CIS Red Hat EL7 Workstation L1 v3.0.1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS Red Hat EL7 Workstation L1 v3.0.1

Updated: 11/17/2021

Authority: CIS

Plugin: Unix

Revision: 1.7

Estimated Item Count: 319

Audit Items

DescriptionCategories
1.1.1.1 Ensure mounting of cramfs filesystems is disabled - lsmod

CONFIGURATION MANAGEMENT

1.1.1.1 Ensure mounting of cramfs filesystems is disabled - modprobe

CONFIGURATION MANAGEMENT

1.1.1.3 Ensure mounting of udf filesystems is disabled - lsmod

CONFIGURATION MANAGEMENT

1.1.1.3 Ensure mounting of udf filesystems is disabled - modprobe

CONFIGURATION MANAGEMENT

1.1.2 Ensure /tmp is configured

CONFIGURATION MANAGEMENT

1.1.3 Ensure noexec option set on /tmp partition

ACCESS CONTROL

1.1.4 Ensure nodev option set on /tmp partition

ACCESS CONTROL

1.1.5 Ensure nosuid option set on /tmp partition

ACCESS CONTROL

1.1.6 Ensure /dev/shm is configured - fstab

CONFIGURATION MANAGEMENT

1.1.6 Ensure /dev/shm is configured - mount

CONFIGURATION MANAGEMENT

1.1.7 Ensure noexec option set on /dev/shm partition

ACCESS CONTROL

1.1.8 Ensure nodev option set on /dev/shm partition

ACCESS CONTROL

1.1.9 Ensure nosuid option set on /dev/shm partition

ACCESS CONTROL

1.1.12 Ensure noexec option set on /var/tmp partition

ACCESS CONTROL

1.1.13 Ensure nodev option set on /var/tmp partition

ACCESS CONTROL

1.1.14 Ensure nosuid option set on /var/tmp partition

ACCESS CONTROL

1.1.18 Ensure nodev option set on /home partition

ACCESS CONTROL

1.1.19 Ensure noexec option set on removable media partitions

ACCESS CONTROL

1.1.20 Ensure nodev option set on removable media partitions

ACCESS CONTROL

1.1.21 Ensure nosuid option set on removable media partitions

ACCESS CONTROL

1.1.22 Ensure sticky bit is set on all world-writable directories

ACCESS CONTROL

1.2.1 Ensure GPG keys are configured

SYSTEM AND INFORMATION INTEGRITY

1.2.2 Ensure package manager repositories are configured

SYSTEM AND INFORMATION INTEGRITY

1.2.3 Ensure gpgcheck is globally activated

SYSTEM AND INFORMATION INTEGRITY

1.2.4 Ensure Red Hat Subscription Manager connection is configured

SYSTEM AND INFORMATION INTEGRITY

1.3.1 Ensure sudo is installed

CONFIGURATION MANAGEMENT

1.3.2 Ensure sudo commands use pty

ACCESS CONTROL

1.3.3 Ensure sudo log file exists

AUDIT AND ACCOUNTABILITY

1.4.1 Ensure AIDE is installed

CONFIGURATION MANAGEMENT

1.4.2 Ensure filesystem integrity is regularly checked
1.5.1 Ensure bootloader password is set

ACCESS CONTROL

1.5.2 Ensure permissions on bootloader config are configured - grub.cfg

SYSTEM AND INFORMATION INTEGRITY

1.5.2 Ensure permissions on bootloader config are configured - user.cfg

SYSTEM AND INFORMATION INTEGRITY

1.5.3 Ensure authentication required for single user mode - emergency.service

SYSTEM AND INFORMATION INTEGRITY

1.5.3 Ensure authentication required for single user mode - rescue.service

SYSTEM AND INFORMATION INTEGRITY

1.6.1 Ensure core dumps are restricted - limits.conf limits.d

ACCESS CONTROL

1.6.1 Ensure core dumps are restricted - sysctl

ACCESS CONTROL

1.6.1 Ensure core dumps are restricted - sysctl.conf sysctl.d

ACCESS CONTROL

1.6.1 Ensure core dumps are restricted - systemd-coredump ProcessSizeMax

ACCESS CONTROL

1.6.1 Ensure core dumps are restricted - systemd-coredump Storage

ACCESS CONTROL

1.6.2 Ensure XD/NX support is enabled

SYSTEM AND INFORMATION INTEGRITY

1.6.3 Ensure address space layout randomization (ASLR) is enabled - sysctl
1.6.3 Ensure address space layout randomization (ASLR) is enabled - sysctl.conf sysctl.d

SYSTEM AND INFORMATION INTEGRITY

1.6.4 Ensure prelink is disabled

CONFIGURATION MANAGEMENT

1.7.1.1 Ensure SELinux is installed

CONFIGURATION MANAGEMENT

1.7.1.2 Ensure SELinux is not disabled in bootloader configuration

ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY

1.7.1.3 Ensure SELinux policy is configured - /etc/selinux/config

ACCESS CONTROL

1.7.1.3 Ensure SELinux policy is configured - sestatus

ACCESS CONTROL

1.7.1.4 Ensure the SELinux mode is enforcing or permissive - /etc/selinux/config

ACCESS CONTROL

1.7.1.4 Ensure the SELinux mode is enforcing or permissive - getenforce

ACCESS CONTROL