CIS Red Hat EL7 Workstation L2 v3.0.1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Red Hat EL7 Workstation L2 v3.0.1

Updated: 11/17/2021

Authority: CIS

Plugin: Unix

Revision: 1.4

Estimated Item Count: 138

Audit Changelog

Revision 1.4

Nov 17, 2021

Miscellaneous
  • Audit deprecated.
  • Metadata updated.
  • References updated.
Revision 1.3

Jun 17, 2021

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.2

May 10, 2021

Functional Update
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EACCES
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EACCES (64-bit)
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM (64-bit)
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES (64-bit)
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM (64-bit)
  • 4.1.12 Ensure successful file system mounts are collected
  • 4.1.12 Ensure successful file system mounts are collected - 64-bit
  • 4.1.12 Ensure successful file system mounts are collected - auditctl
  • 4.1.12 Ensure successful file system mounts are collected - auditctl (64-bit)
  • 4.1.13 Ensure file deletion events by users are collected
  • 4.1.13 Ensure file deletion events by users are collected - 64-bit
  • 4.1.13 Ensure file deletion events by users are collected - auditctl
  • 4.1.13 Ensure file deletion events by users are collected - auditctl (64-bit)
  • 4.1.3 Ensure events that modify date and time information are collected - clock_settime (64-bit)
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat (64-bit)
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chown/fchown/fchownat/lchown
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chown/fchown/fchownat/lchown (64-bit)
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl setxattr/lsetxattr/fsetxattr/removexattr
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl xattr (64-bit)
  • 4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat
  • 4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat (64-bit)
  • 4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown
  • 4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown (64-bit)
  • 4.1.9 Ensure discretionary access control permission modification events are collected - setxattr/lsetxattr/fsetxattr/removexattr
  • 4.1.9 Ensure discretionary access control permission modification events are collected - xattr (64-bit)
Miscellaneous
  • References updated.
Revision 1.1

Jan 27, 2021

Functional Update
  • 1.1.1.4 Ensure mounting of FAT filesystems is limited - lsmod fat
  • 1.1.1.4 Ensure mounting of FAT filesystems is limited - lsmod msdos
  • 1.1.1.4 Ensure mounting of FAT filesystems is limited - lsmod vfat
  • 1.1.1.4 Ensure mounting of FAT filesystems is limited - modprobe fat
  • 1.1.1.4 Ensure mounting of FAT filesystems is limited - modprobe msdos
  • 1.1.1.4 Ensure mounting of FAT filesystems is limited - modprobe vfat
  • 1.2.5 Disable the rhnsd Daemon
  • 4.1.11 Ensure use of privileged commands is collected - auditctl
  • 4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers
  • 4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers.d
  • 4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers
  • 4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers.d
  • 4.1.16 Ensure kernel module loading and unloading is collected - auditctl insmod
  • 4.1.16 Ensure kernel module loading and unloading is collected - auditctl modprobe
  • 4.1.16 Ensure kernel module loading and unloading is collected - auditctl rmmod
  • 4.1.16 Ensure kernel module loading and unloading is collected - insmod
  • 4.1.16 Ensure kernel module loading and unloading is collected - modprobe
  • 4.1.16 Ensure kernel module loading and unloading is collected - rmmod
  • 4.1.17 Ensure the audit configuration is immutable
  • 4.1.2.4 Ensure audit_backlog_limit is sufficient
  • 4.1.5 Ensure events that modify the system's network environment are collected - /etc/hosts
  • 4.1.5 Ensure events that modify the system's network environment are collected - /etc/sysconfig/network
  • 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/selinux/
  • 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /usr/share/selinux/
  • 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/selinux/
  • 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /usr/share/selinux/
  • 4.1.7 Ensure login and logout events are collected - /var/log/faillog
  • 4.1.7 Ensure login and logout events are collected - /var/log/lastlog
  • 4.1.7 Ensure login and logout events are collected - /var/log/tallylog
  • 4.1.7 Ensure login and logout events are collected - auditctl /var/log/faillog
  • 4.1.7 Ensure login and logout events are collected - auditctl /var/log/lastlog
  • 4.1.7 Ensure login and logout events are collected - auditctl /var/log/tallylog
  • 5.2.20 Ensure SSH AllowTcpForwarding is disabled
Informational Update
  • 1.1.1.2 Ensure mounting of squashfs filesystems is disabled - lsmod
  • 1.1.1.2 Ensure mounting of squashfs filesystems is disabled - modprobe
  • 1.1.1.4 Ensure mounting of FAT filesystems is limited - lsmod fat
  • 1.1.1.4 Ensure mounting of FAT filesystems is limited - lsmod msdos
  • 1.1.1.4 Ensure mounting of FAT filesystems is limited - lsmod vfat
  • 1.1.1.4 Ensure mounting of FAT filesystems is limited - modprobe fat
  • 1.1.1.4 Ensure mounting of FAT filesystems is limited - modprobe msdos
  • 1.1.1.4 Ensure mounting of FAT filesystems is limited - modprobe vfat
  • 1.1.10 Ensure separate partition exists for /var
  • 1.1.11 Ensure separate partition exists for /var/tmp
  • 1.1.15 Ensure separate partition exists for /var/log
  • 1.1.16 Ensure separate partition exists for /var/log/audit
  • 1.1.17 Ensure separate partition exists for /home
  • 1.1.23 Disable Automounting
  • 4.1.7 Ensure login and logout events are collected - /var/log/tallylog
  • 4.1.7 Ensure login and logout events are collected - auditctl /var/log/tallylog
  • 5.2.20 Ensure SSH AllowTcpForwarding is disabled
Miscellaneous
  • Metadata updated.
  • References updated.
Added
  • 1.1.1.4 Ensure mounting of FAT filesystems is limited - /etc/fstab
  • 1.7.1.5 Ensure the SELinux mode is enforcing - /etc/selinux/config
  • 3.4.1 Ensure DCCP is disabled - lsmod
  • 3.4.2 Ensure SCTP is disabled - lsmod
  • 3.4.2 Ensure SCTP is disabled - modprobe
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EACCES
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EACCES (64-bit)
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - EPERM (64-bit)
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES (64-bit)
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM (64-bit)
  • 4.1.11 Ensure use of privileged commands is collected
  • 4.1.12 Ensure successful file system mounts are collected
  • 4.1.12 Ensure successful file system mounts are collected - 64-bit
  • 4.1.12 Ensure successful file system mounts are collected - auditctl
  • 4.1.12 Ensure successful file system mounts are collected - auditctl (64-bit)
  • 4.1.13 Ensure file deletion events by users are collected
  • 4.1.13 Ensure file deletion events by users are collected - 64-bit
  • 4.1.13 Ensure file deletion events by users are collected - auditctl
  • 4.1.13 Ensure file deletion events by users are collected - auditctl (64-bit)
  • 4.1.15 Ensure system administrator actions (sudolog) are collected
  • 4.1.15 Ensure system administrator actions (sudolog) are collected - auditctl
  • 4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module
  • 4.1.16 Ensure kernel module loading and unloading is collected - init_module
  • 4.1.3 Ensure events that modify date and time information are collected - auditctl /etc/localtime
  • 4.1.3 Ensure events that modify date and time information are collected - /etc/localtime
  • 4.1.3 Ensure events that modify date and time information are collected - adjtimex (32-bit)
  • 4.1.3 Ensure events that modify date and time information are collected - adjtimex (64-bit)
  • 4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (32-bit)
  • 4.1.3 Ensure events that modify date and time information are collected - auditctl adjtimex (64-bit)
  • 4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (32-bit)
  • 4.1.3 Ensure events that modify date and time information are collected - auditctl clock_settime (64-bit)
  • 4.1.3 Ensure events that modify date and time information are collected - clock_settime (32-bit)
  • 4.1.3 Ensure events that modify date and time information are collected - clock_settime (64-bit)
  • 4.1.4 Ensure events that modify user/group information are collected - '/etc/group'
  • 4.1.4 Ensure events that modify user/group information are collected - '/etc/gshadow'
  • 4.1.4 Ensure events that modify user/group information are collected - '/etc/passwd'
  • 4.1.4 Ensure events that modify user/group information are collected - '/etc/security/opasswd'
  • 4.1.4 Ensure events that modify user/group information are collected - '/etc/shadow'
  • 4.1.5 Ensure events that modify the system's network environment are collected - /etc/sysconfig/network-scripts
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl hosts
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl issue.net
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl network
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl network-scripts
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (32-bit)
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl sethostname (64-bit)
  • 4.1.5 Ensure events that modify the system's network environment are collected - issue
  • 4.1.5 Ensure events that modify the system's network environment are collected - issue.net
  • 4.1.5 Ensure events that modify the system's network environment are collected - sethostname (32-bit)
  • 4.1.5 Ensure events that modify the system's network environment are collected - sethostname (64-bit)
  • 4.1.7 Ensure login and logout events are collected - /var/run/faillock/
  • 4.1.7 Ensure login and logout events are collected - auditctl /var/run/faillock/
  • 4.1.8 Ensure session initiation information is collected - auditctl btmp
  • 4.1.8 Ensure session initiation information is collected - auditctl utmp
  • 4.1.8 Ensure session initiation information is collected - auditctl wtmp
  • 4.1.8 Ensure session initiation information is collected - btmp
  • 4.1.8 Ensure session initiation information is collected - utmp
  • 4.1.8 Ensure session initiation information is collected - wtmp
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat (64-bit)
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chown/fchown/fchownat/lchown
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl chown/fchown/fchownat/lchown (64-bit)
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl setxattr/lsetxattr/fsetxattr/removexattr
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl xattr (64-bit)
  • 4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat
  • 4.1.9 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat (64-bit)
  • 4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown
  • 4.1.9 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown (64-bit)
  • 4.1.9 Ensure discretionary access control permission modification events are collected - setxattr/lsetxattr/fsetxattr/removexattr
  • 4.1.9 Ensure discretionary access control permission modification events are collected - xattr (64-bit)
Removed
  • 1.1.1.4 Ensure mounting of FAT filesystems is limited - EFI
  • 1.7.1.5 Ensure the SELinux mode is enforcing - config
  • 3.4.1 Ensure DCCP is disabled
  • 3.4.2 Ensure SCTP is disabled
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl b32 EACCES
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl b32 EPERM
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl b64 EACCES
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl b64 EPERM
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - b32 EACCES
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - b32 EPERM
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - b64 EACCES
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - b64 EPERM
  • 4.1.11 Ensure use of privileged commands is collected - rules files
  • 4.1.12 Ensure successful file system mounts are collected - 32b mount
  • 4.1.12 Ensure successful file system mounts are collected - auditctl 32b mount
  • 4.1.12 Ensure successful file system mounts are collected - auditctl b64 mount
  • 4.1.12 Ensure successful file system mounts are collected - b64 mount
  • 4.1.13 Ensure file deletion events by users are collected - auditctl b32 delete
  • 4.1.13 Ensure file deletion events by users are collected - auditctl b64 delete
  • 4.1.13 Ensure file deletion events by users are collected - b32 delete
  • 4.1.13 Ensure file deletion events by users are collected - b64 delete
  • 4.1.15 Ensure system administrator actions (sudolog) are collected - auditctl sudo log
  • 4.1.15 Ensure system administrator actions (sudolog) are collected - sudo log
  • 4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module, delete_module
  • 4.1.16 Ensure kernel module loading and unloading is collected - init_module, delete_module
  • 4.1.3 Ensure events that modify date and time information are collected - auditctl b32 /etc/localtime
  • 4.1.3 Ensure events that modify date and time information are collected - auditctl b32 adjtimex
  • 4.1.3 Ensure events that modify date and time information are collected - auditctl b32 clock_settime
  • 4.1.3 Ensure events that modify date and time information are collected - auditctl b64 adjtimex
  • 4.1.3 Ensure events that modify date and time information are collected - auditctl b64 clock_settime
  • 4.1.3 Ensure events that modify date and time information are collected - b32 /etc/localtime
  • 4.1.3 Ensure events that modify date and time information are collected - b32 adjtimex
  • 4.1.3 Ensure events that modify date and time information are collected - b32 clock_settime
  • 4.1.3 Ensure events that modify date and time information are collected - b64 adjtimex
  • 4.1.3 Ensure events that modify date and time information are collected - b64 clock_settime
  • 4.1.4 Ensure events that modify user/group information are collected - /etc/group
  • 4.1.4 Ensure events that modify user/group information are collected - /etc/gshadow
  • 4.1.4 Ensure events that modify user/group information are collected - /etc/passwd
  • 4.1.4 Ensure events that modify user/group information are collected - /etc/security/opasswd
  • 4.1.4 Ensure events that modify user/group information are collected - /etc/shadow
  • 4.1.5 Ensure events that modify the system's network environment are collected - /etc/issue
  • 4.1.5 Ensure events that modify the system's network environment are collected - /etc/issue.net
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl /etc/hosts
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl /etc/issue
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl /etc/issue.net
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl /etc/sysconfig/network
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl b32 sethostname
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl b64 sethostname
  • 4.1.5 Ensure events that modify the system's network environment are collected - b32 sethostname
  • 4.1.5 Ensure events that modify the system's network environment are collected - b64 sethostname
  • 4.1.8 Ensure session initiation information is collected - /var/log/btmp
  • 4.1.8 Ensure session initiation information is collected - /var/log/wtmp
  • 4.1.8 Ensure session initiation information is collected - /var/run/utmp
  • 4.1.8 Ensure session initiation information is collected - auditctl /var/log/btmp
  • 4.1.8 Ensure session initiation information is collected - auditctl /var/log/wtmp
  • 4.1.8 Ensure session initiation information is collected - auditctl /var/run/utmp
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl b32 chmod
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl b32 chown
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl b32 xattr
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl b64 chmod
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl b64 chown
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl b64 xattr
  • 4.1.9 Ensure discretionary access control permission modification events are collected - b32 chmod
  • 4.1.9 Ensure discretionary access control permission modification events are collected - b32 chown
  • 4.1.9 Ensure discretionary access control permission modification events are collected - b32 xattr
  • 4.1.9 Ensure discretionary access control permission modification events are collected - b64 chmod
  • 4.1.9 Ensure discretionary access control permission modification events are collected - b64 chown
  • 4.1.9 Ensure discretionary access control permission modification events are collected - b64 xattr