Version: | 0.4.13 |
---|---|
Summary: | An InSpec Compliance profile for the CIS Distribution Independent Linux Benchmark |
cis-dil-benchmark-1.1.1.1
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure mounting of cramfs filesystems is disabled | ||||
Description: | The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image. Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File System Table File (fstab) with file_system_type == "cramfs"
Status: | Failed |
---|---|
Duration: | 0.000147 seconds |
Kernel Module cramfs
Status: | Passed |
---|---|
Duration: | 0.000146 seconds |
Kernel Module cramfs
Status: | Failed |
---|---|
Duration: | 6.3e-05 seconds |
cis-dil-benchmark-1.1.1.2
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure mounting of freevxfs filesystems is disabled | ||||
Description: | The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems. Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File System Table File (fstab) with file_system_type == "freevxfs"
Status: | Failed |
---|---|
Duration: | 5.4e-05 seconds |
Kernel Module freevxfs
Status: | Passed |
---|---|
Duration: | 9.0e-05 seconds |
Kernel Module freevxfs
Status: | Failed |
---|---|
Duration: | 5.5e-05 seconds |
cis-dil-benchmark-1.1.1.3
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure mounting of jffs2 filesystems is disabled | ||||
Description: | The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices. Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File System Table File (fstab) with file_system_type == "jffs2"
Status: | Failed |
---|---|
Duration: | 4.6e-05 seconds |
Kernel Module jffs2
Status: | Passed |
---|---|
Duration: | 8.1e-05 seconds |
Kernel Module jffs2
Status: | Failed |
---|---|
Duration: | 4.5e-05 seconds |
cis-dil-benchmark-1.1.1.4
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure mounting of hfs filesystems is disabled | ||||
Description: | The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems. Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File System Table File (fstab) with file_system_type == "hfs"
Status: | Failed |
---|---|
Duration: | 4.5e-05 seconds |
Kernel Module hfs
Status: | Passed |
---|---|
Duration: | 8.1e-05 seconds |
Kernel Module hfs
Status: | Failed |
---|---|
Duration: | 4.4e-05 seconds |
cis-dil-benchmark-1.1.1.5
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure mounting of hfsplus filesystems is disabled | ||||
Description: | The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems. Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File System Table File (fstab) with file_system_type == "hfsplus"
Status: | Failed |
---|---|
Duration: | 6.6e-05 seconds |
Kernel Module hfsplus
Status: | Passed |
---|---|
Duration: | 8.3e-05 seconds |
Kernel Module hfsplus
Status: | Failed |
---|---|
Duration: | 4.7e-05 seconds |
cis-dil-benchmark-1.1.1.6
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure mounting of squashfs filesystems is disabled | ||||
Description: | The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs). A squashfs image can be used without having to first decompress the image. Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File System Table File (fstab) with file_system_type == "squashfs"
Status: | Failed |
---|---|
Duration: | 6.7e-05 seconds |
Kernel Module squashfs
Status: | Passed |
---|---|
Duration: | 8.6e-05 seconds |
Kernel Module squashfs
Status: | Failed |
---|---|
Duration: | 4.5e-05 seconds |
cis-dil-benchmark-1.1.1.7
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure mounting of udf filesystems is disabled | ||||
Description: | The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats. Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File System Table File (fstab) with file_system_type == "udf"
Status: | Failed |
---|---|
Duration: | 6.8e-05 seconds |
Kernel Module udf
Status: | Passed |
---|---|
Duration: | 8.4e-05 seconds |
Kernel Module udf
Status: | Failed |
---|---|
Duration: | 4.9e-05 seconds |
cis-dil-benchmark-1.1.1.8
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure mounting of FAT filesystems is disabled | ||||
Description: | The FAT filesystem format is primarily used on older Windows systems and portable USB drives or flash modules. It comes in three types, FAT12, FAT16, and FAT32, all of which are supported by the vfat kernel module. Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File System Table File (fstab) with file_system_type == "vfat"
Status: | Passed |
---|---|
Duration: | 7.2e-05 seconds |
cis-dil-benchmark-1.1.2
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure separate partition exists for /tmp | ||||
Description: | The /tmp directory is a world-writable directory used for temporary storage by all users and some applications. Rationale: Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and waiting for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Mount /tmp
Status: | Failed |
---|---|
Duration: | 0.04308 seconds |
cis-dil-benchmark-1.1.3
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure nodev option set on /tmp partition | ||||
Description: | The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Mount /tmp
Status: | Failed |
---|---|
Duration: | 9.3e-05 seconds |
cis-dil-benchmark-1.1.4
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure nosuid option set on /tmp partition | ||||
Description: | The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Mount /tmp
Status: | Failed |
---|---|
Duration: | 9.0e-05 seconds |
cis-dil-benchmark-1.1.5
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure noexec option set on /tmp partition | ||||
Description: | The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Mount /tmp
Status: | Failed |
---|---|
Duration: | 8.6e-05 seconds |
cis-dil-benchmark-1.1.6
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure separate partition exists for /var | ||||
Description: | The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable. Rationale: Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Mount /var
Status: | Failed |
---|---|
Duration: | 0.036364 seconds |
cis-dil-benchmark-1.1.7
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure separate partition exists for /var/tmp | ||||
Description: | The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. Rationale: Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and waiting for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Mount /var/tmp
Status: | Failed |
---|---|
Duration: | 0.000127 seconds |
cis-dil-benchmark-1.1.8
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure nodev option set on /var/tmp partition | ||||
Description: | The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
No-op
Status: | Skipped |
---|---|
Duration: | 9.0e-06 seconds |
cis-dil-benchmark-1.1.9
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure nosuid option set on /var/tmp partition | ||||
Description: | The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
No-op
Status: | Skipped |
---|---|
Duration: | 2.0e-06 seconds |
cis-dil-benchmark-1.1.10
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure noexec option set on /var/tmp partition | ||||
Description: | The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
No-op
Status: | Skipped |
---|---|
Duration: | 2.0e-06 seconds |
cis-dil-benchmark-1.1.11
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure separate partition exists for /var/log | ||||
Description: | The /var/log directory is used by system services to store log data. Rationale: There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Mount /var/log
Status: | Failed |
---|---|
Duration: | 0.036685 seconds |
cis-dil-benchmark-1.1.12
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure separate partition exists for /var/log/audit | ||||
Description: | The auditing daemon, auditd, stores log data in the /var/log/audit directory. Rationale: There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Mount /var/log/audit
Status: | Failed |
---|---|
Duration: | 0.036651 seconds |
cis-dil-benchmark-1.1.13
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure separate partition exists for /home | ||||
Description: | The /home directory is used to support disk storage needs of local users. Rationale: If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Mount /home
Status: | Failed |
---|---|
Duration: | 0.000192 seconds |
cis-dil-benchmark-1.1.14
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure nodev option set on /home partition | ||||
Description: | The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
No-op
Status: | Skipped |
---|---|
Duration: | 5.0e-06 seconds |
cis-dil-benchmark-1.1.15
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure nodev option set on /dev/shm partition | ||||
Description: | The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Mount /dev/shm
Status: | Passed |
---|---|
Duration: | 0.000201 seconds |
cis-dil-benchmark-1.1.16
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure nosuid option set on /dev/shm partition | ||||
Description: | The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Mount /dev/shm
Status: | Passed |
---|---|
Duration: | 0.000177 seconds |
cis-dil-benchmark-1.1.17
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure noexec option set on /dev/shm partition | ||||
Description: | The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Mount /dev/shm
Status: | Failed |
---|---|
Duration: | 0.000202 seconds |
cis-dil-benchmark-1.1.18
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure nodev option set on removable media partitions | ||||
Description: | The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
cis-dil-benchmark-1.1.18
Status: | Skipped |
---|---|
Duration: | 4.0e-06 seconds |
cis-dil-benchmark-1.1.19
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure nosuid option set on removable media partitions | ||||
Description: | The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
cis-dil-benchmark-1.1.19
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
cis-dil-benchmark-1.1.20
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure noexec option set on removable media partitions | ||||
Description: | The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Setting this option on a file system prevents users from executing programs from the removable media. This deters users from being able to introduce potentially malicious software on the system. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
cis-dil-benchmark-1.1.20
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
cis-dil-benchmark-1.1.21
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure sticky bit is set on all world-writable directories | ||||
Description: | Setting the sticky bit on world writable directories prevents users from deleting or renaming files in that directory that are not owned by them. Rationale: This feature prevents the ability to delete or rename files in world writable directories (such as /tmp) that are owned by another user. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Command: `df --local -P | awk '{ if (NR!=1) print $6 }' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \)`
Status: | Passed |
---|---|
Duration: | 0.02359 seconds |
cis-dil-benchmark-1.1.22
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Disable Automounting | ||||
Description: | autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives. Rationale: With automounting enabled, anyone with physical access could attach a USB drive or disc and have its contents available in the system even if they lacked permissions to mount it themselves. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Service autofs
Status: | Passed |
---|---|
Duration: | 0.000245 seconds |
Service autofs
Status: | Passed |
---|---|
Duration: | 0.000199 seconds |
Service autofs
Status: | Passed |
---|---|
Duration: | 0.00011 seconds |
Service autofs
Status: | Passed |
---|---|
Duration: | 0.00015 seconds |
cis-dil-benchmark-1.1.23
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Disable USB Storage | ||||
Description: | USB storage provides a means to transfer and store files, ensuring persistence and availability of the files independent of network connection status. Its popularity and utility have led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a persistent threat within a networked environment. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Kernel Module usb_storage
Status: | Passed |
---|---|
Duration: | 0.017624 seconds |
Kernel Module usb_storage
Status: | Failed |
---|---|
Duration: | 0.010488 seconds |
cis-dil-benchmark-1.2.1
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure package manager repositories are configured | ||||
Description: | Systems need to have package manager repositories configured to ensure they receive the latest patches and updates. Rationale: If a system's package repositories are misconfigured, important patches may not be identified or a rogue repository could introduce compromised software. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
cis-dil-benchmark-1.2.1
Status: | Skipped |
---|---|
Duration: | 5.0e-06 seconds |
cis-dil-benchmark-1.2.2
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure GPG keys are configured | ||||
Description: | Most package managers implement GPG key signing to verify package integrity during installation. Rationale: It is important to ensure that updates are obtained from a valid source to protect against spoofing that could lead to the inadvertent installation of malware on the system. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
cis-dil-benchmark-1.2.2
Status: | Skipped |
---|---|
Duration: | 2.0e-06 seconds |
cis-dil-benchmark-1.3.1
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure AIDE is installed | ||||
Description: | AIDE takes a snapshot of filesystem state, including modification times, permissions, and file hashes, which can then be used to compare against the current state of the filesystem to detect modifications to the system. Rationale: By monitoring the filesystem state, compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
System Package aide
Status: | Failed |
---|---|
Duration: | 0.000222 seconds |
Command: `aide`
Status: | Failed |
---|---|
Duration: | 0.000196 seconds |
cis-dil-benchmark-1.3.2
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure filesystem integrity is regularly checked | ||||
Description: | Periodic checking of the filesystem integrity is needed to detect changes to the filesystem. Rationale: Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /var/spool/cron/crontabs/root
Status: | Failed |
---|---|
Duration: | 0.000136 seconds |
File /var/spool/cron/root
Status: | Failed |
---|---|
Duration: | 8.4e-05 seconds |
File /etc/crontab
Status: | Failed |
---|---|
Duration: | 0.000523 seconds |
File /etc/cron.d/chef-client
Status: | Failed |
---|---|
Duration: | 0.000129 seconds |
File /etc/cron.d/.placeholder
Status: | Failed |
---|---|
Duration: | 0.000215 seconds |
File /etc/cron.hourly/fake-hwclock
Status: | Failed |
---|---|
Duration: | 0.000245 seconds |
File /etc/cron.hourly/.placeholder
Status: | Failed |
---|---|
Duration: | 0.00015 seconds |
File /etc/cron.daily/logrotate
Status: | Failed |
---|---|
Duration: | 0.000262 seconds |
File /etc/cron.daily/samba
Status: | Failed |
---|---|
Duration: | 0.000301 seconds |
File /etc/cron.daily/apt-compat
Status: | Failed |
---|---|
Duration: | 0.000533 seconds |
File /etc/cron.daily/man-db
Status: | Failed |
---|---|
Duration: | 0.000428 seconds |
File /etc/cron.daily/bsdmainutils
Status: | Failed |
---|---|
Duration: | 0.000258 seconds |
File /etc/cron.daily/passwd
Status: | Failed |
---|---|
Duration: | 0.000242 seconds |
File /etc/cron.daily/.placeholder
Status: | Failed |
---|---|
Duration: | 0.000149 seconds |
File /etc/cron.daily/dpkg
Status: | Failed |
---|---|
Duration: | 0.000413 seconds |
File /etc/cron.weekly/man-db
Status: | Failed |
---|---|
Duration: | 0.000406 seconds |
File /etc/cron.weekly/.placeholder
Status: | Failed |
---|---|
Duration: | 0.000131 seconds |
File /etc/cron.monthly/.placeholder
Status: | Failed |
---|---|
Duration: | 0.000128 seconds |
cis-dil-benchmark-1.4.1
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure permissions on bootloader config are configured | ||||
Description: | The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually grub.cfg stored in /boot/grub. Rationale: Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /boot/grub/grub.conf
Status: | Failed |
---|---|
Duration: | 8.0e-05 seconds |
File /boot/grub/grub.conf
Status: | Passed |
---|---|
Duration: | 8.3e-05 seconds |
File /boot/grub/grub.conf
Status: | Passed |
---|---|
Duration: | 5.9e-05 seconds |
File /boot/grub/grub.conf
Status: | Passed |
---|---|
Duration: | 5.7e-05 seconds |
File /boot/grub/grub.conf
Status: | Passed |
---|---|
Duration: | 0.0001 seconds |
File /boot/grub/grub.conf
Status: | Passed |
---|---|
Duration: | 5.4e-05 seconds |
File /boot/grub/grub.conf
Status: | Passed |
---|---|
Duration: | 8.8e-05 seconds |
File /boot/grub/grub.conf
Status: | Failed |
---|---|
Duration: | 0.0001 seconds |
File /boot/grub/grub.conf
Status: | Failed |
---|---|
Duration: | 0.000123 seconds |
File /boot/grub/grub.cfg
Status: | Failed |
---|---|
Duration: | 5.9e-05 seconds |
File /boot/grub/grub.cfg
Status: | Passed |
---|---|
Duration: | 9.8e-05 seconds |
File /boot/grub/grub.cfg
Status: | Passed |
---|---|
Duration: | 5.1e-05 seconds |
File /boot/grub/grub.cfg
Status: | Passed |
---|---|
Duration: | 9.3e-05 seconds |
File /boot/grub/grub.cfg
Status: | Passed |
---|---|
Duration: | 4.8e-05 seconds |
File /boot/grub/grub.cfg
Status: | Passed |
---|---|
Duration: | 8.9e-05 seconds |
File /boot/grub/grub.cfg
Status: | Passed |
---|---|
Duration: | 5.3e-05 seconds |
File /boot/grub/grub.cfg
Status: | Failed |
---|---|
Duration: | 0.000122 seconds |
File /boot/grub/grub.cfg
Status: | Failed |
---|---|
Duration: | 7.5e-05 seconds |
File /boot/boot/grub/grub.conf
Status: | Failed |
---|---|
Duration: | 6.7e-05 seconds |
File /boot/boot/grub/grub.conf
Status: | Passed |
---|---|
Duration: | 6.0e-05 seconds |
File /boot/boot/grub/grub.conf
Status: | Passed |
---|---|
Duration: | 6.0e-05 seconds |
File /boot/boot/grub/grub.conf
Status: | Passed |
---|---|
Duration: | 5.2e-05 seconds |
File /boot/boot/grub/grub.conf
Status: | Passed |
---|---|
Duration: | 9.6e-05 seconds |
File /boot/boot/grub/grub.conf
Status: | Passed |
---|---|
Duration: | 4.7e-05 seconds |
File /boot/boot/grub/grub.conf
Status: | Passed |
---|---|
Duration: | 9.1e-05 seconds |
File /boot/boot/grub/grub.conf
Status: | Failed |
---|---|
Duration: | 8.6e-05 seconds |
File /boot/boot/grub/grub.conf
Status: | Failed |
---|---|
Duration: | 0.000123 seconds |
File /boot/boot/grub/grub.cfg
Status: | Failed |
---|---|
Duration: | 6.1e-05 seconds |
File /boot/boot/grub/grub.cfg
Status: | Passed |
---|---|
Duration: | 0.000104 seconds |
File /boot/boot/grub/grub.cfg
Status: | Passed |
---|---|
Duration: | 5.2e-05 seconds |
File /boot/boot/grub/grub.cfg
Status: | Passed |
---|---|
Duration: | 9.6e-05 seconds |
File /boot/boot/grub/grub.cfg
Status: | Passed |
---|---|
Duration: | 4.8e-05 seconds |
File /boot/boot/grub/grub.cfg
Status: | Passed |
---|---|
Duration: | 9.1e-05 seconds |
File /boot/boot/grub/grub.cfg
Status: | Passed |
---|---|
Duration: | 4.8e-05 seconds |
File /boot/boot/grub/grub.cfg
Status: | Failed |
---|---|
Duration: | 0.000125 seconds |
File /boot/boot/grub/grub.cfg
Status: | Failed |
---|---|
Duration: | 7.7e-05 seconds |
File /boot/grub2/grub.cfg
Status: | Failed |
---|---|
Duration: | 5.7e-05 seconds |
File /boot/grub2/grub.cfg
Status: | Passed |
---|---|
Duration: | 6.0e-05 seconds |
File /boot/grub2/grub.cfg
Status: | Passed |
---|---|
Duration: | 5.6e-05 seconds |
File /boot/grub2/grub.cfg
Status: | Passed |
---|---|
Duration: | 4.7e-05 seconds |
File /boot/grub2/grub.cfg
Status: | Passed |
---|---|
Duration: | 9.2e-05 seconds |
File /boot/grub2/grub.cfg
Status: | Passed |
---|---|
Duration: | 5.0e-05 seconds |
File /boot/grub2/grub.cfg
Status: | Passed |
---|---|
Duration: | 9.1e-05 seconds |
File /boot/grub2/grub.cfg
Status: | Failed |
---|---|
Duration: | 7.6e-05 seconds |
File /boot/grub2/grub.cfg
Status: | Failed |
---|---|
Duration: | 0.000112 seconds |
cis-dil-benchmark-1.4.2
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure bootloader password is set | ||||
Description: | Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters. Rationale: Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time). | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /boot/grub/grub.conf
Status: | Failed |
---|---|
Duration: | 7.7e-05 seconds |
File /boot/grub/grub.conf
Status: | Failed |
---|---|
Duration: | 6.5e-05 seconds |
File /boot/grub/grub.cfg
Status: | Failed |
---|---|
Duration: | 0.00011 seconds |
File /boot/grub/grub.cfg
Status: | Failed |
---|---|
Duration: | 6.2e-05 seconds |
File /boot/boot/grub/grub.conf
Status: | Failed |
---|---|
Duration: | 5.5e-05 seconds |
File /boot/boot/grub/grub.conf
Status: | Failed |
---|---|
Duration: | 9.6e-05 seconds |
File /boot/boot/grub/grub.cfg
Status: | Failed |
---|---|
Duration: | 5.7e-05 seconds |
File /boot/boot/grub/grub.cfg
Status: | Failed |
---|---|
Duration: | 5.2e-05 seconds |
File /boot/grub2/grub.cfg
Status: | Failed |
---|---|
Duration: | 5.5e-05 seconds |
File /boot/grub2/grub.cfg
Status: | Failed |
---|---|
Duration: | 5.3e-05 seconds |
cis-dil-benchmark-1.4.3
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure authentication required for single user mode | ||||
Description: | Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader. Rationale: Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Failed |
---|---|
Duration: | 0.000112 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Failed |
---|---|
Duration: | 7.4e-05 seconds |
File /etc/inittab
Status: | Failed |
---|---|
Duration: | 9.8e-05 seconds |
File /etc/sysconfig/init
Status: | Failed |
---|---|
Duration: | 7.1e-05 seconds |
cis-dil-benchmark-1.4.4
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure interactive boot is not enabled | ||||
Description: | Interactive boot allows console users to interactively select which services start on boot. Not all distributions support this capability. The PROMPT_FOR_CONFIRM option provides console users the ability to interactively boot the system and select which services to start on boot. Rationale: Turn off the PROMPT_FOR_CONFIRM option on the console to prevent console users from potentially overriding established security settings. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
cis-dil-benchmark-1.4.4
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
cis-dil-benchmark-1.5.1
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure core dumps are restricted | ||||
Description: | A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user. Rationale: Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5)). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/security/limits.conf
Status: | Failed |
---|---|
Duration: | 0.000562 seconds |
Kernel Parameter fs.suid_dumpable
Status: | Passed |
---|---|
Duration: | 0.046268 seconds |
cis-dil-benchmark-1.5.2
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure XD/NX support is enabled | ||||
Description: | Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature. Rationale: Enabling any feature that can protect against buffer overflow attacks enhances the security of the system. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
cis-dil-benchmark-1.5.2
Status: | Skipped |
---|---|
Duration: | 4.0e-06 seconds |
cis-dil-benchmark-1.5.3
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure address space layout randomization (ASLR) is enabled | ||||
Description: | Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process. Rationale: Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Kernel Parameter kernel.randomize_va_space
Status: | Passed |
---|---|
Duration: | 0.081609 seconds |
cis-dil-benchmark-1.5.4
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure prelink is disabled | ||||
Description: | prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases. Rationale: The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
System Package prelink
Status: | Passed |
---|---|
Duration: | 0.000708 seconds |
Command: `prelink`
Status: | Passed |
---|---|
Duration: | 0.000273 seconds |
cis-dil-benchmark-1.6.1.1
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure SELinux or AppArmor are installed | ||||
Description: | SELinux and AppArmor provide Mandatory Access Controls. Rationale: Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
System Package libselinux1
Status: | Passed |
---|---|
Duration: | 0.001684 seconds |
System Package apparmor
Status: | Passed |
---|---|
Duration: | 0.002921 seconds |
cis-dil-benchmark-1.6.2.1
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure SELinux is not disabled in bootloader configuration | ||||
Description: | Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters. Rationale: SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /boot/grub2/grub.cfg
Status: | Passed |
---|---|
Duration: | 0.000253 seconds |
File /boot/grub2/grub.cfg
Status: | Passed |
---|---|
Duration: | 0.000101 seconds |
cis-dil-benchmark-1.6.2.2
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure the SELinux state is enforcing | ||||
Description: | Set SELinux to enable when the system is booted. Rationale: SELinux must be enabled at boot time to ensure that the controls it provides are in effect at all times. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/selinux/config
Status: | Failed |
---|---|
Duration: | 0.063314 seconds |
Command: `sestatus`
Status: | Failed |
---|---|
Duration: | 0.070267 seconds |
Command: `sestatus`
Status: | Failed |
---|---|
Duration: | 0.000882 seconds |
Command: `sestatus`
Status: | Failed |
---|---|
Duration: | 0.001698 seconds |
cis-dil-benchmark-1.6.2.3
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure SELinux policy is configured | ||||
Description: | Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only. Rationale: Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/selinux/config
Status: | Failed |
---|---|
Duration: | 0.000822 seconds |
Command: `sestatus`
Status: | Failed |
---|---|
Duration: | 0.00143 seconds |
cis-dil-benchmark-1.6.2.4
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure SETroubleshoot is not installed | ||||
Description: | The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors. Rationale: The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
System Package setroubleshoot
Status: | Passed |
---|---|
Duration: | 0.140836 seconds |
Command: `setroubleshoot`
Status: | Passed |
---|---|
Duration: | 0.030621 seconds |
cis-dil-benchmark-1.6.2.5
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure the MCS Translation Service (mcstrans) is not installed | ||||
Description: | The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf. Rationale: Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
System Package mcstrans
Status: | Passed |
---|---|
Duration: | 0.188076 seconds |
Command: `mcstransd`
Status: | Passed |
---|---|
Duration: | 0.026118 seconds |
cis-dil-benchmark-1.6.2.6
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure no unconfined daemons exist | ||||
Description: | Daemons that are not defined in SELinux policy will inherit the security context of their parent process. Rationale: Since daemons are launched and descend from the init process, they will inherit the security context label initrc_t. This could cause the unintended consequence of giving the process more permission than it requires. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Command: `ps -eZ | grep -E "initrc" | grep -E -v -w "tr|ps|grep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'`
Status: | Passed |
---|---|
Duration: | 0.086326 seconds |
cis-dil-benchmark-1.6.3.1
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure AppArmor is not disabled in bootloader configuration | ||||
Description: | Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters. Rationale: AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /boot/grub/grub.conf
Status: | Passed |
---|---|
Duration: | 0.000432 seconds |
File /boot/grub/grub.cfg
Status: | Passed |
---|---|
Duration: | 0.000356 seconds |
File /boot/boot/grub/grub.conf
Status: | Passed |
---|---|
Duration: | 9.0e-05 seconds |
File /boot/boot/grub/grub.cfg
Status: | Passed |
---|---|
Duration: | 7.2e-05 seconds |
File /boot/grub2/grub.cfg
Status: | Passed |
---|---|
Duration: | 7.5e-05 seconds |
cis-dil-benchmark-1.6.3.2
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure all AppArmor Profiles are enforcing | ||||
Description: | AppArmor profiles define what resources applications are able to access. Rationale: Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Command: `apparmor_status --profiled`
Status: | Failed |
---|---|
Duration: | 0.023732 seconds |
Command: `apparmor_status --complaining`
Status: | Failed |
---|---|
Duration: | 0.067892 seconds |
Command: `apparmor_status`
Status: | Failed |
---|---|
Duration: | 0.031518 seconds |
cis-dil-benchmark-1.7.1.1
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure message of the day is configured properly | ||||
Description: | The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \m - machine architecture \r - operating system release \s - operating system name \v - operating system version Rationale: Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the "uname -a" command once they have logged in. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Command: `grep -E -i '(\v|\r|\m|\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))' /etc/motd`
Status: | Passed |
---|---|
Duration: | 0.024456 seconds |
cis-dil-benchmark-1.7.1.2
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure local login warning banner is configured properly | ||||
Description: | The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(9) supports the following options, they display operating system information: \m - machine architecture ( uname -m ) \r - operating system release ( uname -r ) \s - operating system name \v - operating system version ( uname -v ) Rationale: Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the "uname -a" command once they have logged in. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
Command: `grep -E -i '(\v|\r|\m|\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))' /etc/issue`
Status: | Passed |
---|---|
Duration: | 0.023581 seconds |
cis-dil-benchmark-1.7.1.3
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure remote login warning banner is configured properly | ||||
Description: | The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \m - machine architecture ( uname -m ) \r - operating system release ( uname -r ) \s - operating system name \v - operating system version ( uname -v ) Rationale: Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the "uname -a" command once they have logged in. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
Command: `grep -E -i '(\v|\r|\m|\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))' /etc/issue.net`
Status: | Passed |
---|---|
Duration: | 0.073443 seconds |
cis-dil-benchmark-1.7.1.4
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure permissions on /etc/motd are configured | ||||
Description: | The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Rationale: If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/motd
Status: | Passed |
---|---|
Duration: | 0.035967 seconds |
File /etc/motd
Status: | Passed |
---|---|
Duration: | 0.001038 seconds |
File /etc/motd
Status: | Passed |
---|---|
Duration: | 0.000546 seconds |
cis-dil-benchmark-1.7.1.5
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure permissions on /etc/issue are configured | ||||
Description: | The contents of the /etc/issue file are displayed to users prior to login for local terminals. Rationale: If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/issue
Status: | Passed |
---|---|
Duration: | 0.036055 seconds |
File /etc/issue
Status: | Passed |
---|---|
Duration: | 0.000616 seconds |
File /etc/issue
Status: | Passed |
---|---|
Duration: | 0.000466 seconds |
cis-dil-benchmark-1.7.1.6
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure permissions on /etc/issue.net are configured | ||||
Description: | The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Rationale: If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/issue.net
Status: | Passed |
---|---|
Duration: | 0.076844 seconds |
File /etc/issue.net
Status: | Passed |
---|---|
Duration: | 0.002687 seconds |
File /etc/issue.net
Status: | Passed |
---|---|
Duration: | 0.000617 seconds |
cis-dil-benchmark-1.7.2
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure GDM login banner is configured | ||||
Description: | GDM is the GNOME Display Manager which handles graphical login for GNOME based systems. Rationale: Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
No-op
Status: | Skipped |
---|---|
Duration: | 3.0e-05 seconds |
cis-dil-benchmark-1.8
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure updates, patches, and additional security software are installed | ||||
Description: | Periodically patches are released for included software either due to security flaws or to include additional functionality. Rationale: Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
cis-dil-benchmark-1.8
Status: | Skipped |
---|---|
Duration: | 7.0e-06 seconds |
cis-dil-benchmark-2.1.1
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure chargen services are not enabled | ||||
Description: | chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled. Rationale: Disabling this service will reduce the remote attack surface of the system. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
No-op
Status: | Skipped |
---|---|
Duration: | 4.0e-06 seconds |
cis-dil-benchmark-2.1.2
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure daytime services are not enabled | ||||
Description: | daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled. Rationale: Disabling this service will reduce the remote attack surface of the system. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
No-op
Status: | Skipped |
---|---|
Duration: | 4.0e-06 seconds |
cis-dil-benchmark-2.1.3
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure discard services are not enabled | ||||
Description: | discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled. Rationale: Disabling this service will reduce the remote attack surface of the system. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
No-op
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
cis-dil-benchmark-2.1.4
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure echo services are not enabled | ||||
Description: | echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled. Rationale: Disabling this service will reduce the remote attack surface of the system. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
No-op
Status: | Skipped |
---|---|
Duration: | 4.0e-06 seconds |
cis-dil-benchmark-2.1.5
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure time services are not enabled | ||||
Description: | time is a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled. Rationale: Disabling this service will reduce the remote attack surface of the system. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
No-op
Status: | Skipped |
---|---|
Duration: | 4.0e-06 seconds |
cis-dil-benchmark-2.1.6
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure rsh server is not enabled | ||||
Description: | The Berkeley rsh-server (rsh, rlogin, rexec) package contains legacy services that exchange credentials in clear-text. Rationale: These legacy services contain numerous security exposures and have been replaced with the more secure SSH package. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
No-op
Status: | Skipped |
---|---|
Duration: | 4.0e-06 seconds |
cis-dil-benchmark-2.1.7
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure talk server is not enabled | ||||
Description: | The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (which allows initiation of talk sessions) is installed by default. Rationale: The software presents a security risk as it uses unencrypted protocols for communication. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
No-op
Status: | Skipped |
---|---|
Duration: | 4.0e-06 seconds |
cis-dil-benchmark-2.1.8
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure telnet server is not enabled | ||||
Description: | The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol. Rationale: The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic to steal credentials. The ssh package provides an encrypted session and stronger security. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
No-op
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
cis-dil-benchmark-2.1.9
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure tftp server is not enabled | ||||
Description: | Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The packages tftp and atftp are both used to define and support a TFTP server. Rationale: TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
No-op
Status: | Skipped |
---|---|
Duration: | 4.0e-06 seconds |
cis-dil-benchmark-2.1.10
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure xinetd is not enabled | ||||
Description: | The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests. Rationale: If there are no xinetd services required, it is recommended that the daemon be disabled. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Service xinetd
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
cis-dil-benchmark-2.2.1.1
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure time synchronization is in use | ||||
Description: | System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. Rationale: Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
System Package chrony
Status: | Passed |
---|---|
Duration: | 0.001293 seconds |
cis-dil-benchmark-2.2.1.2
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure ntp is configured | ||||
Description: | ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server. This recommendation only applies if ntp is in use on the system. Rationale: If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
No-op
Status: | Skipped |
---|---|
Duration: | 6.0e-06 seconds |
cis-dil-benchmark-2.2.1.3
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure chrony is configured | ||||
Description: | chrony is a daemon which implements the Network Time Protocol (NTP) and is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server. Rationale: If chrony is in use on the system, proper configuration is vital to ensuring time synchronization is working properly. This recommendation only applies if chrony is in use on the system. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/chrony/chrony.conf
Status: | Passed |
---|---|
Duration: | 0.000265 seconds |
Processes chronyd
Status: | Passed |
---|---|
Duration: | 0.000466 seconds |
cis-dil-benchmark-2.2.1.4
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure systemd-timesyncd is configured | ||||
Description: | systemd-timesyncd is a daemon that has been added for synchronizing the system clock across the network. It implements an SNTP client. In contrast to NTP implementations such as chrony or the NTP reference server this only implements a client side, and does not bother with the full NTP complexity, focusing only on querying time from one remote server and synchronizing the local clock to it. The daemon runs with minimal privileges, and has been hooked up with networkd to only operate when network connectivity is available. The daemon saves the current clock to disk every time a new NTP sync has been acquired, and uses this to possibly correct the system clock early at bootup, in order to accommodate for systems that lack an RTC such as the Raspberry Pi and embedded devices, and make sure that time monotonically progresses on these systems, even if it is not always correct. To make use of this daemon a new system user and group 'systemd-timesync' needs to be created on installation of systemd. This recommendation only applies if timesyncd is in use on the system. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
No-op
Status: | Skipped |
---|---|
Duration: | 8.0e-06 seconds |
cis-dil-benchmark-2.2.2
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure X Window System is not installed | ||||
Description: | The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add-ons. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login. Rationale: Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Packages /^xserver-xorg.*/
Status: | Passed |
---|---|
Duration: | 0.0191 seconds |
Packages /^xorg-x11-server.*/
Status: | Passed |
---|---|
Duration: | 0.004566 seconds |
cis-dil-benchmark-2.2.3
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure Avahi Server is not enabled | ||||
Description: | Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine. Rationale: Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Service avahi-daemon
Status: | Skipped |
---|---|
Duration: | 8.0e-06 seconds |
cis-dil-benchmark-2.2.4
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure CUPS is not enabled | ||||
Description: | The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability. Rationale: If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Service cups
Status: | Skipped |
---|---|
Duration: | 4.0e-06 seconds |
cis-dil-benchmark-2.2.5
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure DHCP Server is not enabled | ||||
Description: | The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses. Rationale: Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be deleted to reduce the potential attack surface. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Service isc-dhcp-server
Status: | Skipped |
---|---|
Duration: | 4.0e-06 seconds |
Service isc-dhcp-server6
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
Service dhcpd
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
cis-dil-benchmark-2.2.6
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure LDAP server is not enabled | ||||
Description: | The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database. Rationale: If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Service slapd
Status: | Skipped |
---|---|
Duration: | 4.0e-06 seconds |
cis-dil-benchmark-2.2.7
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure NFS and RPC are not enabled | ||||
Description: | The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network. Rationale: If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Service nfs-kernel-server
Status: | Skipped |
---|---|
Duration: | 4.0e-06 seconds |
Service nfs
Status: | Skipped |
---|---|
Duration: | 4.0e-06 seconds |
Service rpcbind
Status: | Skipped |
---|---|
Duration: | 4.0e-06 seconds |
cis-dil-benchmark-2.2.8
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure DNS Server is not enabled | ||||
Description: | The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network. Rationale: Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Service named
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
Service bind
Status: | Skipped |
---|---|
Duration: | 4.0e-06 seconds |
Service bind9
Status: | Skipped |
---|---|
Duration: | 8.0e-06 seconds |
cis-dil-benchmark-2.2.9
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure FTP Server is not enabled | ||||
Description: | The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files. Rationale: FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as an FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Service vsftpd
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
cis-dil-benchmark-2.2.10
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure HTTP server is not enabled | ||||
Description: | HTTP or web servers provide the ability to host web site content. Rationale: Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Service apache
Status: | Skipped |
---|---|
Duration: | 4.0e-06 seconds |
Service apache2
Status: | Skipped |
---|---|
Duration: | 4.0e-06 seconds |
Service httpd
Status: | Skipped |
---|---|
Duration: | 5.0e-06 seconds |
Service lighttpd
Status: | Skipped |
---|---|
Duration: | 4.0e-06 seconds |
Service nginx
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
cis-dil-benchmark-2.2.11
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure IMAP and POP3 server is not enabled | ||||
Description: | dovecot is an open source IMAP and POP3 server for Linux based systems. Rationale: Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be deleted to reduce the potential attack surface. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Service dovecot
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
Service courier-imap
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
Service cyrus-imap
Status: | Skipped |
---|---|
Duration: | 2.0e-06 seconds |
cis-dil-benchmark-2.2.12
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure Samba is not enabled | ||||
Description: | The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems. Rationale: If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Service samba
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
Service smb
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
Service smbd
Status: | Skipped |
---|---|
Duration: | 2.0e-06 seconds |
cis-dil-benchmark-2.2.13
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure HTTP Proxy Server is not enabled | ||||
Description: | Squid is a standard proxy server used in many distributions and environments. Rationale: If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Service squid
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
Service squid3
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
cis-dil-benchmark-2.2.14
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure SNMP Server is not enabled | ||||
Description: | The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system. Rationale: The SNMP server communicates using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Service snmpd
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
cis-dil-benchmark-2.2.15
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure mail transfer agent is configured for local-only mode | ||||
Description: | Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail. Rationale: The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Port 25 with address !~ /^(127\.0\.0\.1|::1)$/
Status: | Passed |
---|---|
Duration: | 0.003777 seconds |
cis-dil-benchmark-2.2.16
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure rsync service is not enabled | ||||
Description: | The rsyncd service can be used to synchronize files between systems over network links. Rationale: The rsyncd service presents a security risk as it uses unencrypted protocols for communication. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Service rsync
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
Service rsyncd
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
cis-dil-benchmark-2.2.17
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure NIS Server is not enabled | ||||
Description: | The Network Information Service (NIS) (formerly known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files. Rationale: The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Service nis
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
Service ypserv
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
cis-dil-benchmark-2.3.1
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure NIS Client is not installed | ||||
Description: | The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (ypbind) was used to bind a machine to an NIS server and receive the distributed configuration files. Rationale: The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
System Package nis
Status: | Passed |
---|---|
Duration: | 0.144483 seconds |
System Package ypbind
Status: | Passed |
---|---|
Duration: | 0.13889 seconds |
cis-dil-benchmark-2.3.2
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure rsh client is not installed | ||||
Description: | The rsh package contains the client commands for the rsh services. Rationale: These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh, rcp and rlogin. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
System Package rsh-client
Status: | Passed |
---|---|
Duration: | 0.181414 seconds |
System Package rsh-redone-client
Status: | Passed |
---|---|
Duration: | 0.140745 seconds |
System Package rsh
Status: | Passed |
---|---|
Duration: | 0.138587 seconds |
cis-dil-benchmark-2.3.3
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure talk client is not installed | ||||
Description: | The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client, which allows initialization of talk sessions, is installed by default. Rationale: The software presents a security risk as it uses unencrypted protocols for communication. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
System Package talk
Status: | Passed |
---|---|
Duration: | 0.188432 seconds |
cis-dil-benchmark-2.3.4
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure telnet client is not installed | ||||
Description: | The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol. Rationale: The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
System Package telnet
Status: | Passed |
---|---|
Duration: | 0.140739 seconds |
cis-dil-benchmark-2.3.5
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure LDAP client is not installed | ||||
Description: | The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database. Rationale: If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
System Package ldap-utils
Status: | Passed |
---|---|
Duration: | 0.140311 seconds |
System Package openldap-clients
Status: | Passed |
---|---|
Duration: | 0.187935 seconds |
System Package openldap2-client
Status: | Passed |
---|---|
Duration: | 0.142952 seconds |
cis-dil-benchmark-3.1.1
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure IP forwarding is disabled | ||||
Description: | The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not. Rationale: Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy) will never be able to forward packets, and therefore never serve as a router. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Kernel Parameter net.ipv4.ip_forward
Status: | Passed |
---|---|
Duration: | 0.033578 seconds |
Kernel Parameter net.ipv4.ip_forward
Status: | Failed |
---|---|
Duration: | 0.000806 seconds |
Kernel Parameter net.ipv6.conf.all.forwarding
Status: | Passed |
---|---|
Duration: | 0.030681 seconds |
Kernel Parameter net.ipv6.conf.all.forwarding
Status: | Passed |
---|---|
Duration: | 0.00072 seconds |
cis-dil-benchmark-3.1.2
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure packet redirect sending is disabled | ||||
Description: | ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects. Rationale: An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Kernel Parameter net.ipv4.conf.all.send_redirects
Status: | Passed |
---|---|
Duration: | 0.081125 seconds |
Kernel Parameter net.ipv4.conf.all.send_redirects
Status: | Passed |
---|---|
Duration: | 0.001028 seconds |
Kernel Parameter net.ipv4.conf.default.send_redirects
Status: | Passed |
---|---|
Duration: | 0.031932 seconds |
Kernel Parameter net.ipv4.conf.default.send_redirects
Status: | Failed |
---|---|
Duration: | 0.001479 seconds |
cis-dil-benchmark-3.2.1
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure source routed packets are not accepted | ||||
Description: | In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used. Rationale: Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Kernel Parameter net.ipv4.conf.all.accept_source_route
Status: | Passed |
---|---|
Duration: | 0.034368 seconds |
Kernel Parameter net.ipv4.conf.all.accept_source_route
Status: | Passed |
---|---|
Duration: | 0.000856 seconds |
Kernel Parameter net.ipv4.conf.default.accept_source_route
Status: | Passed |
---|---|
Duration: | 0.033273 seconds |
Kernel Parameter net.ipv4.conf.default.accept_source_route
Status: | Failed |
---|---|
Duration: | 0.000883 seconds |
Kernel Parameter net.ipv6.conf.all.accept_source_route
Status: | Passed |
---|---|
Duration: | 0.031955 seconds |
Kernel Parameter net.ipv6.conf.all.accept_source_route
Status: | Passed |
---|---|
Duration: | 0.001106 seconds |
Kernel Parameter net.ipv6.conf.default.accept_source_route
Status: | Passed |
---|---|
Duration: | 0.077777 seconds |
Kernel Parameter net.ipv6.conf.default.accept_source_route
Status: | Passed |
---|---|
Duration: | 0.000919 seconds |
cis-dil-benchmark-3.2.2
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure ICMP redirects are not accepted | ||||
Description: | ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables. Rationale: Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Kernel Parameter net.ipv4.conf.all.accept_redirects
Status: | Passed |
---|---|
Duration: | 0.030338 seconds |
Kernel Parameter net.ipv4.conf.all.accept_redirects
Status: | Passed |
---|---|
Duration: | 0.00046 seconds |
Kernel Parameter net.ipv4.conf.default.accept_redirects
Status: | Passed |
---|---|
Duration: | 0.031226 seconds |
Kernel Parameter net.ipv4.conf.default.accept_redirects
Status: | Passed |
---|---|
Duration: | 0.000388 seconds |
Kernel Parameter net.ipv6.conf.all.accept_redirects
Status: | Passed |
---|---|
Duration: | 0.031357 seconds |
Kernel Parameter net.ipv6.conf.all.accept_redirects
Status: | Passed |
---|---|
Duration: | 0.000352 seconds |
Kernel Parameter net.ipv6.conf.default.accept_redirects
Status: | Passed |
---|---|
Duration: | 0.031153 seconds |
Kernel Parameter net.ipv6.conf.default.accept_redirects
Status: | Passed |
---|---|
Duration: | 0.000491 seconds |
cis-dil-benchmark-3.2.3
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure secure ICMP redirects are not accepted | ||||
Description: | Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure. Rationale: It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Kernel Parameter net.ipv4.conf.all.secure_redirects
Status: | Passed |
---|---|
Duration: | 0.032219 seconds |
Kernel Parameter net.ipv4.conf.all.secure_redirects
Status: | Failed |
---|---|
Duration: | 0.00101 seconds |
Kernel Parameter net.ipv4.conf.default.secure_redirects
Status: | Passed |
---|---|
Duration: | 0.076117 seconds |
Kernel Parameter net.ipv4.conf.default.secure_redirects
Status: | Failed |
---|---|
Duration: | 0.000539 seconds |
cis-dil-benchmark-3.2.4
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure suspicious packets are logged | ||||
Description: | When enabled, this feature logs packets with un-routable source addresses to the kernel log. Rationale: Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Kernel Parameter net.ipv4.conf.all.log_martians
Status: | Passed |
---|---|
Duration: | 0.032738 seconds |
Kernel Parameter net.ipv4.conf.all.log_martians
Status: | Failed |
---|---|
Duration: | 0.001018 seconds |
Kernel Parameter net.ipv4.conf.default.log_martians
Status: | Passed |
---|---|
Duration: | 0.069797 seconds |
Kernel Parameter net.ipv4.conf.default.log_martians
Status: | Failed |
---|---|
Duration: | 0.000331 seconds |
cis-dil-benchmark-3.2.5
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure broadcast ICMP requests are ignored | ||||
Description: | Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses. Rationale: Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Kernel Parameter net.ipv4.icmp_echo_ignore_broadcasts
Status: | Passed |
---|---|
Duration: | 0.029979 seconds |
Kernel Parameter net.ipv4.icmp_echo_ignore_broadcasts
Status: | Passed |
---|---|
Duration: | 0.00025 seconds |
cis-dil-benchmark-3.2.6
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure bogus ICMP responses are ignored | ||||
Description: | Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages. Rationale: Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Kernel Parameter net.ipv4.icmp_ignore_bogus_error_responses
Status: | Passed |
---|---|
Duration: | 0.07162 seconds |
Kernel Parameter net.ipv4.icmp_ignore_bogus_error_responses
Status: | Passed |
---|---|
Duration: | 0.000665 seconds |
cis-dil-benchmark-3.2.7
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure Reverse Path Filtering is enabled | ||||
Description: | Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set). Rationale: Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Kernel Parameter net.ipv4.conf.all.rp_filter
Status: | Passed |
---|---|
Duration: | 0.032194 seconds |
Kernel Parameter net.ipv4.conf.all.rp_filter
Status: | Failed |
---|---|
Duration: | 0.000793 seconds |
Kernel Parameter net.ipv4.conf.default.rp_filter
Status: | Passed |
---|---|
Duration: | 0.032223 seconds |
Kernel Parameter net.ipv4.conf.default.rp_filter
Status: | Failed |
---|---|
Duration: | 0.000757 seconds |
cis-dil-benchmark-3.2.8
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure TCP SYN Cookies is enabled | ||||
Description: | When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three-way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue. Rationale: Attackers use SYN flood attacks to perform a denial of service attack on a system by sending many SYN packets without completing the three-way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Kernel Parameter net.ipv4.tcp_syncookies
Status: | Passed |
---|---|
Duration: | 0.03259 seconds |
Kernel Parameter net.ipv4.tcp_syncookies
Status: | Passed |
---|---|
Duration: | 0.001371 seconds |
cis-dil-benchmark-3.2.9
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure IPv6 router advertisements are not accepted | ||||
Description: | This setting disables the system's ability to accept IPv6 router advertisements. Rationale: It is recommended that systems do not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Kernel Parameter net.ipv6.conf.all.accept_ra
Status: | Passed |
---|---|
Duration: | 0.03615 seconds |
Kernel Parameter net.ipv6.conf.all.accept_ra
Status: | Failed |
---|---|
Duration: | 0.000803 seconds |
Kernel Parameter net.ipv6.conf.default.accept_ra
Status: | Passed |
---|---|
Duration: | 0.078251 seconds |
Kernel Parameter net.ipv6.conf.default.accept_ra
Status: | Failed |
---|---|
Duration: | 0.000873 seconds |
cis-dil-benchmark-3.3.1
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure TCP Wrappers is installed | ||||
Description: | Many Linux distributions provide value-added firewall solutions which provide easy, advanced management of network traffic into and out of the local system. When these solutions are available and appropriate for an environment they should be used. In cases where a value-added firewall is not provided by a distribution, TCP Wrappers provides a simple access list and standardized logging method for services capable of supporting it. Services that are called from `inetd` and `xinetd` support the use of TCP wrappers. Any service that can support TCP wrappers will have the `libwrap.so` library attached to it. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
System Package tcpd
Status: | Failed |
---|---|
Duration: | 0.000738 seconds |
System Package tcp_wrappers
Status: | Failed |
---|---|
Duration: | 0.00024 seconds |
cis-dil-benchmark-3.3.2
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure /etc/hosts.allow is configured | ||||
Description: | The `/etc/hosts.allow` file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the `/etc/hosts.deny` file. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/hosts.allow
Status: | Passed |
---|---|
Duration: | 0.024196 seconds |
cis-dil-benchmark-3.3.3
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure /etc/hosts.deny is configured | ||||
Description: | The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file. Rationale: The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the system. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/hosts.deny
Status: | Failed |
---|---|
Duration: | 0.033109 seconds |
cis-dil-benchmark-3.3.4
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure permissions on /etc/hosts.allow are configured | ||||
Description: | The /etc/hosts.allow file contains networking information that is used by many applications and therefore must be readable for these applications to operate. Rationale: It is critical to ensure that the /etc/hosts.allow file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/hosts.allow
Status: | Passed |
---|---|
Duration: | 0.000349 seconds |
File /etc/hosts.allow
Status: | Passed |
---|---|
Duration: | 0.056881 seconds |
File /etc/hosts.allow
Status: | Passed |
---|---|
Duration: | 0.000485 seconds |
File /etc/hosts.allow
Status: | Passed |
---|---|
Duration: | 0.000272 seconds |
File /etc/hosts.allow
Status: | Passed |
---|---|
Duration: | 0.000199 seconds |
cis-dil-benchmark-3.3.5
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure permissions on /etc/hosts.deny are configured | ||||
Description: | The `/etc/hosts.deny` file contains network information that is used by many system applications and therefore must be readable for these applications to operate. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/hosts.deny
Status: | Passed |
---|---|
Duration: | 0.07543 seconds |
File /etc/hosts.deny
Status: | Passed |
---|---|
Duration: | 0.042931 seconds |
File /etc/hosts.deny
Status: | Passed |
---|---|
Duration: | 0.000485 seconds |
File /etc/hosts.deny
Status: | Passed |
---|---|
Duration: | 0.000142 seconds |
File /etc/hosts.deny
Status: | Passed |
---|---|
Duration: | 0.00016 seconds |
cis-dil-benchmark-3.4.1
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure DCCP is disabled | ||||
Description: | The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery. Rationale: If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Kernel Module dccp
Status: | Passed |
---|---|
Duration: | 0.005829 seconds |
Kernel Module dccp
Status: | Failed |
---|---|
Duration: | 0.004203 seconds |
cis-dil-benchmark-3.4.2
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure SCTP is disabled | ||||
Description: | The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP. Rationale: If the protocol is not being used, it is recommended that the kernel module not be loaded, disabling the service to reduce the potential attack surface. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Kernel Module sctp
Status: | Passed |
---|---|
Duration: | 0.006897 seconds |
Kernel Module sctp
Status: | Failed |
---|---|
Duration: | 0.00741 seconds |
cis-dil-benchmark-3.4.3
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure RDS is disabled | ||||
Description: | The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation. Rationale: If the protocol is not being used, it is recommended that the kernel module not be loaded, disabling the service to reduce the potential attack surface. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Kernel Module rds
Status: | Passed |
---|---|
Duration: | 0.006084 seconds |
Kernel Module rds
Status: | Failed |
---|---|
Duration: | 0.00468 seconds |
cis-dil-benchmark-3.4.4
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure TIPC is disabled | ||||
Description: | The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes. Rationale: If the protocol is not being used, it is recommended that the kernel module not be loaded, disabling the service to reduce the potential attack surface. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Kernel Module tipc
Status: | Passed |
---|---|
Duration: | 0.003899 seconds |
Kernel Module tipc
Status: | Failed |
---|---|
Duration: | 0.00402 seconds |
cis-dil-benchmark-3.5.1.1
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure IPv6 default deny firewall policy | ||||
Description: | A default deny all policy on connections ensures that any unconfigured network usage will be rejected. Rationale: With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Ip6tables
Status: | Failed |
---|---|
Duration: | 0.000282 seconds |
Ip6tables
Status: | Failed |
---|---|
Duration: | 0.000211 seconds |
Ip6tables
Status: | Failed |
---|---|
Duration: | 0.000198 seconds |
cis-dil-benchmark-3.5.1.2
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure IPv6 loopback traffic is configured | ||||
Description: | Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (::1). Rationale: Loopback traffic is generated between processes on the machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (::1) traffic should be seen; all other interfaces should ignore traffic on this network as an anti-spoofing measure. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
cis-dil-benchmark-3.5.1.3
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure IPv6 outbound and established connections are configured | ||||
Description: | Configure the firewall rules for new outbound, and established IPv6 connections. Rationale: If rules are not in place for new outbound, and established connections all packets will be dropped by the default policy preventing network usage. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
cis-dil-benchmark-3.5.1.4
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure IPv6 firewall rules exist for all open ports | ||||
Description: | Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic. Rationale: Without a firewall rule configured for open ports, the default firewall policy will drop all packets to these ports. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
Firewall rule should exist for port 19419
Status: | Failed |
---|---|
Duration: | 0.002563 seconds |
Firewall rule should exist for port 57941
Status: | Failed |
---|---|
Duration: | 0.00022 seconds |
Firewall rule should exist for port 137
Status: | Failed |
---|---|
Duration: | 0.000185 seconds |
Firewall rule should exist for port 138
Status: | Failed |
---|---|
Duration: | 0.000191 seconds |
Firewall rule should exist for port 5353
Status: | Failed |
---|---|
Duration: | 0.000179 seconds |
Firewall rule should exist for port 40712
Status: | Failed |
---|---|
Duration: | 0.000207 seconds |
Firewall rule should exist for port 44907
Status: | Failed |
---|---|
Duration: | 0.000192 seconds |
Firewall rule should exist for port 42821
Status: | Failed |
---|---|
Duration: | 0.000194 seconds |
Firewall rule should exist for port 51042
Status: | Failed |
---|---|
Duration: | 0.000191 seconds |
Firewall rule should exist for port 40772
Status: | Failed |
---|---|
Duration: | 0.000313 seconds |
Firewall rule should exist for port 20772
Status: | Failed |
---|---|
Duration: | 0.000178 seconds |
Firewall rule should exist for port 36840
Status: | Failed |
---|---|
Duration: | 0.000169 seconds |
Firewall rule should exist for port 139
Status: | Failed |
---|---|
Duration: | 0.000184 seconds |
Firewall rule should exist for port 548
Status: | Failed |
---|---|
Duration: | 0.000332 seconds |
cis-dil-benchmark-3.5.2.1
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure default deny firewall policy | ||||
Description: | A default deny all policy on connections ensures that any unconfigured network usage will be rejected. Rationale: With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Iptables
Status: | Failed |
---|---|
Duration: | 0.000223 seconds |
Iptables
Status: | Failed |
---|---|
Duration: | 0.000174 seconds |
Iptables
Status: | Failed |
---|---|
Duration: | 0.000183 seconds |
cis-dil-benchmark-3.5.2.2
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure loopback traffic is configured | ||||
Description: | Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8). Rationale: Loopback traffic is generated between processes on the machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen; all other interfaces should ignore traffic on this network as an anti-spoofing measure. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
cis-dil-benchmark-3.5.2.3
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure outbound and established connections are configured | ||||
Description: | Configure the firewall rules for new outbound, and established connections. Rationale: If rules are not in place for new outbound, and established connections all packets will be dropped by the default policy preventing network usage. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
cis-dil-benchmark-3.5.2.4
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure firewall rules exist for all open ports | ||||
Description: | Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic. Rationale: Without a firewall rule configured for open ports, the default firewall policy will drop all packets to these ports. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Firewall rule should exist for port 19419
Status: | Failed |
---|---|
Duration: | 0.000206 seconds |
Firewall rule should exist for port 57941
Status: | Failed |
---|---|
Duration: | 0.000298 seconds |
Firewall rule should exist for port 137
Status: | Failed |
---|---|
Duration: | 0.000179 seconds |
Firewall rule should exist for port 138
Status: | Failed |
---|---|
Duration: | 0.000174 seconds |
Firewall rule should exist for port 5353
Status: | Failed |
---|---|
Duration: | 0.000159 seconds |
Firewall rule should exist for port 40712
Status: | Failed |
---|---|
Duration: | 0.00016 seconds |
Firewall rule should exist for port 44907
Status: | Failed |
---|---|
Duration: | 0.000179 seconds |
Firewall rule should exist for port 42821
Status: | Failed |
---|---|
Duration: | 0.000174 seconds |
Firewall rule should exist for port 51042
Status: | Failed |
---|---|
Duration: | 0.000169 seconds |
Firewall rule should exist for port 40772
Status: | Failed |
---|---|
Duration: | 0.000167 seconds |
Firewall rule should exist for port 20772
Status: | Failed |
---|---|
Duration: | 0.000234 seconds |
Firewall rule should exist for port 36840
Status: | Failed |
---|---|
Duration: | 0.000154 seconds |
Firewall rule should exist for port 139
Status: | Failed |
---|---|
Duration: | 0.000154 seconds |
Firewall rule should exist for port 548
Status: | Failed |
---|---|
Duration: | 0.000145 seconds |
cis-dil-benchmark-3.5.3
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure iptables is installed | ||||
Description: | iptables allows configuration of the IPv4 tables in the Linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables. Rationale: iptables is required for firewall management and configuration. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
System Package iptables
Status: | Passed |
---|---|
Duration: | 0.000347 seconds |
cis-dil-benchmark-3.6
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure wireless interfaces are disabled | ||||
Description: | Wireless networking is used when wired networks are unavailable. Debian contains a wireless tool kit to allow system administrators to configure and use wireless networks. Rationale: If wireless is not to be used, wireless devices can be disabled to reduce the potential attack surface. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
cis-dil-benchmark-3.6
Status: | Skipped |
---|---|
Duration: | 5.0e-06 seconds |
cis-dil-benchmark-3.7
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Disable IPv6 | ||||
Description: | Although IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented. Rationale: If IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
cis-dil-benchmark-3.7
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
cis-dil-benchmark-4.1.1.1
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure audit log storage size is configured | ||||
Description: | Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started. Rationale: It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/audit/auditd.conf
Status: | Failed |
---|---|
Duration: | 0.103764 seconds |
cis-dil-benchmark-4.1.1.2
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure system is disabled when audit logs are full | ||||
Description: | The auditd daemon can be configured to halt the system when the audit logs are full. Rationale: In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/audit/auditd.conf
Status: | Failed |
---|---|
Duration: | 0.000239 seconds |
File /etc/audit/auditd.conf
Status: | Failed |
---|---|
Duration: | 0.000144 seconds |
File /etc/audit/auditd.conf
Status: | Failed |
---|---|
Duration: | 0.000137 seconds |
cis-dil-benchmark-4.1.1.3
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure audit logs are not automatically deleted | ||||
Description: | The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs. Rationale: In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/audit/auditd.conf
Status: | Failed |
---|---|
Duration: | 0.000458 seconds |
cis-dil-benchmark-4.1.2
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure auditd is installed | ||||
Description: | auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Rationale: The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
System Package audit
Status: | Failed |
---|---|
Duration: | 0.000373 seconds |
System Package auditd
Status: | Failed |
---|---|
Duration: | 0.000211 seconds |
System Package audit-libs
Status: | Failed |
---|---|
Duration: | 0.000185 seconds |
System Package audispd-plugins
Status: | Failed |
---|---|
Duration: | 0.000365 seconds |
cis-dil-benchmark-4.1.3
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure auditd service is enabled | ||||
Description: | Turn on the auditd daemon to record system events. Rationale: The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Service auditd
Status: | Skipped |
---|---|
Duration: | 8.0e-06 seconds |
cis-dil-benchmark-4.1.4
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure auditing for processes that start prior to auditd is enabled | ||||
Description: | Configure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup. Rationale: Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /boot/grub/grub.conf
Status: | Failed |
---|---|
Duration: | 0.00019 seconds |
File /boot/grub/grub.cfg
Status: | Failed |
---|---|
Duration: | 0.000513 seconds |
File /boot/boot/grub/grub.conf
Status: | Failed |
---|---|
Duration: | 0.000128 seconds |
File /boot/boot/grub/grub.cfg
Status: | Failed |
---|---|
Duration: | 0.000114 seconds |
File /boot/grub2/grub.cfg
Status: | Failed |
---|---|
Duration: | 0.000111 seconds |
cis-dil-benchmark-4.1.5
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure events that modify date and time information are collected | ||||
Description: | Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (set time, using timeval and timezone structures), stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier "time-change". Rationale: Unexpected changes in system date and/or time could be a sign of malicious activity on the system. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000132 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000117 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000112 seconds |
cis-dil-benchmark-4.1.6
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure events that modify user/group information are collected | ||||
Description: | Record events affecting the group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file. Rationale: Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000108 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.0001 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 9.9e-05 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 9.2e-05 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.0001 seconds |
cis-dil-benchmark-4.1.7
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure events that modify the system's network environment are collected | ||||
Description: | Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/sysconfig/network (directory containing network interface scripts and configurations) files. Rationale: Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier "system-locale." | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000142 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000131 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000112 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000153 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000103 seconds |
cis-dil-benchmark-4.1.8
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure events that modify the system's Mandatory Access Controls are collected | ||||
Description: | Monitor SELinux/AppArmor mandatory access controls. The parameters below monitor any write access (potential addition, deletion or modification of files in the directory) or attribute changes to the /etc/selinux or /etc/apparmor and /etc/apparmor.d directories. Rationale: Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.00012 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000107 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.00013 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000134 seconds |
cis-dil-benchmark-4.1.9
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure login and logout events are collected | ||||
Description: | Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintains records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module. Rationale: Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000225 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000442 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000126 seconds |
cis-dil-benchmark-4.1.10
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure session initiation information is collected | ||||
Description: | Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The /var/run/utmp file tracks all currently logged in users. The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. All audit records will be tagged with the identifier "session." The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier "logins." Rationale: Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in). | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000112 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.00015 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000115 seconds |
cis-dil-benchmark-4.1.11
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure discretionary access control permission modification events are collected | ||||
Description: | Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod, fchmod and fchmodat system calls affect the permissions associated with a file. The chown, fchown, fchownat and lchown system calls affect owner and group attributes on a file. The setxattr, lsetxattr, fsetxattr (set extended file attributes) and removexattr, lremovexattr, fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 500) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier "perm_mod." Rationale: Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000316 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000184 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000145 seconds |
cis-dil-benchmark-4.1.12
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure unsuccessful unauthorized file access attempts are collected | ||||
Description: | Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation (creat), opening (open, openat) and truncation (truncate, ftruncate) of files. An audit log record will only be written if the user is a non-privileged user (auid >= 500), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier "access." Rationale: Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000136 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000134 seconds |
cis-dil-benchmark-4.1.13
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure use of privileged commands is collected | ||||
Description: | Monitor privileged programs (those that have the setuid and/or setgid bit set on execution) to determine if unprivileged users are running these commands. Rationale: Execution of privileged commands by non-privileged users could be an indication of someone trying to gain unauthorized access to the system. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000142 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.00013 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000131 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000126 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000145 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000134 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000185 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000253 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.00018 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000137 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000133 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.00014 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000304 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000131 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000124 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000122 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 8.7e-05 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 8.6e-05 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 9.5e-05 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 9.3e-05 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000103 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000126 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000126 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000132 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000121 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000279 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000123 seconds |
cis-dil-benchmark-4.1.14
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure successful file system mounts are collected | ||||
Description: | Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user. Rationale: It is highly unusual for a non-privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported would also have to track successful open, creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media are beyond the scope of this document. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000118 seconds |
cis-dil-benchmark-4.1.15
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure file deletion events by users are collected | ||||
Description: | Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier "delete". Rationale: Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000127 seconds |
cis-dil-benchmark-4.1.16
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure changes to system administration scope (sudoers) is collected | ||||
Description: | Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier "scope." Rationale: Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000105 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000103 seconds |
cis-dil-benchmark-4.1.17
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure system administrator actions (sudolog) are collected | ||||
Description: | Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log. Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log. Rationale: Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000101 seconds |
cis-dil-benchmark-4.1.18
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure kernel module loading and unloading is collected | ||||
Description: | Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of "modules". Rationale: Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.00025 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 0.000104 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 9.9e-05 seconds |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 9.9e-05 seconds |
cis-dil-benchmark-4.1.19
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure the audit configuration is immutable | ||||
Description: | Set system audit so that audit rules cannot be modified with auditctl. Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot. Rationale: In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/audit/audit.rules
Status: | Failed |
---|---|
Duration: | 9.9e-05 seconds |
cis-dil-benchmark-4.2.1.1
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure rsyslog Service is installed | ||||
Description: | The `rsyslog` software is a recommended replacement for the original `syslogd` daemon. It provides improvements over `syslogd`, such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
System Package rsyslog
Status: | Passed |
---|---|
Duration: | 0.13967 seconds |
cis-dil-benchmark-4.2.1.2
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure rsyslog Service is enabled | ||||
Description: | Once the rsyslog package is installed it needs to be activated. Rationale: If the rsyslog service is not activated the system may default to the syslogd service or lack logging instead. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Service rsyslog
Status: | Skipped |
---|---|
Duration: | 1.1e-05 seconds |
cis-dil-benchmark-4.2.1.3
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure logging is configured | ||||
Description: | The /etc/rsyslog.conf file specifies rules for logging and which files are to be used to log certain classes of messages. Rationale: A great deal of important security-related information is sent via rsyslog (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.). | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/rsyslog.conf
Status: | Passed |
---|---|
Duration: | 0.022771 seconds |
cis-dil-benchmark-4.2.1.4
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure rsyslog default file permissions configured | ||||
Description: | rsyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files. Rationale: It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/rsyslog.conf
Status: | Passed |
---|---|
Duration: | 0.075507 seconds |
cis-dil-benchmark-4.2.1.5
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure rsyslog is configured to send logs to a remote log host | ||||
Description: | The `rsyslog` utility supports the ability to send logs it gathers to a remote log host running `syslogd(8)` or to receive messages from remote hosts, reducing administrative overhead. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/rsyslog.conf
Status: | Failed |
---|---|
Duration: | 0.00224 seconds |
cis-dil-benchmark-4.2.1.6
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure remote rsyslog messages are only accepted on designated log hosts. | ||||
Description: | By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port. Rationale: The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
cis-dil-benchmark-4.2.1.6
Status: | Skipped |
---|---|
Duration: | 1.5e-05 seconds |
cis-dil-benchmark-4.2.2.1
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure journald is configured to send logs to rsyslog | ||||
Description: | Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, however, use of the rsyslog service provides a consistent means of log collection and export. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Parse Config File /etc/systemd/journald.conf
Status: | Failed |
---|---|
Duration: | 0.001225 seconds |
cis-dil-benchmark-4.2.2.2
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure journald is configured to compress large log files | ||||
Description: | The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Parse Config File /etc/systemd/journald.conf
Status: | Failed |
---|---|
Duration: | 0.000507 seconds |
cis-dil-benchmark-4.2.2.3
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure journald is configured to write logfiles to persistent disk | ||||
Description: | Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Parse Config File /etc/systemd/journald.conf
Status: | Failed |
---|---|
Duration: | 0.000471 seconds |
cis-dil-benchmark-4.2.3
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure permissions on all logfiles are configured | ||||
Description: | Log files stored in /var/log/ contain logged information from many services on the system or, on log hosts, from other systems as well. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /var/log/dpkg.log.6.gz
Status: | Passed |
---|---|
Duration: | 0.057614 seconds |
File /var/log/dpkg.log.6.gz
Status: | Passed |
---|---|
Duration: | 0.000489 seconds |
File /var/log/dpkg.log.6.gz
Status: | Failed |
---|---|
Duration: | 0.000705 seconds |
File /var/log/dpkg.log.6.gz
Status: | Passed |
---|---|
Duration: | 0.000175 seconds |
File /var/log/dpkg.log.6.gz
Status: | Passed |
---|---|
Duration: | 0.000196 seconds |
File /var/log/ufw.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.107071 seconds |
File /var/log/ufw.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000713 seconds |
File /var/log/ufw.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000169 seconds |
File /var/log/ufw.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000105 seconds |
File /var/log/ufw.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000137 seconds |
File /var/log/user.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.056028 seconds |
File /var/log/user.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000545 seconds |
File /var/log/user.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000158 seconds |
File /var/log/user.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000475 seconds |
File /var/log/user.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.00016 seconds |
File /var/log/mail.warn
Status: | Passed |
---|---|
Duration: | 0.103645 seconds |
File /var/log/mail.warn
Status: | Passed |
---|---|
Duration: | 0.000459 seconds |
File /var/log/mail.warn
Status: | Passed |
---|---|
Duration: | 0.000186 seconds |
File /var/log/mail.warn
Status: | Passed |
---|---|
Duration: | 0.000177 seconds |
File /var/log/mail.warn
Status: | Passed |
---|---|
Duration: | 0.000124 seconds |
File /var/log/alternatives.log.6.gz
Status: | Passed |
---|---|
Duration: | 0.056856 seconds |
File /var/log/alternatives.log.6.gz
Status: | Passed |
---|---|
Duration: | 0.000542 seconds |
File /var/log/alternatives.log.6.gz
Status: | Failed |
---|---|
Duration: | 0.000373 seconds |
File /var/log/alternatives.log.6.gz
Status: | Passed |
---|---|
Duration: | 0.000464 seconds |
File /var/log/alternatives.log.6.gz
Status: | Passed |
---|---|
Duration: | 0.000174 seconds |
File /var/log/mail.warn.2.gz
Status: | Passed |
---|---|
Duration: | 0.057826 seconds |
File /var/log/mail.warn.2.gz
Status: | Passed |
---|---|
Duration: | 0.000455 seconds |
File /var/log/mail.warn.2.gz
Status: | Passed |
---|---|
Duration: | 0.000165 seconds |
File /var/log/mail.warn.2.gz
Status: | Passed |
---|---|
Duration: | 0.000181 seconds |
File /var/log/mail.warn.2.gz
Status: | Passed |
---|---|
Duration: | 0.000231 seconds |
File /var/log/auth.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.105587 seconds |
File /var/log/auth.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000565 seconds |
File /var/log/auth.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000304 seconds |
File /var/log/auth.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000277 seconds |
File /var/log/auth.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000352 seconds |
File /var/log/cron.log.1
Status: | Passed |
---|---|
Duration: | 0.059204 seconds |
File /var/log/cron.log.1
Status: | Passed |
---|---|
Duration: | 0.000549 seconds |
File /var/log/cron.log.1
Status: | Passed |
---|---|
Duration: | 0.000188 seconds |
File /var/log/cron.log.1
Status: | Passed |
---|---|
Duration: | 0.000143 seconds |
File /var/log/cron.log.1
Status: | Passed |
---|---|
Duration: | 0.000119 seconds |
File /var/log/alternatives.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.056534 seconds |
File /var/log/alternatives.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.00047 seconds |
File /var/log/alternatives.log.4.gz
Status: | Failed |
---|---|
Duration: | 0.000315 seconds |
File /var/log/alternatives.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000195 seconds |
File /var/log/alternatives.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000134 seconds |
File /var/log/alternatives.log.11.gz
Status: | Passed |
---|---|
Duration: | 0.104591 seconds |
File /var/log/alternatives.log.11.gz
Status: | Passed |
---|---|
Duration: | 0.000453 seconds |
File /var/log/alternatives.log.11.gz
Status: | Failed |
---|---|
Duration: | 0.000422 seconds |
File /var/log/alternatives.log.11.gz
Status: | Passed |
---|---|
Duration: | 0.000165 seconds |
File /var/log/alternatives.log.11.gz
Status: | Passed |
---|---|
Duration: | 0.000179 seconds |
File /var/log/cron.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.060406 seconds |
File /var/log/cron.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000575 seconds |
File /var/log/cron.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000293 seconds |
File /var/log/cron.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.00073 seconds |
File /var/log/cron.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000177 seconds |
File /var/log/messages.3.gz
Status: | Passed |
---|---|
Duration: | 0.1019 seconds |
File /var/log/messages.3.gz
Status: | Passed |
---|---|
Duration: | 0.000657 seconds |
File /var/log/messages.3.gz
Status: | Passed |
---|---|
Duration: | 0.000271 seconds |
File /var/log/messages.3.gz
Status: | Passed |
---|---|
Duration: | 0.000248 seconds |
File /var/log/messages.3.gz
Status: | Passed |
---|---|
Duration: | 0.000238 seconds |
File /var/log/dpkg.log.9.gz
Status: | Passed |
---|---|
Duration: | 0.057963 seconds |
File /var/log/dpkg.log.9.gz
Status: | Passed |
---|---|
Duration: | 0.000528 seconds |
File /var/log/dpkg.log.9.gz
Status: | Failed |
---|---|
Duration: | 0.000442 seconds |
File /var/log/dpkg.log.9.gz
Status: | Passed |
---|---|
Duration: | 0.000221 seconds |
File /var/log/dpkg.log.9.gz
Status: | Passed |
---|---|
Duration: | 0.000395 seconds |
File /var/log/syslog.6.gz
Status: | Passed |
---|---|
Duration: | 0.110538 seconds |
File /var/log/syslog.6.gz
Status: | Passed |
---|---|
Duration: | 0.000533 seconds |
File /var/log/syslog.6.gz
Status: | Passed |
---|---|
Duration: | 0.000213 seconds |
File /var/log/syslog.6.gz
Status: | Passed |
---|---|
Duration: | 0.000219 seconds |
File /var/log/syslog.6.gz
Status: | Passed |
---|---|
Duration: | 0.000173 seconds |
File /var/log/ufw.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.061663 seconds |
File /var/log/ufw.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000449 seconds |
File /var/log/ufw.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000199 seconds |
File /var/log/ufw.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.00037 seconds |
File /var/log/ufw.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000159 seconds |
File /var/log/mail.info.4.gz
Status: | Passed |
---|---|
Duration: | 0.112199 seconds |
File /var/log/mail.info.4.gz
Status: | Passed |
---|---|
Duration: | 0.00047 seconds |
File /var/log/mail.info.4.gz
Status: | Passed |
---|---|
Duration: | 0.000275 seconds |
File /var/log/mail.info.4.gz
Status: | Passed |
---|---|
Duration: | 0.000366 seconds |
File /var/log/mail.info.4.gz
Status: | Passed |
---|---|
Duration: | 0.00175 seconds |
File /var/log/mail.info.1
Status: | Passed |
---|---|
Duration: | 0.060009 seconds |
File /var/log/mail.info.1
Status: | Passed |
---|---|
Duration: | 0.000466 seconds |
File /var/log/mail.info.1
Status: | Passed |
---|---|
Duration: | 0.000272 seconds |
File /var/log/mail.info.1
Status: | Passed |
---|---|
Duration: | 0.000192 seconds |
File /var/log/mail.info.1
Status: | Passed |
---|---|
Duration: | 0.000156 seconds |
File /var/log/dpkg.log.11.gz
Status: | Passed |
---|---|
Duration: | 0.103877 seconds |
File /var/log/dpkg.log.11.gz
Status: | Passed |
---|---|
Duration: | 0.000599 seconds |
File /var/log/dpkg.log.11.gz
Status: | Failed |
---|---|
Duration: | 0.000357 seconds |
File /var/log/dpkg.log.11.gz
Status: | Passed |
---|---|
Duration: | 0.000248 seconds |
File /var/log/dpkg.log.11.gz
Status: | Passed |
---|---|
Duration: | 0.000169 seconds |
File /var/log/auth.log
Status: | Passed |
---|---|
Duration: | 0.056324 seconds |
File /var/log/auth.log
Status: | Passed |
---|---|
Duration: | 0.000585 seconds |
File /var/log/auth.log
Status: | Passed |
---|---|
Duration: | 0.000259 seconds |
File /var/log/auth.log
Status: | Passed |
---|---|
Duration: | 0.000118 seconds |
File /var/log/auth.log
Status: | Passed |
---|---|
Duration: | 0.000171 seconds |
File /var/log/ufw.log
Status: | Passed |
---|---|
Duration: | 0.058687 seconds |
File /var/log/ufw.log
Status: | Passed |
---|---|
Duration: | 0.000752 seconds |
File /var/log/ufw.log
Status: | Passed |
---|---|
Duration: | 0.000211 seconds |
File /var/log/ufw.log
Status: | Passed |
---|---|
Duration: | 0.00016 seconds |
File /var/log/ufw.log
Status: | Passed |
---|---|
Duration: | 0.000136 seconds |
File /var/log/daemon.log
Status: | Passed |
---|---|
Duration: | 0.103981 seconds |
File /var/log/daemon.log
Status: | Passed |
---|---|
Duration: | 0.00036 seconds |
File /var/log/daemon.log
Status: | Passed |
---|---|
Duration: | 0.000333 seconds |
File /var/log/daemon.log
Status: | Passed |
---|---|
Duration: | 0.000136 seconds |
File /var/log/daemon.log
Status: | Passed |
---|---|
Duration: | 0.000151 seconds |
File /var/log/ufw.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.059064 seconds |
File /var/log/ufw.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000405 seconds |
File /var/log/ufw.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.0002 seconds |
File /var/log/ufw.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.00013 seconds |
File /var/log/ufw.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000134 seconds |
File /var/log/cron.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.103903 seconds |
File /var/log/cron.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000745 seconds |
File /var/log/cron.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000604 seconds |
File /var/log/cron.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000374 seconds |
File /var/log/cron.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000425 seconds |
File /var/log/btmp.1
Status: | Failed |
---|---|
Duration: | 0.057316 seconds |
File /var/log/btmp.1
Status: | Passed |
---|---|
Duration: | 0.000602 seconds |
File /var/log/btmp.1
Status: | Passed |
---|---|
Duration: | 0.000825 seconds |
File /var/log/btmp.1
Status: | Passed |
---|---|
Duration: | 0.00039 seconds |
File /var/log/btmp.1
Status: | Passed |
---|---|
Duration: | 0.000207 seconds |
File /var/log/user.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.103846 seconds |
File /var/log/user.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.001494 seconds |
File /var/log/user.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000451 seconds |
File /var/log/user.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000274 seconds |
File /var/log/user.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.00028 seconds |
File /var/log/ufw.log.1
Status: | Passed |
---|---|
Duration: | 0.057208 seconds |
File /var/log/ufw.log.1
Status: | Passed |
---|---|
Duration: | 0.000661 seconds |
File /var/log/ufw.log.1
Status: | Passed |
---|---|
Duration: | 0.000295 seconds |
File /var/log/ufw.log.1
Status: | Passed |
---|---|
Duration: | 0.000198 seconds |
File /var/log/ufw.log.1
Status: | Passed |
---|---|
Duration: | 0.000127 seconds |
File /var/log/alternatives.log.5.gz
Status: | Passed |
---|---|
Duration: | 0.057336 seconds |
File /var/log/alternatives.log.5.gz
Status: | Passed |
---|---|
Duration: | 0.00055 seconds |
File /var/log/alternatives.log.5.gz
Status: | Failed |
---|---|
Duration: | 0.000859 seconds |
File /var/log/alternatives.log.5.gz
Status: | Passed |
---|---|
Duration: | 0.00015 seconds |
File /var/log/alternatives.log.5.gz
Status: | Passed |
---|---|
Duration: | 0.000114 seconds |
File /var/log/dpkg.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.103035 seconds |
File /var/log/dpkg.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000581 seconds |
File /var/log/dpkg.log.3.gz
Status: | Failed |
---|---|
Duration: | 0.000455 seconds |
File /var/log/dpkg.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000279 seconds |
File /var/log/dpkg.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000254 seconds |
File /var/log/alternatives.log
Status: | Passed |
---|---|
Duration: | 0.057577 seconds |
File /var/log/alternatives.log
Status: | Passed |
---|---|
Duration: | 0.000539 seconds |
File /var/log/alternatives.log
Status: | Failed |
---|---|
Duration: | 0.000291 seconds |
File /var/log/alternatives.log
Status: | Passed |
---|---|
Duration: | 0.000129 seconds |
File /var/log/alternatives.log
Status: | Passed |
---|---|
Duration: | 0.000583 seconds |
File /var/log/debug.4.gz
Status: | Passed |
---|---|
Duration: | 0.10451 seconds |
File /var/log/debug.4.gz
Status: | Passed |
---|---|
Duration: | 0.000631 seconds |
File /var/log/debug.4.gz
Status: | Passed |
---|---|
Duration: | 0.000273 seconds |
File /var/log/debug.4.gz
Status: | Passed |
---|---|
Duration: | 0.000387 seconds |
File /var/log/debug.4.gz
Status: | Passed |
---|---|
Duration: | 0.000312 seconds |
File /var/log/lastlog
Status: | Passed |
---|---|
Duration: | 0.060386 seconds |
File /var/log/lastlog
Status: | Passed |
---|---|
Duration: | 0.000311 seconds |
File /var/log/lastlog
Status: | Passed |
---|---|
Duration: | 0.000137 seconds |
File /var/log/mail.info.3.gz
Status: | Passed |
---|---|
Duration: | 0.103326 seconds |
File /var/log/mail.info.3.gz
Status: | Passed |
---|---|
Duration: | 0.000474 seconds |
File /var/log/mail.info.3.gz
Status: | Passed |
---|---|
Duration: | 0.000193 seconds |
File /var/log/mail.info.3.gz
Status: | Passed |
---|---|
Duration: | 0.000147 seconds |
File /var/log/mail.info.3.gz
Status: | Passed |
---|---|
Duration: | 0.000135 seconds |
File /var/log/debug.2.gz
Status: | Passed |
---|---|
Duration: | 0.056916 seconds |
File /var/log/debug.2.gz
Status: | Passed |
---|---|
Duration: | 0.000441 seconds |
File /var/log/debug.2.gz
Status: | Passed |
---|---|
Duration: | 0.000237 seconds |
File /var/log/debug.2.gz
Status: | Passed |
---|---|
Duration: | 0.000188 seconds |
File /var/log/debug.2.gz
Status: | Passed |
---|---|
Duration: | 0.000156 seconds |
File /var/log/mail.warn.4.gz
Status: | Passed |
---|---|
Duration: | 0.056882 seconds |
File /var/log/mail.warn.4.gz
Status: | Passed |
---|---|
Duration: | 0.000331 seconds |
File /var/log/mail.warn.4.gz
Status: | Passed |
---|---|
Duration: | 0.000142 seconds |
File /var/log/mail.warn.4.gz
Status: | Passed |
---|---|
Duration: | 0.000117 seconds |
File /var/log/mail.warn.4.gz
Status: | Passed |
---|---|
Duration: | 0.000146 seconds |
File /var/log/daemon.log.1
Status: | Passed |
---|---|
Duration: | 0.105719 seconds |
File /var/log/daemon.log.1
Status: | Passed |
---|---|
Duration: | 0.000515 seconds |
File /var/log/daemon.log.1
Status: | Passed |
---|---|
Duration: | 0.000206 seconds |
File /var/log/daemon.log.1
Status: | Passed |
---|---|
Duration: | 0.000377 seconds |
File /var/log/daemon.log.1
Status: | Passed |
---|---|
Duration: | 0.000133 seconds |
File /var/log/syslog.1
Status: | Passed |
---|---|
Duration: | 0.05573 seconds |
File /var/log/syslog.1
Status: | Passed |
---|---|
Duration: | 0.000566 seconds |
File /var/log/syslog.1
Status: | Passed |
---|---|
Duration: | 0.000176 seconds |
File /var/log/syslog.1
Status: | Passed |
---|---|
Duration: | 0.000113 seconds |
File /var/log/syslog.1
Status: | Passed |
---|---|
Duration: | 9.5e-05 seconds |
File /var/log/dpkg.log.5.gz
Status: | Passed |
---|---|
Duration: | 0.055605 seconds |
File /var/log/dpkg.log.5.gz
Status: | Passed |
---|---|
Duration: | 0.000468 seconds |
File /var/log/dpkg.log.5.gz
Status: | Failed |
---|---|
Duration: | 0.000356 seconds |
File /var/log/dpkg.log.5.gz
Status: | Passed |
---|---|
Duration: | 0.000147 seconds |
File /var/log/dpkg.log.5.gz
Status: | Passed |
---|---|
Duration: | 0.000343 seconds |
File /var/log/user.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.112509 seconds |
File /var/log/user.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000391 seconds |
File /var/log/user.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000399 seconds |
File /var/log/user.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.00038 seconds |
File /var/log/user.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000654 seconds |
File /var/log/debug
Status: | Passed |
---|---|
Duration: | 0.057439 seconds |
File /var/log/debug
Status: | Passed |
---|---|
Duration: | 0.000671 seconds |
File /var/log/debug
Status: | Passed |
---|---|
Duration: | 0.000615 seconds |
File /var/log/debug
Status: | Passed |
---|---|
Duration: | 0.000623 seconds |
File /var/log/debug
Status: | Passed |
---|---|
Duration: | 0.000552 seconds |
File /var/log/wtmp
Status: | Passed |
---|---|
Duration: | 0.097838 seconds |
File /var/log/wtmp
Status: | Passed |
---|---|
Duration: | 0.000348 seconds |
File /var/log/wtmp
Status: | Passed |
---|---|
Duration: | 0.000195 seconds |
File /var/log/mail.log
Status: | Passed |
---|---|
Duration: | 0.056172 seconds |
File /var/log/mail.log
Status: | Passed |
---|---|
Duration: | 0.00036 seconds |
File /var/log/mail.log
Status: | Passed |
---|---|
Duration: | 0.000174 seconds |
File /var/log/mail.log
Status: | Passed |
---|---|
Duration: | 0.000239 seconds |
File /var/log/mail.log
Status: | Passed |
---|---|
Duration: | 0.000266 seconds |
File /var/log/dpkg.log.1
Status: | Passed |
---|---|
Duration: | 0.056546 seconds |
File /var/log/dpkg.log.1
Status: | Passed |
---|---|
Duration: | 0.000602 seconds |
File /var/log/dpkg.log.1
Status: | Failed |
---|---|
Duration: | 0.000273 seconds |
File /var/log/dpkg.log.1
Status: | Passed |
---|---|
Duration: | 0.000111 seconds |
File /var/log/dpkg.log.1
Status: | Passed |
---|---|
Duration: | 0.000104 seconds |
File /var/log/auth.log.1
Status: | Passed |
---|---|
Duration: | 0.103562 seconds |
File /var/log/auth.log.1
Status: | Passed |
---|---|
Duration: | 0.000775 seconds |
File /var/log/auth.log.1
Status: | Passed |
---|---|
Duration: | 0.000405 seconds |
File /var/log/auth.log.1
Status: | Passed |
---|---|
Duration: | 0.000378 seconds |
File /var/log/auth.log.1
Status: | Passed |
---|---|
Duration: | 0.000321 seconds |
File /var/log/wtmp.1
Status: | Failed |
---|---|
Duration: | 0.06085 seconds |
File /var/log/wtmp.1
Status: | Passed |
---|---|
Duration: | 0.00034 seconds |
File /var/log/wtmp.1
Status: | Failed |
---|---|
Duration: | 0.000185 seconds |
File /var/log/wtmp.1
Status: | Passed |
---|---|
Duration: | 0.000101 seconds |
File /var/log/wtmp.1
Status: | Passed |
---|---|
Duration: | 9.3e-05 seconds |
File /var/log/faillog
Status: | Passed |
---|---|
Duration: | 0.10312 seconds |
File /var/log/faillog
Status: | Passed |
---|---|
Duration: | 0.000625 seconds |
File /var/log/faillog
Status: | Failed |
---|---|
Duration: | 0.00048 seconds |
File /var/log/faillog
Status: | Passed |
---|---|
Duration: | 0.000291 seconds |
File /var/log/faillog
Status: | Passed |
---|---|
Duration: | 0.000151 seconds |
File /var/log/debug.1
Status: | Passed |
---|---|
Duration: | 0.058082 seconds |
File /var/log/debug.1
Status: | Passed |
---|---|
Duration: | 0.000396 seconds |
File /var/log/debug.1
Status: | Passed |
---|---|
Duration: | 0.000272 seconds |
File /var/log/debug.1
Status: | Passed |
---|---|
Duration: | 0.000204 seconds |
File /var/log/debug.1
Status: | Passed |
---|---|
Duration: | 0.000117 seconds |
File /var/log/alternatives.log.10.gz
Status: | Passed |
---|---|
Duration: | 0.056817 seconds |
File /var/log/alternatives.log.10.gz
Status: | Passed |
---|---|
Duration: | 0.00035 seconds |
File /var/log/alternatives.log.10.gz
Status: | Failed |
---|---|
Duration: | 0.000572 seconds |
File /var/log/alternatives.log.10.gz
Status: | Passed |
---|---|
Duration: | 0.000144 seconds |
File /var/log/alternatives.log.10.gz
Status: | Passed |
---|---|
Duration: | 0.000124 seconds |
File /var/log/kern.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.103362 seconds |
File /var/log/kern.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000362 seconds |
File /var/log/kern.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000206 seconds |
File /var/log/kern.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000145 seconds |
File /var/log/kern.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000141 seconds |
File /var/log/syslog.2.gz
Status: | Passed |
---|---|
Duration: | 0.06122 seconds |
File /var/log/syslog.2.gz
Status: | Passed |
---|---|
Duration: | 0.000681 seconds |
File /var/log/syslog.2.gz
Status: | Passed |
---|---|
Duration: | 0.00045 seconds |
File /var/log/syslog.2.gz
Status: | Passed |
---|---|
Duration: | 0.000148 seconds |
File /var/log/syslog.2.gz
Status: | Passed |
---|---|
Duration: | 0.000136 seconds |
File /var/log/syslog.3.gz
Status: | Passed |
---|---|
Duration: | 0.110154 seconds |
File /var/log/syslog.3.gz
Status: | Passed |
---|---|
Duration: | 0.000505 seconds |
File /var/log/syslog.3.gz
Status: | Passed |
---|---|
Duration: | 0.000212 seconds |
File /var/log/syslog.3.gz
Status: | Passed |
---|---|
Duration: | 0.000161 seconds |
File /var/log/syslog.3.gz
Status: | Passed |
---|---|
Duration: | 0.000131 seconds |
File /var/log/kern.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.058524 seconds |
File /var/log/kern.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000543 seconds |
File /var/log/kern.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000252 seconds |
File /var/log/kern.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000187 seconds |
File /var/log/kern.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000253 seconds |
File /var/log/dpkg.log
Status: | Passed |
---|---|
Duration: | 0.109206 seconds |
File /var/log/dpkg.log
Status: | Passed |
---|---|
Duration: | 0.00046 seconds |
File /var/log/dpkg.log
Status: | Failed |
---|---|
Duration: | 0.000359 seconds |
File /var/log/dpkg.log
Status: | Passed |
---|---|
Duration: | 0.000134 seconds |
File /var/log/dpkg.log
Status: | Passed |
---|---|
Duration: | 0.00012 seconds |
File /var/log/messages.2.gz
Status: | Passed |
---|---|
Duration: | 0.057343 seconds |
File /var/log/messages.2.gz
Status: | Passed |
---|---|
Duration: | 0.000615 seconds |
File /var/log/messages.2.gz
Status: | Passed |
---|---|
Duration: | 0.000304 seconds |
File /var/log/messages.2.gz
Status: | Passed |
---|---|
Duration: | 0.000245 seconds |
File /var/log/messages.2.gz
Status: | Passed |
---|---|
Duration: | 0.000274 seconds |
File /var/log/dpkg.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.057411 seconds |
File /var/log/dpkg.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.00037 seconds |
File /var/log/dpkg.log.2.gz
Status: | Failed |
---|---|
Duration: | 0.00026 seconds |
File /var/log/dpkg.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000275 seconds |
File /var/log/dpkg.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000103 seconds |
File /var/log/dpkg.log.8.gz
Status: | Passed |
---|---|
Duration: | 0.103266 seconds |
File /var/log/dpkg.log.8.gz
Status: | Passed |
---|---|
Duration: | 0.000324 seconds |
File /var/log/dpkg.log.8.gz
Status: | Failed |
---|---|
Duration: | 0.000229 seconds |
File /var/log/dpkg.log.8.gz
Status: | Passed |
---|---|
Duration: | 0.000117 seconds |
File /var/log/dpkg.log.8.gz
Status: | Passed |
---|---|
Duration: | 0.000113 seconds |
File /var/log/bootstrap.log
Status: | Passed |
---|---|
Duration: | 0.059392 seconds |
File /var/log/bootstrap.log
Status: | Passed |
---|---|
Duration: | 0.000375 seconds |
File /var/log/bootstrap.log
Status: | Failed |
---|---|
Duration: | 0.00024 seconds |
File /var/log/bootstrap.log
Status: | Passed |
---|---|
Duration: | 0.000113 seconds |
File /var/log/bootstrap.log
Status: | Passed |
---|---|
Duration: | 9.9e-05 seconds |
File /var/log/dpkg.log.7.gz
Status: | Passed |
---|---|
Duration: | 0.105138 seconds |
File /var/log/dpkg.log.7.gz
Status: | Passed |
---|---|
Duration: | 0.000483 seconds |
File /var/log/dpkg.log.7.gz
Status: | Failed |
---|---|
Duration: | 0.000477 seconds |
File /var/log/dpkg.log.7.gz
Status: | Passed |
---|---|
Duration: | 0.000157 seconds |
File /var/log/dpkg.log.7.gz
Status: | Passed |
---|---|
Duration: | 0.000109 seconds |
File /var/log/mail.err
Status: | Passed |
---|---|
Duration: | 0.056155 seconds |
File /var/log/mail.err
Status: | Passed |
---|---|
Duration: | 0.000756 seconds |
File /var/log/mail.err
Status: | Passed |
---|---|
Duration: | 0.000197 seconds |
File /var/log/mail.err
Status: | Passed |
---|---|
Duration: | 0.000118 seconds |
File /var/log/mail.err
Status: | Passed |
---|---|
Duration: | 0.000104 seconds |
File /var/log/daemon.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.057399 seconds |
File /var/log/daemon.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000496 seconds |
File /var/log/daemon.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000291 seconds |
File /var/log/daemon.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000201 seconds |
File /var/log/daemon.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000179 seconds |
File /var/log/mail.info
Status: | Passed |
---|---|
Duration: | 0.105446 seconds |
File /var/log/mail.info
Status: | Passed |
---|---|
Duration: | 0.000509 seconds |
File /var/log/mail.info
Status: | Passed |
---|---|
Duration: | 0.000224 seconds |
File /var/log/mail.info
Status: | Passed |
---|---|
Duration: | 0.000243 seconds |
File /var/log/mail.info
Status: | Passed |
---|---|
Duration: | 0.000251 seconds |
File /var/log/apt/history.log.11.gz
Status: | Passed |
---|---|
Duration: | 0.058006 seconds |
File /var/log/apt/history.log.11.gz
Status: | Passed |
---|---|
Duration: | 0.000453 seconds |
File /var/log/apt/history.log.11.gz
Status: | Failed |
---|---|
Duration: | 0.000727 seconds |
File /var/log/apt/history.log.11.gz
Status: | Passed |
---|---|
Duration: | 0.000154 seconds |
File /var/log/apt/history.log.11.gz
Status: | Passed |
---|---|
Duration: | 0.000137 seconds |
File /var/log/apt/history.log.10.gz
Status: | Passed |
---|---|
Duration: | 0.101771 seconds |
File /var/log/apt/history.log.10.gz
Status: | Passed |
---|---|
Duration: | 0.000435 seconds |
File /var/log/apt/history.log.10.gz
Status: | Failed |
---|---|
Duration: | 0.000313 seconds |
File /var/log/apt/history.log.10.gz
Status: | Passed |
---|---|
Duration: | 0.000275 seconds |
File /var/log/apt/history.log.10.gz
Status: | Passed |
---|---|
Duration: | 0.000318 seconds |
File /var/log/apt/history.log.8.gz
Status: | Passed |
---|---|
Duration: | 0.057886 seconds |
File /var/log/apt/history.log.8.gz
Status: | Passed |
---|---|
Duration: | 0.000448 seconds |
File /var/log/apt/history.log.8.gz
Status: | Failed |
---|---|
Duration: | 0.000318 seconds |
File /var/log/apt/history.log.8.gz
Status: | Passed |
---|---|
Duration: | 0.000243 seconds |
File /var/log/apt/history.log.8.gz
Status: | Passed |
---|---|
Duration: | 0.000253 seconds |
File /var/log/apt/term.log.1.gz
Status: | Passed |
---|---|
Duration: | 0.127631 seconds |
File /var/log/apt/term.log.1.gz
Status: | Passed |
---|---|
Duration: | 0.000521 seconds |
File /var/log/apt/term.log.1.gz
Status: | Passed |
---|---|
Duration: | 0.001202 seconds |
File /var/log/apt/term.log.1.gz
Status: | Passed |
---|---|
Duration: | 0.00043 seconds |
File /var/log/apt/term.log.1.gz
Status: | Passed |
---|---|
Duration: | 0.002225 seconds |
File /var/log/apt/term.log.5.gz
Status: | Passed |
---|---|
Duration: | 0.060653 seconds |
File /var/log/apt/term.log.5.gz
Status: | Passed |
---|---|
Duration: | 0.000461 seconds |
File /var/log/apt/term.log.5.gz
Status: | Passed |
---|---|
Duration: | 0.000175 seconds |
File /var/log/apt/term.log.5.gz
Status: | Passed |
---|---|
Duration: | 0.000144 seconds |
File /var/log/apt/term.log.5.gz
Status: | Passed |
---|---|
Duration: | 0.000134 seconds |
File /var/log/apt/history.log.1.gz
Status: | Passed |
---|---|
Duration: | 0.103769 seconds |
File /var/log/apt/history.log.1.gz
Status: | Passed |
---|---|
Duration: | 0.000969 seconds |
File /var/log/apt/history.log.1.gz
Status: | Failed |
---|---|
Duration: | 0.000436 seconds |
File /var/log/apt/history.log.1.gz
Status: | Passed |
---|---|
Duration: | 0.000253 seconds |
File /var/log/apt/history.log.1.gz
Status: | Passed |
---|---|
Duration: | 0.000373 seconds |
File /var/log/apt/term.log
Status: | Passed |
---|---|
Duration: | 0.05788 seconds |
File /var/log/apt/term.log
Status: | Passed |
---|---|
Duration: | 0.000523 seconds |
File /var/log/apt/term.log
Status: | Passed |
---|---|
Duration: | 0.000312 seconds |
File /var/log/apt/term.log
Status: | Passed |
---|---|
Duration: | 0.000146 seconds |
File /var/log/apt/term.log
Status: | Passed |
---|---|
Duration: | 0.000138 seconds |
File /var/log/apt/term.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.102836 seconds |
File /var/log/apt/term.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000311 seconds |
File /var/log/apt/term.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000153 seconds |
File /var/log/apt/term.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000112 seconds |
File /var/log/apt/term.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.00011 seconds |
File /var/log/apt/history.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.067571 seconds |
File /var/log/apt/history.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000455 seconds |
File /var/log/apt/history.log.2.gz
Status: | Failed |
---|---|
Duration: | 0.000382 seconds |
File /var/log/apt/history.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000194 seconds |
File /var/log/apt/history.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000783 seconds |
File /var/log/apt/term.log.8.gz
Status: | Passed |
---|---|
Duration: | 0.105561 seconds |
File /var/log/apt/term.log.8.gz
Status: | Passed |
---|---|
Duration: | 0.000642 seconds |
File /var/log/apt/term.log.8.gz
Status: | Passed |
---|---|
Duration: | 0.000458 seconds |
File /var/log/apt/term.log.8.gz
Status: | Passed |
---|---|
Duration: | 0.000182 seconds |
File /var/log/apt/term.log.8.gz
Status: | Passed |
---|---|
Duration: | 0.000131 seconds |
File /var/log/apt/term.log.11.gz
Status: | Passed |
---|---|
Duration: | 0.06216 seconds |
File /var/log/apt/term.log.11.gz
Status: | Passed |
---|---|
Duration: | 0.000501 seconds |
File /var/log/apt/term.log.11.gz
Status: | Passed |
---|---|
Duration: | 0.000247 seconds |
File /var/log/apt/term.log.11.gz
Status: | Passed |
---|---|
Duration: | 0.000364 seconds |
File /var/log/apt/term.log.11.gz
Status: | Passed |
---|---|
Duration: | 0.000105 seconds |
File /var/log/apt/history.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.059696 seconds |
File /var/log/apt/history.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000431 seconds |
File /var/log/apt/history.log.4.gz
Status: | Failed |
---|---|
Duration: | 0.00043 seconds |
File /var/log/apt/history.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000273 seconds |
File /var/log/apt/history.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000247 seconds |
File /var/log/apt/eipp.log.xz
Status: | Passed |
---|---|
Duration: | 0.102707 seconds |
File /var/log/apt/eipp.log.xz
Status: | Passed |
---|---|
Duration: | 0.001516 seconds |
File /var/log/apt/eipp.log.xz
Status: | Failed |
---|---|
Duration: | 0.000601 seconds |
File /var/log/apt/eipp.log.xz
Status: | Passed |
---|---|
Duration: | 0.000183 seconds |
File /var/log/apt/eipp.log.xz
Status: | Passed |
---|---|
Duration: | 0.00019 seconds |
File /var/log/apt/term.log.12.gz
Status: | Passed |
---|---|
Duration: | 0.058213 seconds |
File /var/log/apt/term.log.12.gz
Status: | Passed |
---|---|
Duration: | 0.000698 seconds |
File /var/log/apt/term.log.12.gz
Status: | Passed |
---|---|
Duration: | 0.000322 seconds |
File /var/log/apt/term.log.12.gz
Status: | Passed |
---|---|
Duration: | 0.000302 seconds |
File /var/log/apt/term.log.12.gz
Status: | Passed |
---|---|
Duration: | 0.000288 seconds |
File /var/log/apt/history.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.100865 seconds |
File /var/log/apt/history.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000717 seconds |
File /var/log/apt/history.log.3.gz
Status: | Failed |
---|---|
Duration: | 0.000503 seconds |
File /var/log/apt/history.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.00058 seconds |
File /var/log/apt/history.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000528 seconds |
File /var/log/apt/term.log.9.gz
Status: | Passed |
---|---|
Duration: | 0.060586 seconds |
File /var/log/apt/term.log.9.gz
Status: | Passed |
---|---|
Duration: | 0.000301 seconds |
File /var/log/apt/term.log.9.gz
Status: | Passed |
---|---|
Duration: | 0.000105 seconds |
File /var/log/apt/term.log.9.gz
Status: | Passed |
---|---|
Duration: | 0.000278 seconds |
File /var/log/apt/term.log.9.gz
Status: | Passed |
---|---|
Duration: | 0.000105 seconds |
File /var/log/apt/term.log.7.gz
Status: | Passed |
---|---|
Duration: | 0.104702 seconds |
File /var/log/apt/term.log.7.gz
Status: | Passed |
---|---|
Duration: | 0.000593 seconds |
File /var/log/apt/term.log.7.gz
Status: | Passed |
---|---|
Duration: | 0.000476 seconds |
File /var/log/apt/term.log.7.gz
Status: | Passed |
---|---|
Duration: | 0.000812 seconds |
File /var/log/apt/term.log.7.gz
Status: | Passed |
---|---|
Duration: | 0.000382 seconds |
File /var/log/apt/term.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.064585 seconds |
File /var/log/apt/term.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000857 seconds |
File /var/log/apt/term.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.00141 seconds |
File /var/log/apt/term.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000501 seconds |
File /var/log/apt/term.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000142 seconds |
File /var/log/apt/term.log.6.gz
Status: | Passed |
---|---|
Duration: | 0.101294 seconds |
File /var/log/apt/term.log.6.gz
Status: | Passed |
---|---|
Duration: | 0.000423 seconds |
File /var/log/apt/term.log.6.gz
Status: | Passed |
---|---|
Duration: | 0.000146 seconds |
File /var/log/apt/term.log.6.gz
Status: | Passed |
---|---|
Duration: | 0.000121 seconds |
File /var/log/apt/term.log.6.gz
Status: | Passed |
---|---|
Duration: | 0.000234 seconds |
File /var/log/apt/history.log.5.gz
Status: | Passed |
---|---|
Duration: | 0.058867 seconds |
File /var/log/apt/history.log.5.gz
Status: | Passed |
---|---|
Duration: | 0.000643 seconds |
File /var/log/apt/history.log.5.gz
Status: | Failed |
---|---|
Duration: | 0.000289 seconds |
File /var/log/apt/history.log.5.gz
Status: | Passed |
---|---|
Duration: | 0.000135 seconds |
File /var/log/apt/history.log.5.gz
Status: | Passed |
---|---|
Duration: | 0.000254 seconds |
File /var/log/apt/history.log.6.gz
Status: | Passed |
---|---|
Duration: | 0.101845 seconds |
File /var/log/apt/history.log.6.gz
Status: | Passed |
---|---|
Duration: | 0.00041 seconds |
File /var/log/apt/history.log.6.gz
Status: | Failed |
---|---|
Duration: | 0.000389 seconds |
File /var/log/apt/history.log.6.gz
Status: | Passed |
---|---|
Duration: | 0.000446 seconds |
File /var/log/apt/history.log.6.gz
Status: | Passed |
---|---|
Duration: | 0.000468 seconds |
File /var/log/apt/term.log.10.gz
Status: | Passed |
---|---|
Duration: | 0.062903 seconds |
File /var/log/apt/term.log.10.gz
Status: | Passed |
---|---|
Duration: | 0.00057 seconds |
File /var/log/apt/term.log.10.gz
Status: | Passed |
---|---|
Duration: | 0.000229 seconds |
File /var/log/apt/term.log.10.gz
Status: | Passed |
---|---|
Duration: | 0.000165 seconds |
File /var/log/apt/term.log.10.gz
Status: | Passed |
---|---|
Duration: | 0.000165 seconds |
File /var/log/apt/history.log
Status: | Passed |
---|---|
Duration: | 0.103681 seconds |
File /var/log/apt/history.log
Status: | Passed |
---|---|
Duration: | 0.000637 seconds |
File /var/log/apt/history.log
Status: | Failed |
---|---|
Duration: | 0.000974 seconds |
File /var/log/apt/history.log
Status: | Passed |
---|---|
Duration: | 0.000494 seconds |
File /var/log/apt/history.log
Status: | Passed |
---|---|
Duration: | 0.000995 seconds |
File /var/log/apt/history.log.7.gz
Status: | Passed |
---|---|
Duration: | 0.060242 seconds |
File /var/log/apt/history.log.7.gz
Status: | Passed |
---|---|
Duration: | 0.000491 seconds |
File /var/log/apt/history.log.7.gz
Status: | Failed |
---|---|
Duration: | 0.00037 seconds |
File /var/log/apt/history.log.7.gz
Status: | Passed |
---|---|
Duration: | 0.000179 seconds |
File /var/log/apt/history.log.7.gz
Status: | Passed |
---|---|
Duration: | 0.000143 seconds |
File /var/log/apt/history.log.9.gz
Status: | Passed |
---|---|
Duration: | 0.103424 seconds |
File /var/log/apt/history.log.9.gz
Status: | Passed |
---|---|
Duration: | 0.000662 seconds |
File /var/log/apt/history.log.9.gz
Status: | Failed |
---|---|
Duration: | 0.001126 seconds |
File /var/log/apt/history.log.9.gz
Status: | Passed |
---|---|
Duration: | 0.001066 seconds |
File /var/log/apt/history.log.9.gz
Status: | Passed |
---|---|
Duration: | 0.000344 seconds |
File /var/log/apt/history.log.12.gz
Status: | Passed |
---|---|
Duration: | 0.059236 seconds |
File /var/log/apt/history.log.12.gz
Status: | Passed |
---|---|
Duration: | 0.000594 seconds |
File /var/log/apt/history.log.12.gz
Status: | Failed |
---|---|
Duration: | 0.000318 seconds |
File /var/log/apt/history.log.12.gz
Status: | Passed |
---|---|
Duration: | 0.000149 seconds |
File /var/log/apt/history.log.12.gz
Status: | Passed |
---|---|
Duration: | 0.000135 seconds |
File /var/log/apt/term.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.1055 seconds |
File /var/log/apt/term.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000878 seconds |
File /var/log/apt/term.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000926 seconds |
File /var/log/apt/term.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000549 seconds |
File /var/log/apt/term.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000313 seconds |
File /var/log/mail.log.1
Status: | Passed |
---|---|
Duration: | 0.057401 seconds |
File /var/log/mail.log.1
Status: | Passed |
---|---|
Duration: | 0.001099 seconds |
File /var/log/mail.log.1
Status: | Passed |
---|---|
Duration: | 0.000431 seconds |
File /var/log/mail.log.1
Status: | Passed |
---|---|
Duration: | 0.000223 seconds |
File /var/log/mail.log.1
Status: | Passed |
---|---|
Duration: | 0.000245 seconds |
File /var/log/mail.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.105181 seconds |
File /var/log/mail.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.001313 seconds |
File /var/log/mail.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.005002 seconds |
File /var/log/mail.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000372 seconds |
File /var/log/mail.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000303 seconds |
File /var/log/daemon.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.059062 seconds |
File /var/log/daemon.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000385 seconds |
File /var/log/daemon.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.00016 seconds |
File /var/log/daemon.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.00011 seconds |
File /var/log/daemon.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000118 seconds |
File /var/log/dpkg.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.059804 seconds |
File /var/log/dpkg.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.00031 seconds |
File /var/log/dpkg.log.4.gz
Status: | Failed |
---|---|
Duration: | 0.000217 seconds |
File /var/log/dpkg.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000106 seconds |
File /var/log/dpkg.log.4.gz
Status: | Passed |
---|---|
Duration: | 9.1e-05 seconds |
File /var/log/btmp
Status: | Passed |
---|---|
Duration: | 0.106614 seconds |
File /var/log/btmp
Status: | Passed |
---|---|
Duration: | 0.00034 seconds |
File /var/log/btmp
Status: | Passed |
---|---|
Duration: | 0.000149 seconds |
File /var/log/btmp
Status: | Passed |
---|---|
Duration: | 0.000116 seconds |
File /var/log/alternatives.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.058609 seconds |
File /var/log/alternatives.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000498 seconds |
File /var/log/alternatives.log.3.gz
Status: | Failed |
---|---|
Duration: | 0.000686 seconds |
File /var/log/alternatives.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000425 seconds |
File /var/log/alternatives.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000195 seconds |
File /var/log/mail.warn.3.gz
Status: | Passed |
---|---|
Duration: | 0.104678 seconds |
File /var/log/mail.warn.3.gz
Status: | Passed |
---|---|
Duration: | 0.000946 seconds |
File /var/log/mail.warn.3.gz
Status: | Passed |
---|---|
Duration: | 0.000241 seconds |
File /var/log/mail.warn.3.gz
Status: | Passed |
---|---|
Duration: | 0.000149 seconds |
File /var/log/mail.warn.3.gz
Status: | Passed |
---|---|
Duration: | 0.000138 seconds |
File /var/log/kern.log
Status: | Passed |
---|---|
Duration: | 0.061114 seconds |
File /var/log/kern.log
Status: | Passed |
---|---|
Duration: | 0.000664 seconds |
File /var/log/kern.log
Status: | Passed |
---|---|
Duration: | 0.000116 seconds |
File /var/log/kern.log
Status: | Passed |
---|---|
Duration: | 8.9e-05 seconds |
File /var/log/kern.log
Status: | Passed |
---|---|
Duration: | 8.7e-05 seconds |
File /var/log/alternatives.log.8.gz
Status: | Passed |
---|---|
Duration: | 0.108019 seconds |
File /var/log/alternatives.log.8.gz
Status: | Passed |
---|---|
Duration: | 0.00055 seconds |
File /var/log/alternatives.log.8.gz
Status: | Failed |
---|---|
Duration: | 0.000496 seconds |
File /var/log/alternatives.log.8.gz
Status: | Passed |
---|---|
Duration: | 0.000316 seconds |
File /var/log/alternatives.log.8.gz
Status: | Passed |
---|---|
Duration: | 0.000167 seconds |
File /var/log/messages.1
Status: | Passed |
---|---|
Duration: | 0.060976 seconds |
File /var/log/messages.1
Status: | Passed |
---|---|
Duration: | 0.00041 seconds |
File /var/log/messages.1
Status: | Passed |
---|---|
Duration: | 0.000127 seconds |
File /var/log/messages.1
Status: | Passed |
---|---|
Duration: | 0.000204 seconds |
File /var/log/messages.1
Status: | Passed |
---|---|
Duration: | 0.000245 seconds |
File /var/log/user.log.1
Status: | Passed |
---|---|
Duration: | 0.103997 seconds |
File /var/log/user.log.1
Status: | Passed |
---|---|
Duration: | 0.000426 seconds |
File /var/log/user.log.1
Status: | Passed |
---|---|
Duration: | 0.000137 seconds |
File /var/log/user.log.1
Status: | Passed |
---|---|
Duration: | 0.000109 seconds |
File /var/log/user.log.1
Status: | Passed |
---|---|
Duration: | 9.5e-05 seconds |
File /var/log/mail.info.2.gz
Status: | Passed |
---|---|
Duration: | 0.058828 seconds |
File /var/log/mail.info.2.gz
Status: | Passed |
---|---|
Duration: | 0.000876 seconds |
File /var/log/mail.info.2.gz
Status: | Passed |
---|---|
Duration: | 0.000201 seconds |
File /var/log/mail.info.2.gz
Status: | Passed |
---|---|
Duration: | 0.000165 seconds |
File /var/log/mail.info.2.gz
Status: | Passed |
---|---|
Duration: | 0.000158 seconds |
File /var/log/fontconfig.log
Status: | Passed |
---|---|
Duration: | 0.10411 seconds |
File /var/log/fontconfig.log
Status: | Passed |
---|---|
Duration: | 0.000974 seconds |
File /var/log/fontconfig.log
Status: | Failed |
---|---|
Duration: | 0.00099 seconds |
File /var/log/fontconfig.log
Status: | Passed |
---|---|
Duration: | 0.002607 seconds |
File /var/log/fontconfig.log
Status: | Passed |
---|---|
Duration: | 0.000239 seconds |
File /var/log/syslog.7.gz
Status: | Passed |
---|---|
Duration: | 0.059548 seconds |
File /var/log/syslog.7.gz
Status: | Passed |
---|---|
Duration: | 0.00051 seconds |
File /var/log/syslog.7.gz
Status: | Passed |
---|---|
Duration: | 0.000257 seconds |
File /var/log/syslog.7.gz
Status: | Passed |
---|---|
Duration: | 0.000223 seconds |
File /var/log/syslog.7.gz
Status: | Passed |
---|---|
Duration: | 0.000214 seconds |
File /var/log/auth.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.107476 seconds |
File /var/log/auth.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.00046 seconds |
File /var/log/auth.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000283 seconds |
File /var/log/auth.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000236 seconds |
File /var/log/auth.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000105 seconds |
File /var/log/syslog.5.gz
Status: | Passed |
---|---|
Duration: | 0.058961 seconds |
File /var/log/syslog.5.gz
Status: | Passed |
---|---|
Duration: | 0.000362 seconds |
File /var/log/syslog.5.gz
Status: | Passed |
---|---|
Duration: | 0.000148 seconds |
File /var/log/syslog.5.gz
Status: | Passed |
---|---|
Duration: | 0.000232 seconds |
File /var/log/syslog.5.gz
Status: | Passed |
---|---|
Duration: | 0.000217 seconds |
File /var/log/mail.err.1
Status: | Passed |
---|---|
Duration: | 0.104135 seconds |
File /var/log/mail.err.1
Status: | Passed |
---|---|
Duration: | 0.000595 seconds |
File /var/log/mail.err.1
Status: | Passed |
---|---|
Duration: | 0.000318 seconds |
File /var/log/mail.err.1
Status: | Passed |
---|---|
Duration: | 0.000255 seconds |
File /var/log/mail.err.1
Status: | Passed |
---|---|
Duration: | 0.000715 seconds |
File /var/log/syslog.4.gz
Status: | Passed |
---|---|
Duration: | 0.056985 seconds |
File /var/log/syslog.4.gz
Status: | Passed |
---|---|
Duration: | 0.00054 seconds |
File /var/log/syslog.4.gz
Status: | Passed |
---|---|
Duration: | 0.00017 seconds |
File /var/log/syslog.4.gz
Status: | Passed |
---|---|
Duration: | 0.000441 seconds |
File /var/log/syslog.4.gz
Status: | Passed |
---|---|
Duration: | 0.000205 seconds |
File /var/log/messages
Status: | Passed |
---|---|
Duration: | 0.102889 seconds |
File /var/log/messages
Status: | Passed |
---|---|
Duration: | 0.000457 seconds |
File /var/log/messages
Status: | Passed |
---|---|
Duration: | 0.000234 seconds |
File /var/log/messages
Status: | Passed |
---|---|
Duration: | 0.000142 seconds |
File /var/log/messages
Status: | Passed |
---|---|
Duration: | 0.000183 seconds |
File /var/log/mail.warn.1
Status: | Passed |
---|---|
Duration: | 0.05941 seconds |
File /var/log/mail.warn.1
Status: | Passed |
---|---|
Duration: | 0.000342 seconds |
File /var/log/mail.warn.1
Status: | Passed |
---|---|
Duration: | 0.000141 seconds |
File /var/log/mail.warn.1
Status: | Passed |
---|---|
Duration: | 0.000114 seconds |
File /var/log/mail.warn.1
Status: | Passed |
---|---|
Duration: | 0.00043 seconds |
File /var/log/dpkg.log.10.gz
Status: | Passed |
---|---|
Duration: | 0.102799 seconds |
File /var/log/dpkg.log.10.gz
Status: | Passed |
---|---|
Duration: | 0.000495 seconds |
File /var/log/dpkg.log.10.gz
Status: | Failed |
---|---|
Duration: | 0.00039 seconds |
File /var/log/dpkg.log.10.gz
Status: | Passed |
---|---|
Duration: | 0.000588 seconds |
File /var/log/dpkg.log.10.gz
Status: | Passed |
---|---|
Duration: | 0.000183 seconds |
File /var/log/alternatives.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.058536 seconds |
File /var/log/alternatives.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000652 seconds |
File /var/log/alternatives.log.2.gz
Status: | Failed |
---|---|
Duration: | 0.000637 seconds |
File /var/log/alternatives.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000326 seconds |
File /var/log/alternatives.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000263 seconds |
File /var/log/kern.log.1
Status: | Passed |
---|---|
Duration: | 0.100624 seconds |
File /var/log/kern.log.1
Status: | Passed |
---|---|
Duration: | 0.000549 seconds |
File /var/log/kern.log.1
Status: | Passed |
---|---|
Duration: | 0.000461 seconds |
File /var/log/kern.log.1
Status: | Passed |
---|---|
Duration: | 0.000179 seconds |
File /var/log/kern.log.1
Status: | Passed |
---|---|
Duration: | 0.000177 seconds |
File /var/log/mail.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.058964 seconds |
File /var/log/mail.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000653 seconds |
File /var/log/mail.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000297 seconds |
File /var/log/mail.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000301 seconds |
File /var/log/mail.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000295 seconds |
File /var/log/alternatives.log.9.gz
Status: | Passed |
---|---|
Duration: | 0.101527 seconds |
File /var/log/alternatives.log.9.gz
Status: | Passed |
---|---|
Duration: | 0.000591 seconds |
File /var/log/alternatives.log.9.gz
Status: | Failed |
---|---|
Duration: | 0.000495 seconds |
File /var/log/alternatives.log.9.gz
Status: | Passed |
---|---|
Duration: | 0.000285 seconds |
File /var/log/alternatives.log.9.gz
Status: | Passed |
---|---|
Duration: | 0.000118 seconds |
File /var/log/daemon.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.05661 seconds |
File /var/log/daemon.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000413 seconds |
File /var/log/daemon.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000147 seconds |
File /var/log/daemon.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000111 seconds |
File /var/log/daemon.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000103 seconds |
File /var/log/auth.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.059012 seconds |
File /var/log/auth.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000884 seconds |
File /var/log/auth.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000515 seconds |
File /var/log/auth.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000296 seconds |
File /var/log/auth.log.2.gz
Status: | Passed |
---|---|
Duration: | 0.000248 seconds |
File /var/log/mail.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.105036 seconds |
File /var/log/mail.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000317 seconds |
File /var/log/mail.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000147 seconds |
File /var/log/mail.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.00046 seconds |
File /var/log/mail.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000102 seconds |
File /var/log/syslog
Status: | Passed |
---|---|
Duration: | 0.061308 seconds |
File /var/log/syslog
Status: | Passed |
---|---|
Duration: | 0.004478 seconds |
File /var/log/syslog
Status: | Passed |
---|---|
Duration: | 0.000427 seconds |
File /var/log/syslog
Status: | Passed |
---|---|
Duration: | 0.000143 seconds |
File /var/log/syslog
Status: | Passed |
---|---|
Duration: | 0.000102 seconds |
File /var/log/messages.4.gz
Status: | Passed |
---|---|
Duration: | 0.061845 seconds |
File /var/log/messages.4.gz
Status: | Passed |
---|---|
Duration: | 0.000326 seconds |
File /var/log/messages.4.gz
Status: | Passed |
---|---|
Duration: | 0.000211 seconds |
File /var/log/messages.4.gz
Status: | Passed |
---|---|
Duration: | 0.000488 seconds |
File /var/log/messages.4.gz
Status: | Passed |
---|---|
Duration: | 0.000243 seconds |
File /var/log/kern.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.060317 seconds |
File /var/log/kern.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000725 seconds |
File /var/log/kern.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000298 seconds |
File /var/log/kern.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.000249 seconds |
File /var/log/kern.log.3.gz
Status: | Passed |
---|---|
Duration: | 0.00058 seconds |
File /var/log/debug.3.gz
Status: | Passed |
---|---|
Duration: | 0.107306 seconds |
File /var/log/debug.3.gz
Status: | Passed |
---|---|
Duration: | 0.000555 seconds |
File /var/log/debug.3.gz
Status: | Passed |
---|---|
Duration: | 0.000275 seconds |
File /var/log/debug.3.gz
Status: | Passed |
---|---|
Duration: | 0.000275 seconds |
File /var/log/debug.3.gz
Status: | Passed |
---|---|
Duration: | 0.000977 seconds |
File /var/log/alternatives.log.7.gz
Status: | Passed |
---|---|
Duration: | 0.108185 seconds |
File /var/log/alternatives.log.7.gz
Status: | Passed |
---|---|
Duration: | 0.001175 seconds |
File /var/log/alternatives.log.7.gz
Status: | Failed |
---|---|
Duration: | 0.001 seconds |
File /var/log/alternatives.log.7.gz
Status: | Passed |
---|---|
Duration: | 0.000382 seconds |
File /var/log/alternatives.log.7.gz
Status: | Passed |
---|---|
Duration: | 0.00026 seconds |
File /var/log/dpkg.log.12.gz
Status: | Passed |
---|---|
Duration: | 0.06138 seconds |
File /var/log/dpkg.log.12.gz
Status: | Passed |
---|---|
Duration: | 0.000501 seconds |
File /var/log/dpkg.log.12.gz
Status: | Failed |
---|---|
Duration: | 0.000439 seconds |
File /var/log/dpkg.log.12.gz
Status: | Passed |
---|---|
Duration: | 0.000329 seconds |
File /var/log/dpkg.log.12.gz
Status: | Passed |
---|---|
Duration: | 0.000335 seconds |
File /var/log/user.log
Status: | Passed |
---|---|
Duration: | 0.111522 seconds |
File /var/log/user.log
Status: | Passed |
---|---|
Duration: | 0.0006 seconds |
File /var/log/user.log
Status: | Passed |
---|---|
Duration: | 0.000891 seconds |
File /var/log/user.log
Status: | Passed |
---|---|
Duration: | 0.000558 seconds |
File /var/log/user.log
Status: | Passed |
---|---|
Duration: | 0.001204 seconds |
File /var/log/cron.log
Status: | Passed |
---|---|
Duration: | 0.059289 seconds |
File /var/log/cron.log
Status: | Passed |
---|---|
Duration: | 0.000437 seconds |
File /var/log/cron.log
Status: | Passed |
---|---|
Duration: | 0.000201 seconds |
File /var/log/cron.log
Status: | Passed |
---|---|
Duration: | 0.000123 seconds |
File /var/log/cron.log
Status: | Passed |
---|---|
Duration: | 0.000118 seconds |
File /var/log/cron.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.10438 seconds |
File /var/log/cron.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000373 seconds |
File /var/log/cron.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000146 seconds |
File /var/log/cron.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000113 seconds |
File /var/log/cron.log.4.gz
Status: | Passed |
---|---|
Duration: | 0.000126 seconds |
File /var/log/alternatives.log.1
Status: | Passed |
---|---|
Duration: | 0.056 seconds |
File /var/log/alternatives.log.1
Status: | Passed |
---|---|
Duration: | 0.000515 seconds |
File /var/log/alternatives.log.1
Status: | Failed |
---|---|
Duration: | 0.000689 seconds |
File /var/log/alternatives.log.1
Status: | Passed |
---|---|
Duration: | 0.000269 seconds |
File /var/log/alternatives.log.1
Status: | Passed |
---|---|
Duration: | 0.000226 seconds |
cis-dil-benchmark-4.3
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure logrotate is configured | ||||
Description: | The system includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageably large. The file /etc/logrotate.d/syslog is the configuration file used to rotate log files created by syslog or rsyslog. Rationale: By keeping the log files smaller and more manageable, a system administrator can easily archive these files to another system and spend less time looking through inordinately large log files. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
cis-dil-benchmark-4.3
Status: | Skipped |
---|---|
Duration: | 9.0e-06 seconds |
cis-dil-benchmark-5.1.1
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure cron daemon is enabled | ||||
Description: | The cron daemon is used to execute batch jobs on the system. Rationale: While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Service cron
Status: | Failed |
---|---|
Duration: | 0.00021 seconds |
Service cron
Status: | Failed |
---|---|
Duration: | 0.000118 seconds |
Service crond
Status: | Failed |
---|---|
Duration: | 0.00018 seconds |
Service crond
Status: | Failed |
---|---|
Duration: | 0.000116 seconds |
cis-dil-benchmark-5.1.2
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure permissions on /etc/crontab are configured | ||||
Description: | The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file. Rationale: This file contains information on what system jobs are run by cron. Write access to these files could provide unprivileged users with the ability to elevate their privileges. Read access to these files could provide users with the ability to gain insight on system jobs that run on the system and could provide them a way to gain unauthorized privileged access. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/crontab
Status: | Passed |
---|---|
Duration: | 0.023863 seconds |
File /etc/crontab
Status: | Failed |
---|---|
Duration: | 0.035942 seconds |
File /etc/crontab
Status: | Passed |
---|---|
Duration: | 0.000615 seconds |
File /etc/crontab
Status: | Passed |
---|---|
Duration: | 0.000393 seconds |
File /etc/crontab
Status: | Failed |
---|---|
Duration: | 0.00043 seconds |
File /etc/crontab
Status: | Passed |
---|---|
Duration: | 0.000289 seconds |
File /etc/crontab
Status: | Passed |
---|---|
Duration: | 0.000247 seconds |
File /etc/crontab
Status: | Passed |
---|---|
Duration: | 0.024715 seconds |
File /etc/crontab
Status: | Passed |
---|---|
Duration: | 0.012489 seconds |
cis-dil-benchmark-5.1.3
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure permissions on /etc/cron.hourly are configured | ||||
Description: | This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/cron.hourly
Status: | Passed |
---|---|
Duration: | 0.024271 seconds |
File /etc/cron.hourly
Status: | Failed |
---|---|
Duration: | 0.03436 seconds |
File /etc/cron.hourly
Status: | Passed |
---|---|
Duration: | 0.000821 seconds |
File /etc/cron.hourly
Status: | Failed |
---|---|
Duration: | 0.001439 seconds |
File /etc/cron.hourly
Status: | Failed |
---|---|
Duration: | 0.000248 seconds |
File /etc/cron.hourly
Status: | Passed |
---|---|
Duration: | 0.000153 seconds |
File /etc/cron.hourly
Status: | Failed |
---|---|
Duration: | 0.000371 seconds |
File /etc/cron.hourly
Status: | Passed |
---|---|
Duration: | 0.009555 seconds |
File /etc/cron.hourly
Status: | Passed |
---|---|
Duration: | 0.005873 seconds |
cis-dil-benchmark-5.1.4
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure permissions on /etc/cron.daily are configured | ||||
Description: | The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/cron.daily
Status: | Passed |
---|---|
Duration: | 0.02405 seconds |
File /etc/cron.daily
Status: | Failed |
---|---|
Duration: | 0.034433 seconds |
File /etc/cron.daily
Status: | Passed |
---|---|
Duration: | 0.000558 seconds |
File /etc/cron.daily
Status: | Failed |
---|---|
Duration: | 0.000209 seconds |
File /etc/cron.daily
Status: | Failed |
---|---|
Duration: | 0.000143 seconds |
File /etc/cron.daily
Status: | Passed |
---|---|
Duration: | 0.00011 seconds |
File /etc/cron.daily
Status: | Failed |
---|---|
Duration: | 0.000176 seconds |
File /etc/cron.daily
Status: | Passed |
---|---|
Duration: | 0.007903 seconds |
File /etc/cron.daily
Status: | Passed |
---|---|
Duration: | 0.008872 seconds |
cis-dil-benchmark-5.1.5
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure permissions on /etc/cron.weekly are configured | ||||
Description: | The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/cron.weekly
Status: | Passed |
---|---|
Duration: | 0.050362 seconds |
File /etc/cron.weekly
Status: | Failed |
---|---|
Duration: | 0.041246 seconds |
File /etc/cron.weekly
Status: | Passed |
---|---|
Duration: | 0.000412 seconds |
File /etc/cron.weekly
Status: | Failed |
---|---|
Duration: | 0.000377 seconds |
File /etc/cron.weekly
Status: | Failed |
---|---|
Duration: | 0.000452 seconds |
File /etc/cron.weekly
Status: | Passed |
---|---|
Duration: | 0.000337 seconds |
File /etc/cron.weekly
Status: | Failed |
---|---|
Duration: | 0.001635 seconds |
File /etc/cron.weekly
Status: | Passed |
---|---|
Duration: | 0.00614 seconds |
File /etc/cron.weekly
Status: | Passed |
---|---|
Duration: | 0.00562 seconds |
cis-dil-benchmark-5.1.6
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure permissions on /etc/cron.monthly are configured | ||||
Description: | The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/cron.monthly
Status: | Passed |
---|---|
Duration: | 0.022637 seconds |
File /etc/cron.monthly
Status: | Failed |
---|---|
Duration: | 0.083233 seconds |
File /etc/cron.monthly
Status: | Passed |
---|---|
Duration: | 0.001229 seconds |
File /etc/cron.monthly
Status: | Failed |
---|---|
Duration: | 0.000423 seconds |
File /etc/cron.monthly
Status: | Failed |
---|---|
Duration: | 0.000242 seconds |
File /etc/cron.monthly
Status: | Passed |
---|---|
Duration: | 0.000178 seconds |
File /etc/cron.monthly
Status: | Failed |
---|---|
Duration: | 0.000138 seconds |
File /etc/cron.monthly
Status: | Passed |
---|---|
Duration: | 0.007138 seconds |
File /etc/cron.monthly
Status: | Passed |
---|---|
Duration: | 0.005355 seconds |
cis-dil-benchmark-5.1.7
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure permissions on /etc/cron.d are configured | ||||
Description: | The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily, weekly and monthly jobs from /etc/crontab, but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory. Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/cron.d
Status: | Passed |
---|---|
Duration: | 0.024334 seconds |
File /etc/cron.d
Status: | Failed |
---|---|
Duration: | 0.035779 seconds |
File /etc/cron.d
Status: | Passed |
---|---|
Duration: | 0.000489 seconds |
File /etc/cron.d
Status: | Failed |
---|---|
Duration: | 0.000363 seconds |
File /etc/cron.d
Status: | Failed |
---|---|
Duration: | 0.000309 seconds |
File /etc/cron.d
Status: | Passed |
---|---|
Duration: | 0.000198 seconds |
File /etc/cron.d
Status: | Failed |
---|---|
Duration: | 0.000172 seconds |
File /etc/cron.d
Status: | Passed |
---|---|
Duration: | 0.010841 seconds |
File /etc/cron.d
Status: | Passed |
---|---|
Duration: | 0.008552 seconds |
cis-dil-benchmark-5.1.8
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure at/cron is restricted to authorized users | ||||
Description: | Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs. Rationale: On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/cron.deny
Status: | Passed |
---|---|
Duration: | 0.048282 seconds |
File /etc/cron.allow
Status: | Failed |
---|---|
Duration: | 0.024372 seconds |
File /etc/cron.allow
Status: | Passed |
---|---|
Duration: | 0.00049 seconds |
File /etc/cron.allow
Status: | Passed |
---|---|
Duration: | 0.000271 seconds |
File /etc/cron.allow
Status: | Passed |
---|---|
Duration: | 0.00036 seconds |
File /etc/cron.allow
Status: | Passed |
---|---|
Duration: | 0.000251 seconds |
File /etc/cron.allow
Status: | Passed |
---|---|
Duration: | 0.000244 seconds |
File /etc/cron.allow
Status: | Passed |
---|---|
Duration: | 0.000234 seconds |
File /etc/cron.allow
Status: | Failed |
---|---|
Duration: | 0.045418 seconds |
File /etc/cron.allow
Status: | Failed |
---|---|
Duration: | 0.009659 seconds |
File /etc/at.deny
Status: | Passed |
---|---|
Duration: | 0.024471 seconds |
File /etc/at.allow
Status: | Failed |
---|---|
Duration: | 0.072155 seconds |
File /etc/at.allow
Status: | Passed |
---|---|
Duration: | 0.000615 seconds |
File /etc/at.allow
Status: | Passed |
---|---|
Duration: | 0.000309 seconds |
File /etc/at.allow
Status: | Passed |
---|---|
Duration: | 0.000267 seconds |
File /etc/at.allow
Status: | Passed |
---|---|
Duration: | 0.000237 seconds |
File /etc/at.allow
Status: | Passed |
---|---|
Duration: | 0.00023 seconds |
File /etc/at.allow
Status: | Passed |
---|---|
Duration: | 0.007476 seconds |
File /etc/at.allow
Status: | Failed |
---|---|
Duration: | 0.05283 seconds |
File /etc/at.allow
Status: | Failed |
---|---|
Duration: | 0.006654 seconds |
cis-dil-benchmark-5.2.1
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure permissions on /etc/ssh/sshd_config are configured (Scored) | ||||
Description: | The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root. Rationale: The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non-privileged users. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/ssh/sshd_config
Status: | Passed |
---|---|
Duration: | 0.028219 seconds |
File /etc/ssh/sshd_config
Status: | Failed |
---|---|
Duration: | 0.004071 seconds |
File /etc/ssh/sshd_config
Status: | Passed |
---|---|
Duration: | 0.000237 seconds |
File /etc/ssh/sshd_config
Status: | Passed |
---|---|
Duration: | 0.000152 seconds |
File /etc/ssh/sshd_config
Status: | Failed |
---|---|
Duration: | 0.000204 seconds |
File /etc/ssh/sshd_config
Status: | Passed |
---|---|
Duration: | 0.000225 seconds |
File /etc/ssh/sshd_config
Status: | Passed |
---|---|
Duration: | 0.000271 seconds |
File /etc/ssh/sshd_config
Status: | Passed |
---|---|
Duration: | 0.004327 seconds |
File /etc/ssh/sshd_config
Status: | Passed |
---|---|
Duration: | 0.005259 seconds |
cis-dil-benchmark-5.2.2
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure permissions on SSH private host key files are configured (Scored) | ||||
Description: | An SSH private key is one of two files used in SSH public key authentication. Rationale: If an unauthorized user obtains the private SSH host key file, the host could be impersonated. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/ssh/ssh_host_ecdsa_key
Status: | Passed |
---|---|
Duration: | 0.101436 seconds |
File /etc/ssh/ssh_host_ecdsa_key
Status: | Passed |
---|---|
Duration: | 0.000577 seconds |
File /etc/ssh/ssh_host_ecdsa_key
Status: | Passed |
---|---|
Duration: | 0.006643 seconds |
File /etc/ssh/ssh_host_ecdsa_key
Status: | Passed |
---|---|
Duration: | 0.00034 seconds |
File /etc/ssh/ssh_host_ecdsa_key
Status: | Passed |
---|---|
Duration: | 0.000114 seconds |
File /etc/ssh/ssh_host_ecdsa_key
Status: | Passed |
---|---|
Duration: | 0.000109 seconds |
File /etc/ssh/ssh_host_ecdsa_key
Status: | Passed |
---|---|
Duration: | 0.010886 seconds |
File /etc/ssh/ssh_host_ecdsa_key
Status: | Passed |
---|---|
Duration: | 0.005026 seconds |
File /etc/ssh/ssh_host_rsa_key
Status: | Passed |
---|---|
Duration: | 0.107072 seconds |
File /etc/ssh/ssh_host_rsa_key
Status: | Passed |
---|---|
Duration: | 0.000534 seconds |
File /etc/ssh/ssh_host_rsa_key
Status: | Passed |
---|---|
Duration: | 0.000479 seconds |
File /etc/ssh/ssh_host_rsa_key
Status: | Passed |
---|---|
Duration: | 0.000222 seconds |
File /etc/ssh/ssh_host_rsa_key
Status: | Passed |
---|---|
Duration: | 0.000137 seconds |
File /etc/ssh/ssh_host_rsa_key
Status: | Passed |
---|---|
Duration: | 0.004569 seconds |
File /etc/ssh/ssh_host_rsa_key
Status: | Passed |
---|---|
Duration: | 0.008242 seconds |
File /etc/ssh/ssh_host_rsa_key
Status: | Passed |
---|---|
Duration: | 0.007068 seconds |
File /etc/ssh/ssh_host_ed25519_key
Status: | Passed |
---|---|
Duration: | 0.073963 seconds |
File /etc/ssh/ssh_host_ed25519_key
Status: | Passed |
---|---|
Duration: | 0.000387 seconds |
File /etc/ssh/ssh_host_ed25519_key
Status: | Passed |
---|---|
Duration: | 0.00045 seconds |
File /etc/ssh/ssh_host_ed25519_key
Status: | Passed |
---|---|
Duration: | 0.004707 seconds |
File /etc/ssh/ssh_host_ed25519_key
Status: | Passed |
---|---|
Duration: | 0.00028 seconds |
File /etc/ssh/ssh_host_ed25519_key
Status: | Passed |
---|---|
Duration: | 0.00018 seconds |
File /etc/ssh/ssh_host_ed25519_key
Status: | Passed |
---|---|
Duration: | 0.005687 seconds |
File /etc/ssh/ssh_host_ed25519_key
Status: | Passed |
---|---|
Duration: | 0.007486 seconds |
File /etc/ssh/ssh_host_dsa_key
Status: | Passed |
---|---|
Duration: | 0.107874 seconds |
File /etc/ssh/ssh_host_dsa_key
Status: | Passed |
---|---|
Duration: | 0.000487 seconds |
File /etc/ssh/ssh_host_dsa_key
Status: | Passed |
---|---|
Duration: | 0.000395 seconds |
File /etc/ssh/ssh_host_dsa_key
Status: | Passed |
---|---|
Duration: | 0.005181 seconds |
File /etc/ssh/ssh_host_dsa_key
Status: | Passed |
---|---|
Duration: | 0.000241 seconds |
File /etc/ssh/ssh_host_dsa_key
Status: | Passed |
---|---|
Duration: | 0.000137 seconds |
File /etc/ssh/ssh_host_dsa_key
Status: | Passed |
---|---|
Duration: | 0.009237 seconds |
File /etc/ssh/ssh_host_dsa_key
Status: | Passed |
---|---|
Duration: | 0.005388 seconds |
cis-dil-benchmark-5.2.3
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure permissions on SSH public host key files are configured (Scored) | ||||
Description: | An SSH public key is one of two files used in SSH public key authentication. Rationale: If a public host key file is modified by an unauthorized user, the SSH service may be compromised. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/ssh/ssh_host_ecdsa_key.pub
Status: | Passed |
---|---|
Duration: | 0.119259 seconds |
File /etc/ssh/ssh_host_ecdsa_key.pub
Status: | Passed |
---|---|
Duration: | 0.000365 seconds |
File /etc/ssh/ssh_host_ecdsa_key.pub
Status: | Passed |
---|---|
Duration: | 0.000209 seconds |
File /etc/ssh/ssh_host_ecdsa_key.pub
Status: | Passed |
---|---|
Duration: | 0.000182 seconds |
File /etc/ssh/ssh_host_ecdsa_key.pub
Status: | Passed |
---|---|
Duration: | 0.000363 seconds |
File /etc/ssh/ssh_host_ecdsa_key.pub
Status: | Passed |
---|---|
Duration: | 0.000171 seconds |
File /etc/ssh/ssh_host_ecdsa_key.pub
Status: | Passed |
---|---|
Duration: | 0.010053 seconds |
File /etc/ssh/ssh_host_ecdsa_key.pub
Status: | Passed |
---|---|
Duration: | 0.00488 seconds |
File /etc/ssh/ssh_host_rsa_key.pub
Status: | Passed |
---|---|
Duration: | 0.056573 seconds |
File /etc/ssh/ssh_host_rsa_key.pub
Status: | Passed |
---|---|
Duration: | 0.000462 seconds |
File /etc/ssh/ssh_host_rsa_key.pub
Status: | Passed |
---|---|
Duration: | 0.000291 seconds |
File /etc/ssh/ssh_host_rsa_key.pub
Status: | Passed |
---|---|
Duration: | 0.002799 seconds |
File /etc/ssh/ssh_host_rsa_key.pub
Status: | Passed |
---|---|
Duration: | 0.000229 seconds |
File /etc/ssh/ssh_host_rsa_key.pub
Status: | Passed |
---|---|
Duration: | 0.003643 seconds |
File /etc/ssh/ssh_host_rsa_key.pub
Status: | Passed |
---|---|
Duration: | 0.006253 seconds |
File /etc/ssh/ssh_host_rsa_key.pub
Status: | Passed |
---|---|
Duration: | 0.005195 seconds |
File /etc/ssh/ssh_host_ed25519_key.pub
Status: | Passed |
---|---|
Duration: | 0.138063 seconds |
File /etc/ssh/ssh_host_ed25519_key.pub
Status: | Passed |
---|---|
Duration: | 0.000661 seconds |
File /etc/ssh/ssh_host_ed25519_key.pub
Status: | Passed |
---|---|
Duration: | 0.000277 seconds |
File /etc/ssh/ssh_host_ed25519_key.pub
Status: | Passed |
---|---|
Duration: | 0.000215 seconds |
File /etc/ssh/ssh_host_ed25519_key.pub
Status: | Passed |
---|---|
Duration: | 0.000221 seconds |
File /etc/ssh/ssh_host_ed25519_key.pub
Status: | Passed |
---|---|
Duration: | 0.000254 seconds |
File /etc/ssh/ssh_host_ed25519_key.pub
Status: | Passed |
---|---|
Duration: | 0.007135 seconds |
File /etc/ssh/ssh_host_ed25519_key.pub
Status: | Passed |
---|---|
Duration: | 0.005771 seconds |
File /etc/ssh/ssh_host_dsa_key.pub
Status: | Passed |
---|---|
Duration: | 0.055787 seconds |
File /etc/ssh/ssh_host_dsa_key.pub
Status: | Passed |
---|---|
Duration: | 0.000609 seconds |
File /etc/ssh/ssh_host_dsa_key.pub
Status: | Passed |
---|---|
Duration: | 0.001266 seconds |
File /etc/ssh/ssh_host_dsa_key.pub
Status: | Passed |
---|---|
Duration: | 0.000295 seconds |
File /etc/ssh/ssh_host_dsa_key.pub
Status: | Passed |
---|---|
Duration: | 0.000267 seconds |
File /etc/ssh/ssh_host_dsa_key.pub
Status: | Passed |
---|---|
Duration: | 0.000117 seconds |
File /etc/ssh/ssh_host_dsa_key.pub
Status: | Passed |
---|---|
Duration: | 0.006248 seconds |
File /etc/ssh/ssh_host_dsa_key.pub
Status: | Passed |
---|---|
Duration: | 0.004676 seconds |
cis-dil-benchmark-5.2.4
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure SSH Protocol is set to 2 (Scored) | ||||
Description: | SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure. Rationale: SSH v1 suffers from insecurities that do not affect SSH v2. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
SSHD Configuration
Status: | Failed |
---|---|
Duration: | 0.001136 seconds |
cis-dil-benchmark-5.2.5
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure SSH LogLevel is appropriate (Scored) | ||||
Description: | INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. Rationale: SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
SSHD Configuration
Status: | Failed |
---|---|
Duration: | 0.00099 seconds |
cis-dil-benchmark-5.2.6
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure SSH X11 forwarding is disabled (Scored) | ||||
Description: | The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. Rationale: Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
SSHD Configuration
Status: | Passed |
---|---|
Duration: | 0.00089 seconds |
cis-dil-benchmark-5.2.7
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure SSH MaxAuthTries is set to 4 or less (Scored) | ||||
Description: | The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure. Rationale: Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
SSHD Configuration
Status: | Failed |
---|---|
Duration: | 0.000604 seconds |
cis-dil-benchmark-5.2.8
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure SSH IgnoreRhosts is enabled (Scored) | ||||
Description: | The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication. Rationale: Setting this parameter forces users to enter a password when authenticating with ssh. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
SSHD Configuration
Status: | Failed |
---|---|
Duration: | 0.000722 seconds |
cis-dil-benchmark-5.2.9
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure SSH HostbasedAuthentication is disabled (Scored) | ||||
Description: | The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the use of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2. Rationale: Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
SSHD Configuration
Status: | Failed |
---|---|
Duration: | 0.000834 seconds |
cis-dil-benchmark-5.2.10
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure SSH root login is disabled (Scored) | ||||
Description: | The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no. Rationale: Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
SSHD Configuration
Status: | Passed |
---|---|
Duration: | 0.000987 seconds |
cis-dil-benchmark-5.2.11
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure SSH PermitEmptyPasswords is disabled (Scored) | ||||
Description: | The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings. Rationale: Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
SSHD Configuration
Status: | Passed |
---|---|
Duration: | 0.00084 seconds |
cis-dil-benchmark-5.2.12
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure SSH PermitUserEnvironment is disabled (Scored) | ||||
Description: | The PermitUserEnvironment option allows users to present environment options to the ssh daemon. Rationale: Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs). | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
SSHD Configuration
Status: | Failed |
---|---|
Duration: | 0.000633 seconds |
cis-dil-benchmark-5.2.13
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure only strong Ciphers are used (Scored) | ||||
Description: | This variable limits the types of ciphers that SSH can use during communication. Rationale: Weak ciphers that are used for authentication to the cryptographic module cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
SSHD Configuration
Status: | Failed |
---|---|
Duration: | 0.000423 seconds |
cis-dil-benchmark-5.2.14
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure only strong MAC algorithms are used (Scored) | ||||
Description: | This variable limits the types of MAC algorithms that SSH can use during communication. Rationale: MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
SSHD Configuration
Status: | Failed |
---|---|
Duration: | 0.000408 seconds |
cis-dil-benchmark-5.2.15
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure only strong Key Exchange algorithms are used (Scored) | ||||
Description: | Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. Rationale: Key exchange methods that are considered weak should be removed. A key exchange method may be weak because too few bits are used, or the hashing algorithm is considered too weak. Using weak algorithms could expose connections to man-in-the-middle attacks. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
SSHD Configuration
Status: | Failed |
---|---|
Duration: | 0.000667 seconds |
cis-dil-benchmark-5.2.16
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure SSH Idle Timeout Interval is configured (Scored) | ||||
Description: | The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time. Rationale: Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
SSHD Configuration
Status: | Failed |
---|---|
Duration: | 0.000929 seconds |
SSHD Configuration
Status: | Failed |
---|---|
Duration: | 0.000198 seconds |
cis-dil-benchmark-5.2.17
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure SSH LoginGraceTime is set to one minute or less (Scored) | ||||
Description: | The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the grace period is, the more open unauthenticated connections can exist. Like other session controls in this session, the grace period should be limited to appropriate organizational limits to ensure the service is available for needed access. Rationale: Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections. While the recommended setting is 60 seconds (1 minute), set the number based on site policy. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
SSHD Configuration
Status: | Failed |
---|---|
Duration: | 0.038299 seconds |
cis-dil-benchmark-5.2.18
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure SSH access is limited (Scored) | ||||
Description: | There are several options available to limit which users and groups can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers: The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of comma separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host. AllowGroups: The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of comma separated group names. Numeric group IDs are not recognized with this variable. DenyUsers: The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of comma separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host. DenyGroups: The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of comma separated group names. Numeric group IDs are not recognized with this variable. Rationale: Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
SSHD Configuration
Status: | Failed |
---|---|
Duration: | 8.9e-05 seconds |
SSHD Configuration
Status: | Failed |
---|---|
Duration: | 5.0e-05 seconds |
SSHD Configuration
Status: | Failed |
---|---|
Duration: | 4.7e-05 seconds |
SSHD Configuration
Status: | Failed |
---|---|
Duration: | 4.5e-05 seconds |
cis-dil-benchmark-5.2.19
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure SSH warning banner is configured (Scored) | ||||
Description: | The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed. Rationale: Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
SSHD Configuration
Status: | Failed |
---|---|
Duration: | 0.00027 seconds |
cis-dil-benchmark-5.2.20
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure SSH PAM is enabled (Scored) | ||||
Description: | UsePAM enables the Pluggable Authentication Module interface. If set to "yes" this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types. Rationale: When UsePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
SSHD Configuration
Status: | Passed |
---|---|
Duration: | 0.000278 seconds |
cis-dil-benchmark-5.2.21
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure SSH AllowTcpForwarding is disabled (Scored) | ||||
Description: | SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications and going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines. Rationale: Leaving port forwarding enabled can expose the organization to security risks and back-doors. SSH connections are protected with strong encryption. This makes their contents invisible to most deployed network monitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for malicious purposes such as data exfiltration. Cybercriminals or malware could exploit SSH to hide their unauthorized communications, or to exfiltrate stolen data from the target network. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
SSHD Configuration
Status: | Failed |
---|---|
Duration: | 0.000278 seconds |
cis-dil-benchmark-5.2.22
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure SSH MaxStartups is configured (Scored) | ||||
Description: | The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Rationale: To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
SSHD Configuration
Status: | Failed |
---|---|
Duration: | 0.000247 seconds |
cis-dil-benchmark-5.2.23
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure SSH MaxSessions is set to 4 or less (Scored) | ||||
Description: | The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection. Rationale: To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
SSHD Configuration
Status: | Failed |
---|---|
Duration: | 0.000239 seconds |
cis-dil-benchmark-5.3.1
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure password creation requirements are configured | ||||
Description: | The pam_cracklib.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_cracklib.so options. * try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password. * retry=3 - Allow 3 tries before sending back a failure. * minlen=14 - password must be 14 characters or more * dcredit=-1 - provide at least one digit * ucredit=-1 - provide at least one uppercase character * ocredit=-1 - provide at least one special character * lcredit=-1 - provide at least one lowercase character The pam_pwquality.so module functions similarly but the minlen, dcredit, ucredit, ocredit, and lcredit parameters are stored in the /etc/security/pwquality.conf file. The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies. Rationale: Strong passwords protect systems from being hacked through brute force methods. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
cis-dil-benchmark-5.3.2
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure lockout for failed password attempts is configured | ||||
Description: | Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration files. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site. Rationale: Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
cis-dil-benchmark-5.3.2
Status: | Skipped |
---|---|
Duration: | 4.0e-06 seconds |
cis-dil-benchmark-5.3.3
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure password reuse is limited | ||||
Description: | The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords. Rationale: Forcing users not to reuse their past 5 passwords makes it less likely that an attacker will be able to guess the password. Note that these changes only apply to accounts configured on the local system. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/pam.d/common-password
Status: | Failed |
---|---|
Duration: | 0.000365 seconds |
File /etc/pam.d/common-password
Status: | Failed |
---|---|
Duration: | 0.00024 seconds |
File /etc/pam.d/system-auth
Status: | Failed |
---|---|
Duration: | 0.000128 seconds |
File /etc/pam.d/system-auth
Status: | Failed |
---|---|
Duration: | 5.4e-05 seconds |
cis-dil-benchmark-5.3.4
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure password hashing algorithm is SHA-512 | ||||
Description: | The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm. Rationale: The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note that these changes only apply to accounts configured on the local system. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/pam.d/common-password
Status: | Passed |
---|---|
Duration: | 4.9e-05 seconds |
cis-dil-benchmark-5.4.1.1
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure password expiration is 365 days or less | ||||
Description: | The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days. Rationale: The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
login.defs
Status: | Failed |
---|---|
Duration: | 0.000538 seconds |
cis-dil-benchmark-5.4.1.2
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure minimum days between password changes is 7 or more | ||||
Description: | The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days. Rationale: By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
login.defs
Status: | Failed |
---|---|
Duration: | 0.000524 seconds |
cis-dil-benchmark-5.4.1.3
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure password expiration warning days is 7 or more | ||||
Description: | The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days. Rationale: Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
login.defs
Status: | Passed |
---|---|
Duration: | 0.000527 seconds |
cis-dil-benchmark-5.4.1.4
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure inactive password lock is 30 days or less | ||||
Description: | User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled. Rationale: Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Command: `useradd -D`
Status: | Failed |
---|---|
Duration: | 0.021673 seconds |
cis-dil-benchmark-5.4.1.5
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure all users last password change date is in the past | ||||
Description: | All users should have a password change date in the past. Rationale: If a user's recorded password change date is in the future then they could bypass any set password expiration. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
cis-dil-benchmark-5.4.2
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure system accounts are secured | ||||
Description: | There are a number of accounts provided with Ubuntu that are used to manage applications and are not intended to provide an interactive shell. Rationale: It is important to make sure that accounts that are not being used by regular users are prevented from being used to provide an interactive shell. By default, Ubuntu sets the password field for these accounts to an invalid string, but it is also recommended that the shell field in the password file be set to /sbin/nologin. This prevents the account from potentially being used to run any commands. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 6.0e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 4.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 4.8e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 2.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 4.4e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 2.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 4.3e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 2.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 4.1e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 2.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 4.4e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 2.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 4.2e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 2.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 4.2e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 4.1e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 2.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 4.0e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 4.4e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 4.1e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 2.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 4.3e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 2.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 4.1e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 4.2e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 2.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 4.1e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 2.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 4.2e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 4.2e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 2.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 4.0e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 2.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 4.0e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 2.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 4.1e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 2.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 4.3e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 2.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 4.1e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 4.1e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 3.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 4.2e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 2.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 4.1e-05 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 2.0e-06 seconds |
/etc/passwd with uid to_i < 1000 one entry
Status: | Passed |
---|---|
Duration: | 0.00011 seconds |
Inspec::Resources::Shadow (Can't read file: /etc/shadow)
Status: | Skipped |
---|---|
Duration: | 2.0e-06 seconds |
cis-dil-benchmark-5.4.3
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure default group for the root account is GID 0 | ||||
Description: | The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user. Rationale: Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
/etc/passwd with user == "root"
Status: | Passed |
---|---|
Duration: | 8.6e-05 seconds |
cis-dil-benchmark-5.4.4
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure default user umask is 027 or more restrictive | ||||
Description: | The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .bashrc, etc.) in their home directories. Rationale: Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/bash.bashrc
Status: | Passed |
---|---|
Duration: | 0.065505 seconds |
File /etc/bash.bashrc
Status: | Failed |
---|---|
Duration: | 0.000664 seconds |
File /etc/profile
Status: | Passed |
---|---|
Duration: | 0.030447 seconds |
File /etc/profile
Status: | Failed |
---|---|
Duration: | 0.000668 seconds |
cis-dil-benchmark-5.4.5
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure default user shell timeout is 900 seconds or less | ||||
Description: | The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds. Rationale: Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/bash.bashrc
Status: | Failed |
---|---|
Duration: | 0.000724 seconds |
File /etc/profile
Status: | Failed |
---|---|
Duration: | 0.000396 seconds |
cis-dil-benchmark-5.5
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Ensure root login is restricted to system console | ||||
Description: | The file /etc/securetty contains a list of valid terminals that may be logged in directly as root. Rationale: Since the system console has special properties to handle emergency situations, it is important to ensure that the console is in a physically secure location and that unauthorized consoles have not been defined. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
cis-dil-benchmark-5.5
Status: | Skipped |
---|---|
Duration: | 6.0e-06 seconds |
cis-dil-benchmark-5.6
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure access to the su command is restricted | ||||
Description: | The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the wheel group to execute su. Rationale: Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/pam.d/su
Status: | Failed |
---|---|
Duration: | 0.032886 seconds |
cis-dil-benchmark-6.1.1
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Audit system file permissions | ||||
Description: | The RPM and Debian package managers have a number of useful options. One of these, the --verify (or -V for RPM) option, can be used to verify that system packages are correctly installed. The --verify option can be used to verify a particular package or to verify all system packages. If no output is returned, the package is installed correctly. The following table describes the meaning of output from the verify option: Code Meaning S File size differs. M File mode differs (includes permissions and file type). 5 The MD5 checksum differs. D The major and minor version numbers differ on a device file. L A mismatch occurs in a link. U The file ownership differs. G The file group owner differs. T The file time (mtime) differs. The `rpm -qf` or `dpkg -S` command can be used to determine which package a particular file belongs to. For example, the following commands determine which package the /bin/bash file belongs to: ```shell-session # rpm -qf /bin/bash bash-4.1.2-29.el6.x86_64 # dpkg -S /bin/bash bash: /bin/bash ``` To verify the settings for the package that controls the /bin/bash file, run the following: ```shell-session # rpm -V bash-4.1.2-29.el6.x86_64 .M....... /bin/bash # dpkg --verify bash ??5?????? c /etc/bash.bashrc ``` Note that you can feed the output of the rpm -qf command to the rpm -V command: ```shell-session # rpm -V `rpm -qf /etc/passwd` .M...... c /etc/passwd S.5....T c /etc/printcap ``` Rationale: It is important to confirm that packaged system files and directories are maintained with the permissions they were intended to have from the OS vendor. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
cis-dil-benchmark-6.1.1
Status: | Skipped |
---|---|
Duration: | 1.4e-05 seconds |
cis-dil-benchmark-6.1.2
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure permissions on /etc/passwd are configured | ||||
Description: | The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate. Rationale: It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/passwd
Status: | Passed |
---|---|
Duration: | 0.024363 seconds |
File /etc/passwd
Status: | Passed |
---|---|
Duration: | 0.010337 seconds |
File /etc/passwd
Status: | Passed |
---|---|
Duration: | 0.005971 seconds |
File /etc/passwd
Status: | Passed |
---|---|
Duration: | 0.000338 seconds |
File /etc/passwd
Status: | Passed |
---|---|
Duration: | 0.000164 seconds |
File /etc/passwd
Status: | Passed |
---|---|
Duration: | 0.000127 seconds |
File /etc/passwd
Status: | Passed |
---|---|
Duration: | 0.000106 seconds |
cis-dil-benchmark-6.1.3
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure permissions on /etc/shadow are configured | ||||
Description: | The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information. Rationale: If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/shadow
Status: | Passed |
---|---|
Duration: | 0.02245 seconds |
File /etc/shadow
Status: | Passed |
---|---|
Duration: | 0.019057 seconds |
File /etc/shadow
Status: | Passed |
---|---|
Duration: | 0.004642 seconds |
File /etc/shadow
Status: | Passed |
---|---|
Duration: | 0.000241 seconds |
cis-dil-benchmark-6.1.4
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure permissions on /etc/group are configured | ||||
Description: | The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else. Rationale: The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but needs to be readable as this information is used with many non-privileged programs. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/group
Status: | Passed |
---|---|
Duration: | 0.047895 seconds |
File /etc/group
Status: | Passed |
---|---|
Duration: | 0.009364 seconds |
File /etc/group
Status: | Passed |
---|---|
Duration: | 0.007331 seconds |
File /etc/group
Status: | Passed |
---|---|
Duration: | 0.000276 seconds |
cis-dil-benchmark-6.1.5
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure permissions on /etc/gshadow are configured | ||||
Description: | The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information. Rationale: If attackers can gain read access to the /etc/gshadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/gshadow file (such as group administrators) could also be useful to subvert the group. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/gshadow
Status: | Passed |
---|---|
Duration: | 0.022843 seconds |
File /etc/gshadow
Status: | Passed |
---|---|
Duration: | 0.045377 seconds |
File /etc/gshadow
Status: | Passed |
---|---|
Duration: | 0.007513 seconds |
File /etc/gshadow
Status: | Passed |
---|---|
Duration: | 0.000505 seconds |
cis-dil-benchmark-6.1.6
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure permissions on /etc/passwd- are configured | ||||
Description: | The /etc/passwd- file contains backup user account information. Rationale: It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/passwd-
Status: | Passed |
---|---|
Duration: | 0.055679 seconds |
File /etc/passwd-
Status: | Failed |
---|---|
Duration: | 0.046914 seconds |
File /etc/passwd-
Status: | Passed |
---|---|
Duration: | 0.008889 seconds |
File /etc/passwd-
Status: | Passed |
---|---|
Duration: | 0.006439 seconds |
cis-dil-benchmark-6.1.7
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure permissions on /etc/shadow- are configured | ||||
Description: | The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information. Rationale: It is critical to ensure that the /etc/shadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/shadow-
Status: | Passed |
---|---|
Duration: | 0.024302 seconds |
File /etc/shadow-
Status: | Passed |
---|---|
Duration: | 0.083945 seconds |
File /etc/shadow-
Status: | Passed |
---|---|
Duration: | 0.008106 seconds |
File /etc/shadow-
Status: | Passed |
---|---|
Duration: | 0.000745 seconds |
cis-dil-benchmark-6.1.8
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure permissions on /etc/group- are configured | ||||
Description: | The /etc/group- file contains a backup list of all the valid groups defined in the system. Rationale: It is critical to ensure that the /etc/group- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/group-
Status: | Passed |
---|---|
Duration: | 0.024407 seconds |
File /etc/group-
Status: | Passed |
---|---|
Duration: | 0.047538 seconds |
File /etc/group-
Status: | Passed |
---|---|
Duration: | 0.008951 seconds |
File /etc/group-
Status: | Passed |
---|---|
Duration: | 0.006064 seconds |
cis-dil-benchmark-6.1.9
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure permissions on /etc/gshadow- are configured | ||||
Description: | The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information. Rationale: It is critical to ensure that the /etc/gshadow- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /etc/gshadow-
Status: | Passed |
---|---|
Duration: | 0.051731 seconds |
File /etc/gshadow-
Status: | Passed |
---|---|
Duration: | 0.04565 seconds |
File /etc/gshadow-
Status: | Passed |
---|---|
Duration: | 0.01052 seconds |
File /etc/gshadow-
Status: | Passed |
---|---|
Duration: | 0.000577 seconds |
cis-dil-benchmark-6.1.10
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure no world writable files exist | ||||
Description: | Unix-based systems support variable settings to control access to files. World writable files are the least secure. See the chmod(2) man page for more information. Rationale: Data in world-writable files can be modified and compromised by any user on the system. World writable files may also indicate an incorrectly written script or program that could potentially be the cause of a larger compromise to the system's integrity. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Command: `df --local -P | awk '{ if (NR!=1) print $6 }' | xargs -I '{}' find '{}' -xdev -type f -perm -0002`
Status: | Passed |
---|---|
Duration: | 44.70461 seconds |
cis-dil-benchmark-6.1.11
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure no unowned files or directories exist | ||||
Description: | Sometimes when administrators delete users from the password file they neglect to remove all files owned by those users from the system. Rationale: A new user who is assigned the deleted user's user ID or group ID may then end up "owning" these files, and thus have more access on the system than was intended. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Command: `df --local -P | awk '{ if (NR!=1) print $6 }' | xargs -I '{}' find '{}' -xdev -nouser`
Status: | Passed |
---|---|
Duration: | 100.164635 seconds |
cis-dil-benchmark-6.1.12
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure no ungrouped files or directories exist | ||||
Description: | Sometimes when administrators delete users or groups from the system they neglect to remove all files owned by those users or groups. Rationale: A new user who is assigned the deleted user's user ID or group ID may then end up "owning" these files, and thus have more access on the system than was intended. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Command: `df --local -P | awk '{ if (NR!=1) print $6 }' | xargs -I '{}' find '{}' -xdev -nogroup`
Status: | Passed |
---|---|
Duration: | 101.260721 seconds |
cis-dil-benchmark-6.1.13
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Audit SUID executables | ||||
Description: | The owner of a file can set the file's permissions to run with the owner's or group's permissions, even if the user running the program is not the owner or a member of the group. The most common reason for a SUID program is to enable users to perform functions (such as changing their password) that require root privileges. Rationale: There are valid reasons for SUID programs, but it is important to identify and review such programs to ensure they are legitimate. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
cis-dil-benchmark-6.1.13
Status: | Skipped |
---|---|
Duration: | 3.8e-05 seconds |
cis-dil-benchmark-6.1.14
Status: | Skipped | ||||
---|---|---|---|---|---|
Title: | Audit SGID executables | ||||
Description: | The owner of a file can set the file's permissions to run with the owner's or group's permissions, even if the user running the program is not the owner or a member of the group. The most common reason for a SGID program is to enable users to perform functions (such as changing their password) that require root privileges. Rationale: There are valid reasons for SGID programs, but it is important to identify and review such programs to ensure they are legitimate. Review the files returned by the action in the audit section and check whether system binaries have a different md5 checksum than the one from the package. This is an indication that the binary may have been replaced. | ||||
Impact: | 0.0 | ||||
Tags: |
|
||||
Source Code: |
cis-dil-benchmark-6.1.14
Status: | Skipped |
---|---|
Duration: | 1.4e-05 seconds |
cis-dil-benchmark-6.2.1
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure password fields are not empty | ||||
Description: | An account with an empty password field means that anybody may log in as that user without providing a password. Rationale: All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
/etc/shadow
Status: | Failed |
---|---|
Duration: | 0.005649 seconds |
cis-dil-benchmark-6.2.2
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure no legacy "+" entries exist in /etc/passwd | ||||
Description: | The + character in various files used to be a marker for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms. Rationale: These entries may provide an avenue for attackers to gain privileged access on the system. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
/etc/passwd
Status: | Passed |
---|---|
Duration: | 0.000775 seconds |
cis-dil-benchmark-6.2.3
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure no legacy "+" entries exist in /etc/shadow | ||||
Description: | The + character in various files used to be a marker for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms. Rationale: These entries may provide an avenue for attackers to gain privileged access on the system. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
/etc/shadow
Status: | Failed |
---|---|
Duration: | 0.000762 seconds |
cis-dil-benchmark-6.2.4
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure no legacy "+" entries exist in /etc/group | ||||
Description: | The + character in various files used to be a marker for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms. Rationale: These entries may provide an avenue for attackers to gain privileged access on the system. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000503 seconds |
cis-dil-benchmark-6.2.5
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure root is the only UID 0 account | ||||
Description: | Any account with UID 0 has superuser privileges on the system. Rationale: This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
/etc/passwd with uid == 0
Status: | Passed |
---|---|
Duration: | 0.000877 seconds |
cis-dil-benchmark-6.2.6
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure root PATH Integrity | ||||
Description: | The root user can execute any command on the system and could be fooled into executing programs unintentionally if the PATH is not set correctly. Rationale: Including the current working directory (.) or other writable directory in root's executable path makes it likely that an attacker can gain superuser access by forcing an administrator operating as root to execute a Trojan horse program. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
["/usr/local/bin", "/usr/bin", "/bin", "/usr/games"]
Status: | Passed |
---|---|
Duration: | 0.008929 seconds |
["/usr/local/bin", "/usr/bin", "/bin", "/usr/games"]
Status: | Passed |
---|---|
Duration: | 0.000271 seconds |
["/usr/local/bin", "/usr/bin", "/bin", "/usr/games"]
Status: | Passed |
---|---|
Duration: | 0.000112 seconds |
File /usr/local/bin
Status: | Passed |
---|---|
Duration: | 0.069897 seconds |
File /usr/local/bin
Status: | Passed |
---|---|
Duration: | 0.024187 seconds |
File /usr/local/bin
Status: | Passed |
---|---|
Duration: | 0.000389 seconds |
File /usr/local/bin
Status: | Passed |
---|---|
Duration: | 0.007523 seconds |
File /usr/bin
Status: | Passed |
---|---|
Duration: | 0.047238 seconds |
File /usr/bin
Status: | Passed |
---|---|
Duration: | 0.025453 seconds |
File /usr/bin
Status: | Passed |
---|---|
Duration: | 0.000613 seconds |
File /usr/bin
Status: | Passed |
---|---|
Duration: | 0.007474 seconds |
File /bin
Status: | Passed |
---|---|
Duration: | 0.075254 seconds |
File /bin
Status: | Passed |
---|---|
Duration: | 0.025339 seconds |
File /bin
Status: | Passed |
---|---|
Duration: | 0.000547 seconds |
File /bin
Status: | Passed |
---|---|
Duration: | 0.009218 seconds |
File /usr/games
Status: | Passed |
---|---|
Duration: | 0.043154 seconds |
File /usr/games
Status: | Passed |
---|---|
Duration: | 0.068068 seconds |
File /usr/games
Status: | Passed |
---|---|
Duration: | 0.000819 seconds |
File /usr/games
Status: | Passed |
---|---|
Duration: | 0.016486 seconds |
cis-dil-benchmark-6.2.7
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure all users' home directories exist | ||||
Description: | Users can be defined in /etc/passwd without a home directory or with a home directory that does not actually exist. Rationale: If the user's home directory does not exist or is unassigned, the user will be placed in "/" and will not be able to write any files or have local environment variables set. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /home/r-goto
Status: | Passed |
---|---|
Duration: | 0.042908 seconds |
cis-dil-benchmark-6.2.8
Status: | Failed | ||||
---|---|---|---|---|---|
Title: | Ensure users' home directories permissions are 750 or more restrictive | ||||
Description: | While the system administrator can establish secure permissions for users' home directories, the users can easily override these. Rationale: Group or world-writable user home directories may enable malicious users to steal or modify other users' data or to gain another user's system privileges. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /home/r-goto
Status: | Passed |
---|---|
Duration: | 0.024583 seconds |
File /home/r-goto
Status: | Passed |
---|---|
Duration: | 0.000565 seconds |
File /home/r-goto
Status: | Failed |
---|---|
Duration: | 0.000747 seconds |
File /home/r-goto
Status: | Passed |
---|---|
Duration: | 0.000277 seconds |
File /home/r-goto
Status: | Failed |
---|---|
Duration: | 0.000345 seconds |
cis-dil-benchmark-6.2.9
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure users own their home directories | ||||
Description: | The user home directory is a space defined for the particular user to set local environment variables and to store personal files. Rationale: Since the user is accountable for files stored in the user home directory, the user must be the owner of the directory. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /home/r-goto
Status: | Passed |
---|---|
Duration: | 0.009156 seconds |
cis-dil-benchmark-6.2.10
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure users' dot files are not group or world writable | ||||
Description: | While the system administrator can establish secure permissions for users' "dot" files, the users can easily override these. Rationale: Group or world-writable user configuration files may enable malicious users to steal or modify other users' data or to gain another user's system privileges. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /home/r-goto/.bash_logout
Status: | Passed |
---|---|
Duration: | 0.1051 seconds |
File /home/r-goto/.bash_logout
Status: | Passed |
---|---|
Duration: | 0.000538 seconds |
File /home/r-goto/.lesshst
Status: | Passed |
---|---|
Duration: | 0.063651 seconds |
File /home/r-goto/.lesshst
Status: | Passed |
---|---|
Duration: | 0.00031 seconds |
File /home/r-goto/.viminfo
Status: | Passed |
---|---|
Duration: | 0.105121 seconds |
File /home/r-goto/.viminfo
Status: | Passed |
---|---|
Duration: | 0.000378 seconds |
File /home/r-goto/.wget-hsts
Status: | Passed |
---|---|
Duration: | 0.063321 seconds |
File /home/r-goto/.wget-hsts
Status: | Passed |
---|---|
Duration: | 0.000335 seconds |
File /home/r-goto/.selected_editor
Status: | Passed |
---|---|
Duration: | 0.071672 seconds |
File /home/r-goto/.selected_editor
Status: | Passed |
---|---|
Duration: | 0.000581 seconds |
File /home/r-goto/.zcompdump
Status: | Passed |
---|---|
Duration: | 0.108691 seconds |
File /home/r-goto/.zcompdump
Status: | Passed |
---|---|
Duration: | 0.000347 seconds |
File /home/r-goto/.zshrc
Status: | Passed |
---|---|
Duration: | 0.061616 seconds |
File /home/r-goto/.zshrc
Status: | Passed |
---|---|
Duration: | 0.000514 seconds |
File /home/r-goto/.profile
Status: | Passed |
---|---|
Duration: | 0.109716 seconds |
File /home/r-goto/.profile
Status: | Passed |
---|---|
Duration: | 0.000619 seconds |
File /home/r-goto/.bash_history
Status: | Passed |
---|---|
Duration: | 0.061144 seconds |
File /home/r-goto/.bash_history
Status: | Passed |
---|---|
Duration: | 0.000653 seconds |
File /home/r-goto/.bashrc
Status: | Passed |
---|---|
Duration: | 0.109665 seconds |
File /home/r-goto/.bashrc
Status: | Passed |
---|---|
Duration: | 0.000471 seconds |
cis-dil-benchmark-6.2.11
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure no users have .forward files | ||||
Description: | The .forward file specifies an email address to forward the user's mail to. Rationale: Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a risk as it can be used to execute commands that may perform unintended actions. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /root/.forward
Status: | Passed |
---|---|
Duration: | 0.023364 seconds |
File /usr/sbin/.forward
Status: | Passed |
---|---|
Duration: | 0.025388 seconds |
File /bin/.forward
Status: | Passed |
---|---|
Duration: | 0.071917 seconds |
File /dev/.forward
Status: | Passed |
---|---|
Duration: | 0.022995 seconds |
File /bin/.forward
Status: | Passed |
---|---|
Duration: | 0.000395 seconds |
File /usr/games/.forward
Status: | Passed |
---|---|
Duration: | 0.02203 seconds |
File /var/cache/man/.forward
Status: | Passed |
---|---|
Duration: | 0.027005 seconds |
File /var/spool/lpd/.forward
Status: | Passed |
---|---|
Duration: | 0.026468 seconds |
File /var/mail/.forward
Status: | Passed |
---|---|
Duration: | 0.066478 seconds |
File /var/spool/news/.forward
Status: | Passed |
---|---|
Duration: | 0.02729 seconds |
File /var/spool/uucp/.forward
Status: | Passed |
---|---|
Duration: | 0.024918 seconds |
File /bin/.forward
Status: | Passed |
---|---|
Duration: | 0.000798 seconds |
File /var/www/.forward
Status: | Passed |
---|---|
Duration: | 0.024619 seconds |
File /var/backups/.forward
Status: | Passed |
---|---|
Duration: | 0.068639 seconds |
File /var/list/.forward
Status: | Passed |
---|---|
Duration: | 0.023731 seconds |
File /var/run/ircd/.forward
Status: | Passed |
---|---|
Duration: | 0.022546 seconds |
File /var/lib/gnats/.forward
Status: | Passed |
---|---|
Duration: | 0.074083 seconds |
File /nonexistent/.forward
Status: | Passed |
---|---|
Duration: | 0.022005 seconds |
File /run/systemd/.forward
Status: | Passed |
---|---|
Duration: | 0.072479 seconds |
File /run/systemd/.forward
Status: | Passed |
---|---|
Duration: | 0.000488 seconds |
File /run/systemd/.forward
Status: | Passed |
---|---|
Duration: | 0.000182 seconds |
File /nonexistent/.forward
Status: | Passed |
---|---|
Duration: | 0.000124 seconds |
File /nonexistent/.forward
Status: | Passed |
---|---|
Duration: | 0.000179 seconds |
File /run/rpcbind/.forward
Status: | Passed |
---|---|
Duration: | 0.025765 seconds |
File /var/lib/nfs/.forward
Status: | Passed |
---|---|
Duration: | 0.024862 seconds |
File /run/sshd/.forward
Status: | Passed |
---|---|
Duration: | 0.068269 seconds |
File /var/run/avahi-daemon/.forward
Status: | Passed |
---|---|
Duration: | 0.023026 seconds |
File //.forward
Status: | Passed |
---|---|
Duration: | 0.022545 seconds |
File /home/r-goto/.forward
Status: | Passed |
---|---|
Duration: | 0.024389 seconds |
File /var/lib/chrony/.forward
Status: | Passed |
---|---|
Duration: | 0.025505 seconds |
File /var/lib/usbmux/.forward
Status: | Passed |
---|---|
Duration: | 0.022849 seconds |
cis-dil-benchmark-6.2.12
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure no users have .netrc files | ||||
Description: | The .netrc file contains data for logging into a remote host for file transfers via FTP. Rationale: The .netrc file presents a significant security risk since it stores passwords in unencrypted form. Even if FTP is disabled, user accounts may have brought over .netrc files from other systems which could pose a risk to those systems. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /root/.netrc
Status: | Passed |
---|---|
Duration: | 0.000176 seconds |
File /usr/sbin/.netrc
Status: | Passed |
---|---|
Duration: | 9.6e-05 seconds |
File /bin/.netrc
Status: | Passed |
---|---|
Duration: | 9.1e-05 seconds |
File /dev/.netrc
Status: | Passed |
---|---|
Duration: | 0.000189 seconds |
File /bin/.netrc
Status: | Passed |
---|---|
Duration: | 0.000237 seconds |
File /usr/games/.netrc
Status: | Passed |
---|---|
Duration: | 0.000346 seconds |
File /var/cache/man/.netrc
Status: | Passed |
---|---|
Duration: | 0.000221 seconds |
File /var/spool/lpd/.netrc
Status: | Passed |
---|---|
Duration: | 0.000194 seconds |
File /var/mail/.netrc
Status: | Passed |
---|---|
Duration: | 0.000236 seconds |
File /var/spool/news/.netrc
Status: | Passed |
---|---|
Duration: | 0.000485 seconds |
File /var/spool/uucp/.netrc
Status: | Passed |
---|---|
Duration: | 8.6e-05 seconds |
File /bin/.netrc
Status: | Passed |
---|---|
Duration: | 8.0e-05 seconds |
File /var/www/.netrc
Status: | Passed |
---|---|
Duration: | 9.2e-05 seconds |
File /var/backups/.netrc
Status: | Passed |
---|---|
Duration: | 8.1e-05 seconds |
File /var/list/.netrc
Status: | Passed |
---|---|
Duration: | 7.7e-05 seconds |
File /var/run/ircd/.netrc
Status: | Passed |
---|---|
Duration: | 7.8e-05 seconds |
File /var/lib/gnats/.netrc
Status: | Passed |
---|---|
Duration: | 8.6e-05 seconds |
File /nonexistent/.netrc
Status: | Passed |
---|---|
Duration: | 6.9e-05 seconds |
File /run/systemd/.netrc
Status: | Passed |
---|---|
Duration: | 6.7e-05 seconds |
File /run/systemd/.netrc
Status: | Passed |
---|---|
Duration: | 7.2e-05 seconds |
File /run/systemd/.netrc
Status: | Passed |
---|---|
Duration: | 6.9e-05 seconds |
File /nonexistent/.netrc
Status: | Passed |
---|---|
Duration: | 7.4e-05 seconds |
File /nonexistent/.netrc
Status: | Passed |
---|---|
Duration: | 7.3e-05 seconds |
File /run/rpcbind/.netrc
Status: | Passed |
---|---|
Duration: | 7.0e-05 seconds |
File /var/lib/nfs/.netrc
Status: | Passed |
---|---|
Duration: | 7.5e-05 seconds |
File /run/sshd/.netrc
Status: | Passed |
---|---|
Duration: | 0.000466 seconds |
File /var/run/avahi-daemon/.netrc
Status: | Passed |
---|---|
Duration: | 0.000126 seconds |
File //.netrc
Status: | Passed |
---|---|
Duration: | 0.000124 seconds |
File /home/r-goto/.netrc
Status: | Passed |
---|---|
Duration: | 0.000127 seconds |
File /var/lib/chrony/.netrc
Status: | Passed |
---|---|
Duration: | 0.000124 seconds |
File /var/lib/usbmux/.netrc
Status: | Passed |
---|---|
Duration: | 0.000131 seconds |
cis-dil-benchmark-6.2.13
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure users' .netrc Files are not group or world accessible | ||||
Description: | While the system administrator can establish secure permissions for users' .netrc files, the users can easily override these. Rationale: .netrc files may contain unencrypted passwords that may be used to attack other systems. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
cis-dil-benchmark-6.2.14
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure no users have .rhosts files | ||||
Description: | While no .rhosts files are shipped by default, users can easily create them. Rationale: This action is only meaningful if .rhosts support is permitted in the file /etc/pam.conf. Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
File /root/.rhosts
Status: | Passed |
---|---|
Duration: | 0.058987 seconds |
File /usr/sbin/.rhosts
Status: | Passed |
---|---|
Duration: | 0.022937 seconds |
File /bin/.rhosts
Status: | Passed |
---|---|
Duration: | 0.024482 seconds |
File /dev/.rhosts
Status: | Passed |
---|---|
Duration: | 0.024125 seconds |
File /bin/.rhosts
Status: | Passed |
---|---|
Duration: | 0.000726 seconds |
File /usr/games/.rhosts
Status: | Passed |
---|---|
Duration: | 0.03386 seconds |
File /var/cache/man/.rhosts
Status: | Passed |
---|---|
Duration: | 0.071468 seconds |
File /var/spool/lpd/.rhosts
Status: | Passed |
---|---|
Duration: | 0.023344 seconds |
File /var/mail/.rhosts
Status: | Passed |
---|---|
Duration: | 0.023955 seconds |
File /var/spool/news/.rhosts
Status: | Passed |
---|---|
Duration: | 0.024469 seconds |
File /var/spool/uucp/.rhosts
Status: | Passed |
---|---|
Duration: | 0.064129 seconds |
File /bin/.rhosts
Status: | Passed |
---|---|
Duration: | 0.000303 seconds |
File /var/www/.rhosts
Status: | Passed |
---|---|
Duration: | 0.026289 seconds |
File /var/backups/.rhosts
Status: | Passed |
---|---|
Duration: | 0.023296 seconds |
File /var/list/.rhosts
Status: | Passed |
---|---|
Duration: | 0.025698 seconds |
File /var/run/ircd/.rhosts
Status: | Passed |
---|---|
Duration: | 0.024622 seconds |
File /var/lib/gnats/.rhosts
Status: | Passed |
---|---|
Duration: | 0.070571 seconds |
File /nonexistent/.rhosts
Status: | Passed |
---|---|
Duration: | 0.024222 seconds |
File /run/systemd/.rhosts
Status: | Passed |
---|---|
Duration: | 0.022771 seconds |
File /run/systemd/.rhosts
Status: | Passed |
---|---|
Duration: | 0.000388 seconds |
File /run/systemd/.rhosts
Status: | Passed |
---|---|
Duration: | 0.000562 seconds |
File /nonexistent/.rhosts
Status: | Passed |
---|---|
Duration: | 0.000135 seconds |
File /nonexistent/.rhosts
Status: | Passed |
---|---|
Duration: | 0.000126 seconds |
File /run/rpcbind/.rhosts
Status: | Passed |
---|---|
Duration: | 0.023312 seconds |
File /var/lib/nfs/.rhosts
Status: | Passed |
---|---|
Duration: | 0.023519 seconds |
File /run/sshd/.rhosts
Status: | Passed |
---|---|
Duration: | 0.075907 seconds |
File /var/run/avahi-daemon/.rhosts
Status: | Passed |
---|---|
Duration: | 0.023665 seconds |
File //.rhosts
Status: | Passed |
---|---|
Duration: | 0.024784 seconds |
File /home/r-goto/.rhosts
Status: | Passed |
---|---|
Duration: | 0.024666 seconds |
File /var/lib/chrony/.rhosts
Status: | Passed |
---|---|
Duration: | 0.069211 seconds |
File /var/lib/usbmux/.rhosts
Status: | Passed |
---|---|
Duration: | 0.025003 seconds |
cis-dil-benchmark-6.2.15
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure all groups in /etc/passwd exist in /etc/group | ||||
Description: | Over time, system administration errors and changes can lead to groups being defined in /etc/passwd but not in /etc/group. Rationale: Groups defined in the /etc/passwd file but not in the /etc/group file pose a threat to system security since group permissions are not properly managed. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.00042 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.00019 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000136 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000128 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000112 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000156 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000122 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000115 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000118 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000128 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000129 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.00018 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000149 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000136 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000149 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000158 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000184 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000139 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000132 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000144 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.00016 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000193 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000132 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000127 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.00019 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000292 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000164 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000138 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000122 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000217 seconds |
/etc/group
Status: | Passed |
---|---|
Duration: | 0.000196 seconds |
cis-dil-benchmark-6.2.16
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure no duplicate UIDs exist | ||||
Description: | Although the useradd program will not let you create a duplicate User ID (UID), it is possible for an administrator to manually edit the /etc/passwd file and change the UID field. Rationale: Users must be assigned unique UIDs for accountability and to ensure appropriate access protections. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Status: | Passed |
---|---|
Duration: | 0.00017 seconds |
cis-dil-benchmark-6.2.17
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure no duplicate GIDs exist | ||||
Description: | Although the groupadd program will not let you create a duplicate Group ID (GID), it is possible for an administrator to manually edit the /etc/group file and change the GID field. Rationale: User groups must be assigned unique GIDs for accountability and to ensure appropriate access protections. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Status: | Passed |
---|---|
Duration: | 0.000107 seconds |
cis-dil-benchmark-6.2.18
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure no duplicate user names exist | ||||
Description: | Although the useradd program will not let you create a duplicate user name, it is possible for an administrator to manually edit the /etc/passwd file and change the user name. Rationale: If a user is assigned a duplicate user name, it will create and have access to files with the first UID for that username in /etc/passwd. For example, if "test4" has a UID of 1000 and a subsequent "test4" entry has a UID of 2000, logging in as "test4" will use UID 1000. Effectively, the UID is shared, which is a security problem. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Status: | Passed |
---|---|
Duration: | 9.3e-05 seconds |
cis-dil-benchmark-6.2.19
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure no duplicate group names exist | ||||
Description: | Although the groupadd program will not let you create a duplicate group name, it is possible for an administrator to manually edit the /etc/group file and change the group name. Rationale: If a group is assigned a duplicate group name, it will create and have access to files with the first GID for that group in /etc/group. Effectively, the GID is shared, which is a security problem. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
Status: | Passed |
---|---|
Duration: | 8.9e-05 seconds |
cis-dil-benchmark-6.2.20
Status: | Passed | ||||
---|---|---|---|---|---|
Title: | Ensure shadow group is empty | ||||
Description: | The shadow group gives system programs that require it the ability to read the /etc/shadow file. No users should be assigned to the shadow group. Rationale: Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts. | ||||
Impact: | 1.0 | ||||
Tags: |
|
||||
Source Code: |
#
Status: | Passed |
---|---|
Duration: | 0.007437 seconds |
Platform Information | |
---|---|
Name: | raspbian |
Release: | 10.13 |
Target: | ssh://r-goto@myCloud:51042 |
Control Statistics | |
---|---|
Passed: | 74 |
Skipped: | 51 |
Failed: | 105 |
Duration: | 266.968935 seconds |
Time Finished: | 2023-12-05 13:22:44 +0900 |