CIS Rocky Linux 8 Workstation L2 v1.0.0

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS Rocky Linux 8 Workstation L2 v1.0.0

Updated: 6/17/2024

Authority: CIS

Plugin: Unix

Revision: 1.13

Estimated Item Count: 46

Audit Changelog


Revision 1.13 Jun 17, 2024 Miscellaneous Metadata updated.
Revision 1.12 Feb 23, 2024 Miscellaneous Audit deprecated. Metadata updated. References updated.
Revision 1.11 Dec 27, 2023 Functional Update 4.1.3.19 Ensure kernel module loading unloading and modification is collected
Revision 1.10 Nov 17, 2023 Functional Update 5.2.13 Ensure SSH AllowTcpForwarding is disabled
Revision 1.9 Oct 23, 2023 Functional Update 4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded 4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded 4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorded 4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded 4.1.3.20 Ensure the audit configuration is immutable 4.1.3.6 Ensure use of privileged commands are collected Informational Update 4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded 4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded 4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorded 4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded 4.1.3.6 Ensure use of privileged commands are collected Miscellaneous Metadata updated. Added 1.1.1.2 Ensure mounting of squashfs filesystems is disabled 1.1.1.3 Ensure mounting of udf filesystems is disabled 1.1.10 Disable USB Storage 1.6.1.5 Ensure the SELinux mode is enforcing 2.2.3 Ensure Avahi Server is not installed 3.1.2 Ensure SCTP is disabled 3.1.3 Ensure DCCP is disabled 4.1.1.1 Ensure auditd is installed 4.1.2.3 Ensure system is disabled when audit logs are full 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected 4.1.3.10 Ensure successful file system mounts are collected 4.1.3.11 Ensure session initiation information is collected 4.1.3.12 Ensure login and logout events are collected 4.1.3.13 Ensure file deletion events by users are collected 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected 4.1.3.19 Ensure kernel module loading unloading and modification is collected 4.1.3.2 Ensure actions as another user are always logged 4.1.3.3 Ensure events that modify the sudo log file are collected 4.1.3.4 Ensure events that modify date and time information are collected 4.1.3.5 Ensure events that modify the system's network environment are collected 4.1.3.7 Ensure unsuccessful file access attempts are collected 4.1.3.8 Ensure events that modify user/group information are collected 4.1.3.9 Ensure discretionary access control permission modification events are collected 5.2.13 Ensure SSH AllowTcpForwarding is disabled Removed 1.1.1.2 Ensure mounting of squashfs filesystems is disabled - lsmod 1.1.1.2 Ensure mounting of squashfs filesystems is disabled - modprobe 1.1.1.3 Ensure mounting of udf filesystems is disabled - blacklist 1.1.1.3 Ensure mounting of udf filesystems is disabled - lsmod 1.1.1.3 Ensure mounting of udf filesystems is disabled - modprobe 1.1.10 Disable USB Storage - lsmod 1.1.10 Disable USB Storage - modprobe 1.6.1.5 Ensure the SELinux mode is enforcing - /etc/selinux/config 1.6.1.5 Ensure the SELinux mode is enforcing - getenforce 2.2.3 Ensure Avahi Server is not installed - avahi 2.2.3 Ensure Avahi Server is not installed - avahi-autoipd 3.1.2 Ensure SCTP is disabled - lsmod 3.1.2 Ensure SCTP is disabled - modprobe 3.1.3 Ensure DCCP is disabled - lsmod 3.1.3 Ensure DCCP is disabled - modprobe 4.1.1.1 Ensure auditd is installed - audit 4.1.1.1 Ensure auditd is installed - audit-libs 4.1.2.3 Ensure system is disabled when audit logs are full - space_left_action = email 4.1.2.3 Ensure system is disabled when audit logs are full - space_left_action = halt 4.1.2.3 Ensure system is disabled when audit logs are full - space_left_action = root 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected - /etc/sudoers 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected - /etc/sudoers.d 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected - auditctl /etc/sudoers 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected - auditctl /etc/sudoers.d 4.1.3.10 Ensure successful file system mounts are collected - auditctl b32 4.1.3.10 Ensure successful file system mounts are collected - auditctl b64 4.1.3.10 Ensure successful file system mounts are collected - b32 4.1.3.10 Ensure successful file system mounts are collected - b64 4.1.3.11 Ensure session initiation information is collected - auditctl btmp 4.1.3.11 Ensure session initiation information is collected - auditctl utmp 4.1.3.11 Ensure session initiation information is collected - auditctl wtmp 4.1.3.11 Ensure session initiation information is collected - btmp 4.1.3.11 Ensure session initiation information is collected - utmp 4.1.3.11 Ensure session initiation information is collected - wtmp 4.1.3.12 Ensure login and logout events are collected - auditctl faillock 4.1.3.12 Ensure login and logout events are collected - auditctl lastlog 4.1.3.12 Ensure login and logout events are collected - faillock 4.1.3.12 Ensure login and logout events are collected - lastlog 4.1.3.13 Ensure file deletion events by users are collected - auditctl b32 unlink 4.1.3.13 Ensure file deletion events by users are collected - auditctl b64 unlink 4.1.3.13 Ensure file deletion events by users are collected - b32 unlink 4.1.3.13 Ensure file deletion events by users are collected - b64 unlink 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected - .rules /etc/selinux 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected - .rules /usr/share/selinux 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/selinux 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /usr/share/selinux 4.1.3.19 Ensure kernel module loading unloading and modification is collected - auditctl init_module 4.1.3.19 Ensure kernel module loading unloading and modification is collected - auditctl insmod 4.1.3.19 Ensure kernel module loading unloading and modification is collected - auditctl modprobe 4.1.3.19 Ensure kernel module loading unloading and modification is collected - auditctl rmmod 4.1.3.19 Ensure kernel module loading unloading and modification is collected - init_module 4.1.3.19 Ensure kernel module loading unloading and modification is collected - insmod 4.1.3.19 Ensure kernel module loading unloading and modification is collected - modprobe 4.1.3.19 Ensure kernel module loading unloading and modification is collected - rmmod 4.1.3.2 Ensure actions as another user are always logged - b32 4.1.3.2 Ensure actions as another user are always logged - b64 4.1.3.3 Ensure events that modify the sudo log file are collected - auditctl sudo log 4.1.3.3 Ensure events that modify the sudo log file are collected - sudo log 4.1.3.4 Ensure events that modify date and time information are collected - '/etc/localtime' 4.1.3.4 Ensure events that modify date and time information are collected - 'adjtimex' 4.1.3.4 Ensure events that modify date and time information are collected - 'auditctl /etc/localtime' 4.1.3.4 Ensure events that modify date and time information are collected - 'clock_settime' 4.1.3.4 Ensure events that modify date and time information are collected - adjtimex x64 4.1.3.4 Ensure events that modify date and time information are collected - auditctl adjtimex 4.1.3.4 Ensure events that modify date and time information are collected - auditctl adjtimex x64 4.1.3.4 Ensure events that modify date and time information are collected - auditctl clock_settime 4.1.3.4 Ensure events that modify date and time information are collected - auditctl clock_settime x64 4.1.3.4 Ensure events that modify date and time information are collected - clock_settime x64 4.1.3.5 Ensure events that modify the system's network environment are collected - /etc/hosts 4.1.3.5 Ensure events that modify the system's network environment are collected - /etc/issue 4.1.3.5 Ensure events that modify the system's network environment are collected - /etc/issue.net 4.1.3.5 Ensure events that modify the system's network environment are collected - /etc/sysconfig/network 4.1.3.5 Ensure events that modify the system's network environment are collected - auditctl /etc/hosts 4.1.3.5 Ensure events that modify the system's network environment are collected - auditctl /etc/issue 4.1.3.5 Ensure events that modify the system's network environment are collected - auditctl /etc/issue.net 4.1.3.5 Ensure events that modify the system's network environment are collected - auditctl /etc/sysconfig/network 4.1.3.5 Ensure events that modify the system's network environment are collected - auditctl b32 sethostname 4.1.3.5 Ensure events that modify the system's network environment are collected - auditctl b64 sethostname 4.1.3.5 Ensure events that modify the system's network environment are collected - b32 sethostname 4.1.3.5 Ensure events that modify the system's network environment are collected - b64 sethostname 4.1.3.7 Ensure unsuccessful file access attempts are collected - auditctl b32 EACCES 4.1.3.7 Ensure unsuccessful file access attempts are collected - auditctl b32 EPERM 4.1.3.7 Ensure unsuccessful file access attempts are collected - auditctl b64 EACCES 4.1.3.7 Ensure unsuccessful file access attempts are collected - auditctl b64 EPERM 4.1.3.7 Ensure unsuccessful file access attempts are collected - b32 EACCES 4.1.3.7 Ensure unsuccessful file access attempts are collected - b32 EPERM 4.1.3.7 Ensure unsuccessful file access attempts are collected - b64 EACCES 4.1.3.7 Ensure unsuccessful file access attempts are collected - b64 EPERM 4.1.3.8 Ensure events that modify user/group information are collected - /etc/group 4.1.3.8 Ensure events that modify user/group information are collected - /etc/gshadow 4.1.3.8 Ensure events that modify user/group information are collected - /etc/passwd 4.1.3.8 Ensure events that modify user/group information are collected - /etc/security/opasswd 4.1.3.8 Ensure events that modify user/group information are collected - /etc/shadow 4.1.3.8 Ensure events that modify user/group information are collected - auditctl /etc/group 4.1.3.8 Ensure events that modify user/group information are collected - auditctl /etc/gshadow 4.1.3.8 Ensure events that modify user/group information are collected - auditctl /etc/passwd 4.1.3.8 Ensure events that modify user/group information are collected - auditctl /etc/security/opasswd 4.1.3.8 Ensure events that modify user/group information are collected - auditctl /etc/shadow 4.1.3.9 Ensure discretionary access control permission modification events are collected - auditctl b32 chmod/fchmod/fchmodat 4.1.3.9 Ensure discretionary access control permission modification events are collected - auditctl b32 chown/fchown/fchownat/lchown 4.1.3.9 Ensure discretionary access control permission modification events are collected - auditctl b32 setxattr/lsetxattr/fsetxattr/removexattr 4.1.3.9 Ensure discretionary access control permission modification events are collected - auditctl b64 chmod/fchmod/fchmodat 4.1.3.9 Ensure discretionary access control permission modification events are collected - auditctl b64 chown/fchown/fchownat/lchown 4.1.3.9 Ensure discretionary access control permission modification events are collected - auditctl b64 setxattr/lsetxattr/fsetxattr/removexattr 4.1.3.9 Ensure discretionary access control permission modification events are collected - b32 chmod/fchmod/fchmodat 4.1.3.9 Ensure discretionary access control permission modification events are collected - b32 chown/fchown/fchownat/lchown 4.1.3.9 Ensure discretionary access control permission modification events are collected - b32 setxattr/lsetxattr/fsetxattr/removexattr 4.1.3.9 Ensure discretionary access control permission modification events are collected - b64 chmod/fchmod/fchmodat 4.1.3.9 Ensure discretionary access control permission modification events are collected - b64 chown/fchown/fchownat/lchown 4.1.3.9 Ensure discretionary access control permission modification events are collected - b64 setxattr/lsetxattr/fsetxattr/removexattr 5.2.13 Ensure SSH AllowTcpForwarding is disabled - sshd output 5.2.13 Ensure SSH AllowTcpForwarding is disabled - sshd_config
Revision 1.8 Aug 28, 2023 Functional Update 4.1.3.10 Ensure successful file system mounts are collected - auditctl b32 4.1.3.10 Ensure successful file system mounts are collected - auditctl b64 4.1.3.10 Ensure successful file system mounts are collected - b32 4.1.3.10 Ensure successful file system mounts are collected - b64
Revision 1.7 Jul 5, 2023 Functional Update 4.1.2.3 Ensure system is disabled when audit logs are full - space_left_action = email 4.1.2.3 Ensure system is disabled when audit logs are full - space_left_action = halt 4.1.2.3 Ensure system is disabled when audit logs are full - space_left_action = root
Revision 1.6 Apr 26, 2023 Functional Update 1.1.1.2 Ensure mounting of squashfs filesystems is disabled - modprobe 1.1.10 Disable USB Storage - modprobe
Revision 1.5 Apr 12, 2023 Miscellaneous Metadata updated. Platform check updated.
Revision 1.4 Mar 7, 2023 Miscellaneous Metadata updated. References updated.