CIS Oracle Linux 7 Workstation L1 v3.0.0

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS Oracle Linux 7 Workstation L1 v3.0.0

Updated: 7/2/2021

Authority: CIS

Plugin: Unix

Revision: 1.6

Estimated Item Count: 310

Audit Changelog


Revision 1.6 Jul 2, 2021 Miscellaneous Audit deprecated. Metadata updated. References updated.
Revision 1.5 Jun 17, 2021 Miscellaneous Metadata updated. References updated.
Revision 1.4 May 10, 2021 Functional Update 1.4.2 Ensure filesystem integrity is regularly checked 3.2.1 Ensure IP forwarding is disabled - ipv6 files 3.2.1 Ensure IP forwarding is disabled - ipv6 sysctl 3.3.1 Ensure source routed packets are not accepted - 'net.ipv6.conf.all.accept_source_route = 0' 3.3.1 Ensure source routed packets are not accepted - 'net.ipv6.conf.default.accept_source_route = 0' 3.3.1 Ensure source routed packets are not accepted - files 'net.ipv6.conf.all.accept_source_route = 0' 3.3.1 Ensure source routed packets are not accepted - files 'net.ipv6.conf.default.accept_source_route = 0' 3.3.2 Ensure ICMP redirects are not accepted - 'net.ipv6.conf.all.accept_redirects = 0' 3.3.2 Ensure ICMP redirects are not accepted - 'net.ipv6.conf.default.accept_redirects = 0' 3.3.2 Ensure ICMP redirects are not accepted - files 'net.ipv6.conf.all.accept_redirects = 0' 3.3.2 Ensure ICMP redirects are not accepted - files 'net.ipv6.conf.default.accept_redirects = 0' 3.3.9 Ensure IPv6 router advertisements are not accepted - 'net.ipv6.conf.all.accept_ra = 0' 3.3.9 Ensure IPv6 router advertisements are not accepted - 'net.ipv6.conf.default.accept_ra = 0' 3.3.9 Ensure IPv6 router advertisements are not accepted - files 'net.ipv6.conf.all.accept_ra = 0' 3.3.9 Ensure IPv6 router advertisements are not accepted - files 'net.ipv6.conf.default.accept_ra = 0' 3.5.2.7 Ensure loopback traffic is configured - ip6 saddr 3.5.3.2.1 Ensure default deny firewall policy - Chain FORWARD 3.5.3.2.1 Ensure default deny firewall policy - Chain INPUT 3.5.3.2.1 Ensure default deny firewall policy - Chain OUTPUT 3.5.3.3.1 Ensure IPv6 default deny firewall policy 3.5.3.3.2 Ensure IPv6 loopback traffic is configured - input 3.5.3.3.2 Ensure IPv6 loopback traffic is configured - output 3.5.3.3.3 Ensure IPv6 outbound and established connections are configured 3.5.3.3.4 Ensure IPv6 firewall rules exist for all open ports 3.5.3.3.5 Ensure ip6tables rules are saved 3.5.3.3.6 Ensure ip6tables is enabled and running - enabled 3.5.3.3.6 Ensure ip6tables is enabled and running - running Miscellaneous Metadata updated. References updated.
Revision 1.3 Dec 2, 2020 Miscellaneous Metadata updated.
Revision 1.2 Oct 14, 2020 Functional Update 4.2.3 Ensure permissions on all logfiles are configured
Revision 1.1 Oct 5, 2020 Functional Update 1.1.12 Ensure noexec option set on /var/tmp partition 1.1.13 Ensure nodev option set on /var/tmp partition 1.1.14 Ensure nosuid option set on /var/tmp partition 1.1.18 Ensure nodev option set on /home partition 1.1.3 Ensure noexec option set on /tmp partition 1.1.4 Ensure nodev option set on /tmp partition 1.1.5 Ensure nosuid option set on /tmp partition 1.10 Ensure GDM is removed or login is configured - banner message enabled 1.10 Ensure GDM is removed or login is configured - banner message text 1.10 Ensure GDM is removed or login is configured - file-db 1.10 Ensure GDM is removed or login is configured - system-db 1.10 Ensure GDM is removed or login is configured - user-db 1.4.2 Ensure filesystem integrity is regularly checked 1.5.1 Ensure bootloader password is set 1.5.2 Ensure permissions on bootloader config are configured - grub.cfg 1.5.2 Ensure permissions on bootloader config are configured - user.cfg 1.6.1 Ensure core dumps are restricted - systemd-coredump ProcessSizeMax 1.6.1 Ensure core dumps are restricted - systemd-coredump Storage 1.6.2 Ensure XD/NX support is enabled 2.2.1.1 Ensure time synchronization is in use 2.2.1.2 Ensure chrony is configured - NTP server 2.2.1.2 Ensure chrony is configured - OPTIONS 2.2.1.3 Ensure ntp is configured - -u ntp:ntp 2.2.1.3 Ensure ntp is configured - restrict -4 2.2.1.3 Ensure ntp is configured - restrict -6 2.2.1.3 Ensure ntp is configured - server 2.2.16 Ensure mail transfer agent is configured for local-only mode 2.2.17 Ensure rsync is not installed or the rsyncd service is masked 2.2.7 Ensure nfs-utils is not installed or the nfs-server service is masked 2.2.8 Ensure rpcbind is not installed or the rpcbind services are masked - rpcbind 2.2.8 Ensure rpcbind is not installed or the rpcbind services are masked - rpcbind.socket 3.2.1 Ensure IP forwarding is disabled - ipv6 files 3.2.1 Ensure IP forwarding is disabled - ipv6 sysctl 3.3.1 Ensure source routed packets are not accepted - 'net.ipv6.conf.all.accept_source_route = 0' 3.3.1 Ensure source routed packets are not accepted - 'net.ipv6.conf.default.accept_source_route = 0' 3.3.1 Ensure source routed packets are not accepted - files 'net.ipv6.conf.all.accept_source_route = 0' 3.3.1 Ensure source routed packets are not accepted - files 'net.ipv6.conf.default.accept_source_route = 0' 3.3.2 Ensure ICMP redirects are not accepted - 'net.ipv6.conf.all.accept_redirects = 0' 3.3.2 Ensure ICMP redirects are not accepted - 'net.ipv6.conf.default.accept_redirects = 0' 3.3.2 Ensure ICMP redirects are not accepted - files 'net.ipv6.conf.all.accept_redirects = 0' 3.3.2 Ensure ICMP redirects are not accepted - files 'net.ipv6.conf.default.accept_redirects = 0' 3.3.9 Ensure IPv6 router advertisements are not accepted - 'net.ipv6.conf.all.accept_ra = 0' 3.3.9 Ensure IPv6 router advertisements are not accepted - 'net.ipv6.conf.default.accept_ra = 0' 3.3.9 Ensure IPv6 router advertisements are not accepted - files 'net.ipv6.conf.all.accept_ra = 0' 3.3.9 Ensure IPv6 router advertisements are not accepted - files 'net.ipv6.conf.default.accept_ra = 0' 3.5.1.1 Ensure FirewallD is installed - firewalld 3.5.1.1 Ensure FirewallD is installed - iptables 3.5.1.2 Ensure iptables-services package is not installed 3.5.1.3 Ensure nftables is not installed or stopped and masked - masked 3.5.1.3 Ensure nftables is not installed or stopped and masked - stopped 3.5.1.4 Ensure firewalld service is enabled and running - enabled 3.5.1.4 Ensure firewalld service is enabled and running - running 3.5.1.5 Ensure default zone is set 3.5.1.6 Ensure network interfaces are assigned to appropriate zone 3.5.1.7 Ensure unnecessary services and ports are not accepted 3.5.2.1 Ensure nftables is installed 3.5.2.10 Ensure nftables service is enabled 3.5.2.11 Ensure nftables rules are permanent 3.5.2.2 Ensure firewalld is not installed or stopped and masked - masked 3.5.2.2 Ensure firewalld is not installed or stopped and masked - stopped 3.5.2.3 Ensure iptables-services package is not installed 3.5.2.4 Ensure iptables are flushed - v4 3.5.2.4 Ensure iptables are flushed - v6 3.5.2.5 Ensure a table exists 3.5.2.6 Ensure base chains exist - forward 3.5.2.6 Ensure base chains exist - input 3.5.2.6 Ensure base chains exist - output 3.5.2.7 Ensure loopback traffic is configured - iif lo 3.5.2.7 Ensure loopback traffic is configured - ip saddr 3.5.2.7 Ensure loopback traffic is configured - ip6 saddr 3.5.2.8 Ensure outbound and established connections are configured - input 3.5.2.8 Ensure outbound and established connections are configured - output 3.5.2.9 Ensure default deny firewall policy - forward 3.5.2.9 Ensure default deny firewall policy - input 3.5.2.9 Ensure default deny firewall policy - output 3.5.3.1.1 Ensure iptables packages are installed 3.5.3.1.2 Ensure nftables is not installed 3.5.3.1.3 Ensure firewalld is not installed or stopped and masked - masked 3.5.3.1.3 Ensure firewalld is not installed or stopped and masked - stopped 3.5.3.2.1 Ensure default deny firewall policy - Chain FORWARD 3.5.3.2.1 Ensure default deny firewall policy - Chain INPUT 3.5.3.2.1 Ensure default deny firewall policy - Chain OUTPUT 3.5.3.2.2 Ensure loopback traffic is configured - input 3.5.3.2.2 Ensure loopback traffic is configured - output 3.5.3.2.3 Ensure outbound and established connections are configured 3.5.3.2.4 Ensure firewall rules exist for all open ports 3.5.3.2.5 Ensure iptables rules are saved 3.5.3.2.6 Ensure iptables is enabled and running - enabled 3.5.3.2.6 Ensure iptables is enabled and running - running 3.5.3.3.1 Ensure IPv6 default deny firewall policy 3.5.3.3.2 Ensure IPv6 loopback traffic is configured - input 3.5.3.3.2 Ensure IPv6 loopback traffic is configured - output 3.5.3.3.3 Ensure IPv6 outbound and established connections are configured 3.5.3.3.4 Ensure IPv6 firewall rules exist for all open ports 3.5.3.3.5 Ensure ip6tables rules are saved 3.5.3.3.6 Ensure ip6tables is enabled and running - enabled 3.5.3.3.6 Ensure ip6tables is enabled and running - running 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - InputTCPServerRun 514 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts - imtcp.so 5.1.1 Ensure cron daemon is enabled and running - enabled 5.1.1 Ensure cron daemon is enabled and running - running 5.1.2 Ensure permissions on /etc/crontab are configured 5.1.3 Ensure permissions on /etc/cron.hourly are configured 5.1.4 Ensure permissions on /etc/cron.daily are configured 5.1.5 Ensure permissions on /etc/cron.weekly are configured 5.1.6 Ensure permissions on /etc/cron.monthly are configured 5.1.7 Ensure permissions on /etc/cron.d are configured 5.1.8 Ensure cron is restricted to authorized users - cron.allow 5.1.8 Ensure cron is restricted to authorized users - cron.deny 5.1.9 Ensure at is restricted to authorized users - at.allow 5.1.9 Ensure at is restricted to authorized users - at.deny 5.3.1 Ensure password creation requirements are configured - dcredit 5.3.1 Ensure password creation requirements are configured - lcredit 5.3.1 Ensure password creation requirements are configured - ocredit 5.3.1 Ensure password creation requirements are configured - ucredit Miscellaneous Platform check updated.