OOTB Rules

Datadog provides out-of-the-box (OOTB) detection rules to flag attacker techniques and potential misconfigurations so you can immediately take steps to remediate. Datadog continuously develops new default rules, which are automatically imported into your account, your Application Security Management library, and the Agent, depending on your configuration.

Beta detection rules

Datadog’s Security Research team continually adds new OOTB security detection rules. While the aim is to deliver high-quality detections with the release of integrations or other new features, the performance of a detection at scale often needs to be observed before the rule is made generally available. Keeping a rule in beta gives the Security Research team time to refine it, or to deprecate it if the detection opportunity does not meet Datadog’s standards.

Security detection rules are available for Application Security Management, Cloud SIEM (log detection and signal correlation), CSM Misconfigurations (cloud and infrastructure), CSM Threats, and CSM Identity Risks. The rules below are grouped by the integration or log source that feeds them; each entry is prefixed with that source tag.

Azure
azure Azure Active Directory risky sign-in
azure Azure AD brute force login
azure Azure AD Identity Protection risky user
azure Azure AD Login Without MFA
azure Azure AD member assigned built-in Administrator role
azure Azure AD member assigned Global Administrator role
azure Azure AD possible MFA fatigue attack
azure Azure AD possible MFA fatigue attack followed by successful login
azure Azure AD Privileged Identity Management member assigned
azure Azure AD sign in from AADinternals default user agent
azure Azure AD sign in from AzureHound default user agent
azure Azure Datadog Log Forwarder Deleted
azure Azure diagnostic setting deleted or disabled
azure Azure disk export URI created
azure Azure Firewall Threat Intelligence Alert
azure Azure Frontdoor WAF Blocked a Request
azure Azure Frontdoor WAF Logged a Request
azure Azure Login Explicitly Denied MFA
azure Azure Network Security Group Open to the World
azure Azure Network Security Groups or Rules Created, Modified, or Deleted
azure Azure new owner added for service principal
azure Azure New Owner added to Azure Active Directory application
azure Azure New Service Principal created
azure Azure Policy Assignment Created
azure Azure Service Principal was assigned a role
azure Azure snapshot export URI created
azure Azure SQL Server Firewall Rules Created or Modified
azure Azure user invited an external user
azure Azure user ran command on container instance
azure Azure user viewed CosmosDB access keys
azure Azure user viewed CosmosDB connection string
azure Brute-forced user has assigned a role
azure Credential added to Azure AD application
azure Credential added to rarely used Azure AD application
azure Credential Stuffing Attack on Azure
azure Microsoft 365 - Modification of Trusted Domain
azure Potential Illicit Consent Grant attack via Azure registered application
azure Tor client IP address identified within Azure environment
azure User ran a command on Azure Compute

Azure Activity Log
azure.activity_log 'Create or Update Network Security Group' activity log alert should be configured
azure.activity_log 'Create or Update Public Ip Address' activity log alert should be configured
azure.activity_log 'Create or Update Security Solutions' activity log alert should be configured
azure.activity_log 'Create or Update SQL Server Firewall Rule' activity log alert should be configured
azure.activity_log 'Create Policy Assignment' activity log alert should be configured
azure.activity_log 'Delete Network Security Group' activity log alert should be configured
azure.activity_log 'Delete Policy Assignment' activity log alert should be configured
azure.activity_log 'Delete Public Ip Address Rule' activity log alert should be configured
azure.activity_log 'Delete Security Solution' activity log alert should be configured
azure.activity_log 'Delete SQL Server Firewall Rule' activity log alert should be configured
azure.activity_log Account should have a activity log alert configured for 'Create or Update Network Security Group'
azure.activity_log Account should have a activity log alert configured for 'Delete Load Balancer'
azure.activity_log Account should have a activity log alert configured for 'Delete Storage Accounts'
azure.activity_log Account should have a activity log alert configured for creating or updating storage accounts
azure.activity_log Account should have a activity log alert configured for creating or updating virtual machines
azure.activity_log Account should have a activity log alert configured for deallocating virtual machines
azure.activity_log Account should have a configured activity log alert for 'Delete MySQL Database'
azure.activity_log Account should have a configured activity log alert for 'Update Key Vault'
azure.activity_log Account should have a configured activity log alert for 'Delete Key Vault'
azure.activity_log Account should have a configured activity log alert for 'Delete PostgreSQL Database'
azure.activity_log Account should have a configured activity log alert for 'Rename Azure SQL Database'
azure.activity_log Account should have a configured activity log alert for 'Update Security Policy'
azure.activity_log Account should have a configured activity log alert for deleting Network Security Group
azure.activity_log Account should have a configured activity log alert for deleting policy assignments
azure.activity_log Account should have a configured activity log alert for deleting the SQL Server firewall rule
azure.activity_log Account should have a configured activity log alert for deleting VMs
azure.activity_log Account should have a configured activity log alert for load balancer updates
azure.activity_log Account should have a configured activity log alert for mysql database updates
azure.activity_log Account should have a configured activity log alert for PostgreSQL database updates
azure.activity_log Account should have a configured activity log alert for power off events
azure.activity_log Account should have a configured activity log alert for security solutions creation or updates
azure.activity_log Account should have a configured activity log alert for sql database updates
azure.activity_log The account should have a configured activity log alert for firewall rule creation or update
azure.activity_log The user should configure an activity log alert for SQL Database deletion
azure.activity_log User should have a 'Create Policy Assignment' activity log alert configured
azure.activity_log User should have a 'Delete Security Solution' activity log alert configured

Cloud Workload Security
cloud workload security AppArmor profile modified
cloud workload security Auditd configuration modified
cloud workload security Compiler executed in container
cloud workload security Compiler wrote suspicious file
cloud workload security Container accessed using kubectl in another container
cloud workload security Container management utility in container
cloud workload security Database process spawned shell
cloud workload security Dirty Pipe exploitation attempted
cloud workload security DNS lookup for cryptocurrency mining pool
cloud workload security DNS lookup for IP lookup service
cloud workload security DNS lookup for paste service
cloud workload security Executable bit added to newly created file
cloud workload security Exfiltration attempt via network utility
cloud workload security File created and executed inside container
cloud workload security Hash of known malware detected
cloud workload security Interactive shell spawned in container
cloud workload security Java process spawned shell
cloud workload security Kubernetes DNS enumeration
cloud workload security Kubernetes service account token created in container
cloud workload security Local account password modified
cloud workload security Memfd object created
cloud workload security Network scanning utility executed
cloud workload security Network utility accessed risky cloud metadata service
cloud workload security Network utility executed
cloud workload security Network utility executed in container
cloud workload security Network utility executed with suspicious URI
cloud workload security Offensive Kubernetes tool executed
cloud workload security Package installed in container
cloud workload security Process arguments match cryptocurrency miner
cloud workload security Process hidden using mount
cloud workload security Process injected into another process
cloud workload security PTRACE_TRACEME used to prevent process debugging
cloud workload security Pwnkit privilege escalation attempt
cloud workload security Python executed with suspicious arguments
cloud workload security RC scripts modified
cloud workload security Recently written or modified suid file has been executed
cloud workload security Redis sandbox escape (CVE-2022-0543)
cloud workload security Resource enumerated using kubectl in container
cloud workload security Resource provisioned using kubectl in container
cloud workload security Runc binary modified
cloud workload security Sensitive namespace modified using kubectl
cloud workload security Shell command history modified
cloud workload security Sudoers policy file modified
cloud workload security Suspected dynamic linker hijacking attempt
cloud workload security Unfamiliar command spawned from web server
cloud workload security Unfamiliar kernel module loaded
cloud workload security Unfamiliar kernel module loaded from memory
cloud workload security Unfamiliar process accessed AWS EKS service account token
cloud workload security Unfamiliar process accessed Kubernetes pod service account token
cloud workload security User created interactively

CloudTrail
cloudtrail A user received an anomalous number of AccessDenied errors
cloudtrail Amazon EC2 AMI exfiltration attempt by IAM user
cloudtrail Amazon S3 bucket policy modified
cloudtrail Amazon SES enumeration attempt by previously unseen user
cloudtrail Amazon SES modification attempt
cloudtrail Amazon SNS enumeration attempt by previously unseen user
cloudtrail An AWS account attempted to leave the AWS Organization
cloudtrail An AWS S3 bucket lifecycle expiration policy was set to disabled
cloudtrail An AWS S3 bucket lifecycle policy expiration is set to < 90 days
cloudtrail An AWS S3 bucket mfaDelete is disabled
cloudtrail An EC2 instance attempted to enumerate S3 bucket
cloudtrail Anomalous amount of access denied events for AWS EC2 Instance
cloudtrail Anomalous amount of Autoscaling Group events
cloudtrail Anomalous API Gateway API key reads by user
cloudtrail Anomalous number of assumed roles from user
cloudtrail Anomalous number of S3 buckets accessed
cloudtrail Anomalous number of secrets retrieved from AWS Secrets Manager
cloudtrail Anomalous S3 bucket activity from user ARN
cloudtrail Attempt to create Xlarge EC2 instances in multiple AWS regions
cloudtrail AWS access key creation by previously unseen identity
cloudtrail AWS AMI Made Public
cloudtrail AWS CloudTrail configuration modified
cloudtrail AWS CloudTrail trail should have global service events enabled
cloudtrail AWS CloudWatch log group deleted
cloudtrail AWS CloudWatch rule disabled or deleted
cloudtrail AWS Config modified
cloudtrail AWS console login without MFA
cloudtrail AWS ConsoleLogin with MFA triggered Impossible Travel scenario
cloudtrail AWS ConsoleLogin without MFA triggered Impossible Travel scenario
cloudtrail AWS Detective Graph deleted
cloudtrail AWS Disable Cloudtrail with event selectors
cloudtrail AWS EBS default encryption disabled
cloudtrail AWS EBS Snapshot Made Public
cloudtrail AWS EBS Snapshot possible exfiltration
cloudtrail AWS EC2 new event for application
cloudtrail AWS EC2 new event for EKS Node Group
cloudtrail AWS EC2 subnet deleted
cloudtrail AWS ECS cluster deleted
cloudtrail AWS ECS CreateCluster API calls in multiple regions
cloudtrail AWS EventBridge rule disabled or deleted
cloudtrail AWS GuardDuty detector deleted
cloudtrail AWS GuardDuty publishing destination deleted
cloudtrail AWS GuardDuty threat intel set deleted
cloudtrail AWS IAM activity by S3 browser utility
cloudtrail AWS IAM activity from EC2 instance
cloudtrail AWS IAM AdministratorAccess policy was applied to a group
cloudtrail AWS IAM AdministratorAccess policy was applied to a role
cloudtrail AWS IAM AdministratorAccess policy was applied to a user
cloudtrail AWS IAM policy modified
cloudtrail AWS IAM Roles Anywhere trust anchor created
cloudtrail AWS IAM User created with AdministratorAccess policy attached
cloudtrail AWS Java_Ghost security group creation attempt
cloudtrail AWS Kinesis Firehose stream destination modified
cloudtrail AWS KMS key deleted or scheduled for deletion
cloudtrail AWS Lambda function modified by IAM user
cloudtrail AWS Lambda function resource-based policy modified by IAM user
cloudtrail AWS Network Access Control List created or modified
cloudtrail AWS Network Gateway created or modified
cloudtrail AWS principal added to multiple EKS clusters
cloudtrail AWS principal assigned administrative privileges in an EKS cluster
cloudtrail AWS principal granted access to a EKS cluster then removed
cloudtrail AWS RDS Cluster deleted
cloudtrail AWS root account activity
cloudtrail AWS Route 53 DNS query logging disabled
cloudtrail AWS Route 53 VPC disassociated from query logging configuration
cloudtrail AWS Route Table created or modified
cloudtrail AWS S3 Bucket ACL made public
cloudtrail AWS S3 Public Access Block removed
cloudtrail AWS security group created, modified or deleted
cloudtrail AWS Security Hub disabled
cloudtrail AWS VPC created or modified
cloudtrail AWS VPC Flow Log deleted
cloudtrail AWS WAF traffic blocked by specific rule
cloudtrail AWS WAF traffic blocked by specific rule on multiple IPs
cloudtrail AWS WAF web access control list deleted
cloudtrail AWS WAF web access control list modified
cloudtrail CloudTrail log file validation should be enabled
cloudtrail CloudTrail logs S3 bucket should not be public accessible
cloudtrail CloudTrail logs should be encrypted at rest using KMS CMKs
cloudtrail Cloudtrail SecretsManager secret retrieved from AWS CloudShell environment
cloudtrail CloudTrail trails should be integrated with CloudWatch Logs
cloudtrail Compromised AWS EC2 Instance
cloudtrail Compromised AWS IAM User Access Key
cloudtrail Encrypted administrator password retrieved for Windows EC2 instance
cloudtrail New Amazon EC2 Instance type
cloudtrail New AWS account seen assuming a role into AWS account
cloudtrail New Private Repository Container Image detected in AWS ECR
cloudtrail New Public Repository Container Image detected in AWS ECR
cloudtrail New user seen executing a command in an ECS task
cloudtrail Object-level logging should be enabled for S3 bucket read events
cloudtrail Possible AWS EC2 privilege escalation via the modification of user data
cloudtrail Possible privilege escalation via AWS login profile manipulation
cloudtrail Possible RDS Snapshot exfiltration
cloudtrail Potential administrative port open to the world via AWS security group
cloudtrail Potential brute force attack on AWS ConsoleLogin
cloudtrail Potential database port open to the world via AWS security group
cloudtrail S3 bucket access logging should be enabled on the CloudTrail S3 bucket
cloudtrail S3 bucket write events should have object-level logging enabled
cloudtrail Security group open to the world
cloudtrail Temporary AWS security credentials generated for user
cloudtrail The AWS managed policy AWSCompromisedKeyQuarantineV2 has been attached
cloudtrail There should be at least one multi-region CloudTrail trail per AWS account
cloudtrail Tor client IP address identified within AWS environment
cloudtrail TruffleHog user agent observed in AWS
cloudtrail Unfamiliar IAM user retrieved a decrypted AWS Systems Manager parameter
cloudtrail Unfamiliar IAM user retrieved secret from AWS Secrets Manager
cloudtrail Unfamiliar IAM user retrieved SSM parameter
cloudtrail Unusual AWS enumeration event from EC2 instance
cloudtrail User enumerated AWS Secrets Manager - Anomaly
cloudtrail User enumerated AWS Systems Manager parameters - Anomaly
cloudtrail User travel was impossible in AWS CloudTrail IAM log
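As an added illustration of what three of the CloudTrail rules above look for ("AWS root account activity", "AWS console login without MFA", and "AWS CloudTrail configuration modified"), the following Python runs simple predicates over a handful of constructed CloudTrail records. It is example code written for this page, not Datadog's rule queries: the matching conditions are this example's reading of the CloudTrail record format (userIdentity.type, responseElements.ConsoleLogin, additionalEventData.MFAUsed, errorCode), the set of trail-tampering API names is an assumption, and the sample records are constructed, not captured.

```python
# Added example: illustrative matching logic for three CloudTrail rules named above.
# The conditions are this example's reading of the CloudTrail record format,
# not Datadog's rule queries.
from typing import Callable

# CloudTrail API calls that stop, delete or narrow a trail. Assumed set for this example.
CLOUDTRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def is_root_activity(ev: dict) -> bool:
    """Any API call made with the account's root credentials."""
    return ev.get("userIdentity", {}).get("type") == "Root"


def is_console_login_without_mfa(ev: dict) -> bool:
    """A successful console sign-in where no MFA device was used."""
    return (
        ev.get("eventName") == "ConsoleLogin"
        and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
        and ev.get("additionalEventData", {}).get("MFAUsed") == "No"
    )


def is_cloudtrail_modified(ev: dict) -> bool:
    """A trail-tampering API call that was not rejected (no errorCode in the record)."""
    return (
        ev.get("eventSource") == "cloudtrail.amazonaws.com"
        and ev.get("eventName") in CLOUDTRAIL_TAMPER_EVENTS
        and "errorCode" not in ev
    )


RULES: dict[str, Callable[[dict], bool]] = {
    "AWS root account activity": is_root_activity,
    "AWS console login without MFA": is_console_login_without_mfa,
    "AWS CloudTrail configuration modified": is_cloudtrail_modified,
}


def evaluate(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule name, eventID) for every rule each event satisfies.
    One event can raise several signals, as the root login below shows."""
    hits = []
    for ev in events:
        for name, predicate in RULES.items():
            if predicate(ev):
                hits.append((name, ev["eventID"]))
    return hits


# Constructed sample records (not real CloudTrail data); only the fields
# the predicates read are populated.
SAMPLE_EVENTS = [
    {  # root signs in to the console without MFA: two rules fire
        "eventID": "e1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {  # IAM user signs in with MFA: nothing fires
        "eventID": "e2", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {  # failed no-MFA login: not a successful login, so the MFA rule stays quiet
        "eventID": "e3", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {  # trail logging stopped successfully
        "eventID": "e4", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
    },
    {  # tamper attempt that IAM denied: recorded, but not a configuration change
        "eventID": "e5", "eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "errorCode": "AccessDenied",
    },
]

if __name__ == "__main__":
    for rule, event_id in evaluate(SAMPLE_EVENTS):
        print(f"{event_id}: {rule}")
```

The denied DeleteTrail (e5) is deliberately not counted as a configuration change; a production rule would typically surface it separately, for instance through the "anomalous number of AccessDenied errors" style of detection listed above.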

CrowdStrike

Docker
docker /usr/bin/containerd should be audited if applicable
docker /var/lib/docker should be audited
docker Container images should include HEALTHCHECK instructions
docker Container runtime should include the --pids-limit flag for cgroup limit parameter
docker Containers on the default network bridge should restrict network traffic
docker Containers should have an enabled AppArmor profile
docker Containers should have memory usage limits configured on Docker hosts
docker Containers should not mount the Docker socket docker.sock inside them
docker Containers should not run in privileged mode
docker Containers should not share the host's user namespaces
docker Containers should run as a non-root user
docker Containers should use the cgroup configured in Docker
docker Docker daemon activities should be audited
docker Docker-related files should be audited in /etc/docker
docker Incoming system calls should be filtered using enabled Seccomp profiles
docker Kernel capabilities in Linux should only be granted when necessary
docker Private registry should use TLS encryption for a secure Docker environment
docker Privileged port mapping for containers should be restricted to increase security
docker Processes in containers should have isolated Process ID (PID) namespaces
docker SELinux security options should be properly configured for effective application security
docker Sensitive host system directories should not be mounted on containers
docker The /etc/default/docker file ownership should be set to root
docker The /etc/default/docker file permissions should be set to 644 or stricter
docker The /etc/docker directory permissions should be set to 755 or stricter
docker The /etc/docker directory should be owned by root account
docker The /etc/sysconfig/docker file permissions should be set to 644 or stricter
docker The /etc/sysconfig/docker file should be owned by the root account and group
docker The /usr/sbin/runc executable should be audited, if applicable
docker The container should have a restart policy limited to 5 attempts
docker The container should restrict acquiring additional privileges via suid or sgid bits
docker The container's health should be constantly monitored
docker The container's root filesystem should be set to read-only
docker The critical containers should be configured to remain responsive
docker The daemon.json file should have permissions set to 644 or stricter
docker The daemon.json file should have user and group ownership set to root
docker The default Docker configuration file should be audited on RHEL
docker The default Docker configuration file should be audited, if applicable
docker The Docker daemon configuration file should be audited if applicable
docker The Docker daemon log level should be set to 'info'
docker The Docker daemon should be allowed to configure the firewall rules
docker The Docker daemon should only be controlled by root and Docker group
docker The Docker instance should not use AUFS as its storage driver
docker The Docker local storage partition should be separate from other partitions
docker The Docker server certificate file should be owned by root
docker The Docker server certificate file should have read-only or more restrictive permissions
docker The Docker server certificate key file needs to have permissions of 400
docker The Docker server certificate key file should be owned by root
docker The Docker socket file should be owned by root and Docker group
docker The Docker socket file should have permissions of 660 or stricter
docker The docker.service file ownership and group should be set to root
docker The docker.service file permissions should be set to 644
docker The docker.service file should have auditing configured if applicable
docker The docker.socket file should be audited, if applicable
docker The docker.socket file should be owned by root
docker The file permissions on docker.socket should be set to 644 or stricter
docker The host's network namespace should be hidden from containers
docker The IPC namespace on the host should remain isolated from containers
docker The registry certificate files should be individually and group owned by root
docker The registry certificate files should have read-only or stricter permissions
docker The TLS CA certificate file should be owned by root account
docker The TLS CA certificate file should have read-only or more restrictive permissions
docker The UTS namespace should not be shared with the host
docker TLS authentication should be enabled for Docker daemon to restrict remote access
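Several of the Docker container checks above (privileged mode, docker.sock mount, shared host namespaces, non-root user, read-only root filesystem, no-new-privileges, memory and pids limits, HEALTHCHECK, bounded restart policy, sensitive host directories) can be evaluated from the JSON that `docker inspect` returns for a container. The following Python is an added example written for this page, not Datadog's check implementation: the field names follow the Docker Engine container-inspect document (HostConfig, Config, Mounts), while the finding codes, the sensitive-directory list and the two sample documents are this example's own constructions.

```python
# Added example: evaluates a subset of the Docker container checks listed above
# against a `docker inspect` container document. Field names follow the Docker
# Engine container-inspect JSON; the finding codes and sensitive-directory list
# are this example's own choices, not Datadog's.

DOCKER_SOCK = "/var/run/docker.sock"
# Host paths whose bind-mount hands the container the host's configuration or devices.
SENSITIVE_HOST_DIRS = {"/", "/boot", "/dev", "/etc", "/lib", "/proc", "/sys", "/usr"}


def container_findings(c: dict) -> list[str]:
    """Return short codes for each benchmark the container fails (empty list = clean)."""
    hc = c.get("HostConfig", {})
    cfg = c.get("Config", {})
    findings = []

    if hc.get("Privileged"):
        findings.append("privileged")
    if not cfg.get("User"):  # empty string means the image's default user, usually root
        findings.append("runs-as-root")
    for label, key in (("pid", "PidMode"), ("ipc", "IpcMode"),
                       ("net", "NetworkMode"), ("uts", "UTSMode"), ("userns", "UsernsMode")):
        if hc.get(key) == "host":
            findings.append(f"host-{label}-namespace")

    for m in c.get("Mounts", []):
        src = m.get("Source", "")
        if src == DOCKER_SOCK:
            findings.append("docker-sock-mounted")
        elif m.get("Type") == "bind" and src in SENSITIVE_HOST_DIRS:
            findings.append(f"sensitive-mount:{src}")

    if not hc.get("ReadonlyRootfs"):
        findings.append("writable-rootfs")

    opts = hc.get("SecurityOpt") or []
    if not any(o.startswith("no-new-privileges") and not o.endswith(":false") for o in opts):
        findings.append("suid-escalation-allowed")
    if "apparmor=unconfined" in opts:
        findings.append("apparmor-disabled")

    if not hc.get("Memory"):        # 0 means no memory limit
        findings.append("no-memory-limit")
    pids = hc.get("PidsLimit")
    if pids is None or pids <= 0:   # null, 0 and -1 all mean unlimited
        findings.append("no-pids-limit")

    if not cfg.get("Healthcheck"):
        findings.append("no-healthcheck")

    rp = hc.get("RestartPolicy") or {}
    name, retries = rp.get("Name", ""), rp.get("MaximumRetryCount", 0)
    # on-failure with MaximumRetryCount 0 retries forever; the benchmark wants on-failure:5
    if name in ("always", "unless-stopped") or (name == "on-failure" and (retries == 0 or retries > 5)):
        findings.append("unbounded-restart-policy")
    return findings


# Constructed sample documents (not captured from a real host), trimmed to the fields read above.
WEAK = {
    "Id": "c0ffee", "Name": "/legacy-app",
    "Config": {"User": "", "Healthcheck": None},
    "HostConfig": {
        "Privileged": True, "PidMode": "host", "IpcMode": "private", "NetworkMode": "bridge",
        "UTSMode": "", "UsernsMode": "", "ReadonlyRootfs": False, "SecurityOpt": None,
        "Memory": 0, "PidsLimit": None,
        "RestartPolicy": {"Name": "always", "MaximumRetryCount": 0},
    },
    "Mounts": [
        {"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"},
        {"Type": "bind", "Source": "/etc", "Destination": "/host-etc"},
    ],
}

HARDENED = {
    "Id": "abc123", "Name": "/api",
    "Config": {"User": "10001:10001",
               "Healthcheck": {"Test": ["CMD", "curl", "-f", "http://localhost:8080/healthz"]}},
    "HostConfig": {
        "Privileged": False, "PidMode": "", "IpcMode": "private", "NetworkMode": "bridge",
        "UTSMode": "", "UsernsMode": "", "ReadonlyRootfs": True,
        "SecurityOpt": ["no-new-privileges:true"],
        "Memory": 268435456, "PidsLimit": 200,
        "RestartPolicy": {"Name": "on-failure", "MaximumRetryCount": 5},
    },
    "Mounts": [{"Type": "volume", "Source": "api-data", "Destination": "/data"}],
}

if __name__ == "__main__":
    for doc in (WEAK, HARDENED):
        print(doc["Name"], container_findings(doc) or ["ok"])
```

Feeding real data is a matter of `docker inspect <id>` piped through `json.loads`; the check reads only HostConfig, Config and Mounts, so the rest of the document can be dropped.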

EC2
ec2 Amazon Machine Image (AMI) should only be available to trusted accounts
ec2 EC2 instance should not have a highly-privileged IAM role attached to it
ec2 EC2 instances should enforce IMDSv2
ec2 Inbound CIFS access should be restricted
ec2 Inbound DNS access should be restricted
ec2 Inbound FTP access should be restricted
ec2 Inbound HTTP access should be restricted
ec2 Inbound HTTPS access should be restricted
ec2 Inbound ICMP access to the host should be restricted
ec2 Inbound MongoDB access should be restricted
ec2 Inbound MSSQL access should be restricted
ec2 Inbound OpenSearch access should be restricted
ec2 Inbound Oracle access should be restricted
ec2 Inbound RPC access should be restricted
ec2 Inbound SMTP access should be restricted
ec2 Inbound TCP NetBIOS access should be restricted
ec2 Inbound Telnet access should be restricted
ec2 Inbound UDP NetBIOS access should be restricted
ec2 MySQL inbound access should be restricted
ec2 Outbound access on all ports should be restricted
ec2 PostgreSQL inbound access should be restricted
ec2 Publicly accessible EC2 instance connected to known attack domain
ec2 Publicly Accessible EC2 instance has a critical vulnerability
ec2 Publicly accessible EC2 instance performed cryptomining operations
ec2 Publicly accessible EC2 instance performing SSH scanning
ec2 Publicly accessible EC2 instance should not have open administrative ports
ec2 Publicly accessible EC2 instance uses IMDSv1
ec2 Publicly accessible EC2 instances should not have highly-privileged IAM roles
ec2 Security groups should restrict ingress traffic to specified IPv4 addresses
ec2 Security groups should restrict ingress traffic to specified IPv6 addresses
ec2 The default security group should restrict all traffic in a VPC
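The "open to the world", "Inbound <service> access should be restricted" and "default security group" checks above all reduce to inspecting security-group ingress rules for 0.0.0.0/0 or ::/0 sources that reach a given port. The following Python is an added example written for this page, not Datadog's implementation: the rule shape follows the EC2 DescribeSecurityGroups response (IpPermissions with IpProtocol, FromPort, ToPort, IpRanges, Ipv6Ranges), while the service-to-port table, the finding wording and the sample groups are this example's own assumptions. It generalises the per-service rules in the list to one table-driven check.

```python
# Added example: security-group ingress evaluation for the EC2 checks listed above.
# Rule shape follows the EC2 DescribeSecurityGroups response; the service/port
# table and finding wording are this example's own, not Datadog's.

ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"

# Service name -> (protocol, port). Assumed table matching the rule names on this page.
RESTRICTED_SERVICES = {
    "FTP": ("tcp", 21), "SSH": ("tcp", 22), "Telnet": ("tcp", 23), "SMTP": ("tcp", 25),
    "DNS (TCP)": ("tcp", 53), "DNS (UDP)": ("udp", 53), "HTTP": ("tcp", 80), "RPC": ("tcp", 135),
    "UDP NetBIOS": ("udp", 137), "TCP NetBIOS": ("tcp", 139), "HTTPS": ("tcp", 443),
    "CIFS": ("tcp", 445), "MSSQL": ("tcp", 1433), "Oracle": ("tcp", 1521),
    "MySQL": ("tcp", 3306), "RDP": ("tcp", 3389), "PostgreSQL": ("tcp", 5432),
    "OpenSearch": ("tcp", 9200), "MongoDB": ("tcp", 27017),
}


def _is_world(perm: dict) -> bool:
    """True when the permission's source includes every IPv4 or every IPv6 address."""
    return (any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", [])))


def _covers(perm: dict, proto: str, port: int) -> bool:
    """True when the permission admits port/proto; IpProtocol "-1" means all traffic."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != proto:
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:    # no port range given: treat conservatively as all ports
        return True
    return lo <= port <= hi


def security_group_findings(sg: dict) -> list[str]:
    """Return findings for one DescribeSecurityGroups entry."""
    findings = []
    perms = sg.get("IpPermissions", [])
    # The VPC default group should carry no rules at all (AWS creates it with a
    # self-referencing ingress rule and allow-all egress).
    if sg.get("GroupName") == "default" and (perms or sg.get("IpPermissionsEgress")):
        findings.append("default security group has rules")
    world = [p for p in perms if _is_world(p)]
    if world:
        findings.append("ingress open to the world")
    for service, (proto, port) in RESTRICTED_SERVICES.items():
        if any(_covers(p, proto, port) for p in world):
            findings.append(f"inbound {service} open to the world")
    return findings


def audit(groups: list[dict]) -> dict[str, list[str]]:
    """Map GroupId -> findings for every group that has at least one."""
    result = {}
    for sg in groups:
        f = security_group_findings(sg)
        if f:
            result[sg["GroupId"]] = f
    return result


# Constructed sample groups (not from a real account), trimmed to the fields read above.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},   # internal only
     ]},
    {"GroupId": "sg-0bbb", "GroupName": "db",
     "IpPermissions": [   # all protocols from any IPv6 source: every service is exposed
         {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     ]},
    {"GroupId": "sg-0ccc", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0ccc"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0ddd", "GroupName": "app",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
     ]},
]

if __name__ == "__main__":
    for group_id, findings in audit(SAMPLE_GROUPS).items():
        print(group_id, findings)
```

Note that sg-0aaa only exposes 443, so it trips the HTTPS rule and the generic "open to the world" rule but not SSH, whose rule is scoped to 10.0.0.0/8; sg-0ddd produces no findings at all.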

GCP
gcp Access denied for Google Cloud Service Account
gcp Anomalous number of Google Cloud Compute GPU virtual machines created
gcp Anomalous number of Google Cloud Storage Buckets Accessed
gcp Anomalous number of Google Cloud Storage Objects Accessed
gcp Anomalous number of Google Compute Engine instances created in multiple zones by user
gcp Attempt to add SSH key to Google Compute Engine project metadata by a previously unseen user
gcp Google App Engine service account used outside of Google Cloud
gcp Google Cloud BigQuery - query results saved to cloud storage
gcp Google Cloud BigQuery - query results saved to new table
gcp Google Cloud BigQuery results saved to cloud storage by a previously unseen user
gcp Google Cloud Compute Engine GPU virtual machine instance created
gcp Google Cloud GCE instance startup script added or modified
gcp Google Cloud IAM policy modified
gcp Google Cloud IAM role created
gcp Google Cloud IAM Role updated
gcp Google Cloud Logging Bucket deleted
gcp Google Cloud logging sink modified
gcp Google Cloud Project external principal added as project owner
gcp Google Cloud Pub/Sub Subscriber modified
gcp Google Cloud Pub/Sub topic deleted
gcp Google Cloud Service Account accessing anomalous number of Google Cloud APIs
gcp Google Cloud Service Account created
gcp Google Cloud Service Account Impersonation activity using access token generation
gcp Google Cloud Service Account Impersonation using GCPloit Exploitation Framework
gcp Google Cloud Service Account key created
gcp Google Cloud SQL database modified
gcp Google Cloud SQL instance data exported to cloud storage
gcp Google Cloud SQL instance data exported to cloud storage by a previously unseen user
gcp Google Cloud Storage Bucket contents downloaded without authentication
gcp Google Cloud Storage Bucket enumerated
gcp Google Cloud Storage Bucket modified
gcp Google Cloud Storage Bucket permissions modified
gcp Google Cloud unauthorized service account activity
gcp Google Cloud unauthorized user activity
gcp Google Compute Engine firewall egress rule opened to the world
gcp Google Compute Engine firewall rule modified
gcp Google Compute Engine image created
gcp Google Compute Engine instance metadata SSH key added or modified
gcp Google Compute Engine instances created in multiple zones by user
gcp Google Compute Engine network created
gcp Google Compute Engine network route created or modified
gcp Google Compute Engine project metadata SSH key added or modified
gcp Google Compute Engine service account used outside of Google Cloud
gcp Potential Google Cloud cryptomining attack from Tor IP
gcp Tor client IP address identified within Google Cloud environment

Google Cloud Asset Inventory

Google SQL Database Instance
google_sql_database_instance MySQL instance should have the 'skip_show_database' flag set to 'on'
google_sql_database_instance MySQL instances should have the 'local_infile' database flag set to 'off'
google_sql_database_instance PostgreSQL instance should have the 'log_disconnections' database flag enabled
google_sql_database_instance PostgreSQL instances should have the 'cloudsql.enable_pgaudit' database flag set to 'on'
google_sql_database_instance PostgreSQL instances should have the 'log_connections' database flag set to 'on'
google_sql_database_instance PostgreSQL instances should have the 'log_error_verbosity' flag set to 'DEFAULT' or stricter
google_sql_database_instance PostgreSQL instances should have the 'log_hostname' database flag set to 'on'
google_sql_database_instance PostgreSQL instances should have the 'log_min_messages' database flag set to at least 'WARNING'
google_sql_database_instance PostgreSQL instances should have the 'log_statement' database flag set appropriately
google_sql_database_instance PostgreSQL instances should have the `log_min_duration_statement` flag set to '-1' (disabled)
google_sql_database_instance PostgreSQL instances should have the `log_min_error_statement` flag set to 'ERROR' or stricter
google_sql_database_instance SQL database instances should enforce SSL for all incoming connections
google_sql_database_instance SQL database instances should have automated backups enabled
google_sql_database_instance SQL Database instances should only allow ingress traffic from specific IP addresses
google_sql_database_instance SQL Server instances should have the 'contained database authentication' database flag set to 'off'
google_sql_database_instance SQL Server instances should have the 'cross db ownership chaining' database flag set to 'off'
google_sql_database_instance SQL Server instances should have the 'external scripts enabled' database flag set to 'off'
google_sql_database_instance SQL Server instances should have the 'remote access' database flag set to 'off'
google_sql_database_instance SQL Server instances should have the 'user connections' database flag set to a non-limiting value
google_sql_database_instance SQL Server instances should have the `3625 (trace flag)` database flag set to 'off'
google_sql_database_instance SQL Server instances should have the `user options` database flag disabled

Google Security Command Center

Google Workspace Alert Center

Host Benchmarks
host-benchmarks A remote time server for Chrony is configured
host-benchmarks Add grpquota Option to /home
host-benchmarks Add nodev Option to /dev/shm
host-benchmarks Add nodev Option to /home
host-benchmarks Add nodev Option to /tmp
host-benchmarks Add nodev Option to /var
host-benchmarks Add nodev Option to /var/log
host-benchmarks Add nodev Option to /var/log/audit
host-benchmarks Add nodev Option to /var/tmp
host-benchmarks Add nodev Option to Removable Media Partitions
host-benchmarks Add noexec Option to /dev/shm
host-benchmarks Add noexec Option to /tmp
host-benchmarks Add noexec Option to /var
host-benchmarks Add noexec Option to /var/log
host-benchmarks Add noexec Option to /var/log/audit
host-benchmarks Add noexec Option to /var/tmp
host-benchmarks Add noexec Option to Removable Media Partitions
host-benchmarks Add nosuid Option to /dev/shm
host-benchmarks Add nosuid Option to /home
host-benchmarks Add nosuid Option to /tmp
host-benchmarks Add nosuid Option to /var
host-benchmarks Add nosuid Option to /var/log
host-benchmarks Add nosuid Option to /var/log/audit
host-benchmarks Add nosuid Option to /var/tmp
host-benchmarks Add nosuid Option to Removable Media Partitions
host-benchmarks Add usrquota Option to /home
host-benchmarks All AppArmor Profiles are in enforce or complain mode
host-benchmarks All GIDs referenced in /etc/passwd must be defined in /etc/group
host-benchmarks All Interactive User Home Directories Must Be Group-Owned By The Primary Group
host-benchmarks All Interactive User Home Directories Must Be Owned By The Primary User
host-benchmarks All Interactive User Home Directories Must Have mode 0750 Or Less Permissive
host-benchmarks All Interactive Users Home Directories Must Exist
host-benchmarks Audit Configuration Files Must Be Owned By Group root
host-benchmarks Audit Configuration Files Must Be Owned By Root
host-benchmarks Build and Test AIDE Database
host-benchmarks Configure Accepting Router Advertisements on All IPv6 Interfaces
host-benchmarks Configure AIDE to Verify the Audit Tools
host-benchmarks Configure auditd admin_space_left Action on Low Disk Space
host-benchmarks Configure auditd mail_acct Action on Low Disk Space
host-benchmarks Configure auditd Max Log File Size
host-benchmarks Configure auditd max_log_file_action Upon Reaching Maximum Log Size
host-benchmarks Configure auditd Number of Logs Retained
host-benchmarks Configure auditd space_left Action on Low Disk Space
host-benchmarks Configure auditd to use audispd's syslog plugin
host-benchmarks Configure BIND to use System Crypto Policy
host-benchmarks Configure Firewalld to Restrict Loopback Traffic
host-benchmarks Configure Firewalld to Trust Loopback Traffic
host-benchmarks Configure Kerberos to use System Crypto Policy
host-benchmarks Configure Kernel Parameter for Accepting Secure Redirects By Default
host-benchmarks Configure Libreswan to use System Crypto Policy
host-benchmarks Configure ntpd To Run As ntp User
host-benchmarks Configure OpenSSL library to use System Crypto Policy
host-benchmarks Configure Periodic Execution of AIDE
host-benchmarks Configure SELinux Policy
host-benchmarks Configure server restrictions for ntpd
host-benchmarks Configure SSH to use System Crypto Policy
host-benchmarks Configure System Cryptography Policy
host-benchmarks Deactivate Wireless Network Interfaces
host-benchmarks Direct root Logins Not Allowed
host-benchmarks Disable Accepting ICMP Redirects for All IPv4 Interfaces
host-benchmarks Disable Accepting ICMP Redirects for All IPv6 Interfaces
host-benchmarks Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
host-benchmarks Disable Apache Qpid (qpidd)
host-benchmarks Disable Apport Service
host-benchmarks Disable At Service (atd)
host-benchmarks Disable Automatic Bug Reporting Tool (abrtd)
host-benchmarks Disable Avahi Server Software
host-benchmarks Disable core dump backtraces
host-benchmarks Disable Core Dumps for All Users
host-benchmarks Disable Core Dumps for SUID programs
host-benchmarks Disable GNOME3 Automount Opening
host-benchmarks Disable GNOME3 Automount running
host-benchmarks Disable GNOME3 Automounting
host-benchmarks Disable graphical user interface
host-benchmarks Disable Host-Based Authentication
host-benchmarks Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
host-benchmarks Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
host-benchmarks Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
host-benchmarks Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
host-benchmarks Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
host-benchmarks Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
host-benchmarks Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
host-benchmarks Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
host-benchmarks Disable Kernel Parameter for IPv6 Forwarding
host-benchmarks Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
host-benchmarks Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
host-benchmarks Disable Kernel Support for USB via Bootloader Configuration
host-benchmarks Disable Modprobe Loading of USB Storage Driver
host-benchmarks Disable Mounting of cramfs
host-benchmarks Disable Mounting of freevxfs
host-benchmarks Disable Mounting of hfs
host-benchmarks Disable Mounting of hfsplus
host-benchmarks Disable Mounting of jffs2
host-benchmarks Disable Mounting of squashfs
host-benchmarks Disable Mounting of udf
host-benchmarks Disable Network File System (nfs)
host-benchmarks Disable Network Router Discovery Daemon (rdisc)
host-benchmarks Disable ntpdate Service (ntpdate)
host-benchmarks Disable Odd Job Daemon (oddjobd)
host-benchmarks Disable Postfix Network Listening
host-benchmarks Disable rpcbind Service
host-benchmarks Disable SSH Access via Empty Passwords
host-benchmarks Disable SSH Root Login
host-benchmarks Disable SSH Support for .rhosts Files
host-benchmarks Disable storing core dump
host-benchmarks Disable systemd-journal-remote Socket
host-benchmarks Disable the Automounter
host-benchmarks Disable the CUPS Service
host-benchmarks Disable the GNOME3 Login User List
host-benchmarks Disable XDMCP in GDM
host-benchmarks Do Not Allow SSH Environment Options
host-benchmarks Enable auditd Service
host-benchmarks Enable Auditing for Processes Which Start Prior to the Audit Daemon
host-benchmarks Enable authselect
host-benchmarks Enable cron Daemon
host-benchmarks Enable cron Service
host-benchmarks Enable GNOME3 Login Warning Banner
host-benchmarks Enable GNOME3 Screensaver Lock After Idle Period
host-benchmarks Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
host-benchmarks Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
host-benchmarks Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces
host-benchmarks Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
host-benchmarks Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
host-benchmarks Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
host-benchmarks Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default
host-benchmarks Enable NX or XD Support in the BIOS
host-benchmarks Enable PAM
host-benchmarks Enable Randomized Layout of Virtual Address Space
host-benchmarks Enable rsyslog Service
host-benchmarks Enable SSH Warning Banner
host-benchmarks Enable systemd_timesyncd Service
host-benchmarks Enable systemd-journald Service
host-benchmarks Enable the NTP Daemon
host-benchmarks Enable the NTP Daemon (al2023)
host-benchmarks Enable the NTP Service
host-benchmarks Enforce usage of pam_wheel for su authentication
host-benchmarks Enforce Usage of pam_wheel with Group Parameter for su Authentication
host-benchmarks Ensure /dev/shm is configured
host-benchmarks Ensure /tmp Located On Separate Partition
host-benchmarks Ensure /var/log Located On Separate Partition
host-benchmarks Ensure /var/log/audit Located On Separate Partition
host-benchmarks Ensure a Table Exists for Nftables
host-benchmarks Ensure All Accounts on the System Have Unique Names
host-benchmarks Ensure All Accounts on the System Have Unique User IDs
host-benchmarks Ensure All Files Are Owned by a Group
host-benchmarks Ensure All Files Are Owned by a User
host-benchmarks Ensure All Groups on the System Have Unique Group ID
host-benchmarks Ensure All Groups on the System Have Unique Group Names
host-benchmarks Ensure All SGID Executables Are Authorized
host-benchmarks Ensure All SUID Executables Are Authorized
host-benchmarks Ensure all users last password change date is in the past
host-benchmarks Ensure AppArmor is enabled in the bootloader configuration
host-benchmarks Ensure AppArmor is installed
host-benchmarks Ensure auditd Collects File Deletion Events by User
host-benchmarks Ensure auditd Collects Information on Exporting to Media (successful)
host-benchmarks Ensure auditd Collects Information on Kernel Module Loading and Unloading
host-benchmarks Ensure auditd Collects Information on the Use of Privileged Commands
host-benchmarks Ensure auditd Collects System Administrator Actions
host-benchmarks Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
host-benchmarks Ensure Authentication Required for Single User Mode
host-benchmarks Ensure Base Chains Exist for Nftables
host-benchmarks Ensure gpgcheck Enabled for All yum Package Repositories
host-benchmarks Ensure gpgcheck Enabled In Main yum Configuration
host-benchmarks Ensure ip6tables Firewall Rules Exist for All Open Ports
host-benchmarks Ensure iptables Firewall Rules Exist for All Open Ports
host-benchmarks Ensure journald is configured to compress large log files
host-benchmarks Ensure journald is configured to send logs to rsyslog
host-benchmarks Ensure journald is configured to write log files to persistent disk
host-benchmarks Ensure LDAP client is not installed
host-benchmarks Ensure Log Files Are Owned By Appropriate Group
host-benchmarks Ensure Log Files Are Owned By Appropriate User
host-benchmarks Ensure Logs Sent To Remote Host
host-benchmarks Ensure Mail Transfer Agent is not Listening on any non-loopback Address
host-benchmarks Ensure network interfaces are assigned to appropriate zone
host-benchmarks Ensure nftables Default Deny Firewall Policy
host-benchmarks Ensure nftables Rules are Permanent
host-benchmarks Ensure No Daemons are Unconfined by SELinux
host-benchmarks Ensure No World-Writable Files Exist
host-benchmarks Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
host-benchmarks Ensure PAM Displays Last Logon/Access Notification
host-benchmarks Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
host-benchmarks Ensure PAM Enforces Password Requirements - Minimum Different Categories
host-benchmarks Ensure PAM Enforces Password Requirements - Minimum Digit Characters
host-benchmarks Ensure PAM Enforces Password Requirements - Minimum Length
host-benchmarks Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
host-benchmarks Ensure PAM Enforces Password Requirements - Minimum Special Characters
host-benchmarks Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
host-benchmarks Ensure rsyslog Default File Permissions Configured
host-benchmarks Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
host-benchmarks Ensure rsyslog is Installed
host-benchmarks Ensure SELinux is Not Disabled
host-benchmarks Ensure SELinux Not Disabled in /etc/default/grub
host-benchmarks Ensure SELinux State is Enforcing
host-benchmarks Ensure shadow Group is Empty
host-benchmarks Ensure Software Patches Installed
host-benchmarks Ensure SSH LoginGraceTime is configured
host-benchmarks Ensure SSH MaxStartups is configured
host-benchmarks Ensure Sudo Logfile Exists - sudo logfile
host-benchmarks Ensure System Log Files Have Correct Permissions
host-benchmarks Ensure that /etc/at.deny does not exist
host-benchmarks Ensure that /etc/cron.deny does not exist
host-benchmarks Ensure that chronyd is running under chrony user account
host-benchmarks Ensure that Root's Path Does Not Include Relative Paths or Null Directories
host-benchmarks Ensure that Root's Path Does Not Include World or Group-Writable Directories
host-benchmarks Ensure that System Accounts Are Locked
host-benchmarks Ensure that System Accounts Do Not Run a Shell Upon Login
host-benchmarks Ensure the Default Bash Umask is Set Correctly
host-benchmarks Ensure the Default C Shell Umask is Set Correctly
host-benchmarks Ensure the Default Umask is Set Correctly For Interactive Users
host-benchmarks Ensure the Default Umask is Set Correctly in /etc/profile
host-benchmarks Ensure the Default Umask is Set Correctly in login.defs
host-benchmarks Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty
host-benchmarks Ensure There Are No Accounts With Blank or Null Passwords
host-benchmarks Ensure ufw Default Deny Firewall Policy
host-benchmarks Ensure ufw Firewall Rules Exist for All Open Ports
host-benchmarks Ensure Users Cannot Change GNOME3 Screensaver Settings
host-benchmarks Ensure Users Cannot Change GNOME3 Session Idle Settings
host-benchmarks Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
host-benchmarks Ensure users' .netrc Files are not group or world accessible
host-benchmarks Install AIDE
host-benchmarks Install firewalld Package
host-benchmarks Install iptables Package
host-benchmarks Install iptables-persistent Package
host-benchmarks Install libselinux Package
host-benchmarks Install nftables Package
host-benchmarks Install PAE Kernel on Supported 32-bit x86 Systems
host-benchmarks Install pam_pwquality Package
host-benchmarks Install sudo Package
host-benchmarks Install systemd-journal-remote Package
host-benchmarks Install the systemd_timesyncd Service
host-benchmarks Install ufw Package
host-benchmarks Limit Password Reuse
host-benchmarks Limit Password Reuse (ubuntu2204)
host-benchmarks Limit Password Reuse: password-auth
host-benchmarks Limit Password Reuse: system-auth
host-benchmarks Limit Users' SSH Access
host-benchmarks Lock Accounts After Failed Password Attempts
host-benchmarks Make sure that the dconf databases are up-to-date with regards to respective keyfiles
host-benchmarks Make the auditd Configuration Immutable
host-benchmarks Modify the System Login Banner
host-benchmarks Modify the System Login Banner for Remote Connections
host-benchmarks Modify the System Message of the Day Banner
host-benchmarks Package "prelink" Must not be Installed
host-benchmarks Prevent Login to Accounts With Empty Password
host-benchmarks Record Attempts to Alter Logon and Logout Events
host-benchmarks Record Attempts to Alter Process and Session Initiation Information
host-benchmarks Record Attempts to Alter the localtime File
host-benchmarks Record attempts to alter time through adjtimex
host-benchmarks Record Attempts to Alter Time Through clock_settime
host-benchmarks Record attempts to alter time through settimeofday
host-benchmarks Record Attempts to Alter Time Through stime
host-benchmarks Record Events that Modify the System's Discretionary Access Controls - chmod
host-benchmarks Record Events that Modify the System's Discretionary Access Controls - chown
host-benchmarks Record Events that Modify the System's Discretionary Access Controls - fchmod
host-benchmarks Record Events that Modify the System's Discretionary Access Controls - fchmodat
host-benchmarks Record Events that Modify the System's Discretionary Access Controls - fchown
host-benchmarks Record Events that Modify the System's Discretionary Access Controls - fchownat
host-benchmarks Record Events that Modify the System's Discretionary Access Controls - fremovexattr
host-benchmarks Record Events that Modify the System's Discretionary Access Controls - fsetxattr
host-benchmarks Record Events that Modify the System's Discretionary Access Controls - lchown
host-benchmarks Record Events that Modify the System's Discretionary Access Controls - lremovexattr
host-benchmarks Record Events that Modify the System's Discretionary Access Controls - lsetxattr
host-benchmarks Record Events that Modify the System's Discretionary Access Controls - removexattr
host-benchmarks Record Events that Modify the System's Discretionary Access Controls - setxattr
host-benchmarks Record Events that Modify the System's Mandatory Access Controls
host-benchmarks Record Events that Modify the System's Network Environment
host-benchmarks Record Events that Modify User/Group Information
host-benchmarks Remove ftp Package
host-benchmarks Remove iptables-persistent Package
host-benchmarks Remove iptables-services Package
host-benchmarks Remove NIS Client
host-benchmarks Remove Rsh Trust Files
host-benchmarks Remove telnet Clients
host-benchmarks Remove tftp Daemon
host-benchmarks Remove the GDM Package Group
host-benchmarks Remove the X Windows Package Group
host-benchmarks Remove ufw Package
host-benchmarks Require Authentication for Emergency Systemd Target
host-benchmarks Require Authentication for Single User Mode
host-benchmarks Require Re-Authentication When Using the sudo Command
host-benchmarks Restrict Serial Port Root Logins
host-benchmarks Restrict Virtual Console Root Logins
host-benchmarks Set Account Expiration Following Inactivity
host-benchmarks Set configuration for IPv6 loopback traffic
host-benchmarks Set configuration for loopback traffic
host-benchmarks Set Default firewalld Zone for Incoming Packets
host-benchmarks Set Default ip6tables Policy for Incoming Packets
host-benchmarks Set Default iptables Policy for Incoming Packets
host-benchmarks Set Deny For Failed Password Attempts
host-benchmarks Set existing passwords a period of inactivity before they been locked
host-benchmarks Set Existing Passwords Maximum Age
host-benchmarks Set Existing Passwords Minimum Age
host-benchmarks Set Existing Passwords Warning Age
host-benchmarks Set GNOME3 Screensaver Inactivity Timeout
host-benchmarks Set GNOME3 Screensaver Lock Delay After Activation Period
host-benchmarks Set Interactive Session Timeout
host-benchmarks Set Interval For Counting Failed Password Attempts
host-benchmarks Set Lockout Time for Failed Password Attempts
host-benchmarks Set LogLevel to INFO
host-benchmarks Set nftables Configuration for Loopback Traffic
host-benchmarks Set PAM's Password Hashing Algorithm
host-benchmarks Set PAM's Password Hashing Algorithm - password-auth
host-benchmarks Set Password Hashing Algorithm in /etc/login.defs
host-benchmarks Set Password Maximum Age
host-benchmarks Set Password Minimum Age
host-benchmarks Set Password Minimum Length in login.defs
host-benchmarks Set Password Warning Age
host-benchmarks Set SSH authentication attempt limit
host-benchmarks Set SSH Client Alive Count Max
host-benchmarks Set SSH Client Alive Interval
host-benchmarks Set SSH Daemon LogLevel to VERBOSE
host-benchmarks Set SSH MaxSessions limit
host-benchmarks Set the GNOME3 Login Warning Banner Text
host-benchmarks Set UFW Loopback Traffic
host-benchmarks Specify a Remote NTP Server
host-benchmarks Specify a Remote NTP Server (al2023)
host-benchmarks System Audit Logs Must Be Group Owned By Root
host-benchmarks System Audit Logs Must Be Owned By Root
host-benchmarks System Audit Logs Must Be Owned By Root (al2023)
host-benchmarks System Audit Logs Must Have Mode 0640 or Less Permissive
host-benchmarks System Audit Logs Must Have Mode 0750 or Less Permissive
host-benchmarks The Chrony package is installed
host-benchmarks The Chronyd service is enabled
host-benchmarks Uninstall avahi Server Package
host-benchmarks Uninstall avahi-autoipd Server Package
host-benchmarks Uninstall bind Package
host-benchmarks Uninstall CUPS Package
host-benchmarks Uninstall cyrus-imapd Package
host-benchmarks Uninstall DHCP Server Package
host-benchmarks Uninstall dnsmasq Package
host-benchmarks Uninstall dovecot Package
host-benchmarks Uninstall httpd Package
host-benchmarks Uninstall mcstrans Package
host-benchmarks Uninstall net-snmp Package
host-benchmarks Uninstall nfs-kernel-server Package
host-benchmarks Uninstall nfs-utils Package
host-benchmarks Uninstall nftables package
host-benchmarks Uninstall nginx Package
host-benchmarks Uninstall openldap-servers Package
host-benchmarks Uninstall rpcbind Package
host-benchmarks Uninstall rsh Package
host-benchmarks Uninstall rsync Package
host-benchmarks Uninstall Samba Package
host-benchmarks Uninstall setroubleshoot Package
host-benchmarks Uninstall squid Package
host-benchmarks Uninstall talk Package
host-benchmarks Uninstall telnet-server Package
host-benchmarks Uninstall tftp-server Package
host-benchmarks Uninstall the nis package
host-benchmarks Uninstall vsftpd Package
host-benchmarks Uninstall xinetd Package
host-benchmarks Uninstall ypserv Package
host-benchmarks Use Only FIPS 140-2 Validated Ciphers
host-benchmarks Use Only FIPS 140-2 Validated MACs
host-benchmarks Use Only Strong Ciphers
host-benchmarks Use Only Strong Key Exchange algorithms
host-benchmarks Use Only Strong MACs
host-benchmarks User Initialization Files Must Be Group-Owned By The Primary Group
host-benchmarks User Initialization Files Must Be Owned By the Primary User
host-benchmarks User Initialization Files Must Not Run World-Writable Programs
host-benchmarks Verify /boot/efi/EFI/redhat/user.cfg Group Ownership
host-benchmarks Verify /boot/efi/EFI/redhat/user.cfg Permissions
host-benchmarks Verify /boot/efi/EFI/redhat/user.cfg User Ownership
host-benchmarks Verify /boot/grub/grub.cfg Permissions
host-benchmarks Verify /boot/grub/grub.cfg User Ownership
host-benchmarks Verify /boot/grub2/grub.cfg Group Ownership
host-benchmarks Verify /boot/grub2/user.cfg Group Ownership
host-benchmarks Verify /boot/grub2/user.cfg Permissions
host-benchmarks Verify /boot/grub2/user.cfg User Ownership
host-benchmarks Verify All Account Password Hashes are Shadowed
host-benchmarks Verify All Account Password Hashes are Shadowed with SHA512
host-benchmarks Verify and Correct File Permissions with RPM
host-benchmarks Verify File Hashes with RPM
host-benchmarks Verify firewalld Enabled
host-benchmarks Verify Group Ownership of Message of the Day Banner
host-benchmarks Verify Group Ownership of System Login Banner
host-benchmarks Verify Group Ownership of System Login Banner for Remote Connections
host-benchmarks Verify Group Ownership on SSH Server Private *_key Key Files
host-benchmarks Verify Group Ownership on SSH Server Public *.pub Key Files
host-benchmarks Verify Group Who Owns /etc/at.allow file
host-benchmarks Verify Group Who Owns /etc/cron.allow file
host-benchmarks Verify Group Who Owns Backup group File
host-benchmarks Verify Group Who Owns Backup gshadow File
host-benchmarks Verify Group Who Owns Backup passwd File
host-benchmarks Verify Group Who Owns Backup shadow File
host-benchmarks Verify Group Who Owns cron.d
host-benchmarks Verify Group Who Owns cron.daily
host-benchmarks Verify Group Who Owns cron.hourly
host-benchmarks Verify Group Who Owns cron.monthly
host-benchmarks Verify Group Who Owns cron.weekly
host-benchmarks Verify Group Who Owns Crontab
host-benchmarks Verify Group Who Owns group File
host-benchmarks Verify Group Who Owns gshadow File
host-benchmarks Verify Group Who Owns passwd File
host-benchmarks Verify Group Who Owns shadow File
host-benchmarks Verify Group Who Owns SSH Server config file
host-benchmarks Verify nftables Service is Disabled
host-benchmarks Verify nftables Service is Enabled
host-benchmarks Verify No .forward Files Exist
host-benchmarks Verify No netrc Files Exist
host-benchmarks Verify Only Root Has UID 0
host-benchmarks Verify Owner on cron.d
host-benchmarks Verify Owner on cron.daily
host-benchmarks Verify Owner on cron.hourly
host-benchmarks Verify Owner on cron.monthly
host-benchmarks Verify Owner on cron.weekly
host-benchmarks Verify Owner on crontab
host-benchmarks Verify Owner on SSH Server config file
host-benchmarks Verify ownership of Message of the Day Banner
host-benchmarks Verify ownership of System Login Banner
host-benchmarks Verify ownership of System Login Banner for Remote Connections
host-benchmarks Verify Ownership on SSH Server Private *_key Key Files
host-benchmarks Verify Ownership on SSH Server Public *.pub Key Files
host-benchmarks Verify permissions of log files
host-benchmarks Verify Permissions on /etc/at.allow file
host-benchmarks Verify Permissions on /etc/audit/auditd.conf
host-benchmarks Verify Permissions on /etc/audit/rules.d/*.rules
host-benchmarks Verify Permissions on /etc/cron.allow file
host-benchmarks Verify Permissions on Backup group File
host-benchmarks Verify Permissions on Backup gshadow File
host-benchmarks Verify Permissions on Backup passwd File
host-benchmarks Verify Permissions on Backup shadow File
host-benchmarks Verify Permissions on cron.d
host-benchmarks Verify Permissions on cron.daily
host-benchmarks Verify Permissions on cron.hourly
host-benchmarks Verify Permissions on cron.monthly
host-benchmarks Verify Permissions on cron.weekly
host-benchmarks Verify Permissions on crontab
host-benchmarks Verify Permissions on group File
host-benchmarks Verify Permissions on gshadow File
host-benchmarks Verify permissions on Message of the Day Banner
host-benchmarks Verify Permissions on passwd File
host-benchmarks Verify Permissions on shadow File
host-benchmarks Verify Permissions on SSH Server config file
host-benchmarks Verify Permissions on SSH Server Private *_key Key Files
host-benchmarks Verify Permissions on SSH Server Public *.pub Key Files
host-benchmarks Verify permissions on System Login Banner
host-benchmarks Verify permissions on System Login Banner for Remote Connections
host-benchmarks Verify Root Has A Primary GID 0
host-benchmarks Verify that All World-Writable Directories Have Sticky Bits Set
host-benchmarks Verify that audit tools are owned by group root
host-benchmarks Verify that audit tools are owned by root
host-benchmarks Verify that audit tools Have Mode 0755 or less
host-benchmarks Verify that Shared Library Files Have Restrictive Permissions
host-benchmarks Verify that Shared Library Files Have Root Ownership
host-benchmarks Verify that System Executables Have Restrictive Permissions
host-benchmarks Verify that System Executables Have Root Ownership
host-benchmarks Verify the UEFI Boot Loader grub.cfg Group Ownership
host-benchmarks Verify the UEFI Boot Loader grub.cfg Permissions
host-benchmarks Verify the UEFI Boot Loader grub.cfg User Ownership
host-benchmarks Verify ufw Enabled