CIS Rocky Linux 8 Workstation L1 v2.0.0

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Rocky Linux 8 Workstation L1 v2.0.0

Updated: 10/8/2025

Authority: CIS

Plugin: Unix

Revision: 1.18

Estimated Item Count: 220

File Details

Filename: CIS_Rocky_Linux_8_v2.0.0_L1_Workstation.audit

Size: 791 kB

MD5: c0ebff806ec3ab257494a6a5b1cd945d
SHA256: d401e08dca021f75bcbd8dd95c9a345b603eeff9d4212845d38db5b8255656b0

Audit Items

Description | Categories
1.1.1.1 Ensure cramfs kernel module is not available
1.1.1.2 Ensure freevxfs kernel module is not available
1.1.1.3 Ensure hfs kernel module is not available
1.1.1.4 Ensure hfsplus kernel module is not available
1.1.1.5 Ensure jffs2 kernel module is not available
1.1.2.1.1 Ensure /tmp is a separate partition
1.1.2.1.2 Ensure nodev option set on /tmp partition
1.1.2.1.3 Ensure nosuid option set on /tmp partition
1.1.2.1.4 Ensure noexec option set on /tmp partition
1.1.2.2.1 Ensure /dev/shm is a separate partition
1.1.2.2.2 Ensure nodev option set on /dev/shm partition
1.1.2.2.3 Ensure nosuid option set on /dev/shm partition
1.1.2.2.4 Ensure noexec option set on /dev/shm partition
1.1.2.3.2 Ensure nodev option set on /home partition
1.1.2.3.3 Ensure nosuid option set on /home partition
1.1.2.4.2 Ensure nodev option set on /var partition
1.1.2.4.3 Ensure nosuid option set on /var partition
1.1.2.5.2 Ensure nodev option set on /var/tmp partition
1.1.2.5.3 Ensure nosuid option set on /var/tmp partition
1.1.2.5.4 Ensure noexec option set on /var/tmp partition
1.1.2.6.2 Ensure nodev option set on /var/log partition
1.1.2.6.3 Ensure nosuid option set on /var/log partition
1.1.2.6.4 Ensure noexec option set on /var/log partition
1.1.2.7.2 Ensure nodev option set on /var/log/audit partition
1.1.2.7.3 Ensure nosuid option set on /var/log/audit partition
1.1.2.7.4 Ensure noexec option set on /var/log/audit partition
1.2.1 Ensure GPG keys are configured
1.2.2 Ensure gpgcheck is globally activated
1.2.4 Ensure package manager repositories are configured
1.2.5 Ensure updates, patches, and additional security software are installed
1.3.1 Ensure bootloader password is set
1.3.2 Ensure permissions on bootloader config are configured
1.4.1 Ensure address space layout randomization (ASLR) is enabled
1.4.2 Ensure ptrace_scope is restricted
1.4.3 Ensure core dump backtraces are disabled
1.4.4 Ensure core dump storage is disabled
1.5.1.1 Ensure SELinux is installed
1.5.1.2 Ensure SELinux is not disabled in bootloader configuration
1.5.1.3 Ensure SELinux policy is configured
1.5.1.4 Ensure the SELinux mode is not disabled
1.5.1.6 Ensure no unconfined services exist
1.5.1.7 Ensure the MCS Translation Service (mcstrans) is not installed
1.6.1 Ensure system wide crypto policy is not set to legacy
1.6.2 Ensure system wide crypto policy disables sha1 hash and signature support
1.6.3 Ensure system wide crypto policy disables cbc for ssh
1.6.4 Ensure system wide crypto policy disables macs less than 128 bits
1.7.1 Ensure message of the day is configured properly
1.7.2 Ensure local login warning banner is configured properly
1.7.3 Ensure remote login warning banner is configured properly
1.7.4 Ensure access to /etc/motd is configured