CIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0

Audit Details

Name: CIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0

Updated: 11/14/2022

Authority: CIS

Plugin: Unix

Revision: 1.12

Estimated Item Count: 315

File Details

Filename: CIS_Ubuntu_18.04_LTS_Workstation_v2.1.0_L1.audit

Size: 751 kB

MD5: 8ee3e1c3204ad3c07df9a8de9bed944d
SHA256: 8145d34f60cd5f665d6e546c6a4b94000baffa9aa374ccbd57231743b50da7db

Audit Changelog

Revision 1.12

Nov 14, 2022

Functional Update
  • 1.3.2 Ensure filesystem integrity is regularly checked
  • 2.1.1.4 Ensure ntp is configured - user
  • 3.5.2.2 Ensure ufw is uninstalled or disabled with nftables
  • 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables
  • 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - InputTCPServerRun
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - ModLoad
Informational Update
  • 3.5.2.2 Ensure ufw is uninstalled or disabled with nftables
  • 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables
Miscellaneous
  • References updated.
Added
  • 3.5.1.1 Ensure ufw is installed
  • 3.5.1.2 Ensure iptables-persistent is not installed with ufw
  • 3.5.2.1 Ensure nftables is installed
  • 3.5.3.1.1 Ensure iptables packages are installed - iptables
  • 3.5.3.1.1 Ensure iptables packages are installed - iptables-persistent
  • 3.5.3.1.2 Ensure nftables is not installed with iptables
Revision 1.11

Nov 4, 2022

Functional Update
  • 1.1.2 Ensure /tmp is configured
  • 1.3.2 Ensure filesystem integrity is regularly checked
  • 2.1.1.4 Ensure ntp is configured - user
  • 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - InputTCPServerRun
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - ModLoad
  • 6.1.6 Ensure permissions on /etc/shadow are configured
  • 6.1.7 Ensure permissions on /etc/shadow- are configured
  • 6.1.8 Ensure permissions on /etc/gshadow are configured
  • 6.1.9 Ensure permissions on /etc/gshadow- are configured
Miscellaneous
  • References updated.
Added
  • 1.1.12 Ensure /var/tmp partition includes the nodev option
  • 1.1.13 Ensure /var/tmp partition includes the nosuid option
  • 1.1.14 Ensure /var/tmp partition includes the noexec option
  • 1.1.3 Ensure nodev option set on /tmp partition
  • 1.1.4 Ensure nosuid option set on /tmp partition
  • 1.1.5 Ensure noexec option set on /tmp partition
  • 1.1.7 Ensure nodev option set on /dev/shm partition
  • 1.1.8 Ensure nosuid option set on /dev/shm partition
  • 1.1.9 Ensure noexec option set on /dev/shm partition
  • 1.7.1 Ensure message of the day is configured properly - banner
  • 1.7.1 Ensure message of the day is configured properly - platform flags
  • 1.7.4 Ensure permissions on /etc/motd are configured
Removed
  • 1.1.12 Ensure /var/tmp partition includes the nodev option
  • 1.1.13 Ensure /var/tmp partition includes the nosuid option
  • 1.1.14 Ensure /var/tmp partition includes the noexec option
  • 1.1.3 Ensure nodev option set on /tmp partition
  • 1.1.4 Ensure nosuid option set on /tmp partition
  • 1.1.5 Ensure noexec option set on /tmp partition
  • 1.1.7 Ensure nodev option set on /dev/shm partition
  • 1.1.8 Ensure nosuid option set on /dev/shm partition
  • 1.1.9 Ensure noexec option set on /dev/shm partition
  • 1.7.1 Ensure message of the day is configured properly - banner
  • 1.7.1 Ensure message of the day is configured properly - platform flags
  • 1.7.4 Ensure permissions on /etc/motd are configured
Revision 1.10

Sep 19, 2022

Functional Update
  • 1.3.2 Ensure filesystem integrity is regularly checked
  • 2.1.1.4 Ensure ntp is configured - user
  • 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - InputTCPServerRun
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - ModLoad
  • 5.3.16 Ensure SSH Idle Timeout Interval is configured - 'ClientAliveInterval'
  • 5.3.22 Ensure SSH MaxSessions is limited
  • 5.5.1.5 Ensure all users last password change date is in the past
Miscellaneous
  • References updated.
Revision 1.9

Sep 7, 2022

Functional Update
  • 1.3.2 Ensure filesystem integrity is regularly checked
  • 2.1.1.4 Ensure ntp is configured - user
  • 2.1.16 Ensure rsync service is not installed
  • 2.1.17 Ensure NIS Server is not installed
  • 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - InputTCPServerRun
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - ModLoad
Miscellaneous
  • References updated.
Revision 1.8

Jul 27, 2022

Functional Update
  • 1.3.2 Ensure filesystem integrity is regularly checked
  • 2.1.1.4 Ensure ntp is configured - user
  • 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - InputTCPServerRun
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - ModLoad
  • 5.3.6 Ensure SSH X11 forwarding is disabled
Miscellaneous
  • References updated.
Revision 1.7

Jul 21, 2022

Functional Update
  • 1.3.2 Ensure filesystem integrity is regularly checked
  • 2.1.1.3 Ensure chrony is configured - server
  • 2.1.1.4 Ensure ntp is configured - user
  • 3.5.2.1 Ensure nftables is installed
  • 3.5.2.10 Ensure nftables rules are permanent
  • 3.5.2.2 Ensure ufw is uninstalled or disabled with nftables
  • 3.5.2.3 Ensure iptables are flushed with nftables - v4
  • 3.5.2.3 Ensure iptables are flushed with nftables - v6
  • 3.5.2.4 Ensure a nftables table exists
  • 3.5.2.5 Ensure nftables base chains exist - forward
  • 3.5.2.5 Ensure nftables base chains exist - input
  • 3.5.2.5 Ensure nftables base chains exist - output
  • 3.5.2.6 Ensure nftables loopback traffic is configured - lo
  • 3.5.2.6 Ensure nftables loopback traffic is configured - v4
  • 3.5.2.6 Ensure nftables loopback traffic is configured - v6
  • 3.5.2.7 Ensure nftables outbound and established connections are configured
  • 3.5.2.7 Ensure outbound and established connections are configured
  • 3.5.2.8 Ensure nftables default deny firewall policy - forward
  • 3.5.2.8 Ensure nftables default deny firewall policy - input
  • 3.5.2.8 Ensure nftables default deny firewall policy - output
  • 3.5.2.9 Ensure nftables service is enabled
  • 3.5.3.1.1 Ensure iptables packages are installed - iptables
  • 3.5.3.1.1 Ensure iptables packages are installed - iptables-persistent
  • 3.5.3.1.2 Ensure nftables is not installed with iptables
  • 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables
  • 3.5.3.2.1 Ensure iptables default deny firewall policy - 'Chain FORWARD'
  • 3.5.3.2.1 Ensure iptables default deny firewall policy - 'Chain INPUT'
  • 3.5.3.2.1 Ensure iptables default deny firewall policy - 'Chain OUTPUT'
  • 3.5.3.2.2 Ensure iptables loopback traffic is configured
  • 3.5.3.2.3 Ensure iptables outbound and established connections are configured
  • 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports
  • 3.5.3.3.1 Ensure ip6tables default deny firewall policy - 'Chain FORWARD'
  • 3.5.3.3.1 Ensure ip6tables default deny firewall policy - 'Chain INPUT'
  • 3.5.3.3.1 Ensure ip6tables default deny firewall policy - 'Chain OUTPUT'
  • 3.5.3.3.2 Ensure ip6tables loopback traffic is configured
  • 3.5.3.3.3 Ensure ip6tables outbound and established connections are configured
  • 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports
  • 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - InputTCPServerRun
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - ModLoad
Miscellaneous
  • References updated.
Revision 1.6

Jul 12, 2022

Functional Update
  • 1.3.2 Ensure filesystem integrity is regularly checked
  • 2.1.1.4 Ensure ntp is configured - user
  • 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - InputTCPServerRun
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - ModLoad
Informational Update
  • 1.4.1 Ensure permissions on bootloader config are not overridden - chmod
  • 1.4.1 Ensure permissions on bootloader config are not overridden - if line
Miscellaneous
  • References updated.
Revision 1.5

Apr 25, 2022

Functional Update
  • 1.3.2 Ensure filesystem integrity is regularly checked
  • 2.1.1.4 Ensure ntp is configured - user
  • 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - InputTCPServerRun
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - ModLoad
Miscellaneous
  • References updated.
Revision 1.4

Mar 29, 2022

Functional Update
  • 1.3.2 Ensure filesystem integrity is regularly checked
  • 2.1.1.4 Ensure ntp is configured - user
  • 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - InputTCPServerRun
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - ModLoad
Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.3

Nov 19, 2021

Functional Update
  • 1.3.2 Ensure filesystem integrity is regularly checked
  • 2.1.1.4 Ensure ntp is configured - user
  • 3.5.1.1 Ensure ufw is installed
  • 3.5.1.2 Ensure iptables-persistent is not installed with ufw
  • 3.5.1.3 Ensure ufw service is enabled - systemctl
  • 3.5.1.3 Ensure ufw service is enabled - ufw
  • 3.5.1.4 Ensure ufw loopback traffic is configured - v4
  • 3.5.1.4 Ensure ufw loopback traffic is configured - v6
  • 3.5.1.5 Ensure ufw outbound connections are configured
  • 3.5.1.6 Ensure ufw firewall rules exist for all open ports
  • 3.5.1.7 Ensure ufw default deny firewall policy
  • 3.5.2.1 Ensure nftables is installed
  • 3.5.2.10 Ensure nftables rules are permanent
  • 3.5.2.2 Ensure ufw is uninstalled or disabled with nftables
  • 3.5.2.3 Ensure iptables are flushed with nftables - v4
  • 3.5.2.3 Ensure iptables are flushed with nftables - v6
  • 3.5.2.4 Ensure a nftables table exists
  • 3.5.2.5 Ensure nftables base chains exist - forward
  • 3.5.2.5 Ensure nftables base chains exist - input
  • 3.5.2.5 Ensure nftables base chains exist - output
  • 3.5.2.6 Ensure nftables loopback traffic is configured - lo
  • 3.5.2.6 Ensure nftables loopback traffic is configured - v4
  • 3.5.2.6 Ensure nftables loopback traffic is configured - v6
  • 3.5.2.7 Ensure nftables outbound and established connections are configured
  • 3.5.2.7 Ensure outbound and established connections are configured
  • 3.5.2.8 Ensure nftables default deny firewall policy - forward
  • 3.5.2.8 Ensure nftables default deny firewall policy - input
  • 3.5.2.8 Ensure nftables default deny firewall policy - output
  • 3.5.2.9 Ensure nftables service is enabled
  • 3.5.3.1.1 Ensure iptables packages are installed - iptables
  • 3.5.3.1.1 Ensure iptables packages are installed - iptables-persistent
  • 3.5.3.1.2 Ensure nftables is not installed with iptables
  • 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables
  • 3.5.3.2.1 Ensure iptables default deny firewall policy - 'Chain FORWARD'
  • 3.5.3.2.1 Ensure iptables default deny firewall policy - 'Chain INPUT'
  • 3.5.3.2.1 Ensure iptables default deny firewall policy - 'Chain OUTPUT'
  • 3.5.3.2.2 Ensure iptables loopback traffic is configured
  • 3.5.3.2.3 Ensure iptables outbound and established connections are configured
  • 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports
  • 3.5.3.3.1 Ensure ip6tables default deny firewall policy - 'Chain FORWARD'
  • 3.5.3.3.1 Ensure ip6tables default deny firewall policy - 'Chain INPUT'
  • 3.5.3.3.1 Ensure ip6tables default deny firewall policy - 'Chain OUTPUT'
  • 3.5.3.3.2 Ensure ip6tables loopback traffic is configured
  • 3.5.3.3.3 Ensure ip6tables outbound and established connections are configured
  • 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports
  • 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - InputTCPServerRun
  • 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - ModLoad
Informational Update
  • 3.5.1.1 Ensure ufw is installed
  • 3.5.1.2 Ensure iptables-persistent is not installed with ufw
  • 3.5.1.3 Ensure ufw service is enabled - systemctl
  • 3.5.1.3 Ensure ufw service is enabled - ufw
  • 3.5.1.4 Ensure ufw loopback traffic is configured - v4
  • 3.5.1.4 Ensure ufw loopback traffic is configured - v6
  • 3.5.1.5 Ensure ufw outbound connections are configured
  • 3.5.1.6 Ensure ufw firewall rules exist for all open ports
  • 3.5.1.7 Ensure ufw default deny firewall policy
  • 3.5.2.1 Ensure nftables is installed
  • 3.5.2.10 Ensure nftables rules are permanent
  • 3.5.2.2 Ensure ufw is uninstalled or disabled with nftables
  • 3.5.2.3 Ensure iptables are flushed with nftables - v4
  • 3.5.2.3 Ensure iptables are flushed with nftables - v6
  • 3.5.2.4 Ensure a nftables table exists
  • 3.5.2.5 Ensure nftables base chains exist - forward
  • 3.5.2.5 Ensure nftables base chains exist - input
  • 3.5.2.5 Ensure nftables base chains exist - output
  • 3.5.2.6 Ensure nftables loopback traffic is configured - lo
  • 3.5.2.6 Ensure nftables loopback traffic is configured - v4
  • 3.5.2.6 Ensure nftables loopback traffic is configured - v6
  • 3.5.2.7 Ensure nftables outbound and established connections are configured
  • 3.5.2.7 Ensure outbound and established connections are configured
  • 3.5.2.8 Ensure nftables default deny firewall policy - forward
  • 3.5.2.8 Ensure nftables default deny firewall policy - input
  • 3.5.2.8 Ensure nftables default deny firewall policy - output
  • 3.5.2.9 Ensure nftables service is enabled
  • 3.5.3.1.1 Ensure iptables packages are installed - iptables
  • 3.5.3.1.1 Ensure iptables packages are installed - iptables-persistent
  • 3.5.3.1.2 Ensure nftables is not installed with iptables
  • 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables
  • 3.5.3.2.1 Ensure iptables default deny firewall policy - 'Chain FORWARD'
  • 3.5.3.2.1 Ensure iptables default deny firewall policy - 'Chain INPUT'
  • 3.5.3.2.1 Ensure iptables default deny firewall policy - 'Chain OUTPUT'
  • 3.5.3.2.2 Ensure iptables loopback traffic is configured
  • 3.5.3.2.3 Ensure iptables outbound and established connections are configured
  • 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports
  • 3.5.3.3.1 Ensure ip6tables default deny firewall policy - 'Chain FORWARD'
  • 3.5.3.3.1 Ensure ip6tables default deny firewall policy - 'Chain INPUT'
  • 3.5.3.3.1 Ensure ip6tables default deny firewall policy - 'Chain OUTPUT'
  • 3.5.3.3.2 Ensure ip6tables loopback traffic is configured
  • 3.5.3.3.3 Ensure ip6tables outbound and established connections are configured
  • 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports
Miscellaneous
  • References updated.