Skip to content

CIS Ubuntu 20.04 Level 2 Workstation Benchmark

Rules and Groups employed by this XCCDF Profile

  • Ensure the audit Subsystem is Installed

    The audit package should be installed.
    Rule Medium Severity
  • Enable auditd Service

    The <code>auditd</code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to...
    Rule Medium Severity
  • Enable Auditing for Processes Which Start Prior to the Audit Daemon

    To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument <code>audit=1</code> to the default GRUB...
    Rule Low Severity
  • Extend Audit Backlog Limit for the Audit Daemon

    To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument <code>audit_backlog_l...
    Rule Low Severity
  • Configure auditd Rules for Comprehensive Auditing

    The <code>auditd</code> program can perform comprehensive monitoring of system activity. This section describes recommended configuration settings ...
    Group
  • Make the auditd Configuration Immutable

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Events that Modify the System's Network Environment

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Attempts to Alter Process and Session Initiation Information

    The audit system already collects process information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>auge...
    Rule Medium Severity
  • Record Events When Privileged Executables Are Run

    Verify the system generates an audit record when privileged functions are executed. If audit is using the "auditctl" tool to load the rules, run t...
    Rule Medium Severity
  • Ensure auditd Collects System Administrator Actions

    At a minimum, the audit system should collect administrator actions for all users and root. If the <code>auditd</code> daemon is configured to use ...
    Rule Medium Severity
  • Record Events that Modify User/Group Information - /etc/group

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Events that Modify User/Group Information - /etc/gshadow

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Events that Modify User/Group Information - /etc/security/opasswd

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Events that Modify User/Group Information - /etc/passwd

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Events that Modify User/Group Information - /etc/shadow

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Events that Modify the System's Discretionary Access Controls

    At a minimum, the audit system should collect file permission changes for all users and root. Note that the "-F arch=b32" lines should be present e...
    Group
  • Record Events that Modify the System's Discretionary Access Controls - chmod

    At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...
    Rule Medium Severity
  • Record Events that Modify the System's Discretionary Access Controls - chown

    At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...
    Rule Medium Severity
  • Record Events that Modify the System's Discretionary Access Controls - fchmod

    At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...
    Rule Medium Severity
  • Record Events that Modify the System's Discretionary Access Controls - fchmodat

    At a minimum, the audit system should collect file permission changes for all users and root. If the <code>auditd</code> daemon is configured to us...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules