Coverage - CIS, Linux
CIS CAT Assessor scan results
The following scans were performed on a default installation of the noted Operating System with the SIMP Enterprise profile enforced.
| OS | EE Profile | Scan Type | Benchmark Version | Pass | Fail | Total % | Certification Status |
| --- | --- | --- | --- | --- | --- | --- | --- |
| CentOS 7 | cis:level:1:server | Level 1 - Server | 3.1.2 | 178 | 14 | 93% | Certified |
| CentOS 7 | cis:level:2:server | Level 2 - Server | 3.1.2 | 206 | 19 | 92% | Certified |
| Oracle Linux 7 | cis:level:1:server | Level 1 - Server | 3.1.1 | 183 | 9 | 95% | Certified |
| Oracle Linux 7 | cis:level:2:server | Level 2 - Server | 3.1.1 | 211 | 14 | 94% | Certified |
| Oracle Linux 8 | cis:level:1:server | Level 1 - Server | 2.0.0 | 169 | 34 | 83% | Certified |
| Oracle Linux 8 | cis:level:2:server | Level 2 - Server | 2.0.0 | 191 | 52 | 78% | Certified |
| Red Hat Enterprise 7 | cis:level:1:server | Level 1 - Server | 3.1.2 | 182 | 10 | 94% | Certified |
| Red Hat Enterprise 7 | cis:level:2:server | Level 2 - Server | 3.1.2 | 209 | 16 | 92% | Certified |
| Red Hat Enterprise 8 | cis:level:1:server | Level 1 - Server | 2.0.0 | 168 | 36 | 82% | Certified |
| Red Hat Enterprise 8 | cis:level:2:server | Level 2 - Server | 2.0.0 | 197 | 47 | 80% | Certified |
NOTE: CIS has removed their benchmark for CentOS 8. Enforcement of CIS Level 1 Server and Level 2 Server is still possible through Sicura, but we can no longer scan those profiles.
Control Coverage
The following report details the status of each CIS recommendation in the SIMP EE compliance data.
- Paper policy controls refer to organizational policy requirements and cannot be reasonably enforced by SIMP at this time.
- Mapped controls have enforcement and reporting support.
- Unmapped controls are not supported at this time. A reason for the lack of support is provided for each unmapped control.
Summary
| OS | Unmapped Controls | Paper Policy | Mapped | Total |
| --- | --- | --- | --- | --- |
| CentOS 7 | | 14 (5%) | 232 (94%) | 246 |
| CentOS 8 | | 23 (8%) | 248 (91%) | 271 |
| OracleLinux 7 | | 14 (5%) | 232 (94%) | 246 |
| OracleLinux 8 | | 24 (8%) | 247 (91%) | 271 |
| RedHat 7 | | 15 (6%) | 233 (93%) | 248 |
| RedHat 8 | | 25 (9%) | 247 (90%) | 272 |
Detail
Paper Policy
The following controls require administrative documentation:
CentOS 7 (14/246 [5%])
- oval:simp.cis.3.1.2.CentOS7.1.1.10_Ensure_separate_partition_exists_for_var:def:1
- Ensure separate partition exists for /var
- There is no way to safely change this on a running system.
- oval:simp.cis.3.1.2.CentOS7.1.1.11_Ensure_separate_partition_exists_for_vartmp:def:1
- Ensure separate partition exists for /var/tmp
- There is no way to safely change this on a running system.
- oval:simp.cis.3.1.2.CentOS7.1.1.15_Ensure_separate_partition_exists_for_varlog:def:1
- Ensure separate partition exists for /var/log
- There is no way to safely change this on a running system.
- oval:simp.cis.3.1.2.CentOS7.1.1.16_Ensure_separate_partition_exists_for_varlogaudit:def:1
- Ensure separate partition exists for /var/log/audit
- There is no way to safely change this on a running system.
- oval:simp.cis.3.1.2.CentOS7.1.1.17_Ensure_separate_partition_exists_for_home:def:1
- Ensure separate partition exists for /home
- There is no way to safely change this on a running system.
- oval:simp.cis.3.1.2.CentOS7.1.2.2_Ensure_package_manager_repositories_are_configured:def:1
- Ensure package manager repositories are configured
- Package manager configuration is site-specific.
- oval:simp.cis.3.1.2.CentOS7.1.5.2_Ensure_XDNX_support_is_enabled:def:1
- Ensure XD/NX support is enabled
- We do not support 32-bit kernels. Any additional remediation is at the hardware/BIOS level.
- oval:simp.cis.3.1.2.CentOS7.1.6.1.6_Ensure_no_unconfined_services_exist:def:1
- Ensure no unconfined services exist
- We have no viable method of remediation.
- oval:simp.cis.3.1.2.CentOS7.6.1.1_Audit_system_file_permissions:def:1
- Audit system file permissions
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.3.1.2.CentOS7.6.1.10_Ensure_no_world_writable_files_exist:def:1
- Ensure no world writable files exist
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.3.1.2.CentOS7.6.1.11_Ensure_no_unowned_files_or_directories_exist:def:1
- Ensure no unowned files or directories exist
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.3.1.2.CentOS7.6.1.12_Ensure_no_ungrouped_files_or_directories_exist:def:1
- Ensure no ungrouped files or directories exist
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.3.1.2.CentOS7.6.1.13_Audit_SUID_executables:def:1
- Audit SUID executables
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.3.1.2.CentOS7.6.1.14_Audit_SGID_executables:def:1
- Audit SGID executables
- We do not currently have a mechanism for scanning the filesystem for enforcement.
CentOS 8 (23/271 [8%])
- oval:simp.cis.2.0.0.CentOS8.1.1.3.1_Ensure_separate_partition_exists_for_var:def:1
- Ensure separate partition exists for /var
- There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.CentOS8.1.1.4.1_Ensure_separate_partition_exists_for_vartmp:def:1
- Ensure separate partition exists for /var/tmp
- There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.CentOS8.1.1.5.1_Ensure_separate_partition_exists_for_varlog:def:1
- Ensure separate partition exists for /var/log
- There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.CentOS8.1.1.6.1_Ensure_separate_partition_exists_for_varlogaudit:def:1
- Ensure separate partition exists for /var/log/audit
- There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.CentOS8.1.1.7.1_Ensure_separate_partition_exists_for_home:def:1
- Ensure separate partition exists for /home
- There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.CentOS8.1.1.7.4_Ensure_usrquota_option_set_on_home_partition:def:1
- Ensure usrquota option set on /home partition
- Since mountpoints cannot be safely managed automatically, this option will not be set by the product.
- oval:simp.cis.2.0.0.CentOS8.1.1.7.5_Ensure_grpquota_option_set_on_home_partition:def:1
- Ensure grpquota option set on /home partition
- Since mountpoints cannot be safely managed automatically, this option will not be set by the product.
- oval:simp.cis.2.0.0.CentOS8.1.2.1_Ensure_GPG_keys_are_configured:def:1
- Ensure GPG keys are configured
- The rule states that GPG keys should be configured based on site policy. The product cannot make assumptions about the user's site policy in regard to GPG key settings.
- oval:simp.cis.2.0.0.CentOS8.1.2.3_Ensure_package_manager_repositories_are_configured:def:1
- Ensure package manager repositories are configured
- This is site-specific and cannot be managed by the product.
- oval:simp.cis.2.0.0.CentOS8.1.6.1.6_Ensure_no_unconfined_services_exist:def:1
- Ensure no unconfined services exist
- We have no viable method of remediation.
- oval:simp.cis.2.0.0.CentOS8.4.2.1.3_Ensure_journald_is_configured_to_send_logs_to_rsyslog:def:1
- Ensure journald is configured to send logs to rsyslog
- The rules request that journald both be configured to send logs to rsyslog and to not send logs to rsyslog. Since the rules directly conflict with each other, the product will enforce the rule that doesn’t rely on the existence and configuration of an rsyslog server with highly system-specific configuration.
- oval:simp.cis.2.0.0.CentOS8.4.2.1.6_Ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host:def:1
- Ensure rsyslog is configured to send logs to a remote log host
- This is specific to the organization and cannot be set by our product.
- oval:simp.cis.2.0.0.CentOS8.4.2.2.1.2_Ensure_systemd-journal-remote_is_configured:def:1
- Ensure systemd-journal-remote is configured
- This is specific to the organization and cannot be set by our product.
- oval:simp.cis.2.0.0.CentOS8.4.2.2.1.3_Ensure_systemd-journal-remote_is_enabled:def:1
- Ensure systemd-journal-remote is enabled
- The product cannot appropriately configure the systemd-journal-remote service because it is highly system-specific. Since the product cannot configure the service, it cannot control whether the service runs or not.
- oval:simp.cis.2.0.0.CentOS8.4.2.2.7_Ensure_journald_default_file_permissions_configured:def:1
- Ensure journald default file permissions configured
- This is site-specific and cannot be managed by the product.
- oval:simp.cis.2.0.0.CentOS8.5.3.4_Ensure_users_must_provide_password_for_escalation:def:1
- Ensure users must provide password for escalation
- Users had to make a conscious decision to set “NOPASSWD” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- oval:simp.cis.2.0.0.CentOS8.5.3.5_Ensure_re-authentication_for_privilege_escalation_is_not_disabled_globally:def:1
- Ensure re-authentication for privilege escalation is not disabled globally
- Users had to make a conscious decision to set “!authenticate” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- oval:simp.cis.2.0.0.CentOS8.6.1.1_Audit_system_file_permissions:def:1
- Audit system file permissions
- The product does not have the capability to run an audit and identify discrepancies in its output. The product also cannot accept any risk on behalf of the user.
- oval:simp.cis.2.0.0.CentOS8.6.1.11_Ensure_no_world_writable_files_exist:def:1
- Ensure no world writable files exist
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.2.0.0.CentOS8.6.1.12_Ensure_no_unowned_files_or_directories_exist:def:1
- Ensure no unowned files or directories exist
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.2.0.0.CentOS8.6.1.13_Ensure_no_ungrouped_files_or_directories_exist:def:1
- Ensure no ungrouped files or directories exist
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.2.0.0.CentOS8.6.1.14_Audit_SUID_executables:def:1
- Audit SUID executables
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.2.0.0.CentOS8.6.1.15_Audit_SGID_executables:def:1
- Audit SGID executables
- We do not currently have a mechanism for scanning the filesystem for enforcement.
OracleLinux 7 (14/246 [5%])
- oval:simp.cis.3.1.1.OracleLinux7.1.1.10_Ensure_separate_partition_exists_for_var:def:1
- Ensure separate partition exists for /var
- There is no way to safely change this on a running system.
- oval:simp.cis.3.1.1.OracleLinux7.1.1.11_Ensure_separate_partition_exists_for_vartmp:def:1
- Ensure separate partition exists for /var/tmp
- There is no way to safely change this on a running system.
- oval:simp.cis.3.1.1.OracleLinux7.1.1.15_Ensure_separate_partition_exists_for_varlog:def:1
- Ensure separate partition exists for /var/log
- There is no way to safely change this on a running system.
- oval:simp.cis.3.1.1.OracleLinux7.1.1.16_Ensure_separate_partition_exists_for_varlogaudit:def:1
- Ensure separate partition exists for /var/log/audit
- There is no way to safely change this on a running system.
- oval:simp.cis.3.1.1.OracleLinux7.1.1.17_Ensure_separate_partition_exists_for_home:def:1
- Ensure separate partition exists for /home
- There is no way to safely change this on a running system.
- oval:simp.cis.3.1.1.OracleLinux7.1.2.2_Ensure_package_manager_repositories_are_configured:def:1
- Ensure package manager repositories are configured
- Package manager configuration is site-specific.
- oval:simp.cis.3.1.1.OracleLinux7.1.5.2_Ensure_XDNX_support_is_enabled:def:1
- Ensure XD/NX support is enabled
- We do not support 32-bit kernels. Any additional remediation is at the hardware/BIOS level.
- oval:simp.cis.3.1.1.OracleLinux7.1.6.1.6_Ensure_no_unconfined_services_exist:def:1
- Ensure no unconfined services exist
- We have no viable method of remediation.
- oval:simp.cis.3.1.1.OracleLinux7.6.1.1_Audit_system_file_permissions:def:1
- Audit system file permissions
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.3.1.1.OracleLinux7.6.1.10_Ensure_no_world_writable_files_exist:def:1
- Ensure no world writable files exist
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.3.1.1.OracleLinux7.6.1.11_Ensure_no_unowned_files_or_directories_exist:def:1
- Ensure no unowned files or directories exist
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.3.1.1.OracleLinux7.6.1.12_Ensure_no_ungrouped_files_or_directories_exist:def:1
- Ensure no ungrouped files or directories exist
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.3.1.1.OracleLinux7.6.1.13_Audit_SUID_executables:def:1
- Audit SUID executables
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.3.1.1.OracleLinux7.6.1.14_Audit_SGID_executables:def:1
- Audit SGID executables
- We do not currently have a mechanism for scanning the filesystem for enforcement.
OracleLinux 8 (24/271 [8%])
- oval:simp.cis.2.0.0.OracleLinux8.1.1.3.1_Ensure_separate_partition_exists_for_var:def:1
- Ensure separate partition exists for /var
- There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.OracleLinux8.1.1.4.1_Ensure_separate_partition_exists_for_vartmp:def:1
- Ensure separate partition exists for /var/tmp
- There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.OracleLinux8.1.1.5.1_Ensure_separate_partition_exists_for_varlog:def:1
- Ensure separate partition exists for /var/log
- There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.OracleLinux8.1.1.6.1_Ensure_separate_partition_exists_for_varlogaudit:def:1
- Ensure separate partition exists for /var/log/audit
- There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.OracleLinux8.1.1.7.1_Ensure_separate_partition_exists_for_home:def:1
- Ensure separate partition exists for /home
- There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.OracleLinux8.1.1.7.4_Ensure_usrquota_option_set_on_home_partition:def:1
- Ensure usrquota option set on /home partition
- Since mountpoints cannot be safely managed automatically, this option will not be set by the product.
- oval:simp.cis.2.0.0.OracleLinux8.1.1.7.5_Ensure_grpquota_option_set_on_home_partition:def:1
- Ensure grpquota option set on /home partition
- Since mountpoints cannot be safely managed automatically, this option will not be set by the product.
- oval:simp.cis.2.0.0.OracleLinux8.1.2.1_Ensure_GPG_keys_are_configured:def:1
- Ensure GPG keys are configured
- The rule states that GPG keys should be configured based on site policy. The product cannot make assumptions about the user's site policy in regard to GPG key settings.
- oval:simp.cis.2.0.0.OracleLinux8.1.2.3_Ensure_package_manager_repositories_are_configured:def:1
- Ensure package manager repositories are configured
- This is site-specific and cannot be managed by the product.
- oval:simp.cis.2.0.0.OracleLinux8.1.6.1.6_Ensure_no_unconfined_services_exist:def:1
- Ensure no unconfined services exist
- We have no viable method of remediation.
- oval:simp.cis.2.0.0.OracleLinux8.4.2.1.3_Ensure_journald_is_configured_to_send_logs_to_rsyslog:def:1
- Ensure journald is configured to send logs to rsyslog
- The rules request that journald both be configured to send logs to rsyslog and to not send logs to rsyslog. Since the rules directly conflict with each other, the product will enforce the rule that doesn’t rely on the existence and configuration of an rsyslog server with highly system-specific configuration.
- oval:simp.cis.2.0.0.OracleLinux8.4.2.1.6_Ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host:def:1
- Ensure rsyslog is configured to send logs to a remote log host
- This is specific to the organization and cannot be set by our product.
- oval:simp.cis.2.0.0.OracleLinux8.4.2.2.1.2_Ensure_systemd-journal-remote_is_configured:def:1
- Ensure systemd-journal-remote is configured
- This is specific to the organization and cannot be set by our product.
- oval:simp.cis.2.0.0.OracleLinux8.4.2.2.1.3_Ensure_systemd-journal-remote_is_enabled:def:1
- Ensure systemd-journal-remote is enabled
- The product cannot appropriately configure the systemd-journal-remote service because it is highly system-specific. Since the product cannot configure the service, it cannot control whether the service runs or not.
- oval:simp.cis.2.0.0.OracleLinux8.4.2.2.7_Ensure_journald_default_file_permissions_configured:def:1
- Ensure journald default file permissions configured
- This is site-specific and cannot be managed by the product.
- oval:simp.cis.2.0.0.OracleLinux8.5.2.4_Ensure_SSH_access_is_limited:def:1
- Ensure SSH access is limited
- The product cannot reliably determine the users or groups that need to access a given system; this configuration is system-specific and could lock legitimate users out if assumptions are made.
- oval:simp.cis.2.0.0.OracleLinux8.5.3.4_Ensure_users_must_provide_password_for_escalation:def:1
- Ensure users must provide password for escalation
- Users had to make a conscious decision to set “NOPASSWD” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- oval:simp.cis.2.0.0.OracleLinux8.5.3.5_Ensure_re-authentication_for_privilege_escalation_is_not_disabled_globally:def:1
- Ensure re-authentication for privilege escalation is not disabled globally
- Users had to make a conscious decision to set “!authenticate” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- oval:simp.cis.2.0.0.OracleLinux8.6.1.1_Audit_system_file_permissions:def:1
- Audit system file permissions
- The product does not have the capability to run an audit and identify discrepancies in its output. The product also cannot accept any risk on behalf of the user.
- oval:simp.cis.2.0.0.OracleLinux8.6.1.11_Ensure_no_world_writable_files_exist:def:1
- Ensure no world writable files exist
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.2.0.0.OracleLinux8.6.1.12_Ensure_no_unowned_files_or_directories_exist:def:1
- Ensure no unowned files or directories exist
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.2.0.0.OracleLinux8.6.1.13_Ensure_no_ungrouped_files_or_directories_exist:def:1
- Ensure no ungrouped files or directories exist
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.2.0.0.OracleLinux8.6.1.14_Audit_SUID_executables:def:1
- Audit SUID executables
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.2.0.0.OracleLinux8.6.1.15_Audit_SGID_executables:def:1
- Audit SGID executables
- We do not currently have a mechanism for scanning the filesystem for enforcement.
RedHat 7 (15/248 [6%])
- oval:simp.cis.3.1.1.RedHat7.1.1.10_Ensure_separate_partition_exists_for_var:def:1
- Ensure separate partition exists for /var
- There is no way to safely change this on a running system.
- oval:simp.cis.3.1.1.RedHat7.1.1.11_Ensure_separate_partition_exists_for_vartmp:def:1
- Ensure separate partition exists for /var/tmp
- There is no way to safely change this on a running system.
- oval:simp.cis.3.1.1.RedHat7.1.1.15_Ensure_separate_partition_exists_for_varlog:def:1
- Ensure separate partition exists for /var/log
- There is no way to safely change this on a running system.
- oval:simp.cis.3.1.1.RedHat7.1.1.16_Ensure_separate_partition_exists_for_varlogaudit:def:1
- Ensure separate partition exists for /var/log/audit
- There is no way to safely change this on a running system.
- oval:simp.cis.3.1.1.RedHat7.1.1.17_Ensure_separate_partition_exists_for_home:def:1
- Ensure separate partition exists for /home
- There is no way to safely change this on a running system.
- oval:simp.cis.3.1.1.RedHat7.1.2.2_Ensure_package_manager_repositories_are_configured:def:1
- Ensure package manager repositories are configured
- Package manager configuration is site-specific.
- oval:simp.cis.3.1.1.RedHat7.1.2.4_Ensure_Red_Hat_Subscription_Manager_connection_is_configured:def:1
- Ensure Red Hat Subscription Manager connection is configured
- Package manager configuration is site-specific.
- oval:simp.cis.3.1.1.RedHat7.1.5.2_Ensure_XDNX_support_is_enabled:def:1
- Ensure XD/NX support is enabled
- We do not support 32-bit kernels. Any additional remediation is at the hardware/BIOS level.
- oval:simp.cis.3.1.1.RedHat7.1.6.1.6_Ensure_no_unconfined_services_exist:def:1
- Ensure no unconfined services exist
- We have no viable method of remediation.
- oval:simp.cis.3.1.1.RedHat7.6.1.1_Audit_system_file_permissions:def:1
- Audit system file permissions
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.3.1.1.RedHat7.6.1.10_Ensure_no_world_writable_files_exist:def:1
- Ensure no world writable files exist
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.3.1.1.RedHat7.6.1.11_Ensure_no_unowned_files_or_directories_exist:def:1
- Ensure no unowned files or directories exist
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.3.1.1.RedHat7.6.1.12_Ensure_no_ungrouped_files_or_directories_exist:def:1
- Ensure no ungrouped files or directories exist
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.3.1.1.RedHat7.6.1.13_Audit_SUID_executables:def:1
- Audit SUID executables
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.3.1.1.RedHat7.6.1.14_Audit_SGID_executables:def:1
- Audit SGID executables
- We do not currently have a mechanism for scanning the filesystem for enforcement.
RedHat 8 (25/272 [9%])
- oval:simp.cis.2.0.0.RedHat8.1.1.3.1_Ensure_separate_partition_exists_for_var:def:1
- Ensure separate partition exists for /var
- There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.RedHat8.1.1.4.1_Ensure_separate_partition_exists_for_vartmp:def:1
- Ensure separate partition exists for /var/tmp
- There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.RedHat8.1.1.5.1_Ensure_separate_partition_exists_for_varlog:def:1
- Ensure separate partition exists for /var/log
- There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.RedHat8.1.1.6.1_Ensure_separate_partition_exists_for_varlogaudit:def:1
- Ensure separate partition exists for /var/log/audit
- There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.RedHat8.1.1.7.1_Ensure_separate_partition_exists_for_home:def:1
- Ensure separate partition exists for /home
- There is no way to safely change this on a running system.
- oval:simp.cis.2.0.0.RedHat8.1.1.7.4_Ensure_usrquota_option_set_on_home_partition:def:1
- Ensure usrquota option set on /home partition
- Since mountpoints cannot be safely managed automatically, this option will not be set by the product.
- oval:simp.cis.2.0.0.RedHat8.1.1.7.5_Ensure_grpquota_option_set_on_home_partition:def:1
- Ensure grpquota option set on /home partition
- Since mountpoints cannot be safely managed automatically, this option will not be set by the product.
- oval:simp.cis.2.0.0.RedHat8.1.2.1_Ensure_Red_Hat_Subscription_Manager_connection_is_configured:def:1
- Ensure Red Hat Subscription Manager connection is configured
- Package manager configuration is site-specific.
- oval:simp.cis.2.0.0.RedHat8.1.2.2_Ensure_GPG_keys_are_configured:def:1
- Ensure GPG keys are configured
- The rule states that GPG keys should be configured based on site policy. The product cannot make assumptions about the user's site policy in regard to GPG key settings.
- oval:simp.cis.2.0.0.RedHat8.1.2.4_Ensure_package_manager_repositories_are_configured:def:1
- Ensure package manager repositories are configured
- This is site-specific and cannot be managed by the product.
- oval:simp.cis.2.0.0.RedHat8.1.6.1.6_Ensure_no_unconfined_services_exist:def:1
- Ensure no unconfined services exist
- We have no viable method of remediation.
- oval:simp.cis.2.0.0.RedHat8.4.2.1.3_Ensure_journald_is_configured_to_send_logs_to_rsyslog:def:1
- Ensure journald is configured to send logs to rsyslog
- The rules request that journald both be configured to send logs to rsyslog and to not send logs to rsyslog. Since the rules directly conflict with each other, the product will enforce the rule that doesn’t rely on the existence and configuration of an rsyslog server with highly system-specific configuration.
- oval:simp.cis.2.0.0.RedHat8.4.2.1.6_Ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host:def:1
- Ensure rsyslog is configured to send logs to a remote log host
- This is specific to the organization and cannot be set by our product.
- oval:simp.cis.2.0.0.RedHat8.4.2.2.1.2_Ensure_systemd-journal-remote_is_configured:def:1
- Ensure systemd-journal-remote is configured
- This is specific to the organization and cannot be set by our product.
- oval:simp.cis.2.0.0.RedHat8.4.2.2.1.3_Ensure_systemd-journal-remote_is_enabled:def:1
- Ensure systemd-journal-remote is enabled
- The product cannot appropriately configure the systemd-journal-remote service because it is highly system-specific. Since the product cannot configure the service, it cannot control whether the service runs or not.
- oval:simp.cis.2.0.0.RedHat8.4.2.2.7_Ensure_journald_default_file_permissions_configured:def:1
- Ensure journald default file permissions configured
- This is site-specific and cannot be managed by the product.
- oval:simp.cis.2.0.0.RedHat8.5.2.4_Ensure_SSH_access_is_limited:def:1
- Ensure SSH access is limited
- The product cannot reliably determine the users or groups that need to access a given system; this configuration is system-specific and could lock legitimate users out if assumptions are made.
- oval:simp.cis.2.0.0.RedHat8.5.3.4_Ensure_users_must_provide_password_for_escalation:def:1
- Ensure users must provide password for escalation
- Users had to make a conscious decision to set “NOPASSWD” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- oval:simp.cis.2.0.0.RedHat8.5.3.5_Ensure_re-authentication_for_privilege_escalation_is_not_disabled_globally:def:1
- Ensure re-authentication for privilege escalation is not disabled globally
- Users had to make a conscious decision to set “!authenticate” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- oval:simp.cis.2.0.0.RedHat8.6.1.1_Audit_system_file_permissions:def:1
- Audit system file permissions
- The product does not have the capability to run an audit and identify discrepancies in its output. The product also cannot accept any risk on behalf of the user.
- oval:simp.cis.2.0.0.RedHat8.6.1.11_Ensure_no_world_writable_files_exist:def:1
- Ensure no world writable files exist
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.2.0.0.RedHat8.6.1.12_Ensure_no_unowned_files_or_directories_exist:def:1
- Ensure no unowned files or directories exist
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.2.0.0.RedHat8.6.1.13_Ensure_no_ungrouped_files_or_directories_exist:def:1
- Ensure no ungrouped files or directories exist
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.2.0.0.RedHat8.6.1.14_Audit_SUID_executables:def:1
- Audit SUID executables
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- oval:simp.cis.2.0.0.RedHat8.6.1.15_Audit_SGID_executables:def:1
- Audit SGID executables
- We do not currently have a mechanism for scanning the filesystem for enforcement.
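The 8-series sections above (CentOS 8, Oracle Linux 8, Red Hat 8) leave controls 5.3.4 and 5.3.5 as paper policy because automatically removing `NOPASSWD` or `!authenticate` from sudoers could break a running system. What a site can still do is report those settings and let an administrator decide. The script below is an added example written for this page, not SIMP or Sicura code: it parses sudoers-format text, joins backslash continuations, and lists every `NOPASSWD:` tag and every `Defaults ... !authenticate` option with its line number and scope. The `SAMPLE_SUDOERS` text is constructed for the demonstration and is not taken from any real system.

```python
"""Report (never rewrite) sudoers entries that bypass the password prompt:
NOPASSWD command tags (CIS 5.3.4) and Defaults !authenticate (CIS 5.3.5).
Example code added for illustration; not part of SIMP or Sicura."""
import re
import sys
from dataclasses import dataclass

# "NOPASSWD:" tag anywhere in a user specification; sudo accepts any case.
NOPASSWD_RE = re.compile(r"\bNOPASSWD\s*:", re.IGNORECASE)
# Defaults, Defaults:user, Defaults@host, Defaults>runas, Defaults!cmnd
DEFAULTS_RE = re.compile(r"^Defaults([:@>!]\S+)?\s+(.*)$")


@dataclass
class Finding:
    lineno: int   # first physical line of the (possibly continued) entry
    kind: str     # "NOPASSWD" or "!authenticate"
    scope: str    # "global", a Defaults qualifier such as ":deploy", or the user spec
    text: str     # the logical line as joined


def logical_lines(text):
    """Yield (first_lineno, line) with backslash continuations joined."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf).strip()
        buf, start = [], None
    if buf:
        yield start, " ".join(buf).strip()


def audit_sudoers(text):
    """Return Findings for one sudoers-format file, in line order.

    Note: #include/#includedir/@include directives are skipped here; audit
    the included files (e.g. /etc/sudoers.d/*) by calling this on each one."""
    findings = []
    for n, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        m = DEFAULTS_RE.match(line)
        if m:
            qualifier, opts = m.group(1), m.group(2)
            for opt in (o.strip() for o in opts.split(",")):
                if opt.lower() == "!authenticate":
                    findings.append(Finding(n, "!authenticate",
                                            "global" if qualifier is None else qualifier, line))
            continue
        if NOPASSWD_RE.search(line):
            findings.append(Finding(n, "NOPASSWD", line.split()[0], line))
    return findings


# Constructed sample input (not from any real host) used for the demonstration.
SAMPLE_SUDOERS = """\
# constructed sample, not a real sudoers file
Defaults    !visiblepw
Defaults    env_reset, !authenticate
Defaults:deploy !authenticate
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
deploy  ALL=(root)      NOPASSWD: /usr/bin/systemctl restart app.service
backup  ALL=(root)      NOPASSWD: /usr/bin/rsync, \\
                        PASSWD: /usr/bin/tar
"""


def audit_sample():
    """(lineno, kind, scope) tuples for SAMPLE_SUDOERS."""
    return [(f.lineno, f.kind, f.scope) for f in audit_sudoers(SAMPLE_SUDOERS)]


if __name__ == "__main__":
    # Usage: python sudoers_audit.py /etc/sudoers /etc/sudoers.d/*  (needs root to read)
    sources = sys.argv[1:]
    for path in sources:
        with open(path) as fh:
            for f in audit_sudoers(fh.read()):
                print(f"{path}:{f.lineno}: {f.kind} ({f.scope}): {f.text}")
    if not sources:
        for row in audit_sample():
            print(row)
```

The scope column is what makes the report actionable: a global `!authenticate` affects every sudo user, while `Defaults:deploy` or a single `NOPASSWD` line is a deliberate per-account exception that an administrator can confirm or revoke on its own.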
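Every OS section above lists the 6.1.x controls (world-writable files, unowned and ungrouped files, SUID and SGID executables) as paper policy because the product has no filesystem-scanning mechanism. The audit that a site would run itself is straightforward and reporting-only. The following is an added example written for this page, not SIMP or Sicura code: it walks one filesystem, applies the same conditions the benchmark's `find` commands use, and returns the findings grouped by control. The default set of known users and groups comes from the local passwd and group databases; the `known_uids`/`known_gids` parameters are this example's own, added so the check can be exercised against constructed data.

```python
"""Reporting-only audit for CIS 6.1.x filesystem checks: world-writable
files, files with no local owner or group, and SUID/SGID executables.
Example code added for illustration; not part of SIMP or Sicura."""
import grp
import os
import pwd
import stat
import sys
from dataclasses import dataclass, field


@dataclass
class AuditFindings:
    world_writable: list = field(default_factory=list)  # 6.1.1x "no world writable files"
    unowned: list = field(default_factory=list)         # "no unowned files or directories"
    ungrouped: list = field(default_factory=list)       # "no ungrouped files or directories"
    suid: list = field(default_factory=list)            # "Audit SUID executables"
    sgid: list = field(default_factory=list)            # "Audit SGID executables"


def local_uids():
    return {p.pw_uid for p in pwd.getpwall()}


def local_gids():
    return {g.gr_gid for g in grp.getgrall()}


def classify(path, st, known_uids, known_gids, findings):
    """Apply each 6.1.x condition to one lstat() result."""
    mode = st.st_mode
    # World-writable, except sticky-bit directories (those belong to the
    # separate "sticky bit on world-writable directories" control).
    if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
        findings.world_writable.append(path)
    if st.st_uid not in known_uids:
        findings.unowned.append(path)
    if st.st_gid not in known_gids:
        findings.ungrouped.append(path)
    # The benchmark audits SUID/SGID on regular files only.
    if stat.S_ISREG(mode):
        if mode & stat.S_ISUID:
            findings.suid.append(path)
        if mode & stat.S_ISGID:
            findings.sgid.append(path)


def audit_tree(root, known_uids=None, known_gids=None, one_filesystem=True):
    """Walk `root` without following symlinks and collect findings.

    one_filesystem=True mirrors `find -xdev`: mount points under root
    (/proc, /sys, network mounts) are pruned rather than descended."""
    known_uids = local_uids() if known_uids is None else known_uids
    known_gids = local_gids() if known_gids is None else known_gids
    findings = AuditFindings()
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        if one_filesystem:
            dirnames[:] = [d for d in dirnames
                           if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the audit
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are meaningless; the target is audited in place
            classify(path, st, known_uids, known_gids, findings)
    return findings


def summarize(findings):
    """One line per control; useful as the body of a report."""
    return [
        f"world-writable files/dirs: {len(findings.world_writable)}",
        f"unowned: {len(findings.unowned)}",
        f"ungrouped: {len(findings.ungrouped)}",
        f"SUID executables: {len(findings.suid)}",
        f"SGID executables: {len(findings.sgid)}",
    ]


if __name__ == "__main__":
    # Usage: python fs_audit.py [root]   (defaults to /; run as root for full coverage)
    result = audit_tree(sys.argv[1] if len(sys.argv) > 1 else "/")
    print("\n".join(summarize(result)))
    for p in result.suid + result.sgid:
        print("setuid/setgid:", p)
```

The SUID/SGID lists are meant to be compared against a known-good baseline for the OS rather than treated as findings by themselves; the benchmark asks that each entry be justified, which is exactly the site-specific judgement this page says the product cannot make.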
Mapped
The following controls are mapped:
CentOS 7 (232/246 [94%])
- oval:simp.cis.3.1.2.CentOS7.1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabled:def:1
- oval:simp.cis.3.1.2.CentOS7.1.1.1.2_Ensure_mounting_of_squashfs_filesystems_is_disabled:def:1
- oval:simp.cis.3.1.2.CentOS7.1.1.1.3_Ensure_mounting_of_udf_filesystems_is_disabled:def:1
- oval:simp.cis.3.1.2.CentOS7.1.1.2_Ensure_tmp_is_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.1.1.3_Ensure_noexec_option_set_on_tmp_partition:def:1
- oval:simp.cis.3.1.2.CentOS7.1.1.4_Ensure_nodev_option_set_on_tmp_partition:def:1
- oval:simp.cis.3.1.2.CentOS7.1.1.5_Ensure_nosuid_option_set_on_tmp_partition:def:1
- oval:simp.cis.3.1.2.CentOS7.1.1.6_Ensure_devshm_is_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.1.1.7_Ensure_noexec_option_set_on_devshm_partition:def:1
- oval:simp.cis.3.1.2.CentOS7.1.1.8_Ensure_nodev_option_set_on_devshm_partition:def:1
- oval:simp.cis.3.1.2.CentOS7.1.1.9_Ensure_nosuid_option_set_on_devshm_partition:def:1
- oval:simp.cis.3.1.2.CentOS7.1.1.12_Ensure_vartmp_partition_includes_the_noexec_option:def:1
- oval:simp.cis.3.1.2.CentOS7.1.1.13_Ensure_vartmp_partition_includes_the_nodev_option:def:1
- oval:simp.cis.3.1.2.CentOS7.1.1.14_Ensure_vartmp_partition_includes_the_nosuid_option:def:1
- oval:simp.cis.3.1.2.CentOS7.1.1.18_Ensure_home_partition_includes_the_nodev_option:def:1
- oval:simp.cis.3.1.2.CentOS7.1.1.19_Ensure_removable_media_partitions_include_noexec_option:def:1
- oval:simp.cis.3.1.2.CentOS7.1.1.20_Ensure_nodev_option_set_on_removable_media_partitions:def:1
- oval:simp.cis.3.1.2.CentOS7.1.1.21_Ensure_nosuid_option_set_on_removable_media_partitions:def:1
- oval:simp.cis.3.1.2.CentOS7.1.1.22_Ensure_sticky_bit_is_set_on_all_world-writable_directories:def:1
- oval:simp.cis.3.1.2.CentOS7.1.1.23_Disable_Automounting:def:1
- oval:simp.cis.3.1.2.CentOS7.1.1.24_Disable_USB_Storage:def:1
- oval:simp.cis.3.1.2.CentOS7.1.2.1_Ensure_GPG_keys_are_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.1.2.3_Ensure_gpgcheck_is_globally_activated:def:1
- Some organizations will need gpgcheck to be turned off for some of their internal repos. The best the product can do in this scenario is to enable gpgcheck globally in /etc/yum.conf and rely on the customers to control the gpg settings of their individual repos.
- oval:simp.cis.3.1.2.CentOS7.1.3.1_Ensure_AIDE_is_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.1.3.2_Ensure_filesystem_integrity_is_regularly_checked:def:1
- oval:simp.cis.3.1.2.CentOS7.1.4.1_Ensure_bootloader_password_is_set:def:1
- oval:simp.cis.3.1.2.CentOS7.1.4.2_Ensure_permissions_on_bootloader_config_are_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.1.4.3_Ensure_authentication_required_for_single_user_mode:def:1
- oval:simp.cis.3.1.2.CentOS7.1.5.1_Ensure_core_dumps_are_restricted:def:1
- oval:simp.cis.3.1.2.CentOS7.1.5.3_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1
- oval:simp.cis.3.1.2.CentOS7.1.5.4_Ensure_prelink_is_not_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.1.6.1.1_Ensure_SELinux_is_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.1.6.1.2_Ensure_SELinux_is_not_disabled_in_bootloader_configuration:def:1
- oval:simp.cis.3.1.2.CentOS7.1.6.1.3_Ensure_SELinux_policy_is_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.1.6.1.4_Ensure_the_SELinux_mode_is_enforcing_or_permissive:def:1
- oval:simp.cis.3.1.2.CentOS7.1.6.1.5_Ensure_the_SELinux_mode_is_enforcing:def:1
- oval:simp.cis.3.1.2.CentOS7.1.6.1.7_Ensure_SETroubleshoot_is_not_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.1.6.1.8_Ensure_the_MCS_Translation_Service_mcstrans_is_not_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.1.7.1_Ensure_message_of_the_day_is_configured_properly:def:1
- oval:simp.cis.3.1.2.CentOS7.1.7.2_Ensure_local_login_warning_banner_is_configured_properly:def:1
- oval:simp.cis.3.1.2.CentOS7.1.7.3_Ensure_remote_login_warning_banner_is_configured_properly:def:1
- oval:simp.cis.3.1.2.CentOS7.1.7.4_Ensure_permissions_on_etcmotd_are_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.1.7.5_Ensure_permissions_on_etcissue_are_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.1.7.6_Ensure_permissions_on_etcissue.net_are_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.1.8.1_Ensure_GNOME_Display_Manager_is_removed:def:1
- oval:simp.cis.3.1.2.CentOS7.1.8.2_Ensure_GDM_login_banner_is_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.1.8.3_Ensure_last_logged_in_user_display_is_disabled:def:1
- oval:simp.cis.3.1.2.CentOS7.1.8.4_Ensure_XDCMP_is_not_enabled:def:1
- oval:simp.cis.3.1.2.CentOS7.1.9_Ensure_updates_patches_and_additional_security_software_are_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.2.1.1_Ensure_xinetd_is_not_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.2.2.1.1_Ensure_time_synchronization_is_in_use:def:1
- oval:simp.cis.3.1.2.CentOS7.2.2.1.2_Ensure_chrony_is_configured:def:1
- We are configuring the system to use ntpd instead of chrony.
- oval:simp.cis.3.1.2.CentOS7.2.2.1.3_Ensure_ntp_is_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.2.2.2_Ensure_X11_Server_components_are_not_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.2.2.3_Ensure_Avahi_Server_is_not_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.2.2.4_Ensure_CUPS_is_not_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.2.2.5_Ensure_DHCP_Server_is_not_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.2.2.6_Ensure_LDAP_server_is_not_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.2.2.7_Ensure_DNS_Server_is_not_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.2.2.8_Ensure_FTP_Server_is_not_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.2.2.9_Ensure_HTTP_server_is_not_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.2.2.10_Ensure_IMAP_and_POP3_server_is_not_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.2.2.11_Ensure_Samba_is_not_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.2.2.12_Ensure_HTTP_Proxy_Server_is_not_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.2.2.13_Ensure_net-snmp_is_not_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.2.2.14_Ensure_NIS_server_is_not_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.2.2.15_Ensure_telnet-server_is_not_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.2.2.16_Ensure_mail_transfer_agent_is_configured_for_local-only_mode:def:1
- oval:simp.cis.3.1.2.CentOS7.2.2.17_Ensure_nfs-utils_is_not_installed_or_the__nfs-server_service_is_masked:def:1
- oval:simp.cis.3.1.2.CentOS7.2.2.18_Ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked:def:1
- oval:simp.cis.3.1.2.CentOS7.2.2.19_Ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked:def:1
- oval:simp.cis.3.1.2.CentOS7.2.3.1_Ensure_NIS_Client_is_not_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.2.3.2_Ensure_rsh_client_is_not_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.2.3.3_Ensure_talk_client_is_not_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.2.3.4_Ensure_telnet_client_is_not_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.2.3.5_Ensure_LDAP_client_is_not_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.2.4_Ensure_nonessential_services_are_removed_or_masked:def:1
- oval:simp.cis.3.1.2.CentOS7.3.1.1_Disable_IPv6:def:1
- Disabled via sysctl instead of kernel command line
- oval:simp.cis.3.1.2.CentOS7.3.1.2_Ensure_wireless_interfaces_are_disabled:def:1
- oval:simp.cis.3.1.2.CentOS7.3.2.1_Ensure_IP_forwarding_is_disabled:def:1
- oval:simp.cis.3.1.2.CentOS7.3.2.2_Ensure_packet_redirect_sending_is_disabled:def:1
- oval:simp.cis.3.1.2.CentOS7.3.3.1_Ensure_source_routed_packets_are_not_accepted:def:1
- oval:simp.cis.3.1.2.CentOS7.3.3.2_Ensure_ICMP_redirects_are_not_accepted:def:1
- oval:simp.cis.3.1.2.CentOS7.3.3.3_Ensure_secure_ICMP_redirects_are_not_accepted:def:1
- oval:simp.cis.3.1.2.CentOS7.3.3.4_Ensure_suspicious_packets_are_logged:def:1
- oval:simp.cis.3.1.2.CentOS7.3.3.5_Ensure_broadcast_ICMP_requests_are_ignored:def:1
- oval:simp.cis.3.1.2.CentOS7.3.3.6_Ensure_bogus_ICMP_responses_are_ignored:def:1
- oval:simp.cis.3.1.2.CentOS7.3.3.7_Ensure_Reverse_Path_Filtering_is_enabled:def:1
- oval:simp.cis.3.1.2.CentOS7.3.3.8_Ensure_TCP_SYN_Cookies_is_enabled:def:1
- oval:simp.cis.3.1.2.CentOS7.3.3.9_Ensure_IPv6_router_advertisements_are_not_accepted:def:1
- oval:simp.cis.3.1.2.CentOS7.3.4.1_Ensure_DCCP_is_disabled:def:1
- oval:simp.cis.3.1.2.CentOS7.3.4.2_Ensure_SCTP_is_disabled:def:1
- oval:simp.cis.3.1.2.CentOS7.3.5.1.1_Ensure_firewalld_is_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.3.5.1.2_Ensure_iptables-services_not_installed_with_firewalld:def:1
- Only applies when nftables is used for firewall provider
- oval:simp.cis.3.1.2.CentOS7.3.5.1.3_Ensure_nftables_either_not_installed_or_masked_with_firewalld:def:1
- oval:simp.cis.3.1.2.CentOS7.3.5.1.4_Ensure_firewalld_service_enabled_and_running:def:1
- oval:simp.cis.3.1.2.CentOS7.3.5.1.5_Ensure_firewalld_default_zone_is_set:def:1
- oval:simp.cis.3.1.2.CentOS7.3.5.1.6_Ensure_network_interfaces_are_assigned_to_appropriate_zone:def:1
- oval:simp.cis.3.1.2.CentOS7.3.5.1.7_Ensure_firewalld_drops_unnecessary_services_and_ports:def:1
- oval:simp.cis.3.1.2.CentOS7.3.5.2.1_Ensure_nftables_is_installed:def:1
- Only applies when nftables is used for firewall provider
- oval:simp.cis.3.1.2.CentOS7.3.5.2.2_Ensure_firewalld_is_either_not_installed_or_masked_with_nftables:def:1
- Only applies when nftables is used for firewall provider
- oval:simp.cis.3.1.2.CentOS7.3.5.2.3_Ensure_iptables-services_not_installed_with_nftables:def:1
- Only applies when nftables is used for firewall provider
- oval:simp.cis.3.1.2.CentOS7.3.5.2.4_Ensure_iptables_are_flushed_with_nftables:def:1
- Only applies when nftables is used for firewall provider
- oval:simp.cis.3.1.2.CentOS7.3.5.2.5_Ensure_an_nftables_table_exists:def:1
- Only applies when nftables is used for firewall provider
- oval:simp.cis.3.1.2.CentOS7.3.5.2.6_Ensure_nftables_base_chains_exist:def:1
- Only applies when nftables is used for firewall provider
- oval:simp.cis.3.1.2.CentOS7.3.5.2.7_Ensure_nftables_loopback_traffic_is_configured:def:1
- Only applies when nftables is used for firewall provider
- oval:simp.cis.3.1.2.CentOS7.3.5.2.8_Ensure_nftables_outbound_and_established_connections_are_configured:def:1
- Only applies when iptables is used for firewall provider
- oval:simp.cis.3.1.2.CentOS7.3.5.2.9_Ensure_nftables_default_deny_firewall_policy:def:1
- Only applies when nftables is used for firewall provider
- oval:simp.cis.3.1.2.CentOS7.3.5.2.10_Ensure_nftables_service_is_enabled:def:1
- oval:simp.cis.3.1.2.CentOS7.3.5.2.11_Ensure_nftables_rules_are_permanent:def:1
- Only applies when nftables is used for firewall provider
- oval:simp.cis.3.1.2.CentOS7.3.5.3.1.1_Ensure_iptables_packages_are_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.3.5.3.1.2_Ensure_nftables_is_not_installed_with_iptables:def:1
- Only applies when iptables is used for firewall provider
- oval:simp.cis.3.1.2.CentOS7.3.5.3.1.3_Ensure_firewalld_is_either_not_installed_or_masked_with_iptables:def:1
- Only applies when nftables is used for firewall provider
- oval:simp.cis.3.1.2.CentOS7.3.5.3.2.1_Ensure_iptables_loopback_traffic_is_configured:def:1
- Only applies when iptables is used for firewall provider
- oval:simp.cis.3.1.2.CentOS7.3.5.3.2.2_Ensure_iptables_outbound_and_established_connections_are_configured:def:1
- Only applies when iptables is used for firewall provider
- oval:simp.cis.3.1.2.CentOS7.3.5.3.2.3_Ensure_iptables_rules_exist_for_all_open_ports:def:1
- Only applies when iptables is used for firewall provider
- oval:simp.cis.3.1.2.CentOS7.3.5.3.2.4_Ensure_iptables_default_deny_firewall_policy:def:1
- Only applies when iptables is used for firewall provider
- oval:simp.cis.3.1.2.CentOS7.3.5.3.2.5_Ensure_iptables_rules_are_saved:def:1
- oval:simp.cis.3.1.2.CentOS7.3.5.3.2.6_Ensure_iptables_is_enabled_and_running:def:1
- oval:simp.cis.3.1.2.CentOS7.3.5.3.3.1_Ensure_ip6tables_loopback_traffic_is_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.3.5.3.3.2_Ensure_ip6tables_outbound_and_established_connections_are_configured:def:1
- Only applies when iptables is used for firewall provider
- oval:simp.cis.3.1.2.CentOS7.3.5.3.3.3_Ensure_ip6tables_firewall_rules_exist_for_all_open_ports:def:1
- Only applies when iptables is used for firewall provider
- oval:simp.cis.3.1.2.CentOS7.3.5.3.3.4_Ensure_ip6tables_default_deny_firewall_policy:def:1
- Only applies when iptables is used for firewall provider
- oval:simp.cis.3.1.2.CentOS7.3.5.3.3.5_Ensure_ip6tables_rules_are_saved:def:1
- oval:simp.cis.3.1.2.CentOS7.3.5.3.3.6_Ensure_ip6tables_is_enabled_and_running:def:1
- oval:simp.cis.3.1.2.CentOS7.4.1.1.1_Ensure_auditd_is_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.4.1.1.2_Ensure_auditd_service_is_enabled_and_running:def:1
- oval:simp.cis.3.1.2.CentOS7.4.1.1.3_Ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled:def:1
- oval:simp.cis.3.1.2.CentOS7.4.1.2.1_Ensure_audit_log_storage_size_is_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.4.1.2.2_Ensure_audit_logs_are_not_automatically_deleted:def:1
- oval:simp.cis.3.1.2.CentOS7.4.1.2.3_Ensure_system_is_disabled_when_audit_logs_are_full:def:1
- oval:simp.cis.3.1.2.CentOS7.4.1.2.4_Ensure_audit_backlog_limit_is_sufficient:def:1
- oval:simp.cis.3.1.2.CentOS7.4.1.3_Ensure_events_that_modify_date_and_time_information_are_collected:def:1
- oval:simp.cis.3.1.2.CentOS7.4.1.4_Ensure_events_that_modify_usergroup_information_are_collected:def:1
- oval:simp.cis.3.1.2.CentOS7.4.1.5_Ensure_events_that_modify_the_systems_network_environment_are_collected:def:1
- oval:simp.cis.3.1.2.CentOS7.4.1.6_Ensure_events_that_modify_the_systems_Mandatory_Access_Controls_are_collected:def:1
- oval:simp.cis.3.1.2.CentOS7.4.1.7_Ensure_login_and_logout_events_are_collected:def:1
- oval:simp.cis.3.1.2.CentOS7.4.1.8_Ensure_session_initiation_information_is_collected:def:1
- oval:simp.cis.3.1.2.CentOS7.4.1.9_Ensure_discretionary_access_control_permission_modification_events_are_collected:def:1
- oval:simp.cis.3.1.2.CentOS7.4.1.10_Ensure_unsuccessful_unauthorized_file_access_attempts_are_collected:def:1
- oval:simp.cis.3.1.2.CentOS7.4.1.11_Ensure_use_of_privileged_commands_is_collected:def:1
- The available setuid/setgid commands on a given system could vary greatly. Several of the more common commands are audited, but there is currently no automated way to identify and audit all possible setuid/setgid commands available on any given system.
- oval:simp.cis.3.1.2.CentOS7.4.1.12_Ensure_successful_file_system_mounts_are_collected:def:1
- oval:simp.cis.3.1.2.CentOS7.4.1.13_Ensure_file_deletion_events_by_users_are_collected:def:1
- oval:simp.cis.3.1.2.CentOS7.4.1.14_Ensure_changes_to_system_administration_scope_sudoers_is_collected:def:1
- oval:simp.cis.3.1.2.CentOS7.4.1.15_Ensure_system_administrator_command_executions_sudo_are_collected:def:1
- oval:simp.cis.3.1.2.CentOS7.4.1.16_Ensure_kernel_module_loading_and_unloading_is_collected:def:1
- oval:simp.cis.3.1.2.CentOS7.4.1.17_Ensure_the_audit_configuration_is_immutable:def:1
- oval:simp.cis.3.1.2.CentOS7.4.2.1.1_Ensure_rsyslog_is_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.4.2.1.2_Ensure_rsyslog_Service_is_enabled_and_running:def:1
- oval:simp.cis.3.1.2.CentOS7.4.2.1.3_Ensure_rsyslog_default_file_permissions_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.4.2.1.4_Ensure_logging_is_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.4.2.1.5_Ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host:def:1
- oval:simp.cis.3.1.2.CentOS7.4.2.1.6_Ensure_remote_rsyslog_messages_are_only_accepted_on_designated_log_hosts.:def:1
- oval:simp.cis.3.1.2.CentOS7.4.2.2.1_Ensure_journald_is_configured_to_send_logs_to_rsyslog:def:1
- oval:simp.cis.3.1.2.CentOS7.4.2.2.2_Ensure_journald_is_configured_to_compress_large_log_files:def:1
- oval:simp.cis.3.1.2.CentOS7.4.2.2.3_Ensure_journald_is_configured_to_write_logfiles_to_persistent_disk:def:1
- oval:simp.cis.3.1.2.CentOS7.4.2.3_Ensure_permissions_on_all_logfiles_are_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.4.2.4_Ensure_logrotate_is_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.5.1.1_Ensure_cron_daemon_is_enabled_and_running:def:1
- oval:simp.cis.3.1.2.CentOS7.5.1.2_Ensure_permissions_on_etccrontab_are_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.5.1.3_Ensure_permissions_on_etccron.hourly_are_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.5.1.4_Ensure_permissions_on_etccron.daily_are_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.5.1.5_Ensure_permissions_on_etccron.weekly_are_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.5.1.6_Ensure_permissions_on_etccron.monthly_are_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.5.1.7_Ensure_permissions_on_etccron.d_are_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.5.1.8_Ensure_cron_is_restricted_to_authorized_users:def:1
- oval:simp.cis.3.1.2.CentOS7.5.1.9_Ensure_at_is_restricted_to_authorized_users:def:1
- oval:simp.cis.3.1.2.CentOS7.5.2.1_Ensure_sudo_is_installed:def:1
- oval:simp.cis.3.1.2.CentOS7.5.2.2_Ensure_sudo_commands_use_pty:def:1
- oval:simp.cis.3.1.2.CentOS7.5.2.3_Ensure_sudo_log_file_exists:def:1
- oval:simp.cis.3.1.2.CentOS7.5.3.1_Ensure_permissions_on_etcsshsshd_config_are_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.5.3.2_Ensure_permissions_on_SSH_private_host_key_files_are_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.5.3.3_Ensure_permissions_on_SSH_public_host_key_files_are_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.5.3.4_Ensure_SSH_access_is_limited:def:1
- oval:simp.cis.3.1.2.CentOS7.5.3.5_Ensure_SSH_LogLevel_is_appropriate:def:1
- oval:simp.cis.3.1.2.CentOS7.5.3.6_Ensure_SSH_X11_forwarding_is_disabled:def:1
- oval:simp.cis.3.1.2.CentOS7.5.3.7_Ensure_SSH_MaxAuthTries_is_set_to_4_or_less:def:1
- oval:simp.cis.3.1.2.CentOS7.5.3.8_Ensure_SSH_IgnoreRhosts_is_enabled:def:1
- oval:simp.cis.3.1.2.CentOS7.5.3.9_Ensure_SSH_HostbasedAuthentication_is_disabled:def:1
- oval:simp.cis.3.1.2.CentOS7.5.3.10_Ensure_SSH_root_login_is_disabled:def:1
- oval:simp.cis.3.1.2.CentOS7.5.3.11_Ensure_SSH_PermitEmptyPasswords_is_disabled:def:1
- oval:simp.cis.3.1.2.CentOS7.5.3.12_Ensure_SSH_PermitUserEnvironment_is_disabled:def:1
- oval:simp.cis.3.1.2.CentOS7.5.3.13_Ensure_only_strong_Ciphers_are_used:def:1
- oval:simp.cis.3.1.2.CentOS7.5.3.14_Ensure_only_strong_MAC_algorithms_are_used:def:1
- oval:simp.cis.3.1.2.CentOS7.5.3.15_Ensure_only_strong_Key_Exchange_algorithms_are_used:def:1
- oval:simp.cis.3.1.2.CentOS7.5.3.16_Ensure_SSH_Idle_Timeout_Interval_is_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.5.3.17_Ensure_SSH_LoginGraceTime_is_set_to_one_minute_or_less:def:1
- oval:simp.cis.3.1.2.CentOS7.5.3.18_Ensure_SSH_warning_banner_is_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.5.3.19_Ensure_SSH_PAM_is_enabled:def:1
- oval:simp.cis.3.1.2.CentOS7.5.3.20_Ensure_SSH_AllowTcpForwarding_is_disabled:def:1
- oval:simp.cis.3.1.2.CentOS7.5.3.21_Ensure_SSH_MaxStartups_is_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.5.3.22_Ensure_SSH_MaxSessions_is_limited:def:1
- oval:simp.cis.3.1.2.CentOS7.5.4.1_Ensure_password_creation_requirements_are_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.5.4.2_Ensure_lockout_for_failed_password_attempts_is_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.5.4.3_Ensure_password_hashing_algorithm_is_SHA-512:def:1
- oval:simp.cis.3.1.2.CentOS7.5.4.4_Ensure_password_reuse_is_limited:def:1
- oval:simp.cis.3.1.2.CentOS7.5.5.1.1_Ensure_password_expiration_is_365_days_or_less:def:1
- The product sets PASS_MAX_DAYS in /etc/login.defs; however, there is currently no mechanism to enforce the setting for existing users in /etc/shadow.
- oval:simp.cis.3.1.2.CentOS7.5.5.1.2_Ensure_minimum_days_between_password_changes_is_configured:def:1
- The product sets PASS_MIN_DAYS in /etc/login.defs; however, there is currently no mechanism to enforce the setting for existing users in /etc/shadow.
- oval:simp.cis.3.1.2.CentOS7.5.5.1.3_Ensure_password_expiration_warning_days_is_7_or_more:def:1
- oval:simp.cis.3.1.2.CentOS7.5.5.1.4_Ensure_inactive_password_lock_is_30_days_or_less:def:1
- oval:simp.cis.3.1.2.CentOS7.5.5.1.5_Ensure_all_users_last_password_change_date_is_in_the_past:def:1
- oval:simp.cis.3.1.2.CentOS7.5.5.2_Ensure_system_accounts_are_secured:def:1
- oval:simp.cis.3.1.2.CentOS7.5.5.3_Ensure_default_group_for_the_root_account_is_GID_0:def:1
- oval:simp.cis.3.1.2.CentOS7.5.5.4_Ensure_default_user_shell_timeout_is_configured:def:1
- The scanner fails to pick up on the format the product uses for setting the timeout: [ $TMOUT ] || export TMOUT=900. The setting is also placed in a nonstandard location: /etc/profile.d/simp.sh.
- oval:simp.cis.3.1.2.CentOS7.5.5.5_Ensure_default_user_umask_is_configured:def:1
- The umask is set to 027 in /etc/profile.d/simp.sh; however, this check still fails the scan.
- oval:simp.cis.3.1.2.CentOS7.5.6_Ensure_root_login_is_restricted_to_system_console:def:1
- oval:simp.cis.3.1.2.CentOS7.5.7_Ensure_access_to_the_su_command_is_restricted:def:1
- oval:simp.cis.3.1.2.CentOS7.6.1.2_Ensure_permissions_on_etcpasswd_are_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.6.1.3_Ensure_permissions_on_etcpasswd-_are_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.6.1.4_Ensure_permissions_on_etcshadow_are_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.6.1.5_Ensure_permissions_on_etcshadow-_are_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.6.1.6_Ensure_permissions_on_etcgshadow-_are_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.6.1.7_Ensure_permissions_on_etcgshadow_are_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.6.1.8_Ensure_permissions_on_etcgroup_are_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.6.1.9_Ensure_permissions_on_etcgroup-_are_configured:def:1
- oval:simp.cis.3.1.2.CentOS7.6.2.1_Ensure_accounts_in_etcpasswd_use_shadowed_passwords:def:1
- oval:simp.cis.3.1.2.CentOS7.6.2.2_Ensure_etcshadow_password_fields_are_not_empty:def:1
- oval:simp.cis.3.1.2.CentOS7.6.2.3_Ensure_all_groups_in_etcpasswd_exist_in_etcgroup:def:1
- oval:simp.cis.3.1.2.CentOS7.6.2.4_Ensure_shadow_group_is_empty:def:1
- oval:simp.cis.3.1.2.CentOS7.6.2.5_Ensure_no_duplicate_user_names_exist:def:1
- oval:simp.cis.3.1.2.CentOS7.6.2.6_Ensure_no_duplicate_group_names_exist:def:1
- oval:simp.cis.3.1.2.CentOS7.6.2.7_Ensure_no_duplicate_UIDs_exist:def:1
- oval:simp.cis.3.1.2.CentOS7.6.2.8_Ensure_no_duplicate_GIDs_exist:def:1
- oval:simp.cis.3.1.2.CentOS7.6.2.9_Ensure_root_is_the_only_UID_0_account:def:1
- oval:simp.cis.3.1.2.CentOS7.6.2.10_Ensure_root_PATH_Integrity:def:1
- oval:simp.cis.3.1.2.CentOS7.6.2.11_Ensure_all_users_home_directories_exist:def:1
- oval:simp.cis.3.1.2.CentOS7.6.2.12_Ensure_users_own_their_home_directories:def:1
- oval:simp.cis.3.1.2.CentOS7.6.2.13_Ensure_users_home_directories_permissions_are_750_or_more_restrictive:def:1
- oval:simp.cis.3.1.2.CentOS7.6.2.14_Ensure_users_dot_files_are_not_group_or_world_writable:def:1
- oval:simp.cis.3.1.2.CentOS7.6.2.15Ensure_no_users_have.forward_files:def:1
- oval:simp.cis.3.1.2.CentOS7.6.2.16Ensure_no_users_have.netrc_files:def:1
- oval:simp.cis.3.1.2.CentOS7.6.2.17Ensure_no_users_have.rhosts_files:def:1
CentOS 8 (248/271 [91%])
- oval:simp.cis.2.0.0.CentOS8.1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabled:def:1
- oval:simp.cis.2.0.0.CentOS8.1.1.1.2_Ensure_mounting_of_squashfs_filesystems_is_disabled:def:1
- oval:simp.cis.2.0.0.CentOS8.1.1.1.3_Ensure_mounting_of_udf_filesystems_is_disabled:def:1
- oval:simp.cis.2.0.0.CentOS8.1.1.2.1_Ensure_tmp_is_a_separate_partition:def:1
- /tmp is configured as a bind mount with the following options: bind,nodev,noexec,nosuid. The test for this rule, however, looks for /tmp in /etc/fstab.
- oval:simp.cis.2.0.0.CentOS8.1.1.2.2_Ensure_nodev_option_set_on_tmp_partition:def:1
- oval:simp.cis.2.0.0.CentOS8.1.1.2.3_Ensure_noexec_option_set_on_tmp_partition:def:1
- oval:simp.cis.2.0.0.CentOS8.1.1.2.4_Ensure_nosuid_option_set_on_tmp_partition:def:1
- oval:simp.cis.2.0.0.CentOS8.1.1.3.2_Ensure_nodev_option_set_on_var_partition:def:1
- oval:simp.cis.2.0.0.CentOS8.1.1.3.3_Ensure_noexec_option_set_on_var_partition:def:1
- oval:simp.cis.2.0.0.CentOS8.1.1.3.4_Ensure_nosuid_option_set_on_var_partition:def:1
- oval:simp.cis.2.0.0.CentOS8.1.1.4.2_Ensure_noexec_option_set_on_vartmp_partition:def:1
- oval:simp.cis.2.0.0.CentOS8.1.1.4.3_Ensure_nosuid_option_set_on_vartmp_partition:def:1
- oval:simp.cis.2.0.0.CentOS8.1.1.4.4_Ensure_nodev_option_set_on_vartmp_partition:def:1
- oval:simp.cis.2.0.0.CentOS8.1.1.5.2_Ensure_nodev_option_set_on_varlog_partition:def:1
- oval:simp.cis.2.0.0.CentOS8.1.1.5.3_Ensure_noexec_option_set_on_varlog_partition:def:1
- oval:simp.cis.2.0.0.CentOS8.1.1.5.4_Ensure_nosuid_option_set_on_varlog_partition:def:1
- oval:simp.cis.2.0.0.CentOS8.1.1.6.2_Ensure_noexec_option_set_on_varlogaudit_partition:def:1
- oval:simp.cis.2.0.0.CentOS8.1.1.6.3_Ensure_nodev_option_set_on_varlogaudit_partition:def:1
- oval:simp.cis.2.0.0.CentOS8.1.1.6.4_Ensure_nosuid_option_set_on_varlogaudit_partition:def:1
- oval:simp.cis.2.0.0.CentOS8.1.1.7.2_Ensure_nodev_option_set_on_home_partition:def:1
- oval:simp.cis.2.0.0.CentOS8.1.1.7.3_Ensure_nosuid_option_set_on_home_partition:def:1
- oval:simp.cis.2.0.0.CentOS8.1.1.8.1_Ensure_nodev_option_set_on_devshm_partition:def:1
- oval:simp.cis.2.0.0.CentOS8.1.1.8.2_Ensure_noexec_option_set_on_devshm_partition:def:1
- oval:simp.cis.2.0.0.CentOS8.1.1.8.3_Ensure_nosuid_option_set_on_devshm_partition:def:1
- oval:simp.cis.2.0.0.CentOS8.1.1.9_Disable_Automounting:def:1
- oval:simp.cis.2.0.0.CentOS8.1.1.10_Disable_USB_Storage:def:1
- oval:simp.cis.2.0.0.CentOS8.1.2.2_Ensure_gpgcheck_is_globally_activated:def:1
- Some organizations will need gpgcheck turned off for some of their internal repos; the best the product can do in this scenario is to enable gpgcheck in /etc/yum.conf and rely on the customer to control the gpg settings of their individual repos.
- oval:simp.cis.2.0.0.CentOS8.1.3.1_Ensure_AIDE_is_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.1.3.2_Ensure_filesystem_integrity_is_regularly_checked:def:1
- oval:simp.cis.2.0.0.CentOS8.1.4.1_Ensure_bootloader_password_is_set:def:1
- oval:simp.cis.2.0.0.CentOS8.1.4.2_Ensure_permissions_on_bootloader_config_are_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.1.4.3_Ensure_authentication_is_required_when_booting_into_rescue_mode:def:1
- oval:simp.cis.2.0.0.CentOS8.1.5.1_Ensure_core_dump_storage_is_disabled:def:1
- oval:simp.cis.2.0.0.CentOS8.1.5.2_Ensure_core_dump_backtraces_are_disabled:def:1
- oval:simp.cis.2.0.0.CentOS8.1.5.3_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1
- oval:simp.cis.2.0.0.CentOS8.1.6.1.1_Ensure_SELinux_is_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.1.6.1.2_Ensure_SELinux_is_not_disabled_in_bootloader_configuration:def:1
- oval:simp.cis.2.0.0.CentOS8.1.6.1.3_Ensure_SELinux_policy_is_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.1.6.1.4_Ensure_the_SELinux_mode_is_not_disabled:def:1
- oval:simp.cis.2.0.0.CentOS8.1.6.1.5_Ensure_the_SELinux_mode_is_enforcing:def:1
- oval:simp.cis.2.0.0.CentOS8.1.6.1.7_Ensure_SETroubleshoot_is_not_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.1.6.1.8_Ensure_the_MCS_Translation_Service_mcstrans_is_not_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.1.7.1_Ensure_message_of_the_day_is_configured_properly:def:1
- oval:simp.cis.2.0.0.CentOS8.1.7.2_Ensure_local_login_warning_banner_is_configured_properly:def:1
- oval:simp.cis.2.0.0.CentOS8.1.7.3_Ensure_remote_login_warning_banner_is_configured_properly:def:1
- oval:simp.cis.2.0.0.CentOS8.1.7.4_Ensure_permissions_on_etcmotd_are_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.1.7.5_Ensure_permissions_on_etcissue_are_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.1.7.6_Ensure_permissions_on_etcissue.net_are_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.1.8.1_Ensure_GNOME_Display_Manager_is_removed:def:1
- oval:simp.cis.2.0.0.CentOS8.1.8.2_Ensure_GDM_login_banner_is_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.1.8.3_Ensure_last_logged_in_user_display_is_disabled:def:1
- oval:simp.cis.2.0.0.CentOS8.1.8.4_Ensure_XDMCP_is_not_enabled:def:1
- oval:simp.cis.2.0.0.CentOS8.1.8.5_Ensure_automatic_mounting_of_removable_media_is_disabled:def:1
- oval:simp.cis.2.0.0.CentOS8.1.9_Ensure_updates_patches_and_additional_security_software_are_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.1.10_Ensure_system-wide_crypto_policy_is_not_legacy:def:1
- oval:simp.cis.2.0.0.CentOS8.2.1.1_Ensure_time_synchronization_is_in_use:def:1
- oval:simp.cis.2.0.0.CentOS8.2.1.2_Ensure_chrony_is_configured:def:1
- We are configuring the system to use ntpd instead of chrony.
- oval:simp.cis.2.0.0.CentOS8.2.2.1_Ensure_xinetd_is_not_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.2.2.2_Ensure_xorg-x11-server-common_is_not_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.2.2.3_Ensure_Avahi_Server_is_not_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.2.2.4_Ensure_CUPS_is_not_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.2.2.5_Ensure_DHCP_Server_is_not_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.2.2.6_Ensure_DNS_Server_is_not_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.2.2.7_Ensure_FTP_Server_is_not_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.2.2.8_Ensure_VSFTP_Server_is_not_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.2.2.9_Ensure_TFTP_Server_is_not_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.2.2.10_Ensure_a_web_server_is_not_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.2.2.11_Ensure_IMAP_and_POP3_server_is_not_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.2.2.12_Ensure_Samba_is_not_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.2.2.13_Ensure_HTTP_Proxy_Server_is_not_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.2.2.14_Ensure_net-snmp_is_not_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.2.2.15_Ensure_NIS_server_is_not_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.2.2.16_Ensure_telnet-server_is_not_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.2.2.17_Ensure_mail_transfer_agent_is_configured_for_local-only_mode:def:1
- oval:simp.cis.2.0.0.CentOS8.2.2.18_Ensure_nfs-utils_is_not_installed_or_the__nfs-server_service_is_masked:def:1
- oval:simp.cis.2.0.0.CentOS8.2.2.19_Ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked:def:1
- oval:simp.cis.2.0.0.CentOS8.2.2.20_Ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked:def:1
- oval:simp.cis.2.0.0.CentOS8.2.3.1_Ensure_NIS_Client_is_not_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.2.3.2_Ensure_rsh_client_is_not_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.2.3.3_Ensure_talk_client_is_not_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.2.3.4_Ensure_telnet_client_is_not_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.2.3.5_Ensure_LDAP_client_is_not_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.2.3.6_Ensure_TFTP_client_is_not_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.2.4_Ensure_nonessential_services_are_removed_or_masked:def:1
- oval:simp.cis.2.0.0.CentOS8.3.1.1_Verify_if_IPv6_is_enabled_on_the_system:def:1
- oval:simp.cis.2.0.0.CentOS8.3.1.2_Ensure_SCTP_is_disabled:def:1
- oval:simp.cis.2.0.0.CentOS8.3.1.3_Ensure_DCCP_is_disabled:def:1
- oval:simp.cis.2.0.0.CentOS8.3.1.4_Ensure_wireless_interfaces_are_disabled:def:1
- oval:simp.cis.2.0.0.CentOS8.3.2.1_Ensure_IP_forwarding_is_disabled:def:1
- oval:simp.cis.2.0.0.CentOS8.3.2.2_Ensure_packet_redirect_sending_is_disabled:def:1
- oval:simp.cis.2.0.0.CentOS8.3.3.1_Ensure_source_routed_packets_are_not_accepted:def:1
- oval:simp.cis.2.0.0.CentOS8.3.3.2_Ensure_ICMP_redirects_are_not_accepted:def:1
- oval:simp.cis.2.0.0.CentOS8.3.3.3_Ensure_secure_ICMP_redirects_are_not_accepted:def:1
- oval:simp.cis.2.0.0.CentOS8.3.3.4_Ensure_suspicious_packets_are_logged:def:1
- oval:simp.cis.2.0.0.CentOS8.3.3.5_Ensure_broadcast_ICMP_requests_are_ignored:def:1
- oval:simp.cis.2.0.0.CentOS8.3.3.6_Ensure_bogus_ICMP_responses_are_ignored:def:1
- oval:simp.cis.2.0.0.CentOS8.3.3.7_Ensure_Reverse_Path_Filtering_is_enabled:def:1
- oval:simp.cis.2.0.0.CentOS8.3.3.8_Ensure_TCP_SYN_Cookies_is_enabled:def:1
- oval:simp.cis.2.0.0.CentOS8.3.3.9_Ensure_IPv6_router_advertisements_are_not_accepted:def:1
- oval:simp.cis.2.0.0.CentOS8.3.4.1.1_Ensure_firewalld_is_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.3.4.1.2_Ensure_iptables-services_not_installed_with_firewalld:def:1
- Only applies when nftables is used for firewall provider
- oval:simp.cis.2.0.0.CentOS8.3.4.1.3_Ensure_nftables_either_not_installed_or_masked_with_firewalld:def:1
- oval:simp.cis.2.0.0.CentOS8.3.4.1.4_Ensure_firewalld_service_enabled_and_running:def:1
- oval:simp.cis.2.0.0.CentOS8.3.4.1.5_Ensure_firewalld_default_zone_is_set:def:1
- oval:simp.cis.2.0.0.CentOS8.3.4.1.6_Ensure_network_interfaces_are_assigned_to_appropriate_zone:def:1
- oval:simp.cis.2.0.0.CentOS8.3.4.1.7_Ensure_firewalld_drops_unnecessary_services_and_ports:def:1
- oval:simp.cis.2.0.0.CentOS8.3.4.2.1_Ensure_nftables_is_installed:def:1
- Only applies when nftables is used for firewall provider
- oval:simp.cis.2.0.0.CentOS8.3.4.2.2_Ensure_firewalld_is_either_not_installed_or_masked_with_nftables:def:1
- Only applies when nftables is used for firewall provider
- oval:simp.cis.2.0.0.CentOS8.3.4.2.3_Ensure_iptables-services_not_installed_with_nftables:def:1
- Only applies when nftables is used for firewall provider
- oval:simp.cis.2.0.0.CentOS8.3.4.2.4_Ensure_iptables_are_flushed_with_nftables:def:1
- Only applies when nftables is used for firewall provider
- oval:simp.cis.2.0.0.CentOS8.3.4.2.5_Ensure_an_nftables_table_exists:def:1
- Only applies when nftables is used for firewall provider
- oval:simp.cis.2.0.0.CentOS8.3.4.2.6_Ensure_nftables_base_chains_exist:def:1
- Only applies when nftables is used for firewall provider
- oval:simp.cis.2.0.0.CentOS8.3.4.2.7_Ensure_nftables_loopback_traffic_is_configured:def:1
- Only applies when nftables is used for firewall provider
- oval:simp.cis.2.0.0.CentOS8.3.4.2.8_Ensure_nftables_outbound_and_established_connections_are_configured:def:1
- Only applies when iptables is used for firewall provider
- oval:simp.cis.2.0.0.CentOS8.3.4.2.9_Ensure_nftables_default_deny_firewall_policy:def:1
- Only applies when nftables is used for firewall provider
- oval:simp.cis.2.0.0.CentOS8.3.4.2.10_Ensure_nftables_service_is_enabled:def:1
- oval:simp.cis.2.0.0.CentOS8.3.4.2.11_Ensure_nftables_rules_are_permanent:def:1
- Only applies when nftables is used for firewall provider
- oval:simp.cis.2.0.0.CentOS8.3.4.3.1.1_Ensure_iptables_packages_are_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.3.4.3.1.2_Ensure_nftables_is_not_installed_with_iptables:def:1
- Only applies when iptables is used for firewall provider
- oval:simp.cis.2.0.0.CentOS8.3.4.3.1.3_Ensure_firewalld_is_either_not_installed_or_masked_with_iptables:def:1
- Only applies when nftables is used for firewall provider
- oval:simp.cis.2.0.0.CentOS8.3.4.3.2.1_Ensure_iptables_loopback_traffic_is_configured:def:1
- Only applies when iptables is used for firewall provider
- oval:simp.cis.2.0.0.CentOS8.3.4.3.2.2_Ensure_iptables_outbound_and_established_connections_are_configured:def:1
- Only applies when iptables is used for firewall provider
- oval:simp.cis.2.0.0.CentOS8.3.4.3.2.3_Ensure_iptables_rules_exist_for_all_open_ports:def:1
- Only applies when iptables is used for firewall provider
- oval:simp.cis.2.0.0.CentOS8.3.4.3.2.4_Ensure_iptables_default_deny_firewall_policy:def:1
- Only applies when iptables is used for firewall provider
- oval:simp.cis.2.0.0.CentOS8.3.4.3.2.5_Ensure_iptables_rules_are_saved:def:1
- oval:simp.cis.2.0.0.CentOS8.3.4.3.2.6_Ensure_iptables_is_enabled_and_active:def:1
- oval:simp.cis.2.0.0.CentOS8.3.4.3.3.1_Ensure_ip6tables_loopback_traffic_is_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.3.4.3.3.2_Ensure_ip6tables_outbound_and_established_connections_are_configured:def:1
- Only applies when iptables is used for firewall provider
- oval:simp.cis.2.0.0.CentOS8.3.4.3.3.3_Ensure_ip6tables_firewall_rules_exist_for_all_open_ports:def:1
- Only applies when iptables is used for firewall provider
- oval:simp.cis.2.0.0.CentOS8.3.4.3.3.4_Ensure_ip6tables_default_deny_firewall_policy:def:1
- Only applies when iptables is used as the firewall provider
- oval:simp.cis.2.0.0.CentOS8.3.4.3.3.5_Ensure_ip6tables_rules_are_saved:def:1
- oval:simp.cis.2.0.0.CentOS8.3.4.3.3.6_Ensure_ip6tables_is_enabled_and_active:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.1.1_Ensure_auditd_is_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.1.2_Ensure_auditd_service_is_enabled:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.1.3_Ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.1.4_Ensure_audit_backlog_limit_is_sufficient:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.2.1_Ensure_audit_log_storage_size_is_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.2.2_Ensure_audit_logs_are_not_automatically_deleted:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.2.3_Ensure_system_is_disabled_when_audit_logs_are_full:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.3.1_Ensure_changes_to_system_administration_scope_sudoers_is_collected:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.3.2_Ensure_actions_as_another_user_are_always_logged:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.3.3_Ensure_events_that_modify_the_sudo_log_file_are_collected:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.3.4_Ensure_events_that_modify_date_and_time_information_are_collected:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.3.5_Ensure_events_that_modify_the_systems_network_environment_are_collected:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.3.6_Ensure_use_of_privileged_commands_are_collected:def:1
- The available setuid/setgid commands on a given system could vary greatly. Several of the more common commands are audited, but there is currently no automated way to identify and audit all possible setuid/setgid commands available on any given system.
- oval:simp.cis.2.0.0.CentOS8.4.1.3.7_Ensure_unsuccessful_file_access_attempts_are_collected:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.3.8_Ensure_events_that_modify_usergroup_information_are_collected:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.3.9_Ensure_discretionary_access_control_permission_modification_events_are_collected:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.3.10_Ensure_successful_file_system_mounts_are_collected:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.3.11_Ensure_session_initiation_information_is_collected:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.3.12_Ensure_login_and_logout_events_are_collected:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.3.13_Ensure_file_deletion_events_by_users_are_collected:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.3.14_Ensure_events_that_modify_the_systems_Mandatory_Access_Controls_are_collected:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.3.15_Ensure_successful_and_unsuccessful_attempts_to_use_the_chcon_command_are_recorded:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.3.16_Ensure_successful_and_unsuccessful_attempts_to_use_the_setfacl_command_are_recorded:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.3.17_Ensure_successful_and_unsuccessful_attempts_to_use_the_chacl_command_are_recorded:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.3.18_Ensure_successful_and_unsuccessful_attempts_to_use_the_usermod_command_are_recorded:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.3.19_Ensure_kernel_module_loading_unloading_and_modification_is_collected:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.3.20_Ensure_the_audit_configuration_is_immutable:def:1
- oval:simp.cis.2.0.0.CentOS8.4.1.3.21_Ensure_the_running_and_on_disk_configuration_is_the_same:def:1
- Including the audit class will force the system to check the expected rule set against what is on disk. If there are discrepancies, the rules will be changed to the expected state and the service will be restarted, which ensures the rules on disk are the same as the running rules.
- oval:simp.cis.2.0.0.CentOS8.4.2.1.1_Ensure_rsyslog_is_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.4.2.1.2_Ensure_rsyslog_service_is_enabled:def:1
- oval:simp.cis.2.0.0.CentOS8.4.2.1.4_Ensure_rsyslog_default_file_permissions_are_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.4.2.1.5_Ensure_logging_is_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.4.2.1.7_Ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client:def:1
- Including the product’s rsyslog class will purge any rsyslog configuration not specified by the user in hieradata or by other rules that require specific rsyslog configuration.
- oval:simp.cis.2.0.0.CentOS8.4.2.2.1.1_Ensure_systemd-journal-remote_is_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.4.2.2.1.4_Ensure_journald_is_not_configured_to_recieve_logs_from_a_remote_client:def:1
- oval:simp.cis.2.0.0.CentOS8.4.2.2.2_Ensure_journald_service_is_enabled:def:1
- Simply including the journald class will include a default journald configuration and ensure the service is enabled.
- oval:simp.cis.2.0.0.CentOS8.4.2.2.3_Ensure_journald_is_configured_to_compress_large_log_files:def:1
- oval:simp.cis.2.0.0.CentOS8.4.2.2.4_Ensure_journald_is_configured_to_write_logfiles_to_persistent_disk:def:1
- oval:simp.cis.2.0.0.CentOS8.4.2.2.5_Ensure_journald_is_not_configured_to_send_logs_to_rsyslog:def:1
- oval:simp.cis.2.0.0.CentOS8.4.2.2.6_Ensure_journald_log_rotation_is_configured_per_site_policy:def:1
- oval:simp.cis.2.0.0.CentOS8.4.2.3_Ensure_permissions_on_all_logfiles_are_configured:def:1
- btmp, lastlog, and wtmp will not have any permissions stripped from them. Doing so could cause login issues for users.
- oval:simp.cis.2.0.0.CentOS8.4.3_Ensure_logrotate_is_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.5.1.1_Ensure_cron_daemon_is_enabled:def:1
- oval:simp.cis.2.0.0.CentOS8.5.1.2_Ensure_permissions_on_etccrontab_are_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.5.1.3_Ensure_permissions_on_etccron.hourly_are_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.5.1.4_Ensure_permissions_on_etccron.daily_are_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.5.1.5_Ensure_permissions_on_etccron.weekly_are_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.5.1.6_Ensure_permissions_on_etccron.monthly_are_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.5.1.7_Ensure_permissions_on_etccron.d_are_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.5.1.8_Ensure_cron_is_restricted_to_authorized_users:def:1
- oval:simp.cis.2.0.0.CentOS8.5.1.9_Ensure_at_is_restricted_to_authorized_users:def:1
- oval:simp.cis.2.0.0.CentOS8.5.2.1_Ensure_permissions_on_etcsshsshd_config_are_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.5.2.2_Ensure_permissions_on_SSH_private_host_key_files_are_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.5.2.3_Ensure_permissions_on_SSH_public_host_key_files_are_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.5.2.4_Ensure_SSH_access_is_limited:def:1
- oval:simp.cis.2.0.0.CentOS8.5.2.5_Ensure_SSH_LogLevel_is_appropriate:def:1
- oval:simp.cis.2.0.0.CentOS8.5.2.6_Ensure_SSH_PAM_is_enabled:def:1
- oval:simp.cis.2.0.0.CentOS8.5.2.7_Ensure_SSH_root_login_is_disabled:def:1
- oval:simp.cis.2.0.0.CentOS8.5.2.8_Ensure_SSH_HostbasedAuthentication_is_disabled:def:1
- oval:simp.cis.2.0.0.CentOS8.5.2.9_Ensure_SSH_PermitEmptyPasswords_is_disabled:def:1
- oval:simp.cis.2.0.0.CentOS8.5.2.10_Ensure_SSH_PermitUserEnvironment_is_disabled:def:1
- oval:simp.cis.2.0.0.CentOS8.5.2.11_Ensure_SSH_IgnoreRhosts_is_enabled:def:1
- oval:simp.cis.2.0.0.CentOS8.5.2.12_Ensure_SSH_X11_forwarding_is_disabled:def:1
- oval:simp.cis.2.0.0.CentOS8.5.2.13_Ensure_SSH_AllowTcpForwarding_is_disabled:def:1
- oval:simp.cis.2.0.0.CentOS8.5.2.14_Ensure_system-wide_crypto_policy_is_not_over-ridden:def:1
- oval:simp.cis.2.0.0.CentOS8.5.2.15_Ensure_SSH_warning_banner_is_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.5.2.16_Ensure_SSH_MaxAuthTries_is_set_to_4_or_less:def:1
- oval:simp.cis.2.0.0.CentOS8.5.2.17_Ensure_SSH_MaxStartups_is_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.5.2.18_Ensure_SSH_MaxSessions_is_set_to_10_or_less:def:1
- oval:simp.cis.2.0.0.CentOS8.5.2.19_Ensure_SSH_LoginGraceTime_is_set_to_one_minute_or_less:def:1
- oval:simp.cis.2.0.0.CentOS8.5.2.20_Ensure_SSH_Idle_Timeout_Interval_is_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.5.3.1_Ensure_sudo_is_installed:def:1
- oval:simp.cis.2.0.0.CentOS8.5.3.2_Ensure_sudo_commands_use_pty:def:1
- oval:simp.cis.2.0.0.CentOS8.5.3.3_Ensure_sudo_log_file_exists:def:1
- oval:simp.cis.2.0.0.CentOS8.5.3.6_Ensure_sudo_authentication_timeout_is_configured_correctly:def:1
- oval:simp.cis.2.0.0.CentOS8.5.3.7_Ensure_access_to_the_su_command_is_restricted:def:1
- oval:simp.cis.2.0.0.CentOS8.5.4.1_Ensure_custom_authselect_profile_is_used:def:1
- oval:simp.cis.2.0.0.CentOS8.5.4.2_Ensure_authselect_includes_with-faillock:def:1
- oval:simp.cis.2.0.0.CentOS8.5.5.1_Ensure_password_creation_requirements_are_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.5.5.2_Ensure_lockout_for_failed_password_attempts_is_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.5.5.3_Ensure_password_reuse_is_limited:def:1
- Password reuse will be limited through PAM instead of authselect. The product will support authselect in a future release.
- oval:simp.cis.2.0.0.CentOS8.5.5.4_Ensure_password_hashing_algorithm_is_SHA-512:def:1
- oval:simp.cis.2.0.0.CentOS8.5.6.1.1_Ensure_password_expiration_is_365_days_or_less:def:1
- The product sets PASS_MAX_DAYS in /etc/login.defs; however, there is currently no mechanism to enforce the setting for existing users in /etc/shadow.
- oval:simp.cis.2.0.0.CentOS8.5.6.1.2_Ensure_minimum_days_between_password_changes_is_7_or_more:def:1
- The PASS_MIN_DAYS value in /etc/login.defs will be set to 7 as requested; however, the product has no mechanism to change this value for all existing users.
- oval:simp.cis.2.0.0.CentOS8.5.6.1.3_Ensure_password_expiration_warning_days_is_7_or_more:def:1
- oval:simp.cis.2.0.0.CentOS8.5.6.1.4_Ensure_inactive_password_lock_is_30_days_or_less:def:1
- The system will be configured to make accounts inactive after 30 days of inactivity; however, the product has no mechanism to change this value for existing users.
- oval:simp.cis.2.0.0.CentOS8.5.6.1.5_Ensure_all_users_last_password_change_date_is_in_the_past:def:1
- oval:simp.cis.2.0.0.CentOS8.5.6.2_Ensure_system_accounts_are_secured:def:1
- oval:simp.cis.2.0.0.CentOS8.5.6.3_Ensure_default_user_shell_timeout_is_900_seconds_or_less:def:1
- The scanner fails to pick up on the format the product uses for setting the timeout: `[ $TMOUT ] || export TMOUT=900`. The setting is also set in a nonstandard location: /etc/profile.d/simp.sh.
- oval:simp.cis.2.0.0.CentOS8.5.6.4_Ensure_default_group_for_the_root_account_is_GID_0:def:1
- oval:simp.cis.2.0.0.CentOS8.5.6.5_Ensure_default_user_umask_is_027_or_more_restrictive:def:1
- The umask will be set to 027 within /etc/profile.d/simp.sh; however, this check still fails the scan.
- oval:simp.cis.2.0.0.CentOS8.6.1.2_Ensure_sticky_bit_is_set_on_all_world-writable_directories:def:1
- oval:simp.cis.2.0.0.CentOS8.6.1.3_Ensure_permissions_on_etcpasswd_are_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.6.1.4_Ensure_permissions_on_etcshadow_are_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.6.1.5_Ensure_permissions_on_etcgroup_are_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.6.1.6_Ensure_permissions_on_etcgshadow_are_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.6.1.7_Ensure_permissions_on_etcpasswd-_are_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.6.1.8_Ensure_permissions_on_etcshadow-_are_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.6.1.9_Ensure_permissions_on_etcgroup-_are_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.6.1.10_Ensure_permissions_on_etcgshadow-_are_configured:def:1
- oval:simp.cis.2.0.0.CentOS8.6.2.1_Ensure_password_fields_are_not_empty:def:1
- oval:simp.cis.2.0.0.CentOS8.6.2.2_Ensure_all_groups_in_etcpasswd_exist_in_etcgroup:def:1
- oval:simp.cis.2.0.0.CentOS8.6.2.3_Ensure_no_duplicate_UIDs_exist:def:1
- oval:simp.cis.2.0.0.CentOS8.6.2.4_Ensure_no_duplicate_GIDs_exist:def:1
- oval:simp.cis.2.0.0.CentOS8.6.2.5_Ensure_no_duplicate_user_names_exist:def:1
- oval:simp.cis.2.0.0.CentOS8.6.2.6_Ensure_no_duplicate_group_names_exist:def:1
- oval:simp.cis.2.0.0.CentOS8.6.2.7_Ensure_root_PATH_Integrity:def:1
- oval:simp.cis.2.0.0.CentOS8.6.2.8_Ensure_root_is_the_only_UID_0_account:def:1
- oval:simp.cis.2.0.0.CentOS8.6.2.9_Ensure_all_users_home_directories_exist:def:1
- oval:simp.cis.2.0.0.CentOS8.6.2.10_Ensure_users_own_their_home_directories:def:1
- oval:simp.cis.2.0.0.CentOS8.6.2.11_Ensure_users_home_directories_permissions_are_750_or_more_restrictive:def:1
- oval:simp.cis.2.0.0.CentOS8.6.2.12_Ensure_users_dot_files_are_not_group_or_world_writable:def:1
- oval:simp.cis.2.0.0.CentOS8.6.2.13Ensure_users.netrc_Files_are_not_group_or_world_accessible:def:1
- oval:simp.cis.2.0.0.CentOS8.6.2.14Ensure_no_users_have.forward_files:def:1
- oval:simp.cis.2.0.0.CentOS8.6.2.15Ensure_no_users_have.netrc_files:def:1
- oval:simp.cis.2.0.0.CentOS8.6.2.16Ensure_no_users_have.rhosts_files:def:1
OracleLinux 7 (232/246 [94%])
- oval:simp.cis.3.1.1.OracleLinux7.1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabled:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.1.1.2_Ensure_mounting_of_squashfs_filesystems_is_disabled:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.1.1.3_Ensure_mounting_of_udf_filesystems_is_disabled:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.1.2_Ensure_tmp_is_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.1.3_Ensure_noexec_option_set_on_tmp_partition:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.1.4_Ensure_nodev_option_set_on_tmp_partition:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.1.5_Ensure_nosuid_option_set_on_tmp_partition:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.1.6_Ensure_devshm_is_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.1.7_Ensure_noexec_option_set_on_devshm_partition:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.1.8_Ensure_nodev_option_set_on_devshm_partition:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.1.9_Ensure_nosuid_option_set_on_devshm_partition:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.1.12_Ensure_vartmp_partition_includes_the_noexec_option:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.1.13_Ensure_vartmp_partition_includes_the_nodev_option:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.1.14_Ensure_vartmp_partition_includes_the_nosuid_option:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.1.18_Ensure_home_partition_includes_the_nodev_option:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.1.19_Ensure_removable_media_partitions_include_noexec_option:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.1.20_Ensure_nodev_option_set_on_removable_media_partitions:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.1.21_Ensure_nosuid_option_set_on_removable_media_partitions:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.1.22_Ensure_sticky_bit_is_set_on_all_world-writable_directories:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.1.23_Disable_Automounting:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.1.24_Disable_USB_Storage:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.2.1_Ensure_GPG_keys_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.2.3_Ensure_gpgcheck_is_globally_activated:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.3.1_Ensure_AIDE_is_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.3.2_Ensure_filesystem_integrity_is_regularly_checked:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.4.1_Ensure_bootloader_password_is_set:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.4.2_Ensure_permissions_on_bootloader_config_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.4.3_Ensure_authentication_required_for_single_user_mode:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.5.1_Ensure_core_dumps_are_restricted:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.5.3_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.5.4_Ensure_prelink_is_not_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.6.1.1_Ensure_SELinux_is_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.6.1.2_Ensure_SELinux_is_not_disabled_in_bootloader_configuration:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.6.1.3_Ensure_SELinux_policy_is_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.6.1.4_Ensure_the_SELinux_mode_is_enforcing_or_permissive:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.6.1.5_Ensure_the_SELinux_mode_is_enforcing:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.6.1.7_Ensure_SETroubleshoot_is_not_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.6.1.8_Ensure_the_MCS_Translation_Service_mcstrans_is_not_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.7.1_Ensure_message_of_the_day_is_configured_properly:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.7.2_Ensure_local_login_warning_banner_is_configured_properly:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.7.3_Ensure_remote_login_warning_banner_is_configured_properly:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.7.4_Ensure_permissions_on_etcmotd_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.7.5_Ensure_permissions_on_etcissue_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.7.6_Ensure_permissions_on_etcissue.net_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.8.1_Ensure_GNOME_Display_Manager_is_removed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.8.2_Ensure_GDM_login_banner_is_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.8.3_Ensure_last_logged_in_user_display_is_disabled:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.8.4_Ensure_XDCMP_is_not_enabled:def:1
- oval:simp.cis.3.1.1.OracleLinux7.1.9_Ensure_updates_patches_and_additional_security_software_are_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.1.1_Ensure_xinetd_is_not_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.2.1.1_Ensure_time_synchronization_is_in_use:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.2.1.2_Ensure_chrony_is_configured:def:1
- We are configuring the system to use ntpd instead of chrony.
- oval:simp.cis.3.1.1.OracleLinux7.2.2.1.3_Ensure_ntp_is_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.2.2_Ensure_X11_Server_components_are_not_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.2.3_Ensure_Avahi_Server_is_not_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.2.4_Ensure_CUPS_is_not_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.2.5_Ensure_DHCP_Server_is_not_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.2.6_Ensure_LDAP_server_is_not_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.2.7_Ensure_DNS_Server_is_not_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.2.8_Ensure_FTP_Server_is_not_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.2.9_Ensure_HTTP_server_is_not_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.2.10_Ensure_IMAP_and_POP3_server_is_not_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.2.11_Ensure_Samba_is_not_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.2.12_Ensure_HTTP_Proxy_Server_is_not_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.2.13_Ensure_net-snmp_is_not_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.2.14_Ensure_NIS_server_is_not_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.2.15_Ensure_telnet-server_is_not_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.2.16_Ensure_mail_transfer_agent_is_configured_for_local-only_mode:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.2.17_Ensure_nfs-utils_is_not_installed_or_the__nfs-server_service_is_masked:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.2.18_Ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.2.19_Ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.3.1_Ensure_NIS_Client_is_not_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.3.2_Ensure_rsh_client_is_not_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.3.3_Ensure_talk_client_is_not_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.3.4_Ensure_telnet_client_is_not_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.3.5_Ensure_LDAP_client_is_not_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.2.4_Ensure_nonessential_services_are_removed_or_masked:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.1.1_Disable_IPv6:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.1.2_Ensure_wireless_interfaces_are_disabled:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.2.1_Ensure_IP_forwarding_is_disabled:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.2.2_Ensure_packet_redirect_sending_is_disabled:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.3.1_Ensure_source_routed_packets_are_not_accepted:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.3.2_Ensure_ICMP_redirects_are_not_accepted:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.3.3_Ensure_secure_ICMP_redirects_are_not_accepted:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.3.4_Ensure_suspicious_packets_are_logged:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.3.5_Ensure_broadcast_ICMP_requests_are_ignored:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.3.6_Ensure_bogus_ICMP_responses_are_ignored:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.3.7_Ensure_Reverse_Path_Filtering_is_enabled:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.3.8_Ensure_TCP_SYN_Cookies_is_enabled:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.3.9_Ensure_IPv6_router_advertisements_are_not_accepted:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.4.1_Ensure_DCCP_is_disabled:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.4.2_Ensure_SCTP_is_disabled:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.1.1_Ensure_firewalld_is_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.1.2_Ensure_iptables-services_not_installed_with_firewalld:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.1.3_Ensure_nftables_either_not_installed_or_masked_with_firewalld:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.1.4_Ensure_firewalld_service_enabled_and_running:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.1.5_Ensure_firewalld_default_zone_is_set:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.1.6_Ensure_network_interfaces_are_assigned_to_appropriate_zone:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.1.7_Ensure_firewalld_drops_unnecessary_services_and_ports:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.2.1_Ensure_nftables_is_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.2.2_Ensure_firewalld_is_either_not_installed_or_masked_with_nftables:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.2.3_Ensure_iptables-services_not_installed_with_nftables:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.2.4_Ensure_iptables_are_flushed_with_nftables:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.2.5_Ensure_an_nftables_table_exists:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.2.6_Ensure_nftables_base_chains_exist:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.2.7_Ensure_nftables_loopback_traffic_is_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.2.8_Ensure_nftables_outbound_and_established_connections_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.2.9_Ensure_nftables_default_deny_firewall_policy:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.2.10_Ensure_nftables_service_is_enabled:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.2.11_Ensure_nftables_rules_are_permanent:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.3.1.1_Ensure_iptables_packages_are_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.3.1.2_Ensure_nftables_is_not_installed_with_iptables:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.3.1.3_Ensure_firewalld_is_either_not_installed_or_masked_with_iptables:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.3.2.1_Ensure_iptables_loopback_traffic_is_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.3.2.2_Ensure_iptables_outbound_and_established_connections_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.3.2.3_Ensure_iptables_rules_exist_for_all_open_ports:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.3.2.4_Ensure_iptables_default_deny_firewall_policy:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.3.2.5_Ensure_iptables_rules_are_saved:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.3.2.6_Ensure_iptables_is_enabled_and_running:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.3.3.1_Ensure_ip6tables_loopback_traffic_is_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.3.3.2_Ensure_ip6tables_outbound_and_established_connections_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.3.3.3_Ensure_ip6tables_firewall_rules_exist_for_all_open_ports:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.3.3.4_Ensure_ip6tables_default_deny_firewall_policy:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.3.3.5_Ensure_ip6tables_rules_are_saved:def:1
- oval:simp.cis.3.1.1.OracleLinux7.3.5.3.3.6_Ensure_ip6tables_is_enabled_and_running:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.1.1.1_Ensure_auditd_is_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.1.1.2_Ensure_auditd_service_is_enabled_and_running:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.1.1.3_Ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.1.2.1_Ensure_audit_log_storage_size_is_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.1.2.2_Ensure_audit_logs_are_not_automatically_deleted:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.1.2.3_Ensure_system_is_disabled_when_audit_logs_are_full:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.1.2.4_Ensure_audit_backlog_limit_is_sufficient:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.1.3_Ensure_events_that_modify_date_and_time_information_are_collected:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.1.4_Ensure_events_that_modify_usergroup_information_are_collected:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.1.5_Ensure_events_that_modify_the_systems_network_environment_are_collected:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.1.6_Ensure_events_that_modify_the_systems_Mandatory_Access_Controls_are_collected:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.1.7_Ensure_login_and_logout_events_are_collected:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.1.8_Ensure_session_initiation_information_is_collected:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.1.9_Ensure_discretionary_access_control_permission_modification_events_are_collected:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.1.10_Ensure_unsuccessful_unauthorized_file_access_attempts_are_collected:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.1.11_Ensure_use_of_privileged_commands_is_collected:def:1
- The available setuid/setgid commands on a given system could vary greatly. Several of the more common commands are audited, but there is currently no automated way to identify and audit all possible setuid/setgid commands available on any given system.
- oval:simp.cis.3.1.1.OracleLinux7.4.1.12_Ensure_successful_file_system_mounts_are_collected:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.1.13_Ensure_file_deletion_events_by_users_are_collected:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.1.14_Ensure_changes_to_system_administration_scope_sudoers_is_collected:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.1.15_Ensure_system_administrator_command_executions_sudo_are_collected:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.1.16_Ensure_kernel_module_loading_and_unloading_is_collected:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.1.17_Ensure_the_audit_configuration_is_immutable:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.2.1.1_Ensure_rsyslog_is_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.2.1.2_Ensure_rsyslog_Service_is_enabled_and_running:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.2.1.3_Ensure_rsyslog_default_file_permissions_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.2.1.4_Ensure_logging_is_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.2.1.5_Ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.2.1.6_Ensure_remote_rsyslog_messages_are_only_accepted_on_designated_log_hosts.:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.2.2.1_Ensure_journald_is_configured_to_send_logs_to_rsyslog:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.2.2.2_Ensure_journald_is_configured_to_compress_large_log_files:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.2.2.3_Ensure_journald_is_configured_to_write_logfiles_to_persistent_disk:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.2.3_Ensure_permissions_on_all_logfiles_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.4.2.4_Ensure_logrotate_is_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.1.1_Ensure_cron_daemon_is_enabled_and_running:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.1.2_Ensure_permissions_on_etccrontab_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.1.3_Ensure_permissions_on_etccron.hourly_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.1.4_Ensure_permissions_on_etccron.daily_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.1.5_Ensure_permissions_on_etccron.weekly_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.1.6_Ensure_permissions_on_etccron.monthly_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.1.7_Ensure_permissions_on_etccron.d_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.1.8_Ensure_cron_is_restricted_to_authorized_users:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.1.9_Ensure_at_is_restricted_to_authorized_users:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.2.1_Ensure_sudo_is_installed:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.2.2_Ensure_sudo_commands_use_pty:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.2.3_Ensure_sudo_log_file_exists:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.3.1_Ensure_permissions_on_etcsshsshd_config_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.3.2_Ensure_permissions_on_SSH_private_host_key_files_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.3.3_Ensure_permissions_on_SSH_public_host_key_files_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.3.4_Ensure_SSH_access_is_limited:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.3.5_Ensure_SSH_LogLevel_is_appropriate:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.3.6_Ensure_SSH_X11_forwarding_is_disabled:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.3.7_Ensure_SSH_MaxAuthTries_is_set_to_4_or_less:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.3.8_Ensure_SSH_IgnoreRhosts_is_enabled:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.3.9_Ensure_SSH_HostbasedAuthentication_is_disabled:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.3.10_Ensure_SSH_root_login_is_disabled:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.3.11_Ensure_SSH_PermitEmptyPasswords_is_disabled:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.3.12_Ensure_SSH_PermitUserEnvironment_is_disabled:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.3.13_Ensure_only_strong_Ciphers_are_used:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.3.14_Ensure_only_strong_MAC_algorithms_are_used:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.3.15_Ensure_only_strong_Key_Exchange_algorithms_are_used:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.3.16_Ensure_SSH_Idle_Timeout_Interval_is_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.3.17_Ensure_SSH_LoginGraceTime_is_set_to_one_minute_or_less:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.3.18_Ensure_SSH_warning_banner_is_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.3.19_Ensure_SSH_PAM_is_enabled:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.3.20_Ensure_SSH_AllowTcpForwarding_is_disabled:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.3.21_Ensure_SSH_MaxStartups_is_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.3.22_Ensure_SSH_MaxSessions_is_limited:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.4.1_Ensure_password_creation_requirements_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.4.2_Ensure_lockout_for_failed_password_attempts_is_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.4.3_Ensure_password_hashing_algorithm_is_SHA-512:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.4.4_Ensure_password_reuse_is_limited:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.5.1.1_Ensure_password_expiration_is_365_days_or_less:def:1
- The product sets PASS_MAX_DAYS in /etc/login.defs; however, there is currently no mechanism to enforce the setting for existing users in /etc/shadow.
- oval:simp.cis.3.1.1.OracleLinux7.5.5.1.2_Ensure_minimum_days_between_password_changes_is_configured:def:1
- The product sets PASS_MIN_DAYS in /etc/login.defs; however, there is currently no mechanism to enforce the setting for existing users in /etc/shadow.
- oval:simp.cis.3.1.1.OracleLinux7.5.5.1.3_Ensure_password_expiration_warning_days_is_7_or_more:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.5.1.4_Ensure_inactive_password_lock_is_30_days_or_less:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.5.1.5_Ensure_all_users_last_password_change_date_is_in_the_past:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.5.2_Ensure_system_accounts_are_secured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.5.3_Ensure_default_group_for_the_root_account_is_GID_0:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.5.4_Ensure_default_user_shell_timeout_is_configured:def:1
- *The scanner fails to pick up on the format the product uses for setting the timeout: [ $TMOUT ] || export TMOUT=900. The setting is also set in a nonstandard location: /etc/profile.d/simp.sh.*
- oval:simp.cis.3.1.1.OracleLinux7.5.5.5_Ensure_default_user_umask_is_configured:def:1
- The umask will be set to 027 within /etc/profile.d/simp.sh, however, this check still fails the scan.
- oval:simp.cis.3.1.1.OracleLinux7.5.6_Ensure_root_login_is_restricted_to_system_console:def:1
- oval:simp.cis.3.1.1.OracleLinux7.5.7_Ensure_access_to_the_su_command_is_restricted:def:1
- oval:simp.cis.3.1.1.OracleLinux7.6.1.2_Ensure_permissions_on_etcpasswd_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.6.1.3_Ensure_permissions_on_etcpasswd-_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.6.1.4_Ensure_permissions_on_etcshadow_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.6.1.5_Ensure_permissions_on_etcshadow-_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.6.1.6_Ensure_permissions_on_etcgshadow-_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.6.1.7_Ensure_permissions_on_etcgshadow_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.6.1.8_Ensure_permissions_on_etcgroup_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.6.1.9_Ensure_permissions_on_etcgroup-_are_configured:def:1
- oval:simp.cis.3.1.1.OracleLinux7.6.2.1_Ensure_accounts_in_etcpasswd_use_shadowed_passwords:def:1
- oval:simp.cis.3.1.1.OracleLinux7.6.2.2_Ensure_etcshadow_password_fields_are_not_empty:def:1
- oval:simp.cis.3.1.1.OracleLinux7.6.2.3_Ensure_all_groups_in_etcpasswd_exist_in_etcgroup:def:1
- oval:simp.cis.3.1.1.OracleLinux7.6.2.4_Ensure_shadow_group_is_empty:def:1
- oval:simp.cis.3.1.1.OracleLinux7.6.2.5_Ensure_no_duplicate_user_names_exist:def:1
- oval:simp.cis.3.1.1.OracleLinux7.6.2.6_Ensure_no_duplicate_group_names_exist:def:1
- oval:simp.cis.3.1.1.OracleLinux7.6.2.7_Ensure_no_duplicate_UIDs_exist:def:1
- oval:simp.cis.3.1.1.OracleLinux7.6.2.8_Ensure_no_duplicate_GIDs_exist:def:1
- oval:simp.cis.3.1.1.OracleLinux7.6.2.9_Ensure_root_is_the_only_UID_0_account:def:1
- oval:simp.cis.3.1.1.OracleLinux7.6.2.10_Ensure_root_PATH_Integrity:def:1
- oval:simp.cis.3.1.1.OracleLinux7.6.2.11_Ensure_all_users_home_directories_exist:def:1
- oval:simp.cis.3.1.1.OracleLinux7.6.2.12_Ensure_users_own_their_home_directories:def:1
- oval:simp.cis.3.1.1.OracleLinux7.6.2.13_Ensure_users_home_directories_permissions_are_750_or_more_restrictive:def:1
- oval:simp.cis.3.1.1.OracleLinux7.6.2.14_Ensure_users_dot_files_are_not_group_or_world_writable:def:1
- oval:simp.cis.3.1.1.OracleLinux7.6.2.15Ensure_no_users_have.forward_files:def:1
- oval:simp.cis.3.1.1.OracleLinux7.6.2.16Ensure_no_users_have.netrc_files:def:1
- oval:simp.cis.3.1.1.OracleLinux7.6.2.17Ensure_no_users_have.rhosts_files:def:1
OracleLinux 8 (247/271 [91%])
- oval:simp.cis.2.0.0.OracleLinux8.1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.1.1.2_Ensure_mounting_of_squashfs_filesystems_is_disabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.1.1.3_Ensure_mounting_of_udf_filesystems_is_disabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.1.2.1_Ensure_tmp_is_a_separate_partition:def:1
- /tmp will be configured as a bind mount with the following options: bind,nodev,noexec,nosuid. The test for this rule, however, looks for /tmp in /etc/fstab.
- oval:simp.cis.2.0.0.OracleLinux8.1.1.2.2_Ensure_nodev_option_set_on_tmp_partition:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.1.2.3_Ensure_noexec_option_set_on_tmp_partition:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.1.2.4_Ensure_nosuid_option_set_on_tmp_partition:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.1.3.2_Ensure_nodev_option_set_on_var_partition:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.1.3.3_Ensure_noexec_option_set_on_var_partition:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.1.3.4_Ensure_nosuid_option_set_on_var_partition:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.1.4.2_Ensure_noexec_option_set_on_vartmp_partition:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.1.4.3_Ensure_nosuid_option_set_on_vartmp_partition:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.1.4.4_Ensure_nodev_option_set_on_vartmp_partition:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.1.5.2_Ensure_nodev_option_set_on_varlog_partition:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.1.5.3_Ensure_noexec_option_set_on_varlog_partition:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.1.5.4_Ensure_nosuid_option_set_on_varlog_partition:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.1.6.2_Ensure_noexec_option_set_on_varlogaudit_partition:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.1.6.3_Ensure_nodev_option_set_on_varlogaudit_partition:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.1.6.4_Ensure_nosuid_option_set_on_varlogaudit_partition:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.1.7.2_Ensure_nodev_option_set_on_home_partition:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.1.7.3_Ensure_nosuid_option_set_on_home_partition:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.1.8.1_Ensure_nodev_option_set_on_devshm_partition:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.1.8.2_Ensure_noexec_option_set_on_devshm_partition:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.1.8.3_Ensure_nosuid_option_set_on_devshm_partition:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.1.9_Disable_Automounting:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.1.10_Disable_USB_Storage:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.2.2_Ensure_gpgcheck_is_globally_activated:def:1
- Some organizations will need gpgcheck to be turned off for some of their internal repos; the best the product can do in this scenario is to enable gpgcheck in /etc/yum.conf and rely on customers to control the gpg settings of their individual repos.
- oval:simp.cis.2.0.0.OracleLinux8.1.3.1_Ensure_AIDE_is_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.3.2_Ensure_filesystem_integrity_is_regularly_checked:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.4.1_Ensure_bootloader_password_is_set:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.4.2_Ensure_permissions_on_bootloader_config_are_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.4.3_Ensure_authentication_is_required_when_booting_into_rescue_mode:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.5.1_Ensure_core_dump_storage_is_disabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.5.2_Ensure_core_dump_backtraces_are_disabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.5.3_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.6.1.1_Ensure_SELinux_is_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.6.1.2_Ensure_SELinux_is_not_disabled_in_bootloader_configuration:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.6.1.3_Ensure_SELinux_policy_is_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.6.1.4_Ensure_the_SELinux_mode_is_not_disabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.6.1.5_Ensure_the_SELinux_mode_is_enforcing:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.6.1.7_Ensure_SETroubleshoot_is_not_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.6.1.8_Ensure_the_MCS_Translation_Service_mcstrans_is_not_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.7.1_Ensure_message_of_the_day_is_configured_properly:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.7.2_Ensure_local_login_warning_banner_is_configured_properly:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.7.3_Ensure_remote_login_warning_banner_is_configured_properly:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.7.4_Ensure_permissions_on_etcmotd_are_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.7.5_Ensure_permissions_on_etcissue_are_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.7.6_Ensure_permissions_on_etcissue.net_are_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.8.1_Ensure_GNOME_Display_Manager_is_removed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.8.2_Ensure_GDM_login_banner_is_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.8.3_Ensure_last_logged_in_user_display_is_disabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.8.4_Ensure_XDMCP_is_not_enabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.8.5_Ensure_automatic_mounting_of_removable_media_is_disabled:def:1
- This will remediate the rule as requested; however, the check will still fail because the spacing in the configuration is not aligned as the rule expects.
- oval:simp.cis.2.0.0.OracleLinux8.1.9_Ensure_updates_patches_and_additional_security_software_are_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.1.10_Ensure_system-wide_crypto_policy_is_not_legacy:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.1.1_Ensure_time_synchronization_is_in_use:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.1.2_Ensure_chrony_is_configured:def:1
- We are configuring the system to use ntpd instead of chrony.
- oval:simp.cis.2.0.0.OracleLinux8.2.2.1_Ensure_xinetd_is_not_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.2.2_Ensure_xorg-x11-server-common_is_not_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.2.3_Ensure_Avahi_Server_is_not_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.2.4_Ensure_CUPS_is_not_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.2.5_Ensure_DHCP_Server_is_not_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.2.6_Ensure_DNS_Server_is_not_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.2.7_Ensure_FTP_Server_is_not_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.2.8_Ensure_VSFTP_Server_is_not_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.2.9_Ensure_TFTP_Server_is_not_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.2.10_Ensure_a_web_server_is_not_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.2.11_Ensure_IMAP_and_POP3_server_is_not_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.2.12_Ensure_Samba_is_not_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.2.13_Ensure_HTTP_Proxy_Server_is_not_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.2.14_Ensure_net-snmp_is_not_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.2.15_Ensure_NIS_server_is_not_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.2.16_Ensure_telnet-server_is_not_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.2.17_Ensure_mail_transfer_agent_is_configured_for_local-only_mode:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.2.18_Ensure_nfs-utils_is_not_installed_or_the__nfs-server_service_is_masked:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.2.19_Ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.2.20_Ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.3.1_Ensure_NIS_Client_is_not_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.3.2_Ensure_rsh_client_is_not_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.3.3_Ensure_talk_client_is_not_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.3.4_Ensure_telnet_client_is_not_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.3.5_Ensure_LDAP_client_is_not_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.3.6_Ensure_TFTP_client_is_not_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.2.4_Ensure_nonessential_services_are_removed_or_masked:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.1.1_Verify_if_IPv6_is_enabled_on_the_system:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.1.2_Ensure_SCTP_is_disabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.1.3_Ensure_DCCP_is_disabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.1.4_Ensure_wireless_interfaces_are_disabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.2.1_Ensure_IP_forwarding_is_disabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.2.2_Ensure_packet_redirect_sending_is_disabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.3.1_Ensure_source_routed_packets_are_not_accepted:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.3.2_Ensure_ICMP_redirects_are_not_accepted:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.3.3_Ensure_secure_ICMP_redirects_are_not_accepted:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.3.4_Ensure_suspicious_packets_are_logged:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.3.5_Ensure_broadcast_ICMP_requests_are_ignored:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.3.6_Ensure_bogus_ICMP_responses_are_ignored:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.3.7_Ensure_Reverse_Path_Filtering_is_enabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.3.8_Ensure_TCP_SYN_Cookies_is_enabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.3.9_Ensure_IPv6_router_advertisements_are_not_accepted:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.4.1.1_Ensure_firewalld_is_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.4.1.2_Ensure_iptables-services_not_installed_with_firewalld:def:1
- Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.OracleLinux8.3.4.1.3_Ensure_nftables_either_not_installed_or_masked_with_firewalld:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.4.1.4_Ensure_firewalld_service_enabled_and_running:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.4.1.5_Ensure_firewalld_default_zone_is_set:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.4.1.6_Ensure_network_interfaces_are_assigned_to_appropriate_zone:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.4.1.7_Ensure_firewalld_drops_unnecessary_services_and_ports:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.4.2.1_Ensure_nftables_is_installed:def:1
- Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.OracleLinux8.3.4.2.2_Ensure_firewalld_is_either_not_installed_or_masked_with_nftables:def:1
- Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.OracleLinux8.3.4.2.3_Ensure_iptables-services_not_installed_with_nftables:def:1
- Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.OracleLinux8.3.4.2.4_Ensure_iptables_are_flushed_with_nftables:def:1
- Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.OracleLinux8.3.4.2.5_Ensure_an_nftables_table_exists:def:1
- Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.OracleLinux8.3.4.2.6_Ensure_nftables_base_chains_exist:def:1
- Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.OracleLinux8.3.4.2.7_Ensure_nftables_loopback_traffic_is_configured:def:1
- Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.OracleLinux8.3.4.2.8_Ensure_nftables_outbound_and_established_connections_are_configured:def:1
- Only applies when iptables is used as the firewall provider.
- oval:simp.cis.2.0.0.OracleLinux8.3.4.2.9_Ensure_nftables_default_deny_firewall_policy:def:1
- Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.OracleLinux8.3.4.2.10_Ensure_nftables_service_is_enabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.4.2.11_Ensure_nftables_rules_are_permanent:def:1
- Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.OracleLinux8.3.4.3.1.1_Ensure_iptables_packages_are_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.4.3.1.2_Ensure_nftables_is_not_installed_with_iptables:def:1
- Only applies when iptables is used as the firewall provider.
- oval:simp.cis.2.0.0.OracleLinux8.3.4.3.1.3_Ensure_firewalld_is_either_not_installed_or_masked_with_iptables:def:1
- Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.OracleLinux8.3.4.3.2.1_Ensure_iptables_loopback_traffic_is_configured:def:1
- Only applies when iptables is used as the firewall provider.
- oval:simp.cis.2.0.0.OracleLinux8.3.4.3.2.2_Ensure_iptables_outbound_and_established_connections_are_configured:def:1
- Only applies when iptables is used as the firewall provider.
- oval:simp.cis.2.0.0.OracleLinux8.3.4.3.2.3_Ensure_iptables_rules_exist_for_all_open_ports:def:1
- Only applies when iptables is used as the firewall provider.
- oval:simp.cis.2.0.0.OracleLinux8.3.4.3.2.4_Ensure_iptables_default_deny_firewall_policy:def:1
- Only applies when iptables is used as the firewall provider.
- oval:simp.cis.2.0.0.OracleLinux8.3.4.3.2.5_Ensure_iptables_rules_are_saved:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.4.3.2.6_Ensure_iptables_is_enabled_and_active:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.4.3.3.1_Ensure_ip6tables_loopback_traffic_is_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.4.3.3.2_Ensure_ip6tables_outbound_and_established_connections_are_configured:def:1
- Only applies when iptables is used as the firewall provider.
- oval:simp.cis.2.0.0.OracleLinux8.3.4.3.3.3_Ensure_ip6tables_firewall_rules_exist_for_all_open_ports:def:1
- Only applies when iptables is used as the firewall provider.
- oval:simp.cis.2.0.0.OracleLinux8.3.4.3.3.4_Ensure_ip6tables_default_deny_firewall_policy:def:1
- Only applies when iptables is used as the firewall provider.
- oval:simp.cis.2.0.0.OracleLinux8.3.4.3.3.5_Ensure_ip6tables_rules_are_saved:def:1
- oval:simp.cis.2.0.0.OracleLinux8.3.4.3.3.6_Ensure_ip6tables_is_enabled_and_active:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.1.1_Ensure_auditd_is_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.1.2_Ensure_auditd_service_is_enabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.1.3_Ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.1.4_Ensure_audit_backlog_limit_is_sufficient:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.2.1_Ensure_audit_log_storage_size_is_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.2.2_Ensure_audit_logs_are_not_automatically_deleted:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.2.3_Ensure_system_is_disabled_when_audit_logs_are_full:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.3.1_Ensure_changes_to_system_administration_scope_sudoers_is_collected:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.3.2_Ensure_actions_as_another_user_are_always_logged:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.3.3_Ensure_events_that_modify_the_sudo_log_file_are_collected:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.3.4_Ensure_events_that_modify_date_and_time_information_are_collected:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.3.5_Ensure_events_that_modify_the_systems_network_environment_are_collected:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.3.6_Ensure_use_of_privileged_commands_are_collected:def:1
- The available setuid/setgid commands on a given system could vary greatly. Several of the more common commands are audited, but there is currently no automated way to identify and audit all possible setuid/setgid commands available on any given system.
- oval:simp.cis.2.0.0.OracleLinux8.4.1.3.7_Ensure_unsuccessful_file_access_attempts_are_collected:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.3.8_Ensure_events_that_modify_usergroup_information_are_collected:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.3.9_Ensure_discretionary_access_control_permission_modification_events_are_collected:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.3.10_Ensure_successful_file_system_mounts_are_collected:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.3.11_Ensure_session_initiation_information_is_collected:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.3.12_Ensure_login_and_logout_events_are_collected:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.3.13_Ensure_file_deletion_events_by_users_are_collected:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.3.14_Ensure_events_that_modify_the_systems_Mandatory_Access_Controls_are_collected:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.3.15_Ensure_successful_and_unsuccessful_attempts_to_use_the_chcon_command_are_recorded:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.3.16_Ensure_successful_and_unsuccessful_attempts_to_use_the_setfacl_command_are_recorded:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.3.17_Ensure_successful_and_unsuccessful_attempts_to_use_the_chacl_command_are_recorded:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.3.18_Ensure_successful_and_unsuccessful_attempts_to_use_the_usermod_command_are_recorded:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.3.19_Ensure_kernel_module_loading_unloading_and_modification_is_collected:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.3.20_Ensure_the_audit_configuration_is_immutable:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.1.3.21_Ensure_the_running_and_on_disk_configuration_is_the_same:def:1
- Including the audit class will force the system to check the expected rule set against what is on disk. If there are discrepancies, the rules will be changed to the expected state and the service restarted, which ensures the rules on disk are the same as the running rules.
- oval:simp.cis.2.0.0.OracleLinux8.4.2.1.1_Ensure_rsyslog_is_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.2.1.2_Ensure_rsyslog_service_is_enabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.2.1.4_Ensure_rsyslog_default_file_permissions_are_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.2.1.5_Ensure_logging_is_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.2.1.7_Ensure_rsyslog_is_not_configured_to_receive_logs_from_a_remote_client:def:1
- Including the product’s rsyslog class will purge any rsyslog configuration not specified by the user in hieradata or by other rules that require specific rsyslog configuration.
- oval:simp.cis.2.0.0.OracleLinux8.4.2.2.1.1_Ensure_systemd-journal-remote_is_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.2.2.1.4_Ensure_journald_is_not_configured_to_receive_logs_from_a_remote_client:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.2.2.2_Ensure_journald_service_is_enabled:def:1
- Simply including the journald class will include a default journald configuration and ensure the service is enabled.
- oval:simp.cis.2.0.0.OracleLinux8.4.2.2.3_Ensure_journald_is_configured_to_compress_large_log_files:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.2.2.4_Ensure_journald_is_configured_to_write_logfiles_to_persistent_disk:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.2.2.5_Ensure_journald_is_not_configured_to_send_logs_to_rsyslog:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.2.2.6_Ensure_journald_log_rotation_is_configured_per_site_policy:def:1
- oval:simp.cis.2.0.0.OracleLinux8.4.2.3_Ensure_permissions_on_all_logfiles_are_configured:def:1
- btmp, lastlog, and wtmp will not have any permissions stripped from them. Doing so could cause login issues for users.
- oval:simp.cis.2.0.0.OracleLinux8.4.3_Ensure_logrotate_is_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.1.1_Ensure_cron_daemon_is_enabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.1.2_Ensure_permissions_on_etccrontab_are_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.1.3_Ensure_permissions_on_etccron.hourly_are_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.1.4_Ensure_permissions_on_etccron.daily_are_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.1.5_Ensure_permissions_on_etccron.weekly_are_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.1.6_Ensure_permissions_on_etccron.monthly_are_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.1.7_Ensure_permissions_on_etccron.d_are_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.1.8_Ensure_cron_is_restricted_to_authorized_users:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.1.9_Ensure_at_is_restricted_to_authorized_users:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.2.1_Ensure_permissions_on_etcsshsshd_config_are_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.2.2_Ensure_permissions_on_SSH_private_host_key_files_are_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.2.3_Ensure_permissions_on_SSH_public_host_key_files_are_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.2.5_Ensure_SSH_LogLevel_is_appropriate:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.2.6_Ensure_SSH_PAM_is_enabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.2.7_Ensure_SSH_root_login_is_disabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.2.8_Ensure_SSH_HostbasedAuthentication_is_disabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.2.9_Ensure_SSH_PermitEmptyPasswords_is_disabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.2.10_Ensure_SSH_PermitUserEnvironment_is_disabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.2.11_Ensure_SSH_IgnoreRhosts_is_enabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.2.12_Ensure_SSH_X11_forwarding_is_disabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.2.13_Ensure_SSH_AllowTcpForwarding_is_disabled:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.2.14_Ensure_system-wide_crypto_policy_is_not_over-ridden:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.2.15_Ensure_SSH_warning_banner_is_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.2.16_Ensure_SSH_MaxAuthTries_is_set_to_4_or_less:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.2.17_Ensure_SSH_MaxStartups_is_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.2.18_Ensure_SSH_MaxSessions_is_set_to_10_or_less:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.2.19_Ensure_SSH_LoginGraceTime_is_set_to_one_minute_or_less:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.2.20_Ensure_SSH_Idle_Timeout_Interval_is_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.3.1_Ensure_sudo_is_installed:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.3.2_Ensure_sudo_commands_use_pty:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.3.3_Ensure_sudo_log_file_exists:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.3.6_Ensure_sudo_authentication_timeout_is_configured_correctly:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.3.7_Ensure_access_to_the_su_command_is_restricted:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.4.1_Ensure_custom_authselect_profile_is_used:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.4.2_Ensure_authselect_includes_with-faillock:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.5.1_Ensure_password_creation_requirements_are_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.5.2_Ensure_lockout_for_failed_password_attempts_is_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.5.3_Ensure_password_reuse_is_limited:def:1
- Password reuse will be limited through pam instead of authselect. The product will support authselect in a future release.
- oval:simp.cis.2.0.0.OracleLinux8.5.5.4_Ensure_password_hashing_algorithm_is_SHA-512:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.6.1.1_Ensure_password_expiration_is_365_days_or_less:def:1
- The product sets PASS_MAX_DAYS in /etc/login.defs; however, there is currently no mechanism to enforce the setting for existing users in /etc/shadow.
- oval:simp.cis.2.0.0.OracleLinux8.5.6.1.2_Ensure_minimum_days_between_password_changes_is_7_or_more:def:1
- The PASS_MIN_DAYS value in /etc/login.defs will be set to 7 as requested, however, the product has no mechanism to change this value on all existing users.
- oval:simp.cis.2.0.0.OracleLinux8.5.6.1.3_Ensure_password_expiration_warning_days_is_7_or_more:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.6.1.4_Ensure_inactive_password_lock_is_30_days_or_less:def:1
- The system will be configured to make accounts inactive after 30 days of inactivity, however, the product has no mechanism to change this value on existing users.
- oval:simp.cis.2.0.0.OracleLinux8.5.6.1.5_Ensure_all_users_last_password_change_date_is_in_the_past:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.6.2_Ensure_system_accounts_are_secured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.6.3_Ensure_default_user_shell_timeout_is_900_seconds_or_less:def:1
- *The scanner fails to pick up on the format the product uses for setting the timeout: [ $TMOUT ] || export TMOUT=900. The setting is also set in a nonstandard location: /etc/profile.d/simp.sh.*
- oval:simp.cis.2.0.0.OracleLinux8.5.6.4_Ensure_default_group_for_the_root_account_is_GID_0:def:1
- oval:simp.cis.2.0.0.OracleLinux8.5.6.5_Ensure_default_user_umask_is_027_or_more_restrictive:def:1
- The umask will be set to 027 within /etc/profile.d/simp.sh, however, this check still fails the scan.
- oval:simp.cis.2.0.0.OracleLinux8.6.1.2_Ensure_sticky_bit_is_set_on_all_world-writable_directories:def:1
- oval:simp.cis.2.0.0.OracleLinux8.6.1.3_Ensure_permissions_on_etcpasswd_are_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.6.1.4_Ensure_permissions_on_etcshadow_are_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.6.1.5_Ensure_permissions_on_etcgroup_are_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.6.1.6_Ensure_permissions_on_etcgshadow_are_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.6.1.7_Ensure_permissions_on_etcpasswd-_are_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.6.1.8_Ensure_permissions_on_etcshadow-_are_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.6.1.9_Ensure_permissions_on_etcgroup-_are_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.6.1.10_Ensure_permissions_on_etcgshadow-_are_configured:def:1
- oval:simp.cis.2.0.0.OracleLinux8.6.2.1_Ensure_password_fields_are_not_empty:def:1
- oval:simp.cis.2.0.0.OracleLinux8.6.2.2_Ensure_all_groups_in_etcpasswd_exist_in_etcgroup:def:1
- oval:simp.cis.2.0.0.OracleLinux8.6.2.3_Ensure_no_duplicate_UIDs_exist:def:1
- oval:simp.cis.2.0.0.OracleLinux8.6.2.4_Ensure_no_duplicate_GIDs_exist:def:1
- oval:simp.cis.2.0.0.OracleLinux8.6.2.5_Ensure_no_duplicate_user_names_exist:def:1
- oval:simp.cis.2.0.0.OracleLinux8.6.2.6_Ensure_no_duplicate_group_names_exist:def:1
- oval:simp.cis.2.0.0.OracleLinux8.6.2.7_Ensure_root_PATH_Integrity:def:1
- oval:simp.cis.2.0.0.OracleLinux8.6.2.8_Ensure_root_is_the_only_UID_0_account:def:1
- oval:simp.cis.2.0.0.OracleLinux8.6.2.9_Ensure_all_users_home_directories_exist:def:1
- oval:simp.cis.2.0.0.OracleLinux8.6.2.10_Ensure_users_own_their_home_directories:def:1
- oval:simp.cis.2.0.0.OracleLinux8.6.2.11_Ensure_users_home_directories_permissions_are_750_or_more_restrictive:def:1
- oval:simp.cis.2.0.0.OracleLinux8.6.2.12_Ensure_users_dot_files_are_not_group_or_world_writable:def:1
- oval:simp.cis.2.0.0.OracleLinux8.6.2.13Ensure_users.netrc_Files_are_not_group_or_world_accessible:def:1
- oval:simp.cis.2.0.0.OracleLinux8.6.2.14Ensure_no_users_have.forward_files:def:1
- oval:simp.cis.2.0.0.OracleLinux8.6.2.15Ensure_no_users_have.netrc_files:def:1
- oval:simp.cis.2.0.0.OracleLinux8.6.2.16Ensure_no_users_have.rhosts_files:def:1
RedHat 7 (233/248 [93%])
- oval:simp.cis.3.1.1.RedHat7.1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabled:def:1
- oval:simp.cis.3.1.1.RedHat7.1.1.1.2_Ensure_mounting_of_squashfs_filesystems_is_disabled:def:1
- oval:simp.cis.3.1.1.RedHat7.1.1.1.3_Ensure_mounting_of_udf_filesystems_is_disabled:def:1
- oval:simp.cis.3.1.1.RedHat7.1.1.2_Ensure_tmp_is_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.1.1.3_Ensure_noexec_option_set_on_tmp_partition:def:1
- oval:simp.cis.3.1.1.RedHat7.1.1.4_Ensure_nodev_option_set_on_tmp_partition:def:1
- oval:simp.cis.3.1.1.RedHat7.1.1.5_Ensure_nosuid_option_set_on_tmp_partition:def:1
- oval:simp.cis.3.1.1.RedHat7.1.1.6_Ensure_devshm_is_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.1.1.7_Ensure_noexec_option_set_on_devshm_partition:def:1
- oval:simp.cis.3.1.1.RedHat7.1.1.8_Ensure_nodev_option_set_on_devshm_partition:def:1
- oval:simp.cis.3.1.1.RedHat7.1.1.9_Ensure_nosuid_option_set_on_devshm_partition:def:1
- oval:simp.cis.3.1.1.RedHat7.1.1.12_Ensure_vartmp_partition_includes_the_noexec_option:def:1
- oval:simp.cis.3.1.1.RedHat7.1.1.13_Ensure_vartmp_partition_includes_the_nodev_option:def:1
- oval:simp.cis.3.1.1.RedHat7.1.1.14_Ensure_vartmp_partition_includes_the_nosuid_option:def:1
- oval:simp.cis.3.1.1.RedHat7.1.1.18_Ensure_home_partition_includes_the_nodev_option:def:1
- oval:simp.cis.3.1.1.RedHat7.1.1.19_Ensure_removable_media_partitions_include_noexec_option:def:1
- oval:simp.cis.3.1.1.RedHat7.1.1.20_Ensure_nodev_option_set_on_removable_media_partitions:def:1
- oval:simp.cis.3.1.1.RedHat7.1.1.21_Ensure_nosuid_option_set_on_removable_media_partitions:def:1
- oval:simp.cis.3.1.1.RedHat7.1.1.22_Ensure_sticky_bit_is_set_on_all_world-writable_directories:def:1
- oval:simp.cis.3.1.1.RedHat7.1.1.23_Disable_Automounting:def:1
- oval:simp.cis.3.1.1.RedHat7.1.1.24_Disable_USB_Storage:def:1
- oval:simp.cis.3.1.1.RedHat7.1.2.1_Ensure_GPG_keys_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.1.2.3_Ensure_gpgcheck_is_globally_activated:def:1
- oval:simp.cis.3.1.1.RedHat7.1.2.5_Disable_the_rhnsd_Daemon:def:1
- rhnsd should only be disabled if it is not in use.
- oval:simp.cis.3.1.1.RedHat7.1.3.1_Ensure_AIDE_is_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.1.3.2_Ensure_filesystem_integrity_is_regularly_checked:def:1
- oval:simp.cis.3.1.1.RedHat7.1.4.1_Ensure_bootloader_password_is_set:def:1
- oval:simp.cis.3.1.1.RedHat7.1.4.2_Ensure_permissions_on_bootloader_config_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.1.4.3_Ensure_authentication_required_for_single_user_mode:def:1
- oval:simp.cis.3.1.1.RedHat7.1.5.1_Ensure_core_dumps_are_restricted:def:1
- oval:simp.cis.3.1.1.RedHat7.1.5.3_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1
- oval:simp.cis.3.1.1.RedHat7.1.5.4_Ensure_prelink_is_not_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.1.6.1.1_Ensure_SELinux_is_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.1.6.1.2_Ensure_SELinux_is_not_disabled_in_bootloader_configuration:def:1
- oval:simp.cis.3.1.1.RedHat7.1.6.1.3_Ensure_SELinux_policy_is_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.1.6.1.4_Ensure_the_SELinux_mode_is_enforcing_or_permissive:def:1
- oval:simp.cis.3.1.1.RedHat7.1.6.1.5_Ensure_the_SELinux_mode_is_enforcing:def:1
- oval:simp.cis.3.1.1.RedHat7.1.6.1.7_Ensure_SETroubleshoot_is_not_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.1.6.1.8_Ensure_the_MCS_Translation_Service_mcstrans_is_not_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.1.7.1_Ensure_message_of_the_day_is_configured_properly:def:1
- oval:simp.cis.3.1.1.RedHat7.1.7.2_Ensure_local_login_warning_banner_is_configured_properly:def:1
- oval:simp.cis.3.1.1.RedHat7.1.7.3_Ensure_remote_login_warning_banner_is_configured_properly:def:1
- oval:simp.cis.3.1.1.RedHat7.1.7.4_Ensure_permissions_on_etcmotd_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.1.7.5_Ensure_permissions_on_etcissue_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.1.7.6_Ensure_permissions_on_etcissue.net_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.1.8.1_Ensure_GNOME_Display_Manager_is_removed:def:1
- oval:simp.cis.3.1.1.RedHat7.1.8.2_Ensure_GDM_login_banner_is_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.1.8.3_Ensure_last_logged_in_user_display_is_disabled:def:1
- oval:simp.cis.3.1.1.RedHat7.1.8.4_Ensure_XDCMP_is_not_enabled:def:1
- oval:simp.cis.3.1.1.RedHat7.1.9_Ensure_updates_patches_and_additional_security_software_are_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.2.1.1_Ensure_xinetd_is_not_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.2.2.1.1_Ensure_time_synchronization_is_in_use:def:1
- oval:simp.cis.3.1.1.RedHat7.2.2.1.2_Ensure_chrony_is_configured:def:1
- We are configuring the system to use ntpd instead of chrony.
- oval:simp.cis.3.1.1.RedHat7.2.2.1.3_Ensure_ntp_is_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.2.2.2_Ensure_X11_Server_components_are_not_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.2.2.3_Ensure_Avahi_Server_is_not_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.2.2.4_Ensure_CUPS_is_not_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.2.2.5_Ensure_DHCP_Server_is_not_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.2.2.6_Ensure_LDAP_server_is_not_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.2.2.7_Ensure_DNS_Server_is_not_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.2.2.8_Ensure_FTP_Server_is_not_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.2.2.9_Ensure_HTTP_server_is_not_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.2.2.10_Ensure_IMAP_and_POP3_server_is_not_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.2.2.11_Ensure_Samba_is_not_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.2.2.12_Ensure_HTTP_Proxy_Server_is_not_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.2.2.13_Ensure_net-snmp_is_not_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.2.2.14_Ensure_NIS_server_is_not_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.2.2.15_Ensure_telnet-server_is_not_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.2.2.16_Ensure_mail_transfer_agent_is_configured_for_local-only_mode:def:1
- oval:simp.cis.3.1.1.RedHat7.2.2.17_Ensure_nfs-utils_is_not_installed_or_the__nfs-server_service_is_masked:def:1
- oval:simp.cis.3.1.1.RedHat7.2.2.18_Ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked:def:1
- oval:simp.cis.3.1.1.RedHat7.2.2.19_Ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked:def:1
- oval:simp.cis.3.1.1.RedHat7.2.3.1_Ensure_NIS_Client_is_not_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.2.3.2_Ensure_rsh_client_is_not_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.2.3.3_Ensure_talk_client_is_not_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.2.3.4_Ensure_telnet_client_is_not_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.2.3.5_Ensure_LDAP_client_is_not_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.2.4_Ensure_nonessential_services_are_removed_or_masked:def:1
- oval:simp.cis.3.1.1.RedHat7.3.1.1_Disable_IPv6:def:1
- oval:simp.cis.3.1.1.RedHat7.3.1.2_Ensure_wireless_interfaces_are_disabled:def:1
- oval:simp.cis.3.1.1.RedHat7.3.2.1_Ensure_IP_forwarding_is_disabled:def:1
- oval:simp.cis.3.1.1.RedHat7.3.2.2_Ensure_packet_redirect_sending_is_disabled:def:1
- oval:simp.cis.3.1.1.RedHat7.3.3.1_Ensure_source_routed_packets_are_not_accepted:def:1
- oval:simp.cis.3.1.1.RedHat7.3.3.2_Ensure_ICMP_redirects_are_not_accepted:def:1
- oval:simp.cis.3.1.1.RedHat7.3.3.3_Ensure_secure_ICMP_redirects_are_not_accepted:def:1
- oval:simp.cis.3.1.1.RedHat7.3.3.4_Ensure_suspicious_packets_are_logged:def:1
- oval:simp.cis.3.1.1.RedHat7.3.3.5_Ensure_broadcast_ICMP_requests_are_ignored:def:1
- oval:simp.cis.3.1.1.RedHat7.3.3.6_Ensure_bogus_ICMP_responses_are_ignored:def:1
- oval:simp.cis.3.1.1.RedHat7.3.3.7_Ensure_Reverse_Path_Filtering_is_enabled:def:1
- oval:simp.cis.3.1.1.RedHat7.3.3.8_Ensure_TCP_SYN_Cookies_is_enabled:def:1
- oval:simp.cis.3.1.1.RedHat7.3.3.9_Ensure_IPv6_router_advertisements_are_not_accepted:def:1
- oval:simp.cis.3.1.1.RedHat7.3.4.1_Ensure_DCCP_is_disabled:def:1
- oval:simp.cis.3.1.1.RedHat7.3.4.2_Ensure_SCTP_is_disabled:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.1.1_Ensure_firewalld_is_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.1.2_Ensure_iptables-services_not_installed_with_firewalld:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.1.3_Ensure_nftables_either_not_installed_or_masked_with_firewalld:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.1.4_Ensure_firewalld_service_enabled_and_running:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.1.5_Ensure_firewalld_default_zone_is_set:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.1.6_Ensure_network_interfaces_are_assigned_to_appropriate_zone:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.1.7_Ensure_firewalld_drops_unnecessary_services_and_ports:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.2.1_Ensure_nftables_is_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.2.2_Ensure_firewalld_is_either_not_installed_or_masked_with_nftables:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.2.3_Ensure_iptables-services_not_installed_with_nftables:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.2.4_Ensure_iptables_are_flushed_with_nftables:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.2.5_Ensure_an_nftables_table_exists:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.2.6_Ensure_nftables_base_chains_exist:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.2.7_Ensure_nftables_loopback_traffic_is_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.2.8_Ensure_nftables_outbound_and_established_connections_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.2.9_Ensure_nftables_default_deny_firewall_policy:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.2.10_Ensure_nftables_service_is_enabled:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.2.11_Ensure_nftables_rules_are_permanent:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.3.1.1_Ensure_iptables_packages_are_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.3.1.2_Ensure_nftables_is_not_installed_with_iptables:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.3.1.3_Ensure_firewalld_is_either_not_installed_or_masked_with_iptables:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.3.2.1_Ensure_iptables_loopback_traffic_is_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.3.2.2_Ensure_iptables_outbound_and_established_connections_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.3.2.3_Ensure_iptables_rules_exist_for_all_open_ports:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.3.2.4_Ensure_iptables_default_deny_firewall_policy:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.3.2.5_Ensure_iptables_rules_are_saved:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.3.2.6_Ensure_iptables_is_enabled_and_running:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.3.3.1_Ensure_ip6tables_loopback_traffic_is_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.3.3.2_Ensure_ip6tables_outbound_and_established_connections_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.3.3.3_Ensure_ip6tables_firewall_rules_exist_for_all_open_ports:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.3.3.4_Ensure_ip6tables_default_deny_firewall_policy:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.3.3.5_Ensure_ip6tables_rules_are_saved:def:1
- oval:simp.cis.3.1.1.RedHat7.3.5.3.3.6_Ensure_ip6tables_is_enabled_and_running:def:1
- oval:simp.cis.3.1.1.RedHat7.4.1.1.1_Ensure_auditd_is_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.4.1.1.2_Ensure_auditd_service_is_enabled_and_running:def:1
- oval:simp.cis.3.1.1.RedHat7.4.1.1.3_Ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled:def:1
- oval:simp.cis.3.1.1.RedHat7.4.1.2.1_Ensure_audit_log_storage_size_is_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.4.1.2.2_Ensure_audit_logs_are_not_automatically_deleted:def:1
- oval:simp.cis.3.1.1.RedHat7.4.1.2.3_Ensure_system_is_disabled_when_audit_logs_are_full:def:1
- oval:simp.cis.3.1.1.RedHat7.4.1.2.4_Ensure_audit_backlog_limit_is_sufficient:def:1
- oval:simp.cis.3.1.1.RedHat7.4.1.3_Ensure_events_that_modify_date_and_time_information_are_collected:def:1
- oval:simp.cis.3.1.1.RedHat7.4.1.4_Ensure_events_that_modify_usergroup_information_are_collected:def:1
- oval:simp.cis.3.1.1.RedHat7.4.1.5_Ensure_events_that_modify_the_systems_network_environment_are_collected:def:1
- oval:simp.cis.3.1.1.RedHat7.4.1.6_Ensure_events_that_modify_the_systems_Mandatory_Access_Controls_are_collected:def:1
- oval:simp.cis.3.1.1.RedHat7.4.1.7_Ensure_login_and_logout_events_are_collected:def:1
- oval:simp.cis.3.1.1.RedHat7.4.1.8_Ensure_session_initiation_information_is_collected:def:1
- oval:simp.cis.3.1.1.RedHat7.4.1.9_Ensure_discretionary_access_control_permission_modification_events_are_collected:def:1
- oval:simp.cis.3.1.1.RedHat7.4.1.10_Ensure_unsuccessful_unauthorized_file_access_attempts_are_collected:def:1
- oval:simp.cis.3.1.1.RedHat7.4.1.11_Ensure_use_of_privileged_commands_is_collected:def:1
- The available setuid/setgid commands on a given system could vary greatly. Several of the more common commands are audited, but there is currently no automated way to identify and audit all possible setuid/setgid commands available on any given system.
- oval:simp.cis.3.1.1.RedHat7.4.1.12_Ensure_successful_file_system_mounts_are_collected:def:1
- oval:simp.cis.3.1.1.RedHat7.4.1.13_Ensure_file_deletion_events_by_users_are_collected:def:1
- oval:simp.cis.3.1.1.RedHat7.4.1.14_Ensure_changes_to_system_administration_scope_sudoers_is_collected:def:1
- oval:simp.cis.3.1.1.RedHat7.4.1.15_Ensure_system_administrator_command_executions_sudo_are_collected:def:1
- oval:simp.cis.3.1.1.RedHat7.4.1.16_Ensure_kernel_module_loading_and_unloading_is_collected:def:1
- oval:simp.cis.3.1.1.RedHat7.4.1.17_Ensure_the_audit_configuration_is_immutable:def:1
- oval:simp.cis.3.1.1.RedHat7.4.2.1.1_Ensure_rsyslog_is_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.4.2.1.2_Ensure_rsyslog_Service_is_enabled_and_running:def:1
- oval:simp.cis.3.1.1.RedHat7.4.2.1.3_Ensure_rsyslog_default_file_permissions_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.4.2.1.4_Ensure_logging_is_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.4.2.1.5_Ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host:def:1
- oval:simp.cis.3.1.1.RedHat7.4.2.1.6_Ensure_remote_rsyslog_messages_are_only_accepted_on_designated_log_hosts.:def:1
- oval:simp.cis.3.1.1.RedHat7.4.2.2.1_Ensure_journald_is_configured_to_send_logs_to_rsyslog:def:1
- oval:simp.cis.3.1.1.RedHat7.4.2.2.2_Ensure_journald_is_configured_to_compress_large_log_files:def:1
- oval:simp.cis.3.1.1.RedHat7.4.2.2.3_Ensure_journald_is_configured_to_write_logfiles_to_persistent_disk:def:1
- oval:simp.cis.3.1.1.RedHat7.4.2.3_Ensure_permissions_on_all_logfiles_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.4.2.4_Ensure_logrotate_is_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.5.1.1_Ensure_cron_daemon_is_enabled_and_running:def:1
- oval:simp.cis.3.1.1.RedHat7.5.1.2_Ensure_permissions_on_etccrontab_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.5.1.3_Ensure_permissions_on_etccron.hourly_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.5.1.4_Ensure_permissions_on_etccron.daily_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.5.1.5_Ensure_permissions_on_etccron.weekly_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.5.1.6_Ensure_permissions_on_etccron.monthly_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.5.1.7_Ensure_permissions_on_etccron.d_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.5.1.8_Ensure_cron_is_restricted_to_authorized_users:def:1
- oval:simp.cis.3.1.1.RedHat7.5.1.9_Ensure_at_is_restricted_to_authorized_users:def:1
- oval:simp.cis.3.1.1.RedHat7.5.2.1_Ensure_sudo_is_installed:def:1
- oval:simp.cis.3.1.1.RedHat7.5.2.2_Ensure_sudo_commands_use_pty:def:1
- oval:simp.cis.3.1.1.RedHat7.5.2.3_Ensure_sudo_log_file_exists:def:1
- oval:simp.cis.3.1.1.RedHat7.5.3.1_Ensure_permissions_on_etcsshsshd_config_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.5.3.2_Ensure_permissions_on_SSH_private_host_key_files_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.5.3.3_Ensure_permissions_on_SSH_public_host_key_files_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.5.3.4_Ensure_SSH_access_is_limited:def:1
- oval:simp.cis.3.1.1.RedHat7.5.3.5_Ensure_SSH_LogLevel_is_appropriate:def:1
- oval:simp.cis.3.1.1.RedHat7.5.3.6_Ensure_SSH_X11_forwarding_is_disabled:def:1
- oval:simp.cis.3.1.1.RedHat7.5.3.7_Ensure_SSH_MaxAuthTries_is_set_to_4_or_less:def:1
- oval:simp.cis.3.1.1.RedHat7.5.3.8_Ensure_SSH_IgnoreRhosts_is_enabled:def:1
- oval:simp.cis.3.1.1.RedHat7.5.3.9_Ensure_SSH_HostbasedAuthentication_is_disabled:def:1
- oval:simp.cis.3.1.1.RedHat7.5.3.10_Ensure_SSH_root_login_is_disabled:def:1
- oval:simp.cis.3.1.1.RedHat7.5.3.11_Ensure_SSH_PermitEmptyPasswords_is_disabled:def:1
- oval:simp.cis.3.1.1.RedHat7.5.3.12_Ensure_SSH_PermitUserEnvironment_is_disabled:def:1
- oval:simp.cis.3.1.1.RedHat7.5.3.13_Ensure_only_strong_Ciphers_are_used:def:1
- oval:simp.cis.3.1.1.RedHat7.5.3.14_Ensure_only_strong_MAC_algorithms_are_used:def:1
- oval:simp.cis.3.1.1.RedHat7.5.3.15_Ensure_only_strong_Key_Exchange_algorithms_are_used:def:1
- oval:simp.cis.3.1.1.RedHat7.5.3.16_Ensure_SSH_Idle_Timeout_Interval_is_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.5.3.17_Ensure_SSH_LoginGraceTime_is_set_to_one_minute_or_less:def:1
- oval:simp.cis.3.1.1.RedHat7.5.3.18_Ensure_SSH_warning_banner_is_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.5.3.19_Ensure_SSH_PAM_is_enabled:def:1
- oval:simp.cis.3.1.1.RedHat7.5.3.20_Ensure_SSH_AllowTcpForwarding_is_disabled:def:1
- oval:simp.cis.3.1.1.RedHat7.5.3.21_Ensure_SSH_MaxStartups_is_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.5.3.22_Ensure_SSH_MaxSessions_is_limited:def:1
- oval:simp.cis.3.1.1.RedHat7.5.4.1_Ensure_password_creation_requirements_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.5.4.2_Ensure_lockout_for_failed_password_attempts_is_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.5.4.3_Ensure_password_hashing_algorithm_is_SHA-512:def:1
- oval:simp.cis.3.1.1.RedHat7.5.4.4_Ensure_password_reuse_is_limited:def:1
- oval:simp.cis.3.1.1.RedHat7.5.5.1.1_Ensure_password_expiration_is_365_days_or_less:def:1
- The product sets PASS_MAX_DAYS in /etc/login.defs, which only applies to accounts created after the change; there is currently no mechanism to enforce the setting for existing users, whose aging fields already live in /etc/shadow.
- oval:simp.cis.3.1.1.RedHat7.5.5.1.2_Ensure_minimum_days_between_password_changes_is_configured:def:1
- The product sets PASS_MIN_DAYS in /etc/login.defs, which only applies to accounts created after the change; there is currently no mechanism to enforce the setting for existing users, whose aging fields already live in /etc/shadow.
- oval:simp.cis.3.1.1.RedHat7.5.5.1.3_Ensure_password_expiration_warning_days_is_7_or_more:def:1
- oval:simp.cis.3.1.1.RedHat7.5.5.1.4_Ensure_inactive_password_lock_is_30_days_or_less:def:1
- oval:simp.cis.3.1.1.RedHat7.5.5.1.5_Ensure_all_users_last_password_change_date_is_in_the_past:def:1
- oval:simp.cis.3.1.1.RedHat7.5.5.2_Ensure_system_accounts_are_secured:def:1
- oval:simp.cis.3.1.1.RedHat7.5.5.3_Ensure_default_group_for_the_root_account_is_GID_0:def:1
- oval:simp.cis.3.1.1.RedHat7.5.5.4_Ensure_default_user_shell_timeout_is_configured:def:1
- The scanner does not recognise the form the product uses to set the timeout, `[ $TMOUT ] || export TMOUT=900`, and the setting lives in a nonstandard location, /etc/profile.d/simp.sh.
- oval:simp.cis.3.1.1.RedHat7.5.5.5_Ensure_default_user_umask_is_configured:def:1
- The umask is set to 027 in /etc/profile.d/simp.sh; however, this check still fails the scan.
- oval:simp.cis.3.1.1.RedHat7.5.6_Ensure_root_login_is_restricted_to_system_console:def:1
- oval:simp.cis.3.1.1.RedHat7.5.7_Ensure_access_to_the_su_command_is_restricted:def:1
- oval:simp.cis.3.1.1.RedHat7.6.1.2_Ensure_permissions_on_etcpasswd_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.6.1.3_Ensure_permissions_on_etcpasswd-_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.6.1.4_Ensure_permissions_on_etcshadow_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.6.1.5_Ensure_permissions_on_etcshadow-_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.6.1.6_Ensure_permissions_on_etcgshadow-_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.6.1.7_Ensure_permissions_on_etcgshadow_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.6.1.8_Ensure_permissions_on_etcgroup_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.6.1.9_Ensure_permissions_on_etcgroup-_are_configured:def:1
- oval:simp.cis.3.1.1.RedHat7.6.2.1_Ensure_accounts_in_etcpasswd_use_shadowed_passwords:def:1
- oval:simp.cis.3.1.1.RedHat7.6.2.2_Ensure_etcshadow_password_fields_are_not_empty:def:1
- oval:simp.cis.3.1.1.RedHat7.6.2.3_Ensure_all_groups_in_etcpasswd_exist_in_etcgroup:def:1
- oval:simp.cis.3.1.1.RedHat7.6.2.4_Ensure_shadow_group_is_empty:def:1
- oval:simp.cis.3.1.1.RedHat7.6.2.5_Ensure_no_duplicate_user_names_exist:def:1
- oval:simp.cis.3.1.1.RedHat7.6.2.6_Ensure_no_duplicate_group_names_exist:def:1
- oval:simp.cis.3.1.1.RedHat7.6.2.7_Ensure_no_duplicate_UIDs_exist:def:1
- oval:simp.cis.3.1.1.RedHat7.6.2.8_Ensure_no_duplicate_GIDs_exist:def:1
- oval:simp.cis.3.1.1.RedHat7.6.2.9_Ensure_root_is_the_only_UID_0_account:def:1
- oval:simp.cis.3.1.1.RedHat7.6.2.10_Ensure_root_PATH_Integrity:def:1
- oval:simp.cis.3.1.1.RedHat7.6.2.11_Ensure_all_users_home_directories_exist:def:1
- oval:simp.cis.3.1.1.RedHat7.6.2.12_Ensure_users_own_their_home_directories:def:1
- oval:simp.cis.3.1.1.RedHat7.6.2.13_Ensure_users_home_directories_permissions_are_750_or_more_restrictive:def:1
- oval:simp.cis.3.1.1.RedHat7.6.2.14_Ensure_users_dot_files_are_not_group_or_world_writable:def:1
- oval:simp.cis.3.1.1.RedHat7.6.2.15Ensure_no_users_have.forward_files:def:1
- oval:simp.cis.3.1.1.RedHat7.6.2.16Ensure_no_users_have.netrc_files:def:1
- oval:simp.cis.3.1.1.RedHat7.6.2.17Ensure_no_users_have.rhosts_files:def:1
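The tmp and devshm option rules above (1.1.2 to 1.1.9) and the RedHat 8 note on 1.1.2.1 below, where /tmp is a bind mount that the fstab-based test cannot see, come down to one question: which options is the path mounted with right now? The shell below is an added example, not SIMP's code, that answers it from the live mount table (/proc/self/mounts on a host; passed here as a file path so a saved copy can be checked offline) and names each required option that is missing.

```shell
#!/bin/sh
# Added example (not SIMP's code): judge mount options by the live mount table,
# not by /etc/fstab, so a bind mount set up outside fstab still counts.
# MOUNTS_FILE is normally /proc/self/mounts; a saved copy works for offline review.

# Print the option string for MOUNTPOINT. With stacked mounts the last entry is
# the one in effect, so the last match wins. Prints nothing if not mounted.
mount_options() {   # MOUNTS_FILE MOUNTPOINT
    awk -v mp="$2" '$2 == mp { opts = $4 } END { if (opts != "") print opts }' "$1"
}

# Print "missing <opt>" for each required option that is absent.
# Returns 0 only when MOUNTPOINT is mounted with every option listed.
missing_mount_options() {   # MOUNTS_FILE MOUNTPOINT OPTION...
    opts="$(mount_options "$1" "$2")"
    if [ -z "$opts" ]; then
        printf 'not a mount point: %s\n' "$2"
        return 1
    fi
    shift 2
    rc=0
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) printf 'missing %s\n' "$want"; rc=1 ;;
        esac
    done
    return "$rc"
}

# On a live host:  missing_mount_options /proc/self/mounts /tmp nodev noexec nosuid
```

A bind mount of a directory onto /tmp appears in the mount table with the same source device as the filesystem it came from, not with a `bind` option, which is why the check looks only at the options column of the entry for the target path.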
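The RedHat 8 note on 1.2.3 below points out that the product can enable gpgcheck in /etc/yum.conf but cannot control the per-repository setting, which overrides the global one; rule 1.2.3 above has the same shape on RedHat 7. The shell below is an added example, not SIMP's code, that reads the global value and every repository section and lists the repositories whose effective gpgcheck is not 1, together with where the value came from. One assumption: when [main] has no gpgcheck at all it is treated as 0, yum's historical default. The configuration files in the usage are constructed samples.

```shell
#!/bin/sh
# Added example (not SIMP's code): list repositories whose effective gpgcheck is
# off. A repo section's own gpgcheck overrides the [main] value in yum.conf, so
# enabling it globally is not enough; the per-repo files must be reviewed too.
# Assumption: a missing [main] gpgcheck is treated as 0, yum's historical default.

# Print KEY from INI section SECTION of FILE (empty if unset); whitespace around "=" is ignored.
ini_value() {   # FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { in_sec = 1; next }
        /^\[/     { in_sec = 0 }
        in_sec && ($0 ~ ("^[ \t]*" key "[ \t]*=")) {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }' "$1"
}

# For each [repo] section in the given .repo files, print
# "<repo> gpgcheck=<value> (<source>)" whenever the effective value is not 1.
unverified_repos() {   # YUM_CONF REPO_FILE...
    conf="$1"; shift
    global="$(ini_value "$conf" main gpgcheck)"
    for f in "$@"; do
        awk -v global="${global:-0}" -v file="$f" '
            function flush() {
                if (repo == "") return
                eff = have ? val : global
                src = have ? file : "inherited from [main]"
                if (eff + 0 != 1) printf "%s gpgcheck=%s (%s)\n", repo, eff, src
            }
            /^\[/ { flush(); repo = substr($0, 2, length($0) - 2); have = 0; val = ""; next }
            /^[ \t]*gpgcheck[ \t]*=/ { have = 1; sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); val = $0 }
            END { flush() }
        ' "$f"
    done
}

# On a live host:  unverified_repos /etc/yum.conf /etc/yum.repos.d/*.repo
```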
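The note on 4.1.11 above says there is no automated way to enumerate and audit every setuid/setgid command on a given system. The shell below is an added example, not SIMP's or CIS's code, of closing that gap: it lists the privileged binaries actually present on a filesystem, emits one auditd rule per binary, and reports binaries that have no loaded rule yet. The rules-file path in the usage line, the `privileged` key and the `auid>=1000` threshold are assumptions in the benchmark's usual style; adjust the threshold for a site whose UID_MIN differs.

```shell
#!/bin/sh
# Added example (not SIMP's or CIS's code): generate auditd rules for every
# setuid/setgid executable actually present on a filesystem. Assumed conventions:
# key name "privileged", real users are auid>=1000, rules file path in the usage line.

# List setuid/setgid regular files under ROOT (default "/") without crossing
# into other filesystems; sorted so two runs are diffable.
find_privileged_commands() {   # [ROOT]
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# One audit rule per binary: record every execution by a real (non-system) user.
audit_rule_for() {   # PATH
    printf '%s\n' "-a always,exit -F path=$1 -F perm=x -F auid>=1000 -F auid!=unset -k privileged"
}

# Emit a complete rules file for ROOT.
generate_privileged_rules() {   # [ROOT]
    find_privileged_commands "$1" | while IFS= read -r path; do
        audit_rule_for "$path"
    done
}

# Read the currently loaded rules on stdin (e.g. from `auditctl -l`) and print
# every privileged binary on ROOT that has no path= rule yet.
missing_privileged_rules() {   # [ROOT]   (rules on stdin)
    loaded="$(cat)"
    find_privileged_commands "$1" | while IFS= read -r path; do
        case "$loaded" in
            *"path=$path "*) ;;                # already watched
            *) printf '%s\n' "$path" ;;
        esac
    done
}

# Typical use on a host (as root):
#   generate_privileged_rules / > /etc/audit/rules.d/50-privileged.rules && augenrules --load
#   auditctl -l | missing_privileged_rules /    # prints nothing once everything is covered
```

Regenerate after package installs and upgrades: a new setuid binary dropped by a package is exactly the case the static list in the product cannot anticipate, and the second command is a cheap drift check for it.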
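The notes on 5.5.1.1 and 5.5.1.2 above explain that PASS_MAX_DAYS and PASS_MIN_DAYS in /etc/login.defs only seed new accounts. The shell below is an added example, not SIMP's code, that compares the aging fields of a shadow file against login.defs and prints the chage commands that would bring existing accounts in line. Both files are passed as paths so the check can run against copies; the data in the usage is constructed.

```shell
#!/bin/sh
# Added example (not SIMP's code): PASS_MAX_DAYS / PASS_MIN_DAYS in login.defs
# only seed new accounts; existing accounts keep the aging fields already in
# /etc/shadow. This compares the two and prints the chage commands that would
# reconcile them. File paths are arguments so it can run against copies.

# Print the value of KEY from a login.defs-style file (empty if not set).
login_defs_value() {   # FILE KEY
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Print "<user> max=<n> min=<n>" for each account with a real password hash
# (field 2 starts with "$"; locked, empty and "*" entries age nothing) whose
# max-days exceeds PASS_MAX_DAYS or is unset, or whose min-days is below PASS_MIN_DAYS.
shadow_aging_violations() {   # LOGIN_DEFS SHADOW
    max_days="$(login_defs_value "$1" PASS_MAX_DAYS)"
    min_days="$(login_defs_value "$1" PASS_MIN_DAYS)"
    awk -F: -v max="${max_days:-99999}" -v min="${min_days:-0}" '
        substr($2, 1, 1) != "$" { next }
        {
            cur_max = ($5 == "") ? 99999 : $5 + 0    # empty max field: never expires
            cur_min = ($4 == "") ? 0 : $4 + 0
            if (cur_max > max + 0 || cur_min < min + 0)
                printf "%s max=%s min=%s\n", $1, ($5 == "" ? "unset" : $5), ($4 == "" ? "unset" : $4)
        }' "$2"
}

# Emit the chage invocations that would bring those accounts in line; review before running.
shadow_aging_remediation() {   # LOGIN_DEFS SHADOW
    max_days="$(login_defs_value "$1" PASS_MAX_DAYS)"
    min_days="$(login_defs_value "$1" PASS_MIN_DAYS)"
    shadow_aging_violations "$1" "$2" | while read -r user rest; do
        printf 'chage --maxdays %s --mindays %s %s\n' "${max_days:-99999}" "${min_days:-0}" "$user"
    done
}

# On a live host (as root):  shadow_aging_violations /etc/login.defs /etc/shadow
```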
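The notes on 5.5.4 and 5.5.5 above describe a scanner that pattern-matches profile snippets and so misses the guarded form `[ $TMOUT ] || export TMOUT=900` and the umask set in /etc/profile.d/simp.sh. The shell below is an added example, not SIMP's or the scanner's code: it contrasts a line-based check (an assumed approximation of what the scanner does) with evaluating the snippet in an empty environment, the way a login shell would, and then applies the benchmark's thresholds (TMOUT of 900 seconds or less, umask 027 or stricter) to the values that actually result. The two snippets in the usage are constructed.

```shell
#!/bin/sh
# Added example (not SIMP's or the CIS-CAT scanner's code): evaluate a profile.d
# snippet instead of pattern-matching its text, so a guarded assignment such as
# `[ $TMOUT ] || export TMOUT=900` is still recognised. scanner_style_tmout is an
# assumed approximation of a line-based audit, not the scanner's real logic.

# What a line-based audit sees: only lines that begin with a TMOUT assignment.
scanner_style_tmout() {   # FILE
    awk 'match($0, /^[ \t]*(readonly[ \t]+)?(export[ \t]+)?TMOUT=[0-9]+/) {
             s = substr($0, RSTART, RLENGTH); sub(/^.*TMOUT=/, "", s); print s; exit
         }' "$1"
}

# What the shell actually ends up with: source the file in an empty environment
# (so a guard like `[ $TMOUT ] ||` cannot be short-circuited by the caller's own
# TMOUT) and print the resulting value. Only run this on files you would let a
# login shell source anyway: it executes them.
effective_tmout() {   # FILE
    env -i /bin/sh -c '. "$1" >/dev/null 2>&1; printf "%s" "${TMOUT-}"' sh "$1"
}
effective_umask() {   # FILE
    env -i /bin/sh -c '. "$1" >/dev/null 2>&1; umask' sh "$1"
}

# Pass only when the effective idle timeout is 1..900 seconds and the umask masks
# every bit of 027 (group write and all "other" access), i.e. 027 or stricter.
check_session_defaults() {   # FILE
    tmout="$(effective_tmout "$1")"
    mask="$(effective_umask "$1")"
    case "$tmout" in ''|*[!0-9]*) return 1 ;; esac
    [ "$tmout" -ge 1 ] && [ "$tmout" -le 900 ] || return 1
    [ -n "$mask" ] || return 1
    # umask prints octal with a leading zero, which $(( )) reads as octal
    [ $(( $mask & 027 )) -eq $(( 027 )) ]
}

# On a live host:  for f in /etc/profile /etc/bashrc /etc/profile.d/*.sh; do
#                      check_session_defaults "$f" && echo "$f: ok"; done
```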
RedHat 8 (247/272 [90%])
- oval:simp.cis.2.0.0.RedHat8.1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabled:def:1
- oval:simp.cis.2.0.0.RedHat8.1.1.1.2_Ensure_mounting_of_squashfs_filesystems_is_disabled:def:1
- oval:simp.cis.2.0.0.RedHat8.1.1.1.3_Ensure_mounting_of_udf_filesystems_is_disabled:def:1
- oval:simp.cis.2.0.0.RedHat8.1.1.2.1_Ensure_tmp_is_a_separate_partition:def:1
- /tmp is configured as a bind mount with the options bind,nodev,noexec,nosuid. The test for this rule, however, looks for a /tmp entry in /etc/fstab rather than at the live mount.
- oval:simp.cis.2.0.0.RedHat8.1.1.2.2_Ensure_nodev_option_set_on_tmp_partition:def:1
- oval:simp.cis.2.0.0.RedHat8.1.1.2.3_Ensure_noexec_option_set_on_tmp_partition:def:1
- oval:simp.cis.2.0.0.RedHat8.1.1.2.4_Ensure_nosuid_option_set_on_tmp_partition:def:1
- oval:simp.cis.2.0.0.RedHat8.1.1.3.2_Ensure_nodev_option_set_on_var_partition:def:1
- oval:simp.cis.2.0.0.RedHat8.1.1.3.3_Ensure_noexec_option_set_on_var_partition:def:1
- oval:simp.cis.2.0.0.RedHat8.1.1.3.4_Ensure_nosuid_option_set_on_var_partition:def:1
- oval:simp.cis.2.0.0.RedHat8.1.1.4.2_Ensure_noexec_option_set_on_vartmp_partition:def:1
- oval:simp.cis.2.0.0.RedHat8.1.1.4.3_Ensure_nosuid_option_set_on_vartmp_partition:def:1
- oval:simp.cis.2.0.0.RedHat8.1.1.4.4_Ensure_nodev_option_set_on_vartmp_partition:def:1
- oval:simp.cis.2.0.0.RedHat8.1.1.5.2_Ensure_nodev_option_set_on_varlog_partition:def:1
- oval:simp.cis.2.0.0.RedHat8.1.1.5.3_Ensure_noexec_option_set_on_varlog_partition:def:1
- oval:simp.cis.2.0.0.RedHat8.1.1.5.4_Ensure_nosuid_option_set_on_varlog_partition:def:1
- oval:simp.cis.2.0.0.RedHat8.1.1.6.2_Ensure_noexec_option_set_on_varlogaudit_partition:def:1
- oval:simp.cis.2.0.0.RedHat8.1.1.6.3_Ensure_nodev_option_set_on_varlogaudit_partition:def:1
- oval:simp.cis.2.0.0.RedHat8.1.1.6.4_Ensure_nosuid_option_set_on_varlogaudit_partition:def:1
- oval:simp.cis.2.0.0.RedHat8.1.1.7.2_Ensure_nodev_option_set_on_home_partition:def:1
- oval:simp.cis.2.0.0.RedHat8.1.1.7.3_Ensure_nosuid_option_set_on_home_partition:def:1
- oval:simp.cis.2.0.0.RedHat8.1.1.8.1_Ensure_nodev_option_set_on_devshm_partition:def:1
- oval:simp.cis.2.0.0.RedHat8.1.1.8.2_Ensure_noexec_option_set_on_devshm_partition:def:1
- oval:simp.cis.2.0.0.RedHat8.1.1.8.3_Ensure_nosuid_option_set_on_devshm_partition:def:1
- oval:simp.cis.2.0.0.RedHat8.1.1.9_Disable_Automounting:def:1
- oval:simp.cis.2.0.0.RedHat8.1.1.10_Disable_USB_Storage:def:1
- oval:simp.cis.2.0.0.RedHat8.1.2.3_Ensure_gpgcheck_is_globally_activated:def:1
- Some organizations need gpgcheck turned off for some of their internal repos. The best the product can do in this scenario is to enable gpgcheck globally in /etc/yum.conf and leave the per-repository gpgcheck setting, which overrides the global value, under the customer's control.
- oval:simp.cis.2.0.0.RedHat8.1.3.1_Ensure_AIDE_is_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.1.3.2_Ensure_filesystem_integrity_is_regularly_checked:def:1
- oval:simp.cis.2.0.0.RedHat8.1.4.1_Ensure_bootloader_password_is_set:def:1
- oval:simp.cis.2.0.0.RedHat8.1.4.2_Ensure_permissions_on_bootloader_config_are_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.1.4.3_Ensure_authentication_is_required_when_booting_into_rescue_mode:def:1
- oval:simp.cis.2.0.0.RedHat8.1.5.1_Ensure_core_dump_storage_is_disabled:def:1
- oval:simp.cis.2.0.0.RedHat8.1.5.2_Ensure_core_dump_backtraces_are_disabled:def:1
- oval:simp.cis.2.0.0.RedHat8.1.5.3_Ensure_address_space_layout_randomization_ASLR_is_enabled:def:1
- oval:simp.cis.2.0.0.RedHat8.1.6.1.1_Ensure_SELinux_is_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.1.6.1.2_Ensure_SELinux_is_not_disabled_in_bootloader_configuration:def:1
- oval:simp.cis.2.0.0.RedHat8.1.6.1.3_Ensure_SELinux_policy_is_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.1.6.1.4_Ensure_the_SELinux_mode_is_not_disabled:def:1
- oval:simp.cis.2.0.0.RedHat8.1.6.1.5_Ensure_the_SELinux_mode_is_enforcing:def:1
- oval:simp.cis.2.0.0.RedHat8.1.6.1.7_Ensure_SETroubleshoot_is_not_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.1.6.1.8_Ensure_the_MCS_Translation_Service_mcstrans_is_not_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.1.7.1_Ensure_message_of_the_day_is_configured_properly:def:1
- oval:simp.cis.2.0.0.RedHat8.1.7.2_Ensure_local_login_warning_banner_is_configured_properly:def:1
- oval:simp.cis.2.0.0.RedHat8.1.7.3_Ensure_remote_login_warning_banner_is_configured_properly:def:1
- oval:simp.cis.2.0.0.RedHat8.1.7.4_Ensure_permissions_on_etcmotd_are_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.1.7.5_Ensure_permissions_on_etcissue_are_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.1.7.6_Ensure_permissions_on_etcissue.net_are_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.1.8.1_Ensure_GNOME_Display_Manager_is_removed:def:1
- oval:simp.cis.2.0.0.RedHat8.1.8.2_Ensure_GDM_login_banner_is_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.1.8.3_Ensure_last_logged_in_user_display_is_disabled:def:1
- oval:simp.cis.2.0.0.RedHat8.1.8.4_Ensure_XDMCP_is_not_enabled:def:1
- oval:simp.cis.2.0.0.RedHat8.1.8.5_Ensure_automatic_mounting_of_removable_media_is_disabled:def:1
- This has been remediated as requested; however, the product writes the dconf key/value pair with a space on either side of the '=' and the check for this rule expects no spaces between the key, the '=' and the value.
- oval:simp.cis.2.0.0.RedHat8.1.9_Ensure_updates_patches_and_additional_security_software_are_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.1.10_Ensure_system-wide_crypto_policy_is_not_legacy:def:1
- oval:simp.cis.2.0.0.RedHat8.2.1.1_Ensure_time_synchronization_is_in_use:def:1
- oval:simp.cis.2.0.0.RedHat8.2.1.2_Ensure_chrony_is_configured:def:1
- We are configuring the system to use ntpd instead of chrony.
- oval:simp.cis.2.0.0.RedHat8.2.2.1_Ensure_xinetd_is_not_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.2.2.2_Ensure_xorg-x11-server-common_is_not_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.2.2.3_Ensure_Avahi_Server_is_not_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.2.2.4_Ensure_CUPS_is_not_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.2.2.5_Ensure_DHCP_Server_is_not_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.2.2.6_Ensure_DNS_Server_is_not_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.2.2.7_Ensure_FTP_Server_is_not_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.2.2.8_Ensure_VSFTP_Server_is_not_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.2.2.9_Ensure_TFTP_Server_is_not_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.2.2.10_Ensure_a_web_server_is_not_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.2.2.11_Ensure_IMAP_and_POP3_server_is_not_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.2.2.12_Ensure_Samba_is_not_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.2.2.13_Ensure_HTTP_Proxy_Server_is_not_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.2.2.14_Ensure_net-snmp_is_not_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.2.2.15_Ensure_NIS_server_is_not_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.2.2.16_Ensure_telnet-server_is_not_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.2.2.17_Ensure_mail_transfer_agent_is_configured_for_local-only_mode:def:1
- oval:simp.cis.2.0.0.RedHat8.2.2.18_Ensure_nfs-utils_is_not_installed_or_the__nfs-server_service_is_masked:def:1
- oval:simp.cis.2.0.0.RedHat8.2.2.19_Ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked:def:1
- oval:simp.cis.2.0.0.RedHat8.2.2.20_Ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked:def:1
- oval:simp.cis.2.0.0.RedHat8.2.3.1_Ensure_NIS_Client_is_not_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.2.3.2_Ensure_rsh_client_is_not_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.2.3.3_Ensure_talk_client_is_not_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.2.3.4_Ensure_telnet_client_is_not_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.2.3.5_Ensure_LDAP_client_is_not_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.2.3.6_Ensure_TFTP_client_is_not_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.2.4_Ensure_nonessential_services_are_removed_or_masked:def:1
- oval:simp.cis.2.0.0.RedHat8.3.1.1_Verify_if_IPv6_is_enabled_on_the_system:def:1
- oval:simp.cis.2.0.0.RedHat8.3.1.2_Ensure_SCTP_is_disabled:def:1
- oval:simp.cis.2.0.0.RedHat8.3.1.3_Ensure_DCCP_is_disabled:def:1
- oval:simp.cis.2.0.0.RedHat8.3.1.4_Ensure_wireless_interfaces_are_disabled:def:1
- oval:simp.cis.2.0.0.RedHat8.3.2.1_Ensure_IP_forwarding_is_disabled:def:1
- oval:simp.cis.2.0.0.RedHat8.3.2.2_Ensure_packet_redirect_sending_is_disabled:def:1
- oval:simp.cis.2.0.0.RedHat8.3.3.1_Ensure_source_routed_packets_are_not_accepted:def:1
- oval:simp.cis.2.0.0.RedHat8.3.3.2_Ensure_ICMP_redirects_are_not_accepted:def:1
- oval:simp.cis.2.0.0.RedHat8.3.3.3_Ensure_secure_ICMP_redirects_are_not_accepted:def:1
- oval:simp.cis.2.0.0.RedHat8.3.3.4_Ensure_suspicious_packets_are_logged:def:1
- oval:simp.cis.2.0.0.RedHat8.3.3.5_Ensure_broadcast_ICMP_requests_are_ignored:def:1
- oval:simp.cis.2.0.0.RedHat8.3.3.6_Ensure_bogus_ICMP_responses_are_ignored:def:1
- oval:simp.cis.2.0.0.RedHat8.3.3.7_Ensure_Reverse_Path_Filtering_is_enabled:def:1
- oval:simp.cis.2.0.0.RedHat8.3.3.8_Ensure_TCP_SYN_Cookies_is_enabled:def:1
- oval:simp.cis.2.0.0.RedHat8.3.3.9_Ensure_IPv6_router_advertisements_are_not_accepted:def:1
- oval:simp.cis.2.0.0.RedHat8.3.4.1.1_Ensure_firewalld_is_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.3.4.1.2_Ensure_iptables-services_not_installed_with_firewalld:def:1
- Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.RedHat8.3.4.1.3_Ensure_nftables_either_not_installed_or_masked_with_firewalld:def:1
- oval:simp.cis.2.0.0.RedHat8.3.4.1.4_Ensure_firewalld_service_enabled_and_running:def:1
- oval:simp.cis.2.0.0.RedHat8.3.4.1.5_Ensure_firewalld_default_zone_is_set:def:1
- oval:simp.cis.2.0.0.RedHat8.3.4.1.6_Ensure_network_interfaces_are_assigned_to_appropriate_zone:def:1
- oval:simp.cis.2.0.0.RedHat8.3.4.1.7_Ensure_firewalld_drops_unnecessary_services_and_ports:def:1
- oval:simp.cis.2.0.0.RedHat8.3.4.2.1_Ensure_nftables_is_installed:def:1
- Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.RedHat8.3.4.2.2_Ensure_firewalld_is_either_not_installed_or_masked_with_nftables:def:1
- Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.RedHat8.3.4.2.3_Ensure_iptables-services_not_installed_with_nftables:def:1
- Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.RedHat8.3.4.2.4_Ensure_iptables_are_flushed_with_nftables:def:1
- Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.RedHat8.3.4.2.5_Ensure_an_nftables_table_exists:def:1
- Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.RedHat8.3.4.2.6_Ensure_nftables_base_chains_exist:def:1
- Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.RedHat8.3.4.2.7_Ensure_nftables_loopback_traffic_is_configured:def:1
- Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.RedHat8.3.4.2.8_Ensure_nftables_outbound_and_established_connections_are_configured:def:1
- Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.RedHat8.3.4.2.9_Ensure_nftables_default_deny_firewall_policy:def:1
- Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.RedHat8.3.4.2.10_Ensure_nftables_service_is_enabled:def:1
- oval:simp.cis.2.0.0.RedHat8.3.4.2.11_Ensure_nftables_rules_are_permanent:def:1
- Only applies when nftables is used as the firewall provider.
- oval:simp.cis.2.0.0.RedHat8.3.4.3.1.1_Ensure_iptables_packages_are_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.3.4.3.1.2_Ensure_nftables_is_not_installed_with_iptables:def:1
- Only applies when iptables is used as the firewall provider.
- oval:simp.cis.2.0.0.RedHat8.3.4.3.1.3_Ensure_firewalld_is_either_not_installed_or_masked_with_iptables:def:1
- Only applies when iptables is used as the firewall provider.
- oval:simp.cis.2.0.0.RedHat8.3.4.3.2.1_Ensure_iptables_loopback_traffic_is_configured:def:1
- Only applies when iptables is used as the firewall provider.
- oval:simp.cis.2.0.0.RedHat8.3.4.3.2.2_Ensure_iptables_outbound_and_established_connections_are_configured:def:1
- Only applies when iptables is used as the firewall provider.
- oval:simp.cis.2.0.0.RedHat8.3.4.3.2.3_Ensure_iptables_rules_exist_for_all_open_ports:def:1
- Only applies when iptables is used as the firewall provider.
- oval:simp.cis.2.0.0.RedHat8.3.4.3.2.4_Ensure_iptables_default_deny_firewall_policy:def:1
- Only applies when iptables is used for firewall provider
- oval:simp.cis.2.0.0.RedHat8.3.4.3.2.5_Ensure_iptables_rules_are_saved:def:1
- oval:simp.cis.2.0.0.RedHat8.3.4.3.2.6_Ensure_iptables_is_enabled_and_active:def:1
- oval:simp.cis.2.0.0.RedHat8.3.4.3.3.1_Ensure_ip6tables_loopback_traffic_is_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.3.4.3.3.2_Ensure_ip6tables_outbound_and_established_connections_are_configured:def:1
- Only applies when iptables is used for firewall provider
- oval:simp.cis.2.0.0.RedHat8.3.4.3.3.3_Ensure_ip6tables_firewall_rules_exist_for_all_open_ports:def:1
- Only applies when iptables is used for firewall provider
- oval:simp.cis.2.0.0.RedHat8.3.4.3.3.4_Ensure_ip6tables_default_deny_firewall_policy:def:1
- Only applies when iptables is used for firewall provider
- oval:simp.cis.2.0.0.RedHat8.3.4.3.3.5_Ensure_ip6tables_rules_are_saved:def:1
- oval:simp.cis.2.0.0.RedHat8.3.4.3.3.6_Ensure_ip6tables_is_enabled_and_active:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.1.1_Ensure_auditd_is_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.1.2_Ensure_auditd_service_is_enabled:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.1.3_Ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.1.4_Ensure_audit_backlog_limit_is_sufficient:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.2.1_Ensure_audit_log_storage_size_is_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.2.2_Ensure_audit_logs_are_not_automatically_deleted:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.2.3_Ensure_system_is_disabled_when_audit_logs_are_full:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.3.1_Ensure_changes_to_system_administration_scope_sudoers_is_collected:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.3.2_Ensure_actions_as_another_user_are_always_logged:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.3.3_Ensure_events_that_modify_the_sudo_log_file_are_collected:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.3.4_Ensure_events_that_modify_date_and_time_information_are_collected:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.3.5_Ensure_events_that_modify_the_systems_network_environment_are_collected:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.3.6_Ensure_use_of_privileged_commands_are_collected:def:1
- The available setuid/setgid commands on a given system could vary greatly. Several of the more common commands are audited, but there is currently no automated way to identify and audit all possible setuid/setgid commands available on any given system.
- oval:simp.cis.2.0.0.RedHat8.4.1.3.7_Ensure_unsuccessful_file_access_attempts_are_collected:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.3.8_Ensure_events_that_modify_usergroup_information_are_collected:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.3.9_Ensure_discretionary_access_control_permission_modification_events_are_collected:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.3.10_Ensure_successful_file_system_mounts_are_collected:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.3.11_Ensure_session_initiation_information_is_collected:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.3.12_Ensure_login_and_logout_events_are_collected:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.3.13_Ensure_file_deletion_events_by_users_are_collected:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.3.14_Ensure_events_that_modify_the_systems_Mandatory_Access_Controls_are_collected:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.3.15_Ensure_successful_and_unsuccessful_attempts_to_use_the_chcon_command_are_recorded:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.3.16_Ensure_successful_and_unsuccessful_attempts_to_use_the_setfacl_command_are_recorded:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.3.17_Ensure_successful_and_unsuccessful_attempts_to_use_the_chacl_command_are_recorded:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.3.18_Ensure_successful_and_unsuccessful_attempts_to_use_the_usermod_command_are_recorded:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.3.19_Ensure_kernel_module_loading_unloading_and_modification_is_collected:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.3.20_Ensure_the_audit_configuration_is_immutable:def:1
- oval:simp.cis.2.0.0.RedHat8.4.1.3.21_Ensure_the_running_and_on_disk_configuration_is_the_same:def:1
- Including the audit class forces the system to check the expected rule set against what is on disk. If there are discrepancies, the rules are changed to the expected state and the service is restarted, which ensures the rules on disk match the running rules.
- oval:simp.cis.2.0.0.RedHat8.4.2.1.1_Ensure_rsyslog_is_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.4.2.1.2_Ensure_rsyslog_service_is_enabled:def:1
- oval:simp.cis.2.0.0.RedHat8.4.2.1.4_Ensure_rsyslog_default_file_permissions_are_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.4.2.1.5_Ensure_logging_is_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.4.2.1.7_Ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client:def:1
- Including the product’s rsyslog class will purge any rsyslog configuration not specified by the user in hieradata or by other rules that require specific rsyslog configuration.
- oval:simp.cis.2.0.0.RedHat8.4.2.2.1.1_Ensure_systemd-journal-remote_is_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.4.2.2.1.4_Ensure_journald_is_not_configured_to_recieve_logs_from_a_remote_client:def:1
- oval:simp.cis.2.0.0.RedHat8.4.2.2.2_Ensure_journald_service_is_enabled:def:1
- Simply including the journald class will include a default journald configuration and ensure the service is enabled.
- oval:simp.cis.2.0.0.RedHat8.4.2.2.3_Ensure_journald_is_configured_to_compress_large_log_files:def:1
- oval:simp.cis.2.0.0.RedHat8.4.2.2.4_Ensure_journald_is_configured_to_write_logfiles_to_persistent_disk:def:1
- oval:simp.cis.2.0.0.RedHat8.4.2.2.5_Ensure_journald_is_not_configured_to_send_logs_to_rsyslog:def:1
- oval:simp.cis.2.0.0.RedHat8.4.2.2.6_Ensure_journald_log_rotation_is_configured_per_site_policy:def:1
- oval:simp.cis.2.0.0.RedHat8.4.2.3_Ensure_permissions_on_all_logfiles_are_configured:def:1
- btmp, lastlog, and wtmp will not have any permissions stripped from them. Doing so could cause login issues for users.
- oval:simp.cis.2.0.0.RedHat8.4.3_Ensure_logrotate_is_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.5.1.1_Ensure_cron_daemon_is_enabled:def:1
- oval:simp.cis.2.0.0.RedHat8.5.1.2_Ensure_permissions_on_etccrontab_are_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.5.1.3_Ensure_permissions_on_etccron.hourly_are_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.5.1.4_Ensure_permissions_on_etccron.daily_are_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.5.1.5_Ensure_permissions_on_etccron.weekly_are_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.5.1.6_Ensure_permissions_on_etccron.monthly_are_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.5.1.7_Ensure_permissions_on_etccron.d_are_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.5.1.8_Ensure_cron_is_restricted_to_authorized_users:def:1
- oval:simp.cis.2.0.0.RedHat8.5.1.9_Ensure_at_is_restricted_to_authorized_users:def:1
- oval:simp.cis.2.0.0.RedHat8.5.2.1_Ensure_permissions_on_etcsshsshd_config_are_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.5.2.2_Ensure_permissions_on_SSH_private_host_key_files_are_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.5.2.3_Ensure_permissions_on_SSH_public_host_key_files_are_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.5.2.5_Ensure_SSH_LogLevel_is_appropriate:def:1
- oval:simp.cis.2.0.0.RedHat8.5.2.6_Ensure_SSH_PAM_is_enabled:def:1
- oval:simp.cis.2.0.0.RedHat8.5.2.7_Ensure_SSH_root_login_is_disabled:def:1
- oval:simp.cis.2.0.0.RedHat8.5.2.8_Ensure_SSH_HostbasedAuthentication_is_disabled:def:1
- oval:simp.cis.2.0.0.RedHat8.5.2.9_Ensure_SSH_PermitEmptyPasswords_is_disabled:def:1
- oval:simp.cis.2.0.0.RedHat8.5.2.10_Ensure_SSH_PermitUserEnvironment_is_disabled:def:1
- oval:simp.cis.2.0.0.RedHat8.5.2.11_Ensure_SSH_IgnoreRhosts_is_enabled:def:1
- oval:simp.cis.2.0.0.RedHat8.5.2.12_Ensure_SSH_X11_forwarding_is_disabled:def:1
- oval:simp.cis.2.0.0.RedHat8.5.2.13_Ensure_SSH_AllowTcpForwarding_is_disabled:def:1
- oval:simp.cis.2.0.0.RedHat8.5.2.14_Ensure_system-wide_crypto_policy_is_not_over-ridden:def:1
- oval:simp.cis.2.0.0.RedHat8.5.2.15_Ensure_SSH_warning_banner_is_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.5.2.16_Ensure_SSH_MaxAuthTries_is_set_to_4_or_less:def:1
- oval:simp.cis.2.0.0.RedHat8.5.2.17_Ensure_SSH_MaxStartups_is_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.5.2.18_Ensure_SSH_MaxSessions_is_set_to_10_or_less:def:1
- oval:simp.cis.2.0.0.RedHat8.5.2.19_Ensure_SSH_LoginGraceTime_is_set_to_one_minute_or_less:def:1
- oval:simp.cis.2.0.0.RedHat8.5.2.20_Ensure_SSH_Idle_Timeout_Interval_is_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.5.3.1_Ensure_sudo_is_installed:def:1
- oval:simp.cis.2.0.0.RedHat8.5.3.2_Ensure_sudo_commands_use_pty:def:1
- oval:simp.cis.2.0.0.RedHat8.5.3.3_Ensure_sudo_log_file_exists:def:1
- oval:simp.cis.2.0.0.RedHat8.5.3.6_Ensure_sudo_authentication_timeout_is_configured_correctly:def:1
- oval:simp.cis.2.0.0.RedHat8.5.3.7_Ensure_access_to_the_su_command_is_restricted:def:1
- oval:simp.cis.2.0.0.RedHat8.5.4.1_Ensure_custom_authselect_profile_is_used:def:1
- oval:simp.cis.2.0.0.RedHat8.5.4.2_Ensure_authselect_includes_with-faillock:def:1
- oval:simp.cis.2.0.0.RedHat8.5.5.1_Ensure_password_creation_requirements_are_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.5.5.2_Ensure_lockout_for_failed_password_attempts_is_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.5.5.3_Ensure_password_reuse_is_limited:def:1
- Password reuse will be limited through pam instead of authselect. The product will support authselect in a future release.
- oval:simp.cis.2.0.0.RedHat8.5.5.4_Ensure_password_hashing_algorithm_is_SHA-512:def:1
- oval:simp.cis.2.0.0.RedHat8.5.6.1.1_Ensure_password_expiration_is_365_days_or_less:def:1
- The product sets PASS_MAX_DAYS in /etc/login.defs; however, there is currently no mechanism to enforce the setting for existing users in /etc/shadow.
- oval:simp.cis.2.0.0.RedHat8.5.6.1.2_Ensure_minimum_days_between_password_changes_is_7_or_more:def:1
- The PASS_MIN_DAYS value in /etc/login.defs is set to 7 as required; however, the product has no mechanism to change this value for existing users.
- oval:simp.cis.2.0.0.RedHat8.5.6.1.3_Ensure_password_expiration_warning_days_is_7_or_more:def:1
- oval:simp.cis.2.0.0.RedHat8.5.6.1.4_Ensure_inactive_password_lock_is_30_days_or_less:def:1
- The system is configured to make accounts inactive after 30 days of inactivity; however, the product has no mechanism to change this value for existing users.
- oval:simp.cis.2.0.0.RedHat8.5.6.1.5_Ensure_all_users_last_password_change_date_is_in_the_past:def:1
- oval:simp.cis.2.0.0.RedHat8.5.6.2_Ensure_system_accounts_are_secured:def:1
- oval:simp.cis.2.0.0.RedHat8.5.6.3_Ensure_default_user_shell_timeout_is_900_seconds_or_less:def:1
- The scanner fails to pick up on the format the product uses for setting the timeout: [ $TMOUT ] || export TMOUT=900. The setting is also placed in a nonstandard location: /etc/profile.d/simp.sh.
- oval:simp.cis.2.0.0.RedHat8.5.6.4_Ensure_default_group_for_the_root_account_is_GID_0:def:1
- oval:simp.cis.2.0.0.RedHat8.5.6.5_Ensure_default_user_umask_is_027_or_more_restrictive:def:1
- The umask is set to 027 in /etc/profile.d/simp.sh; however, the scanner still reports this check as failed.
- oval:simp.cis.2.0.0.RedHat8.6.1.2_Ensure_sticky_bit_is_set_on_all_world-writable_directories:def:1
- oval:simp.cis.2.0.0.RedHat8.6.1.3_Ensure_permissions_on_etcpasswd_are_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.6.1.4_Ensure_permissions_on_etcshadow_are_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.6.1.5_Ensure_permissions_on_etcgroup_are_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.6.1.6_Ensure_permissions_on_etcgshadow_are_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.6.1.7_Ensure_permissions_on_etcpasswd-_are_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.6.1.8_Ensure_permissions_on_etcshadow-_are_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.6.1.9_Ensure_permissions_on_etcgroup-_are_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.6.1.10_Ensure_permissions_on_etcgshadow-_are_configured:def:1
- oval:simp.cis.2.0.0.RedHat8.6.2.1_Ensure_password_fields_are_not_empty:def:1
- oval:simp.cis.2.0.0.RedHat8.6.2.2_Ensure_all_groups_in_etcpasswd_exist_in_etcgroup:def:1
- oval:simp.cis.2.0.0.RedHat8.6.2.3_Ensure_no_duplicate_UIDs_exist:def:1
- oval:simp.cis.2.0.0.RedHat8.6.2.4_Ensure_no_duplicate_GIDs_exist:def:1
- oval:simp.cis.2.0.0.RedHat8.6.2.5_Ensure_no_duplicate_user_names_exist:def:1
- oval:simp.cis.2.0.0.RedHat8.6.2.6_Ensure_no_duplicate_group_names_exist:def:1
- oval:simp.cis.2.0.0.RedHat8.6.2.7_Ensure_root_PATH_Integrity:def:1
- oval:simp.cis.2.0.0.RedHat8.6.2.8_Ensure_root_is_the_only_UID_0_account:def:1
- oval:simp.cis.2.0.0.RedHat8.6.2.9_Ensure_all_users_home_directories_exist:def:1
- oval:simp.cis.2.0.0.RedHat8.6.2.10_Ensure_users_own_their_home_directories:def:1
- oval:simp.cis.2.0.0.RedHat8.6.2.11_Ensure_users_home_directories_permissions_are_750_or_more_restrictive:def:1
- oval:simp.cis.2.0.0.RedHat8.6.2.12_Ensure_users_dot_files_are_not_group_or_world_writable:def:1
- oval:simp.cis.2.0.0.RedHat8.6.2.13Ensure_users.netrc_Files_are_not_group_or_world_accessible:def:1
- oval:simp.cis.2.0.0.RedHat8.6.2.14Ensure_no_users_have.forward_files:def:1
- oval:simp.cis.2.0.0.RedHat8.6.2.15Ensure_no_users_have.netrc_files:def:1
- oval:simp.cis.2.0.0.RedHat8.6.2.16Ensure_no_users_have.rhosts_files:def:1
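The note on 4.1.3.6 (privileged commands) says the product audits a fixed set of common setuid/setgid binaries because it has no way to enumerate every such binary on an arbitrary host. The following is an added example, not SIMP code and not the benchmark's remediation text: it enumerates setuid/setgid files on a mount point and emits one auditd rule per file in the form the benchmark uses, so a host-specific rules.d fragment can be generated at provisioning time. The key name "privileged", the UID_MIN default of 1000 and the constructed sample directory at the bottom are assumptions for the example.

```shell
#!/bin/sh
# Added example (not SIMP's code): build host-specific audit rules for every
# setuid/setgid binary on a filesystem, covering CIS 4.1.3.6 for the binaries
# actually present instead of a fixed list.

# $1: mount point to scan (-xdev keeps find on that one filesystem)
# $2: lowest UID of interactive users (UID_MIN in /etc/login.defs); assumed 1000
privileged_audit_rules() {
    dir="$1"
    uid_min="${2:-1000}"
    find "$dir" -xdev \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null |
        LC_ALL=C sort |
        while IFS= read -r path; do
            # One rule per binary; "privileged" is an assumed key name.
            printf '%s -F path=%s -F perm=x -F auid>=%s -F auid!=unset -k privileged\n' \
                '-a always,exit' "$path" "$uid_min"
        done
}

# Write rules for every mounted local filesystem into one rules.d fragment
# and print how many binaries were covered. On a real host, as root:
#   privileged_rules_file /etc/audit/rules.d/50-privileged.rules && augenrules --load
privileged_rules_file() {
    out="$1"
    uid_min="${2:-1000}"
    : > "$out"
    df --local -P 2>/dev/null | awk 'NR > 1 { print $6 }' |
        while IFS= read -r mnt; do
            privileged_audit_rules "$mnt" "$uid_min" >> "$out"
        done
    wc -l < "$out" | tr -d ' '
}

# Self-contained demo on a constructed directory: two privileged files and
# one plain file; only the first two should produce rules.
demo_privileged_audit_rules() {
    d=$(mktemp -d) || return 1
    : > "$d/suidtool";  chmod 4755 "$d/suidtool"
    : > "$d/sgidtool";  chmod 2755 "$d/sgidtool"
    : > "$d/plaintool"; chmod 0755 "$d/plaintool"
    privileged_audit_rules "$d" 1000
    rm -rf "$d"
}

demo_privileged_audit_rules
```

Regenerating the fragment on each provisioning run (and after package updates) keeps the rule set in step with the binaries on the host; the rule count printed by privileged_rules_file is a cheap thing to record so drift shows up.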
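The notes on 5.6.1.1, 5.6.1.2 and 5.6.1.4 say the product sets the policy defaults (PASS_MAX_DAYS, PASS_MIN_DAYS, the inactive lock) but cannot change existing accounts, whose aging fields live in /etc/shadow. The following is an added example, not SIMP code: it reads a login.defs-style file and a shadow-style file and prints the chage commands that would bring existing password-bearing accounts into line, for an operator to review and run as root. The 30-day inactive target, the file layout and the constructed sample files at the bottom are assumptions for the example.

```shell
#!/bin/sh
# Added example (not SIMP's code): plan chage fixes for existing accounts so
# that /etc/shadow matches the aging policy the product writes to login.defs.

# Print the value of KEY from a login.defs-style file (last occurrence wins).
logindefs_value() {
    # $1 file, $2 key
    awk -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# Print one chage command per account whose aging fields differ from the
# targets. Accounts with no usable hash ("!", "*" or empty, i.e. locked or
# passwordless) are skipped; they are outside the benchmark's audit scope.
# shadow fields: 1 name, 2 hash, 3 last change, 4 min, 5 max, 6 warn, 7 inactive
password_aging_fixes() {
    # $1 shadow-style file, $2 max days, $3 min days, $4 inactive days
    awk -F: -v max="$2" -v min="$3" -v inact="$4" '
        $2 != "" && $2 !~ /^[!*]/ {
            opts = ""
            if ($5 == "" || $5 + 0 > max + 0) opts = opts " --maxdays " max
            if ($4 == "" || $4 + 0 < min + 0) opts = opts " --mindays " min
            if ($7 == "" || $7 + 0 < 0 || $7 + 0 > inact + 0) opts = opts " --inactive " inact
            if (opts != "") print "chage" opts " " $1
        }' "$1"
}

# Derive the targets from login.defs and produce the fix list. INACTIVE is
# not a login.defs key (it lives in /etc/default/useradd), so it is passed
# in; 30 days is the benchmark's ceiling and the assumed default here.
aging_fix_plan() {
    # $1 login.defs-style file, $2 shadow-style file, $3 inactive days
    max=$(logindefs_value "$1" PASS_MAX_DAYS)
    min=$(logindefs_value "$1" PASS_MIN_DAYS)
    password_aging_fixes "$2" "${max:-365}" "${min:-7}" "${3:-30}"
}

# Self-contained demo on constructed files; the hashes are placeholders.
# root has default aging and needs all three fixes, alice already complies,
# bob is locked and svc has no password, so only root is reported.
demo_aging_fix_plan() {
    ld=$(mktemp) && shf=$(mktemp) || return 1
    printf 'PASS_MAX_DAYS 365\nPASS_MIN_DAYS 7\nPASS_WARN_AGE 7\n' > "$ld"
    cat > "$shf" <<'EOF'
root:$6$placeholder:19000:0:99999:7:::
alice:$6$placeholder:19000:7:365:7:30::
bob:!locked:19000:0:99999:7:::
svc:*:19000::::::
EOF
    aging_fix_plan "$ld" "$shf" 30
    rm -f "$ld" "$shf"
}

demo_aging_fix_plan
```

On a real host the call is aging_fix_plan /etc/login.defs /etc/shadow 30; printing the commands rather than executing them keeps the step reviewable, which matters because --maxdays on an account whose password is already older than the limit expires it immediately.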
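The notes on 5.6.3 (shell timeout) and 5.6.5 (default umask) say the scanner misses the product's settings because of the [ $TMOUT ] || export TMOUT=900 form and the /etc/profile.d/simp.sh location. The following is an added example, not SIMP code and not CIS-CAT logic: a tolerant checker that reads profile fragments, accepts that form alongside the plain TMOUT=900 and export TMOUT=900 forms, and applies the benchmark's limits (TMOUT at most 900 seconds, umask 027 or more restrictive). The file names and the constructed fragment at the bottom are assumptions for the example.

```shell
#!/bin/sh
# Added example (not SIMP's code): verify CIS 5.6.3 and 5.6.5 from profile
# fragments in whatever assignment form they use.

# Print the TMOUT value assigned in the given files (last assignment wins).
# Comment lines are ignored; "[ $TMOUT ] || export TMOUT=900" yields 900.
profile_tmout() {
    cat "$@" 2>/dev/null | grep -v '^[[:space:]]*#' |
        grep -o 'TMOUT=[0-9][0-9]*' | tail -n 1 | cut -d= -f2
}

# Print the umask set in the given files (last one wins), 3 or 4 octal digits.
profile_umask() {
    sed -n 's/^[[:space:]]*umask[[:space:]]\{1,\}\([0-7]\{3,4\}\).*/\1/p' "$@" 2>/dev/null |
        tail -n 1
}

# 0 when TMOUT is set, positive and at most 900 seconds.
tmout_ok() {
    t=$(profile_tmout "$@")
    [ -n "$t" ] && [ "$t" -gt 0 ] && [ "$t" -le 900 ]
}

# 0 when the umask is 027 or more restrictive: the group digit must mask
# write (bit 2) and the other digit must mask everything (7).
umask_ok() {
    u=$(profile_umask "$@")
    [ -n "$u" ] || return 1
    u=$(printf '%s' "$u" | sed 's/^0*//')   # avoid octal parsing of leading zeros
    [ -n "$u" ] || u=0
    g=$(( (u / 10) % 10 ))
    o=$(( u % 10 ))
    [ $(( g & 2 )) -eq 2 ] && [ "$o" -eq 7 ]
}

# Self-contained demo on a constructed fragment shaped like the product's
# /etc/profile.d/simp.sh; returns non-zero if either check fails.
demo_profile_checks() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample, not the product's file
[ $TMOUT ] || export TMOUT=900
umask 027
EOF
    status=0
    tmout_ok "$f" && echo "TMOUT $(profile_tmout "$f"): ok" || { echo "TMOUT: fail"; status=1; }
    umask_ok "$f" && echo "umask $(profile_umask "$f"): ok" || { echo "umask: fail"; status=1; }
    rm -f "$f"
    return $status
}

demo_profile_checks
```

Run it as tmout_ok /etc/profile /etc/profile.d/*.sh (and the same for umask_ok) to cover the standard locations and the product's file in one pass; a passing result here is evidence for the exception record when the scanner still reports these two checks as failed.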