Detections
Analytics

CIS SUSE Linux Enterprise 12 v3.1.0 L2 Server

Audit Details

Name: CIS SUSE Linux Enterprise 12 v3.1.0 L2 Server

Updated: 6/17/2024

Authority: CIS

Plugin: Unix

Revision: 1.9

Estimated Item Count: 37

File Details

Filename: CIS_SUSE_Linux_Enterprise_Server_12_v3.1.0_L2.audit

Size: 210 kB

MD5: f3e3fae9f90f4382de9ae57757b18844
SHA256: 6e1e26e63cd915fb936501465ac56606aef79daba3af40bc1f0c40230b67f7aa

Audit Changelog

Ā 
Revision 1.9

Jun 17, 2024

Miscellaneous
  • Metadata updated.
Revision 1.8

Jun 14, 2024

Functional Update
  • 1.1.1.1 Ensure mounting of squashfs filesystems is disabled
  • 1.1.10 Ensure separate partition exists for /var
  • 1.1.11 Ensure separate partition exists for /var/tmp
  • 1.1.15 Ensure separate partition exists for /var/log
  • 1.1.16 Ensure separate partition exists for /var/log/audit
  • 1.1.17 Ensure separate partition exists for /home
  • 1.7.1.4 Ensure all AppArmor Profiles are enforcing
  • 4.1.1.1 Ensure auditd is installed
  • 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled
  • 4.1.11 Ensure use of privileged commands is collected
  • 4.1.17 Ensure the audit configuration is immutable
  • 4.1.2.1 Ensure audit log storage size is configured
  • 4.1.2.2 Ensure audit logs are not automatically deleted
  • 4.1.2.4 Ensure audit_backlog_limit is sufficient
  • 5.2.20 Ensure SSH AllowTcpForwarding is disabled
  • 5.2.6 Ensure SSH X11 forwarding is disabled
  • 6.1.1 Audit system file permissions
Informational Update
  • 1.1.1.1 Ensure mounting of squashfs filesystems is disabled
  • 1.1.10 Ensure separate partition exists for /var
  • 1.1.11 Ensure separate partition exists for /var/tmp
  • 1.1.15 Ensure separate partition exists for /var/log
  • 1.1.16 Ensure separate partition exists for /var/log/audit
  • 1.1.17 Ensure separate partition exists for /home
  • 1.7.1.4 Ensure all AppArmor Profiles are enforcing
  • 4.1.1.1 Ensure auditd is installed
  • 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled
  • 4.1.11 Ensure use of privileged commands is collected
  • 4.1.17 Ensure the audit configuration is immutable
  • 4.1.2.1 Ensure audit log storage size is configured
  • 4.1.2.2 Ensure audit logs are not automatically deleted
  • 4.1.2.4 Ensure audit_backlog_limit is sufficient
  • 5.2.20 Ensure SSH AllowTcpForwarding is disabled
  • 5.2.6 Ensure SSH X11 forwarding is disabled
  • 6.1.1 Audit system file permissions
Miscellaneous
  • Metadata updated.
  • References updated.
  • See also link updated.
  • Variables updated.
Added
  • 1.1.1.3 Ensure mounting of FAT filesystems is limited
  • 3.1.1 Disable IPv6
  • 3.4.1 Ensure DCCP is disabled
  • 3.4.2 Ensure SCTP is disabled
  • 4.1.1.2 Ensure auditd service is enabled and running
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected
  • 4.1.12 Ensure successful file system mounts are collected
  • 4.1.13 Ensure file deletion events by users are collected
  • 4.1.14 Ensure changes to system administration scope (sudoers) is collected
  • 4.1.15 Ensure system administrator actions (sudolog) are collected
  • 4.1.16 Ensure kernel module loading and unloading is collected
  • 4.1.2.3 Ensure system is disabled when audit logs are full
  • 4.1.3 Ensure events that modify date and time information are collected
  • 4.1.4 Ensure events that modify user/group information are collected
  • 4.1.5 Ensure events that modify the system's network environment are collected
  • 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected
  • 4.1.7 Ensure login and logout events are collected
  • 4.1.8 Ensure session initiation information is collected
  • 4.1.9 Ensure discretionary access control permission modification events are collected
Removed
  • 1.1.1.3 Ensure mounting of FAT filesystems is limited - EFI
  • 1.1.1.3 Ensure mounting of FAT filesystems is limited - lsmod fat
  • 1.1.1.3 Ensure mounting of FAT filesystems is limited - lsmod msdos
  • 1.1.1.3 Ensure mounting of FAT filesystems is limited - lsmod vfat
  • 1.1.1.3 Ensure mounting of FAT filesystems is limited - modprobe fat
  • 1.1.1.3 Ensure mounting of FAT filesystems is limited - modprobe msdos
  • 1.1.1.3 Ensure mounting of FAT filesystems is limited - modprobe vfat
  • 1.7.1.4 Ensure all AppArmor Profiles are enforcing - profiles complain
  • 1.7.1.4 Ensure all AppArmor Profiles are enforcing - profiles loaded
  • 3.1.1 Disable IPv6 - grub.cfg
  • 3.1.1 Disable IPv6 - sysctl all disable_ipv6
  • 3.1.1 Disable IPv6 - sysctl default disable_ipv6
  • 3.1.1 Disable IPv6 - sysctl.conf all disable_ipv6
  • 3.1.1 Disable IPv6 - sysctl.conf default disable_ipv6
  • 3.4.1 Ensure DCCP is disabled - lsmod
  • 3.4.1 Ensure DCCP is disabled - modprobe
  • 3.4.2 Ensure SCTP is disabled - lsmod
  • 3.4.2 Ensure SCTP is disabled - modprobe
  • 4.1.1.2 Ensure auditd service is enabled and running - enabled
  • 4.1.1.2 Ensure auditd service is enabled and running - running
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl b32 EACCES
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl b32 EPERM
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl b64 EACCES
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl b64 EPERM
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - b32 EACCES
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - b32 EPERM
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - b64 EACCES
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - b64 EPERM
  • 4.1.12 Ensure successful file system mounts are collected - auditctl b32 mount
  • 4.1.12 Ensure successful file system mounts are collected - auditctl b64 mount
  • 4.1.12 Ensure successful file system mounts are collected - b32 mount
  • 4.1.12 Ensure successful file system mounts are collected - b64 mount
  • 4.1.13 Ensure file deletion events by users are collected - auditctl b32 delete
  • 4.1.13 Ensure file deletion events by users are collected - auditctl b64 delete
  • 4.1.13 Ensure file deletion events by users are collected - b32 delete
  • 4.1.13 Ensure file deletion events by users are collected - b64 delete
  • 4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers
  • 4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers.d
  • 4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers
  • 4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers.d
  • 4.1.15 Ensure system administrator actions (sudolog) are collected - auditctl b32 actions
  • 4.1.15 Ensure system administrator actions (sudolog) are collected - auditctl b64 actions
  • 4.1.15 Ensure system administrator actions (sudolog) are collected - b32 actions
  • 4.1.15 Ensure system administrator actions (sudolog) are collected - b64 actions
  • 4.1.16 Ensure kernel module loading and unloading is collected - auditctl b32 init_module, delete_module
  • 4.1.16 Ensure kernel module loading and unloading is collected - auditctl b64 init_module, delete_module
  • 4.1.16 Ensure kernel module loading and unloading is collected - auditctl insmod
  • 4.1.16 Ensure kernel module loading and unloading is collected - auditctl modprobe
  • 4.1.16 Ensure kernel module loading and unloading is collected - auditctl rmmod
  • 4.1.16 Ensure kernel module loading and unloading is collected - b32 init_module, delete_module
  • 4.1.16 Ensure kernel module loading and unloading is collected - b64 init_module, delete_module
  • 4.1.16 Ensure kernel module loading and unloading is collected - insmod
  • 4.1.16 Ensure kernel module loading and unloading is collected - modprobe
  • 4.1.16 Ensure kernel module loading and unloading is collected - rmmod
  • 4.1.2.3 Ensure system is disabled when audit logs are full - action_mail_acct
  • 4.1.2.3 Ensure system is disabled when audit logs are full - admin_space_left_action
  • 4.1.2.3 Ensure system is disabled when audit logs are full - space_left_action
  • 4.1.3 Ensure events that modify date and time information are collected - auditctl b32 /etc/localtime
  • 4.1.3 Ensure events that modify date and time information are collected - auditctl b32 adjtimex
  • 4.1.3 Ensure events that modify date and time information are collected - auditctl b32 clock_settime
  • 4.1.3 Ensure events that modify date and time information are collected - auditctl b64 adjtimex
  • 4.1.3 Ensure events that modify date and time information are collected - auditctl b64 clock_settime
  • 4.1.3 Ensure events that modify date and time information are collected - b32 /etc/localtime
  • 4.1.3 Ensure events that modify date and time information are collected - b32 adjtimex
  • 4.1.3 Ensure events that modify date and time information are collected - b32 clock_settime
  • 4.1.3 Ensure events that modify date and time information are collected - b64 adjtimex
  • 4.1.3 Ensure events that modify date and time information are collected - b64 clock_settime
  • 4.1.4 Ensure events that modify user/group information are collected - /etc/group
  • 4.1.4 Ensure events that modify user/group information are collected - /etc/gshadow
  • 4.1.4 Ensure events that modify user/group information are collected - /etc/passwd
  • 4.1.4 Ensure events that modify user/group information are collected - /etc/security/opasswd
  • 4.1.4 Ensure events that modify user/group information are collected - /etc/shadow
  • 4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/group
  • 4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/passwd
  • 4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/security/opasswd
  • 4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/shadow
  • 4.1.5 Ensure events that modify the system's network environment are collected - /etc/hosts
  • 4.1.5 Ensure events that modify the system's network environment are collected - /etc/issue
  • 4.1.5 Ensure events that modify the system's network environment are collected - /etc/issue.net
  • 4.1.5 Ensure events that modify the system's network environment are collected - /etc/sysconfig/network
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl /etc/hosts
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl /etc/issue
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl /etc/issue.net
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl /etc/sysconfig/network
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl b32 sethostname
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl b64 sethostname
  • 4.1.5 Ensure events that modify the system's network environment are collected - b32 sethostname
  • 4.1.5 Ensure events that modify the system's network environment are collected - b64 sethostname
  • 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/selinux
  • 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /usr/share/selinux
  • 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/selinux
  • 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /usr/share/selinux
  • 4.1.7 Ensure login and logout events are collected - /var/log/faillog
  • 4.1.7 Ensure login and logout events are collected - /var/log/lastlog
  • 4.1.7 Ensure login and logout events are collected - /var/log/tallylog
  • 4.1.7 Ensure login and logout events are collected - auditctl /var/log/faillog
  • 4.1.7 Ensure login and logout events are collected - auditctl /var/log/lastlog
  • 4.1.7 Ensure login and logout events are collected - auditctl /var/log/tallylog
  • 4.1.8 Ensure session initiation information is collected - /var/log/btmp
  • 4.1.8 Ensure session initiation information is collected - /var/log/wtmp
  • 4.1.8 Ensure session initiation information is collected - /var/run/utmp
  • 4.1.8 Ensure session initiation information is collected - auditctl /var/log/btmp
  • 4.1.8 Ensure session initiation information is collected - auditctl /var/log/wtmp
  • 4.1.8 Ensure session initiation information is collected - auditctl /var/run/utmp
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl b32 chmod
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl b32 chown
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl b32 xattr
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl b64 chmod
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl b64 chown
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl b64 xattr
  • 4.1.9 Ensure discretionary access control permission modification events are collected - b32 chmod
  • 4.1.9 Ensure discretionary access control permission modification events are collected - b32 chown
  • 4.1.9 Ensure discretionary access control permission modification events are collected - b32 xattr
  • 4.1.9 Ensure discretionary access control permission modification events are collected - b64 chmod
  • 4.1.9 Ensure discretionary access control permission modification events are collected - b64 chown
  • 4.1.9 Ensure discretionary access control permission modification events are collected - b64 xattr
Revision 1.7

Mar 18, 2024

Functional Update
  • 4.1.11 Ensure use of privileged commands is collected
Miscellaneous
  • Metadata updated.
  • Variables updated.
Revision 1.6

Sep 19, 2023

Functional Update
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl b32 EACCES
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl b32 EPERM
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl b64 EACCES
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - auditctl b64 EPERM
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - b32 EACCES
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - b32 EPERM
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - b64 EACCES
  • 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected - b64 EPERM
  • 4.1.12 Ensure successful file system mounts are collected - auditctl b64 mount
  • 4.1.12 Ensure successful file system mounts are collected - b64 mount
  • 4.1.13 Ensure file deletion events by users are collected - auditctl b32 delete
  • 4.1.13 Ensure file deletion events by users are collected - auditctl b64 delete
  • 4.1.13 Ensure file deletion events by users are collected - b32 delete
  • 4.1.13 Ensure file deletion events by users are collected - b64 delete
  • 4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers
  • 4.1.14 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers.d
  • 4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers
  • 4.1.14 Ensure changes to system administration scope (sudoers) is collected - sudoers.d
  • 4.1.16 Ensure kernel module loading and unloading is collected - auditctl insmod
  • 4.1.16 Ensure kernel module loading and unloading is collected - auditctl modprobe
  • 4.1.16 Ensure kernel module loading and unloading is collected - auditctl rmmod
  • 4.1.16 Ensure kernel module loading and unloading is collected - insmod
  • 4.1.16 Ensure kernel module loading and unloading is collected - modprobe
  • 4.1.16 Ensure kernel module loading and unloading is collected - rmmod
  • 4.1.2.1 Ensure audit log storage size is configured
  • 4.1.2.2 Ensure audit logs are not automatically deleted
  • 4.1.3 Ensure events that modify date and time information are collected - auditctl b32 /etc/localtime
  • 4.1.3 Ensure events that modify date and time information are collected - auditctl b32 adjtimex
  • 4.1.3 Ensure events that modify date and time information are collected - auditctl b32 clock_settime
  • 4.1.3 Ensure events that modify date and time information are collected - auditctl b64 adjtimex
  • 4.1.3 Ensure events that modify date and time information are collected - auditctl b64 clock_settime
  • 4.1.3 Ensure events that modify date and time information are collected - b32 /etc/localtime
  • 4.1.3 Ensure events that modify date and time information are collected - b32 adjtimex
  • 4.1.3 Ensure events that modify date and time information are collected - b32 clock_settime
  • 4.1.3 Ensure events that modify date and time information are collected - b64 adjtimex
  • 4.1.3 Ensure events that modify date and time information are collected - b64 clock_settime
  • 4.1.4 Ensure events that modify user/group information are collected - /etc/group
  • 4.1.4 Ensure events that modify user/group information are collected - /etc/passwd
  • 4.1.4 Ensure events that modify user/group information are collected - /etc/security/opasswd
  • 4.1.4 Ensure events that modify user/group information are collected - /etc/shadow
  • 4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/group
  • 4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/passwd
  • 4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/security/opasswd
  • 4.1.4 Ensure events that modify user/group information are collected - auditctl /etc/shadow
  • 4.1.5 Ensure events that modify the system's network environment are collected - /etc/hosts
  • 4.1.5 Ensure events that modify the system's network environment are collected - /etc/issue
  • 4.1.5 Ensure events that modify the system's network environment are collected - /etc/issue.net
  • 4.1.5 Ensure events that modify the system's network environment are collected - /etc/sysconfig/network
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl /etc/hosts
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl /etc/issue
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl /etc/issue.net
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl /etc/sysconfig/network
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl b32 sethostname
  • 4.1.5 Ensure events that modify the system's network environment are collected - auditctl b64 sethostname
  • 4.1.5 Ensure events that modify the system's network environment are collected - b32 sethostname
  • 4.1.5 Ensure events that modify the system's network environment are collected - b64 sethostname
  • 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/selinux
  • 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - /usr/share/selinux
  • 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/selinux
  • 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /usr/share/selinux
  • 4.1.7 Ensure login and logout events are collected - /var/log/faillog
  • 4.1.7 Ensure login and logout events are collected - /var/log/lastlog
  • 4.1.7 Ensure login and logout events are collected - /var/log/tallylog
  • 4.1.7 Ensure login and logout events are collected - auditctl /var/log/faillog
  • 4.1.7 Ensure login and logout events are collected - auditctl /var/log/lastlog
  • 4.1.7 Ensure login and logout events are collected - auditctl /var/log/tallylog
  • 4.1.8 Ensure session initiation information is collected - /var/log/btmp
  • 4.1.8 Ensure session initiation information is collected - /var/log/wtmp
  • 4.1.8 Ensure session initiation information is collected - /var/run/utmp
  • 4.1.8 Ensure session initiation information is collected - auditctl /var/log/btmp
  • 4.1.8 Ensure session initiation information is collected - auditctl /var/log/wtmp
  • 4.1.8 Ensure session initiation information is collected - auditctl /var/run/utmp
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl b32 chmod
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl b32 chown
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl b32 xattr
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl b64 chmod
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl b64 chown
  • 4.1.9 Ensure discretionary access control permission modification events are collected - auditctl b64 xattr
  • 4.1.9 Ensure discretionary access control permission modification events are collected - b32 chmod
  • 4.1.9 Ensure discretionary access control permission modification events are collected - b32 chown
  • 4.1.9 Ensure discretionary access control permission modification events are collected - b32 xattr
  • 4.1.9 Ensure discretionary access control permission modification events are collected - b64 chmod
  • 4.1.9 Ensure discretionary access control permission modification events are collected - b64 chown
  • 4.1.9 Ensure discretionary access control permission modification events are collected - b64 xattr
Miscellaneous
  • Metadata updated.
  • References updated.
Added
  • 4.1.12 Ensure successful file system mounts are collected - auditctl b32 mount
  • 4.1.12 Ensure successful file system mounts are collected - b32 mount
  • 4.1.16 Ensure kernel module loading and unloading is collected - auditctl b32 init_module, delete_module
  • 4.1.16 Ensure kernel module loading and unloading is collected - auditctl b64 init_module, delete_module
  • 4.1.16 Ensure kernel module loading and unloading is collected - b32 init_module, delete_module
  • 4.1.16 Ensure kernel module loading and unloading is collected - b64 init_module, delete_module
Removed
  • 4.1.12 Ensure successful file system mounts are collected - 32b mount
  • 4.1.12 Ensure successful file system mounts are collected - auditctl 32b mount
  • 4.1.16 Ensure kernel module loading and unloading is collected - auditctl init_module, delete_module
  • 4.1.16 Ensure kernel module loading and unloading is collected - init_module, delete_module
Revision 1.5

Jul 5, 2023

Functional Update
  • 4.1.2.3 Ensure system is disabled when audit logs are full - action_mail_acct
  • 4.1.2.3 Ensure system is disabled when audit logs are full - admin_space_left_action
Revision 1.4

Apr 12, 2023

Miscellaneous
  • Metadata updated.
  • Platform check updated.
  • Variables updated.
Revision 1.3

Mar 7, 2023

Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.2

Jan 4, 2023

Miscellaneous
  • Metadata updated.
  • Variables updated.
Revision 1.1

Dec 7, 2022

Miscellaneous
  • Metadata updated.