CIS Ubuntu Linux 18.04 LTS Workstation L1 v2.0.1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS Ubuntu Linux 18.04 LTS Workstation L1 v2.0.1

Updated: 5/5/2021

Authority: CIS

Plugin: Unix

Revision: 1.15

Estimated Item Count: 327

Audit Changelog


Revision 1.15 May 5, 2021 Miscellaneous Audit deprecated. Metadata updated.
Revision 1.14 Feb 11, 2021 Functional Update 3.5.4.1.1 Ensure default deny firewall policy - 'Chain FORWARD' 3.5.4.1.1 Ensure default deny firewall policy - 'Chain INPUT' 3.5.4.1.1 Ensure default deny firewall policy - 'Chain OUTPUT' 3.5.4.2.1 Ensure IPv6 default deny firewall policy - 'Chain FORWARD' 3.5.4.2.1 Ensure IPv6 default deny firewall policy - 'Chain INPUT' 3.5.4.2.1 Ensure IPv6 default deny firewall policy - 'Chain OUTPUT' 5.2.13 Ensure only strong Ciphers are used - approved ciphers 5.2.13 Ensure only strong Ciphers are used - weak ciphers 5.2.14 Ensure only strong MAC algorithms are used - approved MACs 5.2.14 Ensure only strong MAC algorithms are used - weak MACs 5.2.15 Ensure only strong Key Exchange algorithms are used - approved algorithms 5.2.15 Ensure only strong Key Exchange algorithms are used - weak algorithms Miscellaneous Metadata updated. Platform check updated. References updated. Added 1.8.1.1 Ensure message of the day is configured properly - banner 1.8.1.1 Ensure message of the day is configured properly - platform flags 1.8.1.2 Ensure local login warning banner is configured properly - banner 1.8.1.2 Ensure local login warning banner is configured properly - platform flags 1.8.1.3 Ensure remote login warning banner is configured properly - banner 1.8.1.3 Ensure remote login warning banner is configured properly - platform flags Removed 1.8.1.1 Ensure message of the day is configured properly 1.8.1.2 Ensure local login warning banner is configured properly 1.8.1.3 Ensure remote login warning banner is configured properly
Revision 1.13 Oct 14, 2020 Functional Update 4.2.3 Ensure permissions on all logfiles are configured
Revision 1.12 Oct 5, 2020 Functional Update 1.1.10 Ensure noexec option set on /var/tmp partition 1.1.14 Ensure nodev option set on /home partition 1.1.15 Ensure nodev option set on /dev/shm partition 1.1.16 Ensure nosuid option set on /dev/shm partition 1.1.17 Ensure noexec option set on /dev/shm partition 1.1.18 Ensure nodev option set on removable media partitions 1.1.19 Ensure nosuid option set on removable media partitions 1.1.20 Ensure noexec option set on removable media partitions 1.1.3 Ensure nodev option set on /tmp partition 1.1.4 Ensure nosuid option set on /tmp partition 1.1.5 Ensure noexec option set on /tmp partition 1.1.8 Ensure nodev option set on /var/tmp partition 1.1.9 Ensure nosuid option set on /var/tmp partition 1.4.2 Ensure filesystem integrity is regularly checked 1.6.1 Ensure XD/NX support is enabled 1.6.4 Ensure core dumps are restricted - processsizemax 1.6.4 Ensure core dumps are restricted - storage 1.8.2 Ensure GDM login banner is configured - banner-message-enable 1.8.2 Ensure GDM login banner is configured - banner-message-text 2.2.1.1 Ensure time synchronization is in use 2.2.1.2 Ensure systemd-timesyncd is configured - FallbackNTP 2.2.1.2 Ensure systemd-timesyncd is configured - NTP 2.2.1.2 Ensure systemd-timesyncd is configured - RootDistanceMaxSec 2.2.1.3 Ensure chrony is configured - server 2.2.1.3 Ensure chrony is configured - uid 2.2.1.4 Ensure ntp is configured - restrict -4 2.2.1.4 Ensure ntp is configured - restrict -6 2.2.1.4 Ensure ntp is configured - server 2.2.1.4 Ensure ntp is configured - user 3.5.1.1 Ensure a Firewall package is installed 3.5.2.1 Ensure ufw service is enabled - systemctl 3.5.2.1 Ensure ufw service is enabled - ufw 3.5.2.2 Ensure default deny firewall policy 3.5.2.3 Ensure loopback traffic is configured - v4 3.5.2.3 Ensure loopback traffic is configured - v6 3.5.2.4 Ensure outbound connections are configured 3.5.2.5 Ensure firewall rules exist for all open ports 3.5.3.1 Ensure iptables are flushed - v4 3.5.3.1 Ensure iptables are flushed - v6 3.5.3.2 Ensure a table exists 3.5.3.3 Ensure base chains exist - forward 3.5.3.3 Ensure base chains exist - input 3.5.3.3 Ensure base chains exist - output 3.5.3.4 Ensure loopback traffic is configured - lo 3.5.3.4 Ensure loopback traffic is configured - v4 3.5.3.4 Ensure loopback traffic is configured - v6 3.5.3.5 Ensure outbound and established connections are configured 3.5.3.6 Ensure default deny firewall policy - forward 3.5.3.6 Ensure default deny firewall policy - input 3.5.3.6 Ensure default deny firewall policy - output 3.5.3.7 Ensure nftables service is enabled 3.5.3.8 Ensure nftables rules are permanent 3.5.4.1.1 Ensure default deny firewall policy - 'Chain FORWARD' 3.5.4.1.1 Ensure default deny firewall policy - 'Chain INPUT' 3.5.4.1.1 Ensure default deny firewall policy - 'Chain OUTPUT' 3.5.4.1.2 Ensure loopback traffic is configured 3.5.4.1.3 Ensure outbound and established connections are configured 3.5.4.1.4 Ensure firewall rules exist for all open ports 3.5.4.2.1 Ensure IPv6 default deny firewall policy - 'Chain FORWARD' 3.5.4.2.1 Ensure IPv6 default deny firewall policy - 'Chain INPUT' 3.5.4.2.1 Ensure IPv6 default deny firewall policy - 'Chain OUTPUT' 3.5.4.2.2 Ensure IPv6 loopback traffic is configured 3.5.4.2.3 Ensure IPv6 outbound and established connections are configured 3.5.4.2.4 Ensure IPv6 firewall rules exist for all open ports 4.2.1.1 Ensure rsyslog is installed 4.2.1.2 Ensure rsyslog Service is enabled 4.2.1.3 Ensure logging is configured - '.;mail.none;news.none -/var/log/messages' 4.2.1.3 Ensure logging is configured - '.=warning;.=err -/var/log/warn' 4.2.1.3 Ensure logging is configured - '.crit /var/log/warn' 4.2.1.3 Ensure logging is configured - '.emerg :omusrmsg:' 4.2.1.3 Ensure logging is configured - 'auth,authpriv. /var/log/auth.log' 4.2.1.3 Ensure logging is configured - 'local0,local1.* -/var/log/localmessages' 4.2.1.3 Ensure logging is configured - 'local2,local3.* -/var/log/localmessages' 4.2.1.3 Ensure logging is configured - 'local4,local5.* -/var/log/localmessages' 4.2.1.3 Ensure logging is configured - 'local6,local7.* -/var/log/localmessages' 4.2.1.3 Ensure logging is configured - 'mail.* -/var/log/mail' 4.2.1.3 Ensure logging is configured - 'mail.err /var/log/mail.err' 4.2.1.3 Ensure logging is configured - 'mail.info -/var/log/mail.info' 4.2.1.3 Ensure logging is configured - 'mail.warning -/var/log/mail.warn' 4.2.1.3 Ensure logging is configured - 'news.crit -/var/log/news/news.crit' 4.2.1.3 Ensure logging is configured - 'news.err -/var/log/news/news.err' 4.2.1.3 Ensure logging is configured - 'news.notice -/var/log/news/news.notice' 4.2.1.3 ensure logging is configured - '.;mail.none;news.none -/var/log/messages' 4.2.1.3 ensure logging is configured - '.=warning;.=err -/var/log/warn' 4.2.1.3 ensure logging is configured - '.crit /var/log/warn' 4.2.1.3 ensure logging is configured - '.emerg :omusrmsg:' 4.2.1.3 ensure logging is configured - 'local0,local1. -/var/log/localmessages' 4.2.1.3 ensure logging is configured - 'local2,local3.* -/var/log/localmessages' 4.2.1.3 ensure logging is configured - 'local4,local5.* -/var/log/localmessages' 4.2.1.3 ensure logging is configured - 'local6,local7.* -/var/log/localmessages' 4.2.1.3 ensure logging is configured - 'mail.* -/var/log/mail' 4.2.1.3 ensure logging is configured - 'mail.err /var/log/mail.err' 4.2.1.3 ensure logging is configured - 'mail.info -/var/log/mail.info' 4.2.1.3 ensure logging is configured - 'mail.warning -/var/log/mail.warn' 4.2.1.3 ensure logging is configured - 'news.crit -/var/log/news/news.crit' 4.2.1.3 ensure logging is configured - 'news.err -/var/log/news/news.err' 4.2.1.3 ensure logging is configured - 'news.notice -/var/log/news/news.notice' 4.2.1.4 Ensure rsyslog default file permissions configured 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - InputTCPServerRun 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - ModLoad 5.3.1 Ensure password creation requirements are configured - 'dcredit' 5.3.1 Ensure password creation requirements are configured - 'lcredit' 5.3.1 Ensure password creation requirements are configured - 'ocredit' 5.3.1 Ensure password creation requirements are configured - 'ucredit' Miscellaneous Platform check updated.
Revision 1.11 Sep 30, 2020 Functional Update 6.2.10 Ensure users' dot files are not group or world writable
Revision 1.10 Sep 29, 2020 Miscellaneous References updated.
Revision 1.9 Aug 25, 2020 Functional Update 5.4.1.1 Ensure password expiration is 365 days or less - users
Revision 1.8 Aug 10, 2020 Functional Update 1.8.1.1 Ensure message of the day is configured properly 1.8.1.2 Ensure local login warning banner is configured properly 1.8.1.3 Ensure remote login warning banner is configured properly 2.2.1.1 Ensure time synchronization is in use 2.2.1.2 Ensure systemd-timesyncd is configured - FallbackNTP 2.2.1.2 Ensure systemd-timesyncd is configured - NTP 2.2.1.2 Ensure systemd-timesyncd is configured - RootDistanceMaxSec 2.2.1.3 Ensure chrony is configured - server 2.2.1.3 Ensure chrony is configured - uid 2.2.1.4 Ensure ntp is configured - restrict -4 2.2.1.4 Ensure ntp is configured - restrict -6 2.2.1.4 Ensure ntp is configured - server 2.2.1.4 Ensure ntp is configured - user 4.2.1.1 Ensure rsyslog is installed 4.2.1.2 Ensure rsyslog Service is enabled 4.2.1.3 Ensure logging is configured - '.;mail.none;news.none -/var/log/messages' 4.2.1.3 Ensure logging is configured - '.=warning;.=err -/var/log/warn' 4.2.1.3 Ensure logging is configured - '.crit /var/log/warn' 4.2.1.3 Ensure logging is configured - '.emerg :omusrmsg:' 4.2.1.3 Ensure logging is configured - 'auth,authpriv. /var/log/auth.log' 4.2.1.3 Ensure logging is configured - 'local0,local1.* -/var/log/localmessages' 4.2.1.3 Ensure logging is configured - 'local2,local3.* -/var/log/localmessages' 4.2.1.3 Ensure logging is configured - 'local4,local5.* -/var/log/localmessages' 4.2.1.3 Ensure logging is configured - 'local6,local7.* -/var/log/localmessages' 4.2.1.3 Ensure logging is configured - 'mail.* -/var/log/mail' 4.2.1.3 Ensure logging is configured - 'mail.err /var/log/mail.err' 4.2.1.3 Ensure logging is configured - 'mail.info -/var/log/mail.info' 4.2.1.3 Ensure logging is configured - 'mail.warning -/var/log/mail.warn' 4.2.1.3 Ensure logging is configured - 'news.crit -/var/log/news/news.crit' 4.2.1.3 Ensure logging is configured - 'news.err -/var/log/news/news.err' 4.2.1.3 Ensure logging is configured - 'news.notice -/var/log/news/news.notice' 4.2.1.4 Ensure rsyslog default file permissions configured 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - InputTCPServerRun 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - ModLoad 5.2.10 Ensure SSH root login is disabled 5.2.11 Ensure SSH PermitEmptyPasswords is disabled 5.2.12 Ensure SSH PermitUserEnvironment is disabled 5.2.14 Ensure only strong MAC algorithms are used - approved MACs 5.2.14 Ensure only strong MAC algorithms are used - weak MACs 5.2.15 Ensure only strong Key Exchange algorithms are used - approved algorithms 5.2.15 Ensure only strong Key Exchange algorithms are used - weak algorithms 5.2.16 Ensure SSH Idle Timeout Interval is configured - 'ClientAliveCountMax' 5.2.16 Ensure SSH Idle Timeout Interval is configured - 'ClientAliveInterval' 5.2.17 Ensure SSH LoginGraceTime is set to one minute or less 5.2.18 Ensure SSH access is limited 5.2.19 Ensure SSH warning banner is configured 5.2.20 Ensure SSH PAM is enabled 5.2.22 Ensure SSH MaxStartups is configured 5.2.23 Ensure SSH MaxSessions is set to 4 or less 5.2.4 Ensure SSH Protocol is not set to 1 5.2.5 Ensure SSH LogLevel is appropriate 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less 5.2.8 Ensure SSH IgnoreRhosts is enabled 5.2.9 Ensure SSH HostbasedAuthentication is disabled Informational Update 4.2.1.1 Ensure rsyslog is installed 4.2.1.2 Ensure rsyslog Service is enabled 4.2.1.3 Ensure logging is configured - '.;mail.none;news.none -/var/log/messages' 4.2.1.3 Ensure logging is configured - '.=warning;.=err -/var/log/warn' 4.2.1.3 Ensure logging is configured - '.crit /var/log/warn' 4.2.1.3 Ensure logging is configured - '.emerg :omusrmsg:' 4.2.1.3 Ensure logging is configured - 'auth,authpriv. /var/log/auth.log' 4.2.1.3 Ensure logging is configured - 'local0,local1.* -/var/log/localmessages' 4.2.1.3 Ensure logging is configured - 'local2,local3.* -/var/log/localmessages' 4.2.1.3 Ensure logging is configured - 'local4,local5.* -/var/log/localmessages' 4.2.1.3 Ensure logging is configured - 'local6,local7.* -/var/log/localmessages' 4.2.1.3 Ensure logging is configured - 'mail.* -/var/log/mail' 4.2.1.3 Ensure logging is configured - 'mail.err /var/log/mail.err' 4.2.1.3 Ensure logging is configured - 'mail.info -/var/log/mail.info' 4.2.1.3 Ensure logging is configured - 'mail.warning -/var/log/mail.warn' 4.2.1.3 Ensure logging is configured - 'news.crit -/var/log/news/news.crit' 4.2.1.3 Ensure logging is configured - 'news.err -/var/log/news/news.err' 4.2.1.3 Ensure logging is configured - 'news.notice -/var/log/news/news.notice' 4.2.1.4 Ensure rsyslog default file permissions configured 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - InputTCPServerRun 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - ModLoad 5.3.2 Ensure lockout for failed password attempts is configured - account pam_deny.so 5.3.2 Ensure lockout for failed password attempts is configured - auth pam_tally2.so Miscellaneous Platform check updated. References updated. Variables updated. Added 4.2.1.3 ensure logging is configured - '.;mail.none;news.none -/var/log/messages' 4.2.1.3 ensure logging is configured - '.=warning;.=err -/var/log/warn' 4.2.1.3 ensure logging is configured - '.crit /var/log/warn' 4.2.1.3 ensure logging is configured - '.emerg :omusrmsg:' 4.2.1.3 ensure logging is configured - 'local0,local1. -/var/log/localmessages' 4.2.1.3 ensure logging is configured - 'local2,local3.* -/var/log/localmessages' 4.2.1.3 ensure logging is configured - 'local4,local5.* -/var/log/localmessages' 4.2.1.3 ensure logging is configured - 'local6,local7.* -/var/log/localmessages' 4.2.1.3 ensure logging is configured - 'mail.* -/var/log/mail' 4.2.1.3 ensure logging is configured - 'mail.err /var/log/mail.err' 4.2.1.3 ensure logging is configured - 'mail.info -/var/log/mail.info' 4.2.1.3 ensure logging is configured - 'mail.warning -/var/log/mail.warn' 4.2.1.3 ensure logging is configured - 'news.crit -/var/log/news/news.crit' 4.2.1.3 ensure logging is configured - 'news.err -/var/log/news/news.err' 4.2.1.3 ensure logging is configured - 'news.notice -/var/log/news/news.notice' 5.3.2 Ensure lockout for failed password attempts is configured - account pam_tally2.so Removed 5.3.2 Ensure lockout for failed password attempts is configured - account pam_tally.so
Revision 1.7 Aug 4, 2020 Functional Update 4.2.3 Ensure permissions on all logfiles are configured
Revision 1.6 Jul 28, 2020 Functional Update 6.1.11 Ensure no unowned files or directories exist 6.1.12 Ensure no ungrouped files or directories exist