5 Access, Authentication and Authorization
List of content
5.1 Configure cron
5.1.1 Ensure cron daemon is enabled (Scored)
5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
5.1.8 Ensure at/cron is restricted to authorized users (Scored)
5.2 SSH Server Configuration
5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored)
5.2.2 Ensure SSH Protocol is set to 2 (Scored)
5.2.3 Ensure SSH LogLevel is set to INFO (Scored)
5.2.4 Ensure SSH X11 forwarding is disabled (Scored)
5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
5.2.6 Ensure SSH IgnoreRhosts is enabled (Scored)
5.2.7 Ensure SSH HostbasedAuthentication is disabled (Scored)
5.2.8 Ensure SSH root login is disabled (Scored)
5.2.9 Ensure SSH PermitEmptyPasswords is disabled (Scored)
5.2.10 Ensure SSH PermitUserEnvironment is disabled (Scored)
5.2.11 Ensure only approved ciphers are used (Scored)
5.2.12 Ensure only approved MAC algorithms are used (Scored)
5.2.13 Ensure SSH Idle Timeout Interval is configured (Scored)
5.2.14 Ensure SSH LoginGraceTime is set to one minute or less (Scored)
5.2.15 Ensure SSH access is limited (Scored)
5.2.16 Ensure SSH warning banner is configured (Scored)
5.3 Configure PAM
5.3.1 Ensure password creation requirements are configured (Scored)
5.3.2 Ensure lockout for failed password attempts is configured (Not Scored)
5.3.3 Ensure password reuse is limited (Scored)
5.3.4 Ensure password hashing algorithm is SHA-512 (Scored)
5.4 User Accounts and Environment
5.4.1 Set Shadow Password Suite Parameters
5.4.1.1 Ensure password expiration is 90 days or less (Scored)
5.4.1.2 Ensure minimum days between password changes is 7 or more (Scored)
5.4.1.3 Ensure password expiration warning days is 7 or more (Scored)
5.4.1.4 Ensure inactive password lock is 30 days or less (Scored)
5.4.2 Ensure system accounts are non-login (Scored)
5.4.3 Ensure default group for the root account is GID 0 (Scored)
5.4.4 Ensure default user umask is 027 or more restrictive (Scored)
5.5 Ensure root login is restricted to system console (Not Scored)
5.6 Ensure access to the su command is restricted (Scored)