send_logs_to_rsyslog:def:1
- Title: Ensure journald is configured to send logs to rsyslog
- NOTE: The benchmark contains two directly conflicting recommendations: one requires journald to forward logs to rsyslog and another requires that it not. Because both cannot be satisfied at once, the product enforces the one that does not depend on the existence and configuration of an rsyslog server, which is highly site-specific.
- oval:simp.cis.3.0.0.RedHat8.5.1.1.6_Ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host:def:1
- Title: Ensure rsyslog is configured to send logs to a remote log host
- NOTE: Sending logs to a remote server is system-specific. Users can specify these settings via hieradata; however, the product cannot make this determination for its users.
- oval:simp.cis.3.0.0.RedHat8.5.1.2.6_Ensure_journald_log_rotation_is_configured_per_site_policy:def:1
- Title: Ensure journald log rotation is configured per site policy
- NOTE: This is site-specific and cannot be managed by the product without the appropriate hieradata. An example of the hieradata that would be required follows:
    systemd::journald_settings::SystemMaxUse: '4G'
    systemd::journald_settings::SystemKeepFree: '10G'
    systemd::journald_settings::RuntimeMaxUse: '4G'
    systemd::journald_settings::RuntimeKeepFree: '15G'
    systemd::journald_settings::MaxFileSec: '1week'
- oval:simp.cis.3.0.0.RedHat8.6.1.11_Ensure_world_writable_files_and_directories_are_secured:def:1
- Title: Ensure world writable files and directories are secured
- NOTE: To remediate this rule, the product would have to walk the entire file system to identify any files, which could be an extremely expensive operation for systems using shared file systems such as nfs.
- oval:simp.cis.3.0.0.RedHat8.6.1.12_Ensure_no_unowned_or_ungrouped_files_or_directories_exist:def:1
- Title: Ensure no unowned or ungrouped files or directories exist
- NOTE: To remediate this rule, the product would have to walk the entire file system to identify any files, which could be an extremely expensive operation for systems using shared file systems such as nfs.
- oval:simp.cis.3.0.0.RedHat8.6.1.13_Ensure_SUID_and_SGID_files_are_reviewed:def:1
- Title: Ensure SUID and SGID files are reviewed
- NOTE: To remediate this rule, the product would have to walk the entire file system to identify any files, which could be an extremely expensive operation for systems using shared file systems such as nfs.
RedHat 9 (29/297 [9%])
- oval:simp.cis.2.0.0.RedHat9.1.1.1.9_Ensure_unused_filesystems_kernel_modules_are_not_available:def:1
- Title: Ensure unused filesystems kernel modules are not available
- NOTE: The product cannot decide which filesystem kernel modules are not needed.
- oval:simp.cis.2.0.0.RedHat9.1.1.2.2.1_Ensure_devshm_is_a_separate_partition:def:1
- Title: Ensure /dev/shm is a separate partition
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.RedHat9.1.1.2.3.1_Ensure_separate_partition_exists_for_home:def:1
- Title: Ensure separate partition exists for /home
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.RedHat9.1.1.2.4.1_Ensure_separate_partition_exists_for_var:def:1
- Title: Ensure separate partition exists for /var
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.RedHat9.1.1.2.5.1_Ensure_separate_partition_exists_for_vartmp:def:1
- Title: Ensure separate partition exists for /var/tmp
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.RedHat9.1.1.2.6.1_Ensure_separate_partition_exists_for_varlog:def:1
- Title: Ensure separate partition exists for /var/log
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.RedHat9.1.1.2.7.1_Ensure_separate_partition_exists_for_varlogaudit:def:1
- Title: Ensure separate partition exists for /var/log/audit
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.RedHat9.1.2.1.1_Ensure_GPG_keys_are_configured:def:1
- Title: Ensure GPG keys are configured
- NOTE: The rule states that GPG keys should be configured based on site policy. The product cannot make assumptions about the user's site policy in regard to GPG key settings.
- oval:simp.cis.2.0.0.RedHat9.1.2.1.4_Ensure_package_manager_repositories_are_configured:def:1
- Title: Ensure package manager repositories are configured
- NOTE: This is site-specific and cannot be managed by the product.
- oval:simp.cis.2.0.0.RedHat9.1.3.1.6_Ensure_no_unconfined_services_exist:def:1
- Title: Ensure no unconfined services exist
- NOTE: We have no viable method of remediation.
- oval:simp.cis.2.0.0.RedHat9.1.6.3_Ensure_system_wide_crypto_policy_disables_sha1_hash_and_signature_support:def:1
- Title: Ensure system wide crypto policy disables sha1 hash and signature support
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.2.0.0.RedHat9.1.6.4_Ensure_system_wide_crypto_policy_disables_macs_less_than_128_bits:def:1
- Title: Ensure system wide crypto policy disables macs less than 128 bits
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.2.0.0.RedHat9.1.6.5_Ensure_system_wide_crypto_policy_disables_cbc_for_ssh:def:1
- Title: Ensure system wide crypto policy disables cbc for ssh
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.2.0.0.RedHat9.1.6.6_Ensure_system_wide_crypto_policy_disables_chacha20-poly1305_for_ssh:def:1
- Title: Ensure system wide crypto policy disables chacha20-poly1305 for ssh
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.2.0.0.RedHat9.1.6.7_Ensure_system_wide_crypto_policy_disables_EtM_for_ssh:def:1
- Title: Ensure system wide crypto policy disables EtM for ssh
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.2.0.0.RedHat9.5.2.4_Ensure_users_must_provide_password_for_escalation:def:1
- Title: Ensure users must provide password for escalation
- NOTE: Users had to make a conscious decision to set “NOPASSWD” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- oval:simp.cis.2.0.0.RedHat9.5.2.5_Ensure_re-authentication_for_privilege_escalation_is_not_disabled_globally:def:1
- Title: Ensure re-authentication for privilege escalation is not disabled globally
- NOTE: Users had to make a conscious decision to set “!authenticate” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- oval:simp.cis.2.0.0.RedHat9.5.4.2.4_Ensure_root_account_access_is_controlled:def:1
- Title: Ensure root account access is controlled
- NOTE: The product cannot determine what the password for root should be for any given system. The admin of the system will need to ensure this password is set according to their organization’s policies. This can also be set via hieradata.
- oval:simp.cis.2.0.0.RedHat9.6.2.1.2_Ensure_journald_log_file_access_is_configured:def:1
- Title: Ensure journald log file access is configured
- NOTE: This is site-specific and cannot be managed by the product.
- oval:simp.cis.2.0.0.RedHat9.6.2.1.3_Ensure_journald_log_file_rotation_is_configured:def:1
- Title: Ensure journald log file rotation is configured
- NOTE: This is site-specific and cannot be managed by the product without the appropriate hieradata. An example of the hieradata that would be required follows:
    systemd::journald_settings::SystemMaxUse: '4G'
    systemd::journald_settings::SystemKeepFree: '10G'
    systemd::journald_settings::RuntimeMaxUse: '4G'
    systemd::journald_settings::RuntimeKeepFree: '15G'
    systemd::journald_settings::MaxFileSec: '1week'
- oval:simp.cis.2.0.0.RedHat9.6.2.1.4_Ensure_only_one_logging_system_is_in_use:def:1
- Title: Ensure only one logging system is in use
- NOTE: This is site-specific and cannot be managed by the product.
- oval:simp.cis.2.0.0.RedHat9.6.2.2.1.2_Ensure_systemd-journal-upload_authentication_is_configured:def:1
- Title: Ensure systemd-journal-upload authentication is configured
- NOTE: This is site-specific and cannot be managed by the product.
- oval:simp.cis.2.0.0.RedHat9.6.2.3.3_Ensure_journald_is_configured_to_send_logs_to_rsyslog:def:1
- Title: Ensure journald is configured to send logs to rsyslog
- NOTE: The benchmark contains two directly conflicting recommendations: one requires journald to forward logs to rsyslog and another requires that it not. Because both cannot be satisfied at once, the product enforces the one that does not depend on the existence and configuration of an rsyslog server, which is highly site-specific.
- oval:simp.cis.2.0.0.RedHat9.6.2.3.6_Ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host:def:1
- Title: Ensure rsyslog is configured to send logs to a remote log host
- NOTE: Sending logs to a remote server is system-specific. Users can specify these settings via hieradata; however, the product cannot make this determination for its users.
- oval:simp.cis.2.0.0.RedHat9.6.2.3.8_Ensure_rsyslog_logrotate_is_configured:def:1
- Title: Ensure rsyslog logrotate is configured
- NOTE: This is site-specific and cannot be managed by the product, though rsyslog and syslog log files are rotated by logrotate.
- oval:simp.cis.2.0.0.RedHat9.6.2.4.1_Ensure_access_to_all_logfiles_has_been_configured:def:1
- Title: Ensure access to all logfiles has been configured
- NOTE: The permissions for /var/log are configured and set elsewhere. The product does not have the ability to run the expected remediation script.
- oval:simp.cis.2.0.0.RedHat9.7.1.11_Ensure_world_writable_files_and_directories_are_secured:def:1
- Title: Ensure world writable files and directories are secured
- NOTE: To remediate this rule, the product would have to walk the entire file system to identify any files, which could be an extremely expensive operation for systems using shared file systems such as nfs.
- oval:simp.cis.2.0.0.RedHat9.7.1.12_Ensure_no_files_or_directories_without_an_owner_and_a_group_exist:def:1
- Title: Ensure no files or directories without an owner and a group exist
- NOTE: To remediate this rule, the product would have to walk the entire file system to identify any files, which could be an extremely expensive operation for systems using shared file systems such as nfs.
- oval:simp.cis.2.0.0.RedHat9.7.1.13_Ensure_SUID_and_SGID_files_are_reviewed:def:1
- Title: Ensure SUID and SGID files are reviewed
- NOTE: To remediate this rule, the product would have to walk the entire file system to identify any files, which could be an extremely expensive operation for systems using shared file systems such as nfs.
Rocky 8 (21/287 [7%])
- oval:simp.cis.2.0.0.Rocky8.1.1.2.2.1_Ensure_devshm_is_a_separate_partition:def:1
- Title: Ensure /dev/shm is a separate partition
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.Rocky8.1.1.2.3.1_Ensure_separate_partition_exists_for_home:def:1
- Title: Ensure separate partition exists for /home
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.Rocky8.1.1.2.4.1_Ensure_separate_partition_exists_for_var:def:1
- Title: Ensure separate partition exists for /var
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.Rocky8.1.1.2.5.1_Ensure_separate_partition_exists_for_vartmp:def:1
- Title: Ensure separate partition exists for /var/tmp
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.Rocky8.1.1.2.6.1_Ensure_separate_partition_exists_for_varlog:def:1
- Title: Ensure separate partition exists for /var/log
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.Rocky8.1.1.2.7.1_Ensure_separate_partition_exists_for_varlogaudit:def:1
- Title: Ensure separate partition exists for /var/log/audit
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.Rocky8.1.2.1_Ensure_GPG_keys_are_configured:def:1
- Title: Ensure GPG keys are configured
- NOTE: The rule states that GPG keys should be configured based on site policy. The product cannot make assumptions about the user's site policy in regard to GPG key settings.
- oval:simp.cis.2.0.0.Rocky8.1.2.4_Ensure_package_manager_repositories_are_configured:def:1
- Title: Ensure package manager repositories are configured
- NOTE: This is site-specific and cannot be managed by the product.
- oval:simp.cis.2.0.0.Rocky8.1.5.1.6_Ensure_no_unconfined_services_exist:def:1
- Title: Ensure no unconfined services exist
- NOTE: We have no viable method of remediation.
- oval:simp.cis.2.0.0.Rocky8.1.6.2_Ensure_system_wide_crypto_policy_disables_sha1_hash_and_signature_support:def:1
- Title: Ensure system wide crypto policy disables sha1 hash and signature support
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.2.0.0.Rocky8.1.6.3_Ensure_system_wide_crypto_policy_disables_cbc_for_ssh:def:1
- Title: Ensure system wide crypto policy disables cbc for ssh
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.2.0.0.Rocky8.1.6.4_Ensure_system_wide_crypto_policy_disables_macs_less_than_128_bits:def:1
- Title: Ensure system wide crypto policy disables macs less than 128 bits
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.2.0.0.Rocky8.4.3.4_Ensure_users_must_provide_password_for_escalation:def:1
- Title: Ensure users must provide password for escalation
- NOTE: Users had to make a conscious decision to set “NOPASSWD” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- oval:simp.cis.2.0.0.Rocky8.4.3.5_Ensure_re-authentication_for_privilege_escalation_is_not_disabled_globally:def:1
- Title: Ensure re-authentication for privilege escalation is not disabled globally
- NOTE: Users had to make a conscious decision to set “!authenticate” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- oval:simp.cis.2.0.0.Rocky8.4.5.2.4_Ensure_root_password_is_set:def:1
- Title: Ensure root password is set
- NOTE: The product cannot determine what the password for root should be for any given system. The admin of the system will need to ensure this password is set according to their organization’s policies. This can also be set via hieradata.
- oval:simp.cis.2.0.0.Rocky8.5.1.1.3_Ensure_journald_is_configured_to_send_logs_to_rsyslog:def:1
- Title: Ensure journald is configured to send logs to rsyslog
- NOTE: The benchmark contains two directly conflicting recommendations: one requires journald to forward logs to rsyslog and another requires that it not. Because both cannot be satisfied at once, the product enforces the one that does not depend on the existence and configuration of an rsyslog server, which is highly site-specific.
- oval:simp.cis.2.0.0.Rocky8.5.1.1.6_Ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host:def:1
- Title: Ensure rsyslog is configured to send logs to a remote log host
- NOTE: Sending logs to a remote server is system-specific. Users can specify these settings via hieradata; however, the product cannot make this determination for its users.
- oval:simp.cis.2.0.0.Rocky8.5.1.2.6_Ensure_journald_log_rotation_is_configured_per_site_policy:def:1
- Title: Ensure journald log rotation is configured per site policy
- NOTE: This is site-specific and cannot be managed by the product without the appropriate hieradata. An example of the hieradata that would be required follows:
    systemd::journald_settings::SystemMaxUse: '4G'
    systemd::journald_settings::SystemKeepFree: '10G'
    systemd::journald_settings::RuntimeMaxUse: '4G'
    systemd::journald_settings::RuntimeKeepFree: '15G'
    systemd::journald_settings::MaxFileSec: '1week'
- oval:simp.cis.2.0.0.Rocky8.6.1.11_Ensure_world_writable_files_and_directories_are_secured:def:1
- Title: Ensure world writable files and directories are secured
- NOTE: To remediate this rule, the product would have to walk the entire file system to identify any files, which could be an extremely expensive operation for systems using shared file systems such as nfs.
- oval:simp.cis.2.0.0.Rocky8.6.1.12_Ensure_no_unowned_or_ungrouped_files_or_directories_exist:def:1
- Title: Ensure no unowned or ungrouped files or directories exist
- NOTE: To remediate this rule, the product would have to walk the entire file system to identify any files, which could be an extremely expensive operation for systems using shared file systems such as nfs.
- oval:simp.cis.2.0.0.Rocky8.6.1.13_Ensure_SUID_and_SGID_files_are_reviewed:def:1
- Title: Ensure SUID and SGID files are reviewed
- NOTE: To remediate this rule, the product would have to walk the entire file system to identify any files, which could be an extremely expensive operation for systems using shared file systems such as nfs.
Rocky 9 (28/297 [9%])
- oval:simp.cis.2.0.0.Rocky9.1.1.1.9_Ensure_unused_filesystems_kernel_modules_are_not_available:def:1
- Title: Ensure unused filesystems kernel modules are not available
- NOTE: The product cannot decide which filesystem kernel modules are not needed.
- oval:simp.cis.2.0.0.Rocky9.1.1.2.2.1_Ensure_devshm_is_a_separate_partition:def:1
- Title: Ensure /dev/shm is a separate partition
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.Rocky9.1.1.2.3.1_Ensure_separate_partition_exists_for_home:def:1
- Title: Ensure separate partition exists for /home
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.Rocky9.1.1.2.4.1_Ensure_separate_partition_exists_for_var:def:1
- Title: Ensure separate partition exists for /var
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.Rocky9.1.1.2.5.1_Ensure_separate_partition_exists_for_vartmp:def:1
- Title: Ensure separate partition exists for /var/tmp
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.Rocky9.1.1.2.6.1_Ensure_separate_partition_exists_for_varlog:def:1
- Title: Ensure separate partition exists for /var/log
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.Rocky9.1.1.2.7.1_Ensure_separate_partition_exists_for_varlogaudit:def:1
- Title: Ensure separate partition exists for /var/log/audit
- NOTE: There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.Rocky9.1.2.1.1_Ensure_GPG_keys_are_configured:def:1
- Title: Ensure GPG keys are configured
- NOTE: The rule states that GPG keys should be configured based on site policy. The product cannot make assumptions about the user's site policy in regard to GPG key settings.
- oval:simp.cis.2.0.0.Rocky9.1.2.1.4_Ensure_package_manager_repositories_are_configured:def:1
- Title: Ensure package manager repositories are configured
- NOTE: This is site-specific and cannot be managed by the product.
- oval:simp.cis.2.0.0.Rocky9.1.3.1.6_Ensure_no_unconfined_services_exist:def:1
- Title: Ensure no unconfined services exist
- NOTE: We have no viable method of remediation.
- oval:simp.cis.2.0.0.Rocky9.1.6.3_Ensure_system_wide_crypto_policy_disables_sha1_hash_and_signature_support:def:1
- Title: Ensure system wide crypto policy disables sha1 hash and signature support
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.2.0.0.Rocky9.1.6.4_Ensure_system_wide_crypto_policy_disables_macs_less_than_128_bits:def:1
- Title: Ensure system wide crypto policy disables macs less than 128 bits
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.2.0.0.Rocky9.1.6.5_Ensure_system_wide_crypto_policy_disables_cbc_for_ssh:def:1
- Title: Ensure system wide crypto policy disables cbc for ssh
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.2.0.0.Rocky9.1.6.6_Ensure_system_wide_crypto_policy_disables_chacha20-poly1305_for_ssh:def:1
- Title: Ensure system wide crypto policy disables chacha20-poly1305 for ssh
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.2.0.0.Rocky9.1.6.7_Ensure_system_wide_crypto_policy_disables_EtM_for_ssh:def:1
- Title: Ensure system wide crypto policy disables EtM for ssh
- NOTE: The module the product uses to control crypto policy currently has no support for submodules. This may be implemented in a future release.
- oval:simp.cis.2.0.0.Rocky9.5.2.4_Ensure_users_must_provide_password_for_escalation:def:1
- Title: Ensure users must provide password for escalation
- NOTE: Users had to make a conscious decision to set “NOPASSWD” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- oval:simp.cis.2.0.0.Rocky9.5.2.5_Ensure_re-authentication_for_privilege_escalation_is_not_disabled_globally:def:1
- Title: Ensure re-authentication for privilege escalation is not disabled globally
- NOTE: Users had to make a conscious decision to set “!authenticate” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- oval:simp.cis.2.0.0.Rocky9.5.4.2.4_Ensure_root_account_access_is_controlled:def:1
- Title: Ensure root account access is controlled
- NOTE: The product cannot determine what the password for root should be for any given system. The admin of the system will need to ensure this password is set according to their organization’s policies. This can also be set via hieradata.
- oval:simp.cis.2.0.0.Rocky9.6.2.1.2_Ensure_journald_log_file_access_is_configured:def:1
- Title: Ensure journald log file access is configured
- NOTE: This is site-specific and cannot be managed by the product.
- oval:simp.cis.2.0.0.Rocky9.6.2.1.3_Ensure_journald_log_file_rotation_is_configured:def:1
- Title: Ensure journald log file rotation is configured
- NOTE: This is site-specific and cannot be managed by the product without the appropriate hieradata. An example of the hieradata that would be required follows:
    systemd::journald_settings::SystemMaxUse: '4G'
    systemd::journald_settings::SystemKeepFree: '10G'
    systemd::journald_settings::RuntimeMaxUse: '4G'
    systemd::journald_settings::RuntimeKeepFree: '15G'
    systemd::journald_settings::MaxFileSec: '1week'
- oval:simp.cis.2.0.0.Rocky9.6.2.1.4_Ensure_only_one_logging_system_is_in_use:def:1
- Title: Ensure only one logging system is in use
- NOTE: This is site-specific and cannot be managed by the product.
- oval:simp.cis.2.0.0.Rocky9.6.2.3.3_Ensure_journald_is_configured_to_send_logs_to_rsyslog:def:1
- Title: Ensure journald is configured to send logs to rsyslog
- NOTE: The benchmark contains two directly conflicting recommendations: one requires journald to forward logs to rsyslog and another requires that it not. Because both cannot be satisfied at once, the product enforces the one that does not depend on the existence and configuration of an rsyslog server, which is highly site-specific.
- oval:simp.cis.2.0.0.Rocky9.6.2.3.6_Ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host:def:1
- Title: Ensure rsyslog is configured to send logs to a remote log host
- NOTE: Sending logs to a remote server is system-specific. Users can specify these settings via hieradata; however, the product cannot make this determination for its users.
- oval:simp.cis.2.0.0.Rocky9.6.2.3.8_Ensure_rsyslog_logrotate_is_configured:def:1
- Title: Ensure rsyslog logrotate is configured
- NOTE: This is site-specific and cannot be managed by the product, though rsyslog and syslog log files are rotated by logrotate.
- oval:simp.cis.2.0.0.Rocky9.6.2.4.1_Ensure_access_to_all_logfiles_has_been_configured:def:1
- Title: Ensure access to all logfiles has been configured
- NOTE: The permissions for /var/log are configured and set elsewhere. The product does not have the ability to run the expected remediation script.
- oval:simp.cis.2.0.0.Rocky9.7.1.11_Ensure_world_writable_files_and_directories_are_secured:def:1
- Title: Ensure world writable files and directories are secured
- NOTE: To remediate this rule, the product would have to walk the entire file system to identify any files, which could be an extremely expensive operation for systems using shared file systems such as nfs.
- oval:simp.cis.2.0.0.Rocky9.7.1.12_Ensure_no_files_or_directories_without_an_owner_and_a_group_exist:def:1
- Title: Ensure no files or directories without an owner and a group exist
- NOTE: To remediate this rule, the product would have to walk the entire file system to identify any files, which could be an extremely expensive operation for systems using shared file systems such as nfs.
- oval:simp.cis.2.0.0.Rocky9.7.1.13_Ensure_SUID_and_SGID_files_are_reviewed:def:1
- Title: Ensure SUID and SGID files are reviewed
- NOTE: To remediate this rule, the product would have to walk the entire file system to identify any files, which could be an extremely expensive operation for systems using shared file systems such as nfs.
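Several of the unmapped recommendations above are left to the administrator for the same two reasons: the file-system walks (world-writable, unowned/ungrouped and SUID/SGID files) are too expensive to run blindly over NFS, and the sudoers and root-password checks depend on decisions the product will not reverse automatically. The helpers below are an added example written for this page; they are not part of Sicura, SIMP or the CIS benchmark content. They confine every walk to local mounts (GNU df --local plus find -xdev, so network filesystems are never traversed) and take the sudoers file and shadow line to inspect as arguments, so they can be run against copies or constructed samples. Recommendation numbers in the comments use the EL9 numbering (the EL8 numbers differ, for example 6.1.11 instead of 7.1.11).

```shell
#!/bin/sh
# Added example (not Sicura/SIMP code): audit helpers for the site-specific
# CIS recommendations the product does not enforce. Walks are restricted to
# local filesystems so NFS/CIFS mounts are skipped.

# Local mount points only: df --local (GNU coreutils) drops nfs, cifs and
# other network filesystems.
local_mounts() {
  df --local --output=target 2>/dev/null | tail -n +2
}

# 7.1.11: world-writable files, plus world-writable directories that lack the
# sticky bit (sticky directories such as /tmp are permitted). -xdev keeps find
# on the filesystem it started in, so submounts are never crossed.
world_writable() {
  [ $# -eq 0 ] && set -- $(local_mounts)
  find "$@" -xdev -perm -0002 \( -type f -o \( -type d ! -perm -1000 \) \) 2>/dev/null
}

# 7.1.12: files and directories whose uid or gid maps to no account.
unowned_or_ungrouped() {
  [ $# -eq 0 ] && set -- $(local_mounts)
  find "$@" -xdev \( -nouser -o -nogroup \) 2>/dev/null
}

# 7.1.13: SUID/SGID executables for manual review. Compare the list against
# what the packages shipped (rpm -V) before clearing any bit.
suid_sgid() {
  [ $# -eq 0 ] && set -- $(local_mounts)
  find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# 5.2.4 / 5.2.5: active (non-comment) sudoers lines that waive the password
# (NOPASSWD) or re-authentication (!authenticate). Pass the sudoers file(s),
# e.g. /etc/sudoers /etc/sudoers.d/*; the output is file:line:text.
sudo_escalation_findings() {
  grep -HEn '^[^#]*(NOPASSWD|!authenticate)' "$@" 2>/dev/null
}

# 5.4.2.4: classify root's password field from a shadow(5) line.
# Prints "set", "locked" (field starts with ! or *) or "empty".
root_password_state() {
  pw=$(printf '%s\n' "$1" | awk -F: '$1=="root"{print $2}')
  case "$pw" in
    '')        echo empty ;;
    '!'*|'*'*) echo locked ;;
    *)         echo set ;;
  esac
}
```

Calling a walk function with no arguments audits every local mount; pass explicit roots to scope a run (the unquoted substitution would split a mount point containing whitespace, so pass such paths explicitly). Feed the sudoers check the real files only after confirming the findings are ones you intend to remove, since the product deliberately leaves NOPASSWD and !authenticate entries in place for the same reason.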
Mapped
The following controls are mapped:
AlmaLinux 8 (266/287 [92%])
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.1.1_Ensure_cramfs_kernel_module_is_not_available:def:1
- Title: Ensure cramfs kernel module is not available
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.1.2_Ensure_freevxfs_kernel_module_is_not_available:def:1
- Title: Ensure freevxfs kernel module is not available
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.1.3_Ensure_hfs_kernel_module_is_not_available:def:1
- Title: Ensure hfs kernel module is not available
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.1.4_Ensure_hfsplus_kernel_module_is_not_available:def:1
- Title: Ensure hfsplus kernel module is not available
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.1.5_Ensure_jffs2_kernel_module_is_not_available:def:1
- Title: Ensure jffs2 kernel module is not available
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.1.6_Ensure_squashfs_kernel_module_is_not_available:def:1
- Title: Ensure squashfs kernel module is not available
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.1.7_Ensure_udf_kernel_module_is_not_available:def:1
- Title: Ensure udf kernel module is not available
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.1.8_Ensure_usb-storage_kernel_module_is_not_available:def:1
- Title: Ensure usb-storage kernel module is not available
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.1.1_Ensure_tmp_is_a_separate_partition:def:1
- Title: Ensure /tmp is a separate partition
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.1.2_Ensure_nodev_option_set_on_tmp_partition:def:1
- Title: Ensure nodev option set on /tmp partition
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.1.3_Ensure_nosuid_option_set_on_tmp_partition:def:1
- Title: Ensure nosuid option set on /tmp partition
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.1.4_Ensure_noexec_option_set_on_tmp_partition:def:1
- Title: Ensure noexec option set on /tmp partition
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.2.2_Ensure_nodev_option_set_on_devshm_partition:def:1
- Title: Ensure nodev option set on /dev/shm partition
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.2.3_Ensure_nosuid_option_set_on_devshm_partition:def:1
- Title: Ensure nosuid option set on /dev/shm partition
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.2.4_Ensure_noexec_option_set_on_devshm_partition:def:1
- Title: Ensure noexec option set on /dev/shm partition
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.3.2_Ensure_nodev_option_set_on_home_partition:def:1
- Title: Ensure nodev option set on /home partition
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.3.3_Ensure_nosuid_option_set_on_home_partition:def:1
- Title: Ensure nosuid option set on /home partition
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.4.2_Ensure_nodev_option_set_on_var_partition:def:1
- Title: Ensure nodev option set on /var partition
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.4.3_Ensure_nosuid_option_set_on_var_partition:def:1
- Title: Ensure nosuid option set on /var partition
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.5.2_Ensure_nodev_option_set_on_vartmp_partition:def:1
- Title: Ensure nodev option set on /var/tmp partition
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.5.3_Ensure_nosuid_option_set_on_vartmp_partition:def:1
- Title: Ensure nosuid option set on /var/tmp partition
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.5.4_Ensure_noexec_option_set_on_vartmp_partition:def:1
- Title: Ensure noexec option set on /var/tmp partition
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.6.2_Ensure_nodev_option_set_on_varlog_partition:def:1
- Title: Ensure nodev option set on /var/log partition
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.6.3_Ensure_nosuid_option_set_on_varlog_partition:def:1
- Title: Ensure nosuid option set on /var/log partition
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.6.4_Ensure_noexec_option_set_on_varlog_partition:def:1
- Title: Ensure noexec option set on /var/log partition
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.7.2_Ensure_nodev_option_set_on_varlogaudit_partition:def:1
- Title: Ensure nodev option set on /var/log/audit partition
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.7.3_Ensure_nosuid_option_set_on_varlogaudit_partition:def:1
- Title: Ensure nosuid option set on /var/log/audit partition
- oval:simp.cis.3.0.0.AlmaLinux8.1.1.2.7.4_Ensure_noexec_option_set_on_varlogaudit_partition:def:1
- Title: Ensure noexec option set on /var/log/audit partition
- oval:simp.cis.3.0.0.AlmaLinux8.1.2.2_Ensure_gpgcheck_is_globally_activated:def:1
- Title: Ensure gpgcheck is globally activated
- NOTE: Some organizations will need gpgcheck turned off for some of their internal repos. The best the product can do in this scenario is to enable gpgcheck in /etc/yum.conf and rely on the customers to control the gpg settings of their individual repos.
- oval:simp.cis.3.0.0.AlmaLinux8.1.2.3_Ensure_repo_gpgcheck_is_globally_activated:def:1
- Title: Ensure repo_gpgcheck is globally activated
- oval:simp.cis.3.0.0.AlmaLinux8.1.2.5_Ensure_updates_patches_and_additional_security_software_are_installed:def:1
- Title: Ensure updates, patches, and additional security software are installed
- oval:simp.cis.3.0.0.AlmaLinux8.1.3.1_Ensure_bootloader_password_is_set:def:1
- Title: Ensure bootloader password is set
- NOTE: The rule checks specifically for ‘GRUB2_PASSWORD=’ in /boot/grub2/user.cfg, however, the product sets the grub password via /boot/grub2/grub.cfg with the password_pbkdf2 parameter.
- oval:simp.cis.3.0.0.AlmaLinux8.1.3.2_Ensure_permissions_on_bootloader_config_are_configured:def:1
- Title: Ensure permissions on bootloader config are configured
- NOTE: The product does not utilize /boot/grub2/user.cfg, however, the rule will check for its existence and fail.
- oval:simp.cis.3.0.0.AlmaLinux8.1.4.1_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1
- Title: Ensure address space layout randomization (ASLR) is enabled
- oval:simp.cis.3.0.0.AlmaLinux8.1.4.2_Ensure_ptrace_scope_is_restricted:def:1
- Title: Ensure ptrace_scope is restricted
- oval:simp.cis.3.0.0.AlmaLinux8.1.4.3_Ensure_core_dump_backtraces_are_disabled:def:1
- Title: Ensure core dump backtraces are disabled
- oval:simp.cis.3.0.0.AlmaLinux8.1.4.4_Ensure_core_dump_storage_is_disabled:def:1
- Title: Ensure core dump storage is disabled
- oval:simp.cis.3.0.0.AlmaLinux8.1.5.1.1_Ensure_SELinux_is_installed:def:1
- Title: Ensure SELinux is installed
- oval:simp.cis.3.0.0.AlmaLinux8.1.5.1.2_Ensure_SELinux_is_not_disabled_in_bootloader_configuration:def:1
- Title: Ensure SELinux is not disabled in bootloader configuration
- oval:simp.cis.3.0.0.AlmaLinux8.1.5.1.3_Ensure_SELinux_policy_is_configured:def:1
- Title: Ensure SELinux policy is configured
- oval:simp.cis.3.0.0.AlmaLinux8.1.5.1.4_Ensure_the_SELinux_mode_is_not_disabled:def:1
- Title: Ensure the SELinux mode is not disabled
- oval:simp.cis.3.0.0.AlmaLinux8.1.5.1.5_Ensure_the_SELinux_mode_is_enforcing:def:1
- Title: Ensure the SELinux mode is enforcing
- oval:simp.cis.3.0.0.AlmaLinux8.1.5.1.7_Ensure_the_MCS_Translation_Service_mcstrans_is_not_installed:def:1
- Title: Ensure the MCS Translation Service (mcstrans) is not installed
- NOTE: The mcstrans package is not installed, however, the scanner is still flagging this rpm as being on the system.
- oval:simp.cis.3.0.0.AlmaLinux8.1.5.1.8_Ensure_SETroubleshoot_is_not_installed:def:1
- Title: Ensure SETroubleshoot is not installed
- oval:simp.cis.3.0.0.AlmaLinux8.1.6.1_Ensure_system_wide_crypto_policy_is_not_set_to_legacy:def:1
- Title: Ensure system wide crypto policy is not set to legacy
- oval:simp.cis.3.0.0.AlmaLinux8.1.7.1_Ensure_message_of_the_day_is_configured_properly:def:1
- Title: Ensure message of the day is configured properly
- oval:simp.cis.3.0.0.AlmaLinux8.1.7.2_Ensure_local_login_warning_banner_is_configured_properly:def:1
- Title: Ensure local login warning banner is configured properly
- oval:simp.cis.3.0.0.AlmaLinux8.1.7.3_Ensure_remote_login_warning_banner_is_configured_properly:def:1
- Title: Ensure remote login warning banner is configured properly
- oval:simp.cis.3.0.0.AlmaLinux8.1.7.4_Ensure_access_to_etcmotd_is_configured:def:1
- Title: Ensure access to /etc/motd is configured
- oval:simp.cis.3.0.0.AlmaLinux8.1.7.5_Ensure_access_to_etcissue_is_configured:def:1
- Title: Ensure access to /etc/issue is configured
- oval:simp.cis.3.0.0.AlmaLinux8.1.7.6_Ensure_access_to_etcissue.net_is_configured:def:1
- Title: Ensure access to /etc/issue.net is configured
- oval:simp.cis.3.0.0.AlmaLinux8.1.8.10_Ensure_XDMCP_is_not_enabled:def:1
- Title: Ensure XDMCP is not enabled
- oval:simp.cis.3.0.0.AlmaLinux8.1.8.1_Ensure_GNOME_Display_Manager_is_removed:def:1
- Title: Ensure GNOME Display Manager is removed
- oval:simp.cis.3.0.0.AlmaLinux8.1.8.2_Ensure_GDM_login_banner_is_configured:def:1
- Title: Ensure GDM login banner is configured
- oval:simp.cis.3.0.0.AlmaLinux8.1.8.3_Ensure_GDM_disable-user-list_option_is_enabled:def:1
- Title: Ensure GDM disable-user-list option is enabled
- oval:simp.cis.3.0.0.AlmaLinux8.1.8.4_Ensure_GDM_screen_locks_when_the_user_is_idle:def:1
- Title: Ensure GDM screen locks when the user is idle
- oval:simp.cis.3.0.0.AlmaLinux8.1.8.5_Ensure_GDM_screen_locks_cannot_be_overridden:def:1
- Title: Ensure GDM screen locks cannot be overridden
- oval:simp.cis.3.0.0.AlmaLinux8.1.8.6_Ensure_GDM_automatic_mounting_of_removable_media_is_disabled:def:1
- Title: Ensure GDM automatic mounting of removable media is disabled
- NOTE: This will remediate the rule as requested, however, the check will still fail because spacing is not aligned as expected in the rule.
- oval:simp.cis.3.0.0.AlmaLinux8.1.8.7_Ensure_GDM_disabling_automatic_mounting_of_removable_media_is_not_overridden:def:1
- Title: Ensure GDM disabling automatic mounting of removable media is not overridden
- oval:simp.cis.3.0.0.AlmaLinux8.1.8.8_Ensure_GDM_autorun-never_is_enabled:def:1
- Title: Ensure GDM autorun-never is enabled
- oval:simp.cis.3.0.0.AlmaLinux8.1.8.9_Ensure_GDM_autorun-never_is_not_overridden:def:1
- Title: Ensure GDM autorun-never is not overridden
- oval:simp.cis.3.0.0.AlmaLinux8.2.1.1_Ensure_time_synchronization_is_in_use:def:1
- Title: Ensure time synchronization is in use
- NOTE: We are configuring the system to use ntpd instead of chrony.
- oval:simp.cis.3.0.0.AlmaLinux8.2.1.2_Ensure_chrony_is_configured:def:1
- Title: Ensure chrony is configured
- NOTE: We are configuring the system to use ntpd instead of chrony.
- oval:simp.cis.3.0.0.AlmaLinux8.2.1.3_Ensure_chrony_is_not_run_as_the_root_user:def:1
- Title: Ensure chrony is not run as the root user
- oval:simp.cis.3.0.0.AlmaLinux8.2.2.10_Ensure_nis_server_services_are_not_in_use:def:1
- Title: Ensure nis server services are not in use
- oval:simp.cis.3.0.0.AlmaLinux8.2.2.11_Ensure_print_server_services_are_not_in_use:def:1
- Title: Ensure print server services are not in use
- oval:simp.cis.3.0.0.AlmaLinux8.2.2.12_Ensure_rpcbind_services_are_not_in_use:def:1
- Title: Ensure rpcbind services are not in use
- oval:simp.cis.3.0.0.AlmaLinux8.2.2.13_Ensure_rsync_services_are_not_in_use:def:1
- Title: Ensure rsync services are not in use
- oval:simp.cis.3.0.0.AlmaLinux8.2.2.14_Ensure_snmp_services_are_not_in_use:def:1
- Title: Ensure snmp services are not in use
- oval:simp.cis.3.0.0.AlmaLinux8.2.2.15_Ensure_telnet_server_services_are_not_in_use:def:1
- Title: Ensure telnet server services are not in use
- oval:simp.cis.3.0.0.AlmaLinux8.2.2.16_Ensure_tftp_server_services_are_not_in_use:def:1
- Title: Ensure tftp server services are not in use
- oval:simp.cis.3.0.0.AlmaLinux8.2.2.17_Ensure_web_proxy_server_services_are_not_in_use:def:1
- Title: Ensure web proxy server services are not in use
- oval:simp.cis.3.0.0.AlmaLinux8.2.2.18_Ensure_web_server_services_are_not_in_use:def:1
- Title: Ensure web server services are not in use
- oval:simp.cis.3.0.0.AlmaLinux8.2.2.19_Ensure_xinetd_services_are_not_in_use:def:1
- Title: Ensure xinetd services are not in use
- oval:simp.cis.3.0.0.AlmaLinux8.2.2.1_Ensure_autofs_services_are_not_in_use:def:1
- Title: Ensure autofs services are not in use
- oval:simp.cis.3.0.0.AlmaLinux8.2.2.20_Ensure_X_window_server_services_are_not_in_use:def:1
- Title: Ensure X window server services are not in use
- oval:simp.cis.3.0.0.AlmaLinux8.2.2.21_Ensure_mail_transfer_agents_are_configured_for_local-only_mode:def:1
- Title: Ensure mail transfer agents are configured for local-only mode
- oval:simp.cis.3.0.0.AlmaLinux8.2.2.22_Ensure_only_approved_services_are_listening_on_a_network_interface:def:1
- Title: Ensure only approved services are listening on a network interface
- oval:simp.cis.3.0.0.AlmaLinux8.2.2.2_Ensure_avahi_daemon_services_are_not_in_use:def:1
- Title: Ensure avahi daemon services are not in use
- oval:simp.cis.3.0.0.AlmaLinux8.2.2.3_Ensure_dhcp_server_services_are_not_in_use:def:1
- Title: Ensure dhcp server services are not in use
- oval:simp.cis.3.0.0.AlmaLinux8.2.2.4_Ensure_dns_server_services_are_not_in_use:def:1
- Title: Ensure dns server services are not in use
- oval:simp.cis.3.0.0.AlmaLinux8.2.2.5_Ensure_dnsmasq_services_are_not_in_use:def:1
- Title: Ensure dnsmasq services are not in use
- oval:simp.cis.3.0.0.AlmaLinux8.2.2.6_Ensure_samba_file_server_services_are_not_in_use:def:1
- Title: Ensure samba file server services are not in use
- oval:simp.cis.3.0.0.AlmaLinux8.2.2.7_Ensure_ftp_server_services_are_not_in_use:def:1
- Title: Ensure ftp server services are not in use
- oval:simp.cis.3.0.0.AlmaLinux8.2.2.8_Ensure_message_access_server_services_are_not_in_use:def:1
- Title: Ensure message access server services are not in use
- oval:simp.cis.3.0.0.AlmaLinux8.2.2.9_Ensure_network_file_system_services_are_not_in_use:def:1
- Title: Ensure network file system services are not in use
- oval:simp.cis.3.0.0.AlmaLinux8.2.3.1_Ensure_ftp_client_is_not_installed:def:1
- Title: Ensure ftp client is not installed
- oval:simp.cis.3.0.0.AlmaLinux8.2.3.2_Ensure_ldap_client_is_not_installed:def:1
- Title: Ensure ldap client is not installed
- oval:simp.cis.3.0.0.AlmaLinux8.2.3.3_Ensure_nis_client_is_not_installed:def:1
- Title: Ensure nis client is not installed
- oval:simp.cis.3.0.0.AlmaLinux8.2.3.4_Ensure_telnet_client_is_not_installed:def:1
- Title: Ensure telnet client is not installed
- oval:simp.cis.3.0.0.AlmaLinux8.2.3.5_Ensure_tftp_client_is_not_installed:def:1
- Title: Ensure tftp client is not installed
- oval:simp.cis.3.0.0.AlmaLinux8.3.1.1_Ensure_IPv6_status_is_identified:def:1
- Title: Ensure IPv6 status is identified
- NOTE: This rule is more of a system audit than hard guidance. If IPv6 is actually enabled, some additional configuration is required, which the product takes care of by default.
- oval:simp.cis.3.0.0.AlmaLinux8.3.1.2_Ensure_wireless_interfaces_are_disabled:def:1
- Title: Ensure wireless interfaces are disabled
- oval:simp.cis.3.0.0.AlmaLinux8.3.1.3_Ensure_bluetooth_services_are_not_in_use:def:1
- Title: Ensure bluetooth services are not in use
- oval:simp.cis.3.0.0.AlmaLinux8.3.2.1_Ensure_dccp_kernel_module_is_not_available:def:1
- Title: Ensure dccp kernel module is not available
- oval:simp.cis.3.0.0.AlmaLinux8.3.2.2_Ensure_tipc_kernel_module_is_not_available:def:1
- Title: Ensure tipc kernel module is not available
- oval:simp.cis.3.0.0.AlmaLinux8.3.2.3_Ensure_rds_kernel_module_is_not_available:def:1
- Title: Ensure rds kernel module is not available
- oval:simp.cis.3.0.0.AlmaLinux8.3.2.4_Ensure_sctp_kernel_module_is_not_available:def:1
- Title: Ensure sctp kernel module is not available
- oval:simp.cis.3.0.0.AlmaLinux8.3.3.10_Ensure_tcp_syn_cookies_is_enabled:def:1
- Title: Ensure tcp syn cookies is enabled
- oval:simp.cis.3.0.0.AlmaLinux8.3.3.11_Ensure_ipv6_router_advertisements_are_not_accepted:def:1
- Title: Ensure ipv6 router advertisements are not accepted
- oval:simp.cis.3.0.0.AlmaLinux8.3.3.1_Ensure_ip_forwarding_is_disabled:def:1
- Title: Ensure ip forwarding is disabled
- oval:simp.cis.3.0.0.AlmaLinux8.3.3.2_Ensure_packet_redirect_sending_is_disabled:def:1
- Title: Ensure packet redirect sending is disabled
- oval:simp.cis.3.0.0.AlmaLinux8.3.3.3_Ensure_bogus_icmp_responses_are_ignored:def:1
- Title: Ensure bogus icmp responses are ignored
- oval:simp.cis.3.0.0.AlmaLinux8.3.3.4_Ensure_broadcast_icmp_requests_are_ignored:def:1
- Title: Ensure broadcast icmp requests are ignored
- oval:simp.cis.3.0.0.AlmaLinux8.3.3.5_Ensure_icmp_redirects_are_not_accepted:def:1
- Title: Ensure icmp redirects are not accepted
- oval:simp.cis.3.0.0.AlmaLinux8.3.3.6_Ensure_secure_icmp_redirects_are_not_accepted:def:1
- Title: Ensure secure icmp redirects are not accepted
- oval:simp.cis.3.0.0.AlmaLinux8.3.3.7_Ensure_reverse_path_filtering_is_enabled:def:1
- Title: Ensure reverse path filtering is enabled
- NOTE: The correct values will be set in the running configuration, /etc/sysctl.d/99-sysctl.conf, and /usr/lib/sysctl.d/50-redhat.conf. However, /usr/lib/sysctl.d/50-default.conf will not be configured. If this isn’t changed manually, the check for the rule will fail even though this value will be ignored when the value is set in the running configuration and the other files listed.
- oval:simp.cis.3.0.0.AlmaLinux8.3.3.8_Ensure_source_routed_packets_are_not_accepted:def:1
- Title: Ensure source routed packets are not accepted
- oval:simp.cis.3.0.0.AlmaLinux8.3.3.9_Ensure_suspicious_packets_are_logged:def:1
- Title: Ensure suspicious packets are logged
- oval:simp.cis.3.0.0.AlmaLinux8.3.4.1.1_Ensure_nftables_is_installed:def:1
- Title: Ensure nftables is installed
- oval:simp.cis.3.0.0.AlmaLinux8.3.4.1.2_Ensure_a_single_firewall_configuration_utility_is_in_use:def:1
- Title: Ensure a single firewall configuration utility is in use
- oval:simp.cis.3.0.0.AlmaLinux8.3.4.2.1_Ensure_nftables_base_chains_exist:def:1
- Title: Ensure nftables base chains exist
- NOTE: Only applies when nftables is used as the firewall provider.
- oval:simp.cis.3.0.0.AlmaLinux8.3.4.2.2_Ensure_host_based_firewall_loopback_traffic_is_configured:def:1
- Title: Ensure host based firewall loopback traffic is configured
- NOTE: Only applies when nftables is used as the firewall provider.
- oval:simp.cis.3.0.0.AlmaLinux8.3.4.2.3_Ensure_firewalld_drops_unnecessary_services_and_ports:def:1
- Title: Ensure firewalld drops unnecessary services and ports
- oval:simp.cis.3.0.0.AlmaLinux8.3.4.2.4_Ensure_nftables_established_connections_are_configured:def:1
- Title: Ensure nftables established connections are configured
- NOTE: Only applies when iptables is used as the firewall provider.
- oval:simp.cis.3.0.0.AlmaLinux8.3.4.2.5_Ensure_nftables_default_deny_firewall_policy:def:1
- Title: Ensure nftables default deny firewall policy
- NOTE: Only applies when nftables is used as the firewall provider.
- oval:simp.cis.3.0.0.AlmaLinux8.4.1.1.1_Ensure_cron_daemon_is_enabled_and_active:def:1
- Title: Ensure cron daemon is enabled and active
- oval:simp.cis.3.0.0.AlmaLinux8.4.1.1.2_Ensure_permissions_on_etccrontab_are_configured:def:1
- Title: Ensure permissions on /etc/crontab are configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.1.1.3_Ensure_permissions_on_etccron.hourly_are_configured:def:1
- Title: Ensure permissions on /etc/cron.hourly are configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.1.1.4_Ensure_permissions_on_etccron.daily_are_configured:def:1
- Title: Ensure permissions on /etc/cron.daily are configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.1.1.5_Ensure_permissions_on_etccron.weekly_are_configured:def:1
- Title: Ensure permissions on /etc/cron.weekly are configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.1.1.6_Ensure_permissions_on_etccron.monthly_are_configured:def:1
- Title: Ensure permissions on /etc/cron.monthly are configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.1.1.7_Ensure_permissions_on_etccron.d_are_configured:def:1
- Title: Ensure permissions on /etc/cron.d are configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.1.1.8_Ensure_crontab_is_restricted_to_authorized_users:def:1
- Title: Ensure crontab is restricted to authorized users
- NOTE: Simply including the cron module is enough to restrict access via cron.allow; cron.deny will be removed if it exists.
- oval:simp.cis.3.0.0.AlmaLinux8.4.1.2.1_Ensure_at_is_restricted_to_authorized_users:def:1
- Title: Ensure at is restricted to authorized users
- NOTE: Simply including the at module is enough to restrict access via at.allow; at.deny will be removed if it exists.
- oval:simp.cis.3.0.0.AlmaLinux8.4.2.10_Ensure_sshd_IgnoreRhosts_is_enabled:def:1
- Title: Ensure sshd IgnoreRhosts is enabled
- oval:simp.cis.3.0.0.AlmaLinux8.4.2.11_Ensure_sshd_KexAlgorithms_is_configured:def:1
- Title: Ensure sshd KexAlgorithms is configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.2.12_Ensure_sshd_LoginGraceTime_is_configured:def:1
- Title: Ensure sshd LoginGraceTime is configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.2.13_Ensure_sshd_LogLevel_is_configured:def:1
- Title: Ensure sshd LogLevel is configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.2.14_Ensure_sshd_MACs_are_configured:def:1
- Title: Ensure sshd MACs are configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.2.15_Ensure_sshd_MaxAuthTries_is_configured:def:1
- Title: Ensure sshd MaxAuthTries is configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.2.16_Ensure_sshd_MaxSessions_is_configured:def:1
- Title: Ensure sshd MaxSessions is configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.2.17_Ensure_sshd_MaxStartups_is_configured:def:1
- Title: Ensure sshd MaxStartups is configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.2.18_Ensure_sshd_PermitEmptyPasswords_is_disabled:def:1
- Title: Ensure sshd PermitEmptyPasswords is disabled
- oval:simp.cis.3.0.0.AlmaLinux8.4.2.19_Ensure_sshd_PermitRootLogin_is_disabled:def:1
- Title: Ensure sshd PermitRootLogin is disabled
- oval:simp.cis.3.0.0.AlmaLinux8.4.2.1_Ensure_permissions_on_etcsshsshd_config_are_configured:def:1
- Title: Ensure permissions on /etc/ssh/sshd_config are configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.2.20_Ensure_sshd_PermitUserEnvironment_is_disabled:def:1
- Title: Ensure sshd PermitUserEnvironment is disabled
- oval:simp.cis.3.0.0.AlmaLinux8.4.2.21_Ensure_sshd_UsePAM_is_enabled:def:1
- Title: Ensure sshd UsePAM is enabled
- oval:simp.cis.3.0.0.AlmaLinux8.4.2.22_Ensure_sshd_crypto_policy_is_not_set:def:1
- Title: Ensure sshd crypto_policy is not set
- oval:simp.cis.3.0.0.AlmaLinux8.4.2.2_Ensure_permissions_on_SSH_private_host_key_files_are_configured:def:1
- Title: Ensure permissions on SSH private host key files are configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.2.3_Ensure_permissions_on_SSH_public_host_key_files_are_configured:def:1
- Title: Ensure permissions on SSH public host key files are configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.2.4_Ensure_sshd_access_is_configured:def:1
- Title: Ensure sshd access is configured
- NOTE: The product cannot make assumptions about which users/groups require ssh access to specific machines. The user will have to determine this and configure it accordingly using one or more of the following keys in hieradata:

```yaml
ssh::server::conf::allowusers:
  - user1
  - user2
ssh::server::conf::allowgroups:
  - group1
  - group2
ssh::server::conf::denyusers:
  - user3
ssh::server::conf::denygroups:
  - group3
```
- oval:simp.cis.3.0.0.AlmaLinux8.4.2.5_Ensure_sshd_Banner_is_configured:def:1
- Title: Ensure sshd Banner is configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.2.6_Ensure_sshd_Ciphers_are_configured:def:1
- Title: Ensure sshd Ciphers are configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.2.7_Ensure_sshd_ClientAliveInterval_and_ClientAliveCountMax_are_configured:def:1
- Title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.2.8_Ensure_sshd_DisableForwarding_is_enabled:def:1
- Title: Ensure sshd DisableForwarding is enabled
- oval:simp.cis.3.0.0.AlmaLinux8.4.2.9_Ensure_sshd_HostbasedAuthentication_is_disabled:def:1
- Title: Ensure sshd HostbasedAuthentication is disabled
- oval:simp.cis.3.0.0.AlmaLinux8.4.3.1_Ensure_sudo_is_installed:def:1
- Title: Ensure sudo is installed
- oval:simp.cis.3.0.0.AlmaLinux8.4.3.2_Ensure_sudo_commands_use_pty:def:1
- Title: Ensure sudo commands use pty
- oval:simp.cis.3.0.0.AlmaLinux8.4.3.3_Ensure_sudo_log_file_exists:def:1
- Title: Ensure sudo log file exists
- oval:simp.cis.3.0.0.AlmaLinux8.4.3.6_Ensure_sudo_authentication_timeout_is_configured_correctly:def:1
- Title: Ensure sudo authentication timeout is configured correctly
- oval:simp.cis.3.0.0.AlmaLinux8.4.3.7_Ensure_access_to_the_su_command_is_restricted:def:1
- Title: Ensure access to the su command is restricted
- oval:simp.cis.3.0.0.AlmaLinux8.4.4.1.1_Ensure_latest_version_of_pam_is_installed:def:1
- Title: Ensure latest version of pam is installed
- oval:simp.cis.3.0.0.AlmaLinux8.4.4.1.2_Ensure_latest_version_of_authselect_is_installed:def:1
- Title: Ensure latest version of authselect is installed
- oval:simp.cis.3.0.0.AlmaLinux8.4.4.2.1_Ensure_active_authselect_profile_includes_pam_modules:def:1
- Title: Ensure active authselect profile includes pam modules
- NOTE: Pam is in use, however, the regex used to test for this line existing isn’t picking up the format we’re using for the line including the module.
- oval:simp.cis.3.0.0.AlmaLinux8.4.4.2.2_Ensure_pam_faillock_module_is_enabled:def:1
- Title: Ensure pam_faillock module is enabled
- NOTE: The pam faillock module is in use, however, the regex used to test for this line existing isn’t picking up the format we’re using for the line including the module.
- oval:simp.cis.3.0.0.AlmaLinux8.4.4.2.3_Ensure_pam_pwquality_module_is_enabled:def:1
- Title: Ensure pam_pwquality module is enabled
- oval:simp.cis.3.0.0.AlmaLinux8.4.4.2.4_Ensure_pam_pwhistory_module_is_enabled:def:1
- Title: Ensure pam_pwhistory module is enabled
- oval:simp.cis.3.0.0.AlmaLinux8.4.4.2.5_Ensure_pam_unix_module_is_enabled:def:1
- Title: Ensure pam_unix module is enabled
- NOTE: The pam unix module is in use, however, the regex used to test for this line existing isn’t picking up the format we’re using for the line including the module.
- oval:simp.cis.3.0.0.AlmaLinux8.4.4.3.1.1_Ensure_password_failed_attempts_lockout_is_configured:def:1
- Title: Ensure password failed attempts lockout is configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.4.3.1.2_Ensure_password_unlock_time_is_configured:def:1
- Title: Ensure password unlock time is configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.4.3.1.3_Ensure_password_failed_attempts_lockout_includes_root_account:def:1
- Title: Ensure password failed attempts lockout includes root account
- oval:simp.cis.3.0.0.AlmaLinux8.4.4.3.2.1_Ensure_password_number_of_changed_characters_is_configured:def:1
- Title: Ensure password number of changed characters is configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.4.3.2.2_Ensure_password_length_is_configured:def:1
- Title: Ensure password length is configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.4.3.2.3_Ensure_password_complexity_is_configured:def:1
- Title: Ensure password complexity is configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.4.3.2.4_Ensure_password_same_consecutive_characters_is_configured:def:1
- Title: Ensure password same consecutive characters is configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.4.3.2.5_Ensure_password_maximum_sequential_characters_is_configured:def:1
- Title: Ensure password maximum sequential characters is configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.4.3.2.6_Ensure_password_dictionary_check_is_enabled:def:1
- Title: Ensure password dictionary check is enabled
- oval:simp.cis.3.0.0.AlmaLinux8.4.4.3.2.7_Ensure_password_quality_is_enforced_for_the_root_user:def:1
- Title: Ensure password quality is enforced for the root user
- NOTE: The password quality will be enforced for root on the ‘password requisite pam_pwquality.so’ lines of /etc/pam.d/system-auth and /etc/pam.d/password-auth. This check will fail because the assessor does not check in this location, it expects it to show up in /etc/security/pwquality.conf.
- oval:simp.cis.3.0.0.AlmaLinux8.4.4.3.3.1_Ensure_password_history_remember_is_configured:def:1
- Title: Ensure password history remember is configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.4.3.3.2_Ensure_password_history_is_enforced_for_the_root_user:def:1
- Title: Ensure password history is enforced for the root user
- oval:simp.cis.3.0.0.AlmaLinux8.4.4.3.3.3_Ensure_pam_pwhistory_includes_use_authtok:def:1
- Title: Ensure pam_pwhistory includes use_authtok
- oval:simp.cis.3.0.0.AlmaLinux8.4.4.3.4.1_Ensure_pam_unix_does_not_include_nullok:def:1
- Title: Ensure pam_unix does not include nullok
- oval:simp.cis.3.0.0.AlmaLinux8.4.4.3.4.2_Ensure_pam_unix_does_not_include_remember:def:1
- Title: Ensure pam_unix does not include remember
- oval:simp.cis.3.0.0.AlmaLinux8.4.4.3.4.3_Ensure_pam_unix_includes_a_strong_password_hashing_algorithm:def:1
- Title: Ensure pam_unix includes a strong password hashing algorithm
- oval:simp.cis.3.0.0.AlmaLinux8.4.4.3.4.4_Ensure_pam_unix_includes_use_authtok:def:1
- Title: Ensure pam_unix includes use_authtok
- oval:simp.cis.3.0.0.AlmaLinux8.4.5.1.1_Ensure_strong_password_hashing_algorithm_is_configured:def:1
- Title: Ensure strong password hashing algorithm is configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.5.1.2_Ensure_password_expiration_is_365_days_or_less:def:1
- Title: Ensure password expiration is 365 days or less
- NOTE: The product sets PASS_MAX_DAYS in /etc/login.defs, however, there is currently no mechanism to enforce the setting for existing users in /etc/shadow.
- oval:simp.cis.3.0.0.AlmaLinux8.4.5.1.3_Ensure_password_expiration_warning_days_is_7_or_more:def:1
- Title: Ensure password expiration warning days is 7 or more
- oval:simp.cis.3.0.0.AlmaLinux8.4.5.1.4_Ensure_inactive_password_lock_is_30_days_or_less:def:1
- Title: Ensure inactive password lock is 30 days or less
- NOTE: The system will be configured to make accounts inactive after 30 days of inactivity, however, the product has no mechanism to change this value on existing users.
- oval:simp.cis.3.0.0.AlmaLinux8.4.5.1.5_Ensure_all_users_last_password_change_date_is_in_the_past:def:1
- Title: Ensure all users last password change date is in the past
- oval:simp.cis.3.0.0.AlmaLinux8.4.5.2.1_Ensure_default_group_for_the_root_account_is_GID_0:def:1
- Title: Ensure default group for the root account is GID 0
- oval:simp.cis.3.0.0.AlmaLinux8.4.5.2.2_Ensure_root_user_umask_is_configured:def:1
- Title: Ensure root user umask is configured
- oval:simp.cis.3.0.0.AlmaLinux8.4.5.2.3_Ensure_system_accounts_are_secured:def:1
- Title: Ensure system accounts are secured
- oval:simp.cis.3.0.0.AlmaLinux8.4.5.3.1_Ensure_nologin_is_not_listed_in_etcshells:def:1
- Title: Ensure nologin is not listed in /etc/shells
- oval:simp.cis.3.0.0.AlmaLinux8.4.5.3.2_Ensure_default_user_shell_timeout_is_configured:def:1
- Title: Ensure default user shell timeout is configured
- NOTE: The scanner fails to pick up on the format the product uses for setting the timeout: ‘[ $TMOUT ] || export TMOUT=900’. The setting is also placed in a nonstandard location: /etc/profile.d/simp.sh.
- oval:simp.cis.3.0.0.AlmaLinux8.4.5.3.3_Ensure_default_user_umask_is_configured:def:1
- Title: Ensure default user umask is configured
- NOTE: Currently this is being properly set in several locations but is failing to remove an incorrect setting in /etc/bashrc.
- oval:simp.cis.3.0.0.AlmaLinux8.5.1.1.1_Ensure_rsyslog_is_installed:def:1
- Title: Ensure rsyslog is installed
- oval:simp.cis.3.0.0.AlmaLinux8.5.1.1.2_Ensure_rsyslog_service_is_enabled:def:1
- Title: Ensure rsyslog service is enabled
- oval:simp.cis.3.0.0.AlmaLinux8.5.1.1.4_Ensure_rsyslog_default_file_permissions_are_configured:def:1
- Title: Ensure rsyslog default file permissions are configured
- oval:simp.cis.3.0.0.AlmaLinux8.5.1.1.5_Ensure_logging_is_configured:def:1
- Title: Ensure logging is configured
- oval:simp.cis.3.0.0.AlmaLinux8.5.1.1.7_Ensure_rsyslog_is_not_configured_to_receive_logs_from_a_remote_client:def:1
- Title: Ensure rsyslog is not configured to receive logs from a remote client
- NOTE: Including the product’s rsyslog class will purge any rsyslog configuration not specified by the user in hieradata or by other rules that require specific rsyslog configuration.
- oval:simp.cis.3.0.0.AlmaLinux8.5.1.2.1.1_Ensure_systemd-journal-remote_is_installed:def:1
- Title: Ensure systemd-journal-remote is installed
- oval:simp.cis.3.0.0.AlmaLinux8.5.1.2.1.2_Ensure_systemd-journal-remote_is_configured:def:1
- Title: Ensure systemd-journal-remote is configured
- oval:simp.cis.3.0.0.AlmaLinux8.5.1.2.1.3_Ensure_systemd-journal-remote_is_enabled:def:1
- Title: Ensure systemd-journal-remote is enabled
- oval:simp.cis.3.0.0.AlmaLinux8.5.1.2.1.4_Ensure_journald_is_not_configured_to_receive_logs_from_a_remote_client:def:1
- Title: Ensure journald is not configured to receive logs from a remote client
- oval:simp.cis.3.0.0.AlmaLinux8.5.1.2.2_Ensure_journald_service_is_enabled:def:1
- Title: Ensure journald service is enabled
- NOTE: Simply including the journald class will include a default journald configuration and ensure the service is enabled.
- oval:simp.cis.3.0.0.AlmaLinux8.5.1.2.3_Ensure_journald_is_configured_to_compress_large_log_files:def:1
- Title: Ensure journald is configured to compress large log files
- oval:simp.cis.3.0.0.AlmaLinux8.5.1.2.4_Ensure_journald_is_configured_to_write_logfiles_to_persistent_disk:def:1
- Title: Ensure journald is configured to write logfiles to persistent disk
- oval:simp.cis.3.0.0.AlmaLinux8.5.1.2.5_Ensure_journald_is_not_configured_to_send_logs_to_rsyslog:def:1
- Title: Ensure journald is not configured to send logs to rsyslog
- oval:simp.cis.3.0.0.AlmaLinux8.5.1.3_Ensure_logrotate_is_configured:def:1
- Title: Ensure logrotate is configured
- oval:simp.cis.3.0.0.AlmaLinux8.5.1.4_Ensure_all_logfiles_have_appropriate_access_configured:def:1
- Title: Ensure all logfiles have appropriate access configured
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.1.1_Ensure_audit_is_installed:def:1
- Title: Ensure audit is installed
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.1.2_Ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled:def:1
- Title: Ensure auditing for processes that start prior to auditd is enabled
- NOTE: The product sets this value in /etc/default/grub; however, the scanner does not check that file for it.
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.1.3_Ensure_audit_backlog_limit_is_sufficient:def:1
- Title: Ensure audit_backlog_limit is sufficient
- NOTE: The product sets this value in /etc/default/grub; however, the scanner does not check that file for it.
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.1.4_Ensure_auditd_service_is_enabled:def:1
- Title: Ensure auditd service is enabled
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.2.1_Ensure_audit_log_storage_size_is_configured:def:1
- Title: Ensure audit log storage size is configured
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.2.2_Ensure_audit_logs_are_not_automatically_deleted:def:1
- Title: Ensure audit logs are not automatically deleted
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.2.3_Ensure_system_is_disabled_when_audit_logs_are_full:def:1
- Title: Ensure system is disabled when audit logs are full
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.2.4_Ensure_system_warns_when_audit_logs_are_low_on_space:def:1
- Title: Ensure system warns when audit logs are low on space
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.3.10_Ensure_successful_file_system_mounts_are_collected:def:1
- Title: Ensure successful file system mounts are collected
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.3.11_Ensure_session_initiation_information_is_collected:def:1
- Title: Ensure session initiation information is collected
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.3.12_Ensure_login_and_logout_events_are_collected:def:1
- Title: Ensure login and logout events are collected
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.3.13_Ensure_file_deletion_events_by_users_are_collected:def:1
- Title: Ensure file deletion events by users are collected
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.3.14_Ensure_events_that_modify_the_systems_Mandatory_Access_Controls_are_collected:def:1
- Title: Ensure events that modify the system’s Mandatory Access Controls are collected
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.3.15_Ensure_successful_and_unsuccessful_attempts_to_use_the_chcon_command_are_recorded:def:1
- Title: Ensure successful and unsuccessful attempts to use the chcon command are recorded
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.3.16_Ensure_successful_and_unsuccessful_attempts_to_use_the_setfacl_command_are_recorded:def:1
- Title: Ensure successful and unsuccessful attempts to use the setfacl command are recorded
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.3.17_Ensure_successful_and_unsuccessful_attempts_to_use_the_chacl_command_are_recorded:def:1
- Title: Ensure successful and unsuccessful attempts to use the chacl command are recorded
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.3.18_Ensure_successful_and_unsuccessful_attempts_to_use_the_usermod_command_are_recorded:def:1
- Title: Ensure successful and unsuccessful attempts to use the usermod command are recorded
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.3.19_Ensure_kernel_module_loading_unloading_and_modification_is_collected:def:1
- Title: Ensure kernel module loading unloading and modification is collected
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.3.1_Ensure_changes_to_system_administration_scope_sudoers_is_collected:def:1
- Title: Ensure changes to system administration scope (sudoers) is collected
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.3.20_Ensure_the_audit_configuration_is_immutable:def:1
- Title: Ensure the audit configuration is immutable
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.3.21_Ensure_the_running_and_on_disk_configuration_is_the_same:def:1
- Title: Ensure the running and on disk configuration is the same
- NOTE: Including the audit class forces the system to compare the expected rule set against what is on disk. If there are discrepancies, the rules are changed to the expected state and the service is restarted, which ensures the rules on disk are the same as the running rules.
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.3.2_Ensure_actions_as_another_user_are_always_logged:def:1
- Title: Ensure actions as another user are always logged
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.3.3_Ensure_events_that_modify_the_sudo_log_file_are_collected:def:1
- Title: Ensure events that modify the sudo log file are collected
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.3.4_Ensure_events_that_modify_date_and_time_information_are_collected:def:1
- Title: Ensure events that modify date and time information are collected
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.3.5_Ensure_events_that_modify_the_systems_network_environment_are_collected:def:1
- Title: Ensure events that modify the system’s network environment are collected
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.3.6_Ensure_use_of_privileged_commands_are_collected:def:1
- Title: Ensure use of privileged commands are collected
- NOTE: The available setuid/setgid commands on a given system could vary greatly. Several of the more common commands are audited, but there is currently no automated way to identify and audit all possible setuid/setgid commands available on any given system.
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.3.7_Ensure_unsuccessful_file_access_attempts_are_collected:def:1
- Title: Ensure unsuccessful file access attempts are collected
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.3.8_Ensure_events_that_modify_usergroup_information_are_collected:def:1
- Title: Ensure events that modify user/group information are collected
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.3.9_Ensure_discretionary_access_control_permission_modification_events_are_collected:def:1
- Title: Ensure discretionary access control permission modification events are collected
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.4.10_Ensure_audit_tools_belong_to_group_root:def:1
- Title: Ensure audit tools belong to group root
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide; however, the scanner only looks for files ending in .conf in the aide.conf.d directory, so the scan will fail.
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.4.1_Ensure_the_audit_log_directory_is_0750_or_more_restrictive:def:1
- Title: Ensure the audit log directory is 0750 or more restrictive
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.4.2_Ensure_audit_log_files_are_mode_0640_or_less_permissive:def:1
- Title: Ensure audit log files are mode 0640 or less permissive
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.4.3_Ensure_only_authorized_users_own_audit_log_files:def:1
- Title: Ensure only authorized users own audit log files
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.4.4_Ensure_only_authorized_groups_are_assigned_ownership_of_audit_log_files:def:1
- Title: Ensure only authorized groups are assigned ownership of audit log files
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.4.5_Ensure_audit_configuration_files_are_640_or_more_restrictive:def:1
- Title: Ensure audit configuration files are 640 or more restrictive
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.4.6_Ensure_audit_configuration_files_are_owned_by_root:def:1
- Title: Ensure audit configuration files are owned by root
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.4.7_Ensure_audit_configuration_files_belong_to_group_root:def:1
- Title: Ensure audit configuration files belong to group root
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.4.8_Ensure_audit_tools_are_755_or_more_restrictive:def:1
- Title: Ensure audit tools are 755 or more restrictive
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide; however, the scanner only looks for files ending in .conf in the aide.conf.d directory, so the scan will fail.
- oval:simp.cis.3.0.0.AlmaLinux8.5.2.4.9_Ensure_audit_tools_are_owned_by_root:def:1
- Title: Ensure audit tools are owned by root
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide; however, the scanner only looks for files ending in .conf in the aide.conf.d directory, so the scan will fail.
- oval:simp.cis.3.0.0.AlmaLinux8.5.3.1_Ensure_AIDE_is_installed:def:1
- Title: Ensure AIDE is installed
- oval:simp.cis.3.0.0.AlmaLinux8.5.3.2_Ensure_filesystem_integrity_is_regularly_checked:def:1
- Title: Ensure filesystem integrity is regularly checked
- oval:simp.cis.3.0.0.AlmaLinux8.5.3.3_Ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools:def:1
- Title: Ensure cryptographic mechanisms are used to protect the integrity of audit tools
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide; however, the scanner only looks for files ending in .conf in the aide.conf.d directory, so the scan will fail.
- oval:simp.cis.3.0.0.AlmaLinux8.6.1.10_Ensure_permissions_on_etcshells_are_configured:def:1
- Title: Ensure permissions on /etc/shells are configured
- oval:simp.cis.3.0.0.AlmaLinux8.6.1.14_Audit_system_file_permissions:def:1
- Title: Audit system file permissions
- oval:simp.cis.3.0.0.AlmaLinux8.6.1.1_Ensure_permissions_on_etcpasswd_are_configured:def:1
- Title: Ensure permissions on /etc/passwd are configured
- oval:simp.cis.3.0.0.AlmaLinux8.6.1.2_Ensure_permissions_on_etcpasswd-_are_configured:def:1
- Title: Ensure permissions on /etc/passwd- are configured
- oval:simp.cis.3.0.0.AlmaLinux8.6.1.3_Ensure_permissions_on_etcopasswd_are_configured:def:1
- Title: Ensure permissions on /etc/opasswd are configured
- oval:simp.cis.3.0.0.AlmaLinux8.6.1.4_Ensure_permissions_on_etcgroup_are_configured:def:1
- Title: Ensure permissions on /etc/group are configured
- oval:simp.cis.3.0.0.AlmaLinux8.6.1.5_Ensure_permissions_on_etcgroup-_are_configured:def:1
- Title: Ensure permissions on /etc/group- are configured
- oval:simp.cis.3.0.0.AlmaLinux8.6.1.6_Ensure_permissions_on_etcshadow_are_configured:def:1
- Title: Ensure permissions on /etc/shadow are configured
- oval:simp.cis.3.0.0.AlmaLinux8.6.1.7_Ensure_permissions_on_etcshadow-_are_configured:def:1
- Title: Ensure permissions on /etc/shadow- are configured
- oval:simp.cis.3.0.0.AlmaLinux8.6.1.8_Ensure_permissions_on_etcgshadow_are_configured:def:1
- Title: Ensure permissions on /etc/gshadow are configured
- oval:simp.cis.3.0.0.AlmaLinux8.6.1.9_Ensure_permissions_on_etcgshadow-_are_configured:def:1
- Title: Ensure permissions on /etc/gshadow- are configured
- oval:simp.cis.3.0.0.AlmaLinux8.6.2.10_Ensure_local_interactive_user_home_directories_are_configured:def:1
- Title: Ensure local interactive user home directories are configured
- oval:simp.cis.3.0.0.AlmaLinux8.6.2.11_Ensure_local_interactive_user_dot_files_access_is_configured:def:1
- Title: Ensure local interactive user dot files access is configured
- oval:simp.cis.3.0.0.AlmaLinux8.6.2.1_Ensure_accounts_in_etcpasswd_use_shadowed_passwords:def:1
- Title: Ensure accounts in /etc/passwd use shadowed passwords
- oval:simp.cis.3.0.0.AlmaLinux8.6.2.2_Ensure_etcshadow_password_fields_are_not_empty:def:1
- Title: Ensure /etc/shadow password fields are not empty
- oval:simp.cis.3.0.0.AlmaLinux8.6.2.3_Ensure_all_groups_in_etcpasswd_exist_in_etcgroup:def:1
- Title: Ensure all groups in /etc/passwd exist in /etc/group
- oval:simp.cis.3.0.0.AlmaLinux8.6.2.4_Ensure_no_duplicate_UIDs_exist:def:1
- Title: Ensure no duplicate UIDs exist
- oval:simp.cis.3.0.0.AlmaLinux8.6.2.5_Ensure_no_duplicate_GIDs_exist:def:1
- Title: Ensure no duplicate GIDs exist
- oval:simp.cis.3.0.0.AlmaLinux8.6.2.6_Ensure_no_duplicate_user_names_exist:def:1
- Title: Ensure no duplicate user names exist
- oval:simp.cis.3.0.0.AlmaLinux8.6.2.7_Ensure_no_duplicate_group_names_exist:def:1
- Title: Ensure no duplicate group names exist
- oval:simp.cis.3.0.0.AlmaLinux8.6.2.8_Ensure_root_path_integrity:def:1
- Title: Ensure root path integrity
- NOTE: This check can fail for various reasons, including common dotfile settings that add user-customized directories to the path which may not exist.
- oval:simp.cis.3.0.0.AlmaLinux8.6.2.9_Ensure_root_is_the_only_UID_0_account:def:1
- Title: Ensure root is the only UID 0 account
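The notes on 5.2.1.2 and 5.2.1.3 above say the scanner does not read /etc/default/grub. Whatever file the scanner consults, the authoritative view is the parameter set the running kernel booted with, /proc/cmdline, so that is the thing to check after regenerating the bootloader configuration and rebooting. The shell function below is an added example, not code from this page or from Sicura/SIMP: it takes a command line as an argument so it can be run offline, and applies a minimum of 8192 for audit_backlog_limit (the benchmark's value; pass a second argument if your profile differs). The sample command lines are constructed.

```shell
#!/bin/sh
# Added example, not Sicura/SIMP code: check a kernel command line for the two
# parameters required by 5.2.1.2 (audit=1) and 5.2.1.3 (audit_backlog_limit).
# On a live host the string to check is /proc/cmdline; the function takes the
# string as an argument so it can also be exercised offline.

# check_audit_cmdline "<cmdline>" [min_backlog]
# Prints one PASS/FAIL line per parameter; returns 0 only if audit=1 is present
# and audit_backlog_limit is a number >= min_backlog (default 8192).
check_audit_cmdline() {
    cmdline="$1"; min="${2:-8192}"
    audit=""; backlog=""; rc=0
    # Later occurrences of a parameter override earlier ones.
    for word in $cmdline; do
        case "$word" in
            audit=*)               audit="${word#audit=}" ;;
            audit_backlog_limit=*) backlog="${word#audit_backlog_limit=}" ;;
        esac
    done
    if [ "$audit" = "1" ]; then
        echo "PASS: audit=1"
    else
        echo "FAIL: audit=1 not set (found: ${audit:-nothing})"; rc=1
    fi
    case "$backlog" in
        ''|*[!0-9]*)
            echo "FAIL: audit_backlog_limit missing or not numeric (found: ${backlog:-nothing})"; rc=1 ;;
        *)
            if [ "$backlog" -ge "$min" ]; then
                echo "PASS: audit_backlog_limit=$backlog (>= $min)"
            else
                echo "FAIL: audit_backlog_limit=$backlog (< $min)"; rc=1
            fi ;;
    esac
    return $rc
}

# Constructed sample command lines, not captured from a real host.
GOOD_CMDLINE='BOOT_IMAGE=(hd0,gpt2)/vmlinuz-4.18.0 root=/dev/mapper/al-root ro audit=1 audit_backlog_limit=8192'
BAD_CMDLINE='BOOT_IMAGE=(hd0,gpt2)/vmlinuz-4.18.0 root=/dev/mapper/al-root ro audit=0 audit_backlog_limit=320'

# On a live host, check what the running kernel actually booted with.
if [ -r /proc/cmdline ]; then
    check_audit_cmdline "$(cat /proc/cmdline)" || true
fi
```

If the check fails on a host where /etc/default/grub already carries the parameters, the bootloader configuration has not been regenerated: on EL8/EL9 `grubby --update-kernel=ALL --args="audit=1 audit_backlog_limit=8192"` followed by a reboot is the usual route, after which the function should pass against /proc/cmdline.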
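The note on 5.2.3.6 above says there is no automated way to audit every setuid/setgid command on an arbitrary system. It can still be done per host: the benchmark's own remediation searches each local filesystem for setuid/setgid files and writes one rule per file. The shell function below is an added example, not the product's code and not taken from this page, that does that for a directory tree and prints the rules in the benchmark's format. The UID_MIN of 1000 and the key name "privileged" are assumptions taken from the usual EL defaults, and the demonstration tree is constructed.

```shell
#!/bin/sh
# Added example, not Sicura/SIMP code: enumerate setuid/setgid files under a
# directory tree and print one auditd rule per file in the form the benchmark
# uses for 5.2.3.6. UID_MIN (1000) and the key name are assumptions.

# privileged_cmd_rules <dir> [uid_min]
privileged_cmd_rules() {
    dir="$1"; uid_min="${2:-1000}"
    # -xdev stays on one filesystem, so run this once per local mount point;
    # LC_ALL=C sort makes the output stable enough to diff between runs.
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | LC_ALL=C sort \
        | while IFS= read -r path; do
            printf '%s\n' "-a always,exit -F path=$path -F perm=x -F auid>=$uid_min -F auid!=unset -k privileged"
          done
}

# Constructed demonstration tree: two privileged binaries and one ordinary file.
make_demo_tree() {
    demo="$(mktemp -d)"
    mkdir -p "$demo/usr/bin" "$demo/usr/sbin"
    : > "$demo/usr/bin/passwd";        chmod 4755 "$demo/usr/bin/passwd"
    : > "$demo/usr/sbin/unix_chkpwd";  chmod 2755 "$demo/usr/sbin/unix_chkpwd"
    : > "$demo/usr/bin/ls";            chmod 0755 "$demo/usr/bin/ls"
    printf '%s\n' "$demo"
}

# On a real host, as root, for each local partition (here the root filesystem):
#   privileged_cmd_rules / > /etc/audit/rules.d/50-privileged.rules && augenrules --load
```

Because the rule set is derived from the files actually present, it has to be regenerated after package updates that add or remove privileged binaries; keeping the output under version control and diffing it between runs makes such changes visible.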
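Four notes above (5.2.4.8, 5.2.4.9, 5.2.4.10 and 5.3.3) describe the same mismatch: the product writes its audit-tool selection lines to /etc/aide.conf.d/audit_config.aide while the scanner only reads *.conf files in that directory. The shell function below is an added example, not product code, that reports for each audit tool whether its selection line is in a scanner-visible *.conf file, only in some other file in the directory, or absent. The tool list and the selection-line syntax follow the benchmark's recommended lines and are an assumption; the demonstration directory is constructed.

```shell
#!/bin/sh
# Added example, not Sicura/SIMP code: for each audit tool, report whether an
# AIDE selection line for it exists in a *.conf file under the given directory
# (what the scanner reads), only in some other file there (the situation the
# notes on 5.2.4.8-5.2.4.10 and 5.3.3 describe), or nowhere.

# The tool list follows the benchmark's recommended selection lines (assumption).
AUDIT_TOOLS="/sbin/auditctl /sbin/auditd /sbin/ausearch /sbin/aureport /sbin/autrace /sbin/augenrules"

# aide_audit_tool_coverage <conf_dir>
# Prints "<tool> scanner-visible|hidden|missing"; returns 0 only if every tool
# has a selection line in a *.conf file.
aide_audit_tool_coverage() {
    conf_dir="$1"; rc=0
    for tool in $AUDIT_TOOLS; do
        if grep -qs "^$tool[[:space:]]" "$conf_dir"/*.conf; then
            echo "$tool scanner-visible"
        elif grep -qrs "^$tool[[:space:]]" "$conf_dir"; then
            echo "$tool hidden"; rc=1
        else
            echo "$tool missing"; rc=1
        fi
    done
    return $rc
}

# Constructed demonstration directory reproducing the layout the notes describe:
# five selection lines in a file the scanner ignores, one in a file it reads.
make_demo_aide_dir() {
    demo="$(mktemp -d)"
    printf '%s p+i+n+u+g+s+b+acl+xattrs+sha512\n' \
        /sbin/auditctl /sbin/auditd /sbin/ausearch /sbin/aureport /sbin/autrace \
        > "$demo/audit_config.aide"
    printf '%s p+i+n+u+g+s+b+acl+xattrs+sha512\n' /sbin/augenrules \
        > "$demo/99-audit-tools.conf"
    printf '%s\n' "$demo"
}

# On a real host:  aide_audit_tool_coverage /etc/aide.conf.d
```

Tools reported as "hidden" are the ones the product protects but the scanner cannot see. If the scan result matters, placing the same selection lines in a *.conf file in that directory satisfies the scanner without removing the product's file; run `aide --config-check` afterwards to confirm AIDE still parses the configuration.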
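The note on 6.2.8 above says the root PATH check can fail for reasons such as non-existent directories added by dotfiles. The shell function below is an added example, not the product's code, that performs the same checks as the rule but reports one finding per line, so the cause of a failure is visible: empty entries, ".", missing directories, a directory not owned by the expected UID, and group- or world-writable directories. GNU stat is assumed and ownership is compared by numeric UID (default 0, root). The demonstration PATH is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not Sicura/SIMP code: audit a PATH value as 6.2.8 does, but
# report every finding instead of only pass/fail so the cause is visible.
# Assumes GNU stat (-c). Ownership is compared by numeric UID.

# check_root_path "<path-string>" [expected_uid]
# Prints one line per problem; the return value is the number of problems.
check_root_path() {
    path="$1"; want_uid="${2:-0}"; problems=0
    case "$path" in
        :*|*::*|*:)
            echo "PATH has an empty entry (leading, trailing or double colon)"
            problems=$((problems + 1)) ;;
    esac
    old_ifs="$IFS"; IFS=':'
    for dir in $path; do
        IFS="$old_ifs"
        [ -n "$dir" ] || continue
        if [ "$dir" = "." ]; then
            echo "PATH contains ."; problems=$((problems + 1)); continue
        fi
        if [ ! -d "$dir" ]; then
            echo "$dir is not a directory"; problems=$((problems + 1)); continue
        fi
        uid="$(stat -c %u "$dir")"
        mode="$(stat -c %a "$dir")"
        mode="${mode#"${mode%???}"}"          # keep the last three octal digits
        grp="${mode%?}"; grp="${grp#?}"       # group digit
        oth="${mode#??}"                      # other digit
        if [ "$uid" != "$want_uid" ]; then
            echo "$dir is owned by uid $uid, not $want_uid"; problems=$((problems + 1))
        fi
        case "$grp" in 2|3|6|7) echo "$dir is group-writable"; problems=$((problems + 1)) ;; esac
        case "$oth" in 2|3|6|7) echo "$dir is world-writable"; problems=$((problems + 1)) ;; esac
    done
    IFS="$old_ifs"
    return $problems
}

# Constructed demonstration: a sane directory and a world-writable one under a
# temporary root; the caller adds a missing directory and "." to the PATH.
make_demo_path_dirs() {
    demo="$(mktemp -d)"
    mkdir -m 755 "$demo/sbin"
    mkdir -m 777 "$demo/shared"
    printf '%s\n' "$demo"
}

# On a real host, run as root:  check_root_path "$PATH"
```

A missing directory is the benign case the note describes and is fixed by removing the entry from root's profile; a "." entry or a writable directory is a real privilege-escalation path (any user who can write there can plant a binary that root will execute) and should be treated as a finding, not a scanner quirk.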
AlmaLinux 9 (269/297 [90%])
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.1.1_Ensure_cramfs_kernel_module_is_not_available:def:1
- Title: Ensure cramfs kernel module is not available
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.1.2_Ensure_freevxfs_kernel_module_is_not_available:def:1
- Title: Ensure freevxfs kernel module is not available
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.1.3_Ensure_hfs_kernel_module_is_not_available:def:1
- Title: Ensure hfs kernel module is not available
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.1.4_Ensure_hfsplus_kernel_module_is_not_available:def:1
- Title: Ensure hfsplus kernel module is not available
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.1.5_Ensure_jffs2_kernel_module_is_not_available:def:1
- Title: Ensure jffs2 kernel module is not available
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.1.6_Ensure_squashfs_kernel_module_is_not_available:def:1
- Title: Ensure squashfs kernel module is not available
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.1.7_Ensure_udf_kernel_module_is_not_available:def:1
- Title: Ensure udf kernel module is not available
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.1.8_Ensure_usb-storage_kernel_module_is_not_available:def:1
- Title: Ensure usb-storage kernel module is not available
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.1.1_Ensure_tmp_is_a_separate_partition:def:1
- Title: Ensure /tmp is a separate partition
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.1.2_Ensure_nodev_option_set_on_tmp_partition:def:1
- Title: Ensure nodev option set on /tmp partition
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.1.3_Ensure_nosuid_option_set_on_tmp_partition:def:1
- Title: Ensure nosuid option set on /tmp partition
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.1.4_Ensure_noexec_option_set_on_tmp_partition:def:1
- Title: Ensure noexec option set on /tmp partition
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.2.2_Ensure_nodev_option_set_on_devshm_partition:def:1
- Title: Ensure nodev option set on /dev/shm partition
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.2.3_Ensure_nosuid_option_set_on_devshm_partition:def:1
- Title: Ensure nosuid option set on /dev/shm partition
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.2.4_Ensure_noexec_option_set_on_devshm_partition:def:1
- Title: Ensure noexec option set on /dev/shm partition
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.3.2_Ensure_nodev_option_set_on_home_partition:def:1
- Title: Ensure nodev option set on /home partition
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.3.3_Ensure_nosuid_option_set_on_home_partition:def:1
- Title: Ensure nosuid option set on /home partition
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.4.2_Ensure_nodev_option_set_on_var_partition:def:1
- Title: Ensure nodev option set on /var partition
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.4.3_Ensure_nosuid_option_set_on_var_partition:def:1
- Title: Ensure nosuid option set on /var partition
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.5.2_Ensure_nodev_option_set_on_vartmp_partition:def:1
- Title: Ensure nodev option set on /var/tmp partition
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.5.3_Ensure_nosuid_option_set_on_vartmp_partition:def:1
- Title: Ensure nosuid option set on /var/tmp partition
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.5.4_Ensure_noexec_option_set_on_vartmp_partition:def:1
- Title: Ensure noexec option set on /var/tmp partition
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.6.2_Ensure_nodev_option_set_on_varlog_partition:def:1
- Title: Ensure nodev option set on /var/log partition
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.6.3_Ensure_nosuid_option_set_on_varlog_partition:def:1
- Title: Ensure nosuid option set on /var/log partition
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.6.4_Ensure_noexec_option_set_on_varlog_partition:def:1
- Title: Ensure noexec option set on /var/log partition
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.7.2_Ensure_nodev_option_set_on_varlogaudit_partition:def:1
- Title: Ensure nodev option set on /var/log/audit partition
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.7.3_Ensure_nosuid_option_set_on_varlogaudit_partition:def:1
- Title: Ensure nosuid option set on /var/log/audit partition
- oval:simp.cis.2.0.0.AlmaLinux9.1.1.2.7.4_Ensure_noexec_option_set_on_varlogaudit_partition:def:1
- Title: Ensure noexec option set on /var/log/audit partition
- oval:simp.cis.2.0.0.AlmaLinux9.1.2.1.2_Ensure_gpgcheck_is_globally_activated:def:1
- Title: Ensure gpgcheck is globally activated
- NOTE: Some organizations need gpgcheck turned off for some of their internal repos. The best the product can do in this scenario is to enable gpgcheck in /etc/yum.conf and rely on the customer to control the gpg settings of their individual repos.
- oval:simp.cis.2.0.0.AlmaLinux9.1.2.1.3_Ensure_repo_gpgcheck_is_globally_activated:def:1
- Title: Ensure repo_gpgcheck is globally activated
- oval:simp.cis.2.0.0.AlmaLinux9.1.2.2.1_Ensure_updates_patches_and_additional_security_software_are_installed:def:1
- Title: Ensure updates, patches, and additional security software are installed
- oval:simp.cis.2.0.0.AlmaLinux9.1.3.1.1_Ensure_SELinux_is_installed:def:1
- Title: Ensure SELinux is installed
- oval:simp.cis.2.0.0.AlmaLinux9.1.3.1.2_Ensure_SELinux_is_not_disabled_in_bootloader_configuration:def:1
- Title: Ensure SELinux is not disabled in bootloader configuration
- oval:simp.cis.2.0.0.AlmaLinux9.1.3.1.3_Ensure_SELinux_policy_is_configured:def:1
- Title: Ensure SELinux policy is configured
- oval:simp.cis.2.0.0.AlmaLinux9.1.3.1.4_Ensure_the_SELinux_mode_is_not_disabled:def:1
- Title: Ensure the SELinux mode is not disabled
- oval:simp.cis.2.0.0.AlmaLinux9.1.3.1.5_Ensure_the_SELinux_mode_is_enforcing:def:1
- Title: Ensure the SELinux mode is enforcing
- oval:simp.cis.2.0.0.AlmaLinux9.1.3.1.7_Ensure_the_MCS_Translation_Service_mcstrans_is_not_installed:def:1
- Title: Ensure the MCS Translation Service (mcstrans) is not installed
- NOTE: The mcstrans package is not installed; however, the scanner still flags this RPM as being on the system.
- oval:simp.cis.2.0.0.AlmaLinux9.1.3.1.8_Ensure_SETroubleshoot_is_not_installed:def:1
- Title: Ensure SETroubleshoot is not installed
- oval:simp.cis.2.0.0.AlmaLinux9.1.4.1_Ensure_bootloader_password_is_set:def:1
- Title: Ensure bootloader password is set
- NOTE: The rule checks specifically for ‘GRUB2_PASSWORD=’ in /boot/grub2/user.cfg; however, the product sets the grub password in /boot/grub2/grub.cfg with the password_pbkdf2 parameter.
- oval:simp.cis.2.0.0.AlmaLinux9.1.4.2_Ensure_access_to_bootloader_config_is_configured:def:1
- Title: Ensure access to bootloader config is configured
- NOTE: The product does not use /boot/grub2/user.cfg; however, the rule checks for its existence and therefore fails.
- oval:simp.cis.2.0.0.AlmaLinux9.1.5.1_Ensure_address_space_layout_randomization_is_enabled:def:1
- Title: Ensure address space layout randomization is enabled
- oval:simp.cis.2.0.0.AlmaLinux9.1.5.2_Ensure_ptrace_scope_is_restricted:def:1
- Title: Ensure ptrace_scope is restricted
- oval:simp.cis.2.0.0.AlmaLinux9.1.5.3_Ensure_core_dump_backtraces_are_disabled:def:1
- Title: Ensure core dump backtraces are disabled
- oval:simp.cis.2.0.0.AlmaLinux9.1.5.4_Ensure_core_dump_storage_is_disabled:def:1
- Title: Ensure core dump storage is disabled
- oval:simp.cis.2.0.0.AlmaLinux9.1.6.1_Ensure_system_wide_crypto_policy_is_not_set_to_legacy:def:1
- Title: Ensure system wide crypto policy is not set to legacy
- oval:simp.cis.2.0.0.AlmaLinux9.1.6.2_Ensure_system_wide_crypto_policy_is_not_set_in_sshd_configuration:def:1
- Title: Ensure system wide crypto policy is not set in sshd configuration
- oval:simp.cis.2.0.0.AlmaLinux9.1.7.1_Ensure_message_of_the_day_is_configured_properly:def:1
- Title: Ensure message of the day is configured properly
- oval:simp.cis.2.0.0.AlmaLinux9.1.7.2_Ensure_local_login_warning_banner_is_configured_properly:def:1
- Title: Ensure local login warning banner is configured properly
- oval:simp.cis.2.0.0.AlmaLinux9.1.7.3_Ensure_remote_login_warning_banner_is_configured_properly:def:1
- Title: Ensure remote login warning banner is configured properly
- oval:simp.cis.2.0.0.AlmaLinux9.1.7.4_Ensure_access_to_etcmotd_is_configured:def:1
- Title: Ensure access to /etc/motd is configured
- oval:simp.cis.2.0.0.AlmaLinux9.1.7.5_Ensure_access_to_etcissue_is_configured:def:1
- Title: Ensure access to /etc/issue is configured
- oval:simp.cis.2.0.0.AlmaLinux9.1.7.6_Ensure_access_to_etcissue.net_is_configured:def:1
- Title: Ensure access to /etc/issue.net is configured
- oval:simp.cis.2.0.0.AlmaLinux9.1.8.10_Ensure_XDMCP_is_not_enabled:def:1
- Title: Ensure XDMCP is not enabled
- oval:simp.cis.2.0.0.AlmaLinux9.1.8.1_Ensure_GNOME_Display_Manager_is_removed:def:1
- Title: Ensure GNOME Display Manager is removed
- oval:simp.cis.2.0.0.AlmaLinux9.1.8.2_Ensure_GDM_login_banner_is_configured:def:1
- Title: Ensure GDM login banner is configured
- oval:simp.cis.2.0.0.AlmaLinux9.1.8.3_Ensure_GDM_disable-user-list_option_is_enabled:def:1
- Title: Ensure GDM disable-user-list option is enabled
- oval:simp.cis.2.0.0.AlmaLinux9.1.8.4_Ensure_GDM_screen_locks_when_the_user_is_idle:def:1
- Title: Ensure GDM screen locks when the user is idle
- oval:simp.cis.2.0.0.AlmaLinux9.1.8.5_Ensure_GDM_screen_locks_cannot_be_overridden:def:1
- Title: Ensure GDM screen locks cannot be overridden
- oval:simp.cis.2.0.0.AlmaLinux9.1.8.6_Ensure_GDM_automatic_mounting_of_removable_media_is_disabled:def:1
- Title: Ensure GDM automatic mounting of removable media is disabled
- NOTE: This will remediate the rule as requested; however, the check will still fail because the spacing in the configuration is not aligned as the rule expects.
- oval:simp.cis.2.0.0.AlmaLinux9.1.8.7_Ensure_GDM_disabling_automatic_mounting_of_removable_media_is_not_overridden:def:1
- Title: Ensure GDM disabling automatic mounting of removable media is not overridden
- oval:simp.cis.2.0.0.AlmaLinux9.1.8.8_Ensure_GDM_autorun-never_is_enabled:def:1
- Title: Ensure GDM autorun-never is enabled
- oval:simp.cis.2.0.0.AlmaLinux9.1.8.9_Ensure_GDM_autorun-never_is_not_overridden:def:1
- Title: Ensure GDM autorun-never is not overridden
- oval:simp.cis.2.0.0.AlmaLinux9.2.1.10_Ensure_nis_server_services_are_not_in_use:def:1
- Title: Ensure nis server services are not in use
- oval:simp.cis.2.0.0.AlmaLinux9.2.1.11_Ensure_print_server_services_are_not_in_use:def:1
- Title: Ensure print server services are not in use
- oval:simp.cis.2.0.0.AlmaLinux9.2.1.12_Ensure_rpcbind_services_are_not_in_use:def:1
- Title: Ensure rpcbind services are not in use
- oval:simp.cis.2.0.0.AlmaLinux9.2.1.13_Ensure_rsync_services_are_not_in_use:def:1
- Title: Ensure rsync services are not in use
- oval:simp.cis.2.0.0.AlmaLinux9.2.1.14_Ensure_snmp_services_are_not_in_use:def:1
- Title: Ensure snmp services are not in use
- oval:simp.cis.2.0.0.AlmaLinux9.2.1.15_Ensure_telnet_server_services_are_not_in_use:def:1
- Title: Ensure telnet server services are not in use
- oval:simp.cis.2.0.0.AlmaLinux9.2.1.16_Ensure_tftp_server_services_are_not_in_use:def:1
- Title: Ensure tftp server services are not in use
- oval:simp.cis.2.0.0.AlmaLinux9.2.1.17_Ensure_web_proxy_server_services_are_not_in_use:def:1
- Title: Ensure web proxy server services are not in use
- oval:simp.cis.2.0.0.AlmaLinux9.2.1.18_Ensure_web_server_services_are_not_in_use:def:1
- Title: Ensure web server services are not in use
- oval:simp.cis.2.0.0.AlmaLinux9.2.1.19_Ensure_xinetd_services_are_not_in_use:def:1
- Title: Ensure xinetd services are not in use
- oval:simp.cis.2.0.0.AlmaLinux9.2.1.1_Ensure_autofs_services_are_not_in_use:def:1
- Title: Ensure autofs services are not in use
- oval:simp.cis.2.0.0.AlmaLinux9.2.1.20_Ensure_X_window_server_services_are_not_in_use:def:1
- Title: Ensure X window server services are not in use
- oval:simp.cis.2.0.0.AlmaLinux9.2.1.21_Ensure_mail_transfer_agents_are_configured_for_local-only_mode:def:1
- Title: Ensure mail transfer agents are configured for local-only mode
- oval:simp.cis.2.0.0.AlmaLinux9.2.1.22_Ensure_only_approved_services_are_listening_on_a_network_interface:def:1
- Title: Ensure only approved services are listening on a network interface
- oval:simp.cis.2.0.0.AlmaLinux9.2.1.2_Ensure_avahi_daemon_services_are_not_in_use:def:1
- Title: Ensure avahi daemon services are not in use
- oval:simp.cis.2.0.0.AlmaLinux9.2.1.3_Ensure_dhcp_server_services_are_not_in_use:def:1
- Title: Ensure dhcp server services are not in use
- oval:simp.cis.2.0.0.AlmaLinux9.2.1.4_Ensure_dns_server_services_are_not_in_use:def:1
- Title: Ensure dns server services are not in use
- oval:simp.cis.2.0.0.AlmaLinux9.2.1.5_Ensure_dnsmasq_services_are_not_in_use:def:1
- Title: Ensure dnsmasq services are not in use
- oval:simp.cis.2.0.0.AlmaLinux9.2.1.6_Ensure_samba_file_server_services_are_not_in_use:def:1
- Title: Ensure samba file server services are not in use
- oval:simp.cis.2.0.0.AlmaLinux9.2.1.7_Ensure_ftp_server_services_are_not_in_use:def:1
- Title: Ensure ftp server services are not in use
- oval:simp.cis.2.0.0.AlmaLinux9.2.1.8_Ensure_message_access_server_services_are_not_in_use:def:1
- Title: Ensure message access server services are not in use
- oval:simp.cis.2.0.0.AlmaLinux9.2.1.9_Ensure_network_file_system_services_are_not_in_use:def:1
- Title: Ensure network file system services are not in use
- oval:simp.cis.2.0.0.AlmaLinux9.2.2.1_Ensure_ftp_client_is_not_installed:def:1
- Title: Ensure ftp client is not installed
- oval:simp.cis.2.0.0.AlmaLinux9.2.2.2_Ensure_ldap_client_is_not_installed:def:1
- Title: Ensure ldap client is not installed
- oval:simp.cis.2.0.0.AlmaLinux9.2.2.3_Ensure_nis_client_is_not_installed:def:1
- Title: Ensure nis client is not installed
- oval:simp.cis.2.0.0.AlmaLinux9.2.2.4_Ensure_telnet_client_is_not_installed:def:1
- Title: Ensure telnet client is not installed
- oval:simp.cis.2.0.0.AlmaLinux9.2.2.5_Ensure_tftp_client_is_not_installed:def:1
- Title: Ensure tftp client is not installed
- oval:simp.cis.2.0.0.AlmaLinux9.2.3.1_Ensure_time_synchronization_is_in_use:def:1
- Title: Ensure time synchronization is in use
- NOTE: We are configuring the system to use ntpd instead of chrony.
- oval:simp.cis.2.0.0.AlmaLinux9.2.3.2_Ensure_chrony_is_configured:def:1
- Title: Ensure chrony is configured
- NOTE: We are configuring the system to use ntpd instead of chrony.
- oval:simp.cis.2.0.0.AlmaLinux9.2.3.3_Ensure_chrony_is_not_run_as_the_root_user:def:1
- Title: Ensure chrony is not run as the root user
- oval:simp.cis.2.0.0.AlmaLinux9.2.4.1.1_Ensure_cron_daemon_is_enabled_and_active:def:1
- Title: Ensure cron daemon is enabled and active
- oval:simp.cis.2.0.0.AlmaLinux9.2.4.1.2_Ensure_permissions_on_etccrontab_are_configured:def:1
- Title: Ensure permissions on /etc/crontab are configured
- oval:simp.cis.2.0.0.AlmaLinux9.2.4.1.3_Ensure_permissions_on_etccron.hourly_are_configured:def:1
- Title: Ensure permissions on /etc/cron.hourly are configured
- oval:simp.cis.2.0.0.AlmaLinux9.2.4.1.4_Ensure_permissions_on_etccron.daily_are_configured:def:1
- Title: Ensure permissions on /etc/cron.daily are configured
- oval:simp.cis.2.0.0.AlmaLinux9.2.4.1.5_Ensure_permissions_on_etccron.weekly_are_configured:def:1
- Title: Ensure permissions on /etc/cron.weekly are configured
- oval:simp.cis.2.0.0.AlmaLinux9.2.4.1.6_Ensure_permissions_on_etccron.monthly_are_configured:def:1
- Title: Ensure permissions on /etc/cron.monthly are configured
- oval:simp.cis.2.0.0.AlmaLinux9.2.4.1.7_Ensure_permissions_on_etccron.d_are_configured:def:1
- Title: Ensure permissions on /etc/cron.d are configured
- oval:simp.cis.2.0.0.AlmaLinux9.2.4.1.8_Ensure_crontab_is_restricted_to_authorized_users:def:1
- Title: Ensure crontab is restricted to authorized users
- NOTE: Simply including the cron module is enough: access is restricted via cron.allow, and cron.deny is removed if it exists.
- oval:simp.cis.2.0.0.AlmaLinux9.2.4.2.1_Ensure_at_is_restricted_to_authorized_users:def:1
- Title: Ensure at is restricted to authorized users
- NOTE: Simply including the at module is enough: access is restricted via at.allow, and at.deny is removed if it exists.
- oval:simp.cis.2.0.0.AlmaLinux9.3.1.1_Ensure_IPv6_status_is_identified:def:1
- Title: Ensure IPv6 status is identified
- NOTE: This rule is more of a system audit than hard guidance. Should IPv6 actually be enabled, some additional configuration is required, which the product takes care of by default.
- oval:simp.cis.2.0.0.AlmaLinux9.3.1.2_Ensure_wireless_interfaces_are_disabled:def:1
- Title: Ensure wireless interfaces are disabled
- oval:simp.cis.2.0.0.AlmaLinux9.3.1.3_Ensure_bluetooth_services_are_not_in_use:def:1
- Title: Ensure bluetooth services are not in use
- oval:simp.cis.2.0.0.AlmaLinux9.3.2.1_Ensure_dccp_kernel_module_is_not_available:def:1
- Title: Ensure dccp kernel module is not available
- oval:simp.cis.2.0.0.AlmaLinux9.3.2.2_Ensure_tipc_kernel_module_is_not_available:def:1
- Title: Ensure tipc kernel module is not available
- oval:simp.cis.2.0.0.AlmaLinux9.3.2.3_Ensure_rds_kernel_module_is_not_available:def:1
- Title: Ensure rds kernel module is not available
- oval:simp.cis.2.0.0.AlmaLinux9.3.2.4_Ensure_sctp_kernel_module_is_not_available:def:1
- Title: Ensure sctp kernel module is not available
- oval:simp.cis.2.0.0.AlmaLinux9.3.3.10_Ensure_tcp_syn_cookies_is_enabled:def:1
- Title: Ensure tcp syn cookies is enabled
- oval:simp.cis.2.0.0.AlmaLinux9.3.3.11_Ensure_ipv6_router_advertisements_are_not_accepted:def:1
- Title: Ensure ipv6 router advertisements are not accepted
- oval:simp.cis.2.0.0.AlmaLinux9.3.3.1_Ensure_ip_forwarding_is_disabled:def:1
- Title: Ensure ip forwarding is disabled
- oval:simp.cis.2.0.0.AlmaLinux9.3.3.2_Ensure_packet_redirect_sending_is_disabled:def:1
- Title: Ensure packet redirect sending is disabled
- oval:simp.cis.2.0.0.AlmaLinux9.3.3.3_Ensure_bogus_icmp_responses_are_ignored:def:1
- Title: Ensure bogus icmp responses are ignored
- oval:simp.cis.2.0.0.AlmaLinux9.3.3.4_Ensure_broadcast_icmp_requests_are_ignored:def:1
- Title: Ensure broadcast icmp requests are ignored
- oval:simp.cis.2.0.0.AlmaLinux9.3.3.5_Ensure_icmp_redirects_are_not_accepted:def:1
- Title: Ensure icmp redirects are not accepted
- oval:simp.cis.2.0.0.AlmaLinux9.3.3.6_Ensure_secure_icmp_redirects_are_not_accepted:def:1
- Title: Ensure secure icmp redirects are not accepted
- oval:simp.cis.2.0.0.AlmaLinux9.3.3.7_Ensure_reverse_path_filtering_is_enabled:def:1
- Title: Ensure reverse path filtering is enabled
- NOTE: The correct values are set in the running configuration, in /etc/sysctl.d/99-sysctl.conf, and in /usr/lib/sysctl.d/50-redhat.conf. However, /usr/lib/sysctl.d/50-default.conf is not changed. Unless that file is changed manually, the check for this rule will fail, even though its value is overridden by the running configuration and the other files listed.
- oval:simp.cis.2.0.0.AlmaLinux9.3.3.8_Ensure_source_routed_packets_are_not_accepted:def:1
- Title: Ensure source routed packets are not accepted
- oval:simp.cis.2.0.0.AlmaLinux9.3.3.9_Ensure_suspicious_packets_are_logged:def:1
- Title: Ensure suspicious packets are logged
- oval:simp.cis.2.0.0.AlmaLinux9.4.1.1_Ensure_nftables_is_installed:def:1
- Title: Ensure nftables is installed
- oval:simp.cis.2.0.0.AlmaLinux9.4.1.2_Ensure_a_single_firewall_configuration_utility_is_in_use:def:1
- Title: Ensure a single firewall configuration utility is in use
- oval:simp.cis.2.0.0.AlmaLinux9.4.2.1_Ensure_firewalld_drops_unnecessary_services_and_ports:def:1
- Title: Ensure firewalld drops unnecessary services and ports
- oval:simp.cis.2.0.0.AlmaLinux9.4.2.2_Ensure_firewalld_loopback_traffic_is_configured:def:1
- Title: Ensure firewalld loopback traffic is configured
- NOTE: Only applies when nftables is used for firewall provider
- oval:simp.cis.2.0.0.AlmaLinux9.4.3.1_Ensure_nftables_base_chains_exist:def:1
- Title: Ensure nftables base chains exist
- NOTE: Only applies when nftables is used for firewall provider
- oval:simp.cis.2.0.0.AlmaLinux9.4.3.2_Ensure_nftables_established_connections_are_configured:def:1
- Title: Ensure nftables established connections are configured
- NOTE: Only applies when iptables is used for firewall provider
- oval:simp.cis.2.0.0.AlmaLinux9.4.3.3_Ensure_nftables_default_deny_firewall_policy:def:1
- Title: Ensure nftables default deny firewall policy
- NOTE: Only applies when nftables is used for firewall provider
- oval:simp.cis.2.0.0.AlmaLinux9.4.3.4_Ensure_nftables_loopback_traffic_is_configured:def:1
- Title: Ensure nftables loopback traffic is configured
- NOTE: Only applies when nftables is used for firewall provider
- oval:simp.cis.2.0.0.AlmaLinux9.5.1.10_Ensure_sshd_DisableForwarding_is_enabled:def:1
- Title: Ensure sshd DisableForwarding is enabled
- oval:simp.cis.2.0.0.AlmaLinux9.5.1.11_Ensure_sshd_GSSAPIAuthentication_is_disabled:def:1
- Title: Ensure sshd GSSAPIAuthentication is disabled
- oval:simp.cis.2.0.0.AlmaLinux9.5.1.12_Ensure_sshd_HostbasedAuthentication_is_disabled:def:1
- Title: Ensure sshd HostbasedAuthentication is disabled
- oval:simp.cis.2.0.0.AlmaLinux9.5.1.13_Ensure_sshd_IgnoreRhosts_is_enabled:def:1
- Title: Ensure sshd IgnoreRhosts is enabled
- oval:simp.cis.2.0.0.AlmaLinux9.5.1.14_Ensure_sshd_LoginGraceTime_is_configured:def:1
- Title: Ensure sshd LoginGraceTime is configured
- oval:simp.cis.2.0.0.AlmaLinux9.5.1.15_Ensure_sshd_LogLevel_is_configured:def:1
- Title: Ensure sshd LogLevel is configured
- oval:simp.cis.2.0.0.AlmaLinux9.5.1.16_Ensure_sshd_MaxAuthTries_is_configured:def:1
- Title: Ensure sshd MaxAuthTries is configured
- oval:simp.cis.2.0.0.AlmaLinux9.5.1.17_Ensure_sshd_MaxStartups_is_configured:def:1
- Title: Ensure sshd MaxStartups is configured
- oval:simp.cis.2.0.0.AlmaLinux9.5.1.18_Ensure_sshd_MaxSessions_is_configured:def:1
- Title: Ensure sshd MaxSessions is configured
- oval:simp.cis.2.0.0.AlmaLinux9.5.1.19_Ensure_sshd_PermitEmptyPasswords_is_disabled:def:1
- Title: Ensure sshd PermitEmptyPasswords is disabled
- oval:simp.cis.2.0.0.AlmaLinux9.5.1.1_Ensure_permissions_on_etcsshsshd_config_are_configured:def:1
- Title: Ensure permissions on /etc/ssh/sshd_config are configured
- oval:simp.cis.2.0.0.AlmaLinux9.5.1.20_Ensure_sshd_PermitRootLogin_is_disabled:def:1
- Title: Ensure sshd PermitRootLogin is disabled
- oval:simp.cis.2.0.0.AlmaLinux9.5.1.21_Ensure_sshd_PermitUserEnvironment_is_disabled:def:1
- Title: Ensure sshd PermitUserEnvironment is disabled
- oval:simp.cis.2.0.0.AlmaLinux9.5.1.22_Ensure_sshd_UsePAM_is_enabled:def:1
- Title: Ensure sshd UsePAM is enabled
- oval:simp.cis.2.0.0.AlmaLinux9.5.1.2_Ensure_permissions_on_SSH_private_host_key_files_are_configured:def:1
- Title: Ensure permissions on SSH private host key files are configured
- oval:simp.cis.2.0.0.AlmaLinux9.5.1.3_Ensure_permissions_on_SSH_public_host_key_files_are_configured:def:1
- Title: Ensure permissions on SSH public host key files are configured
- oval:simp.cis.2.0.0.AlmaLinux9.5.1.4_Ensure_sshd_Ciphers_are_configured:def:1
- Title: Ensure sshd Ciphers are configured
- oval:simp.cis.2.0.0.AlmaLinux9.5.1.5_Ensure_sshd_KexAlgorithms_is_configured:def:1
- Title: Ensure sshd KexAlgorithms is configured
- oval:simp.cis.2.0.0.AlmaLinux9.5.1.6_Ensure_sshd_MACs_are_configured:def:1
- Title: Ensure sshd MACs are configured
- NOTE: This can fail because the included crypto-policies may contain newly discovered insecure MACs.
- oval:simp.cis.2.0.0.AlmaLinux9.5.1.7_Ensure_sshd_access_is_configured:def:1
- Title: Ensure sshd access is configured
- NOTE: The product cannot make assumptions on which users/groups require access to ssh on specific machines. The user will have to determine this and configure it accordingly using one of the following methods in hieradata:

  ```yaml
  ssh::server::conf::allowusers:
    - user1
    - user2
  ssh::server::conf::allowgroups:
    - group1
    - group2
  ssh::server::conf::denyusers:
    - user3
  ssh::server::conf::denygroups:
    - group3
  ```
- oval:simp.cis.2.0.0.AlmaLinux9.5.1.8_Ensure_sshd_Banner_is_configured:def:1
- Title: Ensure sshd Banner is configured
- oval:simp.cis.2.0.0.AlmaLinux9.5.1.9_Ensure_sshd_ClientAliveInterval_and_ClientAliveCountMax_are_configured:def:1
- Title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured
- oval:simp.cis.2.0.0.AlmaLinux9.5.2.1_Ensure_sudo_is_installed:def:1
- Title: Ensure sudo is installed
- oval:simp.cis.2.0.0.AlmaLinux9.5.2.2_Ensure_sudo_commands_use_pty:def:1
- Title: Ensure sudo commands use pty
- oval:simp.cis.2.0.0.AlmaLinux9.5.2.3_Ensure_sudo_log_file_exists:def:1
- Title: Ensure sudo log file exists
- oval:simp.cis.2.0.0.AlmaLinux9.5.2.6_Ensure_sudo_authentication_timeout_is_configured_correctly:def:1
- Title: Ensure sudo authentication timeout is configured correctly
- oval:simp.cis.2.0.0.AlmaLinux9.5.2.7_Ensure_access_to_the_su_command_is_restricted:def:1
- Title: Ensure access to the su command is restricted
- oval:simp.cis.2.0.0.AlmaLinux9.5.3.1.1_Ensure_latest_version_of_pam_is_installed:def:1
- Title: Ensure latest version of pam is installed
- oval:simp.cis.2.0.0.AlmaLinux9.5.3.1.2_Ensure_latest_version_of_authselect_is_installed:def:1
- Title: Ensure latest version of authselect is installed
- oval:simp.cis.2.0.0.AlmaLinux9.5.3.1.3_Ensure_latest_version_of_libpwquality_is_installed:def:1
- Title: Ensure latest version of libpwquality is installed
- oval:simp.cis.2.0.0.AlmaLinux9.5.3.2.1_Ensure_active_authselect_profile_includes_pam_modules:def:1
- Title: Ensure active authselect profile includes pam modules
- NOTE: PAM is in use; however, the regex used to test for this line's existence does not match the format we use for the line that includes the module.
- oval:simp.cis.2.0.0.AlmaLinux9.5.3.2.2_Ensure_pam_faillock_module_is_enabled:def:1
- Title: Ensure pam_faillock module is enabled
- NOTE: The pam_faillock module is in use; however, the regex used to test for this line's existence does not match the format we use for the line that includes the module.
- oval:simp.cis.2.0.0.AlmaLinux9.5.3.2.3_Ensure_pam_pwquality_module_is_enabled:def:1
- Title: Ensure pam_pwquality module is enabled
- oval:simp.cis.2.0.0.AlmaLinux9.5.3.2.4_Ensure_pam_pwhistory_module_is_enabled:def:1
- Title: Ensure pam_pwhistory module is enabled
- oval:simp.cis.2.0.0.AlmaLinux9.5.3.2.5_Ensure_pam_unix_module_is_enabled:def:1
- Title: Ensure pam_unix module is enabled
- NOTE: The pam_unix module is in use; however, the regex used to test for this line's existence does not match the format we use for the line that includes the module.
- oval:simp.cis.2.0.0.AlmaLinux9.5.3.3.1.1_Ensure_password_failed_attempts_lockout_is_configured:def:1
- Title: Ensure password failed attempts lockout is configured
- oval:simp.cis.2.0.0.AlmaLinux9.5.3.3.1.2_Ensure_password_unlock_time_is_configured:def:1
- Title: Ensure password unlock time is configured
- oval:simp.cis.2.0.0.AlmaLinux9.5.3.3.1.3_Ensure_password_failed_attempts_lockout_includes_root_account:def:1
- Title: Ensure password failed attempts lockout includes root account
- oval:simp.cis.2.0.0.AlmaLinux9.5.3.3.2.1_Ensure_password_number_of_changed_characters_is_configured:def:1
- Title: Ensure password number of changed characters is configured
- oval:simp.cis.2.0.0.AlmaLinux9.5.3.3.2.2_Ensure_password_length_is_configured:def:1
- Title: Ensure password length is configured
- oval:simp.cis.2.0.0.AlmaLinux9.5.3.3.2.3_Ensure_password_complexity_is_configured:def:1
- Title: Ensure password complexity is configured
- oval:simp.cis.2.0.0.AlmaLinux9.5.3.3.2.4_Ensure_password_same_consecutive_characters_is_configured:def:1
- Title: Ensure password same consecutive characters is configured
- oval:simp.cis.2.0.0.AlmaLinux9.5.3.3.2.5_Ensure_password_maximum_sequential_characters_is_configured:def:1
- Title: Ensure password maximum sequential characters is configured
- oval:simp.cis.2.0.0.AlmaLinux9.5.3.3.2.6_Ensure_password_dictionary_check_is_enabled:def:1
- Title: Ensure password dictionary check is enabled
- oval:simp.cis.2.0.0.AlmaLinux9.5.3.3.2.7_Ensure_password_quality_is_enforced_for_the_root_user:def:1
- Title: Ensure password quality is enforced for the root user
- NOTE: The password quality will be enforced for root on the ‘password requisite pam_pwquality.so’ lines of /etc/pam.d/system-auth and /etc/pam.d/password-auth. This check will fail because the assessor does not check in this location, it expects it to show up in /etc/security/pwquality.conf.
- oval:simp.cis.2.0.0.AlmaLinux9.5.3.3.3.1_Ensure_password_history_remember_is_configured:def:1
- Title: Ensure password history remember is configured
- oval:simp.cis.2.0.0.AlmaLinux9.5.3.3.3.2_Ensure_password_history_is_enforced_for_the_root_user:def:1
- Title: Ensure password history is enforced for the root user
- oval:simp.cis.2.0.0.AlmaLinux9.5.3.3.3.3_Ensure_pam_pwhistory_includes_use_authtok:def:1
- Title: Ensure pam_pwhistory includes use_authtok
- oval:simp.cis.2.0.0.AlmaLinux9.5.3.3.4.1_Ensure_pam_unix_does_not_include_nullok:def:1
- Title: Ensure pam_unix does not include nullok
- oval:simp.cis.2.0.0.AlmaLinux9.5.3.3.4.2_Ensure_pam_unix_does_not_include_remember:def:1
- Title: Ensure pam_unix does not include remember
- oval:simp.cis.2.0.0.AlmaLinux9.5.3.3.4.3_Ensure_pam_unix_includes_a_strong_password_hashing_algorithm:def:1
- Title: Ensure pam_unix includes a strong password hashing algorithm
- oval:simp.cis.2.0.0.AlmaLinux9.5.3.3.4.4_Ensure_pam_unix_includes_use_authtok:def:1
- Title: Ensure pam_unix includes use_authtok
- oval:simp.cis.2.0.0.AlmaLinux9.5.4.1.1_Ensure_password_expiration_is_configured:def:1
- Title: Ensure password expiration is configured
- NOTE: The product sets PASS_MAX_DAYS in /etc/login.defs, however, there is currently no mechanism to enforce the setting for existing users in /etc/shadow.
- oval:simp.cis.2.0.0.AlmaLinux9.5.4.1.2_Ensure_minimum_password_days_is_configured:def:1
- Title: Ensure minimum password days is configured
- NOTE: PASS_MIN_DAYS is set to 1 in /etc/login.defs as requested and all non-system users will be corrected if they are not set correctly, however, the product does not manage the root or system accounts in this regard. Changing password settings on the system accounts could be dangerous for the system.
- oval:simp.cis.2.0.0.AlmaLinux9.5.4.1.3_Ensure_password_expiration_warning_days_is_configured:def:1
- Title: Ensure password expiration warning days is configured
- oval:simp.cis.2.0.0.AlmaLinux9.5.4.1.4_Ensure_strong_password_hashing_algorithm_is_configured:def:1
- Title: Ensure strong password hashing algorithm is configured
- oval:simp.cis.2.0.0.AlmaLinux9.5.4.1.5_Ensure_inactive_password_lock_is_configured:def:1
- Title: Ensure inactive password lock is configured
- NOTE: The system will be configured to make accounts inactive after 30 days of inactivity, however, the product has no mechanism to change this value on existing users.
- oval:simp.cis.2.0.0.AlmaLinux9.5.4.1.6_Ensure_all_users_last_password_change_date_is_in_the_past:def:1
- Title: Ensure all users last password change date is in the past
- oval:simp.cis.2.0.0.AlmaLinux9.5.4.2.1_Ensure_root_is_the_only_UID_0_account:def:1
- Title: Ensure root is the only UID 0 account
- oval:simp.cis.2.0.0.AlmaLinux9.5.4.2.2_Ensure_root_is_the_only_GID_0_account:def:1
- Title: Ensure root is the only GID 0 account
- oval:simp.cis.2.0.0.AlmaLinux9.5.4.2.3_Ensure_group_root_is_the_only_GID_0_group:def:1
- Title: Ensure group root is the only GID 0 group
- oval:simp.cis.2.0.0.AlmaLinux9.5.4.2.5_Ensure_root_path_integrity:def:1
- Title: Ensure root path integrity
- NOTE: The check for this can fail for various reasons, including the common dot setting the path to include common user customized directories that may not exist.
- oval:simp.cis.2.0.0.AlmaLinux9.5.4.2.6_Ensure_root_user_umask_is_configured:def:1
- Title: Ensure root user umask is configured
- oval:simp.cis.2.0.0.AlmaLinux9.5.4.2.7_Ensure_system_accounts_do_not_have_a_valid_login_shell:def:1
- Title: Ensure system accounts do not have a valid login shell
- oval:simp.cis.2.0.0.AlmaLinux9.5.4.2.8_Ensure_accounts_without_a_valid_login_shell_are_locked:def:1
- Title: Ensure accounts without a valid login shell are locked
- oval:simp.cis.2.0.0.AlmaLinux9.5.4.3.1_Ensure_nologin_is_not_listed_in_etcshells:def:1
- Title: Ensure nologin is not listed in /etc/shells
- oval:simp.cis.2.0.0.AlmaLinux9.5.4.3.2_Ensure_default_user_shell_timeout_is_configured:def:1
- Title: Ensure default user shell timeout is configured
- NOTE: The scanner fails to pick up on the format the product uses for setting the timeout: `[ $TMOUT ] || export TMOUT=900`. The setting is also set in a nonstandard location: /etc/profile.d/simp.sh.
- oval:simp.cis.2.0.0.AlmaLinux9.5.4.3.3_Ensure_default_user_umask_is_configured:def:1
- Title: Ensure default user umask is configured
- oval:simp.cis.2.0.0.AlmaLinux9.6.1.1_Ensure_AIDE_is_installed:def:1
- Title: Ensure AIDE is installed
- oval:simp.cis.2.0.0.AlmaLinux9.6.1.2_Ensure_filesystem_integrity_is_regularly_checked:def:1
- Title: Ensure filesystem integrity is regularly checked
- oval:simp.cis.2.0.0.AlmaLinux9.6.1.3_Ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools:def:1
- Title: Ensure cryptographic mechanisms are used to protect the integrity of audit tools
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide, however, the scanner only looks for files that end in .conf in the aide.conf.d directory so the scan will fail.
- oval:simp.cis.2.0.0.AlmaLinux9.6.2.1.1_Ensure_journald_service_is_enabled_and_active:def:1
- Title: Ensure journald service is enabled and active
- NOTE: Simply including the journald class will include a default journald configuration and ensure the service is enabled.
- oval:simp.cis.2.0.0.AlmaLinux9.6.2.2.1.1_Ensure_systemd-journal-remote_is_installed:def:1
- Title: Ensure systemd-journal-remote is installed
- oval:simp.cis.2.0.0.AlmaLinux9.6.2.2.1.2_Ensure_systemd-journal-upload_authentication_is_configured:def:1
- Title: Ensure systemd-journal-upload authentication is configured
- oval:simp.cis.2.0.0.AlmaLinux9.6.2.2.1.3_Ensure_systemd-journal-upload_is_enabled_and_active:def:1
- Title: Ensure systemd-journal-upload is enabled and active
- oval:simp.cis.2.0.0.AlmaLinux9.6.2.2.1.4_Ensure_systemd-journal-remote_service_is_not_in_use:def:1
- Title: Ensure systemd-journal-remote service is not in use
- oval:simp.cis.2.0.0.AlmaLinux9.6.2.2.2_Ensure_journald_ForwardToSyslog_is_disabled:def:1
- Title: Ensure journald ForwardToSyslog is disabled
- oval:simp.cis.2.0.0.AlmaLinux9.6.2.2.3_Ensure_journald_Compress_is_configured:def:1
- Title: Ensure journald Compress is configured
- oval:simp.cis.2.0.0.AlmaLinux9.6.2.2.4_Ensure_journald_Storage_is_configured:def:1
- Title: Ensure journald Storage is configured
- oval:simp.cis.2.0.0.AlmaLinux9.6.2.3.1_Ensure_rsyslog_is_installed:def:1
- Title: Ensure rsyslog is installed
- oval:simp.cis.2.0.0.AlmaLinux9.6.2.3.2_Ensure_rsyslog_service_is_enabled_and_active:def:1
- Title: Ensure rsyslog service is enabled and active
- oval:simp.cis.2.0.0.AlmaLinux9.6.2.3.4_Ensure_rsyslog_log_file_creation_mode_is_configured:def:1
- Title: Ensure rsyslog log file creation mode is configured
- oval:simp.cis.2.0.0.AlmaLinux9.6.2.3.5_Ensure_rsyslog_logging_is_configured:def:1
- Title: Ensure rsyslog logging is configured
- oval:simp.cis.2.0.0.AlmaLinux9.6.2.3.7_Ensure_rsyslog_is_not_configured_to_receive_logs_from_a_remote_client:def:1
- Title: Ensure rsyslog is not configured to receive logs from a remote client
- NOTE: Including the product’s rsyslog class will purge any rsyslog configuration not specified by the user in hieradata or by other rules that require specific rsyslog configuration.
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.1.1_Ensure_auditd_packages_are_installed:def:1
- Title: Ensure auditd packages are installed
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.1.2_Ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled:def:1
- Title: Ensure auditing for processes that start prior to auditd is enabled
- NOTE: This value is set in /etc/default/grub, however, the scanner doesn’t scan for the value here.
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.1.3_Ensure_audit_backlog_limit_is_sufficient:def:1
- Title: Ensure audit_backlog_limit is sufficient
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.1.4_Ensure_auditd_service_is_enabled_and_active:def:1
- Title: Ensure auditd service is enabled and active
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.2.1_Ensure_audit_log_storage_size_is_configured:def:1
- Title: Ensure audit log storage size is configured
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.2.2_Ensure_audit_logs_are_not_automatically_deleted:def:1
- Title: Ensure audit logs are not automatically deleted
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.2.3_Ensure_system_is_disabled_when_audit_logs_are_full:def:1
- Title: Ensure system is disabled when audit logs are full
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.2.4_Ensure_system_warns_when_audit_logs_are_low_on_space:def:1
- Title: Ensure system warns when audit logs are low on space
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.3.10_Ensure_successful_file_system_mounts_are_collected:def:1
- Title: Ensure successful file system mounts are collected
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.3.11_Ensure_session_initiation_information_is_collected:def:1
- Title: Ensure session initiation information is collected
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.3.12_Ensure_login_and_logout_events_are_collected:def:1
- Title: Ensure login and logout events are collected
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.3.13_Ensure_file_deletion_events_by_users_are_collected:def:1
- Title: Ensure file deletion events by users are collected
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.3.14_Ensure_events_that_modify_the_systems_Mandatory_Access_Controls_are_collected:def:1
- Title: Ensure events that modify the system’s Mandatory Access Controls are collected
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.3.15_Ensure_successful_and_unsuccessful_attempts_to_use_the_chcon_command_are_collected:def:1
- Title: Ensure successful and unsuccessful attempts to use the chcon command are collected
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.3.16_Ensure_successful_and_unsuccessful_attempts_to_use_the_setfacl_command_are_collected:def:1
- Title: Ensure successful and unsuccessful attempts to use the setfacl command are collected
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.3.17_Ensure_successful_and_unsuccessful_attempts_to_use_the_chacl_command_are_collected:def:1
- Title: Ensure successful and unsuccessful attempts to use the chacl command are collected
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.3.18_Ensure_successful_and_unsuccessful_attempts_to_use_the_usermod_command_are_collected:def:1
- Title: Ensure successful and unsuccessful attempts to use the usermod command are collected
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.3.19_Ensure_kernel_module_loading_unloading_and_modification_is_collected:def:1
- Title: Ensure kernel module loading unloading and modification is collected
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.3.1_Ensure_changes_to_system_administration_scope_sudoers_is_collected:def:1
- Title: Ensure changes to system administration scope (sudoers) is collected
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.3.20_Ensure_the_audit_configuration_is_immutable:def:1
- Title: Ensure the audit configuration is immutable
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.3.21_Ensure_the_running_and_on_disk_configuration_is_the_same:def:1
- Title: Ensure the running and on disk configuration is the same
- NOTE: Including the audit class will force the system to check the expected rule set against what is on the disk. If there are discrepancies, the rules will be changed to the expected state and the service will be restarted, which ensures the rules on disk are the same as the running rules.
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.3.2_Ensure_actions_as_another_user_are_always_logged:def:1
- Title: Ensure actions as another user are always logged
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.3.3_Ensure_events_that_modify_the_sudo_log_file_are_collected:def:1
- Title: Ensure events that modify the sudo log file are collected
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.3.4_Ensure_events_that_modify_date_and_time_information_are_collected:def:1
- Title: Ensure events that modify date and time information are collected
- NOTE: The rule for this will look for the audit rules in /etc/audit/rules.d/50-time-change.rules, however, all custom audit rules specified in the product will live in /etc/audit/rules.d/50-time-change.rules.
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.3.5_Ensure_events_that_modify_the_systems_network_environment_are_collected:def:1
- Title: Ensure events that modify the system’s network environment are collected
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.3.6_Ensure_use_of_privileged_commands_are_collected:def:1
- Title: Ensure use of privileged commands are collected
- NOTE: The available setuid/setgid commands on a given system could vary greatly. Several of the more common commands are audited, but there is currently no automated way to identify and audit all possible setuid/setgid commands available on any given system.
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.3.7_Ensure_unsuccessful_file_access_attempts_are_collected:def:1
- Title: Ensure unsuccessful file access attempts are collected
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.3.8_Ensure_events_that_modify_usergroup_information_are_collected:def:1
- Title: Ensure events that modify user/group information are collected
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.3.9_Ensure_discretionary_access_control_permission_modification_events_are_collected:def:1
- Title: Ensure discretionary access control permission modification events are collected
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.4.10_Ensure_audit_tools_group_owner_is_configured:def:1
- Title: Ensure audit tools group owner is configured
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide, however, the scanner only looks for files that end in .conf in the aide.conf.d directory so the scan will fail.
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.4.1_Ensure_the_audit_log_file_directory_mode_is_configured:def:1
- Title: Ensure the audit log file directory mode is configured
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.4.2_Ensure_audit_log_files_mode_is_configured:def:1
- Title: Ensure audit log files mode is configured
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.4.3_Ensure_audit_log_files_owner_is_configured:def:1
- Title: Ensure audit log files owner is configured
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.4.4_Ensure_audit_log_files_group_owner_is_configured:def:1
- Title: Ensure audit log files group owner is configured
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.4.5_Ensure_audit_configuration_files_mode_is_configured:def:1
- Title: Ensure audit configuration files mode is configured
- NOTE: This will fail even if all of the configuration files in question are owned by the root group.
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.4.6_Ensure_audit_configuration_files_owner_is_configured:def:1
- Title: Ensure audit configuration files owner is configured
- NOTE: This will fail even if all of the configuration files in question are owned by the root group.
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.4.7_Ensure_audit_configuration_files_group_owner_is_configured:def:1
- Title: Ensure audit configuration files group owner is configured
- NOTE: This will fail even if all of the configuration files in question are owned by the root group.
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.4.8_Ensure_audit_tools_mode_is_configured:def:1
- Title: Ensure audit tools mode is configured
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide, however, the scanner only looks for files that end in .conf in the aide.conf.d directory so the scan will fail.
- oval:simp.cis.2.0.0.AlmaLinux9.6.3.4.9_Ensure_audit_tools_owner_is_configured:def:1
- Title: Ensure audit tools owner is configured
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide, however, the scanner only looks for files that end in .conf in the aide.conf.d directory so the scan will fail.
- oval:simp.cis.2.0.0.AlmaLinux9.7.1.10_Ensure_permissions_on_etcsecurityopasswd_are_configured:def:1
- Title: Ensure permissions on /etc/security/opasswd are configured
- oval:simp.cis.2.0.0.AlmaLinux9.7.1.1_Ensure_permissions_on_etcpasswd_are_configured:def:1
- Title: Ensure permissions on /etc/passwd are configured
- oval:simp.cis.2.0.0.AlmaLinux9.7.1.2_Ensure_permissions_on_etcpasswd-_are_configured:def:1
- Title: Ensure permissions on /etc/passwd- are configured
- oval:simp.cis.2.0.0.AlmaLinux9.7.1.3_Ensure_permissions_on_etcgroup_are_configured:def:1
- Title: Ensure permissions on /etc/group are configured
- oval:simp.cis.2.0.0.AlmaLinux9.7.1.4_Ensure_permissions_on_etcgroup-_are_configured:def:1
- Title: Ensure permissions on /etc/group- are configured
- oval:simp.cis.2.0.0.AlmaLinux9.7.1.5_Ensure_permissions_on_etcshadow_are_configured:def:1
- Title: Ensure permissions on /etc/shadow are configured
- oval:simp.cis.2.0.0.AlmaLinux9.7.1.6_Ensure_permissions_on_etcshadow-_are_configured:def:1
- Title: Ensure permissions on /etc/shadow- are configured
- oval:simp.cis.2.0.0.AlmaLinux9.7.1.7_Ensure_permissions_on_etcgshadow_are_configured:def:1
- Title: Ensure permissions on /etc/gshadow are configured
- oval:simp.cis.2.0.0.AlmaLinux9.7.1.8_Ensure_permissions_on_etcgshadow-_are_configured:def:1
- Title: Ensure permissions on /etc/gshadow- are configured
- oval:simp.cis.2.0.0.AlmaLinux9.7.1.9_Ensure_permissions_on_etcshells_are_configured:def:1
- Title: Ensure permissions on /etc/shells are configured
- oval:simp.cis.2.0.0.AlmaLinux9.7.2.1_Ensure_accounts_in_etcpasswd_use_shadowed_passwords:def:1
- Title: Ensure accounts in /etc/passwd use shadowed passwords
- oval:simp.cis.2.0.0.AlmaLinux9.7.2.2_Ensure_etcshadow_password_fields_are_not_empty:def:1
- Title: Ensure /etc/shadow password fields are not empty
- oval:simp.cis.2.0.0.AlmaLinux9.7.2.3_Ensure_all_groups_in_etcpasswd_exist_in_etcgroup:def:1
- Title: Ensure all groups in /etc/passwd exist in /etc/group
- oval:simp.cis.2.0.0.AlmaLinux9.7.2.4_Ensure_no_duplicate_UIDs_exist:def:1
- Title: Ensure no duplicate UIDs exist
- oval:simp.cis.2.0.0.AlmaLinux9.7.2.5_Ensure_no_duplicate_GIDs_exist:def:1
- Title: Ensure no duplicate GIDs exist
- oval:simp.cis.2.0.0.AlmaLinux9.7.2.6_Ensure_no_duplicate_user_names_exist:def:1
- Title: Ensure no duplicate user names exist
- oval:simp.cis.2.0.0.AlmaLinux9.7.2.7_Ensure_no_duplicate_group_names_exist:def:1
- Title: Ensure no duplicate group names exist
- oval:simp.cis.2.0.0.AlmaLinux9.7.2.8_Ensure_local_interactive_user_home_directories_are_configured:def:1
- Title: Ensure local interactive user home directories are configured
- oval:simp.cis.2.0.0.AlmaLinux9.7.2.9_Ensure_local_interactive_user_dot_files_access_is_configured:def:1
- Title: Ensure local interactive user dot files access is configured
OracleLinux 8 (265/287 [92%])
- oval:simp.cis.3.0.0.OracleLinux8.1.1.1.1_Ensure_cramfs_kernel_module_is_not_available:def:1
- Title: Ensure cramfs kernel module is not available
- oval:simp.cis.3.0.0.OracleLinux8.1.1.1.2_Ensure_freevxfs_kernel_module_is_not_available:def:1
- Title: Ensure freevxfs kernel module is not available
- oval:simp.cis.3.0.0.OracleLinux8.1.1.1.3_Ensure_hfs_kernel_module_is_not_available:def:1
- Title: Ensure hfs kernel module is not available
- oval:simp.cis.3.0.0.OracleLinux8.1.1.1.4_Ensure_hfsplus_kernel_module_is_not_available:def:1
- Title: Ensure hfsplus kernel module is not available
- oval:simp.cis.3.0.0.OracleLinux8.1.1.1.5_Ensure_jffs2_kernel_module_is_not_available:def:1
- Title: Ensure jffs2 kernel module is not available
- oval:simp.cis.3.0.0.OracleLinux8.1.1.1.6_Ensure_squashfs_kernel_module_is_not_available:def:1
- Title: Ensure squashfs kernel module is not available
- oval:simp.cis.3.0.0.OracleLinux8.1.1.1.7_Ensure_udf_kernel_module_is_not_available:def:1
- Title: Ensure udf kernel module is not available
- oval:simp.cis.3.0.0.OracleLinux8.1.1.1.8_Ensure_usb-storage_kernel_module_is_not_available:def:1
- Title: Ensure usb-storage kernel module is not available
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.1.1_Ensure_tmp_is_a_separate_partition:def:1
- Title: Ensure /tmp is a separate partition
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.1.2_Ensure_nodev_option_set_on_tmp_partition:def:1
- Title: Ensure nodev option set on /tmp partition
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.1.3_Ensure_nosuid_option_set_on_tmp_partition:def:1
- Title: Ensure nosuid option set on /tmp partition
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.1.4_Ensure_noexec_option_set_on_tmp_partition:def:1
- Title: Ensure noexec option set on /tmp partition
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.2.2_Ensure_nodev_option_set_on_devshm_partition:def:1
- Title: Ensure nodev option set on /dev/shm partition
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.2.3_Ensure_nosuid_option_set_on_devshm_partition:def:1
- Title: Ensure nosuid option set on /dev/shm partition
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.2.4_Ensure_noexec_option_set_on_devshm_partition:def:1
- Title: Ensure noexec option set on /dev/shm partition
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.3.2_Ensure_nodev_option_set_on_home_partition:def:1
- Title: Ensure nodev option set on /home partition
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.3.3_Ensure_nosuid_option_set_on_home_partition:def:1
- Title: Ensure nosuid option set on /home partition
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.4.2_Ensure_nodev_option_set_on_var_partition:def:1
- Title: Ensure nodev option set on /var partition
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.4.3_Ensure_nosuid_option_set_on_var_partition:def:1
- Title: Ensure nosuid option set on /var partition
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.5.2_Ensure_nodev_option_set_on_vartmp_partition:def:1
- Title: Ensure nodev option set on /var/tmp partition
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.5.3_Ensure_nosuid_option_set_on_vartmp_partition:def:1
- Title: Ensure nosuid option set on /var/tmp partition
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.5.4_Ensure_noexec_option_set_on_vartmp_partition:def:1
- Title: Ensure noexec option set on /var/tmp partition
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.6.2_Ensure_nodev_option_set_on_varlog_partition:def:1
- Title: Ensure nodev option set on /var/log partition
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.6.3_Ensure_nosuid_option_set_on_varlog_partition:def:1
- Title: Ensure nosuid option set on /var/log partition
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.6.4_Ensure_noexec_option_set_on_varlog_partition:def:1
- Title: Ensure noexec option set on /var/log partition
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.7.2_Ensure_nodev_option_set_on_varlogaudit_partition:def:1
- Title: Ensure nodev option set on /var/log/audit partition
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.7.3_Ensure_nosuid_option_set_on_varlogaudit_partition:def:1
- Title: Ensure nosuid option set on /var/log/audit partition
- oval:simp.cis.3.0.0.OracleLinux8.1.1.2.7.4_Ensure_noexec_option_set_on_varlogaudit_partition:def:1
- Title: Ensure noexec option set on /var/log/audit partition
- oval:simp.cis.3.0.0.OracleLinux8.1.2.2_Ensure_gpgcheck_is_globally_activated:def:1
- Title: Ensure gpgcheck is globally activated
- NOTE: Some organizations need gpgcheck turned off for some of their internal repos. The best the product can do in this scenario is to enable gpgcheck in /etc/yum.conf and rely on the customers to control the gpg settings of their individual repos.
- oval:simp.cis.3.0.0.OracleLinux8.1.2.3_Ensure_repo_gpgcheck_is_globally_activated:def:1
- Title: Ensure repo_gpgcheck is globally activated
- oval:simp.cis.3.0.0.OracleLinux8.1.2.5_Ensure_updates_patches_and_additional_security_software_are_installed:def:1
- Title: Ensure updates, patches, and additional security software are installed
- oval:simp.cis.3.0.0.OracleLinux8.1.3.1_Ensure_bootloader_password_is_set:def:1
- Title: Ensure bootloader password is set
- NOTE: The rule checks specifically for ‘GRUB2_PASSWORD=’ in /boot/grub2/user.cfg, however, the product sets the grub password via /boot/grub2/grub.cfg with the password_pbkdf2 parameter.
- oval:simp.cis.3.0.0.OracleLinux8.1.3.2_Ensure_permissions_on_bootloader_config_are_configured:def:1
- Title: Ensure permissions on bootloader config are configured
- NOTE: The product does not utilize /boot/grub2/user.cfg, however, the rule will check for its existence and fail.
- oval:simp.cis.3.0.0.OracleLinux8.1.4.1_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1
- Title: Ensure address space layout randomization (ASLR) is enabled
- oval:simp.cis.3.0.0.OracleLinux8.1.4.2_Ensure_ptrace_scope_is_restricted:def:1
- Title: Ensure ptrace_scope is restricted
- oval:simp.cis.3.0.0.OracleLinux8.1.4.3_Ensure_core_dump_backtraces_are_disabled:def:1
- Title: Ensure core dump backtraces are disabled
- oval:simp.cis.3.0.0.OracleLinux8.1.4.4_Ensure_core_dump_storage_is_disabled:def:1
- Title: Ensure core dump storage is disabled
- oval:simp.cis.3.0.0.OracleLinux8.1.5.1.1_Ensure_SELinux_is_installed:def:1
- Title: Ensure SELinux is installed
- oval:simp.cis.3.0.0.OracleLinux8.1.5.1.2_Ensure_SELinux_is_not_disabled_in_bootloader_configuration:def:1
- Title: Ensure SELinux is not disabled in bootloader configuration
- oval:simp.cis.3.0.0.OracleLinux8.1.5.1.3_Ensure_SELinux_policy_is_configured:def:1
- Title: Ensure SELinux policy is configured
- oval:simp.cis.3.0.0.OracleLinux8.1.5.1.4_Ensure_the_SELinux_mode_is_not_disabled:def:1
- Title: Ensure the SELinux mode is not disabled
- oval:simp.cis.3.0.0.OracleLinux8.1.5.1.5_Ensure_the_SELinux_mode_is_enforcing:def:1
- Title: Ensure the SELinux mode is enforcing
- oval:simp.cis.3.0.0.OracleLinux8.1.5.1.7_Ensure_the_MCS_Translation_Service_mcstrans_is_not_installed:def:1
- Title: Ensure the MCS Translation Service (mcstrans) is not installed
- NOTE: The mcstrans package is not installed, however, the scanner is still flagging this rpm as being on the system.
- oval:simp.cis.3.0.0.OracleLinux8.1.5.1.8_Ensure_SETroubleshoot_is_not_installed:def:1
- Title: Ensure SETroubleshoot is not installed
- oval:simp.cis.3.0.0.OracleLinux8.1.6.1_Ensure_system_wide_crypto_policy_is_not_set_to_legacy:def:1
- Title: Ensure system wide crypto policy is not set to legacy
- oval:simp.cis.3.0.0.OracleLinux8.1.7.1_Ensure_message_of_the_day_is_configured_properly:def:1
- Title: Ensure message of the day is configured properly
- oval:simp.cis.3.0.0.OracleLinux8.1.7.2_Ensure_local_login_warning_banner_is_configured_properly:def:1
- Title: Ensure local login warning banner is configured properly
- oval:simp.cis.3.0.0.OracleLinux8.1.7.3_Ensure_remote_login_warning_banner_is_configured_properly:def:1
- Title: Ensure remote login warning banner is configured properly
- oval:simp.cis.3.0.0.OracleLinux8.1.7.4_Ensure_access_to_etcmotd_is_configured:def:1
- Title: Ensure access to /etc/motd is configured
- oval:simp.cis.3.0.0.OracleLinux8.1.7.5_Ensure_access_to_etcissue_is_configured:def:1
- Title: Ensure access to /etc/issue is configured
- oval:simp.cis.3.0.0.OracleLinux8.1.7.6_Ensure_access_to_etcissue.net_is_configured:def:1
- Title: Ensure access to /etc/issue.net is configured
- oval:simp.cis.3.0.0.OracleLinux8.1.8.10_Ensure_XDMCP_is_not_enabled:def:1
- Title: Ensure XDMCP is not enabled
- oval:simp.cis.3.0.0.OracleLinux8.1.8.1_Ensure_GNOME_Display_Manager_is_removed:def:1
- Title: Ensure GNOME Display Manager is removed
- oval:simp.cis.3.0.0.OracleLinux8.1.8.2_Ensure_GDM_login_banner_is_configured:def:1
- Title: Ensure GDM login banner is configured
- oval:simp.cis.3.0.0.OracleLinux8.1.8.3_Ensure_GDM_disable-user-list_option_is_enabled:def:1
- Title: Ensure GDM disable-user-list option is enabled
- oval:simp.cis.3.0.0.OracleLinux8.1.8.4_Ensure_GDM_screen_locks_when_the_user_is_idle:def:1
- Title: Ensure GDM screen locks when the user is idle
- oval:simp.cis.3.0.0.OracleLinux8.1.8.5_Ensure_GDM_screen_locks_cannot_be_overridden:def:1
- Title: Ensure GDM screen locks cannot be overridden
- oval:simp.cis.3.0.0.OracleLinux8.1.8.6_Ensure_GDM_automatic_mounting_of_removable_media_is_disabled:def:1
- Title: Ensure GDM automatic mounting of removable media is disabled
- NOTE: This will remediate the rule as requested, however, the check will still fail because spacing is not aligned as expected in the rule.
- oval:simp.cis.3.0.0.OracleLinux8.1.8.7_Ensure_GDM_disabling_automatic_mounting_of_removable_media_is_not_overridden:def:1
- Title: Ensure GDM disabling automatic mounting of removable media is not overridden
- oval:simp.cis.3.0.0.OracleLinux8.1.8.8_Ensure_GDM_autorun-never_is_enabled:def:1
- Title: Ensure GDM autorun-never is enabled
- oval:simp.cis.3.0.0.OracleLinux8.1.8.9_Ensure_GDM_autorun-never_is_not_overridden:def:1
- Title: Ensure GDM autorun-never is not overridden
- oval:simp.cis.3.0.0.OracleLinux8.2.1.1_Ensure_time_synchronization_is_in_use:def:1
- Title: Ensure time synchronization is in use
- oval:simp.cis.3.0.0.OracleLinux8.2.1.2_Ensure_chrony_is_configured:def:1
- Title: Ensure chrony is configured
- NOTE: The rule expects time servers or pools to be configured, however, the product cannot make assumptions on which server or pools should be used per organization.
- oval:simp.cis.3.0.0.OracleLinux8.2.1.3_Ensure_chrony_is_not_run_as_the_root_user:def:1
- Title: Ensure chrony is not run as the root user
- oval:simp.cis.3.0.0.OracleLinux8.2.2.10_Ensure_nis_server_services_are_not_in_use:def:1
- Title: Ensure nis server services are not in use
- oval:simp.cis.3.0.0.OracleLinux8.2.2.11_Ensure_print_server_services_are_not_in_use:def:1
- Title: Ensure print server services are not in use
- oval:simp.cis.3.0.0.OracleLinux8.2.2.12_Ensure_rpcbind_services_are_not_in_use:def:1
- Title: Ensure rpcbind services are not in use
- oval:simp.cis.3.0.0.OracleLinux8.2.2.13_Ensure_rsync_services_are_not_in_use:def:1
- Title: Ensure rsync services are not in use
- oval:simp.cis.3.0.0.OracleLinux8.2.2.14_Ensure_snmp_services_are_not_in_use:def:1
- Title: Ensure snmp services are not in use
- oval:simp.cis.3.0.0.OracleLinux8.2.2.15_Ensure_telnet_server_services_are_not_in_use:def:1
- Title: Ensure telnet server services are not in use
- oval:simp.cis.3.0.0.OracleLinux8.2.2.16_Ensure_tftp_server_services_are_not_in_use:def:1
- Title: Ensure tftp server services are not in use
- oval:simp.cis.3.0.0.OracleLinux8.2.2.17_Ensure_web_proxy_server_services_are_not_in_use:def:1
- Title: Ensure web proxy server services are not in use
- oval:simp.cis.3.0.0.OracleLinux8.2.2.18_Ensure_web_server_services_are_not_in_use:def:1
- Title: Ensure web server services are not in use
- oval:simp.cis.3.0.0.OracleLinux8.2.2.19_Ensure_xinetd_services_are_not_in_use:def:1
- Title: Ensure xinetd services are not in use
- oval:simp.cis.3.0.0.OracleLinux8.2.2.1_Ensure_autofs_services_are_not_in_use:def:1
- Title: Ensure autofs services are not in use
- oval:simp.cis.3.0.0.OracleLinux8.2.2.20_Ensure_X_window_server_services_are_not_in_use:def:1
- Title: Ensure X window server services are not in use
- oval:simp.cis.3.0.0.OracleLinux8.2.2.21_Ensure_mail_transfer_agents_are_configured_for_local-only_mode:def:1
- Title: Ensure mail transfer agents are configured for local-only mode
- oval:simp.cis.3.0.0.OracleLinux8.2.2.22_Ensure_only_approved_services_are_listening_on_a_network_interface:def:1
- Title: Ensure only approved services are listening on a network interface
- oval:simp.cis.3.0.0.OracleLinux8.2.2.2_Ensure_avahi_daemon_services_are_not_in_use:def:1
- Title: Ensure avahi daemon services are not in use
- oval:simp.cis.3.0.0.OracleLinux8.2.2.3_Ensure_dhcp_server_services_are_not_in_use:def:1
- Title: Ensure dhcp server services are not in use
- oval:simp.cis.3.0.0.OracleLinux8.2.2.4_Ensure_dns_server_services_are_not_in_use:def:1
- Title: Ensure dns server services are not in use
- oval:simp.cis.3.0.0.OracleLinux8.2.2.5_Ensure_dnsmasq_services_are_not_in_use:def:1
- Title: Ensure dnsmasq services are not in use
- oval:simp.cis.3.0.0.OracleLinux8.2.2.6_Ensure_samba_file_server_services_are_not_in_use:def:1
- Title: Ensure samba file server services are not in use
- oval:simp.cis.3.0.0.OracleLinux8.2.2.7_Ensure_ftp_server_services_are_not_in_use:def:1
- Title: Ensure ftp server services are not in use
- oval:simp.cis.3.0.0.OracleLinux8.2.2.8_Ensure_message_access_server_services_are_not_in_use:def:1
- Title: Ensure message access server services are not in use
- oval:simp.cis.3.0.0.OracleLinux8.2.2.9_Ensure_network_file_system_services_are_not_in_use:def:1
- Title: Ensure network file system services are not in use
- oval:simp.cis.3.0.0.OracleLinux8.2.3.1_Ensure_ftp_client_is_not_installed:def:1
- Title: Ensure ftp client is not installed
- oval:simp.cis.3.0.0.OracleLinux8.2.3.2_Ensure_ldap_client_is_not_installed:def:1
- Title: Ensure ldap client is not installed
- oval:simp.cis.3.0.0.OracleLinux8.2.3.3_Ensure_nis_client_is_not_installed:def:1
- Title: Ensure nis client is not installed
- oval:simp.cis.3.0.0.OracleLinux8.2.3.4_Ensure_telnet_client_is_not_installed:def:1
- Title: Ensure telnet client is not installed
- oval:simp.cis.3.0.0.OracleLinux8.2.3.5_Ensure_tftp_client_is_not_installed:def:1
- Title: Ensure tftp client is not installed
- oval:simp.cis.3.0.0.OracleLinux8.3.1.1_Ensure_IPv6_status_is_identified:def:1
- Title: Ensure IPv6 status is identified
- NOTE: This rule is more of a system audit than hard guidance. If IPv6 is actually enabled, some additional configuration is required, which the product will take care of by default.
- oval:simp.cis.3.0.0.OracleLinux8.3.1.2_Ensure_wireless_interfaces_are_disabled:def:1
- Title: Ensure wireless interfaces are disabled
- oval:simp.cis.3.0.0.OracleLinux8.3.1.3_Ensure_bluetooth_services_are_not_in_use:def:1
- Title: Ensure bluetooth services are not in use
- oval:simp.cis.3.0.0.OracleLinux8.3.2.1_Ensure_dccp_kernel_module_is_not_available:def:1
- Title: Ensure dccp kernel module is not available
- oval:simp.cis.3.0.0.OracleLinux8.3.2.2_Ensure_tipc_kernel_module_is_not_available:def:1
- Title: Ensure tipc kernel module is not available
- oval:simp.cis.3.0.0.OracleLinux8.3.2.3_Ensure_rds_kernel_module_is_not_available:def:1
- Title: Ensure rds kernel module is not available
- oval:simp.cis.3.0.0.OracleLinux8.3.2.4_Ensure_sctp_kernel_module_is_not_available:def:1
- Title: Ensure sctp kernel module is not available
- oval:simp.cis.3.0.0.OracleLinux8.3.3.10_Ensure_tcp_syn_cookies_is_enabled:def:1
- Title: Ensure tcp syn cookies is enabled
- oval:simp.cis.3.0.0.OracleLinux8.3.3.11_Ensure_ipv6_router_advertisements_are_not_accepted:def:1
- Title: Ensure ipv6 router advertisements are not accepted
- oval:simp.cis.3.0.0.OracleLinux8.3.3.1_Ensure_ip_forwarding_is_disabled:def:1
- Title: Ensure ip forwarding is disabled
- oval:simp.cis.3.0.0.OracleLinux8.3.3.2_Ensure_packet_redirect_sending_is_disabled:def:1
- Title: Ensure packet redirect sending is disabled
- oval:simp.cis.3.0.0.OracleLinux8.3.3.3_Ensure_bogus_icmp_responses_are_ignored:def:1
- Title: Ensure bogus icmp responses are ignored
- oval:simp.cis.3.0.0.OracleLinux8.3.3.4_Ensure_broadcast_icmp_requests_are_ignored:def:1
- Title: Ensure broadcast icmp requests are ignored
- oval:simp.cis.3.0.0.OracleLinux8.3.3.5_Ensure_icmp_redirects_are_not_accepted:def:1
- Title: Ensure icmp redirects are not accepted
- oval:simp.cis.3.0.0.OracleLinux8.3.3.6_Ensure_secure_icmp_redirects_are_not_accepted:def:1
- Title: Ensure secure icmp redirects are not accepted
- oval:simp.cis.3.0.0.OracleLinux8.3.3.7_Ensure_reverse_path_filtering_is_enabled:def:1
- Title: Ensure reverse path filtering is enabled
- NOTE: The correct values will be set in the running configuration, /etc/sysctl.d/99-sysctl.conf, and /usr/lib/sysctl.d/50-redhat.conf. However, /usr/lib/sysctl.d/50-default.conf will not be configured. If this isn’t changed manually, the check for the rule will fail even though this value will be ignored when the value is set in the running configuration and the other files listed.
- oval:simp.cis.3.0.0.OracleLinux8.3.3.8_Ensure_source_routed_packets_are_not_accepted:def:1
- Title: Ensure source routed packets are not accepted
- oval:simp.cis.3.0.0.OracleLinux8.3.3.9_Ensure_suspicious_packets_are_logged:def:1
- Title: Ensure suspicious packets are logged
- oval:simp.cis.3.0.0.OracleLinux8.3.4.1.1_Ensure_nftables_is_installed:def:1
- Title: Ensure nftables is installed
- oval:simp.cis.3.0.0.OracleLinux8.3.4.1.2_Ensure_a_single_firewall_configuration_utility_is_in_use:def:1
- Title: Ensure a single firewall configuration utility is in use
- oval:simp.cis.3.0.0.OracleLinux8.3.4.2.1_Ensure_nftables_base_chains_exist:def:1
- Title: Ensure nftables base chains exist
- NOTE: Only applies when nftables is used as the firewall provider.
- oval:simp.cis.3.0.0.OracleLinux8.3.4.2.2_Ensure_host_based_firewall_loopback_traffic_is_configured:def:1
- Title: Ensure host based firewall loopback traffic is configured
- NOTE: This rule is configured as requested on the system, however, the check for the rule assumes the default zone is public. This will cause the rule to fail because the default zone will be set to 99_simp. There is a ticket in with CIS requesting this check be fixed.
- oval:simp.cis.3.0.0.OracleLinux8.3.4.2.3_Ensure_firewalld_drops_unnecessary_services_and_ports:def:1
- Title: Ensure firewalld drops unnecessary services and ports
- oval:simp.cis.3.0.0.OracleLinux8.3.4.2.4_Ensure_nftables_established_connections_are_configured:def:1
- Title: Ensure nftables established connections are configured
- NOTE: Only applies when iptables is used as the firewall provider.
- oval:simp.cis.3.0.0.OracleLinux8.3.4.2.5_Ensure_nftables_default_deny_firewall_policy:def:1
- Title: Ensure nftables default deny firewall policy
- NOTE: Only applies when nftables is used as the firewall provider.
- oval:simp.cis.3.0.0.OracleLinux8.4.1.1.1_Ensure_cron_daemon_is_enabled_and_active:def:1
- Title: Ensure cron daemon is enabled and active
- oval:simp.cis.3.0.0.OracleLinux8.4.1.1.2_Ensure_permissions_on_etccrontab_are_configured:def:1
- Title: Ensure permissions on /etc/crontab are configured
- oval:simp.cis.3.0.0.OracleLinux8.4.1.1.3_Ensure_permissions_on_etccron.hourly_are_configured:def:1
- Title: Ensure permissions on /etc/cron.hourly are configured
- oval:simp.cis.3.0.0.OracleLinux8.4.1.1.4_Ensure_permissions_on_etccron.daily_are_configured:def:1
- Title: Ensure permissions on /etc/cron.daily are configured
- oval:simp.cis.3.0.0.OracleLinux8.4.1.1.5_Ensure_permissions_on_etccron.weekly_are_configured:def:1
- Title: Ensure permissions on /etc/cron.weekly are configured
- oval:simp.cis.3.0.0.OracleLinux8.4.1.1.6_Ensure_permissions_on_etccron.monthly_are_configured:def:1
- Title: Ensure permissions on /etc/cron.monthly are configured
- oval:simp.cis.3.0.0.OracleLinux8.4.1.1.7_Ensure_permissions_on_etccron.d_are_configured:def:1
- Title: Ensure permissions on /etc/cron.d are configured
- oval:simp.cis.3.0.0.OracleLinux8.4.1.1.8_Ensure_crontab_is_restricted_to_authorized_users:def:1
- Title: Ensure crontab is restricted to authorized users
- NOTE: Simply including the cron module will be enough to restrict access via cron.allow, and cron.deny will be removed if it exists.
- oval:simp.cis.3.0.0.OracleLinux8.4.1.2.1_Ensure_at_is_restricted_to_authorized_users:def:1
- Title: Ensure at is restricted to authorized users
- NOTE: Simply including the at module will be enough to restrict access via at.allow, and at.deny will be removed if it exists.
- oval:simp.cis.3.0.0.OracleLinux8.4.2.10_Ensure_sshd_IgnoreRhosts_is_enabled:def:1
- Title: Ensure sshd IgnoreRhosts is enabled
- oval:simp.cis.3.0.0.OracleLinux8.4.2.11_Ensure_sshd_KexAlgorithms_is_configured:def:1
- Title: Ensure sshd KexAlgorithms is configured
- oval:simp.cis.3.0.0.OracleLinux8.4.2.12_Ensure_sshd_LoginGraceTime_is_configured:def:1
- Title: Ensure sshd LoginGraceTime is configured
- oval:simp.cis.3.0.0.OracleLinux8.4.2.13_Ensure_sshd_LogLevel_is_configured:def:1
- Title: Ensure sshd LogLevel is configured
- oval:simp.cis.3.0.0.OracleLinux8.4.2.14_Ensure_sshd_MACs_are_configured:def:1
- Title: Ensure sshd MACs are configured
- oval:simp.cis.3.0.0.OracleLinux8.4.2.15_Ensure_sshd_MaxAuthTries_is_configured:def:1
- Title: Ensure sshd MaxAuthTries is configured
- oval:simp.cis.3.0.0.OracleLinux8.4.2.16_Ensure_sshd_MaxSessions_is_configured:def:1
- Title: Ensure sshd MaxSessions is configured
- oval:simp.cis.3.0.0.OracleLinux8.4.2.17_Ensure_sshd_MaxStartups_is_configured:def:1
- Title: Ensure sshd MaxStartups is configured
- oval:simp.cis.3.0.0.OracleLinux8.4.2.18_Ensure_sshd_PermitEmptyPasswords_is_disabled:def:1
- Title: Ensure sshd PermitEmptyPasswords is disabled
- oval:simp.cis.3.0.0.OracleLinux8.4.2.19_Ensure_sshd_PermitRootLogin_is_disabled:def:1
- Title: Ensure sshd PermitRootLogin is disabled
- oval:simp.cis.3.0.0.OracleLinux8.4.2.1_Ensure_permissions_on_etcsshsshd_config_are_configured:def:1
- Title: Ensure permissions on /etc/ssh/sshd_config are configured
- oval:simp.cis.3.0.0.OracleLinux8.4.2.20_Ensure_sshd_PermitUserEnvironment_is_disabled:def:1
- Title: Ensure sshd PermitUserEnvironment is disabled
- oval:simp.cis.3.0.0.OracleLinux8.4.2.21_Ensure_sshd_UsePAM_is_enabled:def:1
- Title: Ensure sshd UsePAM is enabled
- oval:simp.cis.3.0.0.OracleLinux8.4.2.22_Ensure_sshd_crypto_policy_is_not_set:def:1
- Title: Ensure sshd crypto_policy is not set
- oval:simp.cis.3.0.0.OracleLinux8.4.2.2_Ensure_permissions_on_SSH_private_host_key_files_are_configured:def:1
- Title: Ensure permissions on SSH private host key files are configured
- oval:simp.cis.3.0.0.OracleLinux8.4.2.3_Ensure_permissions_on_SSH_public_host_key_files_are_configured:def:1
- Title: Ensure permissions on SSH public host key files are configured
- oval:simp.cis.3.0.0.OracleLinux8.4.2.4_Ensure_sshd_access_is_configured:def:1
- Title: Ensure sshd access is configured
- NOTE: The product cannot make assumptions on which users/groups require access to ssh on specific machines. The user will have to determine this and configure accordingly using one of the following methods in hieradata:

  ```yaml
  ssh::server::conf::allowusers:
    - user1
    - user2
  ssh::server::conf::allowgroups:
    - group1
    - group2
  ssh::server::conf::denyusers:
    - user3
  ssh::server::conf::denygroups:
    - group3
  ```
- oval:simp.cis.3.0.0.OracleLinux8.4.2.5_Ensure_sshd_Banner_is_configured:def:1
- Title: Ensure sshd Banner is configured
- oval:simp.cis.3.0.0.OracleLinux8.4.2.6_Ensure_sshd_Ciphers_are_configured:def:1
- Title: Ensure sshd Ciphers are configured
- oval:simp.cis.3.0.0.OracleLinux8.4.2.7_Ensure_sshd_ClientAliveInterval_and_ClientAliveCountMax_are_configured:def:1
- Title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured
- oval:simp.cis.3.0.0.OracleLinux8.4.2.8_Ensure_sshd_DisableForwarding_is_enabled:def:1
- Title: Ensure sshd DisableForwarding is enabled
- oval:simp.cis.3.0.0.OracleLinux8.4.2.9_Ensure_sshd_HostbasedAuthentication_is_disabled:def:1
- Title: Ensure sshd HostbasedAuthentication is disabled
- oval:simp.cis.3.0.0.OracleLinux8.4.3.1_Ensure_sudo_is_installed:def:1
- Title: Ensure sudo is installed
- oval:simp.cis.3.0.0.OracleLinux8.4.3.2_Ensure_sudo_commands_use_pty:def:1
- Title: Ensure sudo commands use pty
- oval:simp.cis.3.0.0.OracleLinux8.4.3.3_Ensure_sudo_log_file_exists:def:1
- Title: Ensure sudo log file exists
- oval:simp.cis.3.0.0.OracleLinux8.4.3.6_Ensure_sudo_authentication_timeout_is_configured_correctly:def:1
- Title: Ensure sudo authentication timeout is configured correctly
- oval:simp.cis.3.0.0.OracleLinux8.4.3.7_Ensure_access_to_the_su_command_is_restricted:def:1
- Title: Ensure access to the su command is restricted
- oval:simp.cis.3.0.0.OracleLinux8.4.4.1.1_Ensure_latest_version_of_pam_is_installed:def:1
- Title: Ensure latest version of pam is installed
- oval:simp.cis.3.0.0.OracleLinux8.4.4.1.2_Ensure_latest_version_of_authselect_is_installed:def:1
- Title: Ensure latest version of authselect is installed
- oval:simp.cis.3.0.0.OracleLinux8.4.4.2.2_Ensure_pam_faillock_module_is_enabled:def:1
- Title: Ensure pam_faillock module is enabled
- NOTE: The pam faillock module is in use, however, the regex used to test for this line existing isn’t picking up the format we’re using for the line including the module.
- oval:simp.cis.3.0.0.OracleLinux8.4.4.2.3_Ensure_pam_pwquality_module_is_enabled:def:1
- Title: Ensure pam_pwquality module is enabled
- oval:simp.cis.3.0.0.OracleLinux8.4.4.2.4_Ensure_pam_pwhistory_module_is_enabled:def:1
- Title: Ensure pam_pwhistory module is enabled
- oval:simp.cis.3.0.0.OracleLinux8.4.4.2.5_Ensure_pam_unix_module_is_enabled:def:1
- Title: Ensure pam_unix module is enabled
- NOTE: The pam unix module is in use, however, the regex used to test for this line existing isn’t picking up the format we’re using for the line including the module.
- oval:simp.cis.3.0.0.OracleLinux8.4.4.3.1.1_Ensure_password_failed_attempts_lockout_is_configured:def:1
- Title: Ensure password failed attempts lockout is configured
- oval:simp.cis.3.0.0.OracleLinux8.4.4.3.1.2_Ensure_password_unlock_time_is_configured:def:1
- Title: Ensure password unlock time is configured
- oval:simp.cis.3.0.0.OracleLinux8.4.4.3.1.3_Ensure_password_failed_attempts_lockout_includes_root_account:def:1
- Title: Ensure password failed attempts lockout includes root account
- oval:simp.cis.3.0.0.OracleLinux8.4.4.3.2.1_Ensure_password_number_of_changed_characters_is_configured:def:1
- Title: Ensure password number of changed characters is configured
- oval:simp.cis.3.0.0.OracleLinux8.4.4.3.2.2_Ensure_password_length_is_configured:def:1
- Title: Ensure password length is configured
- oval:simp.cis.3.0.0.OracleLinux8.4.4.3.2.3_Ensure_password_complexity_is_configured:def:1
- Title: Ensure password complexity is configured
- oval:simp.cis.3.0.0.OracleLinux8.4.4.3.2.4_Ensure_password_same_consecutive_characters_is_configured:def:1
- Title: Ensure password same consecutive characters is configured
- oval:simp.cis.3.0.0.OracleLinux8.4.4.3.2.5_Ensure_password_maximum_sequential_characters_is_configured:def:1
- Title: Ensure password maximum sequential characters is configured
- oval:simp.cis.3.0.0.OracleLinux8.4.4.3.2.6_Ensure_password_dictionary_check_is_enabled:def:1
- Title: Ensure password dictionary check is enabled
- oval:simp.cis.3.0.0.OracleLinux8.4.4.3.2.7_Ensure_password_quality_is_enforced_for_the_root_user:def:1
- Title: Ensure password quality is enforced for the root user
- NOTE: The password quality will be enforced for root on the ‘password requisite pam_pwquality.so’ lines of /etc/pam.d/system-auth and /etc/pam.d/password-auth. This check will fail because the assessor does not check in this location, it expects it to show up in /etc/security/pwquality.conf.
- oval:simp.cis.3.0.0.OracleLinux8.4.4.3.3.1_Ensure_password_history_remember_is_configured:def:1
- Title: Ensure password history remember is configured
- oval:simp.cis.3.0.0.OracleLinux8.4.4.3.3.2_Ensure_password_history_is_enforced_for_the_root_user:def:1
- Title: Ensure password history is enforced for the root user
- oval:simp.cis.3.0.0.OracleLinux8.4.4.3.3.3_Ensure_pam_pwhistory_includes_use_authtok:def:1
- Title: Ensure pam_pwhistory includes use_authtok
- oval:simp.cis.3.0.0.OracleLinux8.4.4.3.4.1_Ensure_pam_unix_does_not_include_nullok:def:1
- Title: Ensure pam_unix does not include nullok
- oval:simp.cis.3.0.0.OracleLinux8.4.4.3.4.2_Ensure_pam_unix_does_not_include_remember:def:1
- Title: Ensure pam_unix does not include remember
- oval:simp.cis.3.0.0.OracleLinux8.4.4.3.4.3_Ensure_pam_unix_includes_a_strong_password_hashing_algorithm:def:1
- Title: Ensure pam_unix includes a strong password hashing algorithm
- oval:simp.cis.3.0.0.OracleLinux8.4.4.3.4.4_Ensure_pam_unix_includes_use_authtok:def:1
- Title: Ensure pam_unix includes use_authtok
- oval:simp.cis.3.0.0.OracleLinux8.4.5.1.1_Ensure_strong_password_hashing_algorithm_is_configured:def:1
- Title: Ensure strong password hashing algorithm is configured
- oval:simp.cis.3.0.0.OracleLinux8.4.5.1.2_Ensure_password_expiration_is_365_days_or_less:def:1
- Title: Ensure password expiration is 365 days or less
- NOTE: The product sets PASS_MAX_DAYS in /etc/login.defs, however, there is currently no mechanism to enforce the setting for existing users in /etc/shadow.
- oval:simp.cis.3.0.0.OracleLinux8.4.5.1.3_Ensure_password_expiration_warning_days_is_7_or_more:def:1
- Title: Ensure password expiration warning days is 7 or more
- oval:simp.cis.3.0.0.OracleLinux8.4.5.1.4_Ensure_inactive_password_lock_is_30_days_or_less:def:1
- Title: Ensure inactive password lock is 30 days or less
- NOTE: The system will be configured to make accounts inactive after 30 days of inactivity, however, the product has no mechanism to change this value on existing users.
- oval:simp.cis.3.0.0.OracleLinux8.4.5.1.5_Ensure_all_users_last_password_change_date_is_in_the_past:def:1
- Title: Ensure all users last password change date is in the past
- oval:simp.cis.3.0.0.OracleLinux8.4.5.2.1_Ensure_default_group_for_the_root_account_is_GID_0:def:1
- Title: Ensure default group for the root account is GID 0
- oval:simp.cis.3.0.0.OracleLinux8.4.5.2.2_Ensure_root_user_umask_is_configured:def:1
- Title: Ensure root user umask is configured
- oval:simp.cis.3.0.0.OracleLinux8.4.5.2.3_Ensure_system_accounts_are_secured:def:1
- Title: Ensure system accounts are secured
- oval:simp.cis.3.0.0.OracleLinux8.4.5.3.1_Ensure_nologin_is_not_listed_in_etcshells:def:1
- Title: Ensure nologin is not listed in /etc/shells
- oval:simp.cis.3.0.0.OracleLinux8.4.5.3.2_Ensure_default_user_shell_timeout_is_configured:def:1
- Title: Ensure default user shell timeout is configured
- NOTE: The scanner fails to pick up on the format the product uses for setting the timeout: `[ $TMOUT ] || export TMOUT=900`. The setting is also set in a nonstandard location: /etc/profile.d/simp.sh.
- oval:simp.cis.3.0.0.OracleLinux8.4.5.3.3_Ensure_default_user_umask_is_configured:def:1
- Title: Ensure default user umask is configured
- oval:simp.cis.3.0.0.OracleLinux8.5.1.1.1_Ensure_rsyslog_is_installed:def:1
- Title: Ensure rsyslog is installed
- oval:simp.cis.3.0.0.OracleLinux8.5.1.1.2_Ensure_rsyslog_service_is_enabled:def:1
- Title: Ensure rsyslog service is enabled
- oval:simp.cis.3.0.0.OracleLinux8.5.1.1.4_Ensure_rsyslog_default_file_permissions_are_configured:def:1
- Title: Ensure rsyslog default file permissions are configured
- oval:simp.cis.3.0.0.OracleLinux8.5.1.1.5_Ensure_logging_is_configured:def:1
- Title: Ensure logging is configured
- oval:simp.cis.3.0.0.OracleLinux8.5.1.1.7_Ensure_rsyslog_is_not_configured_to_receive_logs_from_a_remote_client:def:1
- Title: Ensure rsyslog is not configured to receive logs from a remote client
- NOTE: Including the product’s rsyslog class will purge any rsyslog configuration not specified by the user in hieradata or by other rules that require specific rsyslog configuration.
- oval:simp.cis.3.0.0.OracleLinux8.5.1.2.1.1_Ensure_systemd-journal-remote_is_installed:def:1
- Title: Ensure systemd-journal-remote is installed
- oval:simp.cis.3.0.0.OracleLinux8.5.1.2.1.2_Ensure_systemd-journal-remote_is_configured:def:1
- Title: Ensure systemd-journal-remote is configured
- oval:simp.cis.3.0.0.OracleLinux8.5.1.2.1.3_Ensure_systemd-journal-remote_is_enabled:def:1
- Title: Ensure systemd-journal-remote is enabled
- oval:simp.cis.3.0.0.OracleLinux8.5.1.2.1.4_Ensure_journald_is_not_configured_to_receive_logs_from_a_remote_client:def:1
- Title: Ensure journald is not configured to receive logs from a remote client
- oval:simp.cis.3.0.0.OracleLinux8.5.1.2.2_Ensure_journald_service_is_enabled:def:1
- Title: Ensure journald service is enabled
- NOTE: Simply including the journald class will include a default journald configuration and ensure the service is enabled.
- oval:simp.cis.3.0.0.OracleLinux8.5.1.2.3_Ensure_journald_is_configured_to_compress_large_log_files:def:1
- Title: Ensure journald is configured to compress large log files
- oval:simp.cis.3.0.0.OracleLinux8.5.1.2.4_Ensure_journald_is_configured_to_write_logfiles_to_persistent_disk:def:1
- Title: Ensure journald is configured to write logfiles to persistent disk
- oval:simp.cis.3.0.0.OracleLinux8.5.1.2.5_Ensure_journald_is_not_configured_to_send_logs_to_rsyslog:def:1
- Title: Ensure journald is not configured to send logs to rsyslog
- oval:simp.cis.3.0.0.OracleLinux8.5.1.3_Ensure_logrotate_is_configured:def:1
- Title: Ensure logrotate is configured
- oval:simp.cis.3.0.0.OracleLinux8.5.1.4_Ensure_all_logfiles_have_appropriate_access_configured:def:1
- Title: Ensure all logfiles have appropriate access configured
- oval:simp.cis.3.0.0.OracleLinux8.5.2.1.1_Ensure_audit_is_installed:def:1
- Title: Ensure audit is installed
- oval:simp.cis.3.0.0.OracleLinux8.5.2.1.2_Ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled:def:1
- Title: Ensure auditing for processes that start prior to auditd is enabled
- NOTE: This value is set in /etc/default/grub, however, the scanner doesn’t scan for the value here.
- oval:simp.cis.3.0.0.OracleLinux8.5.2.1.3_Ensure_audit_backlog_limit_is_sufficient:def:1
- Title: Ensure audit_backlog_limit is sufficient
- NOTE: This value is set in /etc/default/grub, however, the scanner doesn’t scan for the value here.
- oval:simp.cis.3.0.0.OracleLinux8.5.2.1.4_Ensure_auditd_service_is_enabled:def:1
- Title: Ensure auditd service is enabled
- oval:simp.cis.3.0.0.OracleLinux8.5.2.2.1_Ensure_audit_log_storage_size_is_configured:def:1
- Title: Ensure audit log storage size is configured
- oval:simp.cis.3.0.0.OracleLinux8.5.2.2.2_Ensure_audit_logs_are_not_automatically_deleted:def:1
- Title: Ensure audit logs are not automatically deleted
- oval:simp.cis.3.0.0.OracleLinux8.5.2.2.3_Ensure_system_is_disabled_when_audit_logs_are_full:def:1
- Title: Ensure system is disabled when audit logs are full
- oval:simp.cis.3.0.0.OracleLinux8.5.2.2.4_Ensure_system_warns_when_audit_logs_are_low_on_space:def:1
- Title: Ensure system warns when audit logs are low on space
- oval:simp.cis.3.0.0.OracleLinux8.5.2.3.10_Ensure_successful_file_system_mounts_are_collected:def:1
- Title: Ensure successful file system mounts are collected
- oval:simp.cis.3.0.0.OracleLinux8.5.2.3.11_Ensure_session_initiation_information_is_collected:def:1
- Title: Ensure session initiation information is collected
- oval:simp.cis.3.0.0.OracleLinux8.5.2.3.12_Ensure_login_and_logout_events_are_collected:def:1
- Title: Ensure login and logout events are collected
- oval:simp.cis.3.0.0.OracleLinux8.5.2.3.13_Ensure_file_deletion_events_by_users_are_collected:def:1
- Title: Ensure file deletion events by users are collected
- oval:simp.cis.3.0.0.OracleLinux8.5.2.3.14_Ensure_events_that_modify_the_systems_Mandatory_Access_Controls_are_collected:def:1
- Title: Ensure events that modify the system’s Mandatory Access Controls are collected
- oval:simp.cis.3.0.0.OracleLinux8.5.2.3.15_Ensure_successful_and_unsuccessful_attempts_to_use_the_chcon_command_are_recorded:def:1
- Title: Ensure successful and unsuccessful attempts to use the chcon command are recorded
- oval:simp.cis.3.0.0.OracleLinux8.5.2.3.16_Ensure_successful_and_unsuccessful_attempts_to_use_the_setfacl_command_are_recorded:def:1
- Title: Ensure successful and unsuccessful attempts to use the setfacl command are recorded
- oval:simp.cis.3.0.0.OracleLinux8.5.2.3.17_Ensure_successful_and_unsuccessful_attempts_to_use_the_chacl_command_are_recorded:def:1
- Title: Ensure successful and unsuccessful attempts to use the chacl command are recorded
- oval:simp.cis.3.0.0.OracleLinux8.5.2.3.18_Ensure_successful_and_unsuccessful_attempts_to_use_the_usermod_command_are_recorded:def:1
- Title: Ensure successful and unsuccessful attempts to use the usermod command are recorded
- oval:simp.cis.3.0.0.OracleLinux8.5.2.3.19_Ensure_kernel_module_loading_unloading_and_modification_is_collected:def:1
- Title: Ensure kernel module loading unloading and modification is collected
- oval:simp.cis.3.0.0.OracleLinux8.5.2.3.1_Ensure_changes_to_system_administration_scope_sudoers_is_collected:def:1
- Title: Ensure changes to system administration scope (sudoers) is collected
- oval:simp.cis.3.0.0.OracleLinux8.5.2.3.20_Ensure_the_audit_configuration_is_immutable:def:1
- Title: Ensure the audit configuration is immutable
- oval:simp.cis.3.0.0.OracleLinux8.5.2.3.21_Ensure_the_running_and_on_disk_configuration_is_the_same:def:1
- Title: Ensure the running and on disk configuration is the same
- NOTE: Including the audit class forces the system to compare the expected rule set against what is on disk. If there are discrepancies, the on-disk rules are changed to the expected state and the service is restarted, which ensures the rules on disk match the running rules.
- oval:simp.cis.3.0.0.OracleLinux8.5.2.3.2_Ensure_actions_as_another_user_are_always_logged:def:1
- Title: Ensure actions as another user are always logged
- oval:simp.cis.3.0.0.OracleLinux8.5.2.3.3_Ensure_events_that_modify_the_sudo_log_file_are_collected:def:1
- Title: Ensure events that modify the sudo log file are collected
- oval:simp.cis.3.0.0.OracleLinux8.5.2.3.4_Ensure_events_that_modify_date_and_time_information_are_collected:def:1
- Title: Ensure events that modify date and time information are collected
- oval:simp.cis.3.0.0.OracleLinux8.5.2.3.5_Ensure_events_that_modify_the_systems_network_environment_are_collected:def:1
- Title: Ensure events that modify the system’s network environment are collected
- oval:simp.cis.3.0.0.OracleLinux8.5.2.3.6_Ensure_use_of_privileged_commands_are_collected:def:1
- Title: Ensure use of privileged commands are collected
- NOTE: The available setuid/setgid commands on a given system could vary greatly. Several of the more common commands are audited, but there is currently no automated way to identify and audit all possible setuid/setgid commands available on any given system.
- oval:simp.cis.3.0.0.OracleLinux8.5.2.3.7_Ensure_unsuccessful_file_access_attempts_are_collected:def:1
- Title: Ensure unsuccessful file access attempts are collected
- oval:simp.cis.3.0.0.OracleLinux8.5.2.3.8_Ensure_events_that_modify_usergroup_information_are_collected:def:1
- Title: Ensure events that modify user/group information are collected
- oval:simp.cis.3.0.0.OracleLinux8.5.2.3.9_Ensure_discretionary_access_control_permission_modification_events_are_collected:def:1
- Title: Ensure discretionary access control permission modification events are collected
- oval:simp.cis.3.0.0.OracleLinux8.5.2.4.10_Ensure_audit_tools_belong_to_group_root:def:1
- Title: Ensure audit tools belong to group root
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide; however, the scanner only looks for files ending in .conf in the aide.conf.d directory, so the scan will fail.
- oval:simp.cis.3.0.0.OracleLinux8.5.2.4.1_Ensure_the_audit_log_directory_is_0750_or_more_restrictive:def:1
- Title: Ensure the audit log directory is 0750 or more restrictive
- oval:simp.cis.3.0.0.OracleLinux8.5.2.4.2_Ensure_audit_log_files_are_mode_0640_or_less_permissive:def:1
- Title: Ensure audit log files are mode 0640 or less permissive
- oval:simp.cis.3.0.0.OracleLinux8.5.2.4.3_Ensure_only_authorized_users_own_audit_log_files:def:1
- Title: Ensure only authorized users own audit log files
- oval:simp.cis.3.0.0.OracleLinux8.5.2.4.4_Ensure_only_authorized_groups_are_assigned_ownership_of_audit_log_files:def:1
- Title: Ensure only authorized groups are assigned ownership of audit log files
- oval:simp.cis.3.0.0.OracleLinux8.5.2.4.5_Ensure_audit_configuration_files_are_640_or_more_restrictive:def:1
- Title: Ensure audit configuration files are 640 or more restrictive
- oval:simp.cis.3.0.0.OracleLinux8.5.2.4.6_Ensure_audit_configuration_files_are_owned_by_root:def:1
- Title: Ensure audit configuration files are owned by root
- oval:simp.cis.3.0.0.OracleLinux8.5.2.4.7_Ensure_audit_configuration_files_belong_to_group_root:def:1
- Title: Ensure audit configuration files belong to group root
- oval:simp.cis.3.0.0.OracleLinux8.5.2.4.8_Ensure_audit_tools_are_755_or_more_restrictive:def:1
- Title: Ensure audit tools are 755 or more restrictive
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide; however, the scanner only looks for files ending in .conf in the aide.conf.d directory, so the scan will fail.
- oval:simp.cis.3.0.0.OracleLinux8.5.2.4.9_Ensure_audit_tools_are_owned_by_root:def:1
- Title: Ensure audit tools are owned by root
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide; however, the scanner only looks for files ending in .conf in the aide.conf.d directory, so the scan will fail.
- oval:simp.cis.3.0.0.OracleLinux8.5.3.1_Ensure_AIDE_is_installed:def:1
- Title: Ensure AIDE is installed
- oval:simp.cis.3.0.0.OracleLinux8.5.3.2_Ensure_filesystem_integrity_is_regularly_checked:def:1
- Title: Ensure filesystem integrity is regularly checked
- oval:simp.cis.3.0.0.OracleLinux8.5.3.3_Ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools:def:1
- Title: Ensure cryptographic mechanisms are used to protect the integrity of audit tools
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide; however, the scanner only looks for files ending in .conf in the aide.conf.d directory, so the scan will fail.
- oval:simp.cis.3.0.0.OracleLinux8.6.1.10_Ensure_permissions_on_etcshells_are_configured:def:1
- Title: Ensure permissions on /etc/shells are configured
- oval:simp.cis.3.0.0.OracleLinux8.6.1.14_Audit_system_file_permissions:def:1
- Title: Audit system file permissions
- oval:simp.cis.3.0.0.OracleLinux8.6.1.1_Ensure_permissions_on_etcpasswd_are_configured:def:1
- Title: Ensure permissions on /etc/passwd are configured
- oval:simp.cis.3.0.0.OracleLinux8.6.1.2_Ensure_permissions_on_etcpasswd-_are_configured:def:1
- Title: Ensure permissions on /etc/passwd- are configured
- oval:simp.cis.3.0.0.OracleLinux8.6.1.3_Ensure_permissions_on_etcopasswd_are_configured:def:1
- Title: Ensure permissions on /etc/opasswd are configured
- oval:simp.cis.3.0.0.OracleLinux8.6.1.4_Ensure_permissions_on_etcgroup_are_configured:def:1
- Title: Ensure permissions on /etc/group are configured
- oval:simp.cis.3.0.0.OracleLinux8.6.1.5_Ensure_permissions_on_etcgroup-_are_configured:def:1
- Title: Ensure permissions on /etc/group- are configured
- oval:simp.cis.3.0.0.OracleLinux8.6.1.6_Ensure_permissions_on_etcshadow_are_configured:def:1
- Title: Ensure permissions on /etc/shadow are configured
- oval:simp.cis.3.0.0.OracleLinux8.6.1.7_Ensure_permissions_on_etcshadow-_are_configured:def:1
- Title: Ensure permissions on /etc/shadow- are configured
- oval:simp.cis.3.0.0.OracleLinux8.6.1.8_Ensure_permissions_on_etcgshadow_are_configured:def:1
- Title: Ensure permissions on /etc/gshadow are configured
- oval:simp.cis.3.0.0.OracleLinux8.6.1.9_Ensure_permissions_on_etcgshadow-_are_configured:def:1
- Title: Ensure permissions on /etc/gshadow- are configured
- oval:simp.cis.3.0.0.OracleLinux8.6.2.10_Ensure_local_interactive_user_home_directories_are_configured:def:1
- Title: Ensure local interactive user home directories are configured
- oval:simp.cis.3.0.0.OracleLinux8.6.2.11_Ensure_local_interactive_user_dot_files_access_is_configured:def:1
- Title: Ensure local interactive user dot files access is configured
- oval:simp.cis.3.0.0.OracleLinux8.6.2.1_Ensure_accounts_in_etcpasswd_use_shadowed_passwords:def:1
- Title: Ensure accounts in /etc/passwd use shadowed passwords
- oval:simp.cis.3.0.0.OracleLinux8.6.2.2_Ensure_etcshadow_password_fields_are_not_empty:def:1
- Title: Ensure /etc/shadow password fields are not empty
- oval:simp.cis.3.0.0.OracleLinux8.6.2.3_Ensure_all_groups_in_etcpasswd_exist_in_etcgroup:def:1
- Title: Ensure all groups in /etc/passwd exist in /etc/group
- oval:simp.cis.3.0.0.OracleLinux8.6.2.4_Ensure_no_duplicate_UIDs_exist:def:1
- Title: Ensure no duplicate UIDs exist
- oval:simp.cis.3.0.0.OracleLinux8.6.2.5_Ensure_no_duplicate_GIDs_exist:def:1
- Title: Ensure no duplicate GIDs exist
- oval:simp.cis.3.0.0.OracleLinux8.6.2.6_Ensure_no_duplicate_user_names_exist:def:1
- Title: Ensure no duplicate user names exist
- oval:simp.cis.3.0.0.OracleLinux8.6.2.7_Ensure_no_duplicate_group_names_exist:def:1
- Title: Ensure no duplicate group names exist
- oval:simp.cis.3.0.0.OracleLinux8.6.2.8_Ensure_root_path_integrity:def:1
- Title: Ensure root path integrity
- oval:simp.cis.3.0.0.OracleLinux8.6.2.9_Ensure_root_is_the_only_UID_0_account:def:1
- Title: Ensure root is the only UID 0 account
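The 5.2.3.6 note above (privileged commands) says the product audits a fixed set of common setuid/setgid commands because the full set varies per host. As an added example, not code from this report or from the Sicura/SIMP product, the POSIX shell function below enumerates the setuid/setgid binaries on one filesystem and emits one auditd rule per binary in the form the CIS recommendation uses. The `privileged` key and the UID_MIN default of 1000 are assumptions; on a real host UID_MIN should be taken from /etc/login.defs.

```shell
#!/bin/sh
# Added example (not part of the Sicura/SIMP product or this coverage report).
# gen_privileged_rules DIR [UID_MIN]
#   Walk DIR without crossing mount points (the benchmark treats each
#   filesystem separately), find files with the setuid or setgid bit, and
#   print an auditd rule for each one. UID_MIN defaults to 1000 (assumption;
#   read UID_MIN from /etc/login.defs on a real system).
gen_privileged_rules() {
    dir=$1
    uid_min=${2:-1000}
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    LC_ALL=C sort |
    while IFS= read -r path; do
        # Same shape as the CIS rule: record executions of the binary by
        # real (non-system, logged-in) users under the "privileged" key.
        printf '%s -F path=%s -F perm=x -F auid>=%s -F auid!=unset -k privileged\n' \
            '-a always,exit' "$path" "$uid_min"
    done
}

# count_privileged_rules DIR [UID_MIN]
#   Number of rules gen_privileged_rules would write for DIR.
count_privileged_rules() {
    gen_privileged_rules "$1" "${2:-1000}" | wc -l | tr -d ' '
}

# Usage on a real host (run once per mounted filesystem, then reload):
#   gen_privileged_rules / > /etc/audit/rules.d/50-privileged.rules
#   augenrules --load
```

Regenerate the rules file after package updates, since new setuid binaries are not picked up by a static rule set; the scanner's own check for this rule compares the live audit rules against the binaries it finds, so any gap between the two shows up as a failure.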
OracleLinux 9 (269/298 [90%])
- oval:simp.cis.2.0.0.OracleLinux9.1.1.1.1_Ensure_cramfs_kernel_module_is_not_available:def:1
- Title: Ensure cramfs kernel module is not available
- oval:simp.cis.2.0.0.OracleLinux9.1.1.1.2_Ensure_freevxfs_kernel_module_is_not_available:def:1
- Title: Ensure freevxfs kernel module is not available
- oval:simp.cis.2.0.0.OracleLinux9.1.1.1.3_Ensure_hfs_kernel_module_is_not_available:def:1
- Title: Ensure hfs kernel module is not available
- oval:simp.cis.2.0.0.OracleLinux9.1.1.1.4_Ensure_hfsplus_kernel_module_is_not_available:def:1
- Title: Ensure hfsplus kernel module is not available
- oval:simp.cis.2.0.0.OracleLinux9.1.1.1.5_Ensure_jffs2_kernel_module_is_not_available:def:1
- Title: Ensure jffs2 kernel module is not available
- oval:simp.cis.2.0.0.OracleLinux9.1.1.1.6_Ensure_squashfs_kernel_module_is_not_available:def:1
- Title: Ensure squashfs kernel module is not available
- oval:simp.cis.2.0.0.OracleLinux9.1.1.1.7_Ensure_udf_kernel_module_is_not_available:def:1
- Title: Ensure udf kernel module is not available
- oval:simp.cis.2.0.0.OracleLinux9.1.1.1.8_Ensure_usb-storage_kernel_module_is_not_available:def:1
- Title: Ensure usb-storage kernel module is not available
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.1.1_Ensure_tmp_is_a_separate_partition:def:1
- Title: Ensure /tmp is a separate partition
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.1.2_Ensure_nodev_option_set_on_tmp_partition:def:1
- Title: Ensure nodev option set on /tmp partition
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.1.3_Ensure_nosuid_option_set_on_tmp_partition:def:1
- Title: Ensure nosuid option set on /tmp partition
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.1.4_Ensure_noexec_option_set_on_tmp_partition:def:1
- Title: Ensure noexec option set on /tmp partition
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.2.2_Ensure_nodev_option_set_on_devshm_partition:def:1
- Title: Ensure nodev option set on /dev/shm partition
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.2.3_Ensure_nosuid_option_set_on_devshm_partition:def:1
- Title: Ensure nosuid option set on /dev/shm partition
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.2.4_Ensure_noexec_option_set_on_devshm_partition:def:1
- Title: Ensure noexec option set on /dev/shm partition
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.3.2_Ensure_nodev_option_set_on_home_partition:def:1
- Title: Ensure nodev option set on /home partition
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.3.3_Ensure_nosuid_option_set_on_home_partition:def:1
- Title: Ensure nosuid option set on /home partition
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.4.2_Ensure_nodev_option_set_on_var_partition:def:1
- Title: Ensure nodev option set on /var partition
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.4.3_Ensure_nosuid_option_set_on_var_partition:def:1
- Title: Ensure nosuid option set on /var partition
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.5.2_Ensure_nodev_option_set_on_vartmp_partition:def:1
- Title: Ensure nodev option set on /var/tmp partition
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.5.3_Ensure_nosuid_option_set_on_vartmp_partition:def:1
- Title: Ensure nosuid option set on /var/tmp partition
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.5.4_Ensure_noexec_option_set_on_vartmp_partition:def:1
- Title: Ensure noexec option set on /var/tmp partition
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.6.2_Ensure_nodev_option_set_on_varlog_partition:def:1
- Title: Ensure nodev option set on /var/log partition
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.6.3_Ensure_nosuid_option_set_on_varlog_partition:def:1
- Title: Ensure nosuid option set on /var/log partition
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.6.4_Ensure_noexec_option_set_on_varlog_partition:def:1
- Title: Ensure noexec option set on /var/log partition
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.7.2_Ensure_nodev_option_set_on_varlogaudit_partition:def:1
- Title: Ensure nodev option set on /var/log/audit partition
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.7.3_Ensure_nosuid_option_set_on_varlogaudit_partition:def:1
- Title: Ensure nosuid option set on /var/log/audit partition
- oval:simp.cis.2.0.0.OracleLinux9.1.1.2.7.4_Ensure_noexec_option_set_on_varlogaudit_partition:def:1
- Title: Ensure noexec option set on /var/log/audit partition
- oval:simp.cis.2.0.0.OracleLinux9.1.2.1.2_Ensure_gpgcheck_is_globally_activated:def:1
- Title: Ensure gpgcheck is globally activated
- NOTE: Some organizations will need gpgcheck turned off for some of their internal repos. The best the product can do in this scenario is to enable gpgcheck in /etc/yum.conf and rely on the customer to control the GPG settings of their individual repos.
- oval:simp.cis.2.0.0.OracleLinux9.1.2.1.3_Ensure_repo_gpgcheck_is_globally_activated:def:1
- Title: Ensure repo_gpgcheck is globally activated
- oval:simp.cis.2.0.0.OracleLinux9.1.2.2.1_Ensure_updates_patches_and_additional_security_software_are_installed:def:1
- Title: Ensure updates, patches, and additional security software are installed
- oval:simp.cis.2.0.0.OracleLinux9.1.3.1.1_Ensure_SELinux_is_installed:def:1
- Title: Ensure SELinux is installed
- oval:simp.cis.2.0.0.OracleLinux9.1.3.1.2_Ensure_SELinux_is_not_disabled_in_bootloader_configuration:def:1
- Title: Ensure SELinux is not disabled in bootloader configuration
- oval:simp.cis.2.0.0.OracleLinux9.1.3.1.3_Ensure_SELinux_policy_is_configured:def:1
- Title: Ensure SELinux policy is configured
- oval:simp.cis.2.0.0.OracleLinux9.1.3.1.4_Ensure_the_SELinux_mode_is_not_disabled:def:1
- Title: Ensure the SELinux mode is not disabled
- oval:simp.cis.2.0.0.OracleLinux9.1.3.1.5_Ensure_the_SELinux_mode_is_enforcing:def:1
- Title: Ensure the SELinux mode is enforcing
- oval:simp.cis.2.0.0.OracleLinux9.1.3.1.7_Ensure_the_MCS_Translation_Service_mcstrans_is_not_installed:def:1
- Title: Ensure the MCS Translation Service (mcstrans) is not installed
- NOTE: The mcstrans package is not installed; however, the scanner still flags this RPM as being on the system.
- oval:simp.cis.2.0.0.OracleLinux9.1.3.1.8_Ensure_SETroubleshoot_is_not_installed:def:1
- Title: Ensure SETroubleshoot is not installed
- oval:simp.cis.2.0.0.OracleLinux9.1.4.1_Ensure_bootloader_password_is_set:def:1
- Title: Ensure bootloader password is set
- NOTE: The rule checks specifically for ‘GRUB2_PASSWORD=’ in /boot/grub2/user.cfg; however, the product sets the GRUB password in /boot/grub2/grub.cfg with the password_pbkdf2 parameter.
- oval:simp.cis.2.0.0.OracleLinux9.1.4.2_Ensure_access_to_bootloader_config_is_configured:def:1
- Title: Ensure access to bootloader config is configured
- NOTE: The product does not use /boot/grub2/user.cfg; however, the rule checks for its existence and will fail.
- oval:simp.cis.2.0.0.OracleLinux9.1.5.1_Ensure_address_space_layout_randomization_is_enabled:def:1
- Title: Ensure address space layout randomization is enabled
- oval:simp.cis.2.0.0.OracleLinux9.1.5.2_Ensure_ptrace_scope_is_restricted:def:1
- Title: Ensure ptrace_scope is restricted
- oval:simp.cis.2.0.0.OracleLinux9.1.5.3_Ensure_core_dump_backtraces_are_disabled:def:1
- Title: Ensure core dump backtraces are disabled
- oval:simp.cis.2.0.0.OracleLinux9.1.5.4_Ensure_core_dump_storage_is_disabled:def:1
- Title: Ensure core dump storage is disabled
- oval:simp.cis.2.0.0.OracleLinux9.1.6.1_Ensure_system_wide_crypto_policy_is_not_set_to_legacy:def:1
- Title: Ensure system wide crypto policy is not set to legacy
- oval:simp.cis.2.0.0.OracleLinux9.1.6.2_Ensure_system_wide_crypto_policy_is_not_set_in_sshd_configuration:def:1
- Title: Ensure system wide crypto policy is not set in sshd configuration
- oval:simp.cis.2.0.0.OracleLinux9.1.7.1_Ensure_message_of_the_day_is_configured_properly:def:1
- Title: Ensure message of the day is configured properly
- oval:simp.cis.2.0.0.OracleLinux9.1.7.2_Ensure_local_login_warning_banner_is_configured_properly:def:1
- Title: Ensure local login warning banner is configured properly
- oval:simp.cis.2.0.0.OracleLinux9.1.7.3_Ensure_remote_login_warning_banner_is_configured_properly:def:1
- Title: Ensure remote login warning banner is configured properly
- oval:simp.cis.2.0.0.OracleLinux9.1.7.4_Ensure_access_to_etcmotd_is_configured:def:1
- Title: Ensure access to /etc/motd is configured
- oval:simp.cis.2.0.0.OracleLinux9.1.7.5_Ensure_access_to_etcissue_is_configured:def:1
- Title: Ensure access to /etc/issue is configured
- oval:simp.cis.2.0.0.OracleLinux9.1.7.6_Ensure_access_to_etcissue.net_is_configured:def:1
- Title: Ensure access to /etc/issue.net is configured
- oval:simp.cis.2.0.0.OracleLinux9.1.8.10_Ensure_XDMCP_is_not_enabled:def:1
- Title: Ensure XDMCP is not enabled
- oval:simp.cis.2.0.0.OracleLinux9.1.8.1_Ensure_GNOME_Display_Manager_is_removed:def:1
- Title: Ensure GNOME Display Manager is removed
- oval:simp.cis.2.0.0.OracleLinux9.1.8.2_Ensure_GDM_login_banner_is_configured:def:1
- Title: Ensure GDM login banner is configured
- oval:simp.cis.2.0.0.OracleLinux9.1.8.3_Ensure_GDM_disable-user-list_option_is_enabled:def:1
- Title: Ensure GDM disable-user-list option is enabled
- oval:simp.cis.2.0.0.OracleLinux9.1.8.4_Ensure_GDM_screen_locks_when_the_user_is_idle:def:1
- Title: Ensure GDM screen locks when the user is idle
- oval:simp.cis.2.0.0.OracleLinux9.1.8.5_Ensure_GDM_screen_locks_cannot_be_overridden:def:1
- Title: Ensure GDM screen locks cannot be overridden
- oval:simp.cis.2.0.0.OracleLinux9.1.8.6_Ensure_GDM_automatic_mounting_of_removable_media_is_disabled:def:1
- Title: Ensure GDM automatic mounting of removable media is disabled
- NOTE: This will remediate the rule as requested; however, the check will still fail because the spacing is not aligned as the rule expects.
- oval:simp.cis.2.0.0.OracleLinux9.1.8.7_Ensure_GDM_disabling_automatic_mounting_of_removable_media_is_not_overridden:def:1
- Title: Ensure GDM disabling automatic mounting of removable media is not overridden
- oval:simp.cis.2.0.0.OracleLinux9.1.8.8_Ensure_GDM_autorun-never_is_enabled:def:1
- Title: Ensure GDM autorun-never is enabled
- oval:simp.cis.2.0.0.OracleLinux9.1.8.9_Ensure_GDM_autorun-never_is_not_overridden:def:1
- Title: Ensure GDM autorun-never is not overridden
- oval:simp.cis.2.0.0.OracleLinux9.2.1.10_Ensure_nis_server_services_are_not_in_use:def:1
- Title: Ensure nis server services are not in use
- oval:simp.cis.2.0.0.OracleLinux9.2.1.11_Ensure_print_server_services_are_not_in_use:def:1
- Title: Ensure print server services are not in use
- oval:simp.cis.2.0.0.OracleLinux9.2.1.12_Ensure_rpcbind_services_are_not_in_use:def:1
- Title: Ensure rpcbind services are not in use
- oval:simp.cis.2.0.0.OracleLinux9.2.1.13_Ensure_rsync_services_are_not_in_use:def:1
- Title: Ensure rsync services are not in use
- oval:simp.cis.2.0.0.OracleLinux9.2.1.14_Ensure_snmp_services_are_not_in_use:def:1
- Title: Ensure snmp services are not in use
- oval:simp.cis.2.0.0.OracleLinux9.2.1.15_Ensure_telnet_server_services_are_not_in_use:def:1
- Title: Ensure telnet server services are not in use
- oval:simp.cis.2.0.0.OracleLinux9.2.1.16_Ensure_tftp_server_services_are_not_in_use:def:1
- Title: Ensure tftp server services are not in use
- oval:simp.cis.2.0.0.OracleLinux9.2.1.17_Ensure_web_proxy_server_services_are_not_in_use:def:1
- Title: Ensure web proxy server services are not in use
- oval:simp.cis.2.0.0.OracleLinux9.2.1.18_Ensure_web_server_services_are_not_in_use:def:1
- Title: Ensure web server services are not in use
- oval:simp.cis.2.0.0.OracleLinux9.2.1.19_Ensure_xinetd_services_are_not_in_use:def:1
- Title: Ensure xinetd services are not in use
- oval:simp.cis.2.0.0.OracleLinux9.2.1.1_Ensure_autofs_services_are_not_in_use:def:1
- Title: Ensure autofs services are not in use
- oval:simp.cis.2.0.0.OracleLinux9.2.1.20_Ensure_X_window_server_services_are_not_in_use:def:1
- Title: Ensure X window server services are not in use
- oval:simp.cis.2.0.0.OracleLinux9.2.1.21_Ensure_mail_transfer_agents_are_configured_for_local-only_mode:def:1
- Title: Ensure mail transfer agents are configured for local-only mode
- oval:simp.cis.2.0.0.OracleLinux9.2.1.22_Ensure_only_approved_services_are_listening_on_a_network_interface:def:1
- Title: Ensure only approved services are listening on a network interface
- oval:simp.cis.2.0.0.OracleLinux9.2.1.2_Ensure_avahi_daemon_services_are_not_in_use:def:1
- Title: Ensure avahi daemon services are not in use
- oval:simp.cis.2.0.0.OracleLinux9.2.1.3_Ensure_dhcp_server_services_are_not_in_use:def:1
- Title: Ensure dhcp server services are not in use
- oval:simp.cis.2.0.0.OracleLinux9.2.1.4_Ensure_dns_server_services_are_not_in_use:def:1
- Title: Ensure dns server services are not in use
- oval:simp.cis.2.0.0.OracleLinux9.2.1.5_Ensure_dnsmasq_services_are_not_in_use:def:1
- Title: Ensure dnsmasq services are not in use
- oval:simp.cis.2.0.0.OracleLinux9.2.1.6_Ensure_samba_file_server_services_are_not_in_use:def:1
- Title: Ensure samba file server services are not in use
- oval:simp.cis.2.0.0.OracleLinux9.2.1.7_Ensure_ftp_server_services_are_not_in_use:def:1
- Title: Ensure ftp server services are not in use
- oval:simp.cis.2.0.0.OracleLinux9.2.1.8_Ensure_message_access_server_services_are_not_in_use:def:1
- Title: Ensure message access server services are not in use
- oval:simp.cis.2.0.0.OracleLinux9.2.1.9_Ensure_network_file_system_services_are_not_in_use:def:1
- Title: Ensure network file system services are not in use
- oval:simp.cis.2.0.0.OracleLinux9.2.2.1_Ensure_ftp_client_is_not_installed:def:1
- Title: Ensure ftp client is not installed
- oval:simp.cis.2.0.0.OracleLinux9.2.2.2_Ensure_ldap_client_is_not_installed:def:1
- Title: Ensure ldap client is not installed
- oval:simp.cis.2.0.0.OracleLinux9.2.2.3_Ensure_nis_client_is_not_installed:def:1
- Title: Ensure nis client is not installed
- oval:simp.cis.2.0.0.OracleLinux9.2.2.4_Ensure_telnet_client_is_not_installed:def:1
- Title: Ensure telnet client is not installed
- oval:simp.cis.2.0.0.OracleLinux9.2.2.5_Ensure_tftp_client_is_not_installed:def:1
- Title: Ensure tftp client is not installed
- oval:simp.cis.2.0.0.OracleLinux9.2.3.1_Ensure_time_synchronization_is_in_use:def:1
- Title: Ensure time synchronization is in use
- NOTE: We are configuring the system to use ntpd instead of chrony.
- oval:simp.cis.2.0.0.OracleLinux9.2.3.2_Ensure_chrony_is_configured:def:1
- Title: Ensure chrony is configured
- NOTE: We are configuring the system to use ntpd instead of chrony.
- oval:simp.cis.2.0.0.OracleLinux9.2.3.3_Ensure_chrony_is_not_run_as_the_root_user:def:1
- Title: Ensure chrony is not run as the root user
- oval:simp.cis.2.0.0.OracleLinux9.2.4.1.1_Ensure_cron_daemon_is_enabled_and_active:def:1
- Title: Ensure cron daemon is enabled and active
- oval:simp.cis.2.0.0.OracleLinux9.2.4.1.2_Ensure_permissions_on_etccrontab_are_configured:def:1
- Title: Ensure permissions on /etc/crontab are configured
- oval:simp.cis.2.0.0.OracleLinux9.2.4.1.3_Ensure_permissions_on_etccron.hourly_are_configured:def:1
- Title: Ensure permissions on /etc/cron.hourly are configured
- oval:simp.cis.2.0.0.OracleLinux9.2.4.1.4_Ensure_permissions_on_etccron.daily_are_configured:def:1
- Title: Ensure permissions on /etc/cron.daily are configured
- oval:simp.cis.2.0.0.OracleLinux9.2.4.1.5_Ensure_permissions_on_etccron.weekly_are_configured:def:1
- Title: Ensure permissions on /etc/cron.weekly are configured
- oval:simp.cis.2.0.0.OracleLinux9.2.4.1.6_Ensure_permissions_on_etccron.monthly_are_configured:def:1
- Title: Ensure permissions on /etc/cron.monthly are configured
- oval:simp.cis.2.0.0.OracleLinux9.2.4.1.7_Ensure_permissions_on_etccron.d_are_configured:def:1
- Title: Ensure permissions on /etc/cron.d are configured
- oval:simp.cis.2.0.0.OracleLinux9.2.4.1.8_Ensure_crontab_is_restricted_to_authorized_users:def:1
- Title: Ensure crontab is restricted to authorized users
- NOTE: Simply including the cron module is enough: access is restricted through cron.allow, and cron.deny is removed if it exists.
- oval:simp.cis.2.0.0.OracleLinux9.2.4.2.1_Ensure_at_is_restricted_to_authorized_users:def:1
- Title: Ensure at is restricted to authorized users
- NOTE: Simply including the at module is enough: access is restricted through at.allow, and at.deny is removed if it exists.
- oval:simp.cis.2.0.0.OracleLinux9.3.1.1_Ensure_IPv6_status_is_identified:def:1
- Title: Ensure IPv6 status is identified
- NOTE: This rule is more of a system audit than hard guidance. If IPv6 is actually enabled, some additional configuration is required, which the product takes care of by default.
- oval:simp.cis.2.0.0.OracleLinux9.3.1.2_Ensure_wireless_interfaces_are_disabled:def:1
- Title: Ensure wireless interfaces are disabled
- oval:simp.cis.2.0.0.OracleLinux9.3.1.3_Ensure_bluetooth_services_are_not_in_use:def:1
- Title: Ensure bluetooth services are not in use
- oval:simp.cis.2.0.0.OracleLinux9.3.2.1_Ensure_dccp_kernel_module_is_not_available:def:1
- Title: Ensure dccp kernel module is not available
- oval:simp.cis.2.0.0.OracleLinux9.3.2.2_Ensure_tipc_kernel_module_is_not_available:def:1
- Title: Ensure tipc kernel module is not available
- oval:simp.cis.2.0.0.OracleLinux9.3.2.3_Ensure_rds_kernel_module_is_not_available:def:1
- Title: Ensure rds kernel module is not available
- oval:simp.cis.2.0.0.OracleLinux9.3.2.4_Ensure_sctp_kernel_module_is_not_available:def:1
- Title: Ensure sctp kernel module is not available
- oval:simp.cis.2.0.0.OracleLinux9.3.3.10_Ensure_tcp_syn_cookies_is_enabled:def:1
- Title: Ensure tcp syn cookies is enabled
- oval:simp.cis.2.0.0.OracleLinux9.3.3.11_Ensure_ipv6_router_advertisements_are_not_accepted:def:1
- Title: Ensure ipv6 router advertisements are not accepted
- oval:simp.cis.2.0.0.OracleLinux9.3.3.1_Ensure_ip_forwarding_is_disabled:def:1
- Title: Ensure ip forwarding is disabled
- oval:simp.cis.2.0.0.OracleLinux9.3.3.2_Ensure_packet_redirect_sending_is_disabled:def:1
- Title: Ensure packet redirect sending is disabled
- oval:simp.cis.2.0.0.OracleLinux9.3.3.3_Ensure_bogus_icmp_responses_are_ignored:def:1
- Title: Ensure bogus icmp responses are ignored
- oval:simp.cis.2.0.0.OracleLinux9.3.3.4_Ensure_broadcast_icmp_requests_are_ignored:def:1
- Title: Ensure broadcast icmp requests are ignored
- oval:simp.cis.2.0.0.OracleLinux9.3.3.5_Ensure_icmp_redirects_are_not_accepted:def:1
- Title: Ensure icmp redirects are not accepted
- oval:simp.cis.2.0.0.OracleLinux9.3.3.6_Ensure_secure_icmp_redirects_are_not_accepted:def:1
- Title: Ensure secure icmp redirects are not accepted
- oval:simp.cis.2.0.0.OracleLinux9.3.3.7_Ensure_reverse_path_filtering_is_enabled:def:1
- Title: Ensure reverse path filtering is enabled
- NOTE: The correct values will be set in the running configuration, /etc/sysctl.d/99-sysctl.conf, and /usr/lib/sysctl.d/50-redhat.conf. However, /usr/lib/sysctl.d/50-default.conf will not be configured. Unless that file is changed manually, the check for the rule will fail, even though the value in 50-default.conf is overridden by the running configuration and the other files listed.
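The 3.3.7 note above turns on how sysctl resolves conflicting fragments: `sysctl --system` applies every *.conf fragment in lexical order of basename, a basename in an earlier directory (for example /etc/sysctl.d) shadows the same basename in a later one (for example /usr/lib/sysctl.d), and /etc/sysctl.conf is applied last, so the last assignment applied wins. As an added example, not code from this report or from the Sicura/SIMP product, the POSIX shell functions below reproduce that resolution over a directory list you pass in, so you can see which file actually sets a key before a scan flags the wrong one. The directory order and the file layout are assumptions for the self-contained run; on a real host pass the real search path shown in the usage comment.

```shell
#!/bin/sh
# Added example (not part of the Sicura/SIMP product or this coverage report).

# last_value_in_file KEY FILE
#   Print the last "KEY = value" assignment in FILE (comments and blank lines
#   skipped, a leading "-" on the key tolerated as sysctl allows), or nothing.
last_value_in_file() {
    awk -v k="$1" -F= '
        /^[ \t]*[#;]/ { next }
        NF >= 2 {
            n = $1; gsub(/[ \t]/, "", n); sub(/^-/, "", n)
            if (n != k) next
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v)
            last = v; found = 1
        }
        END { if (found) print last }' "$2"
}

# ordered_fragments DIR...
#   List *.conf fragments in the order sysctl --system applies them: the first
#   directory that provides a basename wins, then everything is sorted by
#   basename so that e.g. 99-sysctl.conf is applied after 50-default.conf.
ordered_fragments() {
    seen=" "
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/*.conf; do
            [ -f "$f" ] || continue
            b=${f##*/}
            case "$seen" in *" $b "*) continue ;; esac
            seen="$seen$b "
            printf '%s\t%s\n' "$b" "$f"
        done
    done | LC_ALL=C sort | cut -f2-
}

# effective_sysctl KEY MAIN_CONF DIR...
#   Print "VALUE<TAB>FILE" for the assignment that wins for KEY, where
#   MAIN_CONF (normally /etc/sysctl.conf) is applied after all DIR fragments.
#   Prints nothing if no file sets KEY.
effective_sysctl() {
    key=$1; main=$2; shift 2
    winner=""; winfile=""
    old_ifs=$IFS
    IFS='
'
    for f in $(ordered_fragments "$@"); do
        v=$(last_value_in_file "$key" "$f")
        if [ -n "$v" ]; then winner=$v; winfile=$f; fi
    done
    IFS=$old_ifs
    if [ -n "$main" ] && [ -f "$main" ]; then
        v=$(last_value_in_file "$key" "$main")
        if [ -n "$v" ]; then winner=$v; winfile=$main; fi
    fi
    if [ -n "$winner" ]; then printf '%s\t%s\n' "$winner" "$winfile"; fi
    return 0
}

# Usage on a real host (procps search order):
#   effective_sysctl net.ipv4.conf.all.rp_filter /etc/sysctl.conf \
#       /etc/sysctl.d /run/sysctl.d /usr/local/lib/sysctl.d /usr/lib/sysctl.d /lib/sysctl.d
#   sysctl -n net.ipv4.conf.all.rp_filter   # compare with the live kernel value
```

If the file this reports differs from the one a scanner complains about, the scanner is reading a shadowed or overridden fragment rather than the effective configuration, which is exactly the situation the note describes for 50-default.conf.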
- oval:simp.cis.2.0.0.OracleLinux9.3.3.8_Ensure_source_routed_packets_are_not_accepted:def:1
- Title: Ensure source routed packets are not accepted
- oval:simp.cis.2.0.0.OracleLinux9.3.3.9_Ensure_suspicious_packets_are_logged:def:1
- Title: Ensure suspicious packets are logged
- oval:simp.cis.2.0.0.OracleLinux9.4.1.1_Ensure_nftables_is_installed:def:1
- Title: Ensure nftables is installed
- oval:simp.cis.2.0.0.OracleLinux9.4.1.2_Ensure_a_single_firewall_configuration_utility_is_in_use:def:1
- Title: Ensure a single firewall configuration utility is in use
- oval:simp.cis.2.0.0.OracleLinux9.4.2.1_Ensure_firewalld_drops_unnecessary_services_and_ports:def:1
- Title: Ensure firewalld drops unnecessary services and ports
- oval:simp.cis.2.0.0.OracleLinux9.4.2.2_Ensure_firewalld_loopback_traffic_is_configured:def:1
- Title: Ensure firewalld loopback traffic is configured
- NOTE: Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.OracleLinux9.4.3.1_Ensure_nftables_base_chains_exist:def:1
- Title: Ensure nftables base chains exist
- NOTE: Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.OracleLinux9.4.3.2_Ensure_nftables_established_connections_are_configured:def:1
- Title: Ensure nftables established connections are configured
- NOTE: Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.OracleLinux9.4.3.3_Ensure_nftables_default_deny_firewall_policy:def:1
- Title: Ensure nftables default deny firewall policy
- NOTE: Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.OracleLinux9.4.3.4_Ensure_nftables_loopback_traffic_is_configured:def:1
- Title: Ensure nftables loopback traffic is configured
- NOTE: Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.OracleLinux9.5.1.10_Ensure_sshd_DisableForwarding_is_enabled:def:1
- Title: Ensure sshd DisableForwarding is enabled
- oval:simp.cis.2.0.0.OracleLinux9.5.1.11_Ensure_sshd_GSSAPIAuthentication_is_disabled:def:1
- Title: Ensure sshd GSSAPIAuthentication is disabled
- oval:simp.cis.2.0.0.OracleLinux9.5.1.12_Ensure_sshd_HostbasedAuthentication_is_disabled:def:1
- Title: Ensure sshd HostbasedAuthentication is disabled
- oval:simp.cis.2.0.0.OracleLinux9.5.1.13_Ensure_sshd_IgnoreRhosts_is_enabled:def:1
- Title: Ensure sshd IgnoreRhosts is enabled
- oval:simp.cis.2.0.0.OracleLinux9.5.1.14_Ensure_sshd_LoginGraceTime_is_configured:def:1
- Title: Ensure sshd LoginGraceTime is configured
- oval:simp.cis.2.0.0.OracleLinux9.5.1.15_Ensure_sshd_LogLevel_is_configured:def:1
- Title: Ensure sshd LogLevel is configured
- oval:simp.cis.2.0.0.OracleLinux9.5.1.16_Ensure_sshd_MaxAuthTries_is_configured:def:1
- Title: Ensure sshd MaxAuthTries is configured
- oval:simp.cis.2.0.0.OracleLinux9.5.1.17_Ensure_sshd_MaxStartups_is_configured:def:1
- Title: Ensure sshd MaxStartups is configured
- oval:simp.cis.2.0.0.OracleLinux9.5.1.18_Ensure_sshd_MaxSessions_is_configured:def:1
- Title: Ensure sshd MaxSessions is configured
- oval:simp.cis.2.0.0.OracleLinux9.5.1.19_Ensure_sshd_PermitEmptyPasswords_is_disabled:def:1
- Title: Ensure sshd PermitEmptyPasswords is disabled
- oval:simp.cis.2.0.0.OracleLinux9.5.1.1_Ensure_permissions_on_etcsshsshd_config_are_configured:def:1
- Title: Ensure permissions on /etc/ssh/sshd_config are configured
- oval:simp.cis.2.0.0.OracleLinux9.5.1.20_Ensure_sshd_PermitRootLogin_is_disabled:def:1
- Title: Ensure sshd PermitRootLogin is disabled
- oval:simp.cis.2.0.0.OracleLinux9.5.1.21_Ensure_sshd_PermitUserEnvironment_is_disabled:def:1
- Title: Ensure sshd PermitUserEnvironment is disabled
- oval:simp.cis.2.0.0.OracleLinux9.5.1.22_Ensure_sshd_UsePAM_is_enabled:def:1
- Title: Ensure sshd UsePAM is enabled
- oval:simp.cis.2.0.0.OracleLinux9.5.1.2_Ensure_permissions_on_SSH_private_host_key_files_are_configured:def:1
- Title: Ensure permissions on SSH private host key files are configured
- oval:simp.cis.2.0.0.OracleLinux9.5.1.3_Ensure_permissions_on_SSH_public_host_key_files_are_configured:def:1
- Title: Ensure permissions on SSH public host key files are configured
- oval:simp.cis.2.0.0.OracleLinux9.5.1.4_Ensure_sshd_Ciphers_are_configured:def:1
- Title: Ensure sshd Ciphers are configured
- oval:simp.cis.2.0.0.OracleLinux9.5.1.5_Ensure_sshd_KexAlgorithms_is_configured:def:1
- Title: Ensure sshd KexAlgorithms is configured
- oval:simp.cis.2.0.0.OracleLinux9.5.1.6_Ensure_sshd_MACs_are_configured:def:1
- Title: Ensure sshd MACs are configured
- NOTE: This can fail because the included crypto-policies may contain newly identified insecure MACs.
- oval:simp.cis.2.0.0.OracleLinux9.5.1.7_Ensure_sshd_access_is_configured:def:1
- Title: Ensure sshd access is configured
- NOTE: The product cannot make assumptions about which users/groups require SSH access to specific machines. The user will have to determine this and configure it accordingly using one or more of the following settings in hieradata:

  ```yaml
  ssh::server::conf::allowusers:
    - user1
    - user2
  ssh::server::conf::allowgroups:
    - group1
    - group2
  ssh::server::conf::denyusers:
    - user3
  ssh::server::conf::denygroups:
    - group3
  ```
- oval:simp.cis.2.0.0.OracleLinux9.5.1.8_Ensure_sshd_Banner_is_configured:def:1
- Title: Ensure sshd Banner is configured
- oval:simp.cis.2.0.0.OracleLinux9.5.1.9_Ensure_sshd_ClientAliveInterval_and_ClientAliveCountMax_are_configured:def:1
- Title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured
- oval:simp.cis.2.0.0.OracleLinux9.5.2.1_Ensure_sudo_is_installed:def:1
- Title: Ensure sudo is installed
- oval:simp.cis.2.0.0.OracleLinux9.5.2.2_Ensure_sudo_commands_use_pty:def:1
- Title: Ensure sudo commands use pty
- oval:simp.cis.2.0.0.OracleLinux9.5.2.3_Ensure_sudo_log_file_exists:def:1
- Title: Ensure sudo log file exists
- oval:simp.cis.2.0.0.OracleLinux9.5.2.6_Ensure_sudo_authentication_timeout_is_configured_correctly:def:1
- Title: Ensure sudo authentication timeout is configured correctly
- oval:simp.cis.2.0.0.OracleLinux9.5.2.7_Ensure_access_to_the_su_command_is_restricted:def:1
- Title: Ensure access to the su command is restricted
- oval:simp.cis.2.0.0.OracleLinux9.5.3.1.1_Ensure_latest_version_of_pam_is_installed:def:1
- Title: Ensure latest version of pam is installed
- oval:simp.cis.2.0.0.OracleLinux9.5.3.1.2_Ensure_latest_version_of_authselect_is_installed:def:1
- Title: Ensure latest version of authselect is installed
- oval:simp.cis.2.0.0.OracleLinux9.5.3.1.3_Ensure_latest_version_of_libpwquality_is_installed:def:1
- Title: Ensure latest version of libpwquality is installed
- oval:simp.cis.2.0.0.OracleLinux9.5.3.2.1_Ensure_active_authselect_profile_includes_pam_modules:def:1
- Title: Ensure active authselect profile includes pam modules
- NOTE: PAM is in use; however, the regex used to test for this line isn’t picking up the format we’re using for the line that includes the module.
- oval:simp.cis.2.0.0.OracleLinux9.5.3.2.2_Ensure_pam_faillock_module_is_enabled:def:1
- Title: Ensure pam_faillock module is enabled
- NOTE: The pam_faillock module is in use; however, the regex used to test for this line isn’t picking up the format we’re using for the line that includes the module.
- oval:simp.cis.2.0.0.OracleLinux9.5.3.2.3_Ensure_pam_pwquality_module_is_enabled:def:1
- Title: Ensure pam_pwquality module is enabled
- oval:simp.cis.2.0.0.OracleLinux9.5.3.2.4_Ensure_pam_pwhistory_module_is_enabled:def:1
- Title: Ensure pam_pwhistory module is enabled
- oval:simp.cis.2.0.0.OracleLinux9.5.3.2.5_Ensure_pam_unix_module_is_enabled:def:1
- Title: Ensure pam_unix module is enabled
- NOTE: The pam_unix module is in use; however, the regex used to test for this line isn’t picking up the format we’re using for the line that includes the module.
- oval:simp.cis.2.0.0.OracleLinux9.5.3.3.1.1_Ensure_password_failed_attempts_lockout_is_configured:def:1
- Title: Ensure password failed attempts lockout is configured
- oval:simp.cis.2.0.0.OracleLinux9.5.3.3.1.2_Ensure_password_unlock_time_is_configured:def:1
- Title: Ensure password unlock time is configured
- oval:simp.cis.2.0.0.OracleLinux9.5.3.3.1.3_Ensure_password_failed_attempts_lockout_includes_root_account:def:1
- Title: Ensure password failed attempts lockout includes root account
- oval:simp.cis.2.0.0.OracleLinux9.5.3.3.2.1_Ensure_password_number_of_changed_characters_is_configured:def:1
- Title: Ensure password number of changed characters is configured
- oval:simp.cis.2.0.0.OracleLinux9.5.3.3.2.2_Ensure_password_length_is_configured:def:1
- Title: Ensure password length is configured
- oval:simp.cis.2.0.0.OracleLinux9.5.3.3.2.3_Ensure_password_complexity_is_configured:def:1
- Title: Ensure password complexity is configured
- oval:simp.cis.2.0.0.OracleLinux9.5.3.3.2.4_Ensure_password_same_consecutive_characters_is_configured:def:1
- Title: Ensure password same consecutive characters is configured
- oval:simp.cis.2.0.0.OracleLinux9.5.3.3.2.5_Ensure_password_maximum_sequential_characters_is_configured:def:1
- Title: Ensure password maximum sequential characters is configured
- oval:simp.cis.2.0.0.OracleLinux9.5.3.3.2.6_Ensure_password_dictionary_check_is_enabled:def:1
- Title: Ensure password dictionary check is enabled
- oval:simp.cis.2.0.0.OracleLinux9.5.3.3.2.7_Ensure_password_quality_is_enforced_for_the_root_user:def:1
- Title: Ensure password quality is enforced for the root user
- NOTE: The password quality will be enforced for root on the ‘password requisite pam_pwquality.so’ lines of /etc/pam.d/system-auth and /etc/pam.d/password-auth. This check will fail because the assessor does not check in this location, it expects it to show up in /etc/security/pwquality.conf.
- oval:simp.cis.2.0.0.OracleLinux9.5.3.3.3.1_Ensure_password_history_remember_is_configured:def:1
- Title: Ensure password history remember is configured
- oval:simp.cis.2.0.0.OracleLinux9.5.3.3.3.2_Ensure_password_history_is_enforced_for_the_root_user:def:1
- Title: Ensure password history is enforced for the root user
- oval:simp.cis.2.0.0.OracleLinux9.5.3.3.3.3_Ensure_pam_pwhistory_includes_use_authtok:def:1
- Title: Ensure pam_pwhistory includes use_authtok
- oval:simp.cis.2.0.0.OracleLinux9.5.3.3.4.1_Ensure_pam_unix_does_not_include_nullok:def:1
- Title: Ensure pam_unix does not include nullok
- oval:simp.cis.2.0.0.OracleLinux9.5.3.3.4.2_Ensure_pam_unix_does_not_include_remember:def:1
- Title: Ensure pam_unix does not include remember
- oval:simp.cis.2.0.0.OracleLinux9.5.3.3.4.3_Ensure_pam_unix_includes_a_strong_password_hashing_algorithm:def:1
- Title: Ensure pam_unix includes a strong password hashing algorithm
- oval:simp.cis.2.0.0.OracleLinux9.5.3.3.4.4_Ensure_pam_unix_includes_use_authtok:def:1
- Title: Ensure pam_unix includes use_authtok
- oval:simp.cis.2.0.0.OracleLinux9.5.4.1.1_Ensure_password_expiration_is_configured:def:1
- Title: Ensure password expiration is configured
- NOTE: The product sets PASS_MAX_DAYS in /etc/login.defs, however, there is currently no mechanism to enforce the setting for existing users in /etc/shadow.
- oval:simp.cis.2.0.0.OracleLinux9.5.4.1.2_Ensure_minimum_password_days_is_configured:def:1
- Title: Ensure minimum password days is configured
- NOTE: PASS_MIN_DAYS is set to 1 in /etc/login.defs as requested and all non-system users will be corrected if they are not set correctly, however, the product does not manage the root or system accounts in this regard. Changing password settings on the system accounts could be dangerous for the system.
- oval:simp.cis.2.0.0.OracleLinux9.5.4.1.3_Ensure_password_expiration_warning_days_is_configured:def:1
- Title: Ensure password expiration warning days is configured
- oval:simp.cis.2.0.0.OracleLinux9.5.4.1.4_Ensure_strong_password_hashing_algorithm_is_configured:def:1
- Title: Ensure strong password hashing algorithm is configured
- oval:simp.cis.2.0.0.OracleLinux9.5.4.1.5_Ensure_inactive_password_lock_is_configured:def:1
- Title: Ensure inactive password lock is configured
- NOTE: The system will be configured to make accounts inactive after 30 days of inactivity, however, the product has no mechanism to change this value on existing users.
- oval:simp.cis.2.0.0.OracleLinux9.5.4.1.6_Ensure_all_users_last_password_change_date_is_in_the_past:def:1
- Title: Ensure all users last password change date is in the past
- oval:simp.cis.2.0.0.OracleLinux9.5.4.2.1_Ensure_root_is_the_only_UID_0_account:def:1
- Title: Ensure root is the only UID 0 account
- oval:simp.cis.2.0.0.OracleLinux9.5.4.2.2_Ensure_root_is_the_only_GID_0_account:def:1
- Title: Ensure root is the only GID 0 account
- oval:simp.cis.2.0.0.OracleLinux9.5.4.2.3_Ensure_group_root_is_the_only_GID_0_group:def:1
- Title: Ensure group root is the only GID 0 group
- oval:simp.cis.2.0.0.OracleLinux9.5.4.2.5_Ensure_root_path_integrity:def:1
- Title: Ensure root path integrity
- NOTE: The check for this can fail for various reasons, including the common case where dot files set the path to include user-customized directories that may not exist.
- oval:simp.cis.2.0.0.OracleLinux9.5.4.2.6_Ensure_root_user_umask_is_configured:def:1
- Title: Ensure root user umask is configured
- oval:simp.cis.2.0.0.OracleLinux9.5.4.2.7_Ensure_system_accounts_do_not_have_a_valid_login_shell:def:1
- Title: Ensure system accounts do not have a valid login shell
- oval:simp.cis.2.0.0.OracleLinux9.5.4.2.8_Ensure_accounts_without_a_valid_login_shell_are_locked:def:1
- Title: Ensure accounts without a valid login shell are locked
- oval:simp.cis.2.0.0.OracleLinux9.5.4.3.1_Ensure_nologin_is_not_listed_in_etcshells:def:1
- Title: Ensure nologin is not listed in /etc/shells
- oval:simp.cis.2.0.0.OracleLinux9.5.4.3.2_Ensure_default_user_shell_timeout_is_configured:def:1
- Title: Ensure default user shell timeout is configured
- NOTE: The scanner fails to pick up on the format the product uses for setting the timeout: `[ $TMOUT ] || export TMOUT=900`. The setting is also placed in a nonstandard location: /etc/profile.d/simp.sh.
- oval:simp.cis.2.0.0.OracleLinux9.5.4.3.3_Ensure_default_user_umask_is_configured:def:1
- Title: Ensure default user umask is configured
- oval:simp.cis.2.0.0.OracleLinux9.6.1.1_Ensure_AIDE_is_installed:def:1
- Title: Ensure AIDE is installed
- oval:simp.cis.2.0.0.OracleLinux9.6.1.2_Ensure_filesystem_integrity_is_regularly_checked:def:1
- Title: Ensure filesystem integrity is regularly checked
- oval:simp.cis.2.0.0.OracleLinux9.6.1.3_Ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools:def:1
- Title: Ensure cryptographic mechanisms are used to protect the integrity of audit tools
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide, however, the scanner only looks for files that end in .conf in the aide.conf.d directory so the scan will fail.
- oval:simp.cis.2.0.0.OracleLinux9.6.2.1.1_Ensure_journald_service_is_enabled_and_active:def:1
- Title: Ensure journald service is enabled and active
- NOTE: Simply including the journald class will include a default journald configuration and ensure the service is enabled.
- oval:simp.cis.2.0.0.OracleLinux9.6.2.2.1.1_Ensure_systemd-journal-remote_is_installed:def:1
- Title: Ensure systemd-journal-remote is installed
- oval:simp.cis.2.0.0.OracleLinux9.6.2.2.1.3_Ensure_systemd-journal-upload_is_enabled_and_active:def:1
- Title: Ensure systemd-journal-upload is enabled and active
- oval:simp.cis.2.0.0.OracleLinux9.6.2.2.1.4_Ensure_systemd-journal-remote_service_is_not_in_use:def:1
- Title: Ensure systemd-journal-remote service is not in use
- oval:simp.cis.2.0.0.OracleLinux9.6.2.2.2_Ensure_journald_ForwardToSyslog_is_disabled:def:1
- Title: Ensure journald ForwardToSyslog is disabled
- oval:simp.cis.2.0.0.OracleLinux9.6.2.2.3_Ensure_journald_Compress_is_configured:def:1
- Title: Ensure journald Compress is configured
- oval:simp.cis.2.0.0.OracleLinux9.6.2.2.4_Ensure_journald_Storage_is_configured:def:1
- Title: Ensure journald Storage is configured
- oval:simp.cis.2.0.0.OracleLinux9.6.2.3.1_Ensure_rsyslog_is_installed:def:1
- Title: Ensure rsyslog is installed
- oval:simp.cis.2.0.0.OracleLinux9.6.2.3.2_Ensure_rsyslog_service_is_enabled_and_active:def:1
- Title: Ensure rsyslog service is enabled and active
- oval:simp.cis.2.0.0.OracleLinux9.6.2.3.4_Ensure_rsyslog_log_file_creation_mode_is_configured:def:1
- Title: Ensure rsyslog log file creation mode is configured
- oval:simp.cis.2.0.0.OracleLinux9.6.2.3.5_Ensure_rsyslog_logging_is_configured:def:1
- Title: Ensure rsyslog logging is configured
- oval:simp.cis.2.0.0.OracleLinux9.6.2.3.7_Ensure_rsyslog_is_not_configured_to_receive_logs_from_a_remote_client:def:1
- Title: Ensure rsyslog is not configured to receive logs from a remote client
- NOTE: Including the product’s rsyslog class will purge any rsyslog configuration not specified by the user in hieradata or by other rules that require specific rsyslog configuration.
- oval:simp.cis.2.0.0.OracleLinux9.6.3.1.1_Ensure_auditd_packages_are_installed:def:1
- Title: Ensure auditd packages are installed
- oval:simp.cis.2.0.0.OracleLinux9.6.3.1.2_Ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled:def:1
- Title: Ensure auditing for processes that start prior to auditd is enabled
- NOTE: This value is set in /etc/default/grub, however, the scanner doesn’t scan for the value here.
- oval:simp.cis.2.0.0.OracleLinux9.6.3.1.3_Ensure_audit_backlog_limit_is_sufficient:def:1
- Title: Ensure audit_backlog_limit is sufficient
- oval:simp.cis.2.0.0.OracleLinux9.6.3.1.4_Ensure_auditd_service_is_enabled_and_active:def:1
- Title: Ensure auditd service is enabled and active
- oval:simp.cis.2.0.0.OracleLinux9.6.3.2.1_Ensure_audit_log_storage_size_is_configured:def:1
- Title: Ensure audit log storage size is configured
- oval:simp.cis.2.0.0.OracleLinux9.6.3.2.2_Ensure_audit_logs_are_not_automatically_deleted:def:1
- Title: Ensure audit logs are not automatically deleted
- oval:simp.cis.2.0.0.OracleLinux9.6.3.2.3_Ensure_system_is_disabled_when_audit_logs_are_full:def:1
- Title: Ensure system is disabled when audit logs are full
- oval:simp.cis.2.0.0.OracleLinux9.6.3.2.4_Ensure_system_warns_when_audit_logs_are_low_on_space:def:1
- Title: Ensure system warns when audit logs are low on space
- oval:simp.cis.2.0.0.OracleLinux9.6.3.3.10_Ensure_successful_file_system_mounts_are_collected:def:1
- Title: Ensure successful file system mounts are collected
- oval:simp.cis.2.0.0.OracleLinux9.6.3.3.11_Ensure_session_initiation_information_is_collected:def:1
- Title: Ensure session initiation information is collected
- oval:simp.cis.2.0.0.OracleLinux9.6.3.3.12_Ensure_login_and_logout_events_are_collected:def:1
- Title: Ensure login and logout events are collected
- oval:simp.cis.2.0.0.OracleLinux9.6.3.3.13_Ensure_file_deletion_events_by_users_are_collected:def:1
- Title: Ensure file deletion events by users are collected
- oval:simp.cis.2.0.0.OracleLinux9.6.3.3.14_Ensure_events_that_modify_the_systems_Mandatory_Access_Controls_are_collected:def:1
- Title: Ensure events that modify the system’s Mandatory Access Controls are collected
- oval:simp.cis.2.0.0.OracleLinux9.6.3.3.15_Ensure_successful_and_unsuccessful_attempts_to_use_the_chcon_command_are_collected:def:1
- Title: Ensure successful and unsuccessful attempts to use the chcon command are collected
- oval:simp.cis.2.0.0.OracleLinux9.6.3.3.16_Ensure_successful_and_unsuccessful_attempts_to_use_the_setfacl_command_are_collected:def:1
- Title: Ensure successful and unsuccessful attempts to use the setfacl command are collected
- oval:simp.cis.2.0.0.OracleLinux9.6.3.3.17_Ensure_successful_and_unsuccessful_attempts_to_use_the_chacl_command_are_collected:def:1
- Title: Ensure successful and unsuccessful attempts to use the chacl command are collected
- oval:simp.cis.2.0.0.OracleLinux9.6.3.3.18_Ensure_successful_and_unsuccessful_attempts_to_use_the_usermod_command_are_collected:def:1
- Title: Ensure successful and unsuccessful attempts to use the usermod command are collected
- oval:simp.cis.2.0.0.OracleLinux9.6.3.3.19_Ensure_kernel_module_loading_unloading_and_modification_is_collected:def:1
- Title: Ensure kernel module loading unloading and modification is collected
- oval:simp.cis.2.0.0.OracleLinux9.6.3.3.1_Ensure_changes_to_system_administration_scope_sudoers_is_collected:def:1
- Title: Ensure changes to system administration scope (sudoers) is collected
- oval:simp.cis.2.0.0.OracleLinux9.6.3.3.20_Ensure_the_audit_configuration_is_immutable:def:1
- Title: Ensure the audit configuration is immutable
- oval:simp.cis.2.0.0.OracleLinux9.6.3.3.21_Ensure_the_running_and_on_disk_configuration_is_the_same:def:1
- Title: Ensure the running and on disk configuration is the same
- NOTE: Including the audit class will force the system to check the expected rule set against what is on disk. If there are discrepancies, the rules will be changed to the expected state and the service will be restarted, which ensures the rules on disk are the same as the running rules.
- oval:simp.cis.2.0.0.OracleLinux9.6.3.3.2_Ensure_actions_as_another_user_are_always_logged:def:1
- Title: Ensure actions as another user are always logged
- oval:simp.cis.2.0.0.OracleLinux9.6.3.3.3_Ensure_events_that_modify_the_sudo_log_file_are_collected:def:1
- Title: Ensure events that modify the sudo log file are collected
- oval:simp.cis.2.0.0.OracleLinux9.6.3.3.4_Ensure_events_that_modify_date_and_time_information_are_collected:def:1
- Title: Ensure events that modify date and time information are collected
- NOTE: The rule for this will look for the audit rules in /etc/audit/rules.d/50-time-change.rules, however, all custom audit rules specified in the product will live in /etc/audit/rules.d/50-time-change.rules.
- oval:simp.cis.2.0.0.OracleLinux9.6.3.3.5_Ensure_events_that_modify_the_systems_network_environment_are_collected:def:1
- Title: Ensure events that modify the system’s network environment are collected
- oval:simp.cis.2.0.0.OracleLinux9.6.3.3.6_Ensure_use_of_privileged_commands_are_collected:def:1
- Title: Ensure use of privileged commands are collected
- NOTE: The available setuid/setgid commands on a given system could vary greatly. Several of the more common commands are audited, but there is currently no automated way to identify and audit all possible setuid/setgid commands available on any given system.
- oval:simp.cis.2.0.0.OracleLinux9.6.3.3.7_Ensure_unsuccessful_file_access_attempts_are_collected:def:1
- Title: Ensure unsuccessful file access attempts are collected
- oval:simp.cis.2.0.0.OracleLinux9.6.3.3.8_Ensure_events_that_modify_usergroup_information_are_collected:def:1
- Title: Ensure events that modify user/group information are collected
- oval:simp.cis.2.0.0.OracleLinux9.6.3.3.9_Ensure_discretionary_access_control_permission_modification_events_are_collected:def:1
- Title: Ensure discretionary access control permission modification events are collected
- oval:simp.cis.2.0.0.OracleLinux9.6.3.4.10_Ensure_audit_tools_group_owner_is_configured:def:1
- Title: Ensure audit tools group owner is configured
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide, however, the scanner only looks for files that end in .conf in the aide.conf.d directory so the scan will fail.
- oval:simp.cis.2.0.0.OracleLinux9.6.3.4.1_Ensure_the_audit_log_file_directory_mode_is_configured:def:1
- Title: Ensure the audit log file directory mode is configured
- oval:simp.cis.2.0.0.OracleLinux9.6.3.4.2_Ensure_audit_log_files_mode_is_configured:def:1
- Title: Ensure audit log files mode is configured
- oval:simp.cis.2.0.0.OracleLinux9.6.3.4.3_Ensure_audit_log_files_owner_is_configured:def:1
- Title: Ensure audit log files owner is configured
- oval:simp.cis.2.0.0.OracleLinux9.6.3.4.4_Ensure_audit_log_files_group_owner_is_configured:def:1
- Title: Ensure audit log files group owner is configured
- oval:simp.cis.2.0.0.OracleLinux9.6.3.4.5_Ensure_audit_configuration_files_mode_is_configured:def:1
- Title: Ensure audit configuration files mode is configured
- NOTE: This will fail even if all of the configuration files in question are owned by the root group.
- oval:simp.cis.2.0.0.OracleLinux9.6.3.4.6_Ensure_audit_configuration_files_owner_is_configured:def:1
- Title: Ensure audit configuration files owner is configured
- NOTE: This will fail even if all of the configuration files in question are owned by the root group.
- oval:simp.cis.2.0.0.OracleLinux9.6.3.4.7_Ensure_audit_configuration_files_group_owner_is_configured:def:1
- Title: Ensure audit configuration files group owner is configured
- NOTE: This will fail even if all of the configuration files in question are owned by the root group.
- oval:simp.cis.2.0.0.OracleLinux9.6.3.4.8_Ensure_audit_tools_mode_is_configured:def:1
- Title: Ensure audit tools mode is configured
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide, however, the scanner only looks for files that end in .conf in the aide.conf.d directory so the scan will fail.
- oval:simp.cis.2.0.0.OracleLinux9.6.3.4.9_Ensure_audit_tools_owner_is_configured:def:1
- Title: Ensure audit tools owner is configured
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide, however, the scanner only looks for files that end in .conf in the aide.conf.d directory so the scan will fail.
- oval:simp.cis.2.0.0.OracleLinux9.7.1.10_Ensure_permissions_on_etcsecurityopasswd_are_configured:def:1
- Title: Ensure permissions on /etc/security/opasswd are configured
- oval:simp.cis.2.0.0.OracleLinux9.7.1.1_Ensure_permissions_on_etcpasswd_are_configured:def:1
- Title: Ensure permissions on /etc/passwd are configured
- oval:simp.cis.2.0.0.OracleLinux9.7.1.2_Ensure_permissions_on_etcpasswd-_are_configured:def:1
- Title: Ensure permissions on /etc/passwd- are configured
- oval:simp.cis.2.0.0.OracleLinux9.7.1.3_Ensure_permissions_on_etcgroup_are_configured:def:1
- Title: Ensure permissions on /etc/group are configured
- oval:simp.cis.2.0.0.OracleLinux9.7.1.4_Ensure_permissions_on_etcgroup-_are_configured:def:1
- Title: Ensure permissions on /etc/group- are configured
- oval:simp.cis.2.0.0.OracleLinux9.7.1.5_Ensure_permissions_on_etcshadow_are_configured:def:1
- Title: Ensure permissions on /etc/shadow are configured
- oval:simp.cis.2.0.0.OracleLinux9.7.1.6_Ensure_permissions_on_etcshadow-_are_configured:def:1
- Title: Ensure permissions on /etc/shadow- are configured
- oval:simp.cis.2.0.0.OracleLinux9.7.1.7_Ensure_permissions_on_etcgshadow_are_configured:def:1
- Title: Ensure permissions on /etc/gshadow are configured
- oval:simp.cis.2.0.0.OracleLinux9.7.1.8_Ensure_permissions_on_etcgshadow-_are_configured:def:1
- Title: Ensure permissions on /etc/gshadow- are configured
- oval:simp.cis.2.0.0.OracleLinux9.7.1.9_Ensure_permissions_on_etcshells_are_configured:def:1
- Title: Ensure permissions on /etc/shells are configured
- oval:simp.cis.2.0.0.OracleLinux9.7.2.1_Ensure_accounts_in_etcpasswd_use_shadowed_passwords:def:1
- Title: Ensure accounts in /etc/passwd use shadowed passwords
- oval:simp.cis.2.0.0.OracleLinux9.7.2.2_Ensure_etcshadow_password_fields_are_not_empty:def:1
- Title: Ensure /etc/shadow password fields are not empty
- oval:simp.cis.2.0.0.OracleLinux9.7.2.3_Ensure_all_groups_in_etcpasswd_exist_in_etcgroup:def:1
- Title: Ensure all groups in /etc/passwd exist in /etc/group
- oval:simp.cis.2.0.0.OracleLinux9.7.2.4_Ensure_no_duplicate_UIDs_exist:def:1
- Title: Ensure no duplicate UIDs exist
- oval:simp.cis.2.0.0.OracleLinux9.7.2.5_Ensure_no_duplicate_GIDs_exist:def:1
- Title: Ensure no duplicate GIDs exist
- oval:simp.cis.2.0.0.OracleLinux9.7.2.6_Ensure_no_duplicate_user_names_exist:def:1
- Title: Ensure no duplicate user names exist
- oval:simp.cis.2.0.0.OracleLinux9.7.2.7_Ensure_no_duplicate_group_names_exist:def:1
- Title: Ensure no duplicate group names exist
- oval:simp.cis.2.0.0.OracleLinux9.7.2.8_Ensure_local_interactive_user_home_directories_are_configured:def:1
- Title: Ensure local interactive user home directories are configured
- oval:simp.cis.2.0.0.OracleLinux9.7.2.9_Ensure_local_interactive_user_dot_files_access_is_configured:def:1
- Title: Ensure local interactive user dot files access is configured
RedHat 8 (266/287 [92%])
- oval:simp.cis.3.0.0.RedHat8.1.1.1.1_Ensure_cramfs_kernel_module_is_not_available:def:1
- Title: Ensure cramfs kernel module is not available
- oval:simp.cis.3.0.0.RedHat8.1.1.1.2_Ensure_freevxfs_kernel_module_is_not_available:def:1
- Title: Ensure freevxfs kernel module is not available
- oval:simp.cis.3.0.0.RedHat8.1.1.1.3_Ensure_hfs_kernel_module_is_not_available:def:1
- Title: Ensure hfs kernel module is not available
- oval:simp.cis.3.0.0.RedHat8.1.1.1.4_Ensure_hfsplus_kernel_module_is_not_available:def:1
- Title: Ensure hfsplus kernel module is not available
- oval:simp.cis.3.0.0.RedHat8.1.1.1.5_Ensure_jffs2_kernel_module_is_not_available:def:1
- Title: Ensure jffs2 kernel module is not available
- oval:simp.cis.3.0.0.RedHat8.1.1.1.6_Ensure_squashfs_kernel_module_is_not_available:def:1
- Title: Ensure squashfs kernel module is not available
- oval:simp.cis.3.0.0.RedHat8.1.1.1.7_Ensure_udf_kernel_module_is_not_available:def:1
- Title: Ensure udf kernel module is not available
- oval:simp.cis.3.0.0.RedHat8.1.1.1.8_Ensure_usb-storage_kernel_module_is_not_available:def:1
- Title: Ensure usb-storage kernel module is not available
- oval:simp.cis.3.0.0.RedHat8.1.1.2.1.1_Ensure_tmp_is_a_separate_partition:def:1
- Title: Ensure /tmp is a separate partition
- oval:simp.cis.3.0.0.RedHat8.1.1.2.1.2_Ensure_nodev_option_set_on_tmp_partition:def:1
- Title: Ensure nodev option set on /tmp partition
- oval:simp.cis.3.0.0.RedHat8.1.1.2.1.3_Ensure_nosuid_option_set_on_tmp_partition:def:1
- Title: Ensure nosuid option set on /tmp partition
- oval:simp.cis.3.0.0.RedHat8.1.1.2.1.4_Ensure_noexec_option_set_on_tmp_partition:def:1
- Title: Ensure noexec option set on /tmp partition
- oval:simp.cis.3.0.0.RedHat8.1.1.2.2.2_Ensure_nodev_option_set_on_devshm_partition:def:1
- Title: Ensure nodev option set on /dev/shm partition
- oval:simp.cis.3.0.0.RedHat8.1.1.2.2.3_Ensure_nosuid_option_set_on_devshm_partition:def:1
- Title: Ensure nosuid option set on /dev/shm partition
- oval:simp.cis.3.0.0.RedHat8.1.1.2.2.4_Ensure_noexec_option_set_on_devshm_partition:def:1
- Title: Ensure noexec option set on /dev/shm partition
- oval:simp.cis.3.0.0.RedHat8.1.1.2.3.2_Ensure_nodev_option_set_on_home_partition:def:1
- Title: Ensure nodev option set on /home partition
- oval:simp.cis.3.0.0.RedHat8.1.1.2.3.3_Ensure_nosuid_option_set_on_home_partition:def:1
- Title: Ensure nosuid option set on /home partition
- oval:simp.cis.3.0.0.RedHat8.1.1.2.4.2_Ensure_nodev_option_set_on_var_partition:def:1
- Title: Ensure nodev option set on /var partition
- oval:simp.cis.3.0.0.RedHat8.1.1.2.4.3_Ensure_nosuid_option_set_on_var_partition:def:1
- Title: Ensure nosuid option set on /var partition
- oval:simp.cis.3.0.0.RedHat8.1.1.2.5.2_Ensure_nodev_option_set_on_vartmp_partition:def:1
- Title: Ensure nodev option set on /var/tmp partition
- oval:simp.cis.3.0.0.RedHat8.1.1.2.5.3_Ensure_nosuid_option_set_on_vartmp_partition:def:1
- Title: Ensure nosuid option set on /var/tmp partition
- oval:simp.cis.3.0.0.RedHat8.1.1.2.5.4_Ensure_noexec_option_set_on_vartmp_partition:def:1
- Title: Ensure noexec option set on /var/tmp partition
- oval:simp.cis.3.0.0.RedHat8.1.1.2.6.2_Ensure_nodev_option_set_on_varlog_partition:def:1
- Title: Ensure nodev option set on /var/log partition
- oval:simp.cis.3.0.0.RedHat8.1.1.2.6.3_Ensure_nosuid_option_set_on_varlog_partition:def:1
- Title: Ensure nosuid option set on /var/log partition
- oval:simp.cis.3.0.0.RedHat8.1.1.2.6.4_Ensure_noexec_option_set_on_varlog_partition:def:1
- Title: Ensure noexec option set on /var/log partition
- oval:simp.cis.3.0.0.RedHat8.1.1.2.7.2_Ensure_nodev_option_set_on_varlogaudit_partition:def:1
- Title: Ensure nodev option set on /var/log/audit partition
- oval:simp.cis.3.0.0.RedHat8.1.1.2.7.3_Ensure_nosuid_option_set_on_varlogaudit_partition:def:1
- Title: Ensure nosuid option set on /var/log/audit partition
- oval:simp.cis.3.0.0.RedHat8.1.1.2.7.4_Ensure_noexec_option_set_on_varlogaudit_partition:def:1
- Title: Ensure noexec option set on /var/log/audit partition
- oval:simp.cis.3.0.0.RedHat8.1.2.2_Ensure_gpgcheck_is_globally_activated:def:1
- Title: Ensure gpgcheck is globally activated
- NOTE: Some organizations will need gpgcheck to be turned off for some of their internal repos. The best the product can do in this scenario is to enable gpgcheck in /etc/yum.conf and rely on the customers to control the gpg settings of their individual repos.
- oval:simp.cis.3.0.0.RedHat8.1.2.3_Ensure_repo_gpgcheck_is_globally_activated:def:1
- Title: Ensure repo_gpgcheck is globally activated
- oval:simp.cis.3.0.0.RedHat8.1.2.5_Ensure_updates_patches_and_additional_security_software_are_installed:def:1
- Title: Ensure updates, patches, and additional security software are installed
- oval:simp.cis.3.0.0.RedHat8.1.3.1_Ensure_bootloader_password_is_set:def:1
- Title: Ensure bootloader password is set
- NOTE: The rule checks specifically for ‘GRUB2_PASSWORD=’ in /boot/grub2/user.cfg, however, the product sets the grub password via /boot/grub2/grub.cfg with the password_pbkdf2 parameter.
- oval:simp.cis.3.0.0.RedHat8.1.3.2_Ensure_permissions_on_bootloader_config_are_configured:def:1
- Title: Ensure permissions on bootloader config are configured
- NOTE: The product does not utilize /boot/grub2/user.cfg, however, the rule will check for its existence and fail.
- oval:simp.cis.3.0.0.RedHat8.1.4.1_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1
- Title: Ensure address space layout randomization (ASLR) is enabled
- oval:simp.cis.3.0.0.RedHat8.1.4.2_Ensure_ptrace_scope_is_restricted:def:1
- Title: Ensure ptrace_scope is restricted
- oval:simp.cis.3.0.0.RedHat8.1.4.3_Ensure_core_dump_backtraces_are_disabled:def:1
- Title: Ensure core dump backtraces are disabled
- oval:simp.cis.3.0.0.RedHat8.1.4.4_Ensure_core_dump_storage_is_disabled:def:1
- Title: Ensure core dump storage is disabled
- oval:simp.cis.3.0.0.RedHat8.1.5.1.1_Ensure_SELinux_is_installed:def:1
- Title: Ensure SELinux is installed
- oval:simp.cis.3.0.0.RedHat8.1.5.1.2_Ensure_SELinux_is_not_disabled_in_bootloader_configuration:def:1
- Title: Ensure SELinux is not disabled in bootloader configuration
- oval:simp.cis.3.0.0.RedHat8.1.5.1.3_Ensure_SELinux_policy_is_configured:def:1
- Title: Ensure SELinux policy is configured
- oval:simp.cis.3.0.0.RedHat8.1.5.1.4_Ensure_the_SELinux_mode_is_not_disabled:def:1
- Title: Ensure the SELinux mode is not disabled
- oval:simp.cis.3.0.0.RedHat8.1.5.1.5_Ensure_the_SELinux_mode_is_enforcing:def:1
- Title: Ensure the SELinux mode is enforcing
- oval:simp.cis.3.0.0.RedHat8.1.5.1.7_Ensure_the_MCS_Translation_Service_mcstrans_is_not_installed:def:1
- Title: Ensure the MCS Translation Service (mcstrans) is not installed
- NOTE: The mcstrans package is not installed, however, the scanner is still flagging this rpm as being on the system.
- oval:simp.cis.3.0.0.RedHat8.1.5.1.8_Ensure_SETroubleshoot_is_not_installed:def:1
- Title: Ensure SETroubleshoot is not installed
- oval:simp.cis.3.0.0.RedHat8.1.6.1_Ensure_system_wide_crypto_policy_is_not_set_to_legacy:def:1
- Title: Ensure system wide crypto policy is not set to legacy
- oval:simp.cis.3.0.0.RedHat8.1.7.1_Ensure_message_of_the_day_is_configured_properly:def:1
- Title: Ensure message of the day is configured properly
- oval:simp.cis.3.0.0.RedHat8.1.7.2_Ensure_local_login_warning_banner_is_configured_properly:def:1
- Title: Ensure local login warning banner is configured properly
- oval:simp.cis.3.0.0.RedHat8.1.7.3_Ensure_remote_login_warning_banner_is_configured_properly:def:1
- Title: Ensure remote login warning banner is configured properly
- oval:simp.cis.3.0.0.RedHat8.1.7.4_Ensure_access_to_etcmotd_is_configured:def:1
- Title: Ensure access to /etc/motd is configured
- oval:simp.cis.3.0.0.RedHat8.1.7.5_Ensure_access_to_etcissue_is_configured:def:1
- Title: Ensure access to /etc/issue is configured
- oval:simp.cis.3.0.0.RedHat8.1.7.6_Ensure_access_to_etcissue.net_is_configured:def:1
- Title: Ensure access to /etc/issue.net is configured
- oval:simp.cis.3.0.0.RedHat8.1.8.10_Ensure_XDMCP_is_not_enabled:def:1
- Title: Ensure XDMCP is not enabled
- oval:simp.cis.3.0.0.RedHat8.1.8.1_Ensure_GNOME_Display_Manager_is_removed:def:1
- Title: Ensure GNOME Display Manager is removed
- oval:simp.cis.3.0.0.RedHat8.1.8.2_Ensure_GDM_login_banner_is_configured:def:1
- Title: Ensure GDM login banner is configured
- oval:simp.cis.3.0.0.RedHat8.1.8.3_Ensure_GDM_disable-user-list_option_is_enabled:def:1
- Title: Ensure GDM disable-user-list option is enabled
- oval:simp.cis.3.0.0.RedHat8.1.8.4_Ensure_GDM_screen_locks_when_the_user_is_idle:def:1
- Title: Ensure GDM screen locks when the user is idle
- oval:simp.cis.3.0.0.RedHat8.1.8.5_Ensure_GDM_screen_locks_cannot_be_overridden:def:1
- Title: Ensure GDM screen locks cannot be overridden
- oval:simp.cis.3.0.0.RedHat8.1.8.6_Ensure_GDM_automatic_mounting_of_removable_media_is_disabled:def:1
- Title: Ensure GDM automatic mounting of removable media is disabled
- NOTE: The product remediates this rule as the benchmark requests; the check still fails because the whitespace in the resulting file is not aligned the way the rule expects.
- oval:simp.cis.3.0.0.RedHat8.1.8.7_Ensure_GDM_disabling_automatic_mounting_of_removable_media_is_not_overridden:def:1
- Title: Ensure GDM disabling automatic mounting of removable media is not overridden
- oval:simp.cis.3.0.0.RedHat8.1.8.8_Ensure_GDM_autorun-never_is_enabled:def:1
- Title: Ensure GDM autorun-never is enabled
- oval:simp.cis.3.0.0.RedHat8.1.8.9_Ensure_GDM_autorun-never_is_not_overridden:def:1
- Title: Ensure GDM autorun-never is not overridden
- oval:simp.cis.3.0.0.RedHat8.2.1.1_Ensure_time_synchronization_is_in_use:def:1
- Title: Ensure time synchronization is in use
- NOTE: We are configuring the system to use ntpd instead of chrony.
- oval:simp.cis.3.0.0.RedHat8.2.1.2_Ensure_chrony_is_configured:def:1
- Title: Ensure chrony is configured
- NOTE: We are configuring the system to use ntpd instead of chrony.
- oval:simp.cis.3.0.0.RedHat8.2.1.3_Ensure_chrony_is_not_run_as_the_root_user:def:1
- Title: Ensure chrony is not run as the root user
- oval:simp.cis.3.0.0.RedHat8.2.2.10_Ensure_nis_server_services_are_not_in_use:def:1
- Title: Ensure nis server services are not in use
- oval:simp.cis.3.0.0.RedHat8.2.2.11_Ensure_print_server_services_are_not_in_use:def:1
- Title: Ensure print server services are not in use
- oval:simp.cis.3.0.0.RedHat8.2.2.12_Ensure_rpcbind_services_are_not_in_use:def:1
- Title: Ensure rpcbind services are not in use
- oval:simp.cis.3.0.0.RedHat8.2.2.13_Ensure_rsync_services_are_not_in_use:def:1
- Title: Ensure rsync services are not in use
- oval:simp.cis.3.0.0.RedHat8.2.2.14_Ensure_snmp_services_are_not_in_use:def:1
- Title: Ensure snmp services are not in use
- oval:simp.cis.3.0.0.RedHat8.2.2.15_Ensure_telnet_server_services_are_not_in_use:def:1
- Title: Ensure telnet server services are not in use
- oval:simp.cis.3.0.0.RedHat8.2.2.16_Ensure_tftp_server_services_are_not_in_use:def:1
- Title: Ensure tftp server services are not in use
- oval:simp.cis.3.0.0.RedHat8.2.2.17_Ensure_web_proxy_server_services_are_not_in_use:def:1
- Title: Ensure web proxy server services are not in use
- oval:simp.cis.3.0.0.RedHat8.2.2.18_Ensure_web_server_services_are_not_in_use:def:1
- Title: Ensure web server services are not in use
- oval:simp.cis.3.0.0.RedHat8.2.2.19_Ensure_xinetd_services_are_not_in_use:def:1
- Title: Ensure xinetd services are not in use
- oval:simp.cis.3.0.0.RedHat8.2.2.1_Ensure_autofs_services_are_not_in_use:def:1
- Title: Ensure autofs services are not in use
- oval:simp.cis.3.0.0.RedHat8.2.2.20_Ensure_X_window_server_services_are_not_in_use:def:1
- Title: Ensure X window server services are not in use
- oval:simp.cis.3.0.0.RedHat8.2.2.21_Ensure_mail_transfer_agents_are_configured_for_local-only_mode:def:1
- Title: Ensure mail transfer agents are configured for local-only mode
- oval:simp.cis.3.0.0.RedHat8.2.2.22_Ensure_only_approved_services_are_listening_on_a_network_interface:def:1
- Title: Ensure only approved services are listening on a network interface
- oval:simp.cis.3.0.0.RedHat8.2.2.2_Ensure_avahi_daemon_services_are_not_in_use:def:1
- Title: Ensure avahi daemon services are not in use
- oval:simp.cis.3.0.0.RedHat8.2.2.3_Ensure_dhcp_server_services_are_not_in_use:def:1
- Title: Ensure dhcp server services are not in use
- oval:simp.cis.3.0.0.RedHat8.2.2.4_Ensure_dns_server_services_are_not_in_use:def:1
- Title: Ensure dns server services are not in use
- oval:simp.cis.3.0.0.RedHat8.2.2.5_Ensure_dnsmasq_services_are_not_in_use:def:1
- Title: Ensure dnsmasq services are not in use
- oval:simp.cis.3.0.0.RedHat8.2.2.6_Ensure_samba_file_server_services_are_not_in_use:def:1
- Title: Ensure samba file server services are not in use
- oval:simp.cis.3.0.0.RedHat8.2.2.7_Ensure_ftp_server_services_are_not_in_use:def:1
- Title: Ensure ftp server services are not in use
- oval:simp.cis.3.0.0.RedHat8.2.2.8_Ensure_message_access_server_services_are_not_in_use:def:1
- Title: Ensure message access server services are not in use
- oval:simp.cis.3.0.0.RedHat8.2.2.9_Ensure_network_file_system_services_are_not_in_use:def:1
- Title: Ensure network file system services are not in use
- oval:simp.cis.3.0.0.RedHat8.2.3.1_Ensure_ftp_client_is_not_installed:def:1
- Title: Ensure ftp client is not installed
- oval:simp.cis.3.0.0.RedHat8.2.3.2_Ensure_ldap_client_is_not_installed:def:1
- Title: Ensure ldap client is not installed
- oval:simp.cis.3.0.0.RedHat8.2.3.3_Ensure_nis_client_is_not_installed:def:1
- Title: Ensure nis client is not installed
- oval:simp.cis.3.0.0.RedHat8.2.3.4_Ensure_telnet_client_is_not_installed:def:1
- Title: Ensure telnet client is not installed
- oval:simp.cis.3.0.0.RedHat8.2.3.5_Ensure_tftp_client_is_not_installed:def:1
- Title: Ensure tftp client is not installed
- oval:simp.cis.3.0.0.RedHat8.3.1.1_Ensure_IPv6_status_is_identified:def:1
- Title: Ensure IPv6 status is identified
- NOTE: This rule is an audit of the system's IPv6 status rather than hard guidance. If IPv6 is actually enabled, the additional configuration that should accompany it is applied by the product by default.
- oval:simp.cis.3.0.0.RedHat8.3.1.2_Ensure_wireless_interfaces_are_disabled:def:1
- Title: Ensure wireless interfaces are disabled
- oval:simp.cis.3.0.0.RedHat8.3.1.3_Ensure_bluetooth_services_are_not_in_use:def:1
- Title: Ensure bluetooth services are not in use
- oval:simp.cis.3.0.0.RedHat8.3.2.1_Ensure_dccp_kernel_module_is_not_available:def:1
- Title: Ensure dccp kernel module is not available
- oval:simp.cis.3.0.0.RedHat8.3.2.2_Ensure_tipc_kernel_module_is_not_available:def:1
- Title: Ensure tipc kernel module is not available
- oval:simp.cis.3.0.0.RedHat8.3.2.3_Ensure_rds_kernel_module_is_not_available:def:1
- Title: Ensure rds kernel module is not available
- oval:simp.cis.3.0.0.RedHat8.3.2.4_Ensure_sctp_kernel_module_is_not_available:def:1
- Title: Ensure sctp kernel module is not available
- oval:simp.cis.3.0.0.RedHat8.3.3.10_Ensure_tcp_syn_cookies_is_enabled:def:1
- Title: Ensure tcp syn cookies is enabled
- oval:simp.cis.3.0.0.RedHat8.3.3.11_Ensure_ipv6_router_advertisements_are_not_accepted:def:1
- Title: Ensure ipv6 router advertisements are not accepted
- oval:simp.cis.3.0.0.RedHat8.3.3.1_Ensure_ip_forwarding_is_disabled:def:1
- Title: Ensure ip forwarding is disabled
- oval:simp.cis.3.0.0.RedHat8.3.3.2_Ensure_packet_redirect_sending_is_disabled:def:1
- Title: Ensure packet redirect sending is disabled
- oval:simp.cis.3.0.0.RedHat8.3.3.3_Ensure_bogus_icmp_responses_are_ignored:def:1
- Title: Ensure bogus icmp responses are ignored
- oval:simp.cis.3.0.0.RedHat8.3.3.4_Ensure_broadcast_icmp_requests_are_ignored:def:1
- Title: Ensure broadcast icmp requests are ignored
- oval:simp.cis.3.0.0.RedHat8.3.3.5_Ensure_icmp_redirects_are_not_accepted:def:1
- Title: Ensure icmp redirects are not accepted
- oval:simp.cis.3.0.0.RedHat8.3.3.6_Ensure_secure_icmp_redirects_are_not_accepted:def:1
- Title: Ensure secure icmp redirects are not accepted
- oval:simp.cis.3.0.0.RedHat8.3.3.7_Ensure_reverse_path_filtering_is_enabled:def:1
- Title: Ensure reverse path filtering is enabled
- NOTE: The correct value is set in the running configuration, in /etc/sysctl.d/99-sysctl.conf, and in /usr/lib/sysctl.d/50-redhat.conf; /usr/lib/sysctl.d/50-default.conf is left unchanged. Unless that file is edited manually the check fails, even though the value in 50-default.conf is overridden by the later files and has no effect on the running configuration.
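The note above is easier to reason about once the precedence that sysctl --system applies is spelled out: all *.conf files are applied in lexical order of basename, a file in /etc/sysctl.d shadows a same-named file in /usr/lib/sysctl.d, and the last assignment of a key wins, so 99-sysctl.conf overrides anything 50-default.conf says. The POSIX shell script below is an added illustration, not part of the product or the benchmark; it reproduces that resolution over an arbitrary list of directories and reports which file supplied the effective value. The function name effective_sysctl is invented for the example, keys are matched in dotted form only, and /etc/sysctl.conf is reached only through the /etc/sysctl.d/99-sysctl.conf symlink that RHEL 8 family systems ship.

```shell
#!/bin/sh
# effective_sysctl KEY DIR...
# Resolve the value that `sysctl --system` ends up applying for KEY, given
# sysctl.d directories in descending priority (the first directory listed
# shadows same-named files in the later ones). Prints "VALUE FILE" and
# returns 1 if no file assigns KEY. Keys are matched in dotted form only.
effective_sysctl() {
  key="$1"; shift
  esc=$(printf '%s' "$key" | sed 's/[.]/\\./g')   # literal dots in the regex
  list=$(mktemp)

  # Pass 1: one entry per basename, taken from the highest-priority directory
  # that has it; lower-priority copies of the same name are never read.
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    for f in "$dir"/*.conf; do
      [ -f "$f" ] || continue
      base=${f##*/}
      awk -v b="$base" '$1 == b { seen = 1 } END { exit seen ? 0 : 1 }' "$list" ||
        printf '%s %s\n' "$base" "$f" >> "$list"
    done
  done

  # Pass 2: surviving files are applied in lexical order of basename and the
  # last assignment of KEY wins. A leading '-' only tells sysctl to ignore a
  # failure to set the key; it is still an assignment.
  sort -o "$list" "$list"
  value=""; src=""
  while read -r base file; do
    v=$(sed -n "s/^[[:space:]]*-\{0,1\}$esc[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$file" | tail -n 1)
    if [ -n "$v" ]; then value=$v; src=$file; fi
  done < "$list"
  rm -f "$list"

  [ -n "$src" ] || return 1
  printf '%s %s\n' "$value" "$src"
}

# Usage: sh effective_sysctl.sh net.ipv4.conf.all.rp_filter
# Walks the same search path as sysctl --system. /etc/sysctl.conf, which
# sysctl --system reads last, appears here as the 99-sysctl.conf symlink.
if [ $# -eq 1 ]; then
  effective_sysctl "$1" /etc/sysctl.d /run/sysctl.d /usr/local/lib/sysctl.d \
    /usr/lib/sysctl.d /lib/sysctl.d
fi
```

Run it with the key from the rule to see which file wins on a host; the live kernel value itself comes from sysctl -n. The scanner, by contrast, inspects each file on its own, which is why a stale 50-default.conf fails the check even though it has no effect.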
- oval:simp.cis.3.0.0.RedHat8.3.3.8_Ensure_source_routed_packets_are_not_accepted:def:1
- Title: Ensure source routed packets are not accepted
- oval:simp.cis.3.0.0.RedHat8.3.3.9_Ensure_suspicious_packets_are_logged:def:1
- Title: Ensure suspicious packets are logged
- oval:simp.cis.3.0.0.RedHat8.3.4.1.1_Ensure_nftables_is_installed:def:1
- Title: Ensure nftables is installed
- oval:simp.cis.3.0.0.RedHat8.3.4.1.2_Ensure_a_single_firewall_configuration_utility_is_in_use:def:1
- Title: Ensure a single firewall configuration utility is in use
- oval:simp.cis.3.0.0.RedHat8.3.4.2.1_Ensure_nftables_base_chains_exist:def:1
- Title: Ensure nftables base chains exist
- NOTE: Only applies when nftables is used as the firewall provider.
- oval:simp.cis.3.0.0.RedHat8.3.4.2.2_Ensure_host_based_firewall_loopback_traffic_is_configured:def:1
- Title: Ensure host based firewall loopback traffic is configured
- NOTE: Only applies when nftables is used as the firewall provider.
- oval:simp.cis.3.0.0.RedHat8.3.4.2.3_Ensure_firewalld_drops_unnecessary_services_and_ports:def:1
- Title: Ensure firewalld drops unnecessary services and ports
- oval:simp.cis.3.0.0.RedHat8.3.4.2.4_Ensure_nftables_established_connections_are_configured:def:1
- Title: Ensure nftables established connections are configured
- NOTE: Only applies when nftables is used as the firewall provider.
- oval:simp.cis.3.0.0.RedHat8.3.4.2.5_Ensure_nftables_default_deny_firewall_policy:def:1
- Title: Ensure nftables default deny firewall policy
- NOTE: Only applies when nftables is used as the firewall provider.
- oval:simp.cis.3.0.0.RedHat8.4.1.1.1_Ensure_cron_daemon_is_enabled_and_active:def:1
- Title: Ensure cron daemon is enabled and active
- oval:simp.cis.3.0.0.RedHat8.4.1.1.2_Ensure_permissions_on_etccrontab_are_configured:def:1
- Title: Ensure permissions on /etc/crontab are configured
- oval:simp.cis.3.0.0.RedHat8.4.1.1.3_Ensure_permissions_on_etccron.hourly_are_configured:def:1
- Title: Ensure permissions on /etc/cron.hourly are configured
- oval:simp.cis.3.0.0.RedHat8.4.1.1.4_Ensure_permissions_on_etccron.daily_are_configured:def:1
- Title: Ensure permissions on /etc/cron.daily are configured
- oval:simp.cis.3.0.0.RedHat8.4.1.1.5_Ensure_permissions_on_etccron.weekly_are_configured:def:1
- Title: Ensure permissions on /etc/cron.weekly are configured
- oval:simp.cis.3.0.0.RedHat8.4.1.1.6_Ensure_permissions_on_etccron.monthly_are_configured:def:1
- Title: Ensure permissions on /etc/cron.monthly are configured
- oval:simp.cis.3.0.0.RedHat8.4.1.1.7_Ensure_permissions_on_etccron.d_are_configured:def:1
- Title: Ensure permissions on /etc/cron.d are configured
- oval:simp.cis.3.0.0.RedHat8.4.1.1.8_Ensure_crontab_is_restricted_to_authorized_users:def:1
- Title: Ensure crontab is restricted to authorized users
- NOTE: Including the cron module is enough to restrict access: cron.allow is managed, and cron.deny is removed if it exists.
- oval:simp.cis.3.0.0.RedHat8.4.1.2.1_Ensure_at_is_restricted_to_authorized_users:def:1
- Title: Ensure at is restricted to authorized users
- NOTE: Including the at module is enough to restrict access: at.allow is managed, and at.deny is removed if it exists.
- oval:simp.cis.3.0.0.RedHat8.4.2.10_Ensure_sshd_IgnoreRhosts_is_enabled:def:1
- Title: Ensure sshd IgnoreRhosts is enabled
- oval:simp.cis.3.0.0.RedHat8.4.2.11_Ensure_sshd_KexAlgorithms_is_configured:def:1
- Title: Ensure sshd KexAlgorithms is configured
- oval:simp.cis.3.0.0.RedHat8.4.2.12_Ensure_sshd_LoginGraceTime_is_configured:def:1
- Title: Ensure sshd LoginGraceTime is configured
- oval:simp.cis.3.0.0.RedHat8.4.2.13_Ensure_sshd_LogLevel_is_configured:def:1
- Title: Ensure sshd LogLevel is configured
- oval:simp.cis.3.0.0.RedHat8.4.2.14_Ensure_sshd_MACs_are_configured:def:1
- Title: Ensure sshd MACs are configured
- oval:simp.cis.3.0.0.RedHat8.4.2.15_Ensure_sshd_MaxAuthTries_is_configured:def:1
- Title: Ensure sshd MaxAuthTries is configured
- oval:simp.cis.3.0.0.RedHat8.4.2.16_Ensure_sshd_MaxSessions_is_configured:def:1
- Title: Ensure sshd MaxSessions is configured
- oval:simp.cis.3.0.0.RedHat8.4.2.17_Ensure_sshd_MaxStartups_is_configured:def:1
- Title: Ensure sshd MaxStartups is configured
- oval:simp.cis.3.0.0.RedHat8.4.2.18_Ensure_sshd_PermitEmptyPasswords_is_disabled:def:1
- Title: Ensure sshd PermitEmptyPasswords is disabled
- oval:simp.cis.3.0.0.RedHat8.4.2.19_Ensure_sshd_PermitRootLogin_is_disabled:def:1
- Title: Ensure sshd PermitRootLogin is disabled
- oval:simp.cis.3.0.0.RedHat8.4.2.1_Ensure_permissions_on_etcsshsshd_config_are_configured:def:1
- Title: Ensure permissions on /etc/ssh/sshd_config are configured
- oval:simp.cis.3.0.0.RedHat8.4.2.20_Ensure_sshd_PermitUserEnvironment_is_disabled:def:1
- Title: Ensure sshd PermitUserEnvironment is disabled
- oval:simp.cis.3.0.0.RedHat8.4.2.21_Ensure_sshd_UsePAM_is_enabled:def:1
- Title: Ensure sshd UsePAM is enabled
- oval:simp.cis.3.0.0.RedHat8.4.2.22_Ensure_sshd_crypto_policy_is_not_set:def:1
- Title: Ensure sshd crypto_policy is not set
- oval:simp.cis.3.0.0.RedHat8.4.2.2_Ensure_permissions_on_SSH_private_host_key_files_are_configured:def:1
- Title: Ensure permissions on SSH private host key files are configured
- oval:simp.cis.3.0.0.RedHat8.4.2.3_Ensure_permissions_on_SSH_public_host_key_files_are_configured:def:1
- Title: Ensure permissions on SSH public host key files are configured
- oval:simp.cis.3.0.0.RedHat8.4.2.4_Ensure_sshd_access_is_configured:def:1
- Title: Ensure sshd access is configured
- NOTE: The product cannot make assumptions about which users or groups require SSH access to a given machine. The user must determine this and configure it in hieradata using one or more of the following keys:

```yaml
ssh::server::conf::allowusers:
  - user1
  - user2
ssh::server::conf::allowgroups:
  - group1
  - group2
ssh::server::conf::denyusers:
  - user3
ssh::server::conf::denygroups:
  - group3
```
- oval:simp.cis.3.0.0.RedHat8.4.2.5_Ensure_sshd_Banner_is_configured:def:1
- Title: Ensure sshd Banner is configured
- oval:simp.cis.3.0.0.RedHat8.4.2.6_Ensure_sshd_Ciphers_are_configured:def:1
- Title: Ensure sshd Ciphers are configured
- oval:simp.cis.3.0.0.RedHat8.4.2.7_Ensure_sshd_ClientAliveInterval_and_ClientAliveCountMax_are_configured:def:1
- Title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured
- oval:simp.cis.3.0.0.RedHat8.4.2.8_Ensure_sshd_DisableForwarding_is_enabled:def:1
- Title: Ensure sshd DisableForwarding is enabled
- oval:simp.cis.3.0.0.RedHat8.4.2.9_Ensure_sshd_HostbasedAuthentication_is_disabled:def:1
- Title: Ensure sshd HostbasedAuthentication is disabled
- oval:simp.cis.3.0.0.RedHat8.4.3.1_Ensure_sudo_is_installed:def:1
- Title: Ensure sudo is installed
- oval:simp.cis.3.0.0.RedHat8.4.3.2_Ensure_sudo_commands_use_pty:def:1
- Title: Ensure sudo commands use pty
- oval:simp.cis.3.0.0.RedHat8.4.3.3_Ensure_sudo_log_file_exists:def:1
- Title: Ensure sudo log file exists
- oval:simp.cis.3.0.0.RedHat8.4.3.6_Ensure_sudo_authentication_timeout_is_configured_correctly:def:1
- Title: Ensure sudo authentication timeout is configured correctly
- oval:simp.cis.3.0.0.RedHat8.4.3.7_Ensure_access_to_the_su_command_is_restricted:def:1
- Title: Ensure access to the su command is restricted
- oval:simp.cis.3.0.0.RedHat8.4.4.1.1_Ensure_latest_version_of_pam_is_installed:def:1
- Title: Ensure latest version of pam is installed
- oval:simp.cis.3.0.0.RedHat8.4.4.1.2_Ensure_latest_version_of_authselect_is_installed:def:1
- Title: Ensure latest version of authselect is installed
- oval:simp.cis.3.0.0.RedHat8.4.4.2.1_Ensure_active_authselect_profile_includes_pam_modules:def:1
- Title: Ensure active authselect profile includes pam modules
- oval:simp.cis.3.0.0.RedHat8.4.4.2.2_Ensure_pam_faillock_module_is_enabled:def:1
- Title: Ensure pam_faillock module is enabled
- NOTE: The pam_faillock module is in use; the regex the check uses to test for the line does not match the format the product writes for the line that includes the module.
- oval:simp.cis.3.0.0.RedHat8.4.4.2.3_Ensure_pam_pwquality_module_is_enabled:def:1
- Title: Ensure pam_pwquality module is enabled
- oval:simp.cis.3.0.0.RedHat8.4.4.2.4_Ensure_pam_pwhistory_module_is_enabled:def:1
- Title: Ensure pam_pwhistory module is enabled
- oval:simp.cis.3.0.0.RedHat8.4.4.2.5_Ensure_pam_unix_module_is_enabled:def:1
- Title: Ensure pam_unix module is enabled
- NOTE: The pam_unix module is in use; the regex the check uses to test for the line does not match the format the product writes for the line that includes the module.
- oval:simp.cis.3.0.0.RedHat8.4.4.3.1.1_Ensure_password_failed_attempts_lockout_is_configured:def:1
- Title: Ensure password failed attempts lockout is configured
- oval:simp.cis.3.0.0.RedHat8.4.4.3.1.2_Ensure_password_unlock_time_is_configured:def:1
- Title: Ensure password unlock time is configured
- oval:simp.cis.3.0.0.RedHat8.4.4.3.1.3_Ensure_password_failed_attempts_lockout_includes_root_account:def:1
- Title: Ensure password failed attempts lockout includes root account
- oval:simp.cis.3.0.0.RedHat8.4.4.3.2.1_Ensure_password_number_of_changed_characters_is_configured:def:1
- Title: Ensure password number of changed characters is configured
- oval:simp.cis.3.0.0.RedHat8.4.4.3.2.2_Ensure_password_length_is_configured:def:1
- Title: Ensure password length is configured
- oval:simp.cis.3.0.0.RedHat8.4.4.3.2.3_Ensure_password_complexity_is_configured:def:1
- Title: Ensure password complexity is configured
- oval:simp.cis.3.0.0.RedHat8.4.4.3.2.4_Ensure_password_same_consecutive_characters_is_configured:def:1
- Title: Ensure password same consecutive characters is configured
- oval:simp.cis.3.0.0.RedHat8.4.4.3.2.5_Ensure_password_maximum_sequential_characters_is_configured:def:1
- Title: Ensure password maximum sequential characters is configured
- oval:simp.cis.3.0.0.RedHat8.4.4.3.2.6_Ensure_password_dictionary_check_is_enabled:def:1
- Title: Ensure password dictionary check is enabled
- oval:simp.cis.3.0.0.RedHat8.4.4.3.2.7_Ensure_password_quality_is_enforced_for_the_root_user:def:1
- Title: Ensure password quality is enforced for the root user
- NOTE: Password quality is enforced for root on the 'password requisite pam_pwquality.so' lines of /etc/pam.d/system-auth and /etc/pam.d/password-auth. The check fails because the assessor does not look there; it expects the setting in /etc/security/pwquality.conf.
- oval:simp.cis.3.0.0.RedHat8.4.4.3.3.1_Ensure_password_history_remember_is_configured:def:1
- Title: Ensure password history remember is configured
- oval:simp.cis.3.0.0.RedHat8.4.4.3.3.2_Ensure_password_history_is_enforced_for_the_root_user:def:1
- Title: Ensure password history is enforced for the root user
- oval:simp.cis.3.0.0.RedHat8.4.4.3.3.3_Ensure_pam_pwhistory_includes_use_authtok:def:1
- Title: Ensure pam_pwhistory includes use_authtok
- oval:simp.cis.3.0.0.RedHat8.4.4.3.4.1_Ensure_pam_unix_does_not_include_nullok:def:1
- Title: Ensure pam_unix does not include nullok
- oval:simp.cis.3.0.0.RedHat8.4.4.3.4.2_Ensure_pam_unix_does_not_include_remember:def:1
- Title: Ensure pam_unix does not include remember
- oval:simp.cis.3.0.0.RedHat8.4.4.3.4.3_Ensure_pam_unix_includes_a_strong_password_hashing_algorithm:def:1
- Title: Ensure pam_unix includes a strong password hashing algorithm
- oval:simp.cis.3.0.0.RedHat8.4.4.3.4.4_Ensure_pam_unix_includes_use_authtok:def:1
- Title: Ensure pam_unix includes use_authtok
- oval:simp.cis.3.0.0.RedHat8.4.5.1.1_Ensure_strong_password_hashing_algorithm_is_configured:def:1
- Title: Ensure strong password hashing algorithm is configured
- oval:simp.cis.3.0.0.RedHat8.4.5.1.2_Ensure_password_expiration_is_365_days_or_less:def:1
- Title: Ensure password expiration is 365 days or less
- NOTE: The product sets PASS_MAX_DAYS in /etc/login.defs; there is currently no mechanism to apply the setting to existing users in /etc/shadow.
- oval:simp.cis.3.0.0.RedHat8.4.5.1.3_Ensure_password_expiration_warning_days_is_7_or_more:def:1
- Title: Ensure password expiration warning days is 7 or more
- oval:simp.cis.3.0.0.RedHat8.4.5.1.4_Ensure_inactive_password_lock_is_30_days_or_less:def:1
- Title: Ensure inactive password lock is 30 days or less
- NOTE: The system is configured to lock accounts after 30 days of inactivity; the product has no mechanism to change this value for existing users.
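The two notes above (password expiration and inactive lock) share a cause: the policy value is written to /etc/login.defs and /etc/default/useradd, which only govern accounts created afterwards, while existing entries in /etc/shadow keep their old field 5 (maximum age) and field 7 (inactivity). The script below is an added example, not the product's code, that lists the chage commands needed to bring existing accounts in line with those two values. The function names, the file paths it accepts and the sample shadow lines used to exercise it are constructed for the example.

```shell
#!/bin/sh
# login_defs_value NAME [FILE]
# Print the value of a whitespace-separated setting such as PASS_MAX_DAYS
# from login.defs (default /etc/login.defs); prints nothing if it is unset.
login_defs_value() {
  awk -v n="$1" '$1 == n { print $2 }' "${2:-/etc/login.defs}" | tail -n 1
}

# useradd_inactive [FILE]
# Print the INACTIVE= value from /etc/default/useradd, which is what new
# accounts inherit for shadow field 7.
useradd_inactive() {
  sed -n 's/^INACTIVE=//p' "${1:-/etc/default/useradd}" | tail -n 1
}

# shadow_drift FILE MAX_DAYS INACTIVE
# For every account in FILE (in /etc/shadow format) that still has a usable
# password hash, print the chage command that brings its maximum password
# age (field 5) and inactivity lock (field 7) within MAX_DAYS and INACTIVE.
# Locked ('!'-prefixed) and passwordless ('*') accounts are skipped, as are
# accounts already within policy, so no output means nothing has drifted.
shadow_drift() {
  file="$1"; max="$2"; inact="$3"
  while IFS=: read -r user hash last min umax warn uinact expire flag; do
    case "$hash" in ''|'!'*|'*'*) continue ;; esac
    args=""
    # an empty or negative field means "never"; 99999 is the RHEL default
    if [ -z "$umax" ] || [ "$umax" -lt 0 ] || [ "$umax" -gt "$max" ]; then
      args="$args -M $max"
    fi
    if [ -z "$uinact" ] || [ "$uinact" -lt 0 ] || [ "$uinact" -gt "$inact" ]; then
      args="$args -I $inact"
    fi
    if [ -n "$args" ]; then
      printf 'chage%s %s\n' "$args" "$user"
    fi
  done < "$file"
}

# Usage (as root, since /etc/shadow is not world-readable):
#   sh shadow_drift.sh --system          # print the commands
#   sh shadow_drift.sh --system | sh     # apply them once reviewed
if [ "${1:-}" = "--system" ]; then
  max=$(login_defs_value PASS_MAX_DAYS)
  inact=$(useradd_inactive)
  shadow_drift /etc/shadow "${max:-365}" "${inact:-30}"
fi
```

Review the output before piping it to a shell: service accounts that legitimately carry a password (for example an application account that authenticates locally) will be listed too, and shortening their maximum age without a rotation process locks them out on expiry.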
- oval:simp.cis.3.0.0.RedHat8.4.5.1.5_Ensure_all_users_last_password_change_date_is_in_the_past:def:1
- Title: Ensure all users last password change date is in the past
- oval:simp.cis.3.0.0.RedHat8.4.5.2.1_Ensure_default_group_for_the_root_account_is_GID_0:def:1
- Title: Ensure default group for the root account is GID 0
- oval:simp.cis.3.0.0.RedHat8.4.5.2.2_Ensure_root_user_umask_is_configured:def:1
- Title: Ensure root user umask is configured
- oval:simp.cis.3.0.0.RedHat8.4.5.2.3_Ensure_system_accounts_are_secured:def:1
- Title: Ensure system accounts are secured
- oval:simp.cis.3.0.0.RedHat8.4.5.3.1_Ensure_nologin_is_not_listed_in_etcshells:def:1
- Title: Ensure nologin is not listed in /etc/shells
- oval:simp.cis.3.0.0.RedHat8.4.5.3.2_Ensure_default_user_shell_timeout_is_configured:def:1
- Title: Ensure default user shell timeout is configured
- NOTE: The scanner fails to pick up on the format the product uses for setting the timeout, [ $TMOUT ] || export TMOUT=900. The setting is also placed in a nonstandard location, /etc/profile.d/simp.sh.
- oval:simp.cis.3.0.0.RedHat8.4.5.3.3_Ensure_default_user_umask_is_configured:def:1
- Title: Ensure default user umask is configured
- oval:simp.cis.3.0.0.RedHat8.5.1.1.1_Ensure_rsyslog_is_installed:def:1
- Title: Ensure rsyslog is installed
- oval:simp.cis.3.0.0.RedHat8.5.1.1.2_Ensure_rsyslog_service_is_enabled:def:1
- Title: Ensure rsyslog service is enabled
- oval:simp.cis.3.0.0.RedHat8.5.1.1.4_Ensure_rsyslog_default_file_permissions_are_configured:def:1
- Title: Ensure rsyslog default file permissions are configured
- oval:simp.cis.3.0.0.RedHat8.5.1.1.5_Ensure_logging_is_configured:def:1
- Title: Ensure logging is configured
- oval:simp.cis.3.0.0.RedHat8.5.1.1.7_Ensure_rsyslog_is_not_configured_to_receive_logs_from_a_remote_client:def:1
- Title: Ensure rsyslog is not configured to receive logs from a remote client
- NOTE: Including the product’s rsyslog class will purge any rsyslog configuration not specified by the user in hieradata or by other rules that require specific rsyslog configuration.
- oval:simp.cis.3.0.0.RedHat8.5.1.2.1.1_Ensure_systemd-journal-remote_is_installed:def:1
- Title: Ensure systemd-journal-remote is installed
- oval:simp.cis.3.0.0.RedHat8.5.1.2.1.2_Ensure_systemd-journal-remote_is_configured:def:1
- Title: Ensure systemd-journal-remote is configured
- oval:simp.cis.3.0.0.RedHat8.5.1.2.1.3_Ensure_systemd-journal-remote_is_enabled:def:1
- Title: Ensure systemd-journal-remote is enabled
- oval:simp.cis.3.0.0.RedHat8.5.1.2.1.4_Ensure_journald_is_not_configured_to_receive_logs_from_a_remote_client:def:1
- Title: Ensure journald is not configured to receive logs from a remote client
- oval:simp.cis.3.0.0.RedHat8.5.1.2.2_Ensure_journald_service_is_enabled:def:1
- Title: Ensure journald service is enabled
- NOTE: Simply including the journald class will include a default journald configuration and ensure the service is enabled.
- oval:simp.cis.3.0.0.RedHat8.5.1.2.3_Ensure_journald_is_configured_to_compress_large_log_files:def:1
- Title: Ensure journald is configured to compress large log files
- oval:simp.cis.3.0.0.RedHat8.5.1.2.4_Ensure_journald_is_configured_to_write_logfiles_to_persistent_disk:def:1
- Title: Ensure journald is configured to write logfiles to persistent disk
- oval:simp.cis.3.0.0.RedHat8.5.1.2.5_Ensure_journald_is_not_configured_to_send_logs_to_rsyslog:def:1
- Title: Ensure journald is not configured to send logs to rsyslog
- oval:simp.cis.3.0.0.RedHat8.5.1.3_Ensure_logrotate_is_configured:def:1
- Title: Ensure logrotate is configured
- oval:simp.cis.3.0.0.RedHat8.5.1.4_Ensure_all_logfiles_have_appropriate_access_configured:def:1
- Title: Ensure all logfiles have appropriate access configured
- oval:simp.cis.3.0.0.RedHat8.5.2.1.1_Ensure_audit_is_installed:def:1
- Title: Ensure audit is installed
- oval:simp.cis.3.0.0.RedHat8.5.2.1.2_Ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled:def:1
- Title: Ensure auditing for processes that start prior to auditd is enabled
- NOTE: This value is set in /etc/default/grub; the scanner does not look for it there.
- oval:simp.cis.3.0.0.RedHat8.5.2.1.3_Ensure_audit_backlog_limit_is_sufficient:def:1
- Title: Ensure audit_backlog_limit is sufficient
- NOTE: This value is set in /etc/default/grub; the scanner does not look for it there.
- oval:simp.cis.3.0.0.RedHat8.5.2.1.4_Ensure_auditd_service_is_enabled:def:1
- Title: Ensure auditd service is enabled
- oval:simp.cis.3.0.0.RedHat8.5.2.2.1_Ensure_audit_log_storage_size_is_configured:def:1
- Title: Ensure audit log storage size is configured
- oval:simp.cis.3.0.0.RedHat8.5.2.2.2_Ensure_audit_logs_are_not_automatically_deleted:def:1
- Title: Ensure audit logs are not automatically deleted
- oval:simp.cis.3.0.0.RedHat8.5.2.2.3_Ensure_system_is_disabled_when_audit_logs_are_full:def:1
- Title: Ensure system is disabled when audit logs are full
- oval:simp.cis.3.0.0.RedHat8.5.2.2.4_Ensure_system_warns_when_audit_logs_are_low_on_space:def:1
- Title: Ensure system warns when audit logs are low on space
- oval:simp.cis.3.0.0.RedHat8.5.2.3.10_Ensure_successful_file_system_mounts_are_collected:def:1
- Title: Ensure successful file system mounts are collected
- oval:simp.cis.3.0.0.RedHat8.5.2.3.11_Ensure_session_initiation_information_is_collected:def:1
- Title: Ensure session initiation information is collected
- oval:simp.cis.3.0.0.RedHat8.5.2.3.12_Ensure_login_and_logout_events_are_collected:def:1
- Title: Ensure login and logout events are collected
- oval:simp.cis.3.0.0.RedHat8.5.2.3.13_Ensure_file_deletion_events_by_users_are_collected:def:1
- Title: Ensure file deletion events by users are collected
- oval:simp.cis.3.0.0.RedHat8.5.2.3.14_Ensure_events_that_modify_the_systems_Mandatory_Access_Controls_are_collected:def:1
- Title: Ensure events that modify the system’s Mandatory Access Controls are collected
- oval:simp.cis.3.0.0.RedHat8.5.2.3.15_Ensure_successful_and_unsuccessful_attempts_to_use_the_chcon_command_are_recorded:def:1
- Title: Ensure successful and unsuccessful attempts to use the chcon command are recorded
- oval:simp.cis.3.0.0.RedHat8.5.2.3.16_Ensure_successful_and_unsuccessful_attempts_to_use_the_setfacl_command_are_recorded:def:1
- Title: Ensure successful and unsuccessful attempts to use the setfacl command are recorded
- oval:simp.cis.3.0.0.RedHat8.5.2.3.17_Ensure_successful_and_unsuccessful_attempts_to_use_the_chacl_command_are_recorded:def:1
- Title: Ensure successful and unsuccessful attempts to use the chacl command are recorded
- oval:simp.cis.3.0.0.RedHat8.5.2.3.18_Ensure_successful_and_unsuccessful_attempts_to_use_the_usermod_command_are_recorded:def:1
- Title: Ensure successful and unsuccessful attempts to use the usermod command are recorded
- oval:simp.cis.3.0.0.RedHat8.5.2.3.19_Ensure_kernel_module_loading_unloading_and_modification_is_collected:def:1
- Title: Ensure kernel module loading unloading and modification is collected
- oval:simp.cis.3.0.0.RedHat8.5.2.3.1_Ensure_changes_to_system_administration_scope_sudoers_is_collected:def:1
- Title: Ensure changes to system administration scope (sudoers) is collected
- oval:simp.cis.3.0.0.RedHat8.5.2.3.20_Ensure_the_audit_configuration_is_immutable:def:1
- Title: Ensure the audit configuration is immutable
- oval:simp.cis.3.0.0.RedHat8.5.2.3.21_Ensure_the_running_and_on_disk_configuration_is_the_same:def:1
- Title: Ensure the running and on disk configuration is the same
- NOTE: Including the audit class forces the system to compare the expected rule set against what is on disk. If there are discrepancies, the rules are changed to the expected state and the service is restarted, which ensures the rules on disk match the running rules.
- oval:simp.cis.3.0.0.RedHat8.5.2.3.2_Ensure_actions_as_another_user_are_always_logged:def:1
- Title: Ensure actions as another user are always logged
- oval:simp.cis.3.0.0.RedHat8.5.2.3.3_Ensure_events_that_modify_the_sudo_log_file_are_collected:def:1
- Title: Ensure events that modify the sudo log file are collected
- oval:simp.cis.3.0.0.RedHat8.5.2.3.4_Ensure_events_that_modify_date_and_time_information_are_collected:def:1
- Title: Ensure events that modify date and time information are collected
- oval:simp.cis.3.0.0.RedHat8.5.2.3.5_Ensure_events_that_modify_the_systems_network_environment_are_collected:def:1
- Title: Ensure events that modify the system’s network environment are collected
- oval:simp.cis.3.0.0.RedHat8.5.2.3.6_Ensure_use_of_privileged_commands_are_collected:def:1
- Title: Ensure use of privileged commands are collected
- NOTE: The available setuid/setgid commands on a given system could vary greatly. Several of the more common commands are audited, but there is currently no automated way to identify and audit all possible setuid/setgid commands available on any given system.
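The gap described in the note above is the one the benchmark's own remediation closes by enumeration: list the setuid/setgid binaries on each local filesystem and emit one path rule per binary. The script below is an added example rather than the product's code. It does that enumeration and also diffs the result against the loaded rule set, so a privileged binary introduced by a package update shows up as a missing rule rather than silently going unaudited. The function names and the command-line switches are invented for the example, and UID_MIN falls back to 1000 when /etc/login.defs does not supply it.

```shell
#!/bin/sh
# rules_for_paths [UID_MIN]
# Read binary paths on stdin, one per line, and emit the auditd rule the
# benchmark expects for each: execution by a real user (auid >= UID_MIN and
# not the unset auid that daemons carry) is recorded under the key "privileged".
rules_for_paths() {
  uid_min="${1:-1000}"
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    printf -- '-a always,exit -F path=%s -F perm=x -F auid>=%s -F auid!=unset -k privileged\n' \
      "$path" "$uid_min"
  done
}

# find_privileged
# List setuid/setgid regular files on every locally mounted filesystem.
# Each mount point is searched with -xdev, so network mounts and other
# filesystems mounted below it are not descended into.
find_privileged() {
  df --local -P | awk 'NR > 1 { print $6 }' | while IFS= read -r mnt; do
    find "$mnt" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
  done | sort -u
}

# rules_missing CANDIDATES LOADED [UID_MIN]
# CANDIDATES: file with one binary path per line (e.g. output of find_privileged)
# LOADED:     file holding the output of `auditctl -l`
# Print rules only for candidates that have no loaded path rule yet.
rules_missing() {
  have=$(sed -n 's/.*-F path=\([^ ]*\).*/\1/p' "$2")
  while IFS= read -r p; do
    printf '%s\n' "$have" | grep -qxF -- "$p" || printf '%s\n' "$p"
  done < "$1" | rules_for_paths "${3:-1000}"
}

# Usage (as root):
#   sh privileged_rules.sh --scan > /etc/audit/rules.d/50-privileged.rules
#   sh privileged_rules.sh --missing      # rules the loaded set lacks
case "${1:-}" in
  --scan|--missing)
    uid_min=$(awk '$1 == "UID_MIN" { print $2 }' /etc/login.defs)
    tmp=$(mktemp -d)
    find_privileged > "$tmp/candidates"
    if [ "$1" = "--scan" ]; then
      rules_for_paths "${uid_min:-1000}" < "$tmp/candidates"
    else
      auditctl -l > "$tmp/loaded" 2>/dev/null || :
      rules_missing "$tmp/candidates" "$tmp/loaded" "${uid_min:-1000}"
    fi
    rm -rf "$tmp"
    ;;
esac
```

After writing the rules file, load it with augenrules --load. Because the benchmark also makes the audit configuration immutable (-e 2, rule 5.2.3.20 above), rules added after boot are only picked up at the next reboot, so the --missing output is best treated as a drift report for the package-update cycle rather than something to apply live.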
- oval:simp.cis.3.0.0.RedHat8.5.2.3.7_Ensure_unsuccessful_file_access_attempts_are_collected:def:1
- Title: Ensure unsuccessful file access attempts are collected
- oval:simp.cis.3.0.0.RedHat8.5.2.3.8_Ensure_events_that_modify_usergroup_information_are_collected:def:1
- Title: Ensure events that modify user/group information are collected
- oval:simp.cis.3.0.0.RedHat8.5.2.3.9_Ensure_discretionary_access_control_permission_modification_events_are_collected:def:1
- Title: Ensure discretionary access control permission modification events are collected
- oval:simp.cis.3.0.0.RedHat8.5.2.4.10_Ensure_audit_tools_belong_to_group_root:def:1
- Title: Ensure audit tools belong to group root
- NOTE: The product writes the rules for checking the system's audit tools into /etc/aide.conf.d/audit_config.aide; the scanner only looks for files ending in .conf in that directory, so the scan fails.
- oval:simp.cis.3.0.0.RedHat8.5.2.4.1_Ensure_the_audit_log_directory_is_0750_or_more_restrictive:def:1
- Title: Ensure the audit log directory is 0750 or more restrictive
- oval:simp.cis.3.0.0.RedHat8.5.2.4.2_Ensure_audit_log_files_are_mode_0640_or_less_permissive:def:1
- Title: Ensure audit log files are mode 0640 or less permissive
- oval:simp.cis.3.0.0.RedHat8.5.2.4.3_Ensure_only_authorized_users_own_audit_log_files:def:1
- Title: Ensure only authorized users own audit log files
- oval:simp.cis.3.0.0.RedHat8.5.2.4.4_Ensure_only_authorized_groups_are_assigned_ownership_of_audit_log_files:def:1
- Title: Ensure only authorized groups are assigned ownership of audit log files
- oval:simp.cis.3.0.0.RedHat8.5.2.4.5_Ensure_audit_configuration_files_are_640_or_more_restrictive:def:1
- Title: Ensure audit configuration files are 640 or more restrictive
- oval:simp.cis.3.0.0.RedHat8.5.2.4.6_Ensure_audit_configuration_files_are_owned_by_root:def:1
- Title: Ensure audit configuration files are owned by root
- oval:simp.cis.3.0.0.RedHat8.5.2.4.7_Ensure_audit_configuration_files_belong_to_group_root:def:1
- Title: Ensure audit configuration files belong to group root
- oval:simp.cis.3.0.0.RedHat8.5.2.4.8_Ensure_audit_tools_are_755_or_more_restrictive:def:1
- Title: Ensure audit tools are 755 or more restrictive
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide; however, the scanner only looks for files ending in .conf in the aide.conf.d directory, so the scan will fail.
- oval:simp.cis.3.0.0.RedHat8.5.2.4.9_Ensure_audit_tools_are_owned_by_root:def:1
- Title: Ensure audit tools are owned by root
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide; however, the scanner only looks for files ending in .conf in the aide.conf.d directory, so the scan will fail.
- oval:simp.cis.3.0.0.RedHat8.5.3.1_Ensure_AIDE_is_installed:def:1
- Title: Ensure AIDE is installed
- oval:simp.cis.3.0.0.RedHat8.5.3.2_Ensure_filesystem_integrity_is_regularly_checked:def:1
- Title: Ensure filesystem integrity is regularly checked
- oval:simp.cis.3.0.0.RedHat8.5.3.3_Ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools:def:1
- Title: Ensure cryptographic mechanisms are used to protect the integrity of audit tools
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide; however, the scanner only looks for files ending in .conf in the aide.conf.d directory, so the scan will fail.
- oval:simp.cis.3.0.0.RedHat8.6.1.10_Ensure_permissions_on_etcshells_are_configured:def:1
- Title: Ensure permissions on /etc/shells are configured
- oval:simp.cis.3.0.0.RedHat8.6.1.14_Audit_system_file_permissions:def:1
- Title: Audit system file permissions
- oval:simp.cis.3.0.0.RedHat8.6.1.1_Ensure_permissions_on_etcpasswd_are_configured:def:1
- Title: Ensure permissions on /etc/passwd are configured
- oval:simp.cis.3.0.0.RedHat8.6.1.2_Ensure_permissions_on_etcpasswd-_are_configured:def:1
- Title: Ensure permissions on /etc/passwd- are configured
- oval:simp.cis.3.0.0.RedHat8.6.1.3_Ensure_permissions_on_etcopasswd_are_configured:def:1
- Title: Ensure permissions on /etc/opasswd are configured
- oval:simp.cis.3.0.0.RedHat8.6.1.4_Ensure_permissions_on_etcgroup_are_configured:def:1
- Title: Ensure permissions on /etc/group are configured
- oval:simp.cis.3.0.0.RedHat8.6.1.5_Ensure_permissions_on_etcgroup-_are_configured:def:1
- Title: Ensure permissions on /etc/group- are configured
- oval:simp.cis.3.0.0.RedHat8.6.1.6_Ensure_permissions_on_etcshadow_are_configured:def:1
- Title: Ensure permissions on /etc/shadow are configured
- oval:simp.cis.3.0.0.RedHat8.6.1.7_Ensure_permissions_on_etcshadow-_are_configured:def:1
- Title: Ensure permissions on /etc/shadow- are configured
- oval:simp.cis.3.0.0.RedHat8.6.1.8_Ensure_permissions_on_etcgshadow_are_configured:def:1
- Title: Ensure permissions on /etc/gshadow are configured
- oval:simp.cis.3.0.0.RedHat8.6.1.9_Ensure_permissions_on_etcgshadow-_are_configured:def:1
- Title: Ensure permissions on /etc/gshadow- are configured
- oval:simp.cis.3.0.0.RedHat8.6.2.10_Ensure_local_interactive_user_home_directories_are_configured:def:1
- Title: Ensure local interactive user home directories are configured
- oval:simp.cis.3.0.0.RedHat8.6.2.11_Ensure_local_interactive_user_dot_files_access_is_configured:def:1
- Title: Ensure local interactive user dot files access is configured
- oval:simp.cis.3.0.0.RedHat8.6.2.1_Ensure_accounts_in_etcpasswd_use_shadowed_passwords:def:1
- Title: Ensure accounts in /etc/passwd use shadowed passwords
- oval:simp.cis.3.0.0.RedHat8.6.2.2_Ensure_etcshadow_password_fields_are_not_empty:def:1
- Title: Ensure /etc/shadow password fields are not empty
- oval:simp.cis.3.0.0.RedHat8.6.2.3_Ensure_all_groups_in_etcpasswd_exist_in_etcgroup:def:1
- Title: Ensure all groups in /etc/passwd exist in /etc/group
- oval:simp.cis.3.0.0.RedHat8.6.2.4_Ensure_no_duplicate_UIDs_exist:def:1
- Title: Ensure no duplicate UIDs exist
- oval:simp.cis.3.0.0.RedHat8.6.2.5_Ensure_no_duplicate_GIDs_exist:def:1
- Title: Ensure no duplicate GIDs exist
- oval:simp.cis.3.0.0.RedHat8.6.2.6_Ensure_no_duplicate_user_names_exist:def:1
- Title: Ensure no duplicate user names exist
- oval:simp.cis.3.0.0.RedHat8.6.2.7_Ensure_no_duplicate_group_names_exist:def:1
- Title: Ensure no duplicate group names exist
- oval:simp.cis.3.0.0.RedHat8.6.2.8_Ensure_root_path_integrity:def:1
- Title: Ensure root path integrity
- oval:simp.cis.3.0.0.RedHat8.6.2.9_Ensure_root_is_the_only_UID_0_account:def:1
- Title: Ensure root is the only UID 0 account
RedHat 9 (268/297 [90%])
- oval:simp.cis.2.0.0.RedHat9.1.1.1.1_Ensure_cramfs_kernel_module_is_not_available:def:1
- Title: Ensure cramfs kernel module is not available
- oval:simp.cis.2.0.0.RedHat9.1.1.1.2_Ensure_freevxfs_kernel_module_is_not_available:def:1
- Title: Ensure freevxfs kernel module is not available
- oval:simp.cis.2.0.0.RedHat9.1.1.1.3_Ensure_hfs_kernel_module_is_not_available:def:1
- Title: Ensure hfs kernel module is not available
- oval:simp.cis.2.0.0.RedHat9.1.1.1.4_Ensure_hfsplus_kernel_module_is_not_available:def:1
- Title: Ensure hfsplus kernel module is not available
- oval:simp.cis.2.0.0.RedHat9.1.1.1.5_Ensure_jffs2_kernel_module_is_not_available:def:1
- Title: Ensure jffs2 kernel module is not available
- oval:simp.cis.2.0.0.RedHat9.1.1.1.6_Ensure_squashfs_kernel_module_is_not_available:def:1
- Title: Ensure squashfs kernel module is not available
- oval:simp.cis.2.0.0.RedHat9.1.1.1.7_Ensure_udf_kernel_module_is_not_available:def:1
- Title: Ensure udf kernel module is not available
- oval:simp.cis.2.0.0.RedHat9.1.1.1.8_Ensure_usb-storage_kernel_module_is_not_available:def:1
- Title: Ensure usb-storage kernel module is not available
- oval:simp.cis.2.0.0.RedHat9.1.1.2.1.1_Ensure_tmp_is_a_separate_partition:def:1
- Title: Ensure /tmp is a separate partition
- oval:simp.cis.2.0.0.RedHat9.1.1.2.1.2_Ensure_nodev_option_set_on_tmp_partition:def:1
- Title: Ensure nodev option set on /tmp partition
- oval:simp.cis.2.0.0.RedHat9.1.1.2.1.3_Ensure_nosuid_option_set_on_tmp_partition:def:1
- Title: Ensure nosuid option set on /tmp partition
- oval:simp.cis.2.0.0.RedHat9.1.1.2.1.4_Ensure_noexec_option_set_on_tmp_partition:def:1
- Title: Ensure noexec option set on /tmp partition
- oval:simp.cis.2.0.0.RedHat9.1.1.2.2.2_Ensure_nodev_option_set_on_devshm_partition:def:1
- Title: Ensure nodev option set on /dev/shm partition
- oval:simp.cis.2.0.0.RedHat9.1.1.2.2.3_Ensure_nosuid_option_set_on_devshm_partition:def:1
- Title: Ensure nosuid option set on /dev/shm partition
- oval:simp.cis.2.0.0.RedHat9.1.1.2.2.4_Ensure_noexec_option_set_on_devshm_partition:def:1
- Title: Ensure noexec option set on /dev/shm partition
- oval:simp.cis.2.0.0.RedHat9.1.1.2.3.2_Ensure_nodev_option_set_on_home_partition:def:1
- Title: Ensure nodev option set on /home partition
- oval:simp.cis.2.0.0.RedHat9.1.1.2.3.3_Ensure_nosuid_option_set_on_home_partition:def:1
- Title: Ensure nosuid option set on /home partition
- oval:simp.cis.2.0.0.RedHat9.1.1.2.4.2_Ensure_nodev_option_set_on_var_partition:def:1
- Title: Ensure nodev option set on /var partition
- oval:simp.cis.2.0.0.RedHat9.1.1.2.4.3_Ensure_nosuid_option_set_on_var_partition:def:1
- Title: Ensure nosuid option set on /var partition
- oval:simp.cis.2.0.0.RedHat9.1.1.2.5.2_Ensure_nodev_option_set_on_vartmp_partition:def:1
- Title: Ensure nodev option set on /var/tmp partition
- oval:simp.cis.2.0.0.RedHat9.1.1.2.5.3_Ensure_nosuid_option_set_on_vartmp_partition:def:1
- Title: Ensure nosuid option set on /var/tmp partition
- oval:simp.cis.2.0.0.RedHat9.1.1.2.5.4_Ensure_noexec_option_set_on_vartmp_partition:def:1
- Title: Ensure noexec option set on /var/tmp partition
- oval:simp.cis.2.0.0.RedHat9.1.1.2.6.2_Ensure_nodev_option_set_on_varlog_partition:def:1
- Title: Ensure nodev option set on /var/log partition
- oval:simp.cis.2.0.0.RedHat9.1.1.2.6.3_Ensure_nosuid_option_set_on_varlog_partition:def:1
- Title: Ensure nosuid option set on /var/log partition
- oval:simp.cis.2.0.0.RedHat9.1.1.2.6.4_Ensure_noexec_option_set_on_varlog_partition:def:1
- Title: Ensure noexec option set on /var/log partition
- oval:simp.cis.2.0.0.RedHat9.1.1.2.7.2_Ensure_nodev_option_set_on_varlogaudit_partition:def:1
- Title: Ensure nodev option set on /var/log/audit partition
- oval:simp.cis.2.0.0.RedHat9.1.1.2.7.3_Ensure_nosuid_option_set_on_varlogaudit_partition:def:1
- Title: Ensure nosuid option set on /var/log/audit partition
- oval:simp.cis.2.0.0.RedHat9.1.1.2.7.4_Ensure_noexec_option_set_on_varlogaudit_partition:def:1
- Title: Ensure noexec option set on /var/log/audit partition
- oval:simp.cis.2.0.0.RedHat9.1.2.1.2_Ensure_gpgcheck_is_globally_activated:def:1
- Title: Ensure gpgcheck is globally activated
- NOTE: Some organizations will need gpgcheck turned off for some of their internal repos. The best the product can do in this scenario is to enable gpgcheck in /etc/yum.conf and rely on the customer to control the gpg settings of their individual repos.
- oval:simp.cis.2.0.0.RedHat9.1.2.1.3_Ensure_repo_gpgcheck_is_globally_activated:def:1
- Title: Ensure repo_gpgcheck is globally activated
- oval:simp.cis.2.0.0.RedHat9.1.2.2.1_Ensure_updates_patches_and_additional_security_software_are_installed:def:1
- Title: Ensure updates, patches, and additional security software are installed
- oval:simp.cis.2.0.0.RedHat9.1.3.1.1_Ensure_SELinux_is_installed:def:1
- Title: Ensure SELinux is installed
- oval:simp.cis.2.0.0.RedHat9.1.3.1.2_Ensure_SELinux_is_not_disabled_in_bootloader_configuration:def:1
- Title: Ensure SELinux is not disabled in bootloader configuration
- oval:simp.cis.2.0.0.RedHat9.1.3.1.3_Ensure_SELinux_policy_is_configured:def:1
- Title: Ensure SELinux policy is configured
- oval:simp.cis.2.0.0.RedHat9.1.3.1.4_Ensure_the_SELinux_mode_is_not_disabled:def:1
- Title: Ensure the SELinux mode is not disabled
- oval:simp.cis.2.0.0.RedHat9.1.3.1.5_Ensure_the_SELinux_mode_is_enforcing:def:1
- Title: Ensure the SELinux mode is enforcing
- oval:simp.cis.2.0.0.RedHat9.1.3.1.7_Ensure_the_MCS_Translation_Service_mcstrans_is_not_installed:def:1
- Title: Ensure the MCS Translation Service (mcstrans) is not installed
- NOTE: The mcstrans package is not installed; however, the scanner still flags this rpm as being present on the system.
- oval:simp.cis.2.0.0.RedHat9.1.3.1.8_Ensure_SETroubleshoot_is_not_installed:def:1
- Title: Ensure SETroubleshoot is not installed
- oval:simp.cis.2.0.0.RedHat9.1.4.1_Ensure_bootloader_password_is_set:def:1
- Title: Ensure bootloader password is set
- NOTE: The rule checks specifically for ‘GRUB2_PASSWORD=’ in /boot/grub2/user.cfg; however, the product sets the grub password via /boot/grub2/grub.cfg with the password_pbkdf2 parameter.
- oval:simp.cis.2.0.0.RedHat9.1.4.2_Ensure_access_to_bootloader_config_is_configured:def:1
- Title: Ensure access to bootloader config is configured
- NOTE: The product does not utilize /boot/grub2/user.cfg; however, the rule checks for its existence and will fail.
- oval:simp.cis.2.0.0.RedHat9.1.5.1_Ensure_address_space_layout_randomization_is_enabled:def:1
- Title: Ensure address space layout randomization is enabled
- oval:simp.cis.2.0.0.RedHat9.1.5.2_Ensure_ptrace_scope_is_restricted:def:1
- Title: Ensure ptrace_scope is restricted
- oval:simp.cis.2.0.0.RedHat9.1.5.3_Ensure_core_dump_backtraces_are_disabled:def:1
- Title: Ensure core dump backtraces are disabled
- oval:simp.cis.2.0.0.RedHat9.1.5.4_Ensure_core_dump_storage_is_disabled:def:1
- Title: Ensure core dump storage is disabled
- oval:simp.cis.2.0.0.RedHat9.1.6.1_Ensure_system_wide_crypto_policy_is_not_set_to_legacy:def:1
- Title: Ensure system wide crypto policy is not set to legacy
- oval:simp.cis.2.0.0.RedHat9.1.6.2_Ensure_system_wide_crypto_policy_is_not_set_in_sshd_configuration:def:1
- Title: Ensure system wide crypto policy is not set in sshd configuration
- oval:simp.cis.2.0.0.RedHat9.1.7.1_Ensure_message_of_the_day_is_configured_properly:def:1
- Title: Ensure message of the day is configured properly
- oval:simp.cis.2.0.0.RedHat9.1.7.2_Ensure_local_login_warning_banner_is_configured_properly:def:1
- Title: Ensure local login warning banner is configured properly
- oval:simp.cis.2.0.0.RedHat9.1.7.3_Ensure_remote_login_warning_banner_is_configured_properly:def:1
- Title: Ensure remote login warning banner is configured properly
- oval:simp.cis.2.0.0.RedHat9.1.7.4_Ensure_access_to_etcmotd_is_configured:def:1
- Title: Ensure access to /etc/motd is configured
- oval:simp.cis.2.0.0.RedHat9.1.7.5_Ensure_access_to_etcissue_is_configured:def:1
- Title: Ensure access to /etc/issue is configured
- oval:simp.cis.2.0.0.RedHat9.1.7.6_Ensure_access_to_etcissue.net_is_configured:def:1
- Title: Ensure access to /etc/issue.net is configured
- oval:simp.cis.2.0.0.RedHat9.1.8.10_Ensure_XDMCP_is_not_enabled:def:1
- Title: Ensure XDMCP is not enabled
- oval:simp.cis.2.0.0.RedHat9.1.8.1_Ensure_GNOME_Display_Manager_is_removed:def:1
- Title: Ensure GNOME Display Manager is removed
- oval:simp.cis.2.0.0.RedHat9.1.8.2_Ensure_GDM_login_banner_is_configured:def:1
- Title: Ensure GDM login banner is configured
- oval:simp.cis.2.0.0.RedHat9.1.8.3_Ensure_GDM_disable-user-list_option_is_enabled:def:1
- Title: Ensure GDM disable-user-list option is enabled
- oval:simp.cis.2.0.0.RedHat9.1.8.4_Ensure_GDM_screen_locks_when_the_user_is_idle:def:1
- Title: Ensure GDM screen locks when the user is idle
- oval:simp.cis.2.0.0.RedHat9.1.8.5_Ensure_GDM_screen_locks_cannot_be_overridden:def:1
- Title: Ensure GDM screen locks cannot be overridden
- oval:simp.cis.2.0.0.RedHat9.1.8.6_Ensure_GDM_automatic_mounting_of_removable_media_is_disabled:def:1
- Title: Ensure GDM automatic mounting of removable media is disabled
- NOTE: This will remediate the rule as requested; however, the check will still fail because the spacing in the resulting file is not aligned as the rule expects.
- oval:simp.cis.2.0.0.RedHat9.1.8.7_Ensure_GDM_disabling_automatic_mounting_of_removable_media_is_not_overridden:def:1
- Title: Ensure GDM disabling automatic mounting of removable media is not overridden
- oval:simp.cis.2.0.0.RedHat9.1.8.8_Ensure_GDM_autorun-never_is_enabled:def:1
- Title: Ensure GDM autorun-never is enabled
- oval:simp.cis.2.0.0.RedHat9.1.8.9_Ensure_GDM_autorun-never_is_not_overridden:def:1
- Title: Ensure GDM autorun-never is not overridden
- oval:simp.cis.2.0.0.RedHat9.2.1.10_Ensure_nis_server_services_are_not_in_use:def:1
- Title: Ensure nis server services are not in use
- oval:simp.cis.2.0.0.RedHat9.2.1.11_Ensure_print_server_services_are_not_in_use:def:1
- Title: Ensure print server services are not in use
- oval:simp.cis.2.0.0.RedHat9.2.1.12_Ensure_rpcbind_services_are_not_in_use:def:1
- Title: Ensure rpcbind services are not in use
- oval:simp.cis.2.0.0.RedHat9.2.1.13_Ensure_rsync_services_are_not_in_use:def:1
- Title: Ensure rsync services are not in use
- oval:simp.cis.2.0.0.RedHat9.2.1.14_Ensure_snmp_services_are_not_in_use:def:1
- Title: Ensure snmp services are not in use
- oval:simp.cis.2.0.0.RedHat9.2.1.15_Ensure_telnet_server_services_are_not_in_use:def:1
- Title: Ensure telnet server services are not in use
- oval:simp.cis.2.0.0.RedHat9.2.1.16_Ensure_tftp_server_services_are_not_in_use:def:1
- Title: Ensure tftp server services are not in use
- oval:simp.cis.2.0.0.RedHat9.2.1.17_Ensure_web_proxy_server_services_are_not_in_use:def:1
- Title: Ensure web proxy server services are not in use
- oval:simp.cis.2.0.0.RedHat9.2.1.18_Ensure_web_server_services_are_not_in_use:def:1
- Title: Ensure web server services are not in use
- oval:simp.cis.2.0.0.RedHat9.2.1.19_Ensure_xinetd_services_are_not_in_use:def:1
- Title: Ensure xinetd services are not in use
- oval:simp.cis.2.0.0.RedHat9.2.1.1_Ensure_autofs_services_are_not_in_use:def:1
- Title: Ensure autofs services are not in use
- oval:simp.cis.2.0.0.RedHat9.2.1.20_Ensure_X_window_server_services_are_not_in_use:def:1
- Title: Ensure X window server services are not in use
- oval:simp.cis.2.0.0.RedHat9.2.1.21_Ensure_mail_transfer_agents_are_configured_for_local-only_mode:def:1
- Title: Ensure mail transfer agents are configured for local-only mode
- oval:simp.cis.2.0.0.RedHat9.2.1.22_Ensure_only_approved_services_are_listening_on_a_network_interface:def:1
- Title: Ensure only approved services are listening on a network interface
- oval:simp.cis.2.0.0.RedHat9.2.1.2_Ensure_avahi_daemon_services_are_not_in_use:def:1
- Title: Ensure avahi daemon services are not in use
- oval:simp.cis.2.0.0.RedHat9.2.1.3_Ensure_dhcp_server_services_are_not_in_use:def:1
- Title: Ensure dhcp server services are not in use
- oval:simp.cis.2.0.0.RedHat9.2.1.4_Ensure_dns_server_services_are_not_in_use:def:1
- Title: Ensure dns server services are not in use
- oval:simp.cis.2.0.0.RedHat9.2.1.5_Ensure_dnsmasq_services_are_not_in_use:def:1
- Title: Ensure dnsmasq services are not in use
- oval:simp.cis.2.0.0.RedHat9.2.1.6_Ensure_samba_file_server_services_are_not_in_use:def:1
- Title: Ensure samba file server services are not in use
- oval:simp.cis.2.0.0.RedHat9.2.1.7_Ensure_ftp_server_services_are_not_in_use:def:1
- Title: Ensure ftp server services are not in use
- oval:simp.cis.2.0.0.RedHat9.2.1.8_Ensure_message_access_server_services_are_not_in_use:def:1
- Title: Ensure message access server services are not in use
- oval:simp.cis.2.0.0.RedHat9.2.1.9_Ensure_network_file_system_services_are_not_in_use:def:1
- Title: Ensure network file system services are not in use
- oval:simp.cis.2.0.0.RedHat9.2.2.1_Ensure_ftp_client_is_not_installed:def:1
- Title: Ensure ftp client is not installed
- oval:simp.cis.2.0.0.RedHat9.2.2.2_Ensure_ldap_client_is_not_installed:def:1
- Title: Ensure ldap client is not installed
- oval:simp.cis.2.0.0.RedHat9.2.2.3_Ensure_nis_client_is_not_installed:def:1
- Title: Ensure nis client is not installed
- oval:simp.cis.2.0.0.RedHat9.2.2.4_Ensure_telnet_client_is_not_installed:def:1
- Title: Ensure telnet client is not installed
- oval:simp.cis.2.0.0.RedHat9.2.2.5_Ensure_tftp_client_is_not_installed:def:1
- Title: Ensure tftp client is not installed
- oval:simp.cis.2.0.0.RedHat9.2.3.1_Ensure_time_synchronization_is_in_use:def:1
- Title: Ensure time synchronization is in use
- NOTE: We are configuring the system to use ntpd instead of chrony.
- oval:simp.cis.2.0.0.RedHat9.2.3.2_Ensure_chrony_is_configured:def:1
- Title: Ensure chrony is configured
- NOTE: We are configuring the system to use ntpd instead of chrony.
- oval:simp.cis.2.0.0.RedHat9.2.3.3_Ensure_chrony_is_not_run_as_the_root_user:def:1
- Title: Ensure chrony is not run as the root user
- oval:simp.cis.2.0.0.RedHat9.2.4.1.1_Ensure_cron_daemon_is_enabled_and_active:def:1
- Title: Ensure cron daemon is enabled and active
- oval:simp.cis.2.0.0.RedHat9.2.4.1.2_Ensure_permissions_on_etccrontab_are_configured:def:1
- Title: Ensure permissions on /etc/crontab are configured
- oval:simp.cis.2.0.0.RedHat9.2.4.1.3_Ensure_permissions_on_etccron.hourly_are_configured:def:1
- Title: Ensure permissions on /etc/cron.hourly are configured
- oval:simp.cis.2.0.0.RedHat9.2.4.1.4_Ensure_permissions_on_etccron.daily_are_configured:def:1
- Title: Ensure permissions on /etc/cron.daily are configured
- oval:simp.cis.2.0.0.RedHat9.2.4.1.5_Ensure_permissions_on_etccron.weekly_are_configured:def:1
- Title: Ensure permissions on /etc/cron.weekly are configured
- oval:simp.cis.2.0.0.RedHat9.2.4.1.6_Ensure_permissions_on_etccron.monthly_are_configured:def:1
- Title: Ensure permissions on /etc/cron.monthly are configured
- oval:simp.cis.2.0.0.RedHat9.2.4.1.7_Ensure_permissions_on_etccron.d_are_configured:def:1
- Title: Ensure permissions on /etc/cron.d are configured
- oval:simp.cis.2.0.0.RedHat9.2.4.1.8_Ensure_crontab_is_restricted_to_authorized_users:def:1
- Title: Ensure crontab is restricted to authorized users
- NOTE: Simply including the cron module is enough to restrict access via cron.allow; cron.deny will be removed if it exists.
- oval:simp.cis.2.0.0.RedHat9.2.4.2.1_Ensure_at_is_restricted_to_authorized_users:def:1
- Title: Ensure at is restricted to authorized users
- NOTE: Simply including the at module is enough to restrict access via at.allow; at.deny will be removed if it exists.
- oval:simp.cis.2.0.0.RedHat9.3.1.1_Ensure_IPv6_status_is_identified:def:1
- Title: Ensure IPv6 status is identified
- NOTE: This rule is more of a system audit than hard guidance. If IPv6 is actually enabled, some additional configuration is required, which the product takes care of by default.
- oval:simp.cis.2.0.0.RedHat9.3.1.2_Ensure_wireless_interfaces_are_disabled:def:1
- Title: Ensure wireless interfaces are disabled
- oval:simp.cis.2.0.0.RedHat9.3.1.3_Ensure_bluetooth_services_are_not_in_use:def:1
- Title: Ensure bluetooth services are not in use
- oval:simp.cis.2.0.0.RedHat9.3.2.1_Ensure_dccp_kernel_module_is_not_available:def:1
- Title: Ensure dccp kernel module is not available
- oval:simp.cis.2.0.0.RedHat9.3.2.2_Ensure_tipc_kernel_module_is_not_available:def:1
- Title: Ensure tipc kernel module is not available
- oval:simp.cis.2.0.0.RedHat9.3.2.3_Ensure_rds_kernel_module_is_not_available:def:1
- Title: Ensure rds kernel module is not available
- oval:simp.cis.2.0.0.RedHat9.3.2.4_Ensure_sctp_kernel_module_is_not_available:def:1
- Title: Ensure sctp kernel module is not available
- oval:simp.cis.2.0.0.RedHat9.3.3.10_Ensure_tcp_syn_cookies_is_enabled:def:1
- Title: Ensure tcp syn cookies is enabled
- oval:simp.cis.2.0.0.RedHat9.3.3.11_Ensure_ipv6_router_advertisements_are_not_accepted:def:1
- Title: Ensure ipv6 router advertisements are not accepted
- oval:simp.cis.2.0.0.RedHat9.3.3.1_Ensure_ip_forwarding_is_disabled:def:1
- Title: Ensure ip forwarding is disabled
- oval:simp.cis.2.0.0.RedHat9.3.3.2_Ensure_packet_redirect_sending_is_disabled:def:1
- Title: Ensure packet redirect sending is disabled
- oval:simp.cis.2.0.0.RedHat9.3.3.3_Ensure_bogus_icmp_responses_are_ignored:def:1
- Title: Ensure bogus icmp responses are ignored
- oval:simp.cis.2.0.0.RedHat9.3.3.4_Ensure_broadcast_icmp_requests_are_ignored:def:1
- Title: Ensure broadcast icmp requests are ignored
- oval:simp.cis.2.0.0.RedHat9.3.3.5_Ensure_icmp_redirects_are_not_accepted:def:1
- Title: Ensure icmp redirects are not accepted
- oval:simp.cis.2.0.0.RedHat9.3.3.6_Ensure_secure_icmp_redirects_are_not_accepted:def:1
- Title: Ensure secure icmp redirects are not accepted
- oval:simp.cis.2.0.0.RedHat9.3.3.7_Ensure_reverse_path_filtering_is_enabled:def:1
- Title: Ensure reverse path filtering is enabled
- NOTE: The correct values will be set in the running configuration, in /etc/sysctl.d/99-sysctl.conf, and in /usr/lib/sysctl.d/50-redhat.conf. However, /usr/lib/sysctl.d/50-default.conf will not be configured. Unless that file is changed manually, the check for this rule will fail, even though the value in it is ignored once the value is set in the running configuration and the other files listed.
- oval:simp.cis.2.0.0.RedHat9.3.3.8_Ensure_source_routed_packets_are_not_accepted:def:1
- Title: Ensure source routed packets are not accepted
- oval:simp.cis.2.0.0.RedHat9.3.3.9_Ensure_suspicious_packets_are_logged:def:1
- Title: Ensure suspicious packets are logged
- oval:simp.cis.2.0.0.RedHat9.4.1.1_Ensure_nftables_is_installed:def:1
- Title: Ensure nftables is installed
- oval:simp.cis.2.0.0.RedHat9.4.1.2_Ensure_a_single_firewall_configuration_utility_is_in_use:def:1
- Title: Ensure a single firewall configuration utility is in use
- oval:simp.cis.2.0.0.RedHat9.4.2.1_Ensure_firewalld_drops_unnecessary_services_and_ports:def:1
- Title: Ensure firewalld drops unnecessary services and ports
- oval:simp.cis.2.0.0.RedHat9.4.2.2_Ensure_firewalld_loopback_traffic_is_configured:def:1
- Title: Ensure firewalld loopback traffic is configured
- NOTE: Only applies when nftables is used for firewall provider
- oval:simp.cis.2.0.0.RedHat9.4.3.1_Ensure_nftables_base_chains_exist:def:1
- Title: Ensure nftables base chains exist
- NOTE: Only applies when nftables is used for firewall provider
- oval:simp.cis.2.0.0.RedHat9.4.3.2_Ensure_nftables_established_connections_are_configured:def:1
- Title: Ensure nftables established connections are configured
- NOTE: Only applies when iptables is used for firewall provider
- oval:simp.cis.2.0.0.RedHat9.4.3.3_Ensure_nftables_default_deny_firewall_policy:def:1
- Title: Ensure nftables default deny firewall policy
- NOTE: Only applies when nftables is used for firewall provider
- oval:simp.cis.2.0.0.RedHat9.4.3.4_Ensure_nftables_loopback_traffic_is_configured:def:1
- Title: Ensure nftables loopback traffic is configured
- NOTE: Only applies when nftables is used for firewall provider
- oval:simp.cis.2.0.0.RedHat9.5.1.10_Ensure_sshd_DisableForwarding_is_enabled:def:1
- Title: Ensure sshd DisableForwarding is enabled
- oval:simp.cis.2.0.0.RedHat9.5.1.11_Ensure_sshd_GSSAPIAuthentication_is_disabled:def:1
- Title: Ensure sshd GSSAPIAuthentication is disabled
- oval:simp.cis.2.0.0.RedHat9.5.1.12_Ensure_sshd_HostbasedAuthentication_is_disabled:def:1
- Title: Ensure sshd HostbasedAuthentication is disabled
- oval:simp.cis.2.0.0.RedHat9.5.1.13_Ensure_sshd_IgnoreRhosts_is_enabled:def:1
- Title: Ensure sshd IgnoreRhosts is enabled
- oval:simp.cis.2.0.0.RedHat9.5.1.14_Ensure_sshd_LoginGraceTime_is_configured:def:1
- Title: Ensure sshd LoginGraceTime is configured
- oval:simp.cis.2.0.0.RedHat9.5.1.15_Ensure_sshd_LogLevel_is_configured:def:1
- Title: Ensure sshd LogLevel is configured
- oval:simp.cis.2.0.0.RedHat9.5.1.16_Ensure_sshd_MaxAuthTries_is_configured:def:1
- Title: Ensure sshd MaxAuthTries is configured
- oval:simp.cis.2.0.0.RedHat9.5.1.17_Ensure_sshd_MaxStartups_is_configured:def:1
- Title: Ensure sshd MaxStartups is configured
- oval:simp.cis.2.0.0.RedHat9.5.1.18_Ensure_sshd_MaxSessions_is_configured:def:1
- Title: Ensure sshd MaxSessions is configured
- oval:simp.cis.2.0.0.RedHat9.5.1.19_Ensure_sshd_PermitEmptyPasswords_is_disabled:def:1
- Title: Ensure sshd PermitEmptyPasswords is disabled
- oval:simp.cis.2.0.0.RedHat9.5.1.1_Ensure_permissions_on_etcsshsshd_config_are_configured:def:1
- Title: Ensure permissions on /etc/ssh/sshd_config are configured
- oval:simp.cis.2.0.0.RedHat9.5.1.20_Ensure_sshd_PermitRootLogin_is_disabled:def:1
- Title: Ensure sshd PermitRootLogin is disabled
- oval:simp.cis.2.0.0.RedHat9.5.1.21_Ensure_sshd_PermitUserEnvironment_is_disabled:def:1
- Title: Ensure sshd PermitUserEnvironment is disabled
- oval:simp.cis.2.0.0.RedHat9.5.1.22_Ensure_sshd_UsePAM_is_enabled:def:1
- Title: Ensure sshd UsePAM is enabled
- oval:simp.cis.2.0.0.RedHat9.5.1.2_Ensure_permissions_on_SSH_private_host_key_files_are_configured:def:1
- Title: Ensure permissions on SSH private host key files are configured
- oval:simp.cis.2.0.0.RedHat9.5.1.3_Ensure_permissions_on_SSH_public_host_key_files_are_configured:def:1
- Title: Ensure permissions on SSH public host key files are configured
- oval:simp.cis.2.0.0.RedHat9.5.1.4_Ensure_sshd_Ciphers_are_configured:def:1
- Title: Ensure sshd Ciphers are configured
- oval:simp.cis.2.0.0.RedHat9.5.1.5_Ensure_sshd_KexAlgorithms_is_configured:def:1
- Title: Ensure sshd KexAlgorithms is configured
- oval:simp.cis.2.0.0.RedHat9.5.1.6_Ensure_sshd_MACs_are_configured:def:1
- Title: Ensure sshd MACs are configured
- NOTE: This can fail because the included crypto-policies may contain newly discovered insecure MACs.
- oval:simp.cis.2.0.0.RedHat9.5.1.7_Ensure_sshd_access_is_configured:def:1
- Title: Ensure sshd access is configured
- NOTE: The product cannot make assumptions about which users/groups require ssh access to specific machines. The user will have to determine this and configure it accordingly using one of the following methods in hieradata:
    ssh::server::conf::allowusers:
      - user1
      - user2
    ssh::server::conf::allowgroups:
      - group1
      - group2
    ssh::server::conf::denyusers:
      - user3
    ssh::server::conf::denygroups:
      - group3
- oval:simp.cis.2.0.0.RedHat9.5.1.8_Ensure_sshd_Banner_is_configured:def:1
- Title: Ensure sshd Banner is configured
- oval:simp.cis.2.0.0.RedHat9.5.1.9_Ensure_sshd_ClientAliveInterval_and_ClientAliveCountMax_are_configured:def:1
- Title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured
- oval:simp.cis.2.0.0.RedHat9.5.2.1_Ensure_sudo_is_installed:def:1
- Title: Ensure sudo is installed
- oval:simp.cis.2.0.0.RedHat9.5.2.2_Ensure_sudo_commands_use_pty:def:1
- Title: Ensure sudo commands use pty
- oval:simp.cis.2.0.0.RedHat9.5.2.3_Ensure_sudo_log_file_exists:def:1
- Title: Ensure sudo log file exists
- oval:simp.cis.2.0.0.RedHat9.5.2.6_Ensure_sudo_authentication_timeout_is_configured_correctly:def:1
- Title: Ensure sudo authentication timeout is configured correctly
- oval:simp.cis.2.0.0.RedHat9.5.2.7_Ensure_access_to_the_su_command_is_restricted:def:1
- Title: Ensure access to the su command is restricted
- oval:simp.cis.2.0.0.RedHat9.5.3.1.1_Ensure_latest_version_of_pam_is_installed:def:1
- Title: Ensure latest version of pam is installed
- oval:simp.cis.2.0.0.RedHat9.5.3.1.2_Ensure_latest_version_of_authselect_is_installed:def:1
- Title: Ensure latest version of authselect is installed
- oval:simp.cis.2.0.0.RedHat9.5.3.1.3_Ensure_latest_version_of_libpwquality_is_installed:def:1
- Title: Ensure latest version of libpwquality is installed
- oval:simp.cis.2.0.0.RedHat9.5.3.2.1_Ensure_active_authselect_profile_includes_pam_modules:def:1
- Title: Ensure active authselect profile includes pam modules
- NOTE: PAM is in use; however, the regex used to test for this line isn’t picking up the format we’re using for the line that includes the module.
- oval:simp.cis.2.0.0.RedHat9.5.3.2.2_Ensure_pam_faillock_module_is_enabled:def:1
- Title: Ensure pam_faillock module is enabled
- NOTE: The pam_faillock module is in use; however, the regex used to test for this line isn’t picking up the format we’re using for the line that includes the module.
- oval:simp.cis.2.0.0.RedHat9.5.3.2.3_Ensure_pam_pwquality_module_is_enabled:def:1
- Title: Ensure pam_pwquality module is enabled
- oval:simp.cis.2.0.0.RedHat9.5.3.2.4_Ensure_pam_pwhistory_module_is_enabled:def:1
- Title: Ensure pam_pwhistory module is enabled
- oval:simp.cis.2.0.0.RedHat9.5.3.2.5_Ensure_pam_unix_module_is_enabled:def:1
- Title: Ensure pam_unix module is enabled
- NOTE: The pam_unix module is in use; however, the regex used to test for this line isn’t picking up the format we’re using for the line that includes the module.
- oval:simp.cis.2.0.0.RedHat9.5.3.3.1.1_Ensure_password_failed_attempts_lockout_is_configured:def:1
- Title: Ensure password failed attempts lockout is configured
- oval:simp.cis.2.0.0.RedHat9.5.3.3.1.2_Ensure_password_unlock_time_is_configured:def:1
- Title: Ensure password unlock time is configured
- oval:simp.cis.2.0.0.RedHat9.5.3.3.1.3_Ensure_password_failed_attempts_lockout_includes_root_account:def:1
- Title: Ensure password failed attempts lockout includes root account
- oval:simp.cis.2.0.0.RedHat9.5.3.3.2.1_Ensure_password_number_of_changed_characters_is_configured:def:1
- Title: Ensure password number of changed characters is configured
- oval:simp.cis.2.0.0.RedHat9.5.3.3.2.2_Ensure_password_length_is_configured:def:1
- Title: Ensure password length is configured
- oval:simp.cis.2.0.0.RedHat9.5.3.3.2.3_Ensure_password_complexity_is_configured:def:1
- Title: Ensure password complexity is configured
- oval:simp.cis.2.0.0.RedHat9.5.3.3.2.4_Ensure_password_same_consecutive_characters_is_configured:def:1
- Title: Ensure password same consecutive characters is configured
- oval:simp.cis.2.0.0.RedHat9.5.3.3.2.5_Ensure_password_maximum_sequential_characters_is_configured:def:1
- Title: Ensure password maximum sequential characters is configured
- oval:simp.cis.2.0.0.RedHat9.5.3.3.2.6_Ensure_password_dictionary_check_is_enabled:def:1
- Title: Ensure password dictionary check is enabled
- oval:simp.cis.2.0.0.RedHat9.5.3.3.2.7_Ensure_password_quality_is_enforced_for_the_root_user:def:1
- Title: Ensure password quality is enforced for the root user
- NOTE: The password quality will be enforced for root on the ‘password requisite pam_pwquality.so’ lines of /etc/pam.d/system-auth and /etc/pam.d/password-auth. This check will fail because the assessor does not check in this location, it expects it to show up in /etc/security/pwquality.conf.
- oval:simp.cis.2.0.0.RedHat9.5.3.3.3.1_Ensure_password_history_remember_is_configured:def:1
- Title: Ensure password history remember is configured
- oval:simp.cis.2.0.0.RedHat9.5.3.3.3.2_Ensure_password_history_is_enforced_for_the_root_user:def:1
- Title: Ensure password history is enforced for the root user
- oval:simp.cis.2.0.0.RedHat9.5.3.3.3.3_Ensure_pam_pwhistory_includes_use_authtok:def:1
- Title: Ensure pam_pwhistory includes use_authtok
- oval:simp.cis.2.0.0.RedHat9.5.3.3.4.1_Ensure_pam_unix_does_not_include_nullok:def:1
- Title: Ensure pam_unix does not include nullok
- oval:simp.cis.2.0.0.RedHat9.5.3.3.4.2_Ensure_pam_unix_does_not_include_remember:def:1
- Title: Ensure pam_unix does not include remember
- oval:simp.cis.2.0.0.RedHat9.5.3.3.4.3_Ensure_pam_unix_includes_a_strong_password_hashing_algorithm:def:1
- Title: Ensure pam_unix includes a strong password hashing algorithm
- oval:simp.cis.2.0.0.RedHat9.5.3.3.4.4_Ensure_pam_unix_includes_use_authtok:def:1
- Title: Ensure pam_unix includes use_authtok
- oval:simp.cis.2.0.0.RedHat9.5.4.1.1_Ensure_password_expiration_is_configured:def:1
- Title: Ensure password expiration is configured
- NOTE: The product sets PASS_MAX_DAYS in /etc/login.defs, however, there is currently no mechanism to enforce the setting for existing users in /etc/shadow.
- oval:simp.cis.2.0.0.RedHat9.5.4.1.2_Ensure_minimum_password_days_is_configured:def:1
- Title: Ensure minimum password days is configured
- NOTE: PASS_MIN_DAYS is set to 1 in /etc/login.defs as requested and all non-system users will be corrected if they are not set correctly, however, the product does not manage the root or system accounts in this regard. Changing password settings on the system accounts could be dangerous for the system.
- oval:simp.cis.2.0.0.RedHat9.5.4.1.3_Ensure_password_expiration_warning_days_is_configured:def:1
- Title: Ensure password expiration warning days is configured
- oval:simp.cis.2.0.0.RedHat9.5.4.1.4_Ensure_strong_password_hashing_algorithm_is_configured:def:1
- Title: Ensure strong password hashing algorithm is configured
- oval:simp.cis.2.0.0.RedHat9.5.4.1.5_Ensure_inactive_password_lock_is_configured:def:1
- Title: Ensure inactive password lock is configured
- NOTE: The system will be configured to make accounts inactive after 30 days of inactivity, however, the product has no mechanism to change this value on existing users.
- oval:simp.cis.2.0.0.RedHat9.5.4.1.6_Ensure_all_users_last_password_change_date_is_in_the_past:def:1
- Title: Ensure all users last password change date is in the past
- oval:simp.cis.2.0.0.RedHat9.5.4.2.1_Ensure_root_is_the_only_UID_0_account:def:1
- Title: Ensure root is the only UID 0 account
- oval:simp.cis.2.0.0.RedHat9.5.4.2.2_Ensure_root_is_the_only_GID_0_account:def:1
- Title: Ensure root is the only GID 0 account
- oval:simp.cis.2.0.0.RedHat9.5.4.2.3_Ensure_group_root_is_the_only_GID_0_group:def:1
- Title: Ensure group root is the only GID 0 group
- oval:simp.cis.2.0.0.RedHat9.5.4.2.5_Ensure_root_path_integrity:def:1
- Title: Ensure root path integrity
- NOTE: The check for this can fail for various reasons, including the common dot setting the path to include common user customized directories that may not exist.
- oval:simp.cis.2.0.0.RedHat9.5.4.2.6_Ensure_root_user_umask_is_configured:def:1
- Title: Ensure root user umask is configured
- oval:simp.cis.2.0.0.RedHat9.5.4.2.7_Ensure_system_accounts_do_not_have_a_valid_login_shell:def:1
- Title: Ensure system accounts do not have a valid login shell
- oval:simp.cis.2.0.0.RedHat9.5.4.2.8_Ensure_accounts_without_a_valid_login_shell_are_locked:def:1
- Title: Ensure accounts without a valid login shell are locked
- oval:simp.cis.2.0.0.RedHat9.5.4.3.1_Ensure_nologin_is_not_listed_in_etcshells:def:1
- Title: Ensure nologin is not listed in /etc/shells
- oval:simp.cis.2.0.0.RedHat9.5.4.3.2_Ensure_default_user_shell_timeout_is_configured:def:1
- Title: Ensure default user shell timeout is configured
- NOTE: The scanner fails to pick up on the format the product uses for setting the timeout: `[ $TMOUT ] || export TMOUT=900`. The setting is also set in a nonstandard location: /etc/profile.d/simp.sh.
- oval:simp.cis.2.0.0.RedHat9.5.4.3.3_Ensure_default_user_umask_is_configured:def:1
- Title: Ensure default user umask is configured
- oval:simp.cis.2.0.0.RedHat9.6.1.1_Ensure_AIDE_is_installed:def:1
- Title: Ensure AIDE is installed
- oval:simp.cis.2.0.0.RedHat9.6.1.2_Ensure_filesystem_integrity_is_regularly_checked:def:1
- Title: Ensure filesystem integrity is regularly checked
- oval:simp.cis.2.0.0.RedHat9.6.1.3_Ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools:def:1
- Title: Ensure cryptographic mechanisms are used to protect the integrity of audit tools
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide, however, the scanner only looks for files that end in .conf in the aide.conf.d directory so the scan will fail.
- oval:simp.cis.2.0.0.RedHat9.6.2.1.1_Ensure_journald_service_is_enabled_and_active:def:1
- Title: Ensure journald service is enabled and active
- NOTE: Simply including the journald class will include a default journald configuration and ensure the service is enabled.
- oval:simp.cis.2.0.0.RedHat9.6.2.2.1.1_Ensure_systemd-journal-remote_is_installed:def:1
- Title: Ensure systemd-journal-remote is installed
- oval:simp.cis.2.0.0.RedHat9.6.2.2.1.3_Ensure_systemd-journal-upload_is_enabled_and_active:def:1
- Title: Ensure systemd-journal-upload is enabled and active
- oval:simp.cis.2.0.0.RedHat9.6.2.2.1.4_Ensure_systemd-journal-remote_service_is_not_in_use:def:1
- Title: Ensure systemd-journal-remote service is not in use
- oval:simp.cis.2.0.0.RedHat9.6.2.2.2_Ensure_journald_ForwardToSyslog_is_disabled:def:1
- Title: Ensure journald ForwardToSyslog is disabled
- oval:simp.cis.2.0.0.RedHat9.6.2.2.3_Ensure_journald_Compress_is_configured:def:1
- Title: Ensure journald Compress is configured
- oval:simp.cis.2.0.0.RedHat9.6.2.2.4_Ensure_journald_Storage_is_configured:def:1
- Title: Ensure journald Storage is configured
- oval:simp.cis.2.0.0.RedHat9.6.2.3.1_Ensure_rsyslog_is_installed:def:1
- Title: Ensure rsyslog is installed
- oval:simp.cis.2.0.0.RedHat9.6.2.3.2_Ensure_rsyslog_service_is_enabled_and_active:def:1
- Title: Ensure rsyslog service is enabled and active
- oval:simp.cis.2.0.0.RedHat9.6.2.3.4_Ensure_rsyslog_log_file_creation_mode_is_configured:def:1
- Title: Ensure rsyslog log file creation mode is configured
- oval:simp.cis.2.0.0.RedHat9.6.2.3.5_Ensure_rsyslog_logging_is_configured:def:1
- Title: Ensure rsyslog logging is configured
- oval:simp.cis.2.0.0.RedHat9.6.2.3.7_Ensure_rsyslog_is_not_configured_to_receive_logs_from_a_remote_client:def:1
- Title: Ensure rsyslog is not configured to receive logs from a remote client
- NOTE: Including the product’s rsyslog class will purge any rsyslog configuration not specified by the user in hieradata or by other rules that require specific rsyslog configuration.
- oval:simp.cis.2.0.0.RedHat9.6.3.1.1_Ensure_auditd_packages_are_installed:def:1
- Title: Ensure auditd packages are installed
- oval:simp.cis.2.0.0.RedHat9.6.3.1.2_Ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled:def:1
- Title: Ensure auditing for processes that start prior to auditd is enabled
- NOTE: This value is set in /etc/default/grub, however, the scanner doesn’t scan for the value here.
- oval:simp.cis.2.0.0.RedHat9.6.3.1.3_Ensure_audit_backlog_limit_is_sufficient:def:1
- Title: Ensure audit_backlog_limit is sufficient
- oval:simp.cis.2.0.0.RedHat9.6.3.1.4_Ensure_auditd_service_is_enabled_and_active:def:1
- Title: Ensure auditd service is enabled and active
- oval:simp.cis.2.0.0.RedHat9.6.3.2.1_Ensure_audit_log_storage_size_is_configured:def:1
- Title: Ensure audit log storage size is configured
- oval:simp.cis.2.0.0.RedHat9.6.3.2.2_Ensure_audit_logs_are_not_automatically_deleted:def:1
- Title: Ensure audit logs are not automatically deleted
- oval:simp.cis.2.0.0.RedHat9.6.3.2.3_Ensure_system_is_disabled_when_audit_logs_are_full:def:1
- Title: Ensure system is disabled when audit logs are full
- oval:simp.cis.2.0.0.RedHat9.6.3.2.4_Ensure_system_warns_when_audit_logs_are_low_on_space:def:1
- Title: Ensure system warns when audit logs are low on space
- oval:simp.cis.2.0.0.RedHat9.6.3.3.10_Ensure_successful_file_system_mounts_are_collected:def:1
- Title: Ensure successful file system mounts are collected
- oval:simp.cis.2.0.0.RedHat9.6.3.3.11_Ensure_session_initiation_information_is_collected:def:1
- Title: Ensure session initiation information is collected
- oval:simp.cis.2.0.0.RedHat9.6.3.3.12_Ensure_login_and_logout_events_are_collected:def:1
- Title: Ensure login and logout events are collected
- oval:simp.cis.2.0.0.RedHat9.6.3.3.13_Ensure_file_deletion_events_by_users_are_collected:def:1
- Title: Ensure file deletion events by users are collected
- oval:simp.cis.2.0.0.RedHat9.6.3.3.14_Ensure_events_that_modify_the_systems_Mandatory_Access_Controls_are_collected:def:1
- Title: Ensure events that modify the system’s Mandatory Access Controls are collected
- oval:simp.cis.2.0.0.RedHat9.6.3.3.15_Ensure_successful_and_unsuccessful_attempts_to_use_the_chcon_command_are_collected:def:1
- Title: Ensure successful and unsuccessful attempts to use the chcon command are collected
- oval:simp.cis.2.0.0.RedHat9.6.3.3.16_Ensure_successful_and_unsuccessful_attempts_to_use_the_setfacl_command_are_collected:def:1
- Title: Ensure successful and unsuccessful attempts to use the setfacl command are collected
- oval:simp.cis.2.0.0.RedHat9.6.3.3.17_Ensure_successful_and_unsuccessful_attempts_to_use_the_chacl_command_are_collected:def:1
- Title: Ensure successful and unsuccessful attempts to use the chacl command are collected
- oval:simp.cis.2.0.0.RedHat9.6.3.3.18_Ensure_successful_and_unsuccessful_attempts_to_use_the_usermod_command_are_collected:def:1
- Title: Ensure successful and unsuccessful attempts to use the usermod command are collected
- oval:simp.cis.2.0.0.RedHat9.6.3.3.19_Ensure_kernel_module_loading_unloading_and_modification_is_collected:def:1
- Title: Ensure kernel module loading unloading and modification is collected
- oval:simp.cis.2.0.0.RedHat9.6.3.3.1_Ensure_changes_to_system_administration_scope_sudoers_is_collected:def:1
- Title: Ensure changes to system administration scope (sudoers) is collected
- oval:simp.cis.2.0.0.RedHat9.6.3.3.20_Ensure_the_audit_configuration_is_immutable:def:1
- Title: Ensure the audit configuration is immutable
- oval:simp.cis.2.0.0.RedHat9.6.3.3.21_Ensure_the_running_and_on_disk_configuration_is_the_same:def:1
- Title: Ensure the running and on disk configuration is the same
- NOTE: Including the audit class will force the system to check the expected rule set against what is on the disk. If there are discrepancies, then the rules will be changed to the expected state and the service will be restarted, which will ensure the rules on disk are the same as the running rules.
- oval:simp.cis.2.0.0.RedHat9.6.3.3.2_Ensure_actions_as_another_user_are_always_logged:def:1
- Title: Ensure actions as another user are always logged
- oval:simp.cis.2.0.0.RedHat9.6.3.3.3_Ensure_events_that_modify_the_sudo_log_file_are_collected:def:1
- Title: Ensure events that modify the sudo log file are collected
- oval:simp.cis.2.0.0.RedHat9.6.3.3.4_Ensure_events_that_modify_date_and_time_information_are_collected:def:1
- Title: Ensure events that modify date and time information are collected
- NOTE: The rule for this will look for the audit rules in /etc/audit/rules.d/50-time-change.rules, however, all custom audit rules specified in the product will live in /etc/audit/rules.d/50-time-change.rules.
- oval:simp.cis.2.0.0.RedHat9.6.3.3.5_Ensure_events_that_modify_the_systems_network_environment_are_collected:def:1
- Title: Ensure events that modify the system’s network environment are collected
- oval:simp.cis.2.0.0.RedHat9.6.3.3.6_Ensure_use_of_privileged_commands_are_collected:def:1
- Title: Ensure use of privileged commands are collected
- NOTE: The available setuid/setgid commands on a given system could vary greatly. Several of the more common commands are audited, but there is currently no automated way to identify and audit all possible setuid/setgid commands available on any given system.
- oval:simp.cis.2.0.0.RedHat9.6.3.3.7_Ensure_unsuccessful_file_access_attempts_are_collected:def:1
- Title: Ensure unsuccessful file access attempts are collected
- oval:simp.cis.2.0.0.RedHat9.6.3.3.8_Ensure_events_that_modify_usergroup_information_are_collected:def:1
- Title: Ensure events that modify user/group information are collected
- oval:simp.cis.2.0.0.RedHat9.6.3.3.9_Ensure_discretionary_access_control_permission_modification_events_are_collected:def:1
- Title: Ensure discretionary access control permission modification events are collected
- oval:simp.cis.2.0.0.RedHat9.6.3.4.10_Ensure_audit_tools_group_owner_is_configured:def:1
- Title: Ensure audit tools group owner is configured
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide, however, the scanner only looks for files that end in .conf in the aide.conf.d directory so the scan will fail.
- oval:simp.cis.2.0.0.RedHat9.6.3.4.1_Ensure_the_audit_log_file_directory_mode_is_configured:def:1
- Title: Ensure the audit log file directory mode is configured
- oval:simp.cis.2.0.0.RedHat9.6.3.4.2_Ensure_audit_log_files_mode_is_configured:def:1
- Title: Ensure audit log files mode is configured
- oval:simp.cis.2.0.0.RedHat9.6.3.4.3_Ensure_audit_log_files_owner_is_configured:def:1
- Title: Ensure audit log files owner is configured
- oval:simp.cis.2.0.0.RedHat9.6.3.4.4_Ensure_audit_log_files_group_owner_is_configured:def:1
- Title: Ensure audit log files group owner is configured
- oval:simp.cis.2.0.0.RedHat9.6.3.4.5_Ensure_audit_configuration_files_mode_is_configured:def:1
- Title: Ensure audit configuration files mode is configured
- NOTE: This will fail even if all of the configuration files in question are owned by the root group.
- oval:simp.cis.2.0.0.RedHat9.6.3.4.6_Ensure_audit_configuration_files_owner_is_configured:def:1
- Title: Ensure audit configuration files owner is configured
- NOTE: This will fail even if all of the configuration files in question are owned by the root group.
- oval:simp.cis.2.0.0.RedHat9.6.3.4.7_Ensure_audit_configuration_files_group_owner_is_configured:def:1
- Title: Ensure audit configuration files group owner is configured
- NOTE: This will fail even if all of the configuration files in question are owned by the root group.
- oval:simp.cis.2.0.0.RedHat9.6.3.4.8_Ensure_audit_tools_mode_is_configured:def:1
- Title: Ensure audit tools mode is configured
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide, however, the scanner only looks for files that end in .conf in the aide.conf.d directory so the scan will fail.
- oval:simp.cis.2.0.0.RedHat9.6.3.4.9_Ensure_audit_tools_owner_is_configured:def:1
- Title: Ensure audit tools owner is configured
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide, however, the scanner only looks for files that end in .conf in the aide.conf.d directory so the scan will fail.
- oval:simp.cis.2.0.0.RedHat9.7.1.10_Ensure_permissions_on_etcsecurityopasswd_are_configured:def:1
- Title: Ensure permissions on /etc/security/opasswd are configured
- oval:simp.cis.2.0.0.RedHat9.7.1.1_Ensure_permissions_on_etcpasswd_are_configured:def:1
- Title: Ensure permissions on /etc/passwd are configured
- oval:simp.cis.2.0.0.RedHat9.7.1.2_Ensure_permissions_on_etcpasswd-_are_configured:def:1
- Title: Ensure permissions on /etc/passwd- are configured
- oval:simp.cis.2.0.0.RedHat9.7.1.3_Ensure_permissions_on_etcgroup_are_configured:def:1
- Title: Ensure permissions on /etc/group are configured
- oval:simp.cis.2.0.0.RedHat9.7.1.4_Ensure_permissions_on_etcgroup-_are_configured:def:1
- Title: Ensure permissions on /etc/group- are configured
- oval:simp.cis.2.0.0.RedHat9.7.1.5_Ensure_permissions_on_etcshadow_are_configured:def:1
- Title: Ensure permissions on /etc/shadow are configured
- oval:simp.cis.2.0.0.RedHat9.7.1.6_Ensure_permissions_on_etcshadow-_are_configured:def:1
- Title: Ensure permissions on /etc/shadow- are configured
- oval:simp.cis.2.0.0.RedHat9.7.1.7_Ensure_permissions_on_etcgshadow_are_configured:def:1
- Title: Ensure permissions on /etc/gshadow are configured
- oval:simp.cis.2.0.0.RedHat9.7.1.8_Ensure_permissions_on_etcgshadow-_are_configured:def:1
- Title: Ensure permissions on /etc/gshadow- are configured
- oval:simp.cis.2.0.0.RedHat9.7.1.9_Ensure_permissions_on_etcshells_are_configured:def:1
- Title: Ensure permissions on /etc/shells are configured
- oval:simp.cis.2.0.0.RedHat9.7.2.1_Ensure_accounts_in_etcpasswd_use_shadowed_passwords:def:1
- Title: Ensure accounts in /etc/passwd use shadowed passwords
- oval:simp.cis.2.0.0.RedHat9.7.2.2_Ensure_etcshadow_password_fields_are_not_empty:def:1
- Title: Ensure /etc/shadow password fields are not empty
- oval:simp.cis.2.0.0.RedHat9.7.2.3_Ensure_all_groups_in_etcpasswd_exist_in_etcgroup:def:1
- Title: Ensure all groups in /etc/passwd exist in /etc/group
- oval:simp.cis.2.0.0.RedHat9.7.2.4_Ensure_no_duplicate_UIDs_exist:def:1
- Title: Ensure no duplicate UIDs exist
- oval:simp.cis.2.0.0.RedHat9.7.2.5_Ensure_no_duplicate_GIDs_exist:def:1
- Title: Ensure no duplicate GIDs exist
- oval:simp.cis.2.0.0.RedHat9.7.2.6_Ensure_no_duplicate_user_names_exist:def:1
- Title: Ensure no duplicate user names exist
- oval:simp.cis.2.0.0.RedHat9.7.2.7_Ensure_no_duplicate_group_names_exist:def:1
- Title: Ensure no duplicate group names exist
- oval:simp.cis.2.0.0.RedHat9.7.2.8_Ensure_local_interactive_user_home_directories_are_configured:def:1
- Title: Ensure local interactive user home directories are configured
- oval:simp.cis.2.0.0.RedHat9.7.2.9_Ensure_local_interactive_user_dot_files_access_is_configured:def:1
- Title: Ensure local interactive user dot files access is configured
Rocky 8 (266/287 [92%])
- oval:simp.cis.2.0.0.Rocky8.1.1.1.1_Ensure_cramfs_kernel_module_is_not_available:def:1
- Title: Ensure cramfs kernel module is not available
- oval:simp.cis.2.0.0.Rocky8.1.1.1.2_Ensure_freevxfs_kernel_module_is_not_available:def:1
- Title: Ensure freevxfs kernel module is not available
- oval:simp.cis.2.0.0.Rocky8.1.1.1.3_Ensure_hfs_kernel_module_is_not_available:def:1
- Title: Ensure hfs kernel module is not available
- oval:simp.cis.2.0.0.Rocky8.1.1.1.4_Ensure_hfsplus_kernel_module_is_not_available:def:1
- Title: Ensure hfsplus kernel module is not available
- oval:simp.cis.2.0.0.Rocky8.1.1.1.5_Ensure_jffs2_kernel_module_is_not_available:def:1
- Title: Ensure jffs2 kernel module is not available
- oval:simp.cis.2.0.0.Rocky8.1.1.1.6_Ensure_squashfs_kernel_module_is_not_available:def:1
- Title: Ensure squashfs kernel module is not available
- oval:simp.cis.2.0.0.Rocky8.1.1.1.7_Ensure_udf_kernel_module_is_not_available:def:1
- Title: Ensure udf kernel module is not available
- oval:simp.cis.2.0.0.Rocky8.1.1.1.8_Ensure_usb-storage_kernel_module_is_not_available:def:1
- Title: Ensure usb-storage kernel module is not available
- oval:simp.cis.2.0.0.Rocky8.1.1.2.1.1_Ensure_tmp_is_a_separate_partition:def:1
- Title: Ensure /tmp is a separate partition
- oval:simp.cis.2.0.0.Rocky8.1.1.2.1.2_Ensure_nodev_option_set_on_tmp_partition:def:1
- Title: Ensure nodev option set on /tmp partition
- oval:simp.cis.2.0.0.Rocky8.1.1.2.1.3_Ensure_nosuid_option_set_on_tmp_partition:def:1
- Title: Ensure nosuid option set on /tmp partition
- oval:simp.cis.2.0.0.Rocky8.1.1.2.1.4_Ensure_noexec_option_set_on_tmp_partition:def:1
- Title: Ensure noexec option set on /tmp partition
- oval:simp.cis.2.0.0.Rocky8.1.1.2.2.2_Ensure_nodev_option_set_on_devshm_partition:def:1
- Title: Ensure nodev option set on /dev/shm partition
- oval:simp.cis.2.0.0.Rocky8.1.1.2.2.3_Ensure_nosuid_option_set_on_devshm_partition:def:1
- Title: Ensure nosuid option set on /dev/shm partition
- oval:simp.cis.2.0.0.Rocky8.1.1.2.2.4_Ensure_noexec_option_set_on_devshm_partition:def:1
- Title: Ensure noexec option set on /dev/shm partition
- oval:simp.cis.2.0.0.Rocky8.1.1.2.3.2_Ensure_nodev_option_set_on_home_partition:def:1
- Title: Ensure nodev option set on /home partition
- oval:simp.cis.2.0.0.Rocky8.1.1.2.3.3_Ensure_nosuid_option_set_on_home_partition:def:1
- Title: Ensure nosuid option set on /home partition
- oval:simp.cis.2.0.0.Rocky8.1.1.2.4.2_Ensure_nodev_option_set_on_var_partition:def:1
- Title: Ensure nodev option set on /var partition
- oval:simp.cis.2.0.0.Rocky8.1.1.2.4.3_Ensure_nosuid_option_set_on_var_partition:def:1
- Title: Ensure nosuid option set on /var partition
- oval:simp.cis.2.0.0.Rocky8.1.1.2.5.2_Ensure_nodev_option_set_on_vartmp_partition:def:1
- Title: Ensure nodev option set on /var/tmp partition
- oval:simp.cis.2.0.0.Rocky8.1.1.2.5.3_Ensure_nosuid_option_set_on_vartmp_partition:def:1
- Title: Ensure nosuid option set on /var/tmp partition
- oval:simp.cis.2.0.0.Rocky8.1.1.2.5.4_Ensure_noexec_option_set_on_vartmp_partition:def:1
- Title: Ensure noexec option set on /var/tmp partition
- oval:simp.cis.2.0.0.Rocky8.1.1.2.6.2_Ensure_nodev_option_set_on_varlog_partition:def:1
- Title: Ensure nodev option set on /var/log partition
- oval:simp.cis.2.0.0.Rocky8.1.1.2.6.3_Ensure_nosuid_option_set_on_varlog_partition:def:1
- Title: Ensure nosuid option set on /var/log partition
- oval:simp.cis.2.0.0.Rocky8.1.1.2.6.4_Ensure_noexec_option_set_on_varlog_partition:def:1
- Title: Ensure noexec option set on /var/log partition
- oval:simp.cis.2.0.0.Rocky8.1.1.2.7.2_Ensure_nodev_option_set_on_varlogaudit_partition:def:1
- Title: Ensure nodev option set on /var/log/audit partition
- oval:simp.cis.2.0.0.Rocky8.1.1.2.7.3_Ensure_nosuid_option_set_on_varlogaudit_partition:def:1
- Title: Ensure nosuid option set on /var/log/audit partition
- oval:simp.cis.2.0.0.Rocky8.1.1.2.7.4_Ensure_noexec_option_set_on_varlogaudit_partition:def:1
- Title: Ensure noexec option set on /var/log/audit partition
- oval:simp.cis.2.0.0.Rocky8.1.2.2_Ensure_gpgcheck_is_globally_activated:def:1
- Title: Ensure gpgcheck is globally activated
- NOTE: Some organizations will need gpgcheck to be turned off for some of their internal repos. The best the product can do in this scenario is to enable gpgcheck in /etc/yum.conf and rely on the customers to control the gpg settings of their individual repos.
- oval:simp.cis.2.0.0.Rocky8.1.2.3_Ensure_repo_gpgcheck_is_globally_activated:def:1
- Title: Ensure repo_gpgcheck is globally activated
- oval:simp.cis.2.0.0.Rocky8.1.2.5_Ensure_updates_patches_and_additional_security_software_are_installed:def:1
- Title: Ensure updates, patches, and additional security software are installed
- oval:simp.cis.2.0.0.Rocky8.1.3.1_Ensure_bootloader_password_is_set:def:1
- Title: Ensure bootloader password is set
- NOTE: The rule checks specifically for ‘GRUB2_PASSWORD=’ in /boot/grub2/user.cfg, however, the product sets the grub password via /boot/grub2/grub.cfg with the password_pbkdf2 parameter.
- oval:simp.cis.2.0.0.Rocky8.1.3.2_Ensure_permissions_on_bootloader_config_are_configured:def:1
- Title: Ensure permissions on bootloader config are configured
- NOTE: The product does not utilize /boot/grub2/user.cfg, however, the rule will check for its existence and fail.
- oval:simp.cis.2.0.0.Rocky8.1.4.1_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1
- Title: Ensure address space layout randomization (ASLR) is enabled
- oval:simp.cis.2.0.0.Rocky8.1.4.2_Ensure_ptrace_scope_is_restricted:def:1
- Title: Ensure ptrace_scope is restricted
- oval:simp.cis.2.0.0.Rocky8.1.4.3_Ensure_core_dump_backtraces_are_disabled:def:1
- Title: Ensure core dump backtraces are disabled
- oval:simp.cis.2.0.0.Rocky8.1.4.4_Ensure_core_dump_storage_is_disabled:def:1
- Title: Ensure core dump storage is disabled
- oval:simp.cis.2.0.0.Rocky8.1.5.1.1_Ensure_SELinux_is_installed:def:1
- Title: Ensure SELinux is installed
- oval:simp.cis.2.0.0.Rocky8.1.5.1.2_Ensure_SELinux_is_not_disabled_in_bootloader_configuration:def:1
- Title: Ensure SELinux is not disabled in bootloader configuration
- oval:simp.cis.2.0.0.Rocky8.1.5.1.3_Ensure_SELinux_policy_is_configured:def:1
- Title: Ensure SELinux policy is configured
- oval:simp.cis.2.0.0.Rocky8.1.5.1.4_Ensure_the_SELinux_mode_is_not_disabled:def:1
- Title: Ensure the SELinux mode is not disabled
- oval:simp.cis.2.0.0.Rocky8.1.5.1.5_Ensure_the_SELinux_mode_is_enforcing:def:1
- Title: Ensure the SELinux mode is enforcing
- oval:simp.cis.2.0.0.Rocky8.1.5.1.7_Ensure_the_MCS_Translation_Service_mcstrans_is_not_installed:def:1
- Title: Ensure the MCS Translation Service (mcstrans) is not installed
- NOTE: The mcstrans package is not installed, however, the scanner is still flagging this rpm as being on the system.
- oval:simp.cis.2.0.0.Rocky8.1.5.1.8_Ensure_SETroubleshoot_is_not_installed:def:1
- Title: Ensure SETroubleshoot is not installed
- oval:simp.cis.2.0.0.Rocky8.1.6.1_Ensure_system_wide_crypto_policy_is_not_set_to_legacy:def:1
- Title: Ensure system wide crypto policy is not set to legacy
- oval:simp.cis.2.0.0.Rocky8.1.7.1_Ensure_message_of_the_day_is_configured_properly:def:1
- Title: Ensure message of the day is configured properly
- oval:simp.cis.2.0.0.Rocky8.1.7.2_Ensure_local_login_warning_banner_is_configured_properly:def:1
- Title: Ensure local login warning banner is configured properly
- oval:simp.cis.2.0.0.Rocky8.1.7.3_Ensure_remote_login_warning_banner_is_configured_properly:def:1
- Title: Ensure remote login warning banner is configured properly
- oval:simp.cis.2.0.0.Rocky8.1.7.4_Ensure_access_to_etcmotd_is_configured:def:1
- Title: Ensure access to /etc/motd is configured
- oval:simp.cis.2.0.0.Rocky8.1.7.5_Ensure_access_to_etcissue_is_configured:def:1
- Title: Ensure access to /etc/issue is configured
- oval:simp.cis.2.0.0.Rocky8.1.7.6_Ensure_access_to_etcissue.net_is_configured:def:1
- Title: Ensure access to /etc/issue.net is configured
- oval:simp.cis.2.0.0.Rocky8.1.8.10_Ensure_XDMCP_is_not_enabled:def:1
- Title: Ensure XDMCP is not enabled
- oval:simp.cis.2.0.0.Rocky8.1.8.1_Ensure_GNOME_Display_Manager_is_removed:def:1
- Title: Ensure GNOME Display Manager is removed
- oval:simp.cis.2.0.0.Rocky8.1.8.2_Ensure_GDM_login_banner_is_configured:def:1
- Title: Ensure GDM login banner is configured
- oval:simp.cis.2.0.0.Rocky8.1.8.3_Ensure_GDM_disable-user-list_option_is_enabled:def:1
- Title: Ensure GDM disable-user-list option is enabled
- oval:simp.cis.2.0.0.Rocky8.1.8.4_Ensure_GDM_screen_locks_when_the_user_is_idle:def:1
- Title: Ensure GDM screen locks when the user is idle
- oval:simp.cis.2.0.0.Rocky8.1.8.5_Ensure_GDM_screen_locks_cannot_be_overridden:def:1
- Title: Ensure GDM screen locks cannot be overridden
- oval:simp.cis.2.0.0.Rocky8.1.8.6_Ensure_GDM_automatic_mounting_of_removable_media_is_disabled:def:1
- Title: Ensure GDM automatic mounting of removable media is disabled
- NOTE: This will remediate the rule as requested, however, the check will still fail because spacing is not aligned as expected in the rule.
- oval:simp.cis.2.0.0.Rocky8.1.8.7_Ensure_GDM_disabling_automatic_mounting_of_removable_media_is_not_overridden:def:1
- Title: Ensure GDM disabling automatic mounting of removable media is not overridden
- oval:simp.cis.2.0.0.Rocky8.1.8.8_Ensure_GDM_autorun-never_is_enabled:def:1
- Title: Ensure GDM autorun-never is enabled
- oval:simp.cis.2.0.0.Rocky8.1.8.9_Ensure_GDM_autorun-never_is_not_overridden:def:1
- Title: Ensure GDM autorun-never is not overridden
- oval:simp.cis.2.0.0.Rocky8.2.1.1_Ensure_time_synchronization_is_in_use:def:1
- Title: Ensure time synchronization is in use
- NOTE: We are configuring the system to use ntpd instead of chrony.
- oval:simp.cis.2.0.0.Rocky8.2.1.2_Ensure_chrony_is_configured:def:1
- Title: Ensure chrony is configured
- NOTE: We are configuring the system to use ntpd instead of chrony.
- oval:simp.cis.2.0.0.Rocky8.2.1.3_Ensure_chrony_is_not_run_as_the_root_user:def:1
- Title: Ensure chrony is not run as the root user
- oval:simp.cis.2.0.0.Rocky8.2.2.10_Ensure_nis_server_services_are_not_in_use:def:1
- Title: Ensure nis server services are not in use
- oval:simp.cis.2.0.0.Rocky8.2.2.11_Ensure_print_server_services_are_not_in_use:def:1
- Title: Ensure print server services are not in use
- oval:simp.cis.2.0.0.Rocky8.2.2.12_Ensure_rpcbind_services_are_not_in_use:def:1
- Title: Ensure rpcbind services are not in use
- oval:simp.cis.2.0.0.Rocky8.2.2.13_Ensure_rsync_services_are_not_in_use:def:1
- Title: Ensure rsync services are not in use
- oval:simp.cis.2.0.0.Rocky8.2.2.14_Ensure_snmp_services_are_not_in_use:def:1
- Title: Ensure snmp services are not in use
- oval:simp.cis.2.0.0.Rocky8.2.2.15_Ensure_telnet_server_services_are_not_in_use:def:1
- Title: Ensure telnet server services are not in use
- oval:simp.cis.2.0.0.Rocky8.2.2.16_Ensure_tftp_server_services_are_not_in_use:def:1
- Title: Ensure tftp server services are not in use
- oval:simp.cis.2.0.0.Rocky8.2.2.17_Ensure_web_proxy_server_services_are_not_in_use:def:1
- Title: Ensure web proxy server services are not in use
- oval:simp.cis.2.0.0.Rocky8.2.2.18_Ensure_web_server_services_are_not_in_use:def:1
- Title: Ensure web server services are not in use
- oval:simp.cis.2.0.0.Rocky8.2.2.19_Ensure_xinetd_services_are_not_in_use:def:1
- Title: Ensure xinetd services are not in use
- oval:simp.cis.2.0.0.Rocky8.2.2.1_Ensure_autofs_services_are_not_in_use:def:1
- Title: Ensure autofs services are not in use
- oval:simp.cis.2.0.0.Rocky8.2.2.20_Ensure_X_window_server_services_are_not_in_use:def:1
- Title: Ensure X window server services are not in use
- oval:simp.cis.2.0.0.Rocky8.2.2.21_Ensure_mail_transfer_agents_are_configured_for_local-only_mode:def:1
- Title: Ensure mail transfer agents are configured for local-only mode
- oval:simp.cis.2.0.0.Rocky8.2.2.22_Ensure_only_approved_services_are_listening_on_a_network_interface:def:1
- Title: Ensure only approved services are listening on a network interface
- oval:simp.cis.2.0.0.Rocky8.2.2.2_Ensure_avahi_daemon_services_are_not_in_use:def:1
- Title: Ensure avahi daemon services are not in use
- oval:simp.cis.2.0.0.Rocky8.2.2.3_Ensure_dhcp_server_services_are_not_in_use:def:1
- Title: Ensure dhcp server services are not in use
- oval:simp.cis.2.0.0.Rocky8.2.2.4_Ensure_dns_server_services_are_not_in_use:def:1
- Title: Ensure dns server services are not in use
- oval:simp.cis.2.0.0.Rocky8.2.2.5_Ensure_dnsmasq_services_are_not_in_use:def:1
- Title: Ensure dnsmasq services are not in use
- oval:simp.cis.2.0.0.Rocky8.2.2.6_Ensure_samba_file_server_services_are_not_in_use:def:1
- Title: Ensure samba file server services are not in use
- oval:simp.cis.2.0.0.Rocky8.2.2.7_Ensure_ftp_server_services_are_not_in_use:def:1
- Title: Ensure ftp server services are not in use
- oval:simp.cis.2.0.0.Rocky8.2.2.8_Ensure_message_access_server_services_are_not_in_use:def:1
- Title: Ensure message access server services are not in use
- oval:simp.cis.2.0.0.Rocky8.2.2.9_Ensure_network_file_system_services_are_not_in_use:def:1
- Title: Ensure network file system services are not in use
- oval:simp.cis.2.0.0.Rocky8.2.3.1_Ensure_ftp_client_is_not_installed:def:1
- Title: Ensure ftp client is not installed
- oval:simp.cis.2.0.0.Rocky8.2.3.2_Ensure_ldap_client_is_not_installed:def:1
- Title: Ensure ldap client is not installed
- oval:simp.cis.2.0.0.Rocky8.2.3.3_Ensure_nis_client_is_not_installed:def:1
- Title: Ensure nis client is not installed
- oval:simp.cis.2.0.0.Rocky8.2.3.4_Ensure_telnet_client_is_not_installed:def:1
- Title: Ensure telnet client is not installed
- oval:simp.cis.2.0.0.Rocky8.2.3.5_Ensure_tftp_client_is_not_installed:def:1
- Title: Ensure tftp client is not installed
- oval:simp.cis.2.0.0.Rocky8.3.1.1_Ensure_IPv6_status_is_identified:def:1
- Title: Ensure IPv6 status is identified
- NOTE: This rule is more of a system audit than hard guidance. If IPv6 is actually enabled, some additional configuration is required, which the product takes care of by default.
- oval:simp.cis.2.0.0.Rocky8.3.1.2_Ensure_wireless_interfaces_are_disabled:def:1
- Title: Ensure wireless interfaces are disabled
- oval:simp.cis.2.0.0.Rocky8.3.1.3_Ensure_bluetooth_services_are_not_in_use:def:1
- Title: Ensure bluetooth services are not in use
- oval:simp.cis.2.0.0.Rocky8.3.2.1_Ensure_dccp_kernel_module_is_not_available:def:1
- Title: Ensure dccp kernel module is not available
- oval:simp.cis.2.0.0.Rocky8.3.2.2_Ensure_tipc_kernel_module_is_not_available:def:1
- Title: Ensure tipc kernel module is not available
- oval:simp.cis.2.0.0.Rocky8.3.2.3_Ensure_rds_kernel_module_is_not_available:def:1
- Title: Ensure rds kernel module is not available
- oval:simp.cis.2.0.0.Rocky8.3.2.4_Ensure_sctp_kernel_module_is_not_available:def:1
- Title: Ensure sctp kernel module is not available
- oval:simp.cis.2.0.0.Rocky8.3.3.10_Ensure_tcp_syn_cookies_is_enabled:def:1
- Title: Ensure tcp syn cookies is enabled
- oval:simp.cis.2.0.0.Rocky8.3.3.11_Ensure_ipv6_router_advertisements_are_not_accepted:def:1
- Title: Ensure ipv6 router advertisements are not accepted
- oval:simp.cis.2.0.0.Rocky8.3.3.1_Ensure_ip_forwarding_is_disabled:def:1
- Title: Ensure ip forwarding is disabled
- oval:simp.cis.2.0.0.Rocky8.3.3.2_Ensure_packet_redirect_sending_is_disabled:def:1
- Title: Ensure packet redirect sending is disabled
- oval:simp.cis.2.0.0.Rocky8.3.3.3_Ensure_bogus_icmp_responses_are_ignored:def:1
- Title: Ensure bogus icmp responses are ignored
- oval:simp.cis.2.0.0.Rocky8.3.3.4_Ensure_broadcast_icmp_requests_are_ignored:def:1
- Title: Ensure broadcast icmp requests are ignored
- oval:simp.cis.2.0.0.Rocky8.3.3.5_Ensure_icmp_redirects_are_not_accepted:def:1
- Title: Ensure icmp redirects are not accepted
- oval:simp.cis.2.0.0.Rocky8.3.3.6_Ensure_secure_icmp_redirects_are_not_accepted:def:1
- Title: Ensure secure icmp redirects are not accepted
- oval:simp.cis.2.0.0.Rocky8.3.3.7_Ensure_reverse_path_filtering_is_enabled:def:1
- Title: Ensure reverse path filtering is enabled
- NOTE: The correct values are set in the running configuration, in /etc/sysctl.d/99-sysctl.conf, and in /usr/lib/sysctl.d/50-redhat.conf. However, /usr/lib/sysctl.d/50-default.conf is not changed. Unless it is edited manually, the check for this rule will fail, even though the value in 50-default.conf is overridden by the later-sorting files listed above and is not what the running system uses.
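Why a stale value in 50-default.conf is harmless at runtime but still fails a file-by-file check follows from how systemd-sysctl merges the sysctl.d directories (sysctl.d(5)): files from all directories are merged by basename, a file in a higher-priority directory masks same-named files in lower-priority ones, the survivors are sorted by name, and the lexicographically last assignment of a key wins. The script below is an added example, not the product's code and not the assessor's logic; it resolves the winning assignment for a key with those rules and lists the files whose value disagrees with it. The directory tree and file contents built by demo_tree are constructed in a temporary directory for illustration and are not the contents of the real 50-default.conf or 50-redhat.conf.

```sh
#!/bin/sh
# Added example (not the product's code): resolve the effective sysctl.d value
# for a key the way systemd-sysctl does (see sysctl.d(5)): files from all
# directories are merged by basename, a file in an earlier (higher-priority)
# directory masks same-named files in later ones, the survivors are sorted by
# name, and the lexicographically last assignment wins. The sample tree built
# by demo_tree is constructed; its contents are assumptions.

# Print "path<TAB>value" for every assignment of KEY, in the order
# systemd-sysctl would apply them. Usage: sysctl_assignments KEY DIR...
# DIR arguments are given highest priority first (e.g. /etc/sysctl.d before
# /usr/lib/sysctl.d).
sysctl_assignments() {
  key=$1; shift
  tab=$(printf '\t')
  for d in "$@"; do
    for f in "$d"/*.conf; do
      [ -f "$f" ] || continue
      printf '%s\t%s\n' "${f##*/}" "$f"
    done
  done \
    | awk -F"$tab" '!seen[$1]++' \
    | sort -t "$tab" -k1,1 \
    | cut -f2 \
    | while IFS= read -r path; do
        awk -v k="$key" -v f="$path" '
          /^[ \t]*[#;]/ || !index($0, "=") { next }
          {
            n = index($0, "=")
            lhs = substr($0, 1, n - 1); rhs = substr($0, n + 1)
            gsub(/^[ \t-]+|[ \t]+$/, "", lhs)   # a leading "-" means "ignore errors"
            gsub(/^[ \t]+|[ \t]+$/, "", rhs)
            gsub("/", ".", lhs)                 # sysctl.d accepts a/b/c as well as a.b.c
            if (lhs == k) print f "\t" rhs
          }' "$path"
      done
}

# The value systemd-sysctl would actually apply (empty if no file sets KEY).
effective_sysctl() {
  sysctl_assignments "$@" | tail -n 1 | cut -f2
}

# Files whose assignment of KEY differs from the effective value: harmless at
# runtime, but exactly what a file-by-file scanner reports as a failure.
stale_sysctl_files() {
  want=$(effective_sysctl "$@")
  sysctl_assignments "$@" | awk -F'\t' -v want="$want" '$2 != want { print $1 }'
}

# Constructed tree mirroring the layout in the note above (contents assumed).
demo_tree() {
  mkdir -p "$1/etc/sysctl.d" "$1/usr/lib/sysctl.d"
  echo 'net.ipv4.conf.all.rp_filter = 2' > "$1/usr/lib/sysctl.d/50-default.conf"
  echo 'net.ipv4.conf.all.rp_filter = 1' > "$1/usr/lib/sysctl.d/50-redhat.conf"
  echo 'net.ipv4.conf.all.rp_filter = 1' > "$1/etc/sysctl.d/99-sysctl.conf"
}

demo() {
  root=$(mktemp -d)
  demo_tree "$root"
  k=net.ipv4.conf.all.rp_filter
  printf 'effective %s = %s\n' "$k" \
    "$(effective_sysctl "$k" "$root/etc/sysctl.d" "$root/usr/lib/sysctl.d")"
  printf 'stale: %s\n' \
    "$(stale_sysctl_files "$k" "$root/etc/sysctl.d" "$root/usr/lib/sysctl.d")"
  rm -rf "$root"
}

demo
```

On a real host, call the functions with the live directories in priority order (/etc/sysctl.d /run/sysctl.d /usr/local/lib/sysctl.d /usr/lib/sysctl.d); stale_sysctl_files then names the file to edit so the check passes, while effective_sysctl confirms that the running value already comes from 99-sysctl.conf.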
- oval:simp.cis.2.0.0.Rocky8.3.3.8_Ensure_source_routed_packets_are_not_accepted:def:1
- Title: Ensure source routed packets are not accepted
- oval:simp.cis.2.0.0.Rocky8.3.3.9_Ensure_suspicious_packets_are_logged:def:1
- Title: Ensure suspicious packets are logged
- oval:simp.cis.2.0.0.Rocky8.3.4.1.1_Ensure_nftables_is_installed:def:1
- Title: Ensure nftables is installed
- oval:simp.cis.2.0.0.Rocky8.3.4.1.2_Ensure_a_single_firewall_configuration_utility_is_in_use:def:1
- Title: Ensure a single firewall configuration utility is in use
- oval:simp.cis.2.0.0.Rocky8.3.4.2.1_Ensure_nftables_base_chains_exist:def:1
- Title: Ensure nftables base chains exist
- NOTE: Only applies when nftables is used for firewall provider
- oval:simp.cis.2.0.0.Rocky8.3.4.2.2_Ensure_host_based_firewall_loopback_traffic_is_configured:def:1
- Title: Ensure host based firewall loopback traffic is configured
- NOTE: Only applies when nftables is used for firewall provider
- oval:simp.cis.2.0.0.Rocky8.3.4.2.3_Ensure_firewalld_drops_unnecessary_services_and_ports:def:1
- Title: Ensure firewalld drops unnecessary services and ports
- oval:simp.cis.2.0.0.Rocky8.3.4.2.4_Ensure_nftables_established_connections_are_configured:def:1
- Title: Ensure nftables established connections are configured
- NOTE: Only applies when nftables is used for firewall provider
- oval:simp.cis.2.0.0.Rocky8.3.4.2.5_Ensure_nftables_default_deny_firewall_policy:def:1
- Title: Ensure nftables default deny firewall policy
- NOTE: Only applies when nftables is used for firewall provider
- oval:simp.cis.2.0.0.Rocky8.4.1.1.1_Ensure_cron_daemon_is_enabled_and_active:def:1
- Title: Ensure cron daemon is enabled and active
- oval:simp.cis.2.0.0.Rocky8.4.1.1.2_Ensure_permissions_on_etccrontab_are_configured:def:1
- Title: Ensure permissions on /etc/crontab are configured
- oval:simp.cis.2.0.0.Rocky8.4.1.1.3_Ensure_permissions_on_etccron.hourly_are_configured:def:1
- Title: Ensure permissions on /etc/cron.hourly are configured
- oval:simp.cis.2.0.0.Rocky8.4.1.1.4_Ensure_permissions_on_etccron.daily_are_configured:def:1
- Title: Ensure permissions on /etc/cron.daily are configured
- oval:simp.cis.2.0.0.Rocky8.4.1.1.5_Ensure_permissions_on_etccron.weekly_are_configured:def:1
- Title: Ensure permissions on /etc/cron.weekly are configured
- oval:simp.cis.2.0.0.Rocky8.4.1.1.6_Ensure_permissions_on_etccron.monthly_are_configured:def:1
- Title: Ensure permissions on /etc/cron.monthly are configured
- oval:simp.cis.2.0.0.Rocky8.4.1.1.7_Ensure_permissions_on_etccron.d_are_configured:def:1
- Title: Ensure permissions on /etc/cron.d are configured
- oval:simp.cis.2.0.0.Rocky8.4.1.1.8_Ensure_crontab_is_restricted_to_authorized_users:def:1
- Title: Ensure crontab is restricted to authorized users
- NOTE: Simply including the cron module is enough to restrict access via cron.allow; cron.deny will be removed if it exists.
- oval:simp.cis.2.0.0.Rocky8.4.1.2.1_Ensure_at_is_restricted_to_authorized_users:def:1
- Title: Ensure at is restricted to authorized users
- NOTE: Simply including the at module is enough to restrict access via at.allow; at.deny will be removed if it exists.
- oval:simp.cis.2.0.0.Rocky8.4.2.10_Ensure_sshd_IgnoreRhosts_is_enabled:def:1
- Title: Ensure sshd IgnoreRhosts is enabled
- oval:simp.cis.2.0.0.Rocky8.4.2.11_Ensure_sshd_KexAlgorithms_is_configured:def:1
- Title: Ensure sshd KexAlgorithms is configured
- oval:simp.cis.2.0.0.Rocky8.4.2.12_Ensure_sshd_LoginGraceTime_is_configured:def:1
- Title: Ensure sshd LoginGraceTime is configured
- oval:simp.cis.2.0.0.Rocky8.4.2.13_Ensure_sshd_LogLevel_is_configured:def:1
- Title: Ensure sshd LogLevel is configured
- oval:simp.cis.2.0.0.Rocky8.4.2.14_Ensure_sshd_MACs_are_configured:def:1
- Title: Ensure sshd MACs are configured
- oval:simp.cis.2.0.0.Rocky8.4.2.15_Ensure_sshd_MaxAuthTries_is_configured:def:1
- Title: Ensure sshd MaxAuthTries is configured
- oval:simp.cis.2.0.0.Rocky8.4.2.16_Ensure_sshd_MaxSessions_is_configured:def:1
- Title: Ensure sshd MaxSessions is configured
- oval:simp.cis.2.0.0.Rocky8.4.2.17_Ensure_sshd_MaxStartups_is_configured:def:1
- Title: Ensure sshd MaxStartups is configured
- oval:simp.cis.2.0.0.Rocky8.4.2.18_Ensure_sshd_PermitEmptyPasswords_is_disabled:def:1
- Title: Ensure sshd PermitEmptyPasswords is disabled
- oval:simp.cis.2.0.0.Rocky8.4.2.19_Ensure_sshd_PermitRootLogin_is_disabled:def:1
- Title: Ensure sshd PermitRootLogin is disabled
- oval:simp.cis.2.0.0.Rocky8.4.2.1_Ensure_permissions_on_etcsshsshd_config_are_configured:def:1
- Title: Ensure permissions on /etc/ssh/sshd_config are configured
- oval:simp.cis.2.0.0.Rocky8.4.2.20_Ensure_sshd_PermitUserEnvironment_is_disabled:def:1
- Title: Ensure sshd PermitUserEnvironment is disabled
- oval:simp.cis.2.0.0.Rocky8.4.2.21_Ensure_sshd_UsePAM_is_enabled:def:1
- Title: Ensure sshd UsePAM is enabled
- oval:simp.cis.2.0.0.Rocky8.4.2.22_Ensure_sshd_crypto_policy_is_not_set:def:1
- Title: Ensure sshd crypto_policy is not set
- oval:simp.cis.2.0.0.Rocky8.4.2.2_Ensure_permissions_on_SSH_private_host_key_files_are_configured:def:1
- Title: Ensure permissions on SSH private host key files are configured
- oval:simp.cis.2.0.0.Rocky8.4.2.3_Ensure_permissions_on_SSH_public_host_key_files_are_configured:def:1
- Title: Ensure permissions on SSH public host key files are configured
- oval:simp.cis.2.0.0.Rocky8.4.2.4_Ensure_sshd_access_is_configured:def:1
- Title: Ensure sshd access is configured
- NOTE: The product cannot make assumptions about which users/groups require ssh access to specific machines. The user will have to determine this and configure it accordingly using one of the following methods in hieradata:
    ssh::server::conf::allowusers:
      - user1
      - user2
    ssh::server::conf::allowgroups:
      - group1
      - group2
    ssh::server::conf::denyusers:
      - user3
    ssh::server::conf::denygroups:
      - group3
- oval:simp.cis.2.0.0.Rocky8.4.2.5_Ensure_sshd_Banner_is_configured:def:1
- Title: Ensure sshd Banner is configured
- oval:simp.cis.2.0.0.Rocky8.4.2.6_Ensure_sshd_Ciphers_are_configured:def:1
- Title: Ensure sshd Ciphers are configured
- oval:simp.cis.2.0.0.Rocky8.4.2.7_Ensure_sshd_ClientAliveInterval_and_ClientAliveCountMax_are_configured:def:1
- Title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured
- oval:simp.cis.2.0.0.Rocky8.4.2.8_Ensure_sshd_DisableForwarding_is_enabled:def:1
- Title: Ensure sshd DisableForwarding is enabled
- oval:simp.cis.2.0.0.Rocky8.4.2.9_Ensure_sshd_HostbasedAuthentication_is_disabled:def:1
- Title: Ensure sshd HostbasedAuthentication is disabled
- oval:simp.cis.2.0.0.Rocky8.4.3.1_Ensure_sudo_is_installed:def:1
- Title: Ensure sudo is installed
- oval:simp.cis.2.0.0.Rocky8.4.3.2_Ensure_sudo_commands_use_pty:def:1
- Title: Ensure sudo commands use pty
- oval:simp.cis.2.0.0.Rocky8.4.3.3_Ensure_sudo_log_file_exists:def:1
- Title: Ensure sudo log file exists
- oval:simp.cis.2.0.0.Rocky8.4.3.6_Ensure_sudo_authentication_timeout_is_configured_correctly:def:1
- Title: Ensure sudo authentication timeout is configured correctly
- oval:simp.cis.2.0.0.Rocky8.4.3.7_Ensure_access_to_the_su_command_is_restricted:def:1
- Title: Ensure access to the su command is restricted
- oval:simp.cis.2.0.0.Rocky8.4.4.1.1_Ensure_latest_version_of_pam_is_installed:def:1
- Title: Ensure latest version of pam is installed
- oval:simp.cis.2.0.0.Rocky8.4.4.1.2_Ensure_latest_version_of_authselect_is_installed:def:1
- Title: Ensure latest version of authselect is installed
- oval:simp.cis.2.0.0.Rocky8.4.4.2.1_Ensure_active_authselect_profile_includes_pam_modules:def:1
- Title: Ensure active authselect profile includes pam modules
- oval:simp.cis.2.0.0.Rocky8.4.4.2.2_Ensure_pam_faillock_module_is_enabled:def:1
- Title: Ensure pam_faillock module is enabled
- NOTE: The pam_faillock module is in use; however, the regex the assessor uses to test for that line does not match the format the product uses to include the module.
- oval:simp.cis.2.0.0.Rocky8.4.4.2.3_Ensure_pam_pwquality_module_is_enabled:def:1
- Title: Ensure pam_pwquality module is enabled
- oval:simp.cis.2.0.0.Rocky8.4.4.2.4_Ensure_pam_pwhistory_module_is_enabled:def:1
- Title: Ensure pam_pwhistory module is enabled
- oval:simp.cis.2.0.0.Rocky8.4.4.2.5_Ensure_pam_unix_module_is_enabled:def:1
- Title: Ensure pam_unix module is enabled
- NOTE: The pam_unix module is in use; however, the regex the assessor uses to test for that line does not match the format the product uses to include the module.
- oval:simp.cis.2.0.0.Rocky8.4.4.3.1.1_Ensure_password_failed_attempts_lockout_is_configured:def:1
- Title: Ensure password failed attempts lockout is configured
- oval:simp.cis.2.0.0.Rocky8.4.4.3.1.2_Ensure_password_unlock_time_is_configured:def:1
- Title: Ensure password unlock time is configured
- oval:simp.cis.2.0.0.Rocky8.4.4.3.1.3_Ensure_password_failed_attempts_lockout_includes_root_account:def:1
- Title: Ensure password failed attempts lockout includes root account
- oval:simp.cis.2.0.0.Rocky8.4.4.3.2.1_Ensure_password_number_of_changed_characters_is_configured:def:1
- Title: Ensure password number of changed characters is configured
- oval:simp.cis.2.0.0.Rocky8.4.4.3.2.2_Ensure_password_length_is_configured:def:1
- Title: Ensure password length is configured
- oval:simp.cis.2.0.0.Rocky8.4.4.3.2.3_Ensure_password_complexity_is_configured:def:1
- Title: Ensure password complexity is configured
- oval:simp.cis.2.0.0.Rocky8.4.4.3.2.4_Ensure_password_same_consecutive_characters_is_configured:def:1
- Title: Ensure password same consecutive characters is configured
- oval:simp.cis.2.0.0.Rocky8.4.4.3.2.5_Ensure_password_maximum_sequential_characters_is_configured:def:1
- Title: Ensure password maximum sequential characters is configured
- oval:simp.cis.2.0.0.Rocky8.4.4.3.2.6_Ensure_password_dictionary_check_is_enabled:def:1
- Title: Ensure password dictionary check is enabled
- oval:simp.cis.2.0.0.Rocky8.4.4.3.2.7_Ensure_password_quality_is_enforced_for_the_root_user:def:1
- Title: Ensure password quality is enforced for the root user
- NOTE: Password quality is enforced for root on the ‘password requisite pam_pwquality.so’ lines of /etc/pam.d/system-auth and /etc/pam.d/password-auth. This check will fail because the assessor does not look in those files; it expects the setting in /etc/security/pwquality.conf.
- oval:simp.cis.2.0.0.Rocky8.4.4.3.3.1_Ensure_password_history_remember_is_configured:def:1
- Title: Ensure password history remember is configured
- oval:simp.cis.2.0.0.Rocky8.4.4.3.3.2_Ensure_password_history_is_enforced_for_the_root_user:def:1
- Title: Ensure password history is enforced for the root user
- oval:simp.cis.2.0.0.Rocky8.4.4.3.3.3_Ensure_pam_pwhistory_includes_use_authtok:def:1
- Title: Ensure pam_pwhistory includes use_authtok
- oval:simp.cis.2.0.0.Rocky8.4.4.3.4.1_Ensure_pam_unix_does_not_include_nullok:def:1
- Title: Ensure pam_unix does not include nullok
- oval:simp.cis.2.0.0.Rocky8.4.4.3.4.2_Ensure_pam_unix_does_not_include_remember:def:1
- Title: Ensure pam_unix does not include remember
- oval:simp.cis.2.0.0.Rocky8.4.4.3.4.3_Ensure_pam_unix_includes_a_strong_password_hashing_algorithm:def:1
- Title: Ensure pam_unix includes a strong password hashing algorithm
- oval:simp.cis.2.0.0.Rocky8.4.4.3.4.4_Ensure_pam_unix_includes_use_authtok:def:1
- Title: Ensure pam_unix includes use_authtok
- oval:simp.cis.2.0.0.Rocky8.4.5.1.1_Ensure_strong_password_hashing_algorithm_is_configured:def:1
- Title: Ensure strong password hashing algorithm is configured
- oval:simp.cis.2.0.0.Rocky8.4.5.1.2_Ensure_password_expiration_is_365_days_or_less:def:1
- Title: Ensure password expiration is 365 days or less
- NOTE: The product sets PASS_MAX_DAYS in /etc/login.defs, however, there is currently no mechanism to enforce the setting for existing users in /etc/shadow.
- oval:simp.cis.2.0.0.Rocky8.4.5.1.3_Ensure_password_expiration_warning_days_is_7_or_more:def:1
- Title: Ensure password expiration warning days is 7 or more
- oval:simp.cis.2.0.0.Rocky8.4.5.1.4_Ensure_inactive_password_lock_is_30_days_or_less:def:1
- Title: Ensure inactive password lock is 30 days or less
- NOTE: The system will be configured to make accounts inactive after 30 days of inactivity, however, the product has no mechanism to change this value on existing users.
- oval:simp.cis.2.0.0.Rocky8.4.5.1.5_Ensure_all_users_last_password_change_date_is_in_the_past:def:1
- Title: Ensure all users last password change date is in the past
- oval:simp.cis.2.0.0.Rocky8.4.5.2.1_Ensure_default_group_for_the_root_account_is_GID_0:def:1
- Title: Ensure default group for the root account is GID 0
- oval:simp.cis.2.0.0.Rocky8.4.5.2.2_Ensure_root_user_umask_is_configured:def:1
- Title: Ensure root user umask is configured
- oval:simp.cis.2.0.0.Rocky8.4.5.2.3_Ensure_system_accounts_are_secured:def:1
- Title: Ensure system accounts are secured
- oval:simp.cis.2.0.0.Rocky8.4.5.3.1_Ensure_nologin_is_not_listed_in_etcshells:def:1
- Title: Ensure nologin is not listed in /etc/shells
- oval:simp.cis.2.0.0.Rocky8.4.5.3.2_Ensure_default_user_shell_timeout_is_configured:def:1
- Title: Ensure default user shell timeout is configured
- NOTE: The scanner fails to pick up on the format the product uses for setting the timeout: [ $TMOUT ] || export TMOUT=900. The setting is also placed in a nonstandard location, /etc/profile.d/simp.sh.
- oval:simp.cis.2.0.0.Rocky8.4.5.3.3_Ensure_default_user_umask_is_configured:def:1
- Title: Ensure default user umask is configured
- oval:simp.cis.2.0.0.Rocky8.5.1.1.1_Ensure_rsyslog_is_installed:def:1
- Title: Ensure rsyslog is installed
- oval:simp.cis.2.0.0.Rocky8.5.1.1.2_Ensure_rsyslog_service_is_enabled:def:1
- Title: Ensure rsyslog service is enabled
- oval:simp.cis.2.0.0.Rocky8.5.1.1.4_Ensure_rsyslog_default_file_permissions_are_configured:def:1
- Title: Ensure rsyslog default file permissions are configured
- oval:simp.cis.2.0.0.Rocky8.5.1.1.5_Ensure_logging_is_configured:def:1
- Title: Ensure logging is configured
- oval:simp.cis.2.0.0.Rocky8.5.1.1.7_Ensure_rsyslog_is_not_configured_to_receive_logs_from_a_remote_client:def:1
- Title: Ensure rsyslog is not configured to receive logs from a remote client
- NOTE: Including the product’s rsyslog class will purge any rsyslog configuration not specified by the user in hieradata or by other rules that require specific rsyslog configuration.
- oval:simp.cis.2.0.0.Rocky8.5.1.2.1.1_Ensure_systemd-journal-remote_is_installed:def:1
- Title: Ensure systemd-journal-remote is installed
- oval:simp.cis.2.0.0.Rocky8.5.1.2.1.2_Ensure_systemd-journal-remote_is_configured:def:1
- Title: Ensure systemd-journal-remote is configured
- oval:simp.cis.2.0.0.Rocky8.5.1.2.1.3_Ensure_systemd-journal-remote_is_enabled:def:1
- Title: Ensure systemd-journal-remote is enabled
- oval:simp.cis.2.0.0.Rocky8.5.1.2.1.4_Ensure_journald_is_not_configured_to_receive_logs_from_a_remote_client:def:1
- Title: Ensure journald is not configured to receive logs from a remote client
- oval:simp.cis.2.0.0.Rocky8.5.1.2.2_Ensure_journald_service_is_enabled:def:1
- Title: Ensure journald service is enabled
- NOTE: Simply including the journald class will include a default journald configuration and ensure the service is enabled.
- oval:simp.cis.2.0.0.Rocky8.5.1.2.3_Ensure_journald_is_configured_to_compress_large_log_files:def:1
- Title: Ensure journald is configured to compress large log files
- oval:simp.cis.2.0.0.Rocky8.5.1.2.4_Ensure_journald_is_configured_to_write_logfiles_to_persistent_disk:def:1
- Title: Ensure journald is configured to write logfiles to persistent disk
- oval:simp.cis.2.0.0.Rocky8.5.1.2.5_Ensure_journald_is_not_configured_to_send_logs_to_rsyslog:def:1
- Title: Ensure journald is not configured to send logs to rsyslog
- oval:simp.cis.2.0.0.Rocky8.5.1.3_Ensure_logrotate_is_configured:def:1
- Title: Ensure logrotate is configured
- oval:simp.cis.2.0.0.Rocky8.5.1.4_Ensure_all_logfiles_have_appropriate_access_configured:def:1
- Title: Ensure all logfiles have appropriate access configured
- oval:simp.cis.2.0.0.Rocky8.5.2.1.1_Ensure_audit_is_installed:def:1
- Title: Ensure audit is installed
- oval:simp.cis.2.0.0.Rocky8.5.2.1.2_Ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled:def:1
- Title: Ensure auditing for processes that start prior to auditd is enabled
- NOTE: This value is set in /etc/default/grub, however, the scanner doesn’t scan for the value here.
- oval:simp.cis.2.0.0.Rocky8.5.2.1.3_Ensure_audit_backlog_limit_is_sufficient:def:1
- Title: Ensure audit_backlog_limit is sufficient
- NOTE: This value is set in /etc/default/grub, however, the scanner doesn’t scan for the value here.
- oval:simp.cis.2.0.0.Rocky8.5.2.1.4_Ensure_auditd_service_is_enabled:def:1
- Title: Ensure auditd service is enabled
- oval:simp.cis.2.0.0.Rocky8.5.2.2.1_Ensure_audit_log_storage_size_is_configured:def:1
- Title: Ensure audit log storage size is configured
- oval:simp.cis.2.0.0.Rocky8.5.2.2.2_Ensure_audit_logs_are_not_automatically_deleted:def:1
- Title: Ensure audit logs are not automatically deleted
- oval:simp.cis.2.0.0.Rocky8.5.2.2.3_Ensure_system_is_disabled_when_audit_logs_are_full:def:1
- Title: Ensure system is disabled when audit logs are full
- oval:simp.cis.2.0.0.Rocky8.5.2.2.4_Ensure_system_warns_when_audit_logs_are_low_on_space:def:1
- Title: Ensure system warns when audit logs are low on space
- oval:simp.cis.2.0.0.Rocky8.5.2.3.10_Ensure_successful_file_system_mounts_are_collected:def:1
- Title: Ensure successful file system mounts are collected
- oval:simp.cis.2.0.0.Rocky8.5.2.3.11_Ensure_session_initiation_information_is_collected:def:1
- Title: Ensure session initiation information is collected
- oval:simp.cis.2.0.0.Rocky8.5.2.3.12_Ensure_login_and_logout_events_are_collected:def:1
- Title: Ensure login and logout events are collected
- oval:simp.cis.2.0.0.Rocky8.5.2.3.13_Ensure_file_deletion_events_by_users_are_collected:def:1
- Title: Ensure file deletion events by users are collected
- oval:simp.cis.2.0.0.Rocky8.5.2.3.14_Ensure_events_that_modify_the_systems_Mandatory_Access_Controls_are_collected:def:1
- Title: Ensure events that modify the system’s Mandatory Access Controls are collected
- oval:simp.cis.2.0.0.Rocky8.5.2.3.15_Ensure_successful_and_unsuccessful_attempts_to_use_the_chcon_command_are_recorded:def:1
- Title: Ensure successful and unsuccessful attempts to use the chcon command are recorded
- oval:simp.cis.2.0.0.Rocky8.5.2.3.16_Ensure_successful_and_unsuccessful_attempts_to_use_the_setfacl_command_are_recorded:def:1
- Title: Ensure successful and unsuccessful attempts to use the setfacl command are recorded
- oval:simp.cis.2.0.0.Rocky8.5.2.3.17_Ensure_successful_and_unsuccessful_attempts_to_use_the_chacl_command_are_recorded:def:1
- Title: Ensure successful and unsuccessful attempts to use the chacl command are recorded
- oval:simp.cis.2.0.0.Rocky8.5.2.3.18_Ensure_successful_and_unsuccessful_attempts_to_use_the_usermod_command_are_recorded:def:1
- Title: Ensure successful and unsuccessful attempts to use the usermod command are recorded
- oval:simp.cis.2.0.0.Rocky8.5.2.3.19_Ensure_kernel_module_loading_unloading_and_modification_is_collected:def:1
- Title: Ensure kernel module loading unloading and modification is collected
- oval:simp.cis.2.0.0.Rocky8.5.2.3.1_Ensure_changes_to_system_administration_scope_sudoers_is_collected:def:1
- Title: Ensure changes to system administration scope (sudoers) is collected
- oval:simp.cis.2.0.0.Rocky8.5.2.3.20_Ensure_the_audit_configuration_is_immutable:def:1
- Title: Ensure the audit configuration is immutable
- oval:simp.cis.2.0.0.Rocky8.5.2.3.21_Ensure_the_running_and_on_disk_configuration_is_the_same:def:1
- Title: Ensure the running and on disk configuration is the same
- NOTE: Including the audit class forces the system to check the expected rule set against what is on disk. If there are discrepancies, the rules are changed to the expected state and the service is restarted, which ensures the rules on disk are the same as the running rules.
- oval:simp.cis.2.0.0.Rocky8.5.2.3.2_Ensure_actions_as_another_user_are_always_logged:def:1
- Title: Ensure actions as another user are always logged
- oval:simp.cis.2.0.0.Rocky8.5.2.3.3_Ensure_events_that_modify_the_sudo_log_file_are_collected:def:1
- Title: Ensure events that modify the sudo log file are collected
- oval:simp.cis.2.0.0.Rocky8.5.2.3.4_Ensure_events_that_modify_date_and_time_information_are_collected:def:1
- Title: Ensure events that modify date and time information are collected
- oval:simp.cis.2.0.0.Rocky8.5.2.3.5_Ensure_events_that_modify_the_systems_network_environment_are_collected:def:1
- Title: Ensure events that modify the system’s network environment are collected
- oval:simp.cis.2.0.0.Rocky8.5.2.3.6_Ensure_use_of_privileged_commands_are_collected:def:1
- Title: Ensure use of privileged commands are collected
- NOTE: The available setuid/setgid commands on a given system could vary greatly. Several of the more common commands are audited, but there is currently no automated way to identify and audit all possible setuid/setgid commands available on any given system.
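Enumerating the setuid/setgid binaries is mechanical on the target host even though it cannot be done when the rule catalog is written. The script below is an added example, not the product's code; it walks the local filesystems, emits one auditd rule per privileged binary in the same shape CIS uses for this control, and reports binaries for which no rule is currently loaded. It assumes /etc/login.defs supplies UID_MIN (falling back to 1000), that df --local is GNU coreutils, and that auditctl is available for the comparison; the sandbox used by demo is constructed and its "binaries" are empty files with the mode bits set.

```sh
#!/bin/sh
# Added example (not the product's code): generate auditd rules for every
# setuid/setgid executable on the local filesystems and find the ones with no
# rule loaded. UID_MIN comes from /etc/login.defs (assumed; 1000 if absent).
# The sandbox built by demo is constructed for illustration only.

# Lowest UID of an interactive user; 1000 is an assumed fallback.
uid_min() {
  v=
  [ -r /etc/login.defs ] && v=$(awk '$1 == "UID_MIN" { print $2 }' /etc/login.defs)
  printf '%s\n' "${v:-1000}"
}

# One "-a always,exit" rule per setuid/setgid file under ROOT, staying on the
# same filesystem (-xdev) so pseudo filesystems and bind mounts are not walked.
# Usage: privileged_cmd_rules ROOT [UID_MIN]
privileged_cmd_rules() {
  root=$1
  min=${2:-$(uid_min)}
  find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
    | LC_ALL=C sort \
    | while IFS= read -r path; do
        printf -- '-a always,exit -F path=%s -F perm=x -F auid>=%s -F auid!=unset -k privileged\n' \
          "$path" "$min"
      done
}

# Rules for every locally mounted filesystem (df --local is GNU coreutils).
privileged_cmd_rules_all() {
  min=$(uid_min)
  df --local -P 2>/dev/null | awk 'NR > 1 { print $6 }' | while IFS= read -r mnt; do
    privileged_cmd_rules "$mnt" "$min"
  done
}

# Generated rules whose path has no loaded rule (run as root on the target):
# each line printed is a privileged binary that is not being audited.
missing_privileged_rules() {
  loaded=$(auditctl -l 2>/dev/null)
  privileged_cmd_rules_all | while IFS= read -r rule; do
    p=${rule#*-F path=}; p=${p%% *}
    printf '%s\n' "$loaded" | grep -qF -- "-F path=$p " || printf '%s\n' "$rule"
  done
}

demo() {
  sandbox=$(mktemp -d)
  mkdir -p "$sandbox/usr/bin"
  : > "$sandbox/usr/bin/suidtool"; chmod 4755 "$sandbox/usr/bin/suidtool"
  : > "$sandbox/usr/bin/sgidtool"; chmod 2755 "$sandbox/usr/bin/sgidtool"
  : > "$sandbox/usr/bin/plain";    chmod 0755 "$sandbox/usr/bin/plain"
  privileged_cmd_rules "$sandbox" 1000   # two rules; "plain" is skipped
  rm -rf "$sandbox"
}

demo
```

Write the output of privileged_cmd_rules_all to a file under /etc/audit/rules.d/ and reload with augenrules; rerun missing_privileged_rules after package updates, since a new setuid binary is exactly the case the note says cannot be predicted in advance.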
- oval:simp.cis.2.0.0.Rocky8.5.2.3.7_Ensure_unsuccessful_file_access_attempts_are_collected:def:1
- Title: Ensure unsuccessful file access attempts are collected
- oval:simp.cis.2.0.0.Rocky8.5.2.3.8_Ensure_events_that_modify_usergroup_information_are_collected:def:1
- Title: Ensure events that modify user/group information are collected
- oval:simp.cis.2.0.0.Rocky8.5.2.3.9_Ensure_discretionary_access_control_permission_modification_events_are_collected:def:1
- Title: Ensure discretionary access control permission modification events are collected
- oval:simp.cis.2.0.0.Rocky8.5.2.4.10_Ensure_audit_tools_belong_to_group_root:def:1
- Title: Ensure audit tools belong to group root
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide, however, the scanner only looks for files that end in .conf in the aide.conf.d directory so the scan will fail.
- oval:simp.cis.2.0.0.Rocky8.5.2.4.1_Ensure_the_audit_log_directory_is_0750_or_more_restrictive:def:1
- Title: Ensure the audit log directory is 0750 or more restrictive
- oval:simp.cis.2.0.0.Rocky8.5.2.4.2_Ensure_audit_log_files_are_mode_0640_or_less_permissive:def:1
- Title: Ensure audit log files are mode 0640 or less permissive
- oval:simp.cis.2.0.0.Rocky8.5.2.4.3_Ensure_only_authorized_users_own_audit_log_files:def:1
- Title: Ensure only authorized users own audit log files
- oval:simp.cis.2.0.0.Rocky8.5.2.4.4_Ensure_only_authorized_groups_are_assigned_ownership_of_audit_log_files:def:1
- Title: Ensure only authorized groups are assigned ownership of audit log files
- oval:simp.cis.2.0.0.Rocky8.5.2.4.5_Ensure_audit_configuration_files_are_640_or_more_restrictive:def:1
- Title: Ensure audit configuration files are 640 or more restrictive
- oval:simp.cis.2.0.0.Rocky8.5.2.4.6_Ensure_audit_configuration_files_are_owned_by_root:def:1
- Title: Ensure audit configuration files are owned by root
- oval:simp.cis.2.0.0.Rocky8.5.2.4.7_Ensure_audit_configuration_files_belong_to_group_root:def:1
- Title: Ensure audit configuration files belong to group root
- oval:simp.cis.2.0.0.Rocky8.5.2.4.8_Ensure_audit_tools_are_755_or_more_restrictive:def:1
- Title: Ensure audit tools are 755 or more restrictive
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide, however, the scanner only looks for files that end in .conf in the aide.conf.d directory so the scan will fail.
- oval:simp.cis.2.0.0.Rocky8.5.2.4.9_Ensure_audit_tools_are_owned_by_root:def:1
- Title: Ensure audit tools are owned by root
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide, however, the scanner only looks for files that end in .conf in the aide.conf.d directory so the scan will fail.
- oval:simp.cis.2.0.0.Rocky8.5.3.1_Ensure_AIDE_is_installed:def:1
- Title: Ensure AIDE is installed
- oval:simp.cis.2.0.0.Rocky8.5.3.2_Ensure_filesystem_integrity_is_regularly_checked:def:1
- Title: Ensure filesystem integrity is regularly checked
- oval:simp.cis.2.0.0.Rocky8.5.3.3_Ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools:def:1
- Title: Ensure cryptographic mechanisms are used to protect the integrity of audit tools
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide, however, the scanner only looks for files that end in .conf in the aide.conf.d directory so the scan will fail.
- oval:simp.cis.2.0.0.Rocky8.6.1.10_Ensure_permissions_on_etcshells_are_configured:def:1
- Title: Ensure permissions on /etc/shells are configured
- oval:simp.cis.2.0.0.Rocky8.6.1.14_Audit_system_file_permissions:def:1
- Title: Audit system file permissions
- oval:simp.cis.2.0.0.Rocky8.6.1.1_Ensure_permissions_on_etcpasswd_are_configured:def:1
- Title: Ensure permissions on /etc/passwd are configured
- oval:simp.cis.2.0.0.Rocky8.6.1.2_Ensure_permissions_on_etcpasswd-_are_configured:def:1
- Title: Ensure permissions on /etc/passwd- are configured
- oval:simp.cis.2.0.0.Rocky8.6.1.3_Ensure_permissions_on_etcopasswd_are_configured:def:1
- Title: Ensure permissions on /etc/opasswd are configured
- oval:simp.cis.2.0.0.Rocky8.6.1.4_Ensure_permissions_on_etcgroup_are_configured:def:1
- Title: Ensure permissions on /etc/group are configured
- oval:simp.cis.2.0.0.Rocky8.6.1.5_Ensure_permissions_on_etcgroup-_are_configured:def:1
- Title: Ensure permissions on /etc/group- are configured
- oval:simp.cis.2.0.0.Rocky8.6.1.6_Ensure_permissions_on_etcshadow_are_configured:def:1
- Title: Ensure permissions on /etc/shadow are configured
- oval:simp.cis.2.0.0.Rocky8.6.1.7_Ensure_permissions_on_etcshadow-_are_configured:def:1
- Title: Ensure permissions on /etc/shadow- are configured
- oval:simp.cis.2.0.0.Rocky8.6.1.8_Ensure_permissions_on_etcgshadow_are_configured:def:1
- Title: Ensure permissions on /etc/gshadow are configured
- oval:simp.cis.2.0.0.Rocky8.6.1.9_Ensure_permissions_on_etcgshadow-_are_configured:def:1
- Title: Ensure permissions on /etc/gshadow- are configured
- oval:simp.cis.2.0.0.Rocky8.6.2.10_Ensure_local_interactive_user_home_directories_are_configured:def:1
- Title: Ensure local interactive user home directories are configured
- oval:simp.cis.2.0.0.Rocky8.6.2.11_Ensure_local_interactive_user_dot_files_access_is_configured:def:1
- Title: Ensure local interactive user dot files access is configured
- oval:simp.cis.2.0.0.Rocky8.6.2.1_Ensure_accounts_in_etcpasswd_use_shadowed_passwords:def:1
- Title: Ensure accounts in /etc/passwd use shadowed passwords
- oval:simp.cis.2.0.0.Rocky8.6.2.2_Ensure_etcshadow_password_fields_are_not_empty:def:1
- Title: Ensure /etc/shadow password fields are not empty
- oval:simp.cis.2.0.0.Rocky8.6.2.3_Ensure_all_groups_in_etcpasswd_exist_in_etcgroup:def:1
- Title: Ensure all groups in /etc/passwd exist in /etc/group
- oval:simp.cis.2.0.0.Rocky8.6.2.4_Ensure_no_duplicate_UIDs_exist:def:1
- Title: Ensure no duplicate UIDs exist
- oval:simp.cis.2.0.0.Rocky8.6.2.5_Ensure_no_duplicate_GIDs_exist:def:1
- Title: Ensure no duplicate GIDs exist
- oval:simp.cis.2.0.0.Rocky8.6.2.6_Ensure_no_duplicate_user_names_exist:def:1
- Title: Ensure no duplicate user names exist
- oval:simp.cis.2.0.0.Rocky8.6.2.7_Ensure_no_duplicate_group_names_exist:def:1
- Title: Ensure no duplicate group names exist
- oval:simp.cis.2.0.0.Rocky8.6.2.8_Ensure_root_path_integrity:def:1
- Title: Ensure root path integrity
- oval:simp.cis.2.0.0.Rocky8.6.2.9_Ensure_root_is_the_only_UID_0_account:def:1
- Title: Ensure root is the only UID 0 account
Rocky 9 (269/297 [90%])
- oval:simp.cis.2.0.0.Rocky9.1.1.1.1_Ensure_cramfs_kernel_module_is_not_available:def:1
- Title: Ensure cramfs kernel module is not available
- oval:simp.cis.2.0.0.Rocky9.1.1.1.2_Ensure_freevxfs_kernel_module_is_not_available:def:1
- Title: Ensure freevxfs kernel module is not available
- oval:simp.cis.2.0.0.Rocky9.1.1.1.3_Ensure_hfs_kernel_module_is_not_available:def:1
- Title: Ensure hfs kernel module is not available
- oval:simp.cis.2.0.0.Rocky9.1.1.1.4_Ensure_hfsplus_kernel_module_is_not_available:def:1
- Title: Ensure hfsplus kernel module is not available
- oval:simp.cis.2.0.0.Rocky9.1.1.1.5_Ensure_jffs2_kernel_module_is_not_available:def:1
- Title: Ensure jffs2 kernel module is not available
- oval:simp.cis.2.0.0.Rocky9.1.1.1.6_Ensure_squashfs_kernel_module_is_not_available:def:1
- Title: Ensure squashfs kernel module is not available
- oval:simp.cis.2.0.0.Rocky9.1.1.1.7_Ensure_udf_kernel_module_is_not_available:def:1
- Title: Ensure udf kernel module is not available
- oval:simp.cis.2.0.0.Rocky9.1.1.1.8_Ensure_usb-storage_kernel_module_is_not_available:def:1
- Title: Ensure usb-storage kernel module is not available
- oval:simp.cis.2.0.0.Rocky9.1.1.2.1.1_Ensure_tmp_is_a_separate_partition:def:1
- Title: Ensure /tmp is a separate partition
- oval:simp.cis.2.0.0.Rocky9.1.1.2.1.2_Ensure_nodev_option_set_on_tmp_partition:def:1
- Title: Ensure nodev option set on /tmp partition
- oval:simp.cis.2.0.0.Rocky9.1.1.2.1.3_Ensure_nosuid_option_set_on_tmp_partition:def:1
- Title: Ensure nosuid option set on /tmp partition
- oval:simp.cis.2.0.0.Rocky9.1.1.2.1.4_Ensure_noexec_option_set_on_tmp_partition:def:1
- Title: Ensure noexec option set on /tmp partition
- oval:simp.cis.2.0.0.Rocky9.1.1.2.2.2_Ensure_nodev_option_set_on_devshm_partition:def:1
- Title: Ensure nodev option set on /dev/shm partition
- oval:simp.cis.2.0.0.Rocky9.1.1.2.2.3_Ensure_nosuid_option_set_on_devshm_partition:def:1
- Title: Ensure nosuid option set on /dev/shm partition
- oval:simp.cis.2.0.0.Rocky9.1.1.2.2.4_Ensure_noexec_option_set_on_devshm_partition:def:1
- Title: Ensure noexec option set on /dev/shm partition
- oval:simp.cis.2.0.0.Rocky9.1.1.2.3.2_Ensure_nodev_option_set_on_home_partition:def:1
- Title: Ensure nodev option set on /home partition
- oval:simp.cis.2.0.0.Rocky9.1.1.2.3.3_Ensure_nosuid_option_set_on_home_partition:def:1
- Title: Ensure nosuid option set on /home partition
- oval:simp.cis.2.0.0.Rocky9.1.1.2.4.2_Ensure_nodev_option_set_on_var_partition:def:1
- Title: Ensure nodev option set on /var partition
- oval:simp.cis.2.0.0.Rocky9.1.1.2.4.3_Ensure_nosuid_option_set_on_var_partition:def:1
- Title: Ensure nosuid option set on /var partition
- oval:simp.cis.2.0.0.Rocky9.1.1.2.5.2_Ensure_nodev_option_set_on_vartmp_partition:def:1
- Title: Ensure nodev option set on /var/tmp partition
- oval:simp.cis.2.0.0.Rocky9.1.1.2.5.3_Ensure_nosuid_option_set_on_vartmp_partition:def:1
- Title: Ensure nosuid option set on /var/tmp partition
- oval:simp.cis.2.0.0.Rocky9.1.1.2.5.4_Ensure_noexec_option_set_on_vartmp_partition:def:1
- Title: Ensure noexec option set on /var/tmp partition
- oval:simp.cis.2.0.0.Rocky9.1.1.2.6.2_Ensure_nodev_option_set_on_varlog_partition:def:1
- Title: Ensure nodev option set on /var/log partition
- oval:simp.cis.2.0.0.Rocky9.1.1.2.6.3_Ensure_nosuid_option_set_on_varlog_partition:def:1
- Title: Ensure nosuid option set on /var/log partition
- oval:simp.cis.2.0.0.Rocky9.1.1.2.6.4_Ensure_noexec_option_set_on_varlog_partition:def:1
- Title: Ensure noexec option set on /var/log partition
- oval:simp.cis.2.0.0.Rocky9.1.1.2.7.2_Ensure_nodev_option_set_on_varlogaudit_partition:def:1
- Title: Ensure nodev option set on /var/log/audit partition
- oval:simp.cis.2.0.0.Rocky9.1.1.2.7.3_Ensure_nosuid_option_set_on_varlogaudit_partition:def:1
- Title: Ensure nosuid option set on /var/log/audit partition
- oval:simp.cis.2.0.0.Rocky9.1.1.2.7.4_Ensure_noexec_option_set_on_varlogaudit_partition:def:1
- Title: Ensure noexec option set on /var/log/audit partition
- oval:simp.cis.2.0.0.Rocky9.1.2.1.2_Ensure_gpgcheck_is_globally_activated:def:1
- Title: Ensure gpgcheck is globally activated
- NOTE: Some organizations will need gpgcheck to be turned off for some of their internal repos. The best the product can do in this scenario is to enable gpgcheck in /etc/yum.conf and rely on the customers to control the gpg settings of their individual repos.
- oval:simp.cis.2.0.0.Rocky9.1.2.1.3_Ensure_repo_gpgcheck_is_globally_activated:def:1
- Title: Ensure repo_gpgcheck is globally activated
- oval:simp.cis.2.0.0.Rocky9.1.2.2.1_Ensure_updates_patches_and_additional_security_software_are_installed:def:1
- Title: Ensure updates, patches, and additional security software are installed
- oval:simp.cis.2.0.0.Rocky9.1.3.1.1_Ensure_SELinux_is_installed:def:1
- Title: Ensure SELinux is installed
- oval:simp.cis.2.0.0.Rocky9.1.3.1.2_Ensure_SELinux_is_not_disabled_in_bootloader_configuration:def:1
- Title: Ensure SELinux is not disabled in bootloader configuration
- oval:simp.cis.2.0.0.Rocky9.1.3.1.3_Ensure_SELinux_policy_is_configured:def:1
- Title: Ensure SELinux policy is configured
- oval:simp.cis.2.0.0.Rocky9.1.3.1.4_Ensure_the_SELinux_mode_is_not_disabled:def:1
- Title: Ensure the SELinux mode is not disabled
- oval:simp.cis.2.0.0.Rocky9.1.3.1.5_Ensure_the_SELinux_mode_is_enforcing:def:1
- Title: Ensure the SELinux mode is enforcing
- oval:simp.cis.2.0.0.Rocky9.1.3.1.7_Ensure_the_MCS_Translation_Service_mcstrans_is_not_installed:def:1
- Title: Ensure the MCS Translation Service (mcstrans) is not installed
- NOTE: The mcstrans package is not installed, however, the scanner is still flagging this rpm as being on the system.
- oval:simp.cis.2.0.0.Rocky9.1.3.1.8_Ensure_SETroubleshoot_is_not_installed:def:1
- Title: Ensure SETroubleshoot is not installed
- oval:simp.cis.2.0.0.Rocky9.1.4.1_Ensure_bootloader_password_is_set:def:1
- Title: Ensure bootloader password is set
- NOTE: The rule checks specifically for ‘GRUB2_PASSWORD=’ in /boot/grub2/user.cfg, however, the product sets the grub password via /boot/grub2/grub.cfg with the password_pbkdf2 parameter.
- oval:simp.cis.2.0.0.Rocky9.1.4.2_Ensure_access_to_bootloader_config_is_configured:def:1
- Title: Ensure access to bootloader config is configured
- NOTE: The product does not utilize /boot/grub2/user.cfg, however, the rule will check for its existence and fail.
- oval:simp.cis.2.0.0.Rocky9.1.5.1_Ensure_address_space_layout_randomization_is_enabled:def:1
- Title: Ensure address space layout randomization is enabled
- oval:simp.cis.2.0.0.Rocky9.1.5.2_Ensure_ptrace_scope_is_restricted:def:1
- Title: Ensure ptrace_scope is restricted
- oval:simp.cis.2.0.0.Rocky9.1.5.3_Ensure_core_dump_backtraces_are_disabled:def:1
- Title: Ensure core dump backtraces are disabled
- oval:simp.cis.2.0.0.Rocky9.1.5.4_Ensure_core_dump_storage_is_disabled:def:1
- Title: Ensure core dump storage is disabled
- oval:simp.cis.2.0.0.Rocky9.1.6.1_Ensure_system_wide_crypto_policy_is_not_set_to_legacy:def:1
- Title: Ensure system wide crypto policy is not set to legacy
- oval:simp.cis.2.0.0.Rocky9.1.6.2_Ensure_system_wide_crypto_policy_is_not_set_in_sshd_configuration:def:1
- Title: Ensure system wide crypto policy is not set in sshd configuration
- oval:simp.cis.2.0.0.Rocky9.1.7.1_Ensure_message_of_the_day_is_configured_properly:def:1
- Title: Ensure message of the day is configured properly
- oval:simp.cis.2.0.0.Rocky9.1.7.2_Ensure_local_login_warning_banner_is_configured_properly:def:1
- Title: Ensure local login warning banner is configured properly
- oval:simp.cis.2.0.0.Rocky9.1.7.3_Ensure_remote_login_warning_banner_is_configured_properly:def:1
- Title: Ensure remote login warning banner is configured properly
- oval:simp.cis.2.0.0.Rocky9.1.7.4_Ensure_access_to_etcmotd_is_configured:def:1
- Title: Ensure access to /etc/motd is configured
- oval:simp.cis.2.0.0.Rocky9.1.7.5_Ensure_access_to_etcissue_is_configured:def:1
- Title: Ensure access to /etc/issue is configured
- oval:simp.cis.2.0.0.Rocky9.1.7.6_Ensure_access_to_etcissue.net_is_configured:def:1
- Title: Ensure access to /etc/issue.net is configured
- oval:simp.cis.2.0.0.Rocky9.1.8.10_Ensure_XDMCP_is_not_enabled:def:1
- Title: Ensure XDMCP is not enabled
- oval:simp.cis.2.0.0.Rocky9.1.8.1_Ensure_GNOME_Display_Manager_is_removed:def:1
- Title: Ensure GNOME Display Manager is removed
- oval:simp.cis.2.0.0.Rocky9.1.8.2_Ensure_GDM_login_banner_is_configured:def:1
- Title: Ensure GDM login banner is configured
- oval:simp.cis.2.0.0.Rocky9.1.8.3_Ensure_GDM_disable-user-list_option_is_enabled:def:1
- Title: Ensure GDM disable-user-list option is enabled
- oval:simp.cis.2.0.0.Rocky9.1.8.4_Ensure_GDM_screen_locks_when_the_user_is_idle:def:1
- Title: Ensure GDM screen locks when the user is idle
- oval:simp.cis.2.0.0.Rocky9.1.8.5_Ensure_GDM_screen_locks_cannot_be_overridden:def:1
- Title: Ensure GDM screen locks cannot be overridden
- oval:simp.cis.2.0.0.Rocky9.1.8.6_Ensure_GDM_automatic_mounting_of_removable_media_is_disabled:def:1
- Title: Ensure GDM automatic mounting of removable media is disabled
- NOTE: This will remediate the rule as requested, however, the check will still fail because spacing is not aligned as expected in the rule.
- oval:simp.cis.2.0.0.Rocky9.1.8.7_Ensure_GDM_disabling_automatic_mounting_of_removable_media_is_not_overridden:def:1
- Title: Ensure GDM disabling automatic mounting of removable media is not overridden
- oval:simp.cis.2.0.0.Rocky9.1.8.8_Ensure_GDM_autorun-never_is_enabled:def:1
- Title: Ensure GDM autorun-never is enabled
- oval:simp.cis.2.0.0.Rocky9.1.8.9_Ensure_GDM_autorun-never_is_not_overridden:def:1
- Title: Ensure GDM autorun-never is not overridden
- oval:simp.cis.2.0.0.Rocky9.2.1.10_Ensure_nis_server_services_are_not_in_use:def:1
- Title: Ensure nis server services are not in use
- oval:simp.cis.2.0.0.Rocky9.2.1.11_Ensure_print_server_services_are_not_in_use:def:1
- Title: Ensure print server services are not in use
- oval:simp.cis.2.0.0.Rocky9.2.1.12_Ensure_rpcbind_services_are_not_in_use:def:1
- Title: Ensure rpcbind services are not in use
- oval:simp.cis.2.0.0.Rocky9.2.1.13_Ensure_rsync_services_are_not_in_use:def:1
- Title: Ensure rsync services are not in use
- oval:simp.cis.2.0.0.Rocky9.2.1.14_Ensure_snmp_services_are_not_in_use:def:1
- Title: Ensure snmp services are not in use
- oval:simp.cis.2.0.0.Rocky9.2.1.15_Ensure_telnet_server_services_are_not_in_use:def:1
- Title: Ensure telnet server services are not in use
- oval:simp.cis.2.0.0.Rocky9.2.1.16_Ensure_tftp_server_services_are_not_in_use:def:1
- Title: Ensure tftp server services are not in use
- oval:simp.cis.2.0.0.Rocky9.2.1.17_Ensure_web_proxy_server_services_are_not_in_use:def:1
- Title: Ensure web proxy server services are not in use
- oval:simp.cis.2.0.0.Rocky9.2.1.18_Ensure_web_server_services_are_not_in_use:def:1
- Title: Ensure web server services are not in use
- oval:simp.cis.2.0.0.Rocky9.2.1.19_Ensure_xinetd_services_are_not_in_use:def:1
- Title: Ensure xinetd services are not in use
- oval:simp.cis.2.0.0.Rocky9.2.1.1_Ensure_autofs_services_are_not_in_use:def:1
- Title: Ensure autofs services are not in use
- oval:simp.cis.2.0.0.Rocky9.2.1.20_Ensure_X_window_server_services_are_not_in_use:def:1
- Title: Ensure X window server services are not in use
- oval:simp.cis.2.0.0.Rocky9.2.1.21_Ensure_mail_transfer_agents_are_configured_for_local-only_mode:def:1
- Title: Ensure mail transfer agents are configured for local-only mode
- oval:simp.cis.2.0.0.Rocky9.2.1.22_Ensure_only_approved_services_are_listening_on_a_network_interface:def:1
- Title: Ensure only approved services are listening on a network interface
- oval:simp.cis.2.0.0.Rocky9.2.1.2_Ensure_avahi_daemon_services_are_not_in_use:def:1
- Title: Ensure avahi daemon services are not in use
- oval:simp.cis.2.0.0.Rocky9.2.1.3_Ensure_dhcp_server_services_are_not_in_use:def:1
- Title: Ensure dhcp server services are not in use
- oval:simp.cis.2.0.0.Rocky9.2.1.4_Ensure_dns_server_services_are_not_in_use:def:1
- Title: Ensure dns server services are not in use
- oval:simp.cis.2.0.0.Rocky9.2.1.5_Ensure_dnsmasq_services_are_not_in_use:def:1
- Title: Ensure dnsmasq services are not in use
- oval:simp.cis.2.0.0.Rocky9.2.1.6_Ensure_samba_file_server_services_are_not_in_use:def:1
- Title: Ensure samba file server services are not in use
- oval:simp.cis.2.0.0.Rocky9.2.1.7_Ensure_ftp_server_services_are_not_in_use:def:1
- Title: Ensure ftp server services are not in use
- oval:simp.cis.2.0.0.Rocky9.2.1.8_Ensure_message_access_server_services_are_not_in_use:def:1
- Title: Ensure message access server services are not in use
- oval:simp.cis.2.0.0.Rocky9.2.1.9_Ensure_network_file_system_services_are_not_in_use:def:1
- Title: Ensure network file system services are not in use
- oval:simp.cis.2.0.0.Rocky9.2.2.1_Ensure_ftp_client_is_not_installed:def:1
- Title: Ensure ftp client is not installed
- oval:simp.cis.2.0.0.Rocky9.2.2.2_Ensure_ldap_client_is_not_installed:def:1
- Title: Ensure ldap client is not installed
- oval:simp.cis.2.0.0.Rocky9.2.2.3_Ensure_nis_client_is_not_installed:def:1
- Title: Ensure nis client is not installed
- oval:simp.cis.2.0.0.Rocky9.2.2.4_Ensure_telnet_client_is_not_installed:def:1
- Title: Ensure telnet client is not installed
- oval:simp.cis.2.0.0.Rocky9.2.2.5_Ensure_tftp_client_is_not_installed:def:1
- Title: Ensure tftp client is not installed
- oval:simp.cis.2.0.0.Rocky9.2.3.1_Ensure_time_synchronization_is_in_use:def:1
- Title: Ensure time synchronization is in use
- NOTE: We are configuring the system to use ntpd instead of chrony.
- oval:simp.cis.2.0.0.Rocky9.2.3.2_Ensure_chrony_is_configured:def:1
- Title: Ensure chrony is configured
- NOTE: We are configuring the system to use ntpd instead of chrony.
- oval:simp.cis.2.0.0.Rocky9.2.3.3_Ensure_chrony_is_not_run_as_the_root_user:def:1
- Title: Ensure chrony is not run as the root user
- oval:simp.cis.2.0.0.Rocky9.2.4.1.1_Ensure_cron_daemon_is_enabled_and_active:def:1
- Title: Ensure cron daemon is enabled and active
- oval:simp.cis.2.0.0.Rocky9.2.4.1.2_Ensure_permissions_on_etccrontab_are_configured:def:1
- Title: Ensure permissions on /etc/crontab are configured
- oval:simp.cis.2.0.0.Rocky9.2.4.1.3_Ensure_permissions_on_etccron.hourly_are_configured:def:1
- Title: Ensure permissions on /etc/cron.hourly are configured
- oval:simp.cis.2.0.0.Rocky9.2.4.1.4_Ensure_permissions_on_etccron.daily_are_configured:def:1
- Title: Ensure permissions on /etc/cron.daily are configured
- oval:simp.cis.2.0.0.Rocky9.2.4.1.5_Ensure_permissions_on_etccron.weekly_are_configured:def:1
- Title: Ensure permissions on /etc/cron.weekly are configured
- oval:simp.cis.2.0.0.Rocky9.2.4.1.6_Ensure_permissions_on_etccron.monthly_are_configured:def:1
- Title: Ensure permissions on /etc/cron.monthly are configured
- oval:simp.cis.2.0.0.Rocky9.2.4.1.7_Ensure_permissions_on_etccron.d_are_configured:def:1
- Title: Ensure permissions on /etc/cron.d are configured
- oval:simp.cis.2.0.0.Rocky9.2.4.1.8_Ensure_crontab_is_restricted_to_authorized_users:def:1
- Title: Ensure crontab is restricted to authorized users
- NOTE: Simply including the cron module is enough to restrict access via cron.allow; cron.deny will be removed if it exists.
- oval:simp.cis.2.0.0.Rocky9.2.4.2.1_Ensure_at_is_restricted_to_authorized_users:def:1
- Title: Ensure at is restricted to authorized users
- NOTE: Simply including the at module is enough to restrict access via at.allow; at.deny will be removed if it exists.
- oval:simp.cis.2.0.0.Rocky9.3.1.1_Ensure_IPv6_status_is_identified:def:1
- Title: Ensure IPv6 status is identified
- NOTE: This rule is more of a system audit than hard guidance. Should IPv6 actually be enabled, some additional configuration should happen, which the product takes care of by default.
- oval:simp.cis.2.0.0.Rocky9.3.1.2_Ensure_wireless_interfaces_are_disabled:def:1
- Title: Ensure wireless interfaces are disabled
- oval:simp.cis.2.0.0.Rocky9.3.1.3_Ensure_bluetooth_services_are_not_in_use:def:1
- Title: Ensure bluetooth services are not in use
- oval:simp.cis.2.0.0.Rocky9.3.2.1_Ensure_dccp_kernel_module_is_not_available:def:1
- Title: Ensure dccp kernel module is not available
- oval:simp.cis.2.0.0.Rocky9.3.2.2_Ensure_tipc_kernel_module_is_not_available:def:1
- Title: Ensure tipc kernel module is not available
- oval:simp.cis.2.0.0.Rocky9.3.2.3_Ensure_rds_kernel_module_is_not_available:def:1
- Title: Ensure rds kernel module is not available
- oval:simp.cis.2.0.0.Rocky9.3.2.4_Ensure_sctp_kernel_module_is_not_available:def:1
- Title: Ensure sctp kernel module is not available
- oval:simp.cis.2.0.0.Rocky9.3.3.10_Ensure_tcp_syn_cookies_is_enabled:def:1
- Title: Ensure tcp syn cookies is enabled
- oval:simp.cis.2.0.0.Rocky9.3.3.11_Ensure_ipv6_router_advertisements_are_not_accepted:def:1
- Title: Ensure ipv6 router advertisements are not accepted
- oval:simp.cis.2.0.0.Rocky9.3.3.1_Ensure_ip_forwarding_is_disabled:def:1
- Title: Ensure ip forwarding is disabled
- oval:simp.cis.2.0.0.Rocky9.3.3.2_Ensure_packet_redirect_sending_is_disabled:def:1
- Title: Ensure packet redirect sending is disabled
- oval:simp.cis.2.0.0.Rocky9.3.3.3_Ensure_bogus_icmp_responses_are_ignored:def:1
- Title: Ensure bogus icmp responses are ignored
- oval:simp.cis.2.0.0.Rocky9.3.3.4_Ensure_broadcast_icmp_requests_are_ignored:def:1
- Title: Ensure broadcast icmp requests are ignored
- oval:simp.cis.2.0.0.Rocky9.3.3.5_Ensure_icmp_redirects_are_not_accepted:def:1
- Title: Ensure icmp redirects are not accepted
- oval:simp.cis.2.0.0.Rocky9.3.3.6_Ensure_secure_icmp_redirects_are_not_accepted:def:1
- Title: Ensure secure icmp redirects are not accepted
- oval:simp.cis.2.0.0.Rocky9.3.3.7_Ensure_reverse_path_filtering_is_enabled:def:1
- Title: Ensure reverse path filtering is enabled
- NOTE: The correct values will be set in the running configuration, /etc/sysctl.d/99-sysctl.conf, and /usr/lib/sysctl.d/50-redhat.conf. However, /usr/lib/sysctl.d/50-default.conf will not be configured. If this isn’t changed manually, the check for the rule will fail even though this value will be ignored when the value is set in the running configuration and the other files listed.
- oval:simp.cis.2.0.0.Rocky9.3.3.8_Ensure_source_routed_packets_are_not_accepted:def:1
- Title: Ensure source routed packets are not accepted
- oval:simp.cis.2.0.0.Rocky9.3.3.9_Ensure_suspicious_packets_are_logged:def:1
- Title: Ensure suspicious packets are logged
- oval:simp.cis.2.0.0.Rocky9.4.1.1_Ensure_nftables_is_installed:def:1
- Title: Ensure nftables is installed
- oval:simp.cis.2.0.0.Rocky9.4.1.2_Ensure_a_single_firewall_configuration_utility_is_in_use:def:1
- Title: Ensure a single firewall configuration utility is in use
- oval:simp.cis.2.0.0.Rocky9.4.2.1_Ensure_firewalld_drops_unnecessary_services_and_ports:def:1
- Title: Ensure firewalld drops unnecessary services and ports
- oval:simp.cis.2.0.0.Rocky9.4.2.2_Ensure_firewalld_loopback_traffic_is_configured:def:1
- Title: Ensure firewalld loopback traffic is configured
- NOTE: Only applies when nftables is used as the firewall provider
- oval:simp.cis.2.0.0.Rocky9.4.3.1_Ensure_nftables_base_chains_exist:def:1
- Title: Ensure nftables base chains exist
- NOTE: Only applies when nftables is used as the firewall provider
- oval:simp.cis.2.0.0.Rocky9.4.3.2_Ensure_nftables_established_connections_are_configured:def:1
- Title: Ensure nftables established connections are configured
- NOTE: Only applies when iptables is used as the firewall provider
- oval:simp.cis.2.0.0.Rocky9.4.3.3_Ensure_nftables_default_deny_firewall_policy:def:1
- Title: Ensure nftables default deny firewall policy
- NOTE: Only applies when nftables is used as the firewall provider
- oval:simp.cis.2.0.0.Rocky9.4.3.4_Ensure_nftables_loopback_traffic_is_configured:def:1
- Title: Ensure nftables loopback traffic is configured
- NOTE: Only applies when nftables is used as the firewall provider
- oval:simp.cis.2.0.0.Rocky9.5.1.10_Ensure_sshd_DisableForwarding_is_enabled:def:1
- Title: Ensure sshd DisableForwarding is enabled
- oval:simp.cis.2.0.0.Rocky9.5.1.11_Ensure_sshd_GSSAPIAuthentication_is_disabled:def:1
- Title: Ensure sshd GSSAPIAuthentication is disabled
- oval:simp.cis.2.0.0.Rocky9.5.1.12_Ensure_sshd_HostbasedAuthentication_is_disabled:def:1
- Title: Ensure sshd HostbasedAuthentication is disabled
- oval:simp.cis.2.0.0.Rocky9.5.1.13_Ensure_sshd_IgnoreRhosts_is_enabled:def:1
- Title: Ensure sshd IgnoreRhosts is enabled
- oval:simp.cis.2.0.0.Rocky9.5.1.14_Ensure_sshd_LoginGraceTime_is_configured:def:1
- Title: Ensure sshd LoginGraceTime is configured
- oval:simp.cis.2.0.0.Rocky9.5.1.15_Ensure_sshd_LogLevel_is_configured:def:1
- Title: Ensure sshd LogLevel is configured
- oval:simp.cis.2.0.0.Rocky9.5.1.16_Ensure_sshd_MaxAuthTries_is_configured:def:1
- Title: Ensure sshd MaxAuthTries is configured
- oval:simp.cis.2.0.0.Rocky9.5.1.17_Ensure_sshd_MaxStartups_is_configured:def:1
- Title: Ensure sshd MaxStartups is configured
- oval:simp.cis.2.0.0.Rocky9.5.1.18_Ensure_sshd_MaxSessions_is_configured:def:1
- Title: Ensure sshd MaxSessions is configured
- oval:simp.cis.2.0.0.Rocky9.5.1.19_Ensure_sshd_PermitEmptyPasswords_is_disabled:def:1
- Title: Ensure sshd PermitEmptyPasswords is disabled
- oval:simp.cis.2.0.0.Rocky9.5.1.1_Ensure_permissions_on_etcsshsshd_config_are_configured:def:1
- Title: Ensure permissions on /etc/ssh/sshd_config are configured
- oval:simp.cis.2.0.0.Rocky9.5.1.20_Ensure_sshd_PermitRootLogin_is_disabled:def:1
- Title: Ensure sshd PermitRootLogin is disabled
- oval:simp.cis.2.0.0.Rocky9.5.1.21_Ensure_sshd_PermitUserEnvironment_is_disabled:def:1
- Title: Ensure sshd PermitUserEnvironment is disabled
- oval:simp.cis.2.0.0.Rocky9.5.1.22_Ensure_sshd_UsePAM_is_enabled:def:1
- Title: Ensure sshd UsePAM is enabled
- oval:simp.cis.2.0.0.Rocky9.5.1.2_Ensure_permissions_on_SSH_private_host_key_files_are_configured:def:1
- Title: Ensure permissions on SSH private host key files are configured
- oval:simp.cis.2.0.0.Rocky9.5.1.3_Ensure_permissions_on_SSH_public_host_key_files_are_configured:def:1
- Title: Ensure permissions on SSH public host key files are configured
- oval:simp.cis.2.0.0.Rocky9.5.1.4_Ensure_sshd_Ciphers_are_configured:def:1
- Title: Ensure sshd Ciphers are configured
- oval:simp.cis.2.0.0.Rocky9.5.1.5_Ensure_sshd_KexAlgorithms_is_configured:def:1
- Title: Ensure sshd KexAlgorithms is configured
- oval:simp.cis.2.0.0.Rocky9.5.1.6_Ensure_sshd_MACs_are_configured:def:1
- Title: Ensure sshd MACs are configured
- NOTE: This can fail because included crypto-policies may contain newly found insecure MACs.
- oval:simp.cis.2.0.0.Rocky9.5.1.7_Ensure_sshd_access_is_configured:def:1
- Title: Ensure sshd access is configured
- NOTE: The product cannot make assumptions on which users/groups require access to ssh on specific machines. The user will have to determine this and configure accordingly using one of the following methods in hieradata:

      ssh::server::conf::allowusers:
        - user1
        - user2
      ssh::server::conf::allowgroups:
        - group1
        - group2
      ssh::server::conf::denyusers:
        - user3
      ssh::server::conf::denygroups:
        - group3
- oval:simp.cis.2.0.0.Rocky9.5.1.8_Ensure_sshd_Banner_is_configured:def:1
- Title: Ensure sshd Banner is configured
- oval:simp.cis.2.0.0.Rocky9.5.1.9_Ensure_sshd_ClientAliveInterval_and_ClientAliveCountMax_are_configured:def:1
- Title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured
- oval:simp.cis.2.0.0.Rocky9.5.2.1_Ensure_sudo_is_installed:def:1
- Title: Ensure sudo is installed
- oval:simp.cis.2.0.0.Rocky9.5.2.2_Ensure_sudo_commands_use_pty:def:1
- Title: Ensure sudo commands use pty
- oval:simp.cis.2.0.0.Rocky9.5.2.3_Ensure_sudo_log_file_exists:def:1
- Title: Ensure sudo log file exists
- oval:simp.cis.2.0.0.Rocky9.5.2.6_Ensure_sudo_authentication_timeout_is_configured_correctly:def:1
- Title: Ensure sudo authentication timeout is configured correctly
- oval:simp.cis.2.0.0.Rocky9.5.2.7_Ensure_access_to_the_su_command_is_restricted:def:1
- Title: Ensure access to the su command is restricted
- oval:simp.cis.2.0.0.Rocky9.5.3.1.1_Ensure_latest_version_of_pam_is_installed:def:1
- Title: Ensure latest version of pam is installed
- oval:simp.cis.2.0.0.Rocky9.5.3.1.2_Ensure_latest_version_of_authselect_is_installed:def:1
- Title: Ensure latest version of authselect is installed
- oval:simp.cis.2.0.0.Rocky9.5.3.1.3_Ensure_latest_version_of_libpwquality_is_installed:def:1
- Title: Ensure latest version of libpwquality is installed
- oval:simp.cis.2.0.0.Rocky9.5.3.2.1_Ensure_active_authselect_profile_includes_pam_modules:def:1
- Title: Ensure active authselect profile includes pam modules
- NOTE: Pam is in use, however, the regex used to test for this line existing isn’t picking up the format we’re using for the line including the module.
- oval:simp.cis.2.0.0.Rocky9.5.3.2.2_Ensure_pam_faillock_module_is_enabled:def:1
- Title: Ensure pam_faillock module is enabled
- NOTE: The pam faillock module is in use, however, the regex used to test for this line existing isn’t picking up the format we’re using for the line including the module.
- oval:simp.cis.2.0.0.Rocky9.5.3.2.3_Ensure_pam_pwquality_module_is_enabled:def:1
- Title: Ensure pam_pwquality module is enabled
- oval:simp.cis.2.0.0.Rocky9.5.3.2.4_Ensure_pam_pwhistory_module_is_enabled:def:1
- Title: Ensure pam_pwhistory module is enabled
- oval:simp.cis.2.0.0.Rocky9.5.3.2.5_Ensure_pam_unix_module_is_enabled:def:1
- Title: Ensure pam_unix module is enabled
- NOTE: The pam unix module is in use, however, the regex used to test for this line existing isn’t picking up the format we’re using for the line including the module.
- oval:simp.cis.2.0.0.Rocky9.5.3.3.1.1_Ensure_password_failed_attempts_lockout_is_configured:def:1
- Title: Ensure password failed attempts lockout is configured
- oval:simp.cis.2.0.0.Rocky9.5.3.3.1.2_Ensure_password_unlock_time_is_configured:def:1
- Title: Ensure password unlock time is configured
- oval:simp.cis.2.0.0.Rocky9.5.3.3.1.3_Ensure_password_failed_attempts_lockout_includes_root_account:def:1
- Title: Ensure password failed attempts lockout includes root account
- oval:simp.cis.2.0.0.Rocky9.5.3.3.2.1_Ensure_password_number_of_changed_characters_is_configured:def:1
- Title: Ensure password number of changed characters is configured
- oval:simp.cis.2.0.0.Rocky9.5.3.3.2.2_Ensure_password_length_is_configured:def:1
- Title: Ensure password length is configured
- oval:simp.cis.2.0.0.Rocky9.5.3.3.2.3_Ensure_password_complexity_is_configured:def:1
- Title: Ensure password complexity is configured
- oval:simp.cis.2.0.0.Rocky9.5.3.3.2.4_Ensure_password_same_consecutive_characters_is_configured:def:1
- Title: Ensure password same consecutive characters is configured
- oval:simp.cis.2.0.0.Rocky9.5.3.3.2.5_Ensure_password_maximum_sequential_characters_is_configured:def:1
- Title: Ensure password maximum sequential characters is configured
- oval:simp.cis.2.0.0.Rocky9.5.3.3.2.6_Ensure_password_dictionary_check_is_enabled:def:1
- Title: Ensure password dictionary check is enabled
- oval:simp.cis.2.0.0.Rocky9.5.3.3.2.7_Ensure_password_quality_is_enforced_for_the_root_user:def:1
- Title: Ensure password quality is enforced for the root user
- NOTE: The password quality will be enforced for root on the ‘password requisite pam_pwquality.so’ lines of /etc/pam.d/system-auth and /etc/pam.d/password-auth. This check will fail because the assessor does not check in this location, it expects it to show up in /etc/security/pwquality.conf.
- oval:simp.cis.2.0.0.Rocky9.5.3.3.3.1_Ensure_password_history_remember_is_configured:def:1
- Title: Ensure password history remember is configured
- oval:simp.cis.2.0.0.Rocky9.5.3.3.3.2_Ensure_password_history_is_enforced_for_the_root_user:def:1
- Title: Ensure password history is enforced for the root user
- oval:simp.cis.2.0.0.Rocky9.5.3.3.3.3_Ensure_pam_pwhistory_includes_use_authtok:def:1
- Title: Ensure pam_pwhistory includes use_authtok
- oval:simp.cis.2.0.0.Rocky9.5.3.3.4.1_Ensure_pam_unix_does_not_include_nullok:def:1
- Title: Ensure pam_unix does not include nullok
- oval:simp.cis.2.0.0.Rocky9.5.3.3.4.2_Ensure_pam_unix_does_not_include_remember:def:1
- Title: Ensure pam_unix does not include remember
- oval:simp.cis.2.0.0.Rocky9.5.3.3.4.3_Ensure_pam_unix_includes_a_strong_password_hashing_algorithm:def:1
- Title: Ensure pam_unix includes a strong password hashing algorithm
- oval:simp.cis.2.0.0.Rocky9.5.3.3.4.4_Ensure_pam_unix_includes_use_authtok:def:1
- Title: Ensure pam_unix includes use_authtok
- oval:simp.cis.2.0.0.Rocky9.5.4.1.1_Ensure_password_expiration_is_configured:def:1
- Title: Ensure password expiration is configured
- NOTE: The product sets PASS_MAX_DAYS in /etc/login.defs, however, there is currently no mechanism to enforce the setting for existing users in /etc/shadow.
- oval:simp.cis.2.0.0.Rocky9.5.4.1.2_Ensure_minimum_password_days_is_configured:def:1
- Title: Ensure minimum password days is configured
- NOTE: PASS_MIN_DAYS is set to 1 in /etc/login.defs as requested and all non-system users will be corrected if they are not set correctly, however, the product does not manage the root or system accounts in this regard. Changing password settings on the system accounts could be dangerous for the system.
- oval:simp.cis.2.0.0.Rocky9.5.4.1.3_Ensure_password_expiration_warning_days_is_configured:def:1
- Title: Ensure password expiration warning days is configured
- oval:simp.cis.2.0.0.Rocky9.5.4.1.4_Ensure_strong_password_hashing_algorithm_is_configured:def:1
- Title: Ensure strong password hashing algorithm is configured
- oval:simp.cis.2.0.0.Rocky9.5.4.1.5_Ensure_inactive_password_lock_is_configured:def:1
- Title: Ensure inactive password lock is configured
- NOTE: The system will be configured to make accounts inactive after 30 days of inactivity, however, the product has no mechanism to change this value on existing users.
- oval:simp.cis.2.0.0.Rocky9.5.4.1.6_Ensure_all_users_last_password_change_date_is_in_the_past:def:1
- Title: Ensure all users last password change date is in the past
- oval:simp.cis.2.0.0.Rocky9.5.4.2.1_Ensure_root_is_the_only_UID_0_account:def:1
- Title: Ensure root is the only UID 0 account
- oval:simp.cis.2.0.0.Rocky9.5.4.2.2_Ensure_root_is_the_only_GID_0_account:def:1
- Title: Ensure root is the only GID 0 account
- oval:simp.cis.2.0.0.Rocky9.5.4.2.3_Ensure_group_root_is_the_only_GID_0_group:def:1
- Title: Ensure group root is the only GID 0 group
- oval:simp.cis.2.0.0.Rocky9.5.4.2.5_Ensure_root_path_integrity:def:1
- Title: Ensure root path integrity
- NOTE: The check for this can fail for various reasons, including the common practice of setting the path to include user-customized directories that may not exist.
- oval:simp.cis.2.0.0.Rocky9.5.4.2.6_Ensure_root_user_umask_is_configured:def:1
- Title: Ensure root user umask is configured
- oval:simp.cis.2.0.0.Rocky9.5.4.2.7_Ensure_system_accounts_do_not_have_a_valid_login_shell:def:1
- Title: Ensure system accounts do not have a valid login shell
- oval:simp.cis.2.0.0.Rocky9.5.4.2.8_Ensure_accounts_without_a_valid_login_shell_are_locked:def:1
- Title: Ensure accounts without a valid login shell are locked
- oval:simp.cis.2.0.0.Rocky9.5.4.3.1_Ensure_nologin_is_not_listed_in_etcshells:def:1
- Title: Ensure nologin is not listed in /etc/shells
- oval:simp.cis.2.0.0.Rocky9.5.4.3.2_Ensure_default_user_shell_timeout_is_configured:def:1
- Title: Ensure default user shell timeout is configured
- NOTE: The scanner fails to pick up on the format the product uses for setting the timeout: `[ $TMOUT ] || export TMOUT=900`. The setting is also set in a nonstandard location: /etc/profile.d/simp.sh.
- oval:simp.cis.2.0.0.Rocky9.5.4.3.3_Ensure_default_user_umask_is_configured:def:1
- Title: Ensure default user umask is configured
- oval:simp.cis.2.0.0.Rocky9.6.1.1_Ensure_AIDE_is_installed:def:1
- Title: Ensure AIDE is installed
- oval:simp.cis.2.0.0.Rocky9.6.1.2_Ensure_filesystem_integrity_is_regularly_checked:def:1
- Title: Ensure filesystem integrity is regularly checked
- oval:simp.cis.2.0.0.Rocky9.6.1.3_Ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools:def:1
- Title: Ensure cryptographic mechanisms are used to protect the integrity of audit tools
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide, however, the scanner only looks for files that end in .conf in the aide.conf.d directory so the scan will fail.
- oval:simp.cis.2.0.0.Rocky9.6.2.1.1_Ensure_journald_service_is_enabled_and_active:def:1
- Title: Ensure journald service is enabled and active
- NOTE: Simply including the journald class will include a default journald configuration and ensure the service is enabled.
- oval:simp.cis.2.0.0.Rocky9.6.2.2.1.1_Ensure_systemd-journal-remote_is_installed:def:1
- Title: Ensure systemd-journal-remote is installed
- oval:simp.cis.2.0.0.Rocky9.6.2.2.1.2_Ensure_systemd-journal-upload_authentication_is_configured:def:1
- Title: Ensure systemd-journal-upload authentication is configured
- oval:simp.cis.2.0.0.Rocky9.6.2.2.1.3_Ensure_systemd-journal-upload_is_enabled_and_active:def:1
- Title: Ensure systemd-journal-upload is enabled and active
- oval:simp.cis.2.0.0.Rocky9.6.2.2.1.4_Ensure_systemd-journal-remote_service_is_not_in_use:def:1
- Title: Ensure systemd-journal-remote service is not in use
- oval:simp.cis.2.0.0.Rocky9.6.2.2.2_Ensure_journald_ForwardToSyslog_is_disabled:def:1
- Title: Ensure journald ForwardToSyslog is disabled
- oval:simp.cis.2.0.0.Rocky9.6.2.2.3_Ensure_journald_Compress_is_configured:def:1
- Title: Ensure journald Compress is configured
- oval:simp.cis.2.0.0.Rocky9.6.2.2.4_Ensure_journald_Storage_is_configured:def:1
- Title: Ensure journald Storage is configured
- oval:simp.cis.2.0.0.Rocky9.6.2.3.1_Ensure_rsyslog_is_installed:def:1
- Title: Ensure rsyslog is installed
- oval:simp.cis.2.0.0.Rocky9.6.2.3.2_Ensure_rsyslog_service_is_enabled_and_active:def:1
- Title: Ensure rsyslog service is enabled and active
- oval:simp.cis.2.0.0.Rocky9.6.2.3.4_Ensure_rsyslog_log_file_creation_mode_is_configured:def:1
- Title: Ensure rsyslog log file creation mode is configured
- oval:simp.cis.2.0.0.Rocky9.6.2.3.5_Ensure_rsyslog_logging_is_configured:def:1
- Title: Ensure rsyslog logging is configured
- oval:simp.cis.2.0.0.Rocky9.6.2.3.7_Ensure_rsyslog_is_not_configured_to_receive_logs_from_a_remote_client:def:1
- Title: Ensure rsyslog is not configured to receive logs from a remote client
- NOTE: Including the product’s rsyslog class will purge any rsyslog configuration not specified by the user in hieradata or by other rules that require specific rsyslog configuration.
- oval:simp.cis.2.0.0.Rocky9.6.3.1.1_Ensure_auditd_packages_are_installed:def:1
- Title: Ensure auditd packages are installed
- oval:simp.cis.2.0.0.Rocky9.6.3.1.2_Ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled:def:1
- Title: Ensure auditing for processes that start prior to auditd is enabled
- NOTE: This value is set in /etc/default/grub; however, the scanner does not check for the value there.
- oval:simp.cis.2.0.0.Rocky9.6.3.1.3_Ensure_audit_backlog_limit_is_sufficient:def:1
- Title: Ensure audit_backlog_limit is sufficient
- oval:simp.cis.2.0.0.Rocky9.6.3.1.4_Ensure_auditd_service_is_enabled_and_active:def:1
- Title: Ensure auditd service is enabled and active
- oval:simp.cis.2.0.0.Rocky9.6.3.2.1_Ensure_audit_log_storage_size_is_configured:def:1
- Title: Ensure audit log storage size is configured
- oval:simp.cis.2.0.0.Rocky9.6.3.2.2_Ensure_audit_logs_are_not_automatically_deleted:def:1
- Title: Ensure audit logs are not automatically deleted
- oval:simp.cis.2.0.0.Rocky9.6.3.2.3_Ensure_system_is_disabled_when_audit_logs_are_full:def:1
- Title: Ensure system is disabled when audit logs are full
- oval:simp.cis.2.0.0.Rocky9.6.3.2.4_Ensure_system_warns_when_audit_logs_are_low_on_space:def:1
- Title: Ensure system warns when audit logs are low on space
- oval:simp.cis.2.0.0.Rocky9.6.3.3.10_Ensure_successful_file_system_mounts_are_collected:def:1
- Title: Ensure successful file system mounts are collected
- oval:simp.cis.2.0.0.Rocky9.6.3.3.11_Ensure_session_initiation_information_is_collected:def:1
- Title: Ensure session initiation information is collected
- oval:simp.cis.2.0.0.Rocky9.6.3.3.12_Ensure_login_and_logout_events_are_collected:def:1
- Title: Ensure login and logout events are collected
- oval:simp.cis.2.0.0.Rocky9.6.3.3.13_Ensure_file_deletion_events_by_users_are_collected:def:1
- Title: Ensure file deletion events by users are collected
- oval:simp.cis.2.0.0.Rocky9.6.3.3.14_Ensure_events_that_modify_the_systems_Mandatory_Access_Controls_are_collected:def:1
- Title: Ensure events that modify the system’s Mandatory Access Controls are collected
- oval:simp.cis.2.0.0.Rocky9.6.3.3.15_Ensure_successful_and_unsuccessful_attempts_to_use_the_chcon_command_are_collected:def:1
- Title: Ensure successful and unsuccessful attempts to use the chcon command are collected
- oval:simp.cis.2.0.0.Rocky9.6.3.3.16_Ensure_successful_and_unsuccessful_attempts_to_use_the_setfacl_command_are_collected:def:1
- Title: Ensure successful and unsuccessful attempts to use the setfacl command are collected
- oval:simp.cis.2.0.0.Rocky9.6.3.3.17_Ensure_successful_and_unsuccessful_attempts_to_use_the_chacl_command_are_collected:def:1
- Title: Ensure successful and unsuccessful attempts to use the chacl command are collected
- oval:simp.cis.2.0.0.Rocky9.6.3.3.18_Ensure_successful_and_unsuccessful_attempts_to_use_the_usermod_command_are_collected:def:1
- Title: Ensure successful and unsuccessful attempts to use the usermod command are collected
- oval:simp.cis.2.0.0.Rocky9.6.3.3.19_Ensure_kernel_module_loading_unloading_and_modification_is_collected:def:1
- Title: Ensure kernel module loading unloading and modification is collected
- oval:simp.cis.2.0.0.Rocky9.6.3.3.1_Ensure_changes_to_system_administration_scope_sudoers_is_collected:def:1
- Title: Ensure changes to system administration scope (sudoers) is collected
- oval:simp.cis.2.0.0.Rocky9.6.3.3.20_Ensure_the_audit_configuration_is_immutable:def:1
- Title: Ensure the audit configuration is immutable
- oval:simp.cis.2.0.0.Rocky9.6.3.3.21_Ensure_the_running_and_on_disk_configuration_is_the_same:def:1
- Title: Ensure the running and on disk configuration is the same
- NOTE: Including the audit class will force the system to check the expected rule set against what is on the disk. If there are discrepancies, the rules will be changed to the expected state and the service will be restarted, which ensures the rules on disk are the same as the running rules.
- oval:simp.cis.2.0.0.Rocky9.6.3.3.2_Ensure_actions_as_another_user_are_always_logged:def:1
- Title: Ensure actions as another user are always logged
- oval:simp.cis.2.0.0.Rocky9.6.3.3.3_Ensure_events_that_modify_the_sudo_log_file_are_collected:def:1
- Title: Ensure events that modify the sudo log file are collected
- oval:simp.cis.2.0.0.Rocky9.6.3.3.4_Ensure_events_that_modify_date_and_time_information_are_collected:def:1
- Title: Ensure events that modify date and time information are collected
- NOTE: The rule for this will look for the audit rules in /etc/audit/rules.d/50-time-change.rules; however, all custom audit rules specified in the product will live in /etc/audit/rules.d/50-time-change.rules.
- oval:simp.cis.2.0.0.Rocky9.6.3.3.5_Ensure_events_that_modify_the_systems_network_environment_are_collected:def:1
- Title: Ensure events that modify the system’s network environment are collected
- oval:simp.cis.2.0.0.Rocky9.6.3.3.6_Ensure_use_of_privileged_commands_are_collected:def:1
- Title: Ensure use of privileged commands are collected
- NOTE: The available setuid/setgid commands on a given system could vary greatly. Several of the more common commands are audited, but there is currently no automated way to identify and audit all possible setuid/setgid commands available on any given system.
- oval:simp.cis.2.0.0.Rocky9.6.3.3.7_Ensure_unsuccessful_file_access_attempts_are_collected:def:1
- Title: Ensure unsuccessful file access attempts are collected
- oval:simp.cis.2.0.0.Rocky9.6.3.3.8_Ensure_events_that_modify_usergroup_information_are_collected:def:1
- Title: Ensure events that modify user/group information are collected
- oval:simp.cis.2.0.0.Rocky9.6.3.3.9_Ensure_discretionary_access_control_permission_modification_events_are_collected:def:1
- Title: Ensure discretionary access control permission modification events are collected
- oval:simp.cis.2.0.0.Rocky9.6.3.4.10_Ensure_audit_tools_group_owner_is_configured:def:1
- Title: Ensure audit tools group owner is configured
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide; however, the scanner only looks for files ending in .conf in the aide.conf.d directory, so the scan will fail.
- oval:simp.cis.2.0.0.Rocky9.6.3.4.1_Ensure_the_audit_log_file_directory_mode_is_configured:def:1
- Title: Ensure the audit log file directory mode is configured
- oval:simp.cis.2.0.0.Rocky9.6.3.4.2_Ensure_audit_log_files_mode_is_configured:def:1
- Title: Ensure audit log files mode is configured
- oval:simp.cis.2.0.0.Rocky9.6.3.4.3_Ensure_audit_log_files_owner_is_configured:def:1
- Title: Ensure audit log files owner is configured
- oval:simp.cis.2.0.0.Rocky9.6.3.4.4_Ensure_audit_log_files_group_owner_is_configured:def:1
- Title: Ensure audit log files group owner is configured
- oval:simp.cis.2.0.0.Rocky9.6.3.4.5_Ensure_audit_configuration_files_mode_is_configured:def:1
- Title: Ensure audit configuration files mode is configured
- NOTE: This will fail even if all of the configuration files in question are owned by the root group.
- oval:simp.cis.2.0.0.Rocky9.6.3.4.6_Ensure_audit_configuration_files_owner_is_configured:def:1
- Title: Ensure audit configuration files owner is configured
- NOTE: This will fail even if all of the configuration files in question are owned by the root group.
- oval:simp.cis.2.0.0.Rocky9.6.3.4.7_Ensure_audit_configuration_files_group_owner_is_configured:def:1
- Title: Ensure audit configuration files group owner is configured
- NOTE: This will fail even if all of the configuration files in question are owned by the root group.
- oval:simp.cis.2.0.0.Rocky9.6.3.4.8_Ensure_audit_tools_mode_is_configured:def:1
- Title: Ensure audit tools mode is configured
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide; however, the scanner only looks for files ending in .conf in the aide.conf.d directory, so the scan will fail.
- oval:simp.cis.2.0.0.Rocky9.6.3.4.9_Ensure_audit_tools_owner_is_configured:def:1
- Title: Ensure audit tools owner is configured
- NOTE: The product writes the rules for checking the system’s audit tools into /etc/aide.conf.d/audit_config.aide; however, the scanner only looks for files ending in .conf in the aide.conf.d directory, so the scan will fail.
- oval:simp.cis.2.0.0.Rocky9.7.1.10_Ensure_permissions_on_etcsecurityopasswd_are_configured:def:1
- Title: Ensure permissions on /etc/security/opasswd are configured
- oval:simp.cis.2.0.0.Rocky9.7.1.1_Ensure_permissions_on_etcpasswd_are_configured:def:1
- Title: Ensure permissions on /etc/passwd are configured
- oval:simp.cis.2.0.0.Rocky9.7.1.2_Ensure_permissions_on_etcpasswd-_are_configured:def:1
- Title: Ensure permissions on /etc/passwd- are configured
- oval:simp.cis.2.0.0.Rocky9.7.1.3_Ensure_permissions_on_etcgroup_are_configured:def:1
- Title: Ensure permissions on /etc/group are configured
- oval:simp.cis.2.0.0.Rocky9.7.1.4_Ensure_permissions_on_etcgroup-_are_configured:def:1
- Title: Ensure permissions on /etc/group- are configured
- oval:simp.cis.2.0.0.Rocky9.7.1.5_Ensure_permissions_on_etcshadow_are_configured:def:1
- Title: Ensure permissions on /etc/shadow are configured
- oval:simp.cis.2.0.0.Rocky9.7.1.6_Ensure_permissions_on_etcshadow-_are_configured:def:1
- Title: Ensure permissions on /etc/shadow- are configured
- oval:simp.cis.2.0.0.Rocky9.7.1.7_Ensure_permissions_on_etcgshadow_are_configured:def:1
- Title: Ensure permissions on /etc/gshadow are configured
- oval:simp.cis.2.0.0.Rocky9.7.1.8_Ensure_permissions_on_etcgshadow-_are_configured:def:1
- Title: Ensure permissions on /etc/gshadow- are configured
- oval:simp.cis.2.0.0.Rocky9.7.1.9_Ensure_permissions_on_etcshells_are_configured:def:1
- Title: Ensure permissions on /etc/shells are configured
- oval:simp.cis.2.0.0.Rocky9.7.2.1_Ensure_accounts_in_etcpasswd_use_shadowed_passwords:def:1
- Title: Ensure accounts in /etc/passwd use shadowed passwords
- oval:simp.cis.2.0.0.Rocky9.7.2.2_Ensure_etcshadow_password_fields_are_not_empty:def:1
- Title: Ensure /etc/shadow password fields are not empty
- oval:simp.cis.2.0.0.Rocky9.7.2.3_Ensure_all_groups_in_etcpasswd_exist_in_etcgroup:def:1
- Title: Ensure all groups in /etc/passwd exist in /etc/group
- oval:simp.cis.2.0.0.Rocky9.7.2.4_Ensure_no_duplicate_UIDs_exist:def:1
- Title: Ensure no duplicate UIDs exist
- oval:simp.cis.2.0.0.Rocky9.7.2.5_Ensure_no_duplicate_GIDs_exist:def:1
- Title: Ensure no duplicate GIDs exist
- oval:simp.cis.2.0.0.Rocky9.7.2.6_Ensure_no_duplicate_user_names_exist:def:1
- Title: Ensure no duplicate user names exist
- oval:simp.cis.2.0.0.Rocky9.7.2.7_Ensure_no_duplicate_group_names_exist:def:1
- Title: Ensure no duplicate group names exist
- oval:simp.cis.2.0.0.Rocky9.7.2.8_Ensure_local_interactive_user_home_directories_are_configured:def:1
- Title: Ensure local interactive user home directories are configured
- oval:simp.cis.2.0.0.Rocky9.7.2.9_Ensure_local_interactive_user_dot_files_access_is_configured:def:1
- Title: Ensure local interactive user dot files access is configured