CIS Ubuntu Linux 20.04 LTS v3.0.0 L1 Workstation

Audit Details

Name: CIS Ubuntu Linux 20.04 LTS v3.0.0 L1 Workstation

Updated: 12/29/2025

Authority: CIS

Plugin: Unix

Revision: 1.2

Estimated Item Count: 248

File Details

Filename: CIS_Ubuntu_Linux_20.04_LTS_v3.0.0_L1_Workstation.audit

Size: 1.27 MB

MD5: a1f61f842820894da0aca21c57517b30

SHA256: e862ec70d3ca82e736aeb58c75dd5a1361eeef5fc342ed0ea4f30063faea3a19

Audit Changelog


Revision 1.2 Dec 29, 2025 Functional Update 5.4.1.3 Ensure password expiration warning days is configured Miscellaneous Metadata updated. Platform check updated. References updated. Variables updated. Added CIS_Ubuntu_Linux_20.04_LTS_v3.0.0_L1_Workstation.audit from CIS Ubuntu Linux 20.04 LTS v3.0.0 Removed CIS_Ubuntu_Linux_20.04_LTS_v3.0.0_L1_Workstation.audit from CIS Ubuntu Linux 20.04 LTS Benchmark v3.0.0
Revision 1.1 Nov 3, 2025 Functional Update 2.1.10 Ensure nis server services are not in use 2.1.12 Ensure rpcbind services are not in use 2.1.19 Ensure xinetd services are not in use 2.1.5 Ensure dnsmasq services are not in use 2.2.6 Ensure ftp client is not installed 6.2.1.2 Ensure journald log file access is configured 6.2.3.2 Ensure rsyslog is installed Informational Update 1.1.1.1 Ensure cramfs kernel module is not available 1.1.1.10 Ensure unused filesystems kernel modules are not available 1.1.1.2 Ensure freevxfs kernel module is not available 1.1.1.3 Ensure hfs kernel module is not available 1.1.1.4 Ensure hfsplus kernel module is not available 1.1.1.5 Ensure jffs2 kernel module is not available 1.1.2.1.1 Ensure /tmp is a separate partition 1.1.2.1.2 Ensure nodev option set on /tmp partition 1.1.2.1.3 Ensure nosuid option set on /tmp partition 1.1.2.1.4 Ensure noexec option set on /tmp partition 1.1.2.2.1 Ensure /dev/shm is a separate partition 1.1.2.2.2 Ensure nodev option set on /dev/shm partition 1.1.2.2.3 Ensure nosuid option set on /dev/shm partition 1.1.2.2.4 Ensure noexec option set on /dev/shm partition 1.1.2.3.2 Ensure nodev option set on /home partition 1.1.2.3.3 Ensure nosuid option set on /home partition 1.1.2.4.2 Ensure nodev option set on /var partition 1.1.2.4.3 Ensure nosuid option set on /var partition 1.1.2.5.2 Ensure nodev option set on /var/tmp partition 1.1.2.5.3 Ensure nosuid option set on /var/tmp partition 1.1.2.5.4 Ensure noexec option set on /var/tmp partition 1.1.2.6.2 Ensure nodev option set on /var/log partition 1.1.2.6.3 Ensure nosuid option set on /var/log partition 1.1.2.6.4 Ensure noexec option set on /var/log partition 1.1.2.7.2 Ensure nodev option set on /var/log/audit partition 1.1.2.7.3 Ensure nosuid option set on /var/log/audit partition 1.1.2.7.4 Ensure noexec option set on /var/log/audit partition 1.5.1 Ensure address space layout randomization is enabled 1.5.2 Ensure ptrace_scope is restricted 1.5.3 Ensure core dumps are restricted 1.6.1 Ensure /etc/motd is configured 1.6.2 Ensure /etc/issue is configured 1.6.3 Ensure /etc/issue.net is configured 1.7.2 Ensure GDM login banner is configured 1.7.3 Ensure GDM disable-user-list option is enabled 1.7.4 Ensure GDM screen locks when the user is idle 1.7.5 Ensure GDM screen locks cannot be overridden 1.7.8 Ensure GDM autorun-never is enabled 1.7.9 Ensure GDM autorun-never is not overridden 2.1.12 Ensure rpcbind services are not in use 2.1.13 Ensure rsync services are not in use 2.1.15 Ensure snmp services are not in use 2.1.16 Ensure tftp server services are not in use 2.1.18 Ensure web server services are not in use 2.1.19 Ensure xinetd services are not in use 2.1.3 Ensure dhcp server services are not in use 2.1.4 Ensure dns server services are not in use 2.1.8 Ensure message access server services are not in use 2.2.2 Ensure rsh client is not installed 2.3.1.1 Ensure a single time synchronization daemon is in use 2.3.2.1 Ensure systemd-timesyncd configured with authorized timeserver 2.3.3.1 Ensure chrony is configured with authorized timeserver 2.3.3.2 Ensure chrony is running as user _chrony 2.4.1.8 Ensure access to /etc/cron.d is configured 2.4.1.9 Ensure access to crontab is configured 2.4.2.1 Ensure access to at is configured 3.3.1 Ensure ip forwarding is disabled 3.3.10 Ensure tcp syn cookies is enabled 3.3.11 Ensure ipv6 router advertisements are not accepted 3.3.2 Ensure packet redirect sending is disabled 3.3.3 Ensure bogus icmp responses are ignored 3.3.4 Ensure broadcast icmp requests are ignored 3.3.5 Ensure icmp redirects are not accepted 3.3.6 Ensure secure icmp redirects are not accepted 3.3.7 Ensure reverse path filtering is enabled 3.3.8 Ensure source routed packets are not accepted 3.3.9 Ensure suspicious packets are logged 4.1.1 Ensure a single firewall configuration utility is in use 4.2.4 Ensure ufw service is enabled 4.3.8 Ensure nftables default deny firewall policy 5.1.1 Ensure access to /etc/ssh/sshd_config is configured 5.1.10 Ensure sshd HostbasedAuthentication is disabled 5.1.11 Ensure sshd IgnoreRhosts is enabled 5.1.15 Ensure sshd MACs are configured 5.1.20 Ensure sshd PermitRootLogin is disabled 5.1.22 Ensure sshd UsePAM is enabled 5.1.4 Ensure sshd access is configured 5.1.5 Ensure sshd Banner is configured 5.1.7 Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured 5.2.1 Ensure sudo is installed 5.2.2 Ensure sudo commands use pty 5.2.3 Ensure sudo log file exists 5.2.7 Ensure access to the su command is restricted 5.3.1.1 Ensure latest version of pam is installed 5.3.1.2 Ensure latest version of libpam-modules is installed 5.3.1.3 Ensure latest version of libpam-pwquality is installed 5.3.2.1 Ensure pam_unix module is enabled 5.3.2.2 Ensure pam_faillock module is enabled 5.3.2.4 Ensure pam_pwhistory module is enabled 5.3.3.1.1 Ensure password failed attempts lockout is configured 5.3.3.2.1 Ensure password number of changed characters is configured 5.3.3.2.2 Ensure minimum password length is configured 5.3.3.2.3 Ensure password complexity is configured 5.3.3.2.4 Ensure password same consecutive characters is configured 5.3.3.2.5 Ensure password maximum sequential characters is configured 5.3.3.2.6 Ensure password dictionary check is enabled 5.3.3.2.7 Ensure password quality checking is enforced 5.3.3.4.2 Ensure pam_unix does not include remember 5.4.1.4 Ensure strong password hashing algorithm is configured 5.4.2.5 Ensure root path integrity 5.4.2.6 Ensure root user umask is configured 5.4.3.2 Ensure default user shell timeout is configured 5.4.3.3 Ensure default user umask is configured 6.1.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools 6.2.1.3 Ensure journald log file rotation is configured 6.2.2.1.1 Ensure systemd-journal-remote is installed 6.2.2.1.2 Ensure systemd-journal-upload authentication is configured 6.2.2.1.3 Ensure systemd-journal-upload is enabled and active 6.2.2.1.4 Ensure systemd-journal-remote service is not in use 6.2.2.2 Ensure journald ForwardToSyslog is disabled 6.2.2.3 Ensure journald Compress is configured 6.2.2.4 Ensure journald Storage is configured 6.2.3.3 Ensure journald is configured to send logs to rsyslog 6.2.3.4 Ensure rsyslog log file creation mode is configured 6.2.3.7 Ensure rsyslog is not configured to receive logs from a remote client 6.2.3.8 Ensure logrotate is configured 6.2.4.1 Ensure access to all logfiles has been configured 7.2.1 Ensure accounts in /etc/passwd use shadowed passwords 7.2.10 Ensure local interactive user dot files access is configured 7.2.3 Ensure all groups in /etc/passwd exist in /etc/group 7.2.7 Ensure no duplicate user names exist 7.2.8 Ensure no duplicate group names exist Miscellaneous Metadata updated.

Detections

Analytics

CIS Ubuntu Linux 20.04 LTS v3.0.0 L1 Workstation

Audit Details

File Details

Audit Changelog

Revision 1.2

Functional Update

Miscellaneous

Added

Removed

Revision 1.1

Functional Update

Informational Update

Miscellaneous

Detections

Analytics

CIS Ubuntu Linux 20.04 LTS v3.0.0 L1 Workstation Download File

Audit Details

File Details

Audit Changelog

Revision 1.2

Functional Update

Miscellaneous

Added

Removed

Revision 1.1

Functional Update

Informational Update

Miscellaneous

CIS Ubuntu Linux 20.04 LTS v3.0.0 L1 Workstation