Revision 1.12 Dec 19, 2025

Functional Update
  • 1.5.2 Ensure core dumps are restricted
Informational Update
  • 1.1.10 Disable USB Storage
  • 1.1.2.1 Ensure /tmp is a separate partition
  • 1.1.2.2 Ensure nodev option set on /tmp partition
  • 1.1.2.3 Ensure noexec option set on /tmp partition
  • 1.1.2.4 Ensure nosuid option set on /tmp partition
  • 1.1.3.2 Ensure nodev option set on /var partition
  • 1.1.3.3 Ensure nosuid option set on /var partition
  • 1.1.4.2 Ensure nodev option set on /var/tmp partition
  • 1.1.4.3 Ensure noexec option set on /var/tmp partition
  • 1.1.4.4 Ensure nosuid option set on /var/tmp partition
  • 1.1.5.2 Ensure nodev option set on /var/log partition
  • 1.1.5.3 Ensure noexec option set on /var/log partition
  • 1.1.5.4 Ensure nosuid option set on /var/log partition
  • 1.1.6.2 Ensure nodev option set on /var/log/audit partition
  • 1.1.6.3 Ensure noexec option set on /var/log/audit partition
  • 1.1.6.4 Ensure nosuid option set on /var/log/audit partition
  • 1.1.7.2 Ensure nodev option set on /home partition
  • 1.1.7.3 Ensure nosuid option set on /home partition
  • 1.1.9 Ensure autofs is not installed or the autofs service is disabled
  • 1.5.1 Ensure ptrace_scope is restricted
  • 1.5.2 Ensure core dumps are restricted
  • 1.5.3 Ensure address space layout randomization (ASLR) is enabled
  • 1.7.1 Ensure message of the day is configured properly
  • 1.7.2 Ensure local login warning banner is configured properly
  • 1.7.3 Ensure remote login warning banner is configured properly
  • 2.1.1.1 Ensure a single time synchronization daemon is in use
  • 2.1.2.1 Ensure chrony is configured with authorized timeserver
  • 2.1.2.2 Ensure chrony is running as user _chrony
  • 2.1.4.1 Ensure ntp access control is configured
  • 2.1.4.2 Ensure ntp is configured with authorized timeserver
  • 2.1.4.3 Ensure ntp is running as user ntp
  • 2.2.13 Ensure SNMP Server is not installed
  • 2.3.2 Ensure rsh client is not installed
  • 3.1.3 Ensure bluetooth services are not in use
  • 3.3.1 Ensure ip forwarding is disabled
  • 3.3.10 Ensure tcp syn cookies is enabled
  • 3.3.11 Ensure ipv6 router advertisements are not accepted
  • 3.3.2 Ensure packet redirect sending is disabled
  • 3.3.3 Ensure bogus icmp responses are ignored
  • 3.3.4 Ensure broadcast icmp requests are ignored
  • 3.3.5 Ensure icmp redirects are not accepted
  • 3.3.6 Ensure secure icmp redirects are not accepted
  • 3.3.7 Ensure reverse path filtering is enabled
  • 3.3.8 Ensure source routed packets are not accepted
  • 3.3.9 Ensure suspicious packets are logged
  • 3.4.1.3 Ensure ufw service is enabled
  • 3.4.2.8 Ensure nftables default deny firewall policy
  • 4.1.1 Ensure cron daemon is enabled and active
  • 4.1.2 Ensure permissions on /etc/crontab are configured
  • 4.1.3 Ensure permissions on /etc/cron.hourly are configured
  • 4.1.4 Ensure permissions on /etc/cron.daily are configured
  • 4.1.5 Ensure permissions on /etc/cron.weekly are configured
  • 4.1.6 Ensure permissions on /etc/cron.monthly are configured
  • 4.1.7 Ensure permissions on /etc/cron.d are configured
  • 4.1.8 Ensure cron is restricted to authorized users
  • 4.1.9 Ensure at is restricted to authorized users
  • 4.2.1 Ensure permissions on /etc/ssh/sshd_config are configured
  • 4.2.10 Ensure sshd IgnoreRhosts is enabled
  • 4.2.13 Ensure sshd LogLevel is configured
  • 4.2.14 Ensure sshd MACs are configured
  • 4.2.19 Ensure sshd PermitRootLogin is disabled
  • 4.2.21 Ensure sshd UsePAM is enabled
  • 4.2.6 Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured
  • 4.2.9 Ensure sshd HostbasedAuthentication is disabled
  • 4.3.1 Ensure sudo is installed
  • 4.3.2 Ensure sudo commands use pty
  • 4.3.3 Ensure sudo log file exists
  • 4.3.6 Ensure sudo authentication timeout is configured correctly
  • 4.3.7 Ensure access to the su command is restricted
  • 4.4.4 Ensure strong password hashing algorithm is configured
  • 4.5.1.2 Ensure password expiration is 365 days or less
  • 4.5.4 Ensure default user umask is 027 or more restrictive
  • 4.5.5 Ensure default user shell timeout is configured
  • 5.1.1.1.4 Ensure journald is not configured to receive logs from a remote client
  • 5.1.1.2 Ensure journald service is enabled
  • 5.1.1.4 Ensure journald is configured to write logfiles to persistent disk
  • 5.1.2.4 Ensure rsyslog default file permissions are configured
  • 5.1.2.7 Ensure rsyslog is not configured to receive logs from a remote client
  • 5.1.3 Ensure all logfiles have appropriate access configured
  • 5.2.4.11 Ensure cryptographic mechanisms are used to protect the integrity of audit tools
  • 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords
  • 6.2.10 Ensure local interactive user dot files access is configured
  • 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group
  • 6.2.7 Ensure no duplicate user names exist
  • 6.2.8 Ensure no duplicate group names exist
Miscellaneous
  • Metadata updated.
  • Platform check updated.
  • References updated.
Added
  • CIS_Ubuntu_Linux_18.04_LTS_v2.2.0_L1_Server.audit from CIS Ubuntu Linux 18.04 LTS v2.2.0
Removed
  • CIS_Ubuntu_Linux_18.04_LTS_v2.2.0_L1_Server.audit from CIS Ubuntu Linux 18.04 LTS Benchmark v2.2.0