CIS Oracle Linux 8 v4.0.0 L1 Server

Audit Details

Name: CIS Oracle Linux 8 v4.0.0 L1 Server

Updated: 2/11/2026

Authority: CIS

Plugin: Unix

Revision: 1.2

Estimated Item Count: 258

File Details

Filename: CIS_Oracle_Linux_8_v4.0.0_L1_Server.audit

Size: 1.24 MB

MD5: 6970ea107cc99e78322a5c7c4c14110f
SHA256: 9794dc7b654b187f2bbb337b5237bedc1a48f0a73c5d4efdc829a5fee0083500

Audit Changelog

Revision 1.2

Feb 11, 2026

Functional Update
  • 5.1.8 Ensure sshd Ciphers are configured
  • 5.4.2.4 Ensure root account access is controlled
Informational Update
  • 1.1.1.1 Ensure cramfs kernel module is not available
  • 1.1.1.10 Ensure usb-storage kernel module is not available
  • 1.1.1.11 Ensure unused filesystems kernel modules are not available
  • 1.1.1.2 Ensure freevxfs kernel module is not available
  • 1.1.1.3 Ensure hfs kernel module is not available
  • 1.1.1.4 Ensure hfsplus kernel module is not available
  • 1.1.1.5 Ensure jffs2 kernel module is not available
  • 1.1.1.9 Ensure firewire-core kernel module is not available
  • 1.1.2.1.1 Ensure /tmp is tmpfs or a separate partition
  • 1.1.2.1.2 Ensure nodev option set on /tmp partition
  • 1.1.2.1.3 Ensure nosuid option set on /tmp partition
  • 1.1.2.1.4 Ensure noexec option set on /tmp partition
  • 1.1.2.2.1 Ensure /dev/shm is tmpfs
  • 1.1.2.2.2 Ensure nodev option set on /dev/shm partition
  • 1.1.2.2.3 Ensure nosuid option set on /dev/shm partition
  • 1.1.2.2.4 Ensure noexec option set on /dev/shm partition
  • 1.1.2.3.2 Ensure nodev option set on /home partition
  • 1.1.2.3.3 Ensure nosuid option set on /home partition
  • 1.1.2.4.2 Ensure nodev option set on /var partition
  • 1.1.2.4.3 Ensure nosuid option set on /var partition
  • 1.1.2.5.2 Ensure nodev option set on /var/tmp partition
  • 1.1.2.5.3 Ensure nosuid option set on /var/tmp partition
  • 1.1.2.5.4 Ensure noexec option set on /var/tmp partition
  • 1.1.2.6.2 Ensure nodev option set on /var/log partition
  • 1.1.2.6.3 Ensure nosuid option set on /var/log partition
  • 1.1.2.6.4 Ensure noexec option set on /var/log partition
  • 1.1.2.7.2 Ensure nodev option set on /var/log/audit partition
  • 1.1.2.7.3 Ensure nosuid option set on /var/log/audit partition
  • 1.1.2.7.4 Ensure noexec option set on /var/log/audit partition
  • 1.2.1.2 Ensure gpgcheck is configured
  • 1.3.1.4 Ensure the SELinux mode is not disabled
  • 1.4.2 Ensure access to bootloader config is configured
  • 1.5.1 Ensure core file size is configured
  • 1.5.10 Ensure systemd-coredump Storage is configured
  • 1.5.2 Ensure fs.protected_hardlinks is configured
  • 1.5.4 Ensure fs.suid_dumpable is configured
  • 1.5.5 Ensure kernel.dmesg_restrict is configured
  • 1.5.6 Ensure kernel.kptr_restrict is configured
  • 1.5.7 Ensure kernel.yama.ptrace_scope is configured
  • 1.5.8 Ensure kernel.randomize_va_space is configured
  • 1.5.9 Ensure systemd-coredump ProcessSizeMax is configured
  • 1.6.1 Ensure system wide crypto policy is not set to legacy
  • 1.6.2 Ensure system wide crypto policy disables sha1 hash and signature support
  • 1.6.3 Ensure system wide crypto policy macs are configured
  • 1.6.4 Ensure system wide crypto policy disables cbc for ssh
  • 1.6.5 Ensure system wide crypto policy disables chacha20-poly1305 for ssh
  • 1.6.6 Ensure system wide crypto policy disables EtM for ssh
  • 1.7.1 Ensure /etc/motd is configured
  • 1.7.2 Ensure /etc/issue is configured
  • 1.7.3 Ensure /etc/issue.net is configured
  • 1.8.1 Ensure GDM login banner is configured
  • 1.8.2 Ensure GDM disable-user-list is configured
  • 1.8.3 Ensure GDM screen lock is configured
  • 1.8.4 Ensure GDM automount is configured
  • 1.8.5 Ensure GDM autorun-never is configured
  • 2.1.11 Ensure print server services are not in use
  • 2.1.12 Ensure rpcbind services are not in use
  • 2.1.13 Ensure rsync services are not in use
  • 2.1.15 Ensure snmp services are not in use
  • 2.1.17 Ensure tftp server services are not in use
  • 2.1.2 Ensure avahi daemon services are not in use
  • 2.1.20 Ensure xinetd services are not in use
  • 2.1.4 Ensure dhcp server services are not in use
  • 2.1.8 Ensure message access server services are not in use
  • 2.3.2 Ensure chrony is configured
  • 2.4.1.8 Ensure access to /etc/cron.d is configured
  • 2.4.1.9 Ensure access to crontab is configured
  • 2.4.2.1 Ensure access to at is configured
  • 3.1.3 Ensure bluetooth services are not in use
  • 3.2.1 Ensure atm kernel module is not available
  • 3.2.2 Ensure can kernel module is not available
  • 3.2.3 Ensure dccp kernel module is not available
  • 3.2.4 Ensure rds kernel module is not available
  • 3.2.5 Ensure sctp kernel module is not available
  • 3.2.6 Ensure tipc kernel module is not available
  • 3.3.1.10 Ensure net.ipv4.conf.all.secure_redirects is configured
  • 3.3.1.11 Ensure net.ipv4.conf.default.secure_redirects is configured
  • 3.3.1.12 Ensure net.ipv4.conf.all.rp_filter is configured
  • 3.3.1.13 Ensure net.ipv4.conf.default.rp_filter is configured
  • 3.3.1.14 Ensure net.ipv4.conf.all.accept_source_route is configured
  • 3.3.1.15 Ensure net.ipv4.conf.default.accept_source_route is configured
  • 3.3.1.16 Ensure net.ipv4.conf.all.log_martians is configured
  • 3.3.1.17 Ensure net.ipv4.conf.default.log_martians is configured
  • 3.3.1.18 Ensure net.ipv4.tcp_syncookies is configured
  • 3.3.1.2 Ensure net.ipv4.conf.all.forwarding is configured
  • 3.3.1.3 Ensure net.ipv4.conf.default.forwarding is configured
  • 3.3.1.4 Ensure net.ipv4.conf.all.send_redirects is configured
  • 3.3.1.5 Ensure net.ipv4.conf.default.send_redirects is configured
  • 3.3.1.6 Ensure net.ipv4.icmp_ignore_bogus_error_responses is configured
  • 3.3.1.7 Ensure net.ipv4.icmp_echo_ignore_broadcasts is configured
  • 3.3.1.8 Ensure net.ipv4.conf.all.accept_redirects is configured
  • 3.3.1.9 Ensure net.ipv4.conf.default.accept_redirects is configured
  • 3.3.2.1 Ensure net.ipv6.conf.all.forwarding is configured
  • 3.3.2.2 Ensure net.ipv6.conf.default.forwarding is configured
  • 3.3.2.3 Ensure net.ipv6.conf.all.accept_redirects is configured
  • 3.3.2.4 Ensure net.ipv6.conf.default.accept_redirects is configured
  • 3.3.2.5 Ensure net.ipv6.conf.all.accept_source_route is configured
  • 3.3.2.6 Ensure net.ipv6.conf.default.accept_source_route is configured
  • 3.3.2.7 Ensure net.ipv6.conf.all.accept_ra is configured
  • 3.3.2.8 Ensure net.ipv6.conf.default.accept_ra is configured
  • 4.1.4 Ensure firewalld active zone target is configured
  • 4.1.5 Ensure firewalld loopback traffic is configured
  • 4.1.7 Ensure firewalld services and ports are configured
  • 5.1.12 Ensure sshd HostbasedAuthentication is disabled
  • 5.1.13 Ensure sshd IgnoreRhosts is enabled
  • 5.1.14 Ensure sshd KexAlgorithms is configured
  • 5.1.17 Ensure sshd MACs are configured
  • 5.1.2 Ensure access to /etc/ssh/sshd_config is configured
  • 5.1.22 Ensure sshd PermitRootLogin is disabled
  • 5.1.24 Ensure sshd UsePAM is enabled
  • 5.1.6 Ensure sshd access is configured
  • 5.1.7 Ensure sshd Banner is configured
  • 5.1.8 Ensure sshd Ciphers are configured
  • 5.1.9 Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured
  • 5.2.1 Ensure sudo is installed
  • 5.2.2 Ensure sudo commands use pty
  • 5.2.3 Ensure sudo log file exists
  • 5.2.6 Ensure sudo timestamp_timeout is configured
  • 5.2.7 Ensure access to the su command is restricted
  • 5.3.2.1 Ensure active authselect profile includes pam modules
  • 5.3.2.2 Ensure pam_faillock module is enabled
  • 5.3.2.3 Ensure pam_pwquality module is enabled
  • 5.3.2.4 Ensure pam_pwhistory module is enabled
  • 5.3.3.1.1 Ensure password failed attempts lockout is configured
  • 5.3.3.2.1 Ensure password number of changed characters is configured
  • 5.3.3.2.2 Ensure password length is configured
  • 5.3.3.2.3 Ensure password complexity is configured
  • 5.3.3.2.4 Ensure password same consecutive characters is configured
  • 5.3.3.2.5 Ensure password maximum sequential characters is configured
  • 5.3.3.2.6 Ensure password dictionary check is enabled
  • 5.3.3.3.3 Ensure pam_pwhistory includes use_authtok
  • 5.3.3.4.1 Ensure pam_unix does not include nullok
  • 5.3.3.4.2 Ensure pam_unix does not include remember
  • 5.3.3.4.3 Ensure pam_unix includes a strong password hashing algorithm
  • 5.3.3.4.4 Ensure pam_unix includes use_authtok
  • 5.4.1.4 Ensure strong password hashing algorithm is configured
  • 5.4.2.5 Ensure root path integrity
  • 5.4.2.6 Ensure root user umask is configured
  • 5.4.3.2 Ensure default user shell timeout is configured
  • 5.4.3.3 Ensure default user umask is configured
  • 6.1.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools
  • 6.2.1.1.3 Ensure journald log file rotation is configured
  • 6.2.1.1.4 Ensure journald ForwardToSyslog is disabled
  • 6.2.1.1.5 Ensure journald Storage is configured
  • 6.2.1.1.6 Ensure journald Compress is configured
  • 6.2.1.2.2 Ensure systemd-journal-remote authentication is configured
  • 6.2.1.2.4 Ensure systemd-journal-remote service is not in use
  • 6.2.2.3 Ensure journald is configured to send logs to rsyslog
  • 6.2.2.4 Ensure rsyslog log file creation mode is configured
  • 6.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client
  • 6.2.2.8 Ensure logrotate is configured
  • 6.2.3.1 Ensure access to all logfiles has been configured
  • 7.2.1 Ensure accounts in /etc/passwd use shadowed passwords
  • 7.2.3 Ensure all groups in /etc/passwd exist in /etc/group
  • 7.2.6 Ensure no duplicate user names exist
  • 7.2.7 Ensure no duplicate group names exist
  • 7.2.9 Ensure local interactive user dot files access is configured
Miscellaneous
  • Metadata updated.
  • Platform check updated.
  • References updated.
Added
  • CIS_Oracle_Linux_8_v4.0.0_L1_Server.audit from CIS Oracle Linux 8 v4.0.0
Removed
  • CIS_Oracle_Linux_8_v4.0.0_L1_Server.audit from CIS Oracle Linux 8 Benchmark v4.0.0

Revision 1.1

Oct 24, 2025

Functional Update
  • 1.5.10 Ensure systemd-coredump Storage is configured
  • 1.5.2 Ensure fs.protected_hardlinks is configured
  • 1.5.4 Ensure fs.suid_dumpable is configured
  • 1.5.5 Ensure kernel.dmesg_restrict is configured
  • 1.5.6 Ensure kernel.kptr_restrict is configured
  • 1.5.7 Ensure kernel.yama.ptrace_scope is configured
  • 1.5.8 Ensure kernel.randomize_va_space is configured
  • 1.5.9 Ensure systemd-coredump ProcessSizeMax is configured
  • 3.3.1.10 Ensure net.ipv4.conf.all.secure_redirects is configured
  • 3.3.1.11 Ensure net.ipv4.conf.default.secure_redirects is configured
  • 3.3.1.12 Ensure net.ipv4.conf.all.rp_filter is configured
  • 3.3.1.13 Ensure net.ipv4.conf.default.rp_filter is configured
  • 3.3.1.14 Ensure net.ipv4.conf.all.accept_source_route is configured
  • 3.3.1.15 Ensure net.ipv4.conf.default.accept_source_route is configured
  • 3.3.1.16 Ensure net.ipv4.conf.all.log_martians is configured
  • 3.3.1.17 Ensure net.ipv4.conf.default.log_martians is configured
  • 3.3.1.18 Ensure net.ipv4.tcp_syncookies is configured
  • 3.3.1.2 Ensure net.ipv4.conf.all.forwarding is configured
  • 3.3.1.3 Ensure net.ipv4.conf.default.forwarding is configured
  • 3.3.1.4 Ensure net.ipv4.conf.all.send_redirects is configured
  • 3.3.1.5 Ensure net.ipv4.conf.default.send_redirects is configured
  • 3.3.1.6 Ensure net.ipv4.icmp_ignore_bogus_error_responses is configured
  • 3.3.1.7 Ensure net.ipv4.icmp_echo_ignore_broadcasts is configured
  • 3.3.1.8 Ensure net.ipv4.conf.all.accept_redirects is configured
  • 3.3.1.9 Ensure net.ipv4.conf.default.accept_redirects is configured
  • 3.3.2.1 Ensure net.ipv6.conf.all.forwarding is configured
  • 3.3.2.2 Ensure net.ipv6.conf.default.forwarding is configured
  • 3.3.2.3 Ensure net.ipv6.conf.all.accept_redirects is configured
  • 3.3.2.4 Ensure net.ipv6.conf.default.accept_redirects is configured
  • 3.3.2.5 Ensure net.ipv6.conf.all.accept_source_route is configured
  • 3.3.2.6 Ensure net.ipv6.conf.default.accept_source_route is configured
  • 3.3.2.7 Ensure net.ipv6.conf.all.accept_ra is configured
  • 3.3.2.8 Ensure net.ipv6.conf.default.accept_ra is configured
Informational Update
  • 1.5.10 Ensure systemd-coredump Storage is configured
  • 1.5.9 Ensure systemd-coredump ProcessSizeMax is configured
Miscellaneous
  • Metadata updated.
  • References updated.