CIS Distribution Independent Linux Workstation L1 v2.0.0

Audit Details

Name: CIS Distribution Independent Linux Workstation L1 v2.0.0

Updated: 9/19/2022

Authority: CIS

Plugin: Unix

Revision: 1.16

Estimated Item Count: 276

File Details

Filename: CIS_Distribution_Independent_Linux_Workstation_L1_v2.0.0.audit

Size: 668 kB

MD5: 257d931c45872207c63fb3a4dbb506df
SHA256: a1474618e92892c706cfac2e6e71ff930551edb5af73947e83d529230428dd9a

Audit Changelog

Revision 1.16

Sep 19, 2022

Functional Update
  • 1.2.1 Ensure package manager repositories are configured
  • 1.2.2 Ensure GPG keys are configured
  • 1.3.1 Ensure AIDE is installed
  • 1.4.1 Ensure permissions on bootloader config are configured
  • 1.4.2 Ensure bootloader password is set
  • 1.5.4 Ensure prelink is disabled
  • 1.8 Ensure updates, patches, and additional security software are installed
  • 2.2.1.2 Ensure ntp is configured - OPTIONS or ExecStart -u ntp:ntp
  • 2.3.1 Ensure NIS Client is not installed
  • 2.3.2 Ensure rsh client is not installed
  • 2.3.3 Ensure talk client is not installed
  • 2.3.4 Ensure telnet client is not installed
  • 2.3.5 Ensure LDAP client is not installed
  • 3.3.1 Ensure TCP Wrappers is installed
  • 3.5.3 Ensure iptables is installed
  • 4.2.1.2 Ensure rsyslog Service is enabled
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. - InputTCPServerRun 514
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. - imtcp.so
  • 5.3.1 Ensure password creation requirements are configured - dcredit
  • 5.3.1 Ensure password creation requirements are configured - lcredit
  • 5.3.1 Ensure password creation requirements are configured - minlen
  • 5.3.1 Ensure password creation requirements are configured - ocredit
  • 5.3.1 Ensure password creation requirements are configured - ucredit
  • 5.4.1.5 Ensure all users last password change date is in the past

Revision 1.15

Jul 27, 2022

Functional Update
  • 1.2.1 Ensure package manager repositories are configured
  • 1.2.2 Ensure GPG keys are configured
  • 1.3.1 Ensure AIDE is installed
  • 1.3.2 Ensure filesystem integrity is regularly checked
  • 1.4.1 Ensure permissions on bootloader config are configured
  • 1.4.2 Ensure bootloader password is set
  • 1.5.4 Ensure prelink is disabled
  • 1.8 Ensure updates, patches, and additional security software are installed
  • 2.2.1.2 Ensure ntp is configured - OPTIONS or ExecStart -u ntp:ntp
  • 2.3.1 Ensure NIS Client is not installed
  • 2.3.2 Ensure rsh client is not installed
  • 2.3.3 Ensure talk client is not installed
  • 2.3.4 Ensure telnet client is not installed
  • 2.3.5 Ensure LDAP client is not installed
  • 3.3.1 Ensure TCP Wrappers is installed
  • 3.5.1.1 Ensure IPv6 default deny firewall policy - Chain FORWARD
  • 3.5.1.1 Ensure IPv6 default deny firewall policy - Chain INPUT
  • 3.5.1.1 Ensure IPv6 default deny firewall policy - Chain OUTPUT
  • 3.5.3 Ensure iptables is installed
  • 4.2.1.2 Ensure rsyslog Service is enabled
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. - InputTCPServerRun 514
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. - imtcp.so
  • 5.2.10 Ensure SSH root login is disabled
  • 5.2.11 Ensure SSH PermitEmptyPasswords is disabled
  • 5.2.12 Ensure SSH PermitUserEnvironment is disabled
  • 5.2.13 Ensure only strong Ciphers are used - weak ciphers
  • 5.2.14 Ensure only strong MAC algorithms are used - weak MAC algorithms
  • 5.2.15 Ensure only strong Key Exchange algorithms are used - weak Key Exchange algorithms
  • 5.2.18 Ensure SSH access is limited
  • 5.2.4 Ensure SSH Protocol is set to 2
  • 5.2.5 Ensure SSH LogLevel is appropriate
  • 5.2.6 Ensure SSH X11 forwarding is disabled
  • 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less
  • 5.2.8 Ensure SSH IgnoreRhosts is enabled
  • 5.2.9 Ensure SSH HostbasedAuthentication is disabled
  • 5.3.1 Ensure password creation requirements are configured - dcredit
  • 5.3.1 Ensure password creation requirements are configured - lcredit
  • 5.3.1 Ensure password creation requirements are configured - minlen
  • 5.3.1 Ensure password creation requirements are configured - ocredit
  • 5.3.1 Ensure password creation requirements are configured - ucredit
  • 5.4.4 Ensure default user umask is 027 or more restrictive - /etc/profile /etc/profile.d/*.sh

Revision 1.14

Apr 25, 2022

Functional Update
  • 1.2.1 Ensure package manager repositories are configured
  • 1.2.2 Ensure GPG keys are configured
  • 1.3.1 Ensure AIDE is installed
  • 1.4.1 Ensure permissions on bootloader config are configured
  • 1.4.2 Ensure bootloader password is set
  • 1.5.4 Ensure prelink is disabled
  • 1.8 Ensure updates, patches, and additional security software are installed
  • 2.2.1.2 Ensure ntp is configured - OPTIONS or ExecStart -u ntp:ntp
  • 2.3.1 Ensure NIS Client is not installed
  • 2.3.2 Ensure rsh client is not installed
  • 2.3.3 Ensure talk client is not installed
  • 2.3.4 Ensure telnet client is not installed
  • 2.3.5 Ensure LDAP client is not installed
  • 3.3.1 Ensure TCP Wrappers is installed
  • 3.5.3 Ensure iptables is installed
  • 4.2.1.2 Ensure rsyslog Service is enabled
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. - InputTCPServerRun 514
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. - imtcp.so
  • 5.3.1 Ensure password creation requirements are configured - dcredit
  • 5.3.1 Ensure password creation requirements are configured - lcredit
  • 5.3.1 Ensure password creation requirements are configured - minlen
  • 5.3.1 Ensure password creation requirements are configured - ocredit
  • 5.3.1 Ensure password creation requirements are configured - ucredit
Miscellaneous
  • References updated.

Revision 1.13

Mar 29, 2022

Functional Update
  • 1.2.1 Ensure package manager repositories are configured
  • 1.2.2 Ensure GPG keys are configured
  • 1.3.1 Ensure AIDE is installed
  • 1.4.1 Ensure permissions on bootloader config are configured
  • 1.4.2 Ensure bootloader password is set
  • 1.5.4 Ensure prelink is disabled
  • 1.8 Ensure updates, patches, and additional security software are installed
  • 2.2.1.2 Ensure ntp is configured - OPTIONS or ExecStart -u ntp:ntp
  • 2.3.1 Ensure NIS Client is not installed
  • 2.3.2 Ensure rsh client is not installed
  • 2.3.3 Ensure talk client is not installed
  • 2.3.4 Ensure telnet client is not installed
  • 2.3.5 Ensure LDAP client is not installed
  • 3.3.1 Ensure TCP Wrappers is installed
  • 3.5.3 Ensure iptables is installed
  • 4.2.1.2 Ensure rsyslog Service is enabled
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. - InputTCPServerRun 514
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. - imtcp.so
  • 5.3.1 Ensure password creation requirements are configured - dcredit
  • 5.3.1 Ensure password creation requirements are configured - lcredit
  • 5.3.1 Ensure password creation requirements are configured - minlen
  • 5.3.1 Ensure password creation requirements are configured - ocredit
  • 5.3.1 Ensure password creation requirements are configured - ucredit
Miscellaneous
  • Metadata updated.
  • References updated.

Revision 1.12

Jun 17, 2021

Functional Update
  • 1.2.1 Ensure package manager repositories are configured
  • 1.2.2 Ensure GPG keys are configured
  • 1.3.1 Ensure AIDE is installed
  • 1.4.1 Ensure permissions on bootloader config are configured
  • 1.4.2 Ensure bootloader password is set
  • 1.5.4 Ensure prelink is disabled
  • 1.8 Ensure updates, patches, and additional security software are installed
  • 2.2.1.2 Ensure ntp is configured - OPTIONS or ExecStart -u ntp:ntp
  • 2.3.1 Ensure NIS Client is not installed
  • 2.3.2 Ensure rsh client is not installed
  • 2.3.3 Ensure talk client is not installed
  • 2.3.4 Ensure telnet client is not installed
  • 2.3.5 Ensure LDAP client is not installed
  • 3.3.1 Ensure TCP Wrappers is installed
  • 3.5.3 Ensure iptables is installed
  • 4.2.1.2 Ensure rsyslog Service is enabled
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. - InputTCPServerRun 514
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. - imtcp.so
  • 5.3.1 Ensure password creation requirements are configured - dcredit
  • 5.3.1 Ensure password creation requirements are configured - lcredit
  • 5.3.1 Ensure password creation requirements are configured - minlen
  • 5.3.1 Ensure password creation requirements are configured - ocredit
  • 5.3.1 Ensure password creation requirements are configured - ucredit
Miscellaneous
  • Metadata updated.
  • References updated.

Revision 1.11

Oct 14, 2020

Functional Update
  • 1.2.1 Ensure package manager repositories are configured
  • 1.2.2 Ensure GPG keys are configured
  • 1.3.1 Ensure AIDE is installed
  • 1.4.1 Ensure permissions on bootloader config are configured
  • 1.4.2 Ensure bootloader password is set
  • 1.5.4 Ensure prelink is disabled
  • 1.8 Ensure updates, patches, and additional security software are installed
  • 2.2.1.2 Ensure ntp is configured - OPTIONS or ExecStart -u ntp:ntp
  • 2.3.1 Ensure NIS Client is not installed
  • 2.3.2 Ensure rsh client is not installed
  • 2.3.3 Ensure talk client is not installed
  • 2.3.4 Ensure telnet client is not installed
  • 2.3.5 Ensure LDAP client is not installed
  • 3.3.1 Ensure TCP Wrappers is installed
  • 3.5.3 Ensure iptables is installed
  • 4.2.1.2 Ensure rsyslog Service is enabled
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. - InputTCPServerRun 514
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. - imtcp.so
  • 4.2.3 Ensure permissions on all logfiles are configured
  • 5.3.1 Ensure password creation requirements are configured - dcredit
  • 5.3.1 Ensure password creation requirements are configured - lcredit
  • 5.3.1 Ensure password creation requirements are configured - minlen
  • 5.3.1 Ensure password creation requirements are configured - ocredit
  • 5.3.1 Ensure password creation requirements are configured - ucredit
Miscellaneous
  • References updated.

Revision 1.10

Oct 5, 2020

Functional Update
  • 1.2.1 Ensure package manager repositories are configured
  • 1.2.2 Ensure GPG keys are configured
  • 1.3.1 Ensure AIDE is installed
  • 1.4.1 Ensure permissions on bootloader config are configured
  • 1.4.2 Ensure bootloader password is set
  • 1.5.1 Ensure core dumps are restricted - limits.conf
  • 1.5.4 Ensure prelink is disabled
  • 1.7.2 Ensure GDM login banner is configured - banner message enabled
  • 1.7.2 Ensure GDM login banner is configured - banner message text
  • 1.8 Ensure updates, patches, and additional security software are installed
  • 2.1.1 Ensure chargen services are not enabled
  • 2.1.10 Ensure xinetd is not enabled
  • 2.1.2 Ensure daytime services are not enabled
  • 2.1.3 Ensure discard services are not enabled
  • 2.1.4 Ensure echo services are not enabled
  • 2.1.5 Ensure time services are not enabled
  • 2.1.6 Ensure rsh server is not enabled - rexec
  • 2.1.6 Ensure rsh server is not enabled - rlogin
  • 2.1.6 Ensure rsh server is not enabled - rsh
  • 2.1.7 Ensure talk server is not enabled - ntalk
  • 2.1.7 Ensure talk server is not enabled - talk
  • 2.1.8 Ensure telnet server is not enabled
  • 2.1.9 Ensure tftp server is not enabled
  • 2.2.1.1 Ensure time synchronization is in use
  • 2.2.1.2 Ensure ntp is configured - NTP Server
  • 2.2.1.2 Ensure ntp is configured - OPTIONS or ExecStart -u ntp:ntp
  • 2.2.1.2 Ensure ntp is configured - restrict -4
  • 2.2.1.2 Ensure ntp is configured - restrict -6
  • 2.2.1.3 Ensure chrony is configured - NTP server
  • 2.2.1.3 Ensure chrony is configured - User
  • 2.2.10 Ensure HTTP server is not enabled
  • 2.2.11 Ensure IMAP and POP3 server is not enabled
  • 2.2.12 Ensure Samba is not enabled
  • 2.2.13 Ensure HTTP Proxy Server is not enabled
  • 2.2.14 Ensure SNMP Server is not enabled
  • 2.2.16 Ensure rsync service is not enabled
  • 2.2.17 Ensure NIS Server is not enabled
  • 2.2.3 Ensure Avahi Server is not enabled
  • 2.2.5 Ensure DHCP Server is not enabled
  • 2.2.6 Ensure LDAP Server is not enabled
  • 2.2.7 Ensure NFS and RPC are not enabled - NFS
  • 2.2.7 Ensure NFS and RPC are not enabled - RPC
  • 2.2.8 Ensure DNS Server is not enabled
  • 2.2.9 Ensure FTP Server is not enabled
  • 2.3.1 Ensure NIS Client is not installed
  • 2.3.2 Ensure rsh client is not installed
  • 2.3.3 Ensure talk client is not installed
  • 2.3.4 Ensure telnet client is not installed
  • 2.3.5 Ensure LDAP client is not installed
  • 3.3.1 Ensure TCP Wrappers is installed
  • 3.5.3 Ensure iptables is installed
  • 4.2.1.1 Ensure rsyslog is installed
  • 4.2.1.2 Ensure rsyslog Service is enabled
  • 4.2.1.3 Ensure logging is configured
  • 4.2.1.4 Ensure rsyslog default file permissions configured
  • 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. - InputTCPServerRun 514
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. - imtcp.so
  • 5.1.1 Ensure cron daemon is enabled
  • 5.3.1 Ensure password creation requirements are configured - dcredit
  • 5.3.1 Ensure password creation requirements are configured - lcredit
  • 5.3.1 Ensure password creation requirements are configured - minlen
  • 5.3.1 Ensure password creation requirements are configured - ocredit
  • 5.3.1 Ensure password creation requirements are configured - retry=3
  • 5.3.1 Ensure password creation requirements are configured - try_first_pass
  • 5.3.1 Ensure password creation requirements are configured - ucredit
  • 6.1.3 Ensure permissions on /etc/shadow are configured
Miscellaneous
  • Platform check updated.
  • References updated.

Revision 1.9

Sep 29, 2020

Functional Update
  • 1.2.1 Ensure package manager repositories are configured
  • 1.2.2 Ensure GPG keys are configured
  • 1.3.1 Ensure AIDE is installed
  • 1.4.1 Ensure permissions on bootloader config are configured
  • 1.4.2 Ensure bootloader password is set
  • 1.5.4 Ensure prelink is disabled
  • 1.8 Ensure updates, patches, and additional security software are installed
  • 2.2.1.2 Ensure ntp is configured - OPTIONS or ExecStart -u ntp:ntp
  • 2.3.1 Ensure NIS Client is not installed
  • 2.3.2 Ensure rsh client is not installed
  • 2.3.3 Ensure talk client is not installed
  • 2.3.4 Ensure telnet client is not installed
  • 2.3.5 Ensure LDAP client is not installed
  • 3.3.1 Ensure TCP Wrappers is installed
  • 3.5.3 Ensure iptables is installed
  • 4.2.1.2 Ensure rsyslog Service is enabled
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. - InputTCPServerRun 514
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. - imtcp.so
  • 5.3.1 Ensure password creation requirements are configured - dcredit
  • 5.3.1 Ensure password creation requirements are configured - lcredit
  • 5.3.1 Ensure password creation requirements are configured - minlen
  • 5.3.1 Ensure password creation requirements are configured - ocredit
  • 5.3.1 Ensure password creation requirements are configured - ucredit
Miscellaneous
  • References updated.

Revision 1.8

Aug 25, 2020

Functional Update
  • 1.2.1 Ensure package manager repositories are configured
  • 1.2.2 Ensure GPG keys are configured
  • 1.3.1 Ensure AIDE is installed
  • 1.4.1 Ensure permissions on bootloader config are configured
  • 1.4.2 Ensure bootloader password is set
  • 1.5.4 Ensure prelink is disabled
  • 1.8 Ensure updates, patches, and additional security software are installed
  • 2.2.1.2 Ensure ntp is configured - OPTIONS or ExecStart -u ntp:ntp
  • 2.3.1 Ensure NIS Client is not installed
  • 2.3.2 Ensure rsh client is not installed
  • 2.3.3 Ensure talk client is not installed
  • 2.3.4 Ensure telnet client is not installed
  • 2.3.5 Ensure LDAP client is not installed
  • 3.3.1 Ensure TCP Wrappers is installed
  • 3.5.3 Ensure iptables is installed
  • 4.2.1.2 Ensure rsyslog Service is enabled
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. - InputTCPServerRun 514
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. - imtcp.so
  • 5.3.1 Ensure password creation requirements are configured - dcredit
  • 5.3.1 Ensure password creation requirements are configured - lcredit
  • 5.3.1 Ensure password creation requirements are configured - minlen
  • 5.3.1 Ensure password creation requirements are configured - ocredit
  • 5.3.1 Ensure password creation requirements are configured - ucredit
  • 5.4.1.1 Ensure password expiration is 365 days or less - users
Miscellaneous
  • References updated.

Revision 1.7

Aug 4, 2020

Functional Update
  • 1.2.1 Ensure package manager repositories are configured
  • 1.2.2 Ensure GPG keys are configured
  • 1.3.1 Ensure AIDE is installed
  • 1.4.1 Ensure permissions on bootloader config are configured
  • 1.4.2 Ensure bootloader password is set
  • 1.5.4 Ensure prelink is disabled
  • 1.7.1.1 Ensure message of the day is configured properly
  • 1.7.1.2 Ensure local login warning banner is configured properly
  • 1.7.1.3 Ensure remote login warning banner is configured properly
  • 1.8 Ensure updates, patches, and additional security software are installed
  • 2.2.1.2 Ensure ntp is configured - OPTIONS or ExecStart -u ntp:ntp
  • 2.3.1 Ensure NIS Client is not installed
  • 2.3.2 Ensure rsh client is not installed
  • 2.3.3 Ensure talk client is not installed
  • 2.3.4 Ensure telnet client is not installed
  • 2.3.5 Ensure LDAP client is not installed
  • 3.3.1 Ensure TCP Wrappers is installed
  • 3.5.3 Ensure iptables is installed
  • 4.2.1.2 Ensure rsyslog Service is enabled
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. - InputTCPServerRun 514
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. - imtcp.so
  • 4.2.3 Ensure permissions on all logfiles are configured
  • 5.3.1 Ensure password creation requirements are configured - dcredit
  • 5.3.1 Ensure password creation requirements are configured - lcredit
  • 5.3.1 Ensure password creation requirements are configured - minlen
  • 5.3.1 Ensure password creation requirements are configured - ocredit
  • 5.3.1 Ensure password creation requirements are configured - ucredit
Miscellaneous
  • References updated.