Complete CIS feature

[nanory]

What would you like to be added: As of now, there is already a CIS feature but it hasn't been completed yet. It contains references to CIS tests, that we would like to integrate in the Garden Linux build.

Thereby, it is important that these test are executed in the target image (rootfs) instead of executing them on the build system (container).

Why is this needed: This is needed to complete the roadmap goal "Testcases"

[gyptazy]

Ok, I just gave it a short try and executed the OVH/debian-cis test suite on a shiny new kvm-dev image. First, we should discuss which tests we may drop/exclude and create new issues to solve the left ones:

1.1.1.5_disable_squashfs  [ KO ] squashfs is enabled!
1.1.1.5_disable_squashfs  [ KO ] Check Failed
1.1.1.6_disable_udf       [ KO ] udf is enabled!
1.1.1.6_disable_udf       [ KO ] Check Failed
1.1.1.7_restrict_fat      [ KO ] CONFIG_VFAT_FS is enabled!
1.1.1.7_restrict_fat      [ KO ] Check Failed
1.1.10_var_tmp_noexec     [ KO ] /var/tmp is not a partition
1.1.10_var_tmp_noexec     [ KO ] Check Failed
1.1.11_var_log_partition  [ KO ] /var/log is not a partition
1.1.11_var_log_partition  [ KO ] Check Failed
1.1.12_var_log_audit_part [ KO ] /var/log/audit is not a partition
1.1.12_var_log_audit_part [ KO ] Check Failed
1.1.13_home_partition     [ KO ] /home is not a partition
1.1.13_home_partition     [ KO ] Check Failed
1.1.14_home_nodev         [ KO ] /home is not a partition
1.1.14_home_nodev         [ KO ] Check Failed
1.1.15_run_shm_nodev      [ KO ] /dev/shm is not a partition
1.1.15_run_shm_nodev      [ KO ] Check Failed
1.1.16_run_shm_nosuid     [ KO ] /dev/shm is not a partition
1.1.16_run_shm_nosuid     [ KO ] Check Failed
1.1.17_run_shm_noexec     [ KO ] /dev/shm is not a partition
1.1.17_run_shm_noexec     [ KO ] Check Failed
1.1.2_tmp_partition       [ KO ] /tmp is not a partition
1.1.2_tmp_partition       [ KO ] Check Failed
1.1.3_tmp_nodev           [ KO ] /tmp is not a partition
1.1.3_tmp_nodev           [ KO ] Check Failed
1.1.4_tmp_nosuid          [ KO ] /tmp is not a partition
1.1.4_tmp_nosuid          [ KO ] Check Failed
1.1.5_tmp_noexec          [ KO ] /tmp is not a partition
1.1.5_tmp_noexec          [ KO ] Check Failed
1.1.7_var_tmp_partition   [ KO ] /var/tmp is not a partition
1.1.7_var_tmp_partition   [ KO ] Check Failed
1.1.8_var_tmp_nodev       [ KO ] /var/tmp is not a partition
1.1.8_var_tmp_nodev       [ KO ] Check Failed
1.1.9_var_tmp_nosuid      [ KO ] /var/tmp is not a partition
1.1.9_var_tmp_nosuid      [ KO ] Check Failed
1.3.3_logfile_sudo        [ KO ] Defaults log file not found in sudoers files
1.3.3_logfile_sudo        [ KO ] Check Failed
1.4.1_install_tripwire    [ KO ] tripwire is not installed!
1.4.1_install_tripwire    [ KO ] Check Failed
1.4.2_tripwire_cron       [ KO ] tripwire --check is not present in /etc/crontab /etc/cron.d/sysstat
1.4.2_tripwire_cron       [ KO ] Check Failed
1.5.1_bootloader_ownershi [ KO ] Check failed with unexpected exit code: 2
1.5.2_bootloader_password [ KO ] Check failed with unexpected exit code: 2
1.5.3_root_password       [ KO ] ^root:[*\!]: is present in /etc/shadow
1.5.3_root_password       [ KO ] Check Failed
1.6.4_restrict_core_dumps [ KO ] ^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$ is not present in /etc/security/limits.conf 
1.6.4_restrict_core_dumps [ KO ] fs.suid_dumpable was not set to 0
1.6.4_restrict_core_dumps [ KO ] Check Failed
1.7.1.1_install_apparmor  [ KO ] apparmor is absent!
1.7.1.1_install_apparmor  [ KO ] apparmor-utils is absent!
1.7.1.1_install_apparmor  [ KO ] Check Failed
1.7.1.2_enable_apparmor   [ KO ] apparmor is absent!
1.7.1.2_enable_apparmor   [ KO ] apparmor-utils is absent!
1.7.1.2_enable_apparmor   [ KO ] Check Failed
1.7.1.3_enforce_or_compla [ KO ] apparmor is absent!
1.7.1.3_enforce_or_compla [ KO ] apparmor-utils is absent!
1.7.1.3_enforce_or_compla [ KO ] Check Failed
1.7.1.4_enforcing_apparmo [ KO ] apparmor is absent!
1.7.1.4_enforcing_apparmo [ KO ] apparmor-utils is absent!
1.7.1.4_enforcing_apparmo [ KO ] Check Failed
2.2.1.1_use_time_sync     [ KO ] None of the following time sync packages are installed: ntp chrony
2.2.1.1_use_time_sync     [ KO ] Check Failed
2.2.1.3_configure_chrony  [ KO ] Check failed with unexpected exit code: 2
2.2.1.4_configure_ntp     [ KO ] Check failed with unexpected exit code: 2
3.1.1_disable_ipv6        [ KO ] net.ipv6.conf.all.disable_ipv6 was not set to 1
3.1.1_disable_ipv6        [ KO ] net.ipv6.conf.default.disable_ipv6 was not set to 1
3.1.1_disable_ipv6        [ KO ] net.ipv6.conf.lo.disable_ipv6 was not set to 1
3.1.1_disable_ipv6        [ KO ] ipv6 is enabled
3.1.1_disable_ipv6        [ KO ] Check Failed
3.2.1_disable_send_packet [ KO ] net.ipv4.conf.all.send_redirects was not set to 0
3.2.1_disable_send_packet [ KO ] net.ipv4.conf.default.send_redirects was not set to 0
3.2.1_disable_send_packet [ KO ] Check Failed
3.2.2_disable_ip_forwardi [ KO ] net.ipv4.ip_forward was not set to 0
3.2.2_disable_ip_forwardi [ KO ] Check Failed
3.3.1_disable_source_rout [ KO ] net.ipv6.conf.all.disable_ipv6 was not set to 1
3.3.1_disable_source_rout [ KO ] net.ipv6.conf.default.disable_ipv6 was not set to 1
3.3.1_disable_source_rout [ KO ] net.ipv6.conf.lo.disable_ipv6 was not set to 1
3.3.1_disable_source_rout [ KO ] net.ipv6.conf.lo.disable_ipv6 was not set to 1
3.3.1_disable_source_rout [ KO ] net.ipv6.conf.all.disable_ipv6 was not set to 1
3.3.1_disable_source_rout [ KO ] net.ipv6.conf.default.disable_ipv6 was not set to 1
3.3.1_disable_source_rout [ KO ] net.ipv6.conf.lo.disable_ipv6 was not set to 1
3.3.1_disable_source_rout [ KO ] net.ipv6.conf.lo.disable_ipv6 was not set to 1
3.3.1_disable_source_rout [ KO ] net.ipv6.conf.all.disable_ipv6 was not set to 1
3.3.1_disable_source_rout [ KO ] net.ipv6.conf.default.disable_ipv6 was not set to 1
3.3.1_disable_source_rout [ KO ] net.ipv6.conf.lo.disable_ipv6 was not set to 1
3.3.1_disable_source_rout [ KO ] net.ipv6.conf.lo.disable_ipv6 was not set to 1
3.3.1_disable_source_rout [ KO ] net.ipv6.conf.all.disable_ipv6 was not set to 1
3.3.1_disable_source_rout [ KO ] net.ipv6.conf.default.disable_ipv6 was not set to 1
3.3.1_disable_source_rout [ KO ] net.ipv6.conf.lo.disable_ipv6 was not set to 1
3.3.1_disable_source_rout [ KO ] net.ipv6.conf.lo.disable_ipv6 was not set to 1
3.3.1_disable_source_rout [ KO ] Check Failed
3.3.2_disable_icmp_redire [ KO ] net.ipv4.conf.default.accept_redirects was not set to 0
3.3.2_disable_icmp_redire [ KO ] net.ipv6.conf.all.accept_redirects was not set to 0
3.3.2_disable_icmp_redire [ KO ] net.ipv6.conf.default.accept_redirects was not set to 0
3.3.2_disable_icmp_redire [ KO ] Check Failed
3.3.3_disable_secure_icmp [ KO ] net.ipv4.conf.all.secure_redirects was not set to 0
3.3.3_disable_secure_icmp [ KO ] net.ipv4.conf.default.secure_redirects was not set to 0
3.3.3_disable_secure_icmp [ KO ] Check Failed
3.3.4_log_martian_packets [ KO ] net.ipv4.conf.all.log_martians was not set to 1
3.3.4_log_martian_packets [ KO ] net.ipv4.conf.default.log_martians was not set to 1
3.3.4_log_martian_packets [ KO ] Check Failed
3.3.9_disable_ipv6_router [ KO ] net.ipv6.conf.all.disable_ipv6 was not set to 1
3.3.9_disable_ipv6_router [ KO ] net.ipv6.conf.default.disable_ipv6 was not set to 1
3.3.9_disable_ipv6_router [ KO ] net.ipv6.conf.lo.disable_ipv6 was not set to 1
3.3.9_disable_ipv6_router [ KO ] net.ipv6.conf.all.disable_ipv6 was not set to 1
3.3.9_disable_ipv6_router [ KO ] net.ipv6.conf.default.disable_ipv6 was not set to 1
3.3.9_disable_ipv6_router [ KO ] net.ipv6.conf.lo.disable_ipv6 was not set to 1
3.3.9_disable_ipv6_router [ KO ] Check Failed
3.4.1_disable_dccp        [ KO ] dccp is enabled!
3.4.1_disable_dccp        [ KO ] Check Failed
3.4.2_disable_sctp        [ KO ] sctp is enabled!
3.4.2_disable_sctp        [ KO ] Check Failed
3.4.3_disable_rds         [ KO ] rds is enabled!
3.4.3_disable_rds         [ KO ] Check Failed
3.4.4_disable_tipc        [ KO ] tipc is enabled!
3.4.4_disable_tipc        [ KO ] Check Failed
3.5.4.1.1_net_fw_default_ [ KO ] Policy set to ACCEPT for chain INPUT, should be DROP.
3.5.4.1.1_net_fw_default_ [ KO ] Policy set to ACCEPT for chain FORWARD, should be DROP.
3.5.4.1.1_net_fw_default_ [ KO ] Check Failed
4.1.1.3_audit_bootloader  [ KO ] /etc/default/grub does not exist
4.1.1.3_audit_bootloader  [ KO ] Check Failed
4.1.1.4_audit_backlog_lim [ KO ] /etc/default/grub does not exist
4.1.1.4_audit_backlog_lim [ KO ] Check Failed
4.1.10_record_failed_acce [ KO ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is not in file /etc/audit/audit.rules
4.1.10_record_failed_acce [ KO ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is not in file /etc/audit/audit.rules
4.1.10_record_failed_acce [ KO ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is not in file /etc/audit/audit.rules
4.1.10_record_failed_acce [ KO ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is not in file /etc/audit/audit.rules
4.1.10_record_failed_acce [ KO ] Check Failed
4.1.12_record_successful_ [ KO ] -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is not in file /etc/audit/audit.rules
4.1.12_record_successful_ [ KO ] -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is not in file /etc/audit/audit.rules
4.1.12_record_successful_ [ KO ] Check Failed
4.1.13_record_file_deleti [ KO ] -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is not in file /etc/audit/audit.rules
4.1.13_record_file_deleti [ KO ] -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is not in file /etc/audit/audit.rules
4.1.13_record_file_deleti [ KO ] Check Failed
4.1.14_record_sudoers_edi [ KO ] -w /etc/sudoers -p wa -k sudoers is not in file /etc/audit/audit.rules
4.1.14_record_sudoers_edi [ KO ] -w /etc/sudoers.d/ -p wa -k sudoers is not in file /etc/audit/audit.rules
4.1.14_record_sudoers_edi [ KO ] Check Failed
4.1.15_record_sudo_usage  [ KO ] -w /var/log/auth.log -p wa -k sudoaction is not in file /etc/audit/audit.rules
4.1.15_record_sudo_usage  [ KO ] Check Failed
4.1.16_record_kernel_modu [ KO ] -w /sbin/insmod -p x -k modules is not in file /etc/audit/audit.rules
4.1.16_record_kernel_modu [ KO ] -w /sbin/rmmod -p x -k modules is not in file /etc/audit/audit.rules
4.1.16_record_kernel_modu [ KO ] -w /sbin/modprobe -p x -k modules is not in file /etc/audit/audit.rules
4.1.16_record_kernel_modu [ KO ] -a always,exit -F arch=b64 -S init_module -S delete_module -k modules is not in file /etc/audit/audit.rules
4.1.16_record_kernel_modu [ KO ] Check Failed
4.1.17_freeze_auditd_conf [ KO ] -e 2 is not in file /etc/audit/audit.rules
4.1.17_freeze_auditd_conf [ KO ] Check Failed
4.1.2.2_halt_when_audit_l [ KO ] ^space_left_action[[:space:]]*=[[:space:]]*email is not present in /etc/audit/auditd.conf
4.1.2.2_halt_when_audit_l [ KO ] ^admin_space_left_action[[:space:]]*=[[:space:]]*halt is not present in /etc/audit/auditd.conf
4.1.2.2_halt_when_audit_l [ KO ] Check Failed
4.1.2.3_keep_all_audit_lo [ KO ] ^max_log_file_action[[:space:]]*=[[:space:]]*keep_logs is not present in /etc/audit/auditd.conf
4.1.2.3_keep_all_audit_lo [ KO ] Check Failed
4.1.3_record_date_time_ed [ KO ] -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change is not in file /etc/audit/audit.rules
4.1.3_record_date_time_ed [ KO ] -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change is not in file /etc/audit/audit.rules
4.1.3_record_date_time_ed [ KO ] -a always,exit -F arch=b64 -S clock_settime -k time-change is not in file /etc/audit/audit.rules
4.1.3_record_date_time_ed [ KO ] -a always,exit -F arch=b32 -S clock_settime -k time-change is not in file /etc/audit/audit.rules
4.1.3_record_date_time_ed [ KO ] -w /etc/localtime -p wa -k time-change is not in file /etc/audit/audit.rules
4.1.3_record_date_time_ed [ KO ] Check Failed
4.1.4_record_user_group_e [ KO ] -w /etc/group -p wa -k identity is not in file /etc/audit/audit.rules
4.1.4_record_user_group_e [ KO ] -w /etc/passwd -p wa -k identity is not in file /etc/audit/audit.rules
4.1.4_record_user_group_e [ KO ] -w /etc/gshadow -p wa -k identity is not in file /etc/audit/audit.rules
4.1.4_record_user_group_e [ KO ] -w /etc/shadow -p wa -k identity is not in file /etc/audit/audit.rules
4.1.4_record_user_group_e [ KO ] -w /etc/security/opasswd -p wa -k identity is not in file /etc/audit/audit.rules
4.1.4_record_user_group_e [ KO ] Check Failed
4.1.5_record_network_edit [ KO ] -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale is not in file /etc/audit/audit.rules
4.1.5_record_network_edit [ KO ] -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale is not in file /etc/audit/audit.rules
4.1.5_record_network_edit [ KO ] -w /etc/issue -p wa -k system-locale is not in file /etc/audit/audit.rules
4.1.5_record_network_edit [ KO ] -w /etc/issue.net -p wa -k system-locale is not in file /etc/audit/audit.rules
4.1.5_record_network_edit [ KO ] -w /etc/hosts -p wa -k system-locale is not in file /etc/audit/audit.rules
4.1.5_record_network_edit [ KO ] -w /etc/network -p wa -k system-locale is not in file /etc/audit/audit.rules
4.1.5_record_network_edit [ KO ] Check Failed
4.1.6_record_mac_edit     [ KO ] -w /etc/selinux/ -p wa -k MAC-policy is not in file /etc/audit/audit.rules
4.1.6_record_mac_edit     [ KO ] Check Failed
4.1.7_record_login_logout [ KO ] -w /var/log/faillog -p wa -k logins is not in file /etc/audit/audit.rules
4.1.7_record_login_logout [ KO ] -w /var/log/lastlog -p wa -k logins is not in file /etc/audit/audit.rules
4.1.7_record_login_logout [ KO ] -w /var/log/tallylog -p wa -k logins is not in file /etc/audit/audit.rules
4.1.7_record_login_logout [ KO ] Check Failed
4.1.8_record_session_init [ KO ] -w /var/run/utmp -p wa -k session is not in file /etc/audit/audit.rules
4.1.8_record_session_init [ KO ] -w /var/log/wtmp -p wa -k session is not in file /etc/audit/audit.rules
4.1.8_record_session_init [ KO ] -w /var/log/btmp -p wa -k session is not in file /etc/audit/audit.rules
4.1.8_record_session_init [ KO ] Check Failed
4.1.9_record_dac_edit     [ KO ] -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is not in file /etc/audit/audit.rules
4.1.9_record_dac_edit     [ KO ] -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is not in file /etc/audit/audit.rules
4.1.9_record_dac_edit     [ KO ] -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is not in file /etc/audit/audit.rules
4.1.9_record_dac_edit     [ KO ] -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is not in file /etc/audit/audit.rules
4.1.9_record_dac_edit     [ KO ] -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is not in file /etc/audit/audit.rules
4.1.9_record_dac_edit     [ KO ] -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is not in file /etc/audit/audit.rules
4.1.9_record_dac_edit     [ KO ] Check Failed
4.2.1.1_install_syslog-ng [ KO ] syslog-ng is not installed!
4.2.1.1_install_syslog-ng [ KO ] Check Failed
4.2.1.2_enable_syslog-ng  [ KO ] syslog-ng is not installed!
4.2.1.2_enable_syslog-ng  [ KO ] Check Failed
4.2.1.4_syslog_ng_logfile [ KO ] syslog-ng is not installed!
4.2.1.4_syslog_ng_logfile [ KO ] Check Failed
4.2.1.5_syslog-ng_remote_ [ KO ] syslog-ng is not installed!
4.2.1.5_syslog-ng_remote_ [ KO ] Check Failed
4.2.1.6_remote_syslog-ng_ [ KO ] syslog-ng is not installed!
4.2.1.6_remote_syslog-ng_ [ KO ] Check Failed
4.2.2.3_journald_write_pe [ KO ] ^Storage=persistent is not present in /etc/systemd/journald.conf
4.2.2.3_journald_write_pe [ KO ] Check Failed
4.2.3_logs_permissions    [ KO ] /var/log/sysstat/sar15 permissions were not set to 640
4.2.3_logs_permissions    [ KO ] /var/log/sysstat/sa14 permissions were not set to 640
4.2.3_logs_permissions    [ KO ] /var/log/sysstat/sar14 permissions were not set to 640
4.2.3_logs_permissions    [ KO ] /var/log/sysstat/sa15 permissions were not set to 640
4.2.3_logs_permissions    [ KO ] /var/log/sysstat/sa16 permissions were not set to 640
4.2.3_logs_permissions    [ KO ] /var/log/sysstat/sa17 permissions were not set to 640
4.2.3_logs_permissions    [ KO ] /var/log/wtmp permissions were not set to 640
4.2.3_logs_permissions    [ KO ] /var/log/lastlog permissions were not set to 640
4.2.3_logs_permissions    [ KO ] /var/log/btmp permissions were not set to 640
4.2.3_logs_permissions    [ KO ] Check Failed
4.4_logrotate_permissions [ KO ] Logrotate permissions are not configured
4.4_logrotate_permissions [ KO ] Check Failed
5.1.1_enable_cron         [ KO ] cron is not installed!
5.1.1_enable_cron         [ KO ] Check Failed
5.1.2_crontab_perm_owners [ KO ] /etc/crontab permissions were not set to 600
5.1.2_crontab_perm_owners [ KO ] Check Failed
5.1.3_cron_hourly_perm_ow [ KO ] /etc/cron.hourly permissions were not set to 700
5.1.3_cron_hourly_perm_ow [ KO ] Check Failed
5.1.4_cron_daily_perm_own [ KO ] /etc/cron.daily permissions were not set to 700
5.1.4_cron_daily_perm_own [ KO ] Check Failed
5.1.5_cron_weekly_perm_ow [ KO ] /etc/cron.weekly permissions were not set to 700
5.1.5_cron_weekly_perm_ow [ KO ] Check Failed
5.1.6_cron_monthly_perm_o [ KO ] /etc/cron.monthly permissions were not set to 700
5.1.6_cron_monthly_perm_o [ KO ] Check Failed
5.1.7_cron_d_perm_ownersh [ KO ] /etc/cron.d permissions were not set to 700
5.1.7_cron_d_perm_ownersh [ KO ] Check Failed
5.1.8_cron_users          [ KO ] /etc/cron.allow is absent, should exist
5.1.8_cron_users          [ KO ] /etc/at.allow is absent, should exist
5.1.8_cron_users          [ KO ] Check Failed
5.2.11_disable_sshd_permi [ KO ] ^PermitEmptyPasswords[[:space:]]*no is not present in /etc/ssh/sshd_config
5.2.11_disable_sshd_permi [ KO ] Check Failed
5.2.12_disable_sshd_seten [ KO ] ^PermitUserEnvironment[[:space:]]*no is not present in /etc/ssh/sshd_config
5.2.12_disable_sshd_seten [ KO ] Check Failed
5.2.14_ssh_cry_mac        [ KO ] ^MACs[[:space:]]*hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 is not present in /etc/ssh/sshd_config
5.2.14_ssh_cry_mac        [ KO ] Check Failed
5.2.15_ssh_cry_kex        [ KO ] ^KexAlgorithms[[:space:]]*curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 is not present in /etc/ssh/sshd_config
5.2.15_ssh_cry_kex        [ KO ] Check Failed
5.2.16_sshd_idle_timeout  [ KO ] ^ClientAliveInterval[[:space:]]*300 is not present in /etc/ssh/sshd_config
5.2.16_sshd_idle_timeout  [ KO ] Check Failed
5.2.17_sshd_login_grace_t [ KO ] ^LoginGraceTime[[:space:]]*60 is not present in /etc/ssh/sshd_config
5.2.17_sshd_login_grace_t [ KO ] Check Failed
5.2.18_sshd_limit_access  [ KO ] ^AllowUsers[[:space:]]** is not present in /etc/ssh/sshd_config
5.2.18_sshd_limit_access  [ KO ] ^AllowGroups[[:space:]]** is not present in /etc/ssh/sshd_config
5.2.18_sshd_limit_access  [ KO ] ^DenyUsers[[:space:]]*nobody is not present in /etc/ssh/sshd_config
5.2.18_sshd_limit_access  [ KO ] ^DenyGroups[[:space:]]*nobody is not present in /etc/ssh/sshd_config
5.2.18_sshd_limit_access  [ KO ] Check Failed
5.2.19_ssh_banner         [ KO ] ^Banner[[:space:]]* is not present in /etc/ssh/sshd_config
5.2.19_ssh_banner         [ KO ] Check Failed
5.2.1_sshd_conf_perm_owne [ KO ] /etc/ssh/sshd_config permissions were not set to 600
5.2.1_sshd_conf_perm_owne [ KO ] Check Failed
5.2.21_disable_ssh_allow_ [ KO ] ^AllowTCPForwarding[[:space:]]*no is not present in /etc/ssh/sshd_config
5.2.21_disable_ssh_allow_ [ KO ] Check Failed
5.2.22_configure_ssh_max_ [ KO ] ^maxstartups[[:space:]]*10:30:60 is not present in /etc/ssh/sshd_config
5.2.22_configure_ssh_max_ [ KO ] Check Failed
5.2.23_limit_ssh_max_sess [ KO ] ^maxsessions[[:space:]]*10 is not present in /etc/ssh/sshd_config
5.2.23_limit_ssh_max_sess [ KO ] Check Failed
5.2.7_sshd_maxauthtries   [ KO ] ^MaxAuthTries[[:space:]]*4 is not present in /etc/ssh/sshd_config
5.2.7_sshd_maxauthtries   [ KO ] Check Failed
5.3.1_enable_pwquality    [ KO ] libpam-pwquality is not installed!
5.3.1_enable_pwquality    [ KO ] Check Failed
5.3.4_acc_pam_sha512      [ KO ] ^\s*password\s.+\s+pam_unix\.so\s+.*sha512 is not present in /etc/pam.d/common-password
5.3.4_acc_pam_sha512      [ KO ] Check Failed
5.4.1.1_set_password_exp_ [ KO ] ^PASS_MAX_DAYS[[:space:]]*90 is not present in /etc/login.defs
5.4.1.1_set_password_exp_ [ KO ] Check Failed
5.4.1.2_set_password_min_ [ KO ] ^PASS_MIN_DAYS[[:space:]]*7 is not present in /etc/login.defs
5.4.1.2_set_password_min_ [ KO ] Check Failed
5.4.4_default_umask       [ KO ] umask 077 is not present in /etc/bash.bashrc /etc/profile.d /etc/profile
5.4.4_default_umask       [ KO ] Check Failed
5.6_restrict_su           [ KO ] ^auth[[:space:]]*required[[:space:]]*pam_wheel.so is not present in /etc/pam.d/su
5.6_restrict_su           [ KO ] Check Failed
6.1.13_find_suid_files    [ KO ] Some suid files are present
6.1.13_find_suid_files    [ KO ]  /usr/lib/dbus-1.0/dbus-daemon-launch-helper 
6.1.13_find_suid_files    [ KO ] Check Failed
6.1.14_find_sgid_files    [ KO ] Some sgid files are present
6.1.14_find_sgid_files    [ KO ]  /usr/bin/write /usr/lib/systemd-cron/crontab_setgid 
6.1.14_find_sgid_files    [ KO ] Check Failed
stat: cannot statx '/etc/gshadow-': No such file or directory
6.1.3_etc_gshadow-_permis [ KO ] /etc/gshadow- permissions were not set to 640
stat: cannot statx '/etc/gshadow-': No such file or directory
stat: cannot statx '/etc/gshadow-': No such file or directory
stat: cannot statx '/etc/gshadow-': No such file or directory
6.1.3_etc_gshadow-_permis [ KO ] /etc/gshadow- ownership was not set to root:root shadow
6.1.3_etc_gshadow-_permis [ KO ] Check Failed
stat: cannot statx '/etc/passwd-': No such file or directory
6.1.6_etc_passwd-_permiss [ KO ] /etc/passwd- permissions were not set to 600
stat: cannot statx '/etc/passwd-': No such file or directory
6.1.6_etc_passwd-_permiss [ KO ] /etc/passwd- ownership was not set to root:root
6.1.6_etc_passwd-_permiss [ KO ] Check Failed
stat: cannot statx '/etc/shadow-': No such file or directory
6.1.7_etc_shadow-_permiss [ KO ] /etc/shadow- permissions were not set to 600
stat: cannot statx '/etc/shadow-': No such file or directory
6.1.7_etc_shadow-_permiss [ KO ] /etc/shadow- ownership was not set to root:shadow
6.1.7_etc_shadow-_permiss [ KO ] Check Failed
stat: cannot statx '/etc/group-': No such file or directory
6.1.8_etc_group-_permissi [ KO ] /etc/group- permissions were not set to 600
stat: cannot statx '/etc/group-': No such file or directory
6.1.8_etc_group-_permissi [ KO ] /etc/group- ownership was not set to root:root
6.1.8_etc_group-_permissi [ KO ] Check Failed

6.2.8_check_user_dir_perm [ KO ] Other Read permission set on directory /home/dev
6.2.8_check_user_dir_perm [ KO ] Other Execute permission set on directory /home/dev
6.2.8_check_user_dir_perm [ KO ] Check Failed

99.1.1.23_disable_usb_dev [ KO ] ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0" is not present in /etc/udev/rules.d
99.1.1.23_disable_usb_dev [ KO ] Check Failed
99.3.3.1_install_tcp_wrap [ KO ] tcpd is not installed!
99.3.3.1_install_tcp_wrap [ KO ] Check Failed
99.3.3.3_hosts_deny       [ KO ] ALL: ALL is not present in /etc/hosts.deny, we have to deny everything
99.3.3.3_hosts_deny       [ KO ] Check Failed
99.5.2.1_ssh_auth_pubk_on [ KO ] ^PubkeyAuthentication[[:space:]]+yes is not present in /etc/ssh/sshd_config
99.5.2.1_ssh_auth_pubk_on [ KO ] ^PasswordAuthentication[[:space:]]+no is not present in /etc/ssh/sshd_config
99.5.2.1_ssh_auth_pubk_on [ KO ] ^KbdInteractiveAuthentication[[:space:]]+no is not present in /etc/ssh/sshd_config
99.5.2.1_ssh_auth_pubk_on [ KO ] ^KerberosAuthentication[[:space:]]+no is not present in /etc/ssh/sshd_config
99.5.2.1_ssh_auth_pubk_on [ KO ] ^ChallengeResponseAuthentication[[:space:]]+no is not present in /etc/ssh/sshd_config
99.5.2.1_ssh_auth_pubk_on [ KO ] ^GSSAPIAuthentication[[:space:]]+no is not present in /etc/ssh/sshd_config
99.5.2.1_ssh_auth_pubk_on [ KO ] ^GSSAPIKeyExchange[[:space:]]+no is not present in /etc/ssh/sshd_config
99.5.2.1_ssh_auth_pubk_on [ KO ] Check Failed
99.5.2.2_ssh_cry_rekey    [ KO ] ^RekeyLimit[[:space:]]*512M\s+6h is not present in /etc/ssh/sshd_config
99.5.2.2_ssh_cry_rekey    [ KO ] Check Failed
99.5.2.3_ssh_disable_feat [ KO ] ^AllowAgentForwarding[[:space:]]*no is not present in /etc/ssh/sshd_config
99.5.2.3_ssh_disable_feat [ KO ] ^AllowTcpForwarding[[:space:]]*no is not present in /etc/ssh/sshd_config
99.5.2.3_ssh_disable_feat [ KO ] ^AllowStreamLocalForwarding[[:space:]]*no is not present in /etc/ssh/sshd_config
99.5.2.3_ssh_disable_feat [ KO ] ^PermitTunnel[[:space:]]*no is not present in /etc/ssh/sshd_config
99.5.2.3_ssh_disable_feat [ KO ] ^PermitUserRC[[:space:]]*no is not present in /etc/ssh/sshd_config
99.5.2.3_ssh_disable_feat [ KO ] ^GatewayPorts[[:space:]]*no is not present in /etc/ssh/sshd_config
99.5.2.3_ssh_disable_feat [ KO ] Check Failed
99.5.2.4_ssh_keys_from    [ KO ] There are anywhere access keys in /home/dev/.ssh/authorized_keys at lines (1 3).
99.5.2.4_ssh_keys_from    [ KO ] Check Failed
99.5.2.6_ssh_sys_accept_e [ KO ] ^\s*AcceptEnv\s+LANG LC_\* is not present in /etc/ssh/sshd_config
99.5.2.6_ssh_sys_accept_e [ KO ] Check Failed
99.5.2.8_ssh_sys_sandbox  [ KO ] ^UsePrivilegeSeparation[[:space:]]*sandbox is not present in /etc/ssh/sshd_config
99.5.2.8_ssh_sys_sandbox  [ KO ] Check Failed
99.99_check_distribution  [ KO ] Your distribution is too recent and is not yet supported.
99.99_check_distribution  [ KO ] Check Failed

[gyptazy]

To proceed on this we need to solve:

1. gardenlinux/gardenlinux#683
2. gardenlinux/gardenlinux#682
3. gardenlinux/gardenlinux#647

A first draft PR for gardenlinux/gardenlinux#683 and gardenlinux/gardenlinux#682 will be attached this evening.

[gyptazy]

The issue is still blocked by:

1. gardenlinux/gardenlinux#683
2. gardenlinux/gardenlinux#682 However, the related PR gardenlinux/gardenlinux#684 is ready for review. After merge, the work on this issue can be proceeded.

[gyptazy]

The mentioned issues are ready to merge and already approved. However, there's a new discussion for the integration of unit tests and wether to keep them or not. This could result in a change to integration tests. Probably we will know more tomorrow in the noon.

Next to this, we have just 1 warning and 40 suggestions left.

Warning

• No iptables rules active

Suggestions

  * Consider hardening system services [BOOT-5264] 
    - Details  : Run '/usr/bin/systemd-analyze security SERVICE' for each service
      https://cisofy.com/lynis/controls/BOOT-5264/

  * Determine why /vmlinuz or /boot/vmlinuz is missing on this Debian/Ubuntu system. [KRNL-5788] 
    - Details  : /vmlinuz or /boot/vmlinuz
      https://cisofy.com/lynis/controls/KRNL-5788/

  * If not required, consider explicit disabling of core dump in /etc/security/limits.conf file [KRNL-5820] 
      https://cisofy.com/lynis/controls/KRNL-5820/

  * Configure password hashing rounds in /etc/login.defs [AUTH-9230] 
      https://cisofy.com/lynis/controls/AUTH-9230/

  * Look at the locked accounts and consider removing them [AUTH-9284] 
      https://cisofy.com/lynis/controls/AUTH-9284/

  * Configure minimum password age in /etc/login.defs [AUTH-9286] 
      https://cisofy.com/lynis/controls/AUTH-9286/

  * Configure maximum password age in /etc/login.defs [AUTH-9286] 
      https://cisofy.com/lynis/controls/AUTH-9286/

  * To decrease the impact of a full /home file system, place /home on a separate partition [FILE-6310] 
      https://cisofy.com/lynis/controls/FILE-6310/

  * To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310] 
      https://cisofy.com/lynis/controls/FILE-6310/

  * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [USB-1000] 
      https://cisofy.com/lynis/controls/USB-1000/

  * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] 
      https://cisofy.com/lynis/controls/STRG-1846/

  * Check DNS configuration for the dns domain name [NAME-4028] 
      https://cisofy.com/lynis/controls/NAME-4028/

  * Split resolving between localhost and the hostname of the system [NAME-4406] 
      https://cisofy.com/lynis/controls/NAME-4406/

  * Install debsums utility for the verification of packages with known good database. [PKGS-7370] 
      https://cisofy.com/lynis/controls/PKGS-7370/

  * Install package apt-show-versions for patch management purposes [PKGS-7394] 
      https://cisofy.com/lynis/controls/PKGS-7394/

  * Consider using a tool to automatically apply upgrades [PKGS-7420] 
      https://cisofy.com/lynis/controls/PKGS-7420/

  * Determine if protocol 'dccp' is really needed on this system [NETW-3200] 
      https://cisofy.com/lynis/controls/NETW-3200/

  * Determine if protocol 'sctp' is really needed on this system [NETW-3200] 
      https://cisofy.com/lynis/controls/NETW-3200/

  * Determine if protocol 'rds' is really needed on this system [NETW-3200] 
      https://cisofy.com/lynis/controls/NETW-3200/

  * Determine if protocol 'tipc' is really needed on this system [NETW-3200] 
      https://cisofy.com/lynis/controls/NETW-3200/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : AllowTcpForwarding (set YES to NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : ClientAliveInterval (set 600 to 300)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : Compression (set YES to NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : MaxAuthTries (set 6 to 3)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : MaxSessions (set 10 to 2)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : Port (set 22 to )
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : TCPKeepAlive (set YES to NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : AllowAgentForwarding (set YES to NO)
      https://cisofy.com/lynis/controls/SSH-7408/

  * Enable logging to an external logging host for archiving purposes and additional protection [LOGG-2154] 
      https://cisofy.com/lynis/controls/LOGG-2154/

  * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] 
      https://cisofy.com/lynis/controls/BANN-7126/

  * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] 
      https://cisofy.com/lynis/controls/BANN-7130/

  * Enable process accounting [ACCT-9622] 
      https://cisofy.com/lynis/controls/ACCT-9622/

  * Enable sysstat to collect accounting (disabled) [ACCT-9626] 
      https://cisofy.com/lynis/controls/ACCT-9626/

  * Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules [ACCT-9630] 
      https://cisofy.com/lynis/controls/ACCT-9630/

  * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350] 
      https://cisofy.com/lynis/controls/FINT-4350/

  * Determine if automation tools are present for system management [TOOL-5002] 
      https://cisofy.com/lynis/controls/TOOL-5002/

  * Consider restricting file permissions [FILE-7524] 
    - Details  : See screen output or log file
    - Solution : Use chmod to change file permissions
      https://cisofy.com/lynis/controls/FILE-7524/

  * Double check the permissions of home directories as some might be not strict enough. [HOME-9304] 
      https://cisofy.com/lynis/controls/HOME-9304/

  * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] 
    - Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)
      https://cisofy.com/lynis/controls/KRNL-6000/

  * Harden compilers like restricting access to root user only [HRDN-7222] 
      https://cisofy.com/lynis/controls/HRDN-7222/

Maybe we should integrate a default policy / ruleset for iptables. If desired we can whitelist this issue. The suggestions may be fixed but won't result in any further warnings/erros. (Tested with Lynis 3.0.7)

[gyptazy]

With my PR in gardenlinux/gardenlinux#760 I already integrated the Debian-CIS check with a PyTest Wrapper and made several changes to be CIS compliant. All information are based on (files can be accessed on https://downloads.cisecurity.org/):

• CIS_Debian_Linux_10_Benchmark_v1.0.0.pdf
• CIS_CentOS_Linux_8_Benchmark_v2.0.0.pdf

Still left for further discussion are:

Filesystems

Partition Layout

Regarding the docs we should create separate partitions for:

• /tmp
• /var/tmp
• /var/log
• /var/log/audit
• /home

While this makes sense (e.g. a full root fs or application stack wouldn't bother any security related logs from being written) this intercepts with out concept for cloud images. Next to it, it would make sense to extend the mentioned partitions to have them usable (e.g. enough space for writing logs) which would intercept our concept of small images again. We need to decide if we will whitelist these checks or if we want to go this way when the CIS feature is used.

Current state: Whitelisted ❌

Partition Options

While this only makes sense when having separate partitions further options should be applied. We should apply nodev, noexec, nosuid options in the above mentioned partitions. This can be applied when we want to create separate ones or it needs to be whitelisted.

Current state: Whitelisted ❌

Mandatory Access Control

Access Control is a mandatory part of CIS. While the given checks of DebianCIS use AppArmor (default for Debian), other docs state other ones like SeLinux on CentOS. These chapters are described in detail in chapter 1.7 for Debian Linux (AppArmor) and chapter 1.6 for CentOS (SeLinux). While the Debian docs already describe that AppArmor is the default one in Debian but there also other ones exist (e.g. SELinux) and Garden Linux already integrates SELinux, we probably may use SELinux instead. This should be discussed and if SELinux is the way to go, we should create additional tests for an equal framework in DebianCIS.

Current state: Whitelisted (Need to create additional test for SELinux) ❌

Root Password

We may not deliver the artifact without a root password set. Therefore, we should discuss a way how to solve this. Probably, the easiest way would be by defining a random one within the CIS feature and print it after building the artifact on stdout. Note: The generated password must be SHA512 hashed.

Current state: Not implemented (test will fail) ❌

Firewall

We need to provide a firewall service. However, this means that the default policy for INPUT and FORWARD chains should be changed from ALLOW to DROP. With the CIS feature we will introduce a basic firewall service called Garden Linux CIS Firewall. In default, only tcp/22 (SSH) and tcp/2222+2223 (SSH unit tests), as well as state/related+established are allowed. This should fulfill the needs and still allow external access to the image.

Current state: Implemented ✅

Logging

While DebianCIS validated for further configuration on syslog-ng this feature integrates this service (chapter 4.2.2). However, this shouldn't be a big deal and works coexisted to journalctl. Keep in mind that the local operator needs to adjust the configs (e.g. remote syslog server) for his needs on his own. Furthermore, journalctl logs are persistent, now.

Current state: Implemented ✅

Filesystem Integrity Checking

A further part is filesystem integrity checking which is in DebianCIS done by Tripwire. While this seems easy to configure and use it comes with a dependency to libdb (BerkleyDB) which we avoid to use. However, the chapter 1.4 describes that the filesystem integrity must be checked and we may use something else like AIDE or maybe Samhein. This needs to be evaluated for their dependencies. While these ones can not prevent intrusions, they still can detect unauthorized changes to configuration files by alerting when the files are changed. Keep Tripwire with libdb dependency or validate for something similar.

Current state: Whitelisted ❌

Other Checks

All other checks have no priority to be mentioned here. Therefore, they're already integrated.

Handling out of CIS

General

By using CIS feature in Garden Linux we need to ensure that the included changes will still have the highest priority and won't be overwritten by any other feature at build time. Therefore, we need to validate how to apply all changes (appending configs, editing key/vlaues by given configs), adding files for dropin directories etc.. This shows how important the CIS PyTests are to ensure that the final artifact will be CIS complaint.

Other Unit Tests

We need to create a feature to avoid failing regular unit tests when running with CIS feature. This could happen when changing cipher suites for services like SSHd.

[gyptazy]

With merging PR gardenlinux/gardenlinux#771 the first iteration of the new CIS feature got merged. However, this is still WIP. As a result, the following tasks still needs to be done:

• [x] gardenlinux/gardenlinux#782
• [x] gardenlinux/gardenlinux#783
• [x] gardenlinux/gardenlinux#784
• [x] gardenlinux/gardenlinux#785
• [x] gardenlinux/gardenlinux#786
• [x] gardenlinux/gardenlinux#787
• [x] gardenlinux/gardenlinux#823
• [x] gardenlinux/gardenlinux#838
• [x] gardenlinux/gardenlinux#842
• [x] gardenlinux/gardenlinux#912
• [x] gardenlinux/gardenlinux#913
• [x] gardenlinux/gardenlinux#937
• [x] gardenlinux/gardenlinux#939
• [x] gardenlinux/gardenlinux#943
• [x] gardenlinux/gardenlinux#946
• [ ] gardenlinux/gardenlinux#993
• [ ] gardenlinux/gardenlinux-backlog#29

Next to this, we should adjust the Debian_CIS class for unit tests where vars (options) should be sourced from a config file (probably YAML). This has a low priority and will be done in gardenlinux/gardenlinux#788.

[gyptazy]

SELinux is now running in enforcing mode. With this change, we pass all tests. However, there's still a bug for system-resolvd, which'll be fixed in gardenlinux/gardenlinux#993

1.1.1.1_disable_freevxfs  [INFO] Working on 1.1.1.1_disable_freevxfs
1.1.1.1_disable_freevxfs  [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems.
1.1.1.1_disable_freevxfs  [INFO] Checking Configuration
1.1.1.1_disable_freevxfs  [INFO] Performing audit
1.1.1.1_disable_freevxfs  [ OK ] freevxfs is disabled
1.1.1.1_disable_freevxfs  [ OK ] Check Passed
1.1.1.2_disable_jffs2     [INFO] Working on 1.1.1.2_disable_jffs2
1.1.1.2_disable_jffs2     [INFO] [DESCRIPTION] Disable mounting of jffs2 filesystems.
1.1.1.2_disable_jffs2     [INFO] Checking Configuration
1.1.1.2_disable_jffs2     [INFO] Performing audit
1.1.1.2_disable_jffs2     [ OK ] jffs2 is disabled
1.1.1.2_disable_jffs2     [ OK ] Check Passed
1.1.1.3_disable_hfs       [INFO] Working on 1.1.1.3_disable_hfs
1.1.1.3_disable_hfs       [INFO] [DESCRIPTION] Disable mounting of hfs filesystems.
1.1.1.3_disable_hfs       [INFO] Checking Configuration
1.1.1.3_disable_hfs       [INFO] Performing audit
1.1.1.3_disable_hfs       [ OK ] hfs is disabled
1.1.1.3_disable_hfs       [ OK ] Check Passed
1.1.1.4_disable_hfsplus   [INFO] Working on 1.1.1.4_disable_hfsplus
1.1.1.4_disable_hfsplus   [INFO] [DESCRIPTION] Disable mounting of hfsplus filesystems.
1.1.1.4_disable_hfsplus   [INFO] Checking Configuration
1.1.1.4_disable_hfsplus   [INFO] Performing audit
1.1.1.4_disable_hfsplus   [ OK ] hfsplus is disabled
1.1.1.4_disable_hfsplus   [ OK ] Check Passed
1.1.1.5_disable_squashfs  [INFO] Working on 1.1.1.5_disable_squashfs
1.1.1.5_disable_squashfs  [INFO] [DESCRIPTION] Disable mounting of squashfs filesytems.
1.1.1.5_disable_squashfs  [INFO] Checking Configuration
1.1.1.5_disable_squashfs  [INFO] Performing audit
1.1.1.5_disable_squashfs  [ OK ] squashfs is disabled
1.1.1.5_disable_squashfs  [ OK ] Check Passed
1.1.1.6_disable_udf       [INFO] Working on 1.1.1.6_disable_udf
1.1.1.6_disable_udf       [INFO] [DESCRIPTION] Disable mounting of udf filesystems.
1.1.1.6_disable_udf       [INFO] Checking Configuration
1.1.1.6_disable_udf       [INFO] Performing audit
1.1.1.6_disable_udf       [ OK ] udf is disabled
1.1.1.6_disable_udf       [ OK ] Check Passed
1.1.1.7_restrict_fat      [INFO] Working on 1.1.1.7_restrict_fat
1.1.1.7_restrict_fat      [INFO] [DESCRIPTION] Limit mounting of FAT filesystems.
1.1.1.7_restrict_fat      [INFO] 1.1.1.7_restrict_fat is disabled, ignoring
1.1.10_var_tmp_noexec     [INFO] Working on 1.1.10_var_tmp_noexec
1.1.10_var_tmp_noexec     [INFO] [DESCRIPTION] /var/tmp partition with noexec option.
1.1.10_var_tmp_noexec     [INFO] Checking Configuration
1.1.10_var_tmp_noexec     [INFO] Performing audit
1.1.10_var_tmp_noexec     [INFO] Verifying that /var/tmp is a partition
1.1.10_var_tmp_noexec     [ OK ] /var/tmp is a partition
1.1.10_var_tmp_noexec     [ OK ] /var/tmp has noexec in fstab
1.1.10_var_tmp_noexec     [ OK ] /var/tmp mounted with noexec
1.1.10_var_tmp_noexec     [ OK ] Check Passed
1.1.11_var_log_partition  [INFO] Working on 1.1.11_var_log_partition
1.1.11_var_log_partition  [INFO] [DESCRIPTION] /var/log on separate partition.
1.1.11_var_log_partition  [INFO] Checking Configuration
1.1.11_var_log_partition  [INFO] Performing audit
1.1.11_var_log_partition  [INFO] Verifying that /var/log is a partition
1.1.11_var_log_partition  [ OK ] /var/log is a partition
1.1.11_var_log_partition  [ OK ] /var/log is mounted
1.1.11_var_log_partition  [ OK ] Check Passed
1.1.12_var_log_audit_part [INFO] Working on 1.1.12_var_log_audit_partition
1.1.12_var_log_audit_part [INFO] [DESCRIPTION] /var/log/audit on a separate partition.
1.1.12_var_log_audit_part [INFO] Checking Configuration
1.1.12_var_log_audit_part [INFO] Performing audit
1.1.12_var_log_audit_part [INFO] Verifying that /var/log/audit is a partition
1.1.12_var_log_audit_part [ OK ] /var/log/audit is a partition
1.1.12_var_log_audit_part [ OK ] /var/log/audit is mounted
1.1.12_var_log_audit_part [ OK ] Check Passed
1.1.13_home_partition     [INFO] Working on 1.1.13_home_partition
1.1.13_home_partition     [INFO] [DESCRIPTION] /home on a separate partition.
1.1.13_home_partition     [INFO] Checking Configuration
1.1.13_home_partition     [INFO] Performing audit
1.1.13_home_partition     [INFO] Verifying that /home is a partition
1.1.13_home_partition     [ OK ] /home is a partition
1.1.13_home_partition     [ OK ] /home is mounted
1.1.13_home_partition     [ OK ] Check Passed
1.1.14_home_nodev         [INFO] Working on 1.1.14_home_nodev
1.1.14_home_nodev         [INFO] [DESCRIPTION] /home partition with nodev option.
1.1.14_home_nodev         [INFO] Checking Configuration
1.1.14_home_nodev         [INFO] Performing audit
1.1.14_home_nodev         [INFO] Verifying that /home is a partition
1.1.14_home_nodev         [ OK ] /home is a partition
1.1.14_home_nodev         [ OK ] /home has nodev in fstab
1.1.14_home_nodev         [ OK ] /home mounted with nodev
1.1.14_home_nodev         [ OK ] Check Passed
1.1.15_run_shm_nodev      [INFO] Working on 1.1.15_run_shm_nodev
1.1.15_run_shm_nodev      [INFO] [DESCRIPTION] /run/shm with nodev option.
1.1.15_run_shm_nodev      [INFO] 1.1.15_run_shm_nodev is disabled, ignoring
1.1.16_run_shm_nosuid     [INFO] Working on 1.1.16_run_shm_nosuid
1.1.16_run_shm_nosuid     [INFO] [DESCRIPTION] /run/shm with nosuid option.
1.1.16_run_shm_nosuid     [INFO] 1.1.16_run_shm_nosuid is disabled, ignoring
1.1.17_run_shm_noexec     [INFO] Working on 1.1.17_run_shm_noexec
1.1.17_run_shm_noexec     [INFO] [DESCRIPTION] /run/shm with noexec option.
1.1.17_run_shm_noexec     [INFO] 1.1.17_run_shm_noexec is disabled, ignoring
1.1.18_removable_device_n [INFO] Working on 1.1.18_removable_device_nodev
1.1.18_removable_device_n [INFO] [DESCRIPTION] nodev option for removable media partitions.
1.1.18_removable_device_n [INFO] Checking Configuration
1.1.18_removable_device_n [INFO] Performing audit
1.1.18_removable_device_n [INFO] Verifying if there is /media\S* like partition
1.1.18_removable_device_n [ OK ] There is no partition like /media\S*
1.1.18_removable_device_n [ OK ] Check Passed
1.1.19_removable_device_n [INFO] Working on 1.1.19_removable_device_nosuid
1.1.19_removable_device_n [INFO] [DESCRIPTION] nosuid option for removable media partitions.
1.1.19_removable_device_n [INFO] Checking Configuration
1.1.19_removable_device_n [INFO] Performing audit
1.1.19_removable_device_n [INFO] Verifying if there is /media\S* like partition
1.1.19_removable_device_n [ OK ] There is no partition like /media\S*
1.1.19_removable_device_n [ OK ] Check Passed
1.1.20_removable_device_n [INFO] Working on 1.1.20_removable_device_noexec
1.1.20_removable_device_n [INFO] [DESCRIPTION] noexec option for removable media partitions.
1.1.20_removable_device_n [INFO] Checking Configuration
1.1.20_removable_device_n [INFO] Performing audit
1.1.20_removable_device_n [INFO] Verifying if there is /media\S* like partition
1.1.20_removable_device_n [ OK ] There is no partition like /media\S*
1.1.20_removable_device_n [ OK ] Check Passed
1.1.21_sticky_bit_world_w [INFO] Working on 1.1.21_sticky_bit_world_writable_folder
1.1.21_sticky_bit_world_w [INFO] [DESCRIPTION] Set sticky bit on world writable directories to prevent users from deleting or renaming files that are not owned by them.
1.1.21_sticky_bit_world_w [INFO] Checking Configuration
1.1.21_sticky_bit_world_w [INFO] Performing audit
1.1.21_sticky_bit_world_w [INFO] Checking if setuid is set on world writable Directories
1.1.21_sticky_bit_world_w [ OK ] All world writable directories have a sticky bit
1.1.21_sticky_bit_world_w [ OK ] Check Passed
1.1.22_disable_automounti [INFO] Working on 1.1.22_disable_automounting
1.1.22_disable_automounti [INFO] [DESCRIPTION] Disable automounting of devices.
1.1.22_disable_automounti [INFO] Checking Configuration
1.1.22_disable_automounti [INFO] Performing audit
1.1.22_disable_automounti [INFO] Checking if autofs is enabled
1.1.22_disable_automounti [ OK ] autofs is disabled
1.1.22_disable_automounti [ OK ] Check Passed
1.1.23_disable_usb_storag [INFO] Working on 1.1.23_disable_usb_storage
1.1.23_disable_usb_storag [INFO] [DESCRIPTION] Disable USB storage.
1.1.23_disable_usb_storag [INFO] Checking Configuration
1.1.23_disable_usb_storag [INFO] Performing audit
1.1.23_disable_usb_storag [ OK ] usb-storage is disabled
1.1.23_disable_usb_storag [ OK ] Check Passed
1.1.2_tmp_partition       [INFO] Working on 1.1.2_tmp_partition
1.1.2_tmp_partition       [INFO] [DESCRIPTION] Ensure /tmp is configured (Scored)
1.1.2_tmp_partition       [INFO] 1.1.2_tmp_partition is disabled, ignoring
1.1.3_tmp_nodev           [INFO] Working on 1.1.3_tmp_nodev
1.1.3_tmp_nodev           [INFO] [DESCRIPTION] /tmp partition with nodev option.
1.1.3_tmp_nodev           [INFO] 1.1.3_tmp_nodev is disabled, ignoring
1.1.4_tmp_nosuid          [INFO] Working on 1.1.4_tmp_nosuid
1.1.4_tmp_nosuid          [INFO] [DESCRIPTION] /tmp partition with nosuid option.
1.1.4_tmp_nosuid          [INFO] 1.1.4_tmp_nosuid is disabled, ignoring
1.1.5_tmp_noexec          [INFO] Working on 1.1.5_tmp_noexec
1.1.5_tmp_noexec          [INFO] [DESCRIPTION] /tmp partition with noexec option.
1.1.5_tmp_noexec          [INFO] 1.1.5_tmp_noexec is disabled, ignoring
1.1.6_var_partition       [INFO] Working on 1.1.6_var_partition
1.1.6_var_partition       [INFO] [DESCRIPTION] /var on a separate partition.
1.1.6_var_partition       [INFO] Checking Configuration
1.1.6_var_partition       [INFO] Performing audit
1.1.6_var_partition       [INFO] Verifying that /var is a partition
1.1.6_var_partition       [ OK ] /var is a partition
1.1.6_var_partition       [ OK ] /var is mounted
1.1.6_var_partition       [ OK ] Check Passed
1.1.7_var_tmp_partition   [INFO] Working on 1.1.7_var_tmp_partition
1.1.7_var_tmp_partition   [INFO] [DESCRIPTION] /var/tmp on a separate partition.
1.1.7_var_tmp_partition   [INFO] Checking Configuration
1.1.7_var_tmp_partition   [INFO] Performing audit
1.1.7_var_tmp_partition   [INFO] Verifying that /var/tmp is a partition
1.1.7_var_tmp_partition   [ OK ] /var/tmp is a partition
1.1.7_var_tmp_partition   [ OK ] /var/tmp is mounted
1.1.7_var_tmp_partition   [ OK ] Check Passed
1.1.8_var_tmp_nodev       [INFO] Working on 1.1.8_var_tmp_nodev
1.1.8_var_tmp_nodev       [INFO] [DESCRIPTION] /var/tmp partition with nodev option.
1.1.8_var_tmp_nodev       [INFO] Checking Configuration
1.1.8_var_tmp_nodev       [INFO] Performing audit
1.1.8_var_tmp_nodev       [INFO] Verifying that /var/tmp is a partition
1.1.8_var_tmp_nodev       [ OK ] /var/tmp is a partition
1.1.8_var_tmp_nodev       [ OK ] /var/tmp has nodev in fstab
1.1.8_var_tmp_nodev       [ OK ] /var/tmp mounted with nodev
1.1.8_var_tmp_nodev       [ OK ] Check Passed
1.1.9_var_tmp_nosuid      [INFO] Working on 1.1.9_var_tmp_nosuid
1.1.9_var_tmp_nosuid      [INFO] [DESCRIPTION] /var/tmp partition with nosuid option.
1.1.9_var_tmp_nosuid      [INFO] Checking Configuration
1.1.9_var_tmp_nosuid      [INFO] Performing audit
1.1.9_var_tmp_nosuid      [INFO] Verifying that /var/tmp is a partition
1.1.9_var_tmp_nosuid      [ OK ] /var/tmp is a partition
1.1.9_var_tmp_nosuid      [ OK ] /var/tmp has nosuid in fstab
1.1.9_var_tmp_nosuid      [ OK ] /var/tmp mounted with nosuid
1.1.9_var_tmp_nosuid      [ OK ] Check Passed
1.2.1_ensure_repository_i [INFO] Working on 1.2.1_ensure_repository_is_configured
1.2.1_ensure_repository_i [INFO] [DESCRIPTION] Garden Linux repository is present.
1.2.1_ensure_repository_i [INFO] Checking Configuration
1.2.1_ensure_repository_i [INFO] Performing audit
1.2.1_ensure_repository_i [ OK ] APT policy looks good
1.2.1_ensure_repository_i [ OK ] Garden Linux repository is configured
1.2.1_ensure_repository_i [ OK ] Check Passed
1.2.2_ensure_apt_gpg_keys [INFO] Working on 1.2.2_ensure_apt_gpg_keys
1.2.2_ensure_apt_gpg_keys [INFO] [DESCRIPTION] Check for GPG key in repo list.
1.2.2_ensure_apt_gpg_keys [INFO] Checking Configuration
1.2.2_ensure_apt_gpg_keys [INFO] Performing audit
1.2.2_ensure_apt_gpg_keys [ OK ] signed-by=/etc/apt/trusted.gpg.d/gardenlinux.asc is present in /etc/apt/sources.list /etc/apt/apt.conf.d/01autoremove
/etc/apt/apt.conf.d/70debconf
/etc/apt/apt.conf.d/gzip-indexes
/etc/apt/apt.conf.d/autoclean
/etc/apt/apt.conf.d/no-suggests
/etc/apt/apt.conf.d/no-caches
/etc/apt/apt.conf.d/no-languages
/etc/apt/apt.conf.d/no-recommends
/etc/apt/sources.list
/etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
/etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
/etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
/etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg
/etc/apt/trusted.gpg.d/gardenlinux.asc
/etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
/etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
/etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
/etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg
/etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg
/etc/apt/preferences.d/gardenlinux
1.2.2_ensure_apt_gpg_keys [ OK ] Check Passed
1.3.1_install_sudo        [INFO] Working on 1.3.1_install_sudo
1.3.1_install_sudo        [INFO] [DESCRIPTION] Install sudo to permit users to execute command as superuser or as another user.
1.3.1_install_sudo        [INFO] Checking Configuration
1.3.1_install_sudo        [INFO] Performing audit
1.3.1_install_sudo        [ OK ] sudo is installed
1.3.1_install_sudo        [ OK ] Check Passed
1.3.2_pty_sudo            [INFO] Working on 1.3.2_pty_sudo
1.3.2_pty_sudo            [INFO] [DESCRIPTION] Ensure sudo can only be run from a pseudo pty.
1.3.2_pty_sudo            [INFO] Checking Configuration
1.3.2_pty_sudo            [INFO] Performing audit
1.3.2_pty_sudo            [ OK ] Defaults use_pty found in sudoers file
1.3.2_pty_sudo            [ OK ] Check Passed
[  392.024528] systemd-journald[264]: Data hash table of /var/log/journal/1234567800000000000002f599de2c65/system.journal has a fill level at 75.0 (1777 of 2368 items, 1363968 file 
1.3.3_logfile_sudo        [INFO] Working on 1.3.3_logfile_sudo
[  392.029143] systemd-journald[264]: /var/log/journal/1234567800000000000002f599de2c65/system.journal: Journal header limits reached or header out-of-date, rotating.
1.3.3_logfile_sudo        [INFO] [DESCRIPTION] Ensure sudo log files exists.
1.3.3_logfile_sudo        [INFO] Checking Configuration
1.3.3_logfile_sudo        [INFO] Performing audit
1.3.3_logfile_sudo        [ OK ] Defaults log file found in sudoers file
1.3.3_logfile_sudo        [ OK ] Check Passed
1.4.1_install_tripwire    [INFO] Working on 1.4.1_install_tripwire
1.4.1_install_tripwire    [INFO] [DESCRIPTION] Ensure tripwire package is installed.
1.4.1_install_tripwire    [INFO] 1.4.1_install_tripwire is disabled, ignoring
1.4.2_tripwire_cron       [INFO] Working on 1.4.2_tripwire_cron
1.4.2_tripwire_cron       [INFO] [DESCRIPTION] Implemet periodic execution of file integrity.
1.4.2_tripwire_cron       [INFO] 1.4.2_tripwire_cron is disabled, ignoring
1.4.3_install_aide        [INFO] Working on 1.4.3_install_aide
1.4.3_install_aide        [INFO] [DESCRIPTION] Ensure aide package is installed.
1.4.3_install_aide        [INFO] Checking Configuration
1.4.3_install_aide        [INFO] Performing audit
1.4.3_install_aide        [ OK ] aide is installed
1.4.3_install_aide        [ OK ] Check Passed
1.4.4_aide_cron           [INFO] Working on 1.4.4_aide_cron
1.4.4_aide_cron           [INFO] [DESCRIPTION] Implement periodic execution of file integrity.
1.4.4_aide_cron           [INFO] Checking Configuration
1.4.4_aide_cron           [INFO] Performing audit
1.4.4_aide_cron           [ OK ] aide --check is present in /etc/crontab /var/spool/cron/crontabs/root /etc/cron.d/sysstat
/etc/cron.d/.placeholder
1.4.4_aide_cron           [ OK ] Check Passed
1.5.1_bootloader_ownershi [INFO] Working on 1.5.1_bootloader_ownership
1.5.1_bootloader_ownershi [INFO] [DESCRIPTION] User and group root owner of grub bootloader config.
1.5.1_bootloader_ownershi [INFO] 1.5.1_bootloader_ownership is disabled, ignoring
1.5.1_bootloader_ownershi [INFO] Working on 1.5.1_bootloader_ownership_syslinux
1.5.1_bootloader_ownershi [INFO] [DESCRIPTION] User and group root owner of syslinux bootloader config.
1.5.1_bootloader_ownershi [INFO] Checking Configuration
1.5.1_bootloader_ownershi [INFO] Performing audit
1.5.1_bootloader_ownershi [ OK ] /boot/efi/syslinux/syslinux.cfg has correct ownership
1.5.1_bootloader_ownershi [ OK ] /boot/efi/syslinux/syslinux.cfg has correct permissions
1.5.1_bootloader_ownershi [ OK ] Check Passed
1.5.2_bootloader_password [INFO] Working on 1.5.2_bootloader_password
1.5.2_bootloader_password [INFO] [DESCRIPTION] Setting bootloader password to secure boot parameters.
1.5.2_bootloader_password [INFO] 1.5.2_bootloader_password is disabled, ignoring
1.5.3_root_password       [INFO] Working on 1.5.3_root_password
1.5.3_root_password       [INFO] [DESCRIPTION] Root password for single user mode.
1.5.3_root_password       [INFO] Checking Configuration
1.5.3_root_password       [INFO] Performing audit
1.5.3_root_password       [ OK ] ^root:[*\!]: is not present in /etc/shadow
1.5.3_root_password       [ OK ] Check Passed
1.6.1_enable_nx_support   [INFO] Working on 1.6.1_enable_nx_support
1.6.1_enable_nx_support   [INFO] [DESCRIPTION] Enable NoExecute/ExecuteDisable to prevent buffer overflow attacks.
1.6.1_enable_nx_support   [INFO] Checking Configuration
1.6.1_enable_nx_support   [INFO] Performing audit
1.6.1_enable_nx_support   [ OK ] NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active is present in dmesg
1.6.1_enable_nx_support   [ OK ] Check Passed
1.6.2_enable_randomized_v [INFO] Working on 1.6.2_enable_randomized_vm_placement
1.6.2_enable_randomized_v [INFO] [DESCRIPTION] Enable Randomized Virtual Memory Region Placement to prevent memory page exploits.
1.6.2_enable_randomized_v [INFO] Checking Configuration
1.6.2_enable_randomized_v [INFO] Performing audit
1.6.2_enable_randomized_v [ OK ] kernel.randomize_va_space correctly set to 2
1.6.2_enable_randomized_v [ OK ] Check Passed
1.6.3_disable_prelink     [INFO] Working on 1.6.3_disable_prelink
1.6.3_disable_prelink     [INFO] [DESCRIPTION] Disable prelink to prevent libraries compromission.
1.6.3_disable_prelink     [INFO] Checking Configuration
1.6.3_disable_prelink     [INFO] Performing audit
1.6.3_disable_prelink     [ OK ] prelink is absent
1.6.3_disable_prelink     [ OK ] Check Passed
1.6.4_restrict_core_dumps [INFO] Working on 1.6.4_restrict_core_dumps
1.6.4_restrict_core_dumps [INFO] [DESCRIPTION] Restrict core dumps.
1.6.4_restrict_core_dumps [INFO] Checking Configuration
1.6.4_restrict_core_dumps [INFO] Performing audit
1.6.4_restrict_core_dumps [ OK ] ^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$ present in /etc/security/limits.conf
1.6.4_restrict_core_dumps [ OK ] fs.suid_dumpable correctly set to 0
1.6.4_restrict_core_dumps [ OK ] Check Passed
1.7.1.1_install_apparmor  [INFO] Working on 1.7.1.1_install_apparmor
1.7.1.1_install_apparmor  [INFO] [DESCRIPTION] Install AppArmor.
1.7.1.1_install_apparmor  [INFO] 1.7.1.1_install_apparmor is disabled, ignoring
1.7.1.1_install_selinux   [INFO] Working on 1.7.1.1_install_selinux
1.7.1.1_install_selinux   [INFO] [DESCRIPTION] Install SELinux.
1.7.1.1_install_selinux   [INFO] Checking Configuration
1.7.1.1_install_selinux   [INFO] Performing audit
1.7.1.1_install_selinux   [ OK ] libselinux1 is installed
1.7.1.1_install_selinux   [ OK ] selinux-utils is installed
1.7.1.1_install_selinux   [ OK ] Check Passed
1.7.1.2_enable_apparmor   [INFO] Working on 1.7.1.2_enable_apparmor
1.7.1.2_enable_apparmor   [INFO] [DESCRIPTION] Activate AppArmor to enforce permissions control.
1.7.1.2_enable_apparmor   [INFO] 1.7.1.2_enable_apparmor is disabled, ignoring
1.7.1.2_enable_selinux    [INFO] Working on 1.7.1.2_enable_selinux
1.7.1.2_enable_selinux    [INFO] [DESCRIPTION] Enable auditing for processes that start prior to auditd.
1.7.1.2_enable_selinux    [INFO] Checking Configuration
1.7.1.2_enable_selinux    [INFO] Performing audit
1.7.1.2_enable_selinux    [ OK ] SELinux is configured in syslinux bootloader
1.7.1.2_enable_selinux    [ OK ] Bootloader SYSLINUX found
1.7.1.2_enable_selinux    [ OK ] Check Passed
1.7.1.3_enforce_or_compla [INFO] Working on 1.7.1.3_enforce_or_complain_apparmor
1.7.1.3_enforce_or_compla [INFO] [DESCRIPTION] Enforce or complain AppArmor profiles.
1.7.1.3_enforce_or_compla [INFO] 1.7.1.3_enforce_or_complain_apparmor is disabled, ignoring
1.7.1.4_enforcing_apparmo [INFO] Working on 1.7.1.4_enforcing_apparmor
1.7.1.4_enforcing_apparmo [INFO] [DESCRIPTION] Enforce Apparmor profiles.
1.7.1.4_enforcing_apparmo [INFO] 1.7.1.4_enforcing_apparmor is disabled, ignoring
1.7.1.4_enforcing_selinux [INFO] Working on 1.7.1.4_enforcing_selinux
1.7.1.4_enforcing_selinux [INFO] [DESCRIPTION] Ensure SELinux is enforcing.
1.7.1.4_enforcing_selinux [INFO] Checking Configuration
1.7.1.4_enforcing_selinux [INFO] Performing audit
1.7.1.4_enforcing_selinux [ OK ] SELinux is active.
1.7.1.4_enforcing_selinux [ OK ] Check Passed
1.8.1.1_remove_os_info_mo [INFO] Working on 1.8.1.1_remove_os_info_motd
1.8.1.1_remove_os_info_mo [INFO] [DESCRIPTION] Remove OS information from motd
1.8.1.1_remove_os_info_mo [INFO] Checking Configuration
1.8.1.1_remove_os_info_mo [INFO] Performing audit
1.8.1.1_remove_os_info_mo [ OK ] (\v|\r|\m|\s) is not present in /etc/motd
1.8.1.1_remove_os_info_mo [ OK ] Check Passed
1.8.1.2_remove_os_info_is [INFO] Working on 1.8.1.2_remove_os_info_issue
1.8.1.2_remove_os_info_is [INFO] [DESCRIPTION] Remove OS information from Login Warning Banners.
1.8.1.2_remove_os_info_is [INFO] Checking Configuration
1.8.1.2_remove_os_info_is [INFO] Performing audit
1.8.1.2_remove_os_info_is [ OK ] (\v|\r|\m|\s) is not present in /etc/issue
1.8.1.2_remove_os_info_is [ OK ] Check Passed
1.8.1.3_remove_os_info_is [INFO] Working on 1.8.1.3_remove_os_info_issue_net
1.8.1.3_remove_os_info_is [INFO] [DESCRIPTION] Remove OS information from remote Login Warning Banners.
1.8.1.3_remove_os_info_is [INFO] Checking Configuration
1.8.1.3_remove_os_info_is [INFO] Performing audit
1.8.1.3_remove_os_info_is [ OK ] (\v|\r|\m|\s) is not present in /etc/issue.net
1.8.1.3_remove_os_info_is [ OK ] Check Passed
1.8.1.4_motd_perms        [INFO] Working on 1.8.1.4_motd_perms
1.8.1.4_motd_perms        [INFO] [DESCRIPTION] Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net .
1.8.1.4_motd_perms        [INFO] Checking Configuration
1.8.1.4_motd_perms        [INFO] Performing audit
1.8.1.4_motd_perms        [ OK ] /etc/motd has correct ownership
1.8.1.4_motd_perms        [ OK ] /etc/motd has correct permissions
1.8.1.4_motd_perms        [ OK ] Check Passed
1.8.1.5_etc_issue_perms   [INFO] Working on 1.8.1.5_etc_issue_perms
1.8.1.5_etc_issue_perms   [INFO] [DESCRIPTION] Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net .
1.8.1.5_etc_issue_perms   [INFO] Checking Configuration
1.8.1.5_etc_issue_perms   [INFO] Performing audit
1.8.1.5_etc_issue_perms   [ OK ] /etc/issue has correct ownership
1.8.1.5_etc_issue_perms   [ OK ] /etc/issue has correct permissions
1.8.1.5_etc_issue_perms   [ OK ] Check Passed
1.8.1.6_etc_issue_net_per [INFO] Working on 1.8.1.6_etc_issue_net_perms
1.8.1.6_etc_issue_net_per [INFO] [DESCRIPTION] Checking root ownership and 644 permissions on banner files: /etc/motd|issue|issue.net .
1.8.1.6_etc_issue_net_per [INFO] Checking Configuration
1.8.1.6_etc_issue_net_per [INFO] Performing audit
1.8.1.6_etc_issue_net_per [ OK ] /etc/issue.net has correct ownership
1.8.1.6_etc_issue_net_per [ OK ] /etc/issue.net has correct permissions
1.8.1.6_etc_issue_net_per [ OK ] Check Passed
1.8.2_graphical_warning_b [INFO] Working on 1.8.2_graphical_warning_banners
1.8.2_graphical_warning_b [INFO] [DESCRIPTION] Set graphical warning banner.
1.8.2_graphical_warning_b [INFO] Checking Configuration
1.8.2_graphical_warning_b [INFO] Performing audit
1.8.2_graphical_warning_b [INFO] Not implemented yet
1.8.2_graphical_warning_b [ OK ] Check Passed
1.9_install_updates       [INFO] Working on 1.9_install_updates
1.9_install_updates       [INFO] [DESCRIPTION] Ensure updates, patches, and additional security software are installed (Not Scored)
1.9_install_updates       [INFO] 1.9_install_updates is disabled, ignoring
2.1.1_disable_xinetd      [INFO] Working on 2.1.1_disable_xinetd
2.1.1_disable_xinetd      [INFO] [DESCRIPTION] Ensure xinetd is not enabled.
2.1.1_disable_xinetd      [INFO] Checking Configuration
2.1.1_disable_xinetd      [INFO] Performing audit
2.1.1_disable_xinetd      [ OK ] xinetd is absent
2.1.1_disable_xinetd      [ OK ] Check Passed
2.1.2_disable_bsd_inetd   [INFO] Working on 2.1.2_disable_bsd_inetd
2.1.2_disable_bsd_inetd   [INFO] [DESCRIPTION] Ensure bsd-inetd is not enabled.
2.1.2_disable_bsd_inetd   [INFO] Checking Configuration
2.1.2_disable_bsd_inetd   [INFO] Performing audit
2.1.2_disable_bsd_inetd   [ OK ] openbsd-inetd is absent
2.1.2_disable_bsd_inetd   [ OK ] inetutils-inetd is absent
2.1.2_disable_bsd_inetd   [ OK ] Check Passed
2.2.1.1_use_time_sync     [INFO] Working on 2.2.1.1_use_time_sync
2.2.1.1_use_time_sync     [INFO] [DESCRIPTION] Ensure time synchronization is in use
2.2.1.1_use_time_sync     [INFO] 2.2.1.1_use_time_sync is disabled, ignoring
2.2.1.2_configure_systemd [INFO] Working on 2.2.1.2_configure_systemd-timesyncd
2.2.1.2_configure_systemd [INFO] [DESCRIPTION] Configure systemd-timesyncd.
2.2.1.2_configure_systemd [INFO] Checking Configuration
2.2.1.2_configure_systemd [INFO] Performing audit
2.2.1.2_configure_systemd [ OK ] systemd-timesyncd is enabled
2.2.1.2_configure_systemd [ OK ] Check Passed
2.2.1.3_configure_chrony  [INFO] Working on 2.2.1.3_configure_chrony
2.2.1.3_configure_chrony  [INFO] [DESCRIPTION] Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user.
2.2.1.3_configure_chrony  [INFO] 2.2.1.3_configure_chrony is disabled, ignoring
2.2.1.4_configure_ntp     [INFO] Working on 2.2.1.4_configure_ntp
2.2.1.4_configure_ntp     [INFO] [DESCRIPTION] Configure Network Time Protocol (ntp). Check restrict parameters and ntp daemon runs ad unprivileged user.
2.2.1.4_configure_ntp     [INFO] 2.2.1.4_configure_ntp is disabled, ignoring
2.2.10_disable_http_serve [INFO] Working on 2.2.10_disable_http_server
2.2.10_disable_http_serve [INFO] [DESCRIPTION] Ensure HTTP server is not enabled.
2.2.10_disable_http_serve [INFO] Checking Configuration
2.2.10_disable_http_serve [INFO] Performing audit
2.2.10_disable_http_serve [ OK ] nginx is absent
2.2.10_disable_http_serve [ OK ] apache2 is absent
2.2.10_disable_http_serve [ OK ] lighttpd is absent
2.2.10_disable_http_serve [ OK ] micro-httpd is absent
2.2.10_disable_http_serve [ OK ] mini-httpd is absent
2.2.10_disable_http_serve [ OK ] yaws is absent
2.2.10_disable_http_serve [ OK ] boa is absent
2.2.10_disable_http_serve [ OK ] bozohttpd is absent
2.2.10_disable_http_serve [ OK ] Check Passed
2.2.11_disable_imap_pop   [INFO] Working on 2.2.11_disable_imap_pop
2.2.11_disable_imap_pop   [INFO] [DESCRIPTION] Ensure IMAP and POP servers are not installed
2.2.11_disable_imap_pop   [INFO] Checking Configuration
2.2.11_disable_imap_pop   [INFO] Performing audit
2.2.11_disable_imap_pop   [ OK ] citadel-server is absent
2.2.11_disable_imap_pop   [ OK ] courier-imap is absent
2.2.11_disable_imap_pop   [ OK ] cyrus-imapd-2.4 is absent
2.2.11_disable_imap_pop   [ OK ] dovecot-imapd is absent
2.2.11_disable_imap_pop   [ OK ] mailutils-imap4d is absent
2.2.11_disable_imap_pop   [ OK ] courier-pop is absent
2.2.11_disable_imap_pop   [ OK ] cyrus-pop3d-2.4 is absent
2.2.11_disable_imap_pop   [ OK ] dovecot-pop3d is absent
2.2.11_disable_imap_pop   [ OK ] heimdal-servers is absent
2.2.11_disable_imap_pop   [ OK ] mailutils-pop3d is absent
2.2.11_disable_imap_pop   [ OK ] popa3d is absent
2.2.11_disable_imap_pop   [ OK ] solid-pop3d is absent
2.2.11_disable_imap_pop   [ OK ] xmail is absent
2.2.11_disable_imap_pop   [ OK ] Check Passed
2.2.12_disable_samba      [INFO] Working on 2.2.12_disable_samba
2.2.12_disable_samba      [INFO] [DESCRIPTION] Ensure Samba is not enabled.
2.2.12_disable_samba      [INFO] Checking Configuration
2.2.12_disable_samba      [INFO] Performing audit
2.2.12_disable_samba      [ OK ] samba is absent
2.2.12_disable_samba      [ OK ] Service smbd is disabled
2.2.12_disable_samba      [ OK ] Check Passed
2.2.13_disable_http_proxy [INFO] Working on 2.2.13_disable_http_proxy
2.2.13_disable_http_proxy [INFO] [DESCRIPTION] Ensure HTTP-proxy is not enabled.
2.2.13_disable_http_proxy [INFO] Checking Configuration
2.2.13_disable_http_proxy [INFO] Performing audit
2.2.13_disable_http_proxy [ OK ] squid3 is absent
2.2.13_disable_http_proxy [ OK ] squid is absent
2.2.13_disable_http_proxy [ OK ] Check Passed
2.2.14_disable_snmp_serve [INFO] Working on 2.2.14_disable_snmp_server
2.2.14_disable_snmp_serve [INFO] [DESCRIPTION] Enure SNMP server is not enabled.
2.2.14_disable_snmp_serve [INFO] Checking Configuration
2.2.14_disable_snmp_serve [INFO] Performing audit
2.2.14_disable_snmp_serve [ OK ] snmpd is absent
2.2.14_disable_snmp_serve [ OK ] Check Passed
2.2.15_mta_localhost      [INFO] Working on 2.2.15_mta_localhost
2.2.15_mta_localhost      [INFO] [DESCRIPTION] Configure Mail Transfert Agent for Local-Only Mode.
2.2.15_mta_localhost      [INFO] Checking Configuration
2.2.15_mta_localhost      [INFO] Performing audit
2.2.15_mta_localhost      [INFO] Checking netport ports opened
2.2.15_mta_localhost      [ OK ] Nothing listens on 25 port, probably unix socket configured
2.2.15_mta_localhost      [ OK ] Check Passed
2.2.16_disable_rsync      [INFO] Working on 2.2.16_disable_rsync
2.2.16_disable_rsync      [INFO] [DESCRIPTION] Ensure rsync service is not enabled.
2.2.16_disable_rsync      [INFO] Checking Configuration
2.2.16_disable_rsync      [INFO] Performing audit
2.2.16_disable_rsync      [ OK ] rsync is not installed
2.2.16_disable_rsync      [ OK ] Check Passed
2.2.17_disable_nis        [INFO] Working on 2.2.17_disable_nis
2.2.17_disable_nis        [INFO] [DESCRIPTION] Disable NIS Server.
2.2.17_disable_nis        [INFO] Checking Configuration
2.2.17_disable_nis        [INFO] Performing audit
2.2.17_disable_nis        [ OK ] nis is absent
2.2.17_disable_nis        [ OK ] Check Passed
2.2.2_disable_xwindow_sys [INFO] Working on 2.2.2_disable_xwindow_system
2.2.2_disable_xwindow_sys [INFO] [DESCRIPTION] Ensure the X Window system is not installed.
2.2.2_disable_xwindow_sys [INFO] Checking Configuration
2.2.2_disable_xwindow_sys [INFO] Performing audit
2.2.2_disable_xwindow_sys [ OK ] xserver-xorg-core is absent
2.2.2_disable_xwindow_sys [ OK ] xserver-xorg-core-dbg is absent
2.2.2_disable_xwindow_sys [ OK ] xserver-common is absent
2.2.2_disable_xwindow_sys [ OK ] xserver-xephyr is absent
2.2.2_disable_xwindow_sys [ OK ] xserver-xfbdev is absent
2.2.2_disable_xwindow_sys [ OK ] tightvncserver is absent
2.2.2_disable_xwindow_sys [ OK ] vnc4server is absent
2.2.2_disable_xwindow_sys [ OK ] fglrx-driver is absent
2.2.2_disable_xwindow_sys [ OK ] xvfb is absent
2.2.2_disable_xwindow_sys [ OK ] xserver-xorg-video-nvidia-legacy-173xx is absent
2.2.2_disable_xwindow_sys [ OK ] xserver-xorg-video-nvidia-legacy-96xx is absent
2.2.2_disable_xwindow_sys [ OK ] xnest is absent
2.2.2_disable_xwindow_sys [ OK ] Check Passed
2.2.3_disable_avahi_serve [INFO] Working on 2.2.3_disable_avahi_server
2.2.3_disable_avahi_serve [INFO] [DESCRIPTION] Ensure Avahi server is not enabled.
2.2.3_disable_avahi_serve [INFO] Checking Configuration
2.2.3_disable_avahi_serve [INFO] Performing audit
2.2.3_disable_avahi_serve [ OK ] avahi-daemon is absent
2.2.3_disable_avahi_serve [ OK ] libavahi-common-data is absent
2.2.3_disable_avahi_serve [ OK ] libavahi-common3 is absent
2.2.3_disable_avahi_serve [ OK ] libavahi-core7 is absent
2.2.3_disable_avahi_serve [ OK ] Check Passed
2.2.4_disable_print_serve [INFO] Working on 2.2.4_disable_print_server
2.2.4_disable_print_serve [INFO] [DESCRIPTION] Ensure print server (Common Unix Print System) is not enabled.
2.2.4_disable_print_serve [INFO] Checking Configuration
2.2.4_disable_print_serve [INFO] Performing audit
2.2.4_disable_print_serve [ OK ] libcups2 is absent
2.2.4_disable_print_serve [ OK ] libcupscgi1 is absent
2.2.4_disable_print_serve [ OK ] libcupsimage2 is absent
2.2.4_disable_print_serve [ OK ] libcupsmime1 is absent
2.2.4_disable_print_serve [ OK ] libcupsppdc1 is absent
2.2.4_disable_print_serve [ OK ] cups-common is absent
2.2.4_disable_print_serve [ OK ] cups-client is absent
2.2.4_disable_print_serve [ OK ] cups-ppdc is absent
2.2.4_disable_print_serve [ OK ] libcupsfilters1 is absent
2.2.4_disable_print_serve [ OK ] cups-filters is absent
2.2.4_disable_print_serve [ OK ] cups is absent
2.2.4_disable_print_serve [ OK ] Check Passed
2.2.5_disable_dhcp        [INFO] Working on 2.2.5_disable_dhcp
2.2.5_disable_dhcp        [INFO] [DESCRIPTION] Ensure DHCP server is not enabled.
2.2.5_disable_dhcp        [INFO] Checking Configuration
2.2.5_disable_dhcp        [INFO] Performing audit
2.2.5_disable_dhcp        [ OK ] udhcpd is absent
2.2.5_disable_dhcp        [ OK ] isc-dhcp-server is absent
2.2.5_disable_dhcp        [ OK ] Check Passed
2.2.6_disable_ldap        [INFO] Working on 2.2.6_disable_ldap
2.2.6_disable_ldap        [INFO] [DESCRIPTION] Ensure LDAP is not enabled.
2.2.6_disable_ldap        [INFO] Checking Configuration
2.2.6_disable_ldap        [INFO] Performing audit
2.2.6_disable_ldap        [ OK ] slapd is absent
2.2.6_disable_ldap        [ OK ] Check Passed
2.2.7_disable_nfs_rpc     [INFO] Working on 2.2.7_disable_nfs_rpc
2.2.7_disable_nfs_rpc     [INFO] [DESCRIPTION] Ensure Network File System (nfs) and RPC are not enabled.
2.2.7_disable_nfs_rpc     [INFO] Checking Configuration
2.2.7_disable_nfs_rpc     [INFO] Performing audit
2.2.7_disable_nfs_rpc     [ OK ] rpcbind is absent
2.2.7_disable_nfs_rpc     [ OK ] nfs-kernel-server is absent
2.2.7_disable_nfs_rpc     [ OK ] Check Passed
2.2.8_disable_dns_server  [INFO] Working on 2.2.8_disable_dns_server
2.2.8_disable_dns_server  [INFO] [DESCRIPTION] Ensure Domain Name System (dns) server is not enabled.
2.2.8_disable_dns_server  [INFO] Checking Configuration
2.2.8_disable_dns_server  [INFO] Performing audit
2.2.8_disable_dns_server  [ OK ] bind9 is absent
2.2.8_disable_dns_server  [ OK ] unbound is absent
2.2.8_disable_dns_server  [ OK ] Check Passed
2.2.9_disable_ftp         [INFO] Working on 2.2.9_disable_ftp
2.2.9_disable_ftp         [INFO] [DESCRIPTION] Ensure File Transfer Protocol (ftp) is not enabled.
2.2.9_disable_ftp         [INFO] Checking Configuration
2.2.9_disable_ftp         [INFO] Performing audit
2.2.9_disable_ftp         [ OK ] ftpd is absent
2.2.9_disable_ftp         [ OK ] ftpd-ssl is absent
2.2.9_disable_ftp         [ OK ] heimdal-servers is absent
2.2.9_disable_ftp         [ OK ] inetutils-ftpd is absent
2.2.9_disable_ftp         [ OK ] krb5-ftpd is absent
2.2.9_disable_ftp         [ OK ] muddleftpd is absent
2.2.9_disable_ftp         [ OK ] proftpd-basic is absent
2.2.9_disable_ftp         [ OK ] pure-ftpd is absent
2.2.9_disable_ftp         [ OK ] pure-ftpd-ldap is absent
2.2.9_disable_ftp         [ OK ] pure-ftpd-mysql is absent
2.2.9_disable_ftp         [ OK ] pure-ftpd-postgresql is absent
2.2.9_disable_ftp         [ OK ] twoftpd-run is absent
2.2.9_disable_ftp         [ OK ] vsftpd is absent
2.2.9_disable_ftp         [ OK ] wzdftpd is absent
2.2.9_disable_ftp         [ OK ] Check Passed
2.3.1_disable_nis         [INFO] Working on 2.3.1_disable_nis
2.3.1_disable_nis         [INFO] [DESCRIPTION] Ensure that Network Information Service is not installed. Recommended alternative : LDAP.
2.3.1_disable_nis         [INFO] Checking Configuration
2.3.1_disable_nis         [INFO] Performing audit
2.3.1_disable_nis         [ OK ] nis is absent
2.3.1_disable_nis         [ OK ] Check Passed
2.3.2_disable_rsh_client  [INFO] Working on 2.3.2_disable_rsh_client
2.3.2_disable_rsh_client  [INFO] [DESCRIPTION] Ensure rsh client is not installed, Recommended alternative : ssh.
2.3.2_disable_rsh_client  [INFO] Checking Configuration
2.3.2_disable_rsh_client  [INFO] Performing audit
2.3.2_disable_rsh_client  [ OK ] rsh-client is absent
2.3.2_disable_rsh_client  [ OK ] rsh-redone-client is absent
2.3.2_disable_rsh_client  [ OK ] heimdal-clients is absent
2.3.2_disable_rsh_client  [ OK ] Check Passed
2.3.3_disable_talk_client [INFO] Working on 2.3.3_disable_talk_client
2.3.3_disable_talk_client [INFO] [DESCRIPTION] Ensure talk client is not installed.
2.3.3_disable_talk_client [INFO] Checking Configuration
2.3.3_disable_talk_client [INFO] Performing audit
2.3.3_disable_talk_client [ OK ] talk is absent
2.3.3_disable_talk_client [ OK ] inetutils-talk is absent
2.3.3_disable_talk_client [ OK ] Check Passed
2.3.4_disable_telnet_clie [INFO] Working on 2.3.4_disable_telnet_client
2.3.4_disable_telnet_clie [INFO] [DESCRIPTION] Ensure telnet client is not installed.
2.3.4_disable_telnet_clie [INFO] Checking Configuration
2.3.4_disable_telnet_clie [INFO] Performing audit
2.3.4_disable_telnet_clie [ OK ] telnet is absent
2.3.4_disable_telnet_clie [ OK ] Check Passed
2.3.5_disable_ldap_client [INFO] Working on 2.3.5_disable_ldap_client
2.3.5_disable_ldap_client [INFO] [DESCRIPTION] Ensure ldap client is not installed.
2.3.5_disable_ldap_client [INFO] Checking Configuration
2.3.5_disable_ldap_client [INFO] Performing audit
2.3.5_disable_ldap_client [ OK ] ldap-utils is absent
2.3.5_disable_ldap_client [ OK ] Check Passed
3.1.1_disable_ipv6        [INFO] Working on 3.1.1_disable_ipv6
3.1.1_disable_ipv6        [INFO] [DESCRIPTION] Disable IPv6.
3.1.1_disable_ipv6        [INFO] Checking Configuration
3.1.1_disable_ipv6        [INFO] Performing audit
3.1.1_disable_ipv6        [ OK ] ipv6 is disabled
3.1.1_disable_ipv6        [ OK ] Check Passed
3.1.2_disable_wireless    [INFO] Working on 3.1.2_disable_wireless
3.1.2_disable_wireless    [INFO] [DESCRIPTION] Deactivate wireless interfaces.
3.1.2_disable_wireless    [INFO] Checking Configuration
3.1.2_disable_wireless    [INFO] Performing audit
3.1.2_disable_wireless    [INFO] Not implemented yet
3.1.2_disable_wireless    [ OK ] Check Passed
3.2.1_disable_send_packet [INFO] Working on 3.2.1_disable_send_packet_redirects
3.2.1_disable_send_packet [INFO] [DESCRIPTION] Disable send packet redirects to prevent malicious ICMP corruption.
3.2.1_disable_send_packet [INFO] Checking Configuration
3.2.1_disable_send_packet [INFO] Performing audit
3.2.1_disable_send_packet [ OK ] net.ipv4.conf.all.send_redirects correctly set to 0
3.2.1_disable_send_packet [ OK ] net.ipv4.conf.default.send_redirects correctly set to 0
3.2.1_disable_send_packet [ OK ] Check Passed
3.2.2_disable_ip_forwardi [INFO] Working on 3.2.2_disable_ip_forwarding
3.2.2_disable_ip_forwardi [INFO] [DESCRIPTION] Disable IP forwarding.
3.2.2_disable_ip_forwardi [INFO] Checking Configuration
3.2.2_disable_ip_forwardi [INFO] Performing audit
3.2.2_disable_ip_forwardi [ OK ] net.ipv4.ip_forward correctly set to 0
3.2.2_disable_ip_forwardi [ OK ] net.ipv6.conf.all.forwarding correctly set to 0
3.2.2_disable_ip_forwardi [ OK ] Check Passed
3.3.1_disable_source_rout [INFO] Working on 3.3.1_disable_source_routed_packets
3.3.1_disable_source_rout [INFO] [DESCRIPTION] Disable source routed packet acceptance.
3.3.1_disable_source_rout [INFO] Checking Configuration
3.3.1_disable_source_rout [INFO] Performing audit
3.3.1_disable_source_rout [ OK ] Check Passed
3.3.2_disable_icmp_redire [INFO] Working on 3.3.2_disable_icmp_redirect
3.3.2_disable_icmp_redire [INFO] [DESCRIPTION] Disable ICMP redirect acceptance to prevent routing table corruption.
3.3.2_disable_icmp_redire [INFO] Checking Configuration
3.3.2_disable_icmp_redire [INFO] Performing audit
3.3.2_disable_icmp_redire [ OK ] net.ipv4.conf.all.accept_redirects correctly set to 0
3.3.2_disable_icmp_redire [ OK ] net.ipv4.conf.default.accept_redirects correctly set to 0
3.3.2_disable_icmp_redire [ OK ] net.ipv6.conf.all.accept_redirects correctly set to 0
3.3.2_disable_icmp_redire [ OK ] net.ipv6.conf.default.accept_redirects correctly set to 0
3.3.2_disable_icmp_redire [ OK ] Check Passed
3.3.3_disable_secure_icmp [INFO] Working on 3.3.3_disable_secure_icmp_redirect
3.3.3_disable_secure_icmp [INFO] [DESCRIPTION] Disable secure ICMP redirect acceptance to prevent routing tables corruptions.
3.3.3_disable_secure_icmp [INFO] Checking Configuration
3.3.3_disable_secure_icmp [INFO] Performing audit
3.3.3_disable_secure_icmp [ OK ] net.ipv4.conf.all.secure_redirects correctly set to 0
3.3.3_disable_secure_icmp [ OK ] net.ipv4.conf.default.secure_redirects correctly set to 0
3.3.3_disable_secure_icmp [ OK ] Check Passed
3.3.4_log_martian_packets [INFO] Working on 3.3.4_log_martian_packets
3.3.4_log_martian_packets [INFO] [DESCRIPTION] Log suspicious packets, like spoofed packets.
3.3.4_log_martian_packets [INFO] Checking Configuration
3.3.4_log_martian_packets [INFO] Performing audit
3.3.4_log_martian_packets [ OK ] net.ipv4.conf.all.log_martians correctly set to 1
3.3.4_log_martian_packets [ OK ] net.ipv4.conf.default.log_martians correctly set to 1
3.3.4_log_martian_packets [ OK ] Check Passed
3.3.5_ignore_broadcast_re [INFO] Working on 3.3.5_ignore_broadcast_requests
3.3.5_ignore_broadcast_re [INFO] [DESCRIPTION] Ignore broadcast requests to prevent attacks such as Smurf attack.
3.3.5_ignore_broadcast_re [INFO] Checking Configuration
3.3.5_ignore_broadcast_re [INFO] Performing audit
3.3.5_ignore_broadcast_re [ OK ] net.ipv4.icmp_echo_ignore_broadcasts correctly set to 1
3.3.5_ignore_broadcast_re [ OK ] Check Passed
3.3.6_enable_bad_error_me [INFO] Working on 3.3.6_enable_bad_error_message_protection
3.3.6_enable_bad_error_me [INFO] [DESCRIPTION] Enable bad error message protection to prevent logfiles fillup.
3.3.6_enable_bad_error_me [INFO] Checking Configuration
3.3.6_enable_bad_error_me [INFO] Performing audit
3.3.6_enable_bad_error_me [ OK ] net.ipv4.icmp_ignore_bogus_error_responses correctly set to 1
3.3.6_enable_bad_error_me [ OK ] Check Passed
3.3.7_enable_source_route [INFO] Working on 3.3.7_enable_source_route_validation
3.3.7_enable_source_route [INFO] [DESCRIPTION] Enable RFC-recommended source route validation.
3.3.7_enable_source_route [INFO] Checking Configuration
3.3.7_enable_source_route [INFO] Performing audit
3.3.7_enable_source_route [ OK ] net.ipv4.conf.all.rp_filter correctly set to 1
3.3.7_enable_source_route [ OK ] net.ipv4.conf.default.rp_filter correctly set to 1
3.3.7_enable_source_route [ OK ] Check Passed
3.3.8_enable_tcp_syn_cook [INFO] Working on 3.3.8_enable_tcp_syn_cookies
3.3.8_enable_tcp_syn_cook [INFO] [DESCRIPTION] Enable TCP-SYN cookie to prevent TCP-SYN flood attack.
3.3.8_enable_tcp_syn_cook [INFO] Checking Configuration
3.3.8_enable_tcp_syn_cook [INFO] Performing audit
3.3.8_enable_tcp_syn_cook [ OK ] net.ipv4.tcp_syncookies correctly set to 1
3.3.8_enable_tcp_syn_cook [ OK ] Check Passed
3.3.9_disable_ipv6_router [INFO] Working on 3.3.9_disable_ipv6_router_advertisement
3.3.9_disable_ipv6_router [INFO] [DESCRIPTION] Disable IPv6 router advertisements.
3.3.9_disable_ipv6_router [INFO] Checking Configuration
3.3.9_disable_ipv6_router [INFO] Performing audit
3.3.9_disable_ipv6_router [ OK ] ipv6 disabled
3.3.9_disable_ipv6_router [ OK ] Check Passed
3.4.1_disable_dccp        [INFO] Working on 3.4.1_disable_dccp
3.4.1_disable_dccp        [INFO] [DESCRIPTION] Disable Datagram Congestion Control Protocol (DCCP).
3.4.1_disable_dccp        [INFO] Checking Configuration
3.4.1_disable_dccp        [INFO] Performing audit
3.4.1_disable_dccp        [ OK ] dccp is disabled
3.4.1_disable_dccp        [ OK ] Check Passed
3.4.2_disable_sctp        [INFO] Working on 3.4.2_disable_sctp
3.4.2_disable_sctp        [INFO] [DESCRIPTION] Disable Stream Control Transmission Protocol (SCTP).
3.4.2_disable_sctp        [INFO] Checking Configuration
3.4.2_disable_sctp        [INFO] Performing audit
3.4.2_disable_sctp        [ OK ] sctp is disabled
3.4.2_disable_sctp        [ OK ] Check Passed
3.4.3_disable_rds         [INFO] Working on 3.4.3_disable_rds
3.4.3_disable_rds         [INFO] [DESCRIPTION] Disable Reliable Datagram Sockets (RDS).
3.4.3_disable_rds         [INFO] Checking Configuration
3.4.3_disable_rds         [INFO] Performing audit
3.4.3_disable_rds         [ OK ] rds is disabled
3.4.3_disable_rds         [ OK ] Check Passed
3.4.4_disable_tipc        [INFO] Working on 3.4.4_disable_tipc
3.4.4_disable_tipc        [INFO] [DESCRIPTION] Disable Transperent Inter-Process Communication (TIPC).
3.4.4_disable_tipc        [INFO] Checking Configuration
3.4.4_disable_tipc        [INFO] Performing audit
3.4.4_disable_tipc        [ OK ] tipc is disabled
3.4.4_disable_tipc        [ OK ] Check Passed
3.5.1.1_enable_firewall   [INFO] Working on 3.5.1.1_enable_firewall
3.5.1.1_enable_firewall   [INFO] [DESCRIPTION] Ensure firewall is active (iptables is installed, does not check for its configuration).
3.5.1.1_enable_firewall   [INFO] Checking Configuration
[  482.757079] systemd-journald[264]: Data hash table of /var/log/journal/1234567800000000000002f599de2c65/system.journal has a fill level at 75.0 (1777 of 2368 items, 1363968 file 
3.5.1.1_enable_firewall   [INFO] Performing audit
[  482.764894] systemd-journald[264]: /var/log/journal/1234567800000000000002f599de2c65/system.journal: Journal header limits reached or header out-of-date, rotating.
3.5.1.1_enable_firewall   [ OK ] iptables is installed
3.5.1.1_enable_firewall   [ OK ] Check Passed
3.5.4.1.1_net_fw_default_ [INFO] Working on 3.5.4.1.1_net_fw_default_policy_drop
3.5.4.1.1_net_fw_default_ [INFO] [DESCRIPTION] Check iptables firewall default policy for DROP on INPUT and FORWARD.
3.5.4.1.1_net_fw_default_ [INFO] Checking Configuration
3.5.4.1.1_net_fw_default_ [INFO] Performing audit
3.5.4.1.1_net_fw_default_ [ OK ] Policy correctly set to DROP for chain INPUT
3.5.4.1.1_net_fw_default_ [ OK ] Policy correctly set to DROP for chain FORWARD
3.5.4.1.1_net_fw_default_ [ OK ] Check Passed
4.1.1.1_install_auditd    [INFO] Working on 4.1.1.1_install_auditd
4.1.1.1_install_auditd    [INFO] [DESCRIPTION] Install auditd.
4.1.1.1_install_auditd    [INFO] Checking Configuration
4.1.1.1_install_auditd    [INFO] Performing audit
4.1.1.1_install_auditd    [ OK ] auditd is installed
4.1.1.1_install_auditd    [ OK ] Check Passed
4.1.1.2_enable_auditd     [INFO] Working on 4.1.1.2_enable_auditd
4.1.1.2_enable_auditd     [INFO] [DESCRIPTION] Ensure auditd service is installed and running.
4.1.1.2_enable_auditd     [INFO] Checking Configuration
4.1.1.2_enable_auditd     [INFO] Performing audit
4.1.1.2_enable_auditd     [ OK ] auditd is installed
4.1.1.2_enable_auditd     [ OK ] auditd is enabled
4.1.1.2_enable_auditd     [ OK ] Check Passed
4.1.1.3_audit_bootloader  [INFO] Working on 4.1.1.3_audit_bootloader
4.1.1.3_audit_bootloader  [INFO] [DESCRIPTION] Enable auditing for processes that start prior to auditd.
4.1.1.3_audit_bootloader  [INFO] Checking Configuration
4.1.1.3_audit_bootloader  [INFO] Performing audit
4.1.1.3_audit_bootloader  [ OK ] Audit proc is set in SYSLINUX bootloader
4.1.1.3_audit_bootloader  [ OK ] Bootloader SYSLINUX found
4.1.1.3_audit_bootloader  [ OK ] Check Passed
4.1.1.4_audit_backlog_lim [INFO] Working on 4.1.1.4_audit_backlog_limit
4.1.1.4_audit_backlog_lim [INFO] [DESCRIPTION] Configure audit_backlog_limit to be sufficient.
4.1.1.4_audit_backlog_lim [INFO] Checking Configuration
4.1.1.4_audit_backlog_lim [INFO] Performing audit
4.1.1.4_audit_backlog_lim [ OK ] Audit log backlog limit is set in SYSLINUX bootloader
4.1.1.4_audit_backlog_lim [ OK ] Bootloader SYSLINUX found
4.1.1.4_audit_backlog_lim [ OK ] Check Passed
4.1.10_record_failed_acce [INFO] Working on 4.1.10_record_failed_access_file
4.1.10_record_failed_acce [INFO] [DESCRIPTION] Collect unsuccessful unauthorized access attemps to files.
4.1.10_record_failed_acce [INFO] Checking Configuration
4.1.10_record_failed_acce [INFO] Performing audit
4.1.10_record_failed_acce [ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is presen
4.1.10_record_failed_acce [ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is presen
4.1.10_record_failed_acce [ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is present
4.1.10_record_failed_acce [ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is presen 
4.1.10_record_failed_acce [ OK ] Check Passed
4.1.11_record_privileged_ [INFO] Working on 4.1.11_record_privileged_commands
4.1.11_record_privileged_ [INFO] [DESCRIPTION] Collect use of privileged commands.
4.1.11_record_privileged_ [INFO] Checking Configuration
4.1.11_record_privileged_ [INFO] Performing audit
4.1.11_record_privileged_ [ OK ] -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged is present in /etc/audit/audit.rules
4.1.11_record_privileged_ [ OK ] -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged is present in /etc/audit/audit.rules
4.1.11_record_privileged_ [ OK ] -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged is present in /etc/audit/audit.rules
4.1.11_record_privileged_ [ OK ] -a always,exit -F path=/usr/bin/dotlockfile -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged is present in /etc/audit/audit.rules
4.1.11_record_privileged_ [ OK ] -a always,exit -F path=/usr/bin/expiry -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged is present in /etc/audit/audit.rules
4.1.11_record_privileged_ [ OK ] -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged is present in /etc/audit/audit.rules
4.1.11_record_privileged_ [ OK ] -a always,exit -F path=/usr/bin/mailq -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged is present in /etc/audit/audit.rules
4.1.11_record_privileged_ [ OK ] -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged is present in /etc/audit/audit.rules
4.1.11_record_privileged_ [ OK ] -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged is present in /etc/audit/audit.rules
4.1.11_record_privileged_ [ OK ] -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged is present in /etc/audit/audit.rules
4.1.11_record_privileged_ [ OK ] -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged is present in /etc/audit/audit.rules
4.1.11_record_privileged_ [ OK ] -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged is present in /etc/audit/audit.rules
4.1.11_record_privileged_ [ OK ] -a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged is present in /etc/audit/audit.rules
4.1.11_record_privileged_ [ OK ] -a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged is present in /etc/audit/audit.rules
4.1.11_record_privileged_ [ OK ] -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged is present in /etc/audit/audit.rules
4.1.11_record_privileged_ [ OK ] -a always,exit -F path=/usr/lib/systemd-cron/crontab_setgid -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged is present in /etc/audit/audie
4.1.11_record_privileged_ [ OK ] -a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged is present in /etc/audi
4.1.11_record_privileged_ [ OK ] -a always,exit -F path=/usr/sbin/nullmailer-queue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged is present in /etc/audit/audit.rules
4.1.11_record_privileged_ [ OK ] -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged is present in /etc/audit/audit.rules
4.1.11_record_privileged_ [ OK ] Check Passed
4.1.12_record_successful_ [INFO] Working on 4.1.12_record_successful_mount
4.1.12_record_successful_ [INFO] [DESCRIPTION] Collect sucessfull file system mounts.
4.1.12_record_successful_ [INFO] Checking Configuration
4.1.12_record_successful_ [INFO] Performing audit
4.1.12_record_successful_ [ OK ] -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/audit.rules
4.1.12_record_successful_ [ OK ] -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/audit.rules
4.1.12_record_successful_ [ OK ] Check Passed
4.1.13_record_file_deleti [INFO] Working on 4.1.13_record_file_deletions
4.1.13_record_file_deleti [INFO] [DESCRIPTION] Collects file deletion events by users.
4.1.13_record_file_deleti [INFO] Checking Configuration
4.1.13_record_file_deleti [INFO] Performing audit
4.1.13_record_file_deleti [ OK ] -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/audit.ru
4.1.13_record_file_deleti [ OK ] -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/audit.ru
4.1.13_record_file_deleti [ OK ] Check Passed
4.1.14_record_sudoers_edi [INFO] Working on 4.1.14_record_sudoers_edit
4.1.14_record_sudoers_edi [INFO] [DESCRIPTION] Collect changes to system administration scopre.
4.1.14_record_sudoers_edi [INFO] Checking Configuration
4.1.14_record_sudoers_edi [INFO] Performing audit
4.1.14_record_sudoers_edi [ OK ] -w /etc/sudoers -p wa -k sudoers is present in /etc/audit/audit.rules
4.1.14_record_sudoers_edi [ OK ] -w /etc/sudoers.d/ -p wa -k sudoers is present in /etc/audit/audit.rules
4.1.14_record_sudoers_edi [ OK ] Check Passed
4.1.15_record_sudo_usage  [INFO] Working on 4.1.15_record_sudo_usage
4.1.15_record_sudo_usage  [INFO] [DESCRIPTION] Collect system administration actions (sudolog).
4.1.15_record_sudo_usage  [INFO] Checking Configuration
4.1.15_record_sudo_usage  [INFO] Performing audit
4.1.15_record_sudo_usage  [ OK ] -w /var/log/auth.log -p wa -k sudoaction is present in /etc/audit/audit.rules
4.1.15_record_sudo_usage  [ OK ] Check Passed
4.1.16_record_kernel_modu [INFO] Working on 4.1.16_record_kernel_modules
4.1.16_record_kernel_modu [INFO] [DESCRIPTION] Collect kernel module loading and unloading.
4.1.16_record_kernel_modu [INFO] Checking Configuration
4.1.16_record_kernel_modu [INFO] Performing audit
4.1.16_record_kernel_modu [ OK ] -w /sbin/insmod -p x -k modules is present in /etc/audit/audit.rules
4.1.16_record_kernel_modu [ OK ] -w /sbin/rmmod -p x -k modules is present in /etc/audit/audit.rules
4.1.16_record_kernel_modu [ OK ] -w /sbin/modprobe -p x -k modules is present in /etc/audit/audit.rules
4.1.16_record_kernel_modu [ OK ] -a always,exit -F arch=b64 -S init_module -S delete_module -k modules is present in /etc/audit/audit.rules
4.1.16_record_kernel_modu [ OK ] Check Passed
4.1.17_freeze_auditd_conf [INFO] Working on 4.1.17_freeze_auditd_conf
4.1.17_freeze_auditd_conf [INFO] [DESCRIPTION] Make the audit configuration immutable.
4.1.17_freeze_auditd_conf [INFO] Checking Configuration
4.1.17_freeze_auditd_conf [INFO] Performing audit
4.1.17_freeze_auditd_conf [ OK ] -e 2 is present in /etc/audit/audit.rules
4.1.17_freeze_auditd_conf [ OK ] Check Passed
4.1.2.1_audit_log_storage [INFO] Working on 4.1.2.1_audit_log_storage
4.1.2.1_audit_log_storage [INFO] [DESCRIPTION] Configure audit log storage size.
4.1.2.1_audit_log_storage [INFO] Checking Configuration
4.1.2.1_audit_log_storage [INFO] Performing audit
4.1.2.1_audit_log_storage [ OK ] /etc/audit/auditd.conf exists, checking configuration
4.1.2.1_audit_log_storage [ OK ] max_log_file is present in /etc/audit/auditd.conf
4.1.2.1_audit_log_storage [ OK ] Check Passed
4.1.2.2_halt_when_audit_l [INFO] Working on 4.1.2.2_halt_when_audit_log_full
4.1.2.2_halt_when_audit_l [INFO] [DESCRIPTION] Disable system on audit log full.
4.1.2.2_halt_when_audit_l [INFO] Checking Configuration
4.1.2.2_halt_when_audit_l [INFO] Performing audit
4.1.2.2_halt_when_audit_l [ OK ] /etc/audit/auditd.conf exists, checking configuration
4.1.2.2_halt_when_audit_l [ OK ] ^space_left_action[[:space:]]*=[[:space:]]*email is present in /etc/audit/auditd.conf
4.1.2.2_halt_when_audit_l [ OK ] ^action_mail_acct[[:space:]]*=[[:space:]]*root is present in /etc/audit/auditd.conf
4.1.2.2_halt_when_audit_l [ OK ] ^admin_space_left_action[[:space:]]*=[[:space:]]*halt is present in /etc/audit/auditd.conf
4.1.2.2_halt_when_audit_l [ OK ] Check Passed
4.1.2.3_keep_all_audit_lo [INFO] Working on 4.1.2.3_keep_all_audit_logs
4.1.2.3_keep_all_audit_lo [INFO] [DESCRIPTION] Keep all auditing information.
4.1.2.3_keep_all_audit_lo [INFO] Checking Configuration
4.1.2.3_keep_all_audit_lo [INFO] Performing audit
4.1.2.3_keep_all_audit_lo [ OK ] /etc/audit/auditd.conf exists, checking configuration
4.1.2.3_keep_all_audit_lo [ OK ] ^max_log_file_action[[:space:]]*=[[:space:]]*keep_logs is present in /etc/audit/auditd.conf
4.1.2.3_keep_all_audit_lo [ OK ] Check Passed
4.1.3_record_date_time_ed [INFO] Working on 4.1.3_record_date_time_edit
4.1.3_record_date_time_ed [INFO] [DESCRIPTION] Record events that modify date and time information.
4.1.3_record_date_time_ed [INFO] Checking Configuration
4.1.3_record_date_time_ed [INFO] Performing audit
4.1.3_record_date_time_ed [ OK ] -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change is present in /etc/audit/audit.rules
4.1.3_record_date_time_ed [ OK ] -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change is present in /etc/audit/audit.rules
4.1.3_record_date_time_ed [ OK ] -a always,exit -F arch=b64 -S clock_settime -k time-change is present in /etc/audit/audit.rules
4.1.3_record_date_time_ed [ OK ] -a always,exit -F arch=b32 -S clock_settime -k time-change is present in /etc/audit/audit.rules
4.1.3_record_date_time_ed [ OK ] -w /etc/localtime -p wa -k time-change is present in /etc/audit/audit.rules
4.1.3_record_date_time_ed [ OK ] Check Passed
4.1.4_record_user_group_e [INFO] Working on 4.1.4_record_user_group_edit
4.1.4_record_user_group_e [INFO] [DESCRIPTION] Record events that modify user/group information.
4.1.4_record_user_group_e [INFO] Checking Configuration
4.1.4_record_user_group_e [INFO] Performing audit
4.1.4_record_user_group_e [ OK ] -w /etc/group -p wa -k identity is present in /etc/audit/audit.rules
4.1.4_record_user_group_e [ OK ] -w /etc/passwd -p wa -k identity is present in /etc/audit/audit.rules
4.1.4_record_user_group_e [ OK ] -w /etc/gshadow -p wa -k identity is present in /etc/audit/audit.rules
4.1.4_record_user_group_e [ OK ] -w /etc/shadow -p wa -k identity is present in /etc/audit/audit.rules
4.1.4_record_user_group_e [ OK ] -w /etc/security/opasswd -p wa -k identity is present in /etc/audit/audit.rules
4.1.4_record_user_group_e [ OK ] Check Passed
4.1.5_record_network_edit [INFO] Working on 4.1.5_record_network_edit
4.1.5_record_network_edit [INFO] [DESCRIPTION] Record events that modify the system's network environment.
4.1.5_record_network_edit [INFO] Checking Configuration
4.1.5_record_network_edit [INFO] Performing audit
4.1.5_record_network_edit [ OK ] -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale is present in /etc/audit/audit.rules
4.1.5_record_network_edit [ OK ] -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale is present in /etc/audit/audit.rules
4.1.5_record_network_edit [ OK ] -w /etc/issue -p wa -k system-locale is present in /etc/audit/audit.rules
4.1.5_record_network_edit [ OK ] -w /etc/issue.net -p wa -k system-locale is present in /etc/audit/audit.rules
4.1.5_record_network_edit [ OK ] -w /etc/hosts -p wa -k system-locale is present in /etc/audit/audit.rules
4.1.5_record_network_edit [ OK ] -w /etc/network -p wa -k system-locale is present in /etc/audit/audit.rules
4.1.5_record_network_edit [ OK ] Check Passed
4.1.6_record_mac_edit     [INFO] Working on 4.1.6_record_mac_edit
4.1.6_record_mac_edit     [INFO] [DESCRIPTION] Record events that modify the system's mandatory access controls (MAC).
4.1.6_record_mac_edit     [INFO] Checking Configuration
4.1.6_record_mac_edit     [INFO] Performing audit
4.1.6_record_mac_edit     [ OK ] -w /etc/selinux/ -p wa -k MAC-policy is present in /etc/audit/audit.rules
4.1.6_record_mac_edit     [ OK ] Check Passed
4.1.7_record_login_logout [INFO] Working on 4.1.7_record_login_logout
4.1.7_record_login_logout [INFO] [DESCRIPTION] Collect login and logout events.
4.1.7_record_login_logout [INFO] Checking Configuration
4.1.7_record_login_logout [INFO] Performing audit
4.1.7_record_login_logout [ OK ] -w /var/log/faillog -p wa -k logins is present in /etc/audit/audit.rules
4.1.7_record_login_logout [ OK ] -w /var/log/lastlog -p wa -k logins is present in /etc/audit/audit.rules
4.1.7_record_login_logout [ OK ] -w /var/log/tallylog -p wa -k logins is present in /etc/audit/audit.rules
4.1.7_record_login_logout [ OK ] Check Passed
4.1.8_record_session_init [INFO] Working on 4.1.8_record_session_init
4.1.8_record_session_init [INFO] [DESCRIPTION] Collec sessions initiation information.
4.1.8_record_session_init [INFO] Checking Configuration
4.1.8_record_session_init [INFO] Performing audit
4.1.8_record_session_init [ OK ] -w /var/run/utmp -p wa -k session is present in /etc/audit/audit.rules
4.1.8_record_session_init [ OK ] -w /var/log/wtmp -p wa -k session is present in /etc/audit/audit.rules
4.1.8_record_session_init [ OK ] -w /var/log/btmp -p wa -k session is present in /etc/audit/audit.rules
4.1.8_record_session_init [ OK ] Check Passed
4.1.9_record_dac_edit     [INFO] Working on 4.1.9_record_dac_edit
4.1.9_record_dac_edit     [INFO] [DESCRIPTION] Collect discretionary access control (DAC) permission modification events.
4.1.9_record_dac_edit     [INFO] Checking Configuration
4.1.9_record_dac_edit     [INFO] Performing audit
4.1.9_record_dac_edit     [ OK ] -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules
4.1.9_record_dac_edit     [ OK ] -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules
4.1.9_record_dac_edit     [ OK ] -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rul
4.1.9_record_dac_edit     [ OK ] -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rul
4.1.9_record_dac_edit     [ OK ] -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k
4.1.9_record_dac_edit     [ OK ] -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k
4.1.9_record_dac_edit     [ OK ] Check Passed
4.2.1.1_install_syslog-ng [INFO] Working on 4.2.1.1_install_syslog-ng
4.2.1.1_install_syslog-ng [INFO] [DESCRIPTION] Install syslog-ng to manage logs
4.2.1.1_install_syslog-ng [INFO] Checking Configuration
4.2.1.1_install_syslog-ng [INFO] Performing audit
4.2.1.1_install_syslog-ng [ OK ] syslog-ng is installed
4.2.1.1_install_syslog-ng [ OK ] Check Passed
4.2.1.2_enable_syslog-ng  [INFO] Working on 4.2.1.2_enable_syslog-ng
4.2.1.2_enable_syslog-ng  [INFO] [DESCRIPTION] Ensure syslog-ng service is activated.
4.2.1.2_enable_syslog-ng  [INFO] Checking Configuration
4.2.1.2_enable_syslog-ng  [INFO] Performing audit
4.2.1.2_enable_syslog-ng  [INFO] Checking if syslog-ng is enabled
4.2.1.2_enable_syslog-ng  [ OK ] syslog-ng is enabled
4.2.1.2_enable_syslog-ng  [ OK ] Check Passed
4.2.1.3_configure_syslog- [INFO] Working on 4.2.1.3_configure_syslog-ng
4.2.1.3_configure_syslog- [INFO] [DESCRIPTION] Configure /etc/syslog-ng/syslog-ng.conf .
4.2.1.3_configure_syslog- [INFO] Checking Configuration
4.2.1.3_configure_syslog- [INFO] Performing audit
4.2.1.3_configure_syslog- [INFO] Ensure default and local facilities are preserved on the system
4.2.1.3_configure_syslog- [INFO] No measure here, please review the file by yourself
4.2.1.3_configure_syslog- [ OK ] Check Passed
4.2.1.4_syslog_ng_logfile [INFO] Working on 4.2.1.4_syslog_ng_logfiles_perm
4.2.1.4_syslog_ng_logfile [INFO] [DESCRIPTION] Create and set permissions on syslog-ng logfiles.
4.2.1.4_syslog_ng_logfile [INFO] Checking Configuration
4.2.1.4_syslog_ng_logfile [INFO] Performing audit
4.2.1.4_syslog_ng_logfile [ OK ] /var/log/auth.log has correct ownership (root:adm)
4.2.1.4_syslog_ng_logfile [ OK ] /var/log/auth.log has correct permissions (640)
4.2.1.4_syslog_ng_logfile [WARN] /var/log/cron.log does not exist
4.2.1.4_syslog_ng_logfile [ OK ] /var/log/daemon.log has correct ownership (root:adm)
4.2.1.4_syslog_ng_logfile [ OK ] /var/log/daemon.log has correct permissions (640)
4.2.1.4_syslog_ng_logfile [ OK ] /var/log/kern.log has correct ownership (root:adm)
4.2.1.4_syslog_ng_logfile [ OK ] /var/log/kern.log has correct permissions (640)
4.2.1.4_syslog_ng_logfile [WARN] /var/log/lpr.log does not exist
4.2.1.4_syslog_ng_logfile [ OK ] /var/log/mail.log has correct ownership (root:adm)
4.2.1.4_syslog_ng_logfile [ OK ] /var/log/mail.log has correct permissions (640)
4.2.1.4_syslog_ng_logfile [ OK ] /var/log/syslog has correct ownership (root:adm)
4.2.1.4_syslog_ng_logfile [ OK ] /var/log/syslog has correct permissions (640)
4.2.1.4_syslog_ng_logfile [WARN] /var/log/user.log does not exist
4.2.1.4_syslog_ng_logfile [WARN] /var/log/uucp.log does not exist
4.2.1.4_syslog_ng_logfile [WARN] /var/log/mail.info does not exist
4.2.1.4_syslog_ng_logfile [WARN] /var/log/mail.warn does not exist
4.2.1.4_syslog_ng_logfile [WARN] /var/log/mail.err does not exist
4.2.1.4_syslog_ng_logfile [WARN] /var/log/news/news.crit does not exist
4.2.1.4_syslog_ng_logfile [WARN] /var/log/news/news.err does not exist
4.2.1.4_syslog_ng_logfile [WARN] /var/log/news/news.notice does not exist
4.2.1.4_syslog_ng_logfile [ OK ] /var/log/debug has correct ownership (root:adm)
4.2.1.4_syslog_ng_logfile [ OK ] /var/log/debug has correct permissions (640)
4.2.1.4_syslog_ng_logfile [ OK ] /var/log/error has correct ownership (root:adm)
4.2.1.4_syslog_ng_logfile [ OK ] /var/log/error has correct permissions (640)
4.2.1.4_syslog_ng_logfile [ OK ] /var/log/messages has correct ownership (root:adm)
4.2.1.4_syslog_ng_logfile [ OK ] /var/log/messages has correct permissions (640)
4.2.1.4_syslog_ng_logfile [WARN] /var/log/ppp.log does not exist
4.2.1.4_syslog_ng_logfile [ OK ] Check Passed
4.2.1.5_syslog-ng_remote_ [INFO] Working on 4.2.1.5_syslog-ng_remote_host
4.2.1.5_syslog-ng_remote_ [INFO] [DESCRIPTION] Configure syslog-ng to send logs to a remote log host.
4.2.1.5_syslog-ng_remote_ [INFO] 4.2.1.5_syslog-ng_remote_host is disabled, ignoring
4.2.1.6_remote_syslog-ng_ [INFO] Working on 4.2.1.6_remote_syslog-ng_acl
4.2.1.6_remote_syslog-ng_ [INFO] [DESCRIPTION] Configure syslog to accept remote syslog messages only on designated log hosts.
4.2.1.6_remote_syslog-ng_ [INFO] 4.2.1.6_remote_syslog-ng_acl is disabled, ignoring
4.2.2.1_journald_logs     [INFO] Working on 4.2.2.1_journald_logs
4.2.2.1_journald_logs     [INFO] [DESCRIPTION] Configure journald to send logs to syslog-ng.
4.2.2.1_journald_logs     [INFO] Checking Configuration
4.2.2.1_journald_logs     [INFO] Performing audit
4.2.2.1_journald_logs     [ OK ] /etc/systemd/journald.conf exists, checking configuration
4.2.2.1_journald_logs     [ OK ] ^ForwardToSyslog=no is not present in /etc/systemd/journald.conf
4.2.2.1_journald_logs     [ OK ] Check Passed
4.2.2.2_journald_compress [INFO] Working on 4.2.2.2_journald_compress
4.2.2.2_journald_compress [INFO] [DESCRIPTION] Configure journald to send logs to syslog-ng.
4.2.2.2_journald_compress [INFO] Checking Configuration
4.2.2.2_journald_compress [INFO] Performing audit
4.2.2.2_journald_compress [ OK ] /etc/systemd/journald.conf exists, checking configuration
4.2.2.2_journald_compress [ OK ] ^Compress=no is not present in /etc/systemd/journald.conf
4.2.2.2_journald_compress [ OK ] Check Passed
4.2.2.3_journald_write_pe [INFO] Working on 4.2.2.3_journald_write_persistent
4.2.2.3_journald_write_pe [INFO] [DESCRIPTION] Configure journald to write to a persistent location.
4.2.2.3_journald_write_pe [INFO] Checking Configuration
4.2.2.3_journald_write_pe [INFO] Performing audit
4.2.2.3_journald_write_pe [ OK ] /etc/systemd/journald.conf exists, checking configuration
4.2.2.3_journald_write_pe [ OK ] ^Storage=persistent is present in /etc/systemd/journald.conf
4.2.2.3_journald_write_pe [ OK ] Check Passed
4.2.3_logs_permissions    [INFO] Working on 4.2.3_logs_permissions
4.2.3_logs_permissions    [INFO] [DESCRIPTION] Check permissions on logs (other has no permissions on any files and group does not have write or execute permissions on any file)
4.2.3_logs_permissions    [INFO] Checking Configuration
4.2.3_logs_permissions    [INFO] Performing audit
4.2.3_logs_permissions    [ OK ] /var/log/btmp permissions were set to 640
4.2.3_logs_permissions    [ OK ] /var/log/sysstat/sa07 permissions were set to 640
4.2.3_logs_permissions    [ OK ] /var/log/kern.log permissions were set to 640
4.2.3_logs_permissions    [ OK ] /var/log/sudo.log permissions were set to 600
4.2.3_logs_permissions    [ OK ] /var/log/wtmp permissions were set to 640
4.2.3_logs_permissions    [ OK ] /var/log/auth.log permissions were set to 640
4.2.3_logs_permissions    [ OK ] /var/log/error permissions were set to 640
4.2.3_logs_permissions    [ OK ] /var/log/journal/1234567800000000000002f599de2c65/system@ca9dfbb79aaf4b738b1f499e84ae0db2-00000000000002f5-0005e0dcd3d3dd25.journal permissions were
4.2.3_logs_permissions    [ OK ] /var/log/journal/1234567800000000000002f599de2c65/system.journal permissions were set to 640
4.2.3_logs_permissions    [ OK ] /var/log/journal/1234567800000000000002f599de2c65/system@ca9dfbb79aaf4b738b1f499e84ae0db2-000000000000088c-0005e0dce90b176f.journal permissions were
4.2.3_logs_permissions    [ OK ] /var/log/journal/1234567800000000000002f599de2c65/system@ca9dfbb79aaf4b738b1f499e84ae0db2-0000000000000001-0005e0dcd25a26a6.journal permissions wer6
4.2.3_logs_permissions    [ OK ] /var/log/journal/1234567800000000000002f599de2c65/system@ca9dfbb79aaf4b738b1f499e84ae0db2-00000000000005d6-0005e0dcd545efa5.journal permissions were
4.2.3_logs_permissions    [ OK ] /var/log/audit/audit.log permissions were set to 640
4.2.3_logs_permissions    [ OK ] /var/log/lastlog permissions were set to 640
4.2.3_logs_permissions    [ OK ] /var/log/daemon.log permissions were set to 640
4.2.3_logs_permissions    [ OK ] /var/log/debug permissions were set to 640
4.2.3_logs_permissions    [ OK ] /var/log/mail.log permissions were set to 640
4.2.3_logs_permissions    [ OK ] /var/log/messages permissions were set to 640
4.2.3_logs_permissions    [ OK ] /var/log/syslog permissions were set to 640
4.2.3_logs_permissions    [ OK ] Logs in /var/log have correct permissions
4.2.3_logs_permissions    [ OK ] Check Passed
4.3_configure_logrotate   [INFO] Working on 4.3_configure_logrotate
4.3_configure_logrotate   [INFO] [DESCRIPTION] Configure logrotate to prevent logfile from growing unmanageable.
4.3_configure_logrotate   [INFO] Checking Configuration
4.3_configure_logrotate   [INFO] Performing audit
4.3_configure_logrotate   [INFO] Ensure logs are properly rotated (especially syslog-ng)
4.3_configure_logrotate   [INFO] No measure here, please review the files by yourself
4.3_configure_logrotate   [ OK ] Check Passed
4.4_logrotate_permissions [INFO] Working on 4.4_logrotate_permissions
4.4_logrotate_permissions [INFO] [DESCRIPTION] Configure logrotate to assign appropriate permissions.
4.4_logrotate_permissions [INFO] 4.4_logrotate_permissions is disabled, ignoring
5.1.1_enable_cron         [INFO] Working on 5.1.1_enable_cron
5.1.1_enable_cron         [INFO] [DESCRIPTION] Cron package is installed and enabled.
5.1.1_enable_cron         [INFO] 5.1.1_enable_cron is disabled, ignoring
5.1.2_crontab_perm_owners [INFO] Working on 5.1.2_crontab_perm_ownership
5.1.2_crontab_perm_owners [INFO] [DESCRIPTION] User/Group set to root and permissions to 600 on /etc/crontab .
5.1.2_crontab_perm_owners [INFO] Checking Configuration
5.1.2_crontab_perm_owners [INFO] Performing audit
5.1.2_crontab_perm_owners [ OK ] /etc/crontab has correct ownership
5.1.2_crontab_perm_owners [ OK ] /etc/crontab has correct permissions
5.1.2_crontab_perm_owners [ OK ] Check Passed
5.1.3_cron_hourly_perm_ow [INFO] Working on 5.1.3_cron_hourly_perm_ownership
5.1.3_cron_hourly_perm_ow [INFO] [DESCRIPTION] User/Group set to root and permissions to 700 on /etc/cron.hourly .
5.1.3_cron_hourly_perm_ow [INFO] Checking Configuration
5.1.3_cron_hourly_perm_ow [INFO] Performing audit
5.1.3_cron_hourly_perm_ow [ OK ] /etc/cron.hourly has correct ownership
5.1.3_cron_hourly_perm_ow [ OK ] /etc/cron.hourly has correct permissions
5.1.3_cron_hourly_perm_ow [ OK ] Check Passed
5.1.4_cron_daily_perm_own [INFO] Working on 5.1.4_cron_daily_perm_ownership
5.1.4_cron_daily_perm_own [INFO] [DESCRIPTION] User/group set to root and permissions to 700 on /etc/cron.daily .
5.1.4_cron_daily_perm_own [INFO] Checking Configuration
5.1.4_cron_daily_perm_own [INFO] Performing audit
5.1.4_cron_daily_perm_own [ OK ] /etc/cron.daily has correct ownership
5.1.4_cron_daily_perm_own [ OK ] /etc/cron.daily has correct permissions
5.1.4_cron_daily_perm_own [ OK ] Check Passed
5.1.5_cron_weekly_perm_ow [INFO] Working on 5.1.5_cron_weekly_perm_ownership
5.1.5_cron_weekly_perm_ow [INFO] [DESCRIPTION] User/group set to root and permissions to 700 on /etc/cron.weekly .
5.1.5_cron_weekly_perm_ow [INFO] Checking Configuration
5.1.5_cron_weekly_perm_ow [INFO] Performing audit
5.1.5_cron_weekly_perm_ow [ OK ] /etc/cron.weekly has correct ownership
5.1.5_cron_weekly_perm_ow [ OK ] /etc/cron.weekly has correct permissions
5.1.5_cron_weekly_perm_ow [ OK ] Check Passed
5.1.6_cron_monthly_perm_o [INFO] Working on 5.1.6_cron_monthly_perm_ownership
5.1.6_cron_monthly_perm_o [INFO] [DESCRIPTION] User/group set to root and permissions to 700 on /etc/cron.monthly .
5.1.6_cron_monthly_perm_o [INFO] Checking Configuration
5.1.6_cron_monthly_perm_o [INFO] Performing audit
5.1.6_cron_monthly_perm_o [ OK ] /etc/cron.monthly has correct ownership
5.1.6_cron_monthly_perm_o [ OK ] /etc/cron.monthly has correct permissions
5.1.6_cron_monthly_perm_o [ OK ] Check Passed
5.1.7_cron_d_perm_ownersh [INFO] Working on 5.1.7_cron_d_perm_ownership
5.1.7_cron_d_perm_ownersh [INFO] [DESCRIPTION] User/group set to root and permissions to 700 on /etc/cron.d .
5.1.7_cron_d_perm_ownersh [INFO] Checking Configuration
5.1.7_cron_d_perm_ownersh [INFO] Performing audit
5.1.7_cron_d_perm_ownersh [ OK ] /etc/cron.d has correct ownership
5.1.7_cron_d_perm_ownersh [ OK ] /etc/cron.d has correct permissions
5.1.7_cron_d_perm_ownersh [ OK ] Check Passed
5.1.8_cron_users          [INFO] Working on 5.1.8_cron_users
5.1.8_cron_users          [INFO] [DESCRIPTION] Restrict at/cron to authorized users.
5.1.8_cron_users          [INFO] Checking Configuration
5.1.8_cron_users          [INFO] Performing audit
5.1.8_cron_users          [ OK ] /etc/cron.deny is absent
5.1.8_cron_users          [ OK ] /etc/at.deny is absent
5.1.8_cron_users          [ OK ] /etc/cron.allow has correct ownership
5.1.8_cron_users          [ OK ] /etc/cron.allow has correct permissions
5.1.8_cron_users          [ OK ] /etc/at.allow has correct ownership
5.1.8_cron_users          [ OK ] /etc/at.allow has correct permissions
5.1.8_cron_users          [ OK ] Check Passed
5.2.10_disable_root_login [INFO] Working on 5.2.10_disable_root_login
5.2.10_disable_root_login [INFO] [DESCRIPTION] Disable SSH Root Login.
5.2.10_disable_root_login [INFO] Checking Configuration
5.2.10_disable_root_login [INFO] Performing audit
5.2.10_disable_root_login [ OK ] openssh-server is installed
5.2.10_disable_root_login [ OK ] ^PermitRootLogin[[:space:]]*no is present in /etc/ssh/sshd_config
5.2.10_disable_root_login [ OK ] Check Passed
5.2.11_disable_sshd_permi [INFO] Working on 5.2.11_disable_sshd_permitemptypasswords
5.2.11_disable_sshd_permi [INFO] [DESCRIPTION] Set SSH PermitEmptyPasswords to No in order to disallow SSH login to accounts with empty password strigs.
5.2.11_disable_sshd_permi [INFO] Checking Configuration
5.2.11_disable_sshd_permi [INFO] Performing audit
5.2.11_disable_sshd_permi [ OK ] openssh-server is installed
5.2.11_disable_sshd_permi [ OK ] ^PermitEmptyPasswords[[:space:]]*no is present in /etc/ssh/sshd_config
5.2.11_disable_sshd_permi [ OK ] Check Passed
5.2.12_disable_sshd_seten [INFO] Working on 5.2.12_disable_sshd_setenv
5.2.12_disable_sshd_seten [INFO] [DESCRIPTION] Do not allow users to set environment options.
5.2.12_disable_sshd_seten [INFO] Checking Configuration
5.2.12_disable_sshd_seten [INFO] Performing audit
5.2.12_disable_sshd_seten [ OK ] openssh-server is installed
5.2.12_disable_sshd_seten [ OK ] ^PermitUserEnvironment[[:space:]]*no is present in /etc/ssh/sshd_config
5.2.12_disable_sshd_seten [ OK ] Check Passed
5.2.13_sshd_ciphers       [INFO] Working on 5.2.13_sshd_ciphers
5.2.13_sshd_ciphers       [INFO] [DESCRIPTION] Use only approved ciphers in counter mode (ctr) or Galois counter mode (gcm).
5.2.13_sshd_ciphers       [INFO] Checking Configuration
5.2.13_sshd_ciphers       [INFO] Performing audit
5.2.13_sshd_ciphers       [ OK ] openssh-server is installed
5.2.13_sshd_ciphers       [ OK ] ^Ciphers[[:space:]]*chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr is present in /etch
5.2.13_sshd_ciphers       [ OK ] Check Passed
5.2.14_ssh_cry_mac        [INFO] Working on 5.2.14_ssh_cry_mac
5.2.14_ssh_cry_mac        [INFO] [DESCRIPTION] Checking Message Authentication Code ciphers for preferred UMAC and SHA-256|512 with Encrypt-Then-Mac (etm) setting.
5.2.14_ssh_cry_mac        [INFO] Checking Configuration
5.2.14_ssh_cry_mac        [INFO] Performing audit
5.2.14_ssh_cry_mac        [ OK ] openssh-server is installed
5.2.14_ssh_cry_mac        [ OK ] ^MACs[[:space:]]*hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 is present in /etc/ssh/sshd_config
5.2.14_ssh_cry_mac        [ OK ] Check Passed
5.2.15_ssh_cry_kex        [INFO] Working on 5.2.15_ssh_cry_kex
5.2.15_ssh_cry_kex        [INFO] [DESCRIPTION] Checking key exchange ciphers.
5.2.15_ssh_cry_kex        [INFO] Checking Configuration
5.2.15_ssh_cry_kex        [INFO] Performing audit
5.2.15_ssh_cry_kex        [ OK ] openssh-server is installed
5.2.15_ssh_cry_kex        [ OK ] ^KexAlgorithms[[:space:]]*curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellmans
5.2.15_ssh_cry_kex        [ OK ] Check Passed
5.2.16_sshd_idle_timeout  [INFO] Working on 5.2.16_sshd_idle_timeout
5.2.16_sshd_idle_timeout  [INFO] [DESCRIPTION] Set Idle Timeout Interval for user login.
5.2.16_sshd_idle_timeout  [INFO] Checking Configuration
5.2.16_sshd_idle_timeout  [INFO] Performing audit
5.2.16_sshd_idle_timeout  [ OK ] openssh-server is installed
5.2.16_sshd_idle_timeout  [ OK ] ^ClientAliveInterval[[:space:]]*300 is present in /etc/ssh/sshd_config
5.2.16_sshd_idle_timeout  [ OK ] ^ClientAliveCountMax[[:space:]]*0 is present in /etc/ssh/sshd_config
5.2.16_sshd_idle_timeout  [ OK ] Check Passed
5.2.17_sshd_login_grace_t [INFO] Working on 5.2.17_sshd_login_grace_time
5.2.17_sshd_login_grace_t [INFO] [DESCRIPTION] Set Login Grace Time for user login.
5.2.17_sshd_login_grace_t [INFO] Checking Configuration
5.2.17_sshd_login_grace_t [INFO] Performing audit
5.2.17_sshd_login_grace_t [ OK ] openssh-server is installed
5.2.17_sshd_login_grace_t [ OK ] ^LoginGraceTime[[:space:]]*60 is present in /etc/ssh/sshd_config
5.2.17_sshd_login_grace_t [ OK ] Check Passed
5.2.18_sshd_limit_access  [INFO] Working on 5.2.18_sshd_limit_access
5.2.18_sshd_limit_access  [INFO] [DESCRIPTION] Limite access via SSH by (dis)allowing specific users or groups.
5.2.18_sshd_limit_access  [INFO] Checking Configuration
5.2.18_sshd_limit_access  [INFO] ALLOWED_USERS is not set, defaults to wildcard
5.2.18_sshd_limit_access  [INFO] ALLOWED_GROUPS is not set, defaults to wildcard
5.2.18_sshd_limit_access  [INFO] DENIED_USERS is not set, defaults to nobody
5.2.18_sshd_limit_access  [INFO] DENIED_GROUPS is not set, defaults to nobody
5.2.18_sshd_limit_access  [INFO] Performing audit
5.2.18_sshd_limit_access  [ OK ] openssh-server is installed
5.2.18_sshd_limit_access  [ OK ] ^AllowUsers[[:space:]]** is present in /etc/ssh/sshd_config
5.2.18_sshd_limit_access  [ OK ] ^AllowGroups[[:space:]]** is present in /etc/ssh/sshd_config
5.2.18_sshd_limit_access  [ OK ] ^DenyUsers[[:space:]]*nobody is present in /etc/ssh/sshd_config
5.2.18_sshd_limit_access  [ OK ] ^DenyGroups[[:space:]]*nobody is present in /etc/ssh/sshd_config
5.2.18_sshd_limit_access  [ OK ] Check Passed
5.2.19_ssh_banner         [INFO] Working on 5.2.19_ssh_banner
5.2.19_ssh_banner         [INFO] [DESCRIPTION] Set ssh banner.
5.2.19_ssh_banner         [INFO] Checking Configuration
5.2.19_ssh_banner         [INFO] BANNER_FILE is not set, defaults to wildcard
5.2.19_ssh_banner         [INFO] Performing audit
5.2.19_ssh_banner         [ OK ] openssh-server is installed
5.2.19_ssh_banner         [ OK ] ^Banner[[:space:]]* is present in /etc/ssh/sshd_config
5.2.19_ssh_banner         [ OK ] Check Passed
5.2.1_sshd_conf_perm_owne [INFO] Working on 5.2.1_sshd_conf_perm_ownership
5.2.1_sshd_conf_perm_owne [INFO] [DESCRIPTION] Checking permissions and ownership to root 600 for sshd_config.
5.2.1_sshd_conf_perm_owne [INFO] Checking Configuration
5.2.1_sshd_conf_perm_owne [INFO] Performing audit
5.2.1_sshd_conf_perm_owne [ OK ] /etc/ssh/sshd_config has correct ownership
5.2.1_sshd_conf_perm_owne [ OK ] /etc/ssh/sshd_config has correct permissions
5.2.1_sshd_conf_perm_owne [ OK ] Check Passed
5.2.20_enable_ssh_pam     [INFO] Working on 5.2.20_enable_ssh_pam
5.2.20_enable_ssh_pam     [INFO] [DESCRIPTION] Enable SSH PAM.
5.2.20_enable_ssh_pam     [INFO] Checking Configuration
5.2.20_enable_ssh_pam     [INFO] Performing audit
5.2.20_enable_ssh_pam     [ OK ] openssh-server is installed
5.2.20_enable_ssh_pam     [ OK ] ^usepam[[:space:]]*yes is present in /etc/ssh/sshd_config
5.2.20_enable_ssh_pam     [ OK ] Check Passed
5.2.21_disable_ssh_allow_ [INFO] Working on 5.2.21_disable_ssh_allow_tcp_forwarding
5.2.21_disable_ssh_allow_ [INFO] [DESCRIPTION] Disable SSH AllowTCPForwarding.
5.2.21_disable_ssh_allow_ [INFO] Checking Configuration
5.2.21_disable_ssh_allow_ [INFO] Performing audit
5.2.21_disable_ssh_allow_ [ OK ] openssh-server is installed
5.2.21_disable_ssh_allow_ [ OK ] ^AllowTCPForwarding[[:space:]]*no is present in /etc/ssh/sshd_config
5.2.21_disable_ssh_allow_ [ OK ] Check Passed
5.2.22_configure_ssh_max_ [INFO] Working on 5.2.22_configure_ssh_max_startups
5.2.22_configure_ssh_max_ [INFO] [DESCRIPTION] Configure SSHMaxStartups.
5.2.22_configure_ssh_max_ [INFO] Checking Configuration
5.2.22_configure_ssh_max_ [INFO] Performing audit
5.2.22_configure_ssh_max_ [ OK ] openssh-server is installed
5.2.22_configure_ssh_max_ [ OK ] ^maxstartups[[:space:]]*10:30:60 is present in /etc/ssh/sshd_config
5.2.22_configure_ssh_max_ [ OK ] Check Passed
5.2.23_limit_ssh_max_sess [INFO] Working on 5.2.23_limit_ssh_max_sessions
5.2.23_limit_ssh_max_sess [INFO] [DESCRIPTION] Limit SSH MaxSessions.
5.2.23_limit_ssh_max_sess [INFO] Checking Configuration
5.2.23_limit_ssh_max_sess [INFO] Performing audit
5.2.23_limit_ssh_max_sess [ OK ] openssh-server is installed
5.2.23_limit_ssh_max_sess [ OK ] ^maxsessions[[:space:]]*10 is present in /etc/ssh/sshd_config
[  564.165216] systemd-journald[264]: Data hash table of /var/log/journal/1234567800000000000002f599de2c65/system.journal has a fill level at 75.1 (1779 of 2368 items, 1363968 filee
[  564.169755] systemd-journald[264]: /var/log/journal/1234567800000000000002f599de2c65/system.journal: Journal header limits reached or header out-of-date, rotating.
5.2.23_limit_ssh_max_sess [ OK ] Check Passed
5.2.2_ssh_host_private_ke [INFO] Working on 5.2.2_ssh_host_private_keys_perm_ownership
5.2.2_ssh_host_private_ke [INFO] [DESCRIPTION] Checking permissions and ownership to root 600 for ssh private keys. 
5.2.2_ssh_host_private_ke [INFO] Checking Configuration
5.2.2_ssh_host_private_ke [INFO] Performing audit
5.2.2_ssh_host_private_ke [ OK ] /etc/ssh/ssh_host_ed25519_key permissions were set to 600
5.2.2_ssh_host_private_ke [ OK ] /etc/ssh/ssh_host_dsa_key permissions were set to 600
5.2.2_ssh_host_private_ke [ OK ] /etc/ssh/ssh_host_ecdsa_key permissions were set to 600
5.2.2_ssh_host_private_ke [ OK ] /etc/ssh/ssh_host_rsa_key permissions were set to 600
5.2.2_ssh_host_private_ke [ OK ] SSH private keys in /etc/ssh have correct permissions
5.2.2_ssh_host_private_ke [ OK ] /etc/ssh/ssh_host_ed25519_key ownership was set to root:root
5.2.2_ssh_host_private_ke [ OK ] /etc/ssh/ssh_host_dsa_key ownership was set to root:root
5.2.2_ssh_host_private_ke [ OK ] /etc/ssh/ssh_host_ecdsa_key ownership was set to root:root
5.2.2_ssh_host_private_ke [ OK ] /etc/ssh/ssh_host_rsa_key ownership was set to root:root
5.2.2_ssh_host_private_ke [ OK ] SSH private keys in /etc/ssh have correct ownership
5.2.2_ssh_host_private_ke [ OK ] Check Passed
5.2.3_ssh_host_public_key [INFO] Working on 5.2.3_ssh_host_public_keys_perm_ownership
5.2.3_ssh_host_public_key [INFO] [DESCRIPTION] Checking permissions and ownership to root 644 for ssh public keys. 
5.2.3_ssh_host_public_key [INFO] Checking Configuration
5.2.3_ssh_host_public_key [INFO] Performing audit
5.2.3_ssh_host_public_key [ OK ] /etc/ssh/ssh_host_ecdsa_key.pub permissions were set to 644
5.2.3_ssh_host_public_key [ OK ] /etc/ssh/ssh_host_dsa_key.pub permissions were set to 644
5.2.3_ssh_host_public_key [ OK ] /etc/ssh/ssh_host_ed25519_key.pub permissions were set to 644
5.2.3_ssh_host_public_key [ OK ] /etc/ssh/ssh_host_rsa_key.pub permissions were set to 644
5.2.3_ssh_host_public_key [ OK ] SSH public keys in /etc/ssh have correct permissions
5.2.3_ssh_host_public_key [ OK ] /etc/ssh/ssh_host_ecdsa_key.pub ownership was set to root:root
5.2.3_ssh_host_public_key [ OK ] /etc/ssh/ssh_host_dsa_key.pub ownership was set to root:root
5.2.3_ssh_host_public_key [ OK ] /etc/ssh/ssh_host_ed25519_key.pub ownership was set to root:root
5.2.3_ssh_host_public_key [ OK ] /etc/ssh/ssh_host_rsa_key.pub ownership was set to root:root
5.2.3_ssh_host_public_key [ OK ] SSH public keys in /etc/ssh have correct ownership
5.2.3_ssh_host_public_key [ OK ] Check Passed
5.2.4_sshd_protocol       [INFO] Working on 5.2.4_sshd_protocol
5.2.4_sshd_protocol       [INFO] [DESCRIPTION] Set secure shell (SSH) protocol to 2.
5.2.4_sshd_protocol       [INFO] Checking Configuration
5.2.4_sshd_protocol       [INFO] Performing audit
5.2.4_sshd_protocol       [ OK ] openssh-server is installed
5.2.4_sshd_protocol       [ OK ] ^Protocol[[:space:]]*2 is present in /etc/ssh/sshd_config
5.2.4_sshd_protocol       [ OK ] Check Passed
5.2.5_sshd_loglevel       [INFO] Working on 5.2.5_sshd_loglevel
5.2.5_sshd_loglevel       [INFO] [DESCRIPTION] Set LogLevel to INFO for SSH.
5.2.5_sshd_loglevel       [INFO] Checking Configuration
5.2.5_sshd_loglevel       [INFO] Performing audit
5.2.5_sshd_loglevel       [ OK ] openssh-server is installed
5.2.5_sshd_loglevel       [ OK ] ^LogLevel[[:space:]]*(INFO|VERBOSE) is present in /etc/ssh/sshd_config
5.2.5_sshd_loglevel       [ OK ] Check Passed
5.2.6_disable_x11_forward [INFO] Working on 5.2.6_disable_x11_forwarding
5.2.6_disable_x11_forward [INFO] [DESCRIPTION] Disable SSH X11 forwarding.
5.2.6_disable_x11_forward [INFO] Checking Configuration
5.2.6_disable_x11_forward [INFO] Performing audit
5.2.6_disable_x11_forward [ OK ] openssh-server is installed
5.2.6_disable_x11_forward [ OK ] ^X11Forwarding[[:space:]]*no is present in /etc/ssh/sshd_config
5.2.6_disable_x11_forward [ OK ] Check Passed
5.2.7_sshd_maxauthtries   [INFO] Working on 5.2.7_sshd_maxauthtries
5.2.7_sshd_maxauthtries   [INFO] [DESCRIPTION] Set SSH MaxAuthTries to 4.
5.2.7_sshd_maxauthtries   [INFO] Checking Configuration
5.2.7_sshd_maxauthtries   [INFO] Performing audit
5.2.7_sshd_maxauthtries   [ OK ] openssh-server is installed
5.2.7_sshd_maxauthtries   [ OK ] ^MaxAuthTries[[:space:]]*4 is present in /etc/ssh/sshd_config
5.2.7_sshd_maxauthtries   [ OK ] Check Passed
5.2.8_enable_sshd_ignorer [INFO] Working on 5.2.8_enable_sshd_ignorerhosts
5.2.8_enable_sshd_ignorer [INFO] [DESCRIPTION] Set SSH IgnoreRhosts to Yes.
5.2.8_enable_sshd_ignorer [INFO] Checking Configuration
5.2.8_enable_sshd_ignorer [INFO] Performing audit
5.2.8_enable_sshd_ignorer [ OK ] openssh-server is installed
5.2.8_enable_sshd_ignorer [ OK ] ^IgnoreRhosts[[:space:]]*yes is present in /etc/ssh/sshd_config
5.2.8_enable_sshd_ignorer [ OK ] Check Passed
5.2.9_disable_sshd_hostba [INFO] Working on 5.2.9_disable_sshd_hostbasedauthentication
5.2.9_disable_sshd_hostba [INFO] [DESCRIPTION] Set SSH HostbasedAUthentication to No.
5.2.9_disable_sshd_hostba [INFO] Checking Configuration
5.2.9_disable_sshd_hostba [INFO] Performing audit
5.2.9_disable_sshd_hostba [ OK ] openssh-server is installed
5.2.9_disable_sshd_hostba [ OK ] ^HostbasedAuthentication[[:space:]]*no is present in /etc/ssh/sshd_config
5.2.9_disable_sshd_hostba [ OK ] Check Passed
5.3.1_enable_pwquality    [INFO] Working on 5.3.1_enable_pwquality
5.3.1_enable_pwquality    [INFO] [DESCRIPTION] Set password creation requirement parameters using pam.cracklib.
5.3.1_enable_pwquality    [INFO] Checking Configuration
5.3.1_enable_pwquality    [INFO] Performing audit
5.3.1_enable_pwquality    [ OK ] libpam-pwquality is installed
5.3.1_enable_pwquality    [ OK ] pam_pwquality.so is present in /etc/pam.d/common-password
5.3.1_enable_pwquality    [ OK ] ^minlen[[:space:]]+=[[:space:]]+14 is present in /etc/security/pwquality.conf
5.3.1_enable_pwquality    [ OK ] ^dcredit[[:space:]]+=[[:space:]]+-1 is present in /etc/security/pwquality.conf
5.3.1_enable_pwquality    [ OK ] ^ucredit[[:space:]]+=[[:space:]]+-1 is present in /etc/security/pwquality.conf
5.3.1_enable_pwquality    [ OK ] ^ocredit[[:space:]]+=[[:space:]]+-1 is present in /etc/security/pwquality.conf
5.3.1_enable_pwquality    [ OK ] ^lcredit[[:space:]]+=[[:space:]]+-1 is present in /etc/security/pwquality.conf
5.3.1_enable_pwquality    [ OK ] Check Passed
5.3.2_enable_lockout_fail [INFO] Working on 5.3.2_enable_lockout_failed_password
5.3.2_enable_lockout_fail [INFO] [DESCRIPTION] Set lockout for failed password attemps.
5.3.2_enable_lockout_fail [INFO] Checking Configuration
5.3.2_enable_lockout_fail [INFO] Performing audit
5.3.2_enable_lockout_fail [ OK ] libpam-modules-bin is installed
5.3.2_enable_lockout_fail [ OK ] ^auth[[:space:]]*required[[:space:]]*pam_((tally[2]?)|(faillock))\.so is present in /etc/pam.d/common-auth
5.3.2_enable_lockout_fail [ OK ] pam_((tally[2]?)|(faillock))\.so is present in /etc/pam.d/common-account
5.3.2_enable_lockout_fail [ OK ] Check Passed
5.3.3_limit_password_reus [INFO] Working on 5.3.3_limit_password_reuse
5.3.3_limit_password_reus [INFO] [DESCRIPTION] Limit password reuse.
5.3.3_limit_password_reus [INFO] Checking Configuration
5.3.3_limit_password_reus [INFO] Performing audit
5.3.3_limit_password_reus [ OK ] libpam-modules is installed
5.3.3_limit_password_reus [ OK ] ^password.*remember is present in /etc/pam.d/common-password
5.3.3_limit_password_reus [ OK ] Check Passed
5.3.4_acc_pam_sha512      [INFO] Working on 5.3.4_acc_pam_sha512
5.3.4_acc_pam_sha512      [INFO] [DESCRIPTION] Check that any password that may exist in /etc/shadow is SHA512 hashed and salted
5.3.4_acc_pam_sha512      [INFO] 5.3.4_acc_pam_sha512 is disabled, ignoring
5.3.4_acc_pam_yescrypt    [INFO] Working on 5.3.4_acc_pam_yescrypt
5.3.4_acc_pam_yescrypt    [INFO] [DESCRIPTION] Check that any password that may exist in /etc/shadow is SHA512 (yescrypt) hashed and salted
5.3.4_acc_pam_yescrypt    [INFO] Checking Configuration
5.3.4_acc_pam_yescrypt    [INFO] Performing audit
5.3.4_acc_pam_yescrypt    [ OK ] ^\s*password\s.+\s+pam_unix\.so\s+.*yescrypt is present in /etc/pam.d/common-password
5.3.4_acc_pam_yescrypt    [ OK ] Check Passed
5.4.1.1_set_password_exp_ [INFO] Working on 5.4.1.1_set_password_exp_days
5.4.1.1_set_password_exp_ [INFO] [DESCRIPTION] Set password expiration days.
5.4.1.1_set_password_exp_ [INFO] Checking Configuration
5.4.1.1_set_password_exp_ [INFO] Performing audit
5.4.1.1_set_password_exp_ [ OK ] login is installed
5.4.1.1_set_password_exp_ [ OK ] ^PASS_MAX_DAYS[[:space:]]*90 is present in /etc/login.defs
5.4.1.1_set_password_exp_ [ OK ] Check Passed
5.4.1.2_set_password_min_ [INFO] Working on 5.4.1.2_set_password_min_days_change
5.4.1.2_set_password_min_ [INFO] [DESCRIPTION] Set password change minimum number of days.
5.4.1.2_set_password_min_ [INFO] Checking Configuration
5.4.1.2_set_password_min_ [INFO] Performing audit
5.4.1.2_set_password_min_ [ OK ] login is installed
5.4.1.2_set_password_min_ [ OK ] ^PASS_MIN_DAYS[[:space:]]*7 is present in /etc/login.defs
5.4.1.2_set_password_min_ [ OK ] Check Passed
5.4.1.3_set_password_exp_ [INFO] Working on 5.4.1.3_set_password_exp_warning_days
5.4.1.3_set_password_exp_ [INFO] [DESCRIPTION] Set password expiration warning days.
5.4.1.3_set_password_exp_ [INFO] Checking Configuration
5.4.1.3_set_password_exp_ [INFO] Performing audit
5.4.1.3_set_password_exp_ [ OK ] login is installed
5.4.1.3_set_password_exp_ [ OK ] ^PASS_WARN_AGE[[:space:]]*7 is present in /etc/login.defs
5.4.1.3_set_password_exp_ [ OK ] Check Passed
5.4.1.4_lock_inactive_use [INFO] Working on 5.4.1.4_lock_inactive_user_account
5.4.1.4_lock_inactive_use [INFO] [DESCRIPTION] Lock inactive user accounts.
5.4.1.4_lock_inactive_use [INFO] Checking Configuration
5.4.1.4_lock_inactive_use [INFO] Performing audit
5.4.1.4_lock_inactive_use [INFO] Looking at the manual of useradd, it seems that this recommendation does not fill the title
5.4.1.4_lock_inactive_use [INFO] The number of days after a password expires until the account is permanently disabled.
5.4.1.4_lock_inactive_use [INFO] Which is not inactive users per se
5.4.1.4_lock_inactive_use [ OK ] Check Passed
5.4.1.5_last_password_cha [INFO] Working on 5.4.1.5_last_password_change_past
5.4.1.5_last_password_cha [INFO] [DESCRIPTION] Check that user last paswword change date is in the past.
5.4.1.5_last_password_cha [INFO] Checking Configuration
5.4.1.5_last_password_cha [INFO] Performing audit
5.4.1.5_last_password_cha [ OK ] Check Passed
5.4.2_disable_system_acco [INFO] Working on 5.4.2_disable_system_accounts
5.4.2_disable_system_acco [INFO] [DESCRIPTION] Disable system accounts, preventing them from interactive login.
5.4.2_disable_system_acco [INFO] Checking Configuration
5.4.2_disable_system_acco [INFO] Performing audit
5.4.2_disable_system_acco [INFO] Checking if admin accounts have a login shell different than /bin/false /usr/sbin/nologin /sbin/nologin
5.4.2_disable_system_acco [ OK ] All admin accounts deactivated
5.4.2_disable_system_acco [ OK ] Check Passed
5.4.3_default_root_group  [INFO] Working on 5.4.3_default_root_group
5.4.3_default_root_group  [INFO] [DESCRIPTION] Set default group for root account to 0.
5.4.3_default_root_group  [INFO] Checking Configuration
5.4.3_default_root_group  [INFO] Performing audit
5.4.3_default_root_group  [ OK ] Root group has GID 0
5.4.3_default_root_group  [ OK ] Check Passed
5.4.4_default_umask       [INFO] Working on 5.4.4_default_umask
5.4.4_default_umask       [INFO] [DESCRIPTION] Set default mask for users to 077.
5.4.4_default_umask       [INFO] Checking Configuration
5.4.4_default_umask       [INFO] Performing audit
5.4.4_default_umask       [ OK ] umask 077 is present in /etc/bash.bashrc /etc/profile.d /etc/profile
5.4.4_default_umask       [ OK ] Check Passed
5.4.5_default_timeout     [INFO] Working on 5.4.5_default_timeout
5.4.5_default_timeout     [INFO] [DESCRIPTION] Timeout 600 seconds on tty.
5.4.5_default_timeout     [INFO] Checking Configuration
5.4.5_default_timeout     [INFO] Performing audit
5.4.5_default_timeout     [ OK ] TMOUT= is present in /etc/profile.d//etc/profile.d/50-autologout.sh
5.4.5_default_timeout     [ OK ] Check Passed
5.5_secure_tty            [INFO] Working on 5.5_secure_tty
5.5_secure_tty            [INFO] [DESCRIPTION] Restrict root login to system console.
5.5_secure_tty            [INFO] Checking Configuration
5.5_secure_tty            [INFO] Performing audit
5.5_secure_tty            [INFO] Remove terminal entries in /etc/securetty for any consoles that are not in a physically secure location.
5.5_secure_tty            [INFO] No measure here, please review the file by yourself
5.5_secure_tty            [ OK ] Check Passed
5.6_restrict_su           [INFO] Working on 5.6_restrict_su
5.6_restrict_su           [INFO] [DESCRIPTION] Restrict access to su command.
5.6_restrict_su           [INFO] Checking Configuration
5.6_restrict_su           [INFO] Performing audit
5.6_restrict_su           [ OK ] login is installed
5.6_restrict_su           [ OK ] ^auth[[:space:]]*required[[:space:]]*pam_wheel.so is present in /etc/pam.d/su
5.6_restrict_su           [ OK ] Check Passed
6.1.10_find_world_writabl [INFO] Working on 6.1.10_find_world_writable_file
6.1.10_find_world_writabl [INFO] [DESCRIPTION] Ensure no world writable files exist
6.1.10_find_world_writabl [INFO] Checking Configuration
6.1.10_find_world_writabl [INFO] Performing audit
6.1.10_find_world_writabl [INFO] Checking if there are world writable files
6.1.10_find_world_writabl [ OK ] No world writable files found
6.1.10_find_world_writabl [ OK ] Check Passed
6.1.11_find_unowned_files [INFO] Working on 6.1.11_find_unowned_files
6.1.11_find_unowned_files [INFO] [DESCRIPTION] Ensure no unowned files or directories exist.
6.1.11_find_unowned_files [INFO] Checking Configuration
6.1.11_find_unowned_files [INFO] Performing audit
6.1.11_find_unowned_files [INFO] Checking if there are unowned files
6.1.11_find_unowned_files [ OK ] No unowned files found
6.1.11_find_unowned_files [ OK ] Check Passed
6.1.12_find_ungrouped_fil [INFO] Working on 6.1.12_find_ungrouped_files
6.1.12_find_ungrouped_fil [INFO] [DESCRIPTION] Ensure no ungrouped files or directories exist
6.1.12_find_ungrouped_fil [INFO] Checking Configuration
6.1.12_find_ungrouped_fil [INFO] Performing audit
6.1.12_find_ungrouped_fil [INFO] Checking if there are ungrouped files
6.1.12_find_ungrouped_fil [ OK ] No ungrouped files found
6.1.12_find_ungrouped_fil [ OK ] Check Passed
6.1.13_find_suid_files    [INFO] Working on 6.1.13_find_suid_files
6.1.13_find_suid_files    [INFO] [DESCRIPTION] Find SUID system executables.
6.1.13_find_suid_files    [INFO] Checking Configuration
6.1.13_find_suid_files    [INFO] Performing audit
6.1.13_find_suid_files    [INFO] Checking if there are suid files
6.1.13_find_suid_files    [ OK ] No unknown suid files found
6.1.13_find_suid_files    [ OK ] Check Passed
6.1.14_find_sgid_files    [INFO] Working on 6.1.14_find_sgid_files
6.1.14_find_sgid_files    [INFO] [DESCRIPTION] Find SGID system executables.
6.1.14_find_sgid_files    [INFO] Checking Configuration
6.1.14_find_sgid_files    [INFO] Performing audit
6.1.14_find_sgid_files    [INFO] Checking if there are sgid files
6.1.14_find_sgid_files    [ OK ] No unknown sgid files found
6.1.14_find_sgid_files    [ OK ] Check Passed
6.1.2_etc_passwd_permissi [INFO] Working on 6.1.2_etc_passwd_permissions
6.1.2_etc_passwd_permissi [INFO] [DESCRIPTION] Check 644 permissions and root:root ownership on /etc/passwd
6.1.2_etc_passwd_permissi [INFO] Checking Configuration
6.1.2_etc_passwd_permissi [INFO] Performing audit
6.1.2_etc_passwd_permissi [ OK ] /etc/passwd has correct permissions
6.1.2_etc_passwd_permissi [ OK ] /etc/passwd has correct ownership
6.1.2_etc_passwd_permissi [ OK ] Check Passed
6.1.3_etc_gshadow-_permis [INFO] Working on 6.1.3_etc_gshadow-_permissions
6.1.3_etc_gshadow-_permis [INFO] [DESCRIPTION] Check 640 permissions and root:root ownership on /etc/gshadow-
6.1.3_etc_gshadow-_permis [INFO] Checking Configuration
6.1.3_etc_gshadow-_permis [INFO] Performing audit
6.1.3_etc_gshadow-_permis [ OK ] /etc/gshadow- does not exist
6.1.3_etc_gshadow-_permis [ OK ] Check Passed
6.1.4_etc_shadow_permissi [INFO] Working on 6.1.4_etc_shadow_permissions
6.1.4_etc_shadow_permissi [INFO] [DESCRIPTION] Check 640 permissions and root:root ownership on /etc/shadow
6.1.4_etc_shadow_permissi [INFO] Checking Configuration
6.1.4_etc_shadow_permissi [INFO] Performing audit
6.1.4_etc_shadow_permissi [ OK ] /etc/shadow has correct permissions
6.1.4_etc_shadow_permissi [ OK ] /etc/shadow has correct ownership
6.1.4_etc_shadow_permissi [ OK ] Check Passed
6.1.5_etc_group_permissio [INFO] Working on 6.1.5_etc_group_permissions
6.1.5_etc_group_permissio [INFO] [DESCRIPTION] Check 644 permissions and root:root ownership on /etc/group
6.1.5_etc_group_permissio [INFO] Checking Configuration
6.1.5_etc_group_permissio [INFO] Performing audit
6.1.5_etc_group_permissio [ OK ] /etc/group has correct permissions
6.1.5_etc_group_permissio [ OK ] /etc/group has correct ownership
6.1.5_etc_group_permissio [ OK ] Check Passed
6.1.6_etc_passwd-_permiss [INFO] Working on 6.1.6_etc_passwd-_permissions
6.1.6_etc_passwd-_permiss [INFO] [DESCRIPTION] Check 600 permissions and root:root ownership on /etc/passwd-
6.1.6_etc_passwd-_permiss [INFO] Checking Configuration
6.1.6_etc_passwd-_permiss [INFO] Performing audit
6.1.6_etc_passwd-_permiss [ OK ] /etc/passwd- does not exist
6.1.6_etc_passwd-_permiss [ OK ] Check Passed
6.1.7_etc_shadow-_permiss [INFO] Working on 6.1.7_etc_shadow-_permissions
6.1.7_etc_shadow-_permiss [INFO] [DESCRIPTION] Check 600 permissions and root:shadow ownership on /etc/shadow-
6.1.7_etc_shadow-_permiss [INFO] Checking Configuration
6.1.7_etc_shadow-_permiss [INFO] Performing audit
6.1.7_etc_shadow-_permiss [ OK ] /etc/shadow- does not exist
6.1.7_etc_shadow-_permiss [ OK ] Check Passed
6.1.8_etc_group-_permissi [INFO] Working on 6.1.8_etc_group-_permissions
6.1.8_etc_group-_permissi [INFO] [DESCRIPTION] Check 600 permissions and root:root ownership on /etc/group-
6.1.8_etc_group-_permissi [INFO] Checking Configuration
6.1.8_etc_group-_permissi [INFO] Performing audit
6.1.8_etc_group-_permissi [ OK ] /etc/group- does not exist
6.1.8_etc_group-_permissi [ OK ] Check Passed
6.1.9_etc_gshadow_permiss [INFO] Working on 6.1.9_etc_gshadow_permissions
6.1.9_etc_gshadow_permiss [INFO] [DESCRIPTION] Check 640 permissions and root:root ownership on /etc/gshadow
6.1.9_etc_gshadow_permiss [INFO] Checking Configuration
6.1.9_etc_gshadow_permiss [INFO] Performing audit
6.1.9_etc_gshadow_permiss [ OK ] /etc/gshadow has correct permissions
6.1.9_etc_gshadow_permiss [ OK ] /etc/gshadow has correct ownership
6.1.9_etc_gshadow_permiss [ OK ] Check Passed
6.2.10_check_user_dot_fil [INFO] Working on 6.2.10_check_user_dot_file_perm
6.2.10_check_user_dot_fil [INFO] [DESCRIPTION] Check user dot file permissions.
6.2.10_check_user_dot_fil [INFO] Checking Configuration
6.2.10_check_user_dot_fil [INFO] Performing audit
6.2.10_check_user_dot_fil [ OK ] Dot file permission in users directories are correct
6.2.10_check_user_dot_fil [ OK ] Check Passed
6.2.11_find_user_forward_ [INFO] Working on 6.2.11_find_user_forward_files
6.2.11_find_user_forward_ [INFO] [DESCRIPTION] There is no user .forward files.
6.2.11_find_user_forward_ [INFO] Checking Configuration
6.2.11_find_user_forward_ [INFO] Performing audit
6.2.11_find_user_forward_ [ OK ] No .forward present in users home directory
6.2.11_find_user_forward_ [ OK ] Check Passed
6.2.12_find_user_netrc_fi [INFO] Working on 6.2.12_find_user_netrc_files
6.2.12_find_user_netrc_fi [INFO] [DESCRIPTION] There is no user .netrc files.
6.2.12_find_user_netrc_fi [INFO] Checking Configuration
6.2.12_find_user_netrc_fi [INFO] Performing audit
6.2.12_find_user_netrc_fi [ OK ] No .netrc present in users home directory
6.2.12_find_user_netrc_fi [ OK ] Check Passed
6.2.13_set_perm_on_user_n [INFO] Working on 6.2.13_set_perm_on_user_netrc
6.2.13_set_perm_on_user_n [INFO] [DESCRIPTION] Ensure users' .netrc Files are not group or world accessible
6.2.13_set_perm_on_user_n [INFO] Checking Configuration
6.2.13_set_perm_on_user_n [INFO] Performing audit
6.2.13_set_perm_on_user_n [ OK ] permission 600 set on .netrc users files
6.2.13_set_perm_on_user_n [ OK ] Check Passed
6.2.14_find_user_rhosts_f [INFO] Working on 6.2.14_find_user_rhosts_files
6.2.14_find_user_rhosts_f [INFO] [DESCRIPTION] No user's .rhosts file.
6.2.14_find_user_rhosts_f [INFO] Checking Configuration
6.2.14_find_user_rhosts_f [INFO] Performing audit
6.2.14_find_user_rhosts_f [ OK ] No .rhosts present in users home directory
6.2.14_find_user_rhosts_f [ OK ] Check Passed
6.2.15_find_passwd_group_ [INFO] Working on 6.2.15_find_passwd_group_inconsistencies
6.2.15_find_passwd_group_ [INFO] [DESCRIPTION] There is no group in /etc/passwd that is not in /etc/group.
6.2.15_find_passwd_group_ [INFO] Checking Configuration
6.2.15_find_passwd_group_ [INFO] Performing audit
6.2.15_find_passwd_group_ [ OK ] passwd and group Groups are consistent
6.2.15_find_passwd_group_ [ OK ] Check Passed
6.2.16_check_duplicate_ui [INFO] Working on 6.2.16_check_duplicate_uid
6.2.16_check_duplicate_ui [INFO] [DESCRIPTION] Ensure no duplicate UIDs exist
6.2.16_check_duplicate_ui [INFO] Checking Configuration
6.2.16_check_duplicate_ui [INFO] Performing audit
6.2.16_check_duplicate_ui [ OK ] No duplicate UIDs
6.2.16_check_duplicate_ui [ OK ] Check Passed
6.2.17_check_duplicate_gi [INFO] Working on 6.2.17_check_duplicate_gid
6.2.17_check_duplicate_gi [INFO] [DESCRIPTION] Ensure no duplicate GIDs exist
6.2.17_check_duplicate_gi [INFO] Checking Configuration
6.2.17_check_duplicate_gi [INFO] Performing audit
6.2.17_check_duplicate_gi [ OK ] No duplicate GIDs
6.2.17_check_duplicate_gi [ OK ] Check Passed
6.2.18_check_duplicate_us [INFO] Working on 6.2.18_check_duplicate_username
6.2.18_check_duplicate_us [INFO] [DESCRIPTION] There is no duplicate usernames.
6.2.18_check_duplicate_us [INFO] Checking Configuration
6.2.18_check_duplicate_us [INFO] Performing audit
6.2.18_check_duplicate_us [ OK ] No duplicate usernames
6.2.18_check_duplicate_us [ OK ] Check Passed
6.2.19_check_duplicate_gr [INFO] Working on 6.2.19_check_duplicate_groupname
6.2.19_check_duplicate_gr [INFO] [DESCRIPTION] There is no duplicate group names.
6.2.19_check_duplicate_gr [INFO] Checking Configuration
6.2.19_check_duplicate_gr [INFO] Performing audit
6.2.19_check_duplicate_gr [ OK ] No duplicate groupnames
6.2.19_check_duplicate_gr [ OK ] Check Passed
6.2.1_remove_empty_passwo [INFO] Working on 6.2.1_remove_empty_password_field
6.2.1_remove_empty_passwo [INFO] [DESCRIPTION] Ensure password fields are not empty in /etc/shadow.
6.2.1_remove_empty_passwo [INFO] Checking Configuration
6.2.1_remove_empty_passwo [INFO] Performing audit
6.2.1_remove_empty_passwo [INFO] Checking if accounts have an empty password
6.2.1_remove_empty_passwo [ OK ] All accounts have a password
6.2.1_remove_empty_passwo [ OK ] Check Passed
6.2.20_shadow_group_empty [INFO] Working on 6.2.20_shadow_group_empty
6.2.20_shadow_group_empty [INFO] [DESCRIPTION] There is no user in shadow group (that can read /etc/shadow file).
6.2.20_shadow_group_empty [INFO] Checking Configuration
6.2.20_shadow_group_empty [INFO] Performing audit
6.2.20_shadow_group_empty [INFO] shadow group exists
6.2.20_shadow_group_empty [ OK ] No user belongs to shadow group
6.2.20_shadow_group_empty [INFO] Checking if a user has 42 as primary group
6.2.20_shadow_group_empty [ OK ] No user has shadow id as their primary group
6.2.20_shadow_group_empty [ OK ] Check Passed
6.2.2_remove_legacy_passw [INFO] Working on 6.2.2_remove_legacy_passwd_entries
6.2.2_remove_legacy_passw [INFO] [DESCRIPTION] Verify no legacy + entries exist in /etc/password file.
6.2.2_remove_legacy_passw [INFO] Checking Configuration
6.2.2_remove_legacy_passw [INFO] Performing audit
6.2.2_remove_legacy_passw [INFO] Checking if accounts have a legacy password entry
6.2.2_remove_legacy_passw [ OK ] All accounts have a valid password entry format
6.2.2_remove_legacy_passw [ OK ] Check Passed
6.2.3_users_valid_homedir [INFO] Working on 6.2.3_users_valid_homedir
6.2.3_users_valid_homedir [INFO] [DESCRIPTION] Users are assigned valid home directories.
6.2.3_users_valid_homedir [INFO] Checking Configuration
6.2.3_users_valid_homedir [INFO] Performing audit
[  656.545414] hrtimer: interrupt took 18293850 ns
6.2.3_users_valid_homedir [ OK ] All home directories exists
6.2.3_users_valid_homedir [ OK ] Check Passed
6.2.4_remove_legacy_shado [INFO] Working on 6.2.4_remove_legacy_shadow_entries
6.2.4_remove_legacy_shado [INFO] [DESCRIPTION] Verify no legacy + entries exist in /etc/shadow file.
6.2.4_remove_legacy_shado [INFO] Checking Configuration
6.2.4_remove_legacy_shado [INFO] Performing audit
6.2.4_remove_legacy_shado [INFO] Checking if accounts have a legacy password entry
6.2.4_remove_legacy_shado [ OK ] All accounts have a valid password entry format
6.2.4_remove_legacy_shado [ OK ] Check Passed
6.2.5_remove_legacy_group [INFO] Working on 6.2.5_remove_legacy_group_entries
6.2.5_remove_legacy_group [INFO] [DESCRIPTION] Verify no legacy + entries exist in /etc/group file.
6.2.5_remove_legacy_group [INFO] Checking Configuration
6.2.5_remove_legacy_group [INFO] Performing audit
6.2.5_remove_legacy_group [INFO] Checking if accounts have a legacy group entry
6.2.5_remove_legacy_group [ OK ] All accounts have a valid group entry format
6.2.5_remove_legacy_group [ OK ] Check Passed
6.2.6_find_0_uid_non_root [INFO] Working on 6.2.6_find_0_uid_non_root_account
6.2.6_find_0_uid_non_root [INFO] [DESCRIPTION] Verify root is the only UID 0 account.
6.2.6_find_0_uid_non_root [INFO] Checking Configuration
6.2.6_find_0_uid_non_root [INFO] Performing audit
6.2.6_find_0_uid_non_root [INFO] Checking if accounts have uid 0
6.2.6_find_0_uid_non_root [ OK ] No account with uid 0 appart from root 
6.2.6_find_0_uid_non_root [ OK ] Check Passed
6.2.7_sanitize_root_path  [INFO] Working on 6.2.7_sanitize_root_path
6.2.7_sanitize_root_path  [INFO] [DESCRIPTION] Ensure root path integrity.
6.2.7_sanitize_root_path  [INFO] Checking Configuration
6.2.7_sanitize_root_path  [INFO] Performing audit
6.2.7_sanitize_root_path  [ OK ] root PATH is secure
6.2.7_sanitize_root_path  [ OK ] Check Passed
6.2.8_check_user_dir_perm [INFO] Working on 6.2.8_check_user_dir_perm
6.2.8_check_user_dir_perm [INFO] [DESCRIPTION] Check permissions on user home directories.
6.2.8_check_user_dir_perm [INFO] Checking Configuration
6.2.8_check_user_dir_perm [INFO] Performing audit
6.2.8_check_user_dir_perm [ OK ] No incorrect permissions on home directories
6.2.8_check_user_dir_perm [ OK ] Check Passed
6.2.9_users_valid_homedir [INFO] Working on 6.2.9_users_valid_homedir
[  666.624686] systemd-journald[264]: Data hash table of /var/log/journal/1234567800000000000002f599de2c65/system.journal has a fill level at 75.2 (1780 of 2368 items, 1363968 file 
[  666.626147] systemd-journald[264]: /var/log/journal/1234567800000000000002f599de2c65/system.journal: Journal header limits reached or header out-of-date, rotating.
6.2.9_users_valid_homedir [INFO] [DESCRIPTION] Ensure users own their home directories
6.2.9_users_valid_homedir [INFO] Checking Configuration
6.2.9_users_valid_homedir [INFO] Performing audit
6.2.9_users_valid_homedir [ OK ] All home directories exists
6.2.9_users_valid_homedir [ OK ] All home directories have correct ownership
6.2.9_users_valid_homedir [ OK ] Check Passed
99.1.1.1_disable_cramfs   [INFO] Working on 99.1.1.1_disable_cramfs
99.1.1.1_disable_cramfs   [INFO] [DESCRIPTION] Disable mounting of cramfs filesystems.
99.1.1.1_disable_cramfs   [INFO] Checking Configuration
99.1.1.1_disable_cramfs   [INFO] Performing audit
99.1.1.1_disable_cramfs   [ OK ] CONFIG_CRAMFS is disabled
99.1.1.1_disable_cramfs   [ OK ] Check Passed
99.1.1.23_disable_usb_dev [INFO] Working on 99.1.1.23_disable_usb_devices
99.1.1.23_disable_usb_dev [INFO] [DESCRIPTION] USB devices are disabled.
99.1.1.23_disable_usb_dev [INFO] Checking Configuration
99.1.1.23_disable_usb_dev [INFO] Performing audit
99.1.1.23_disable_usb_dev [ OK ] ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0" is present in /etc/udev/rules.d/10-CIS_99.2_usb_devices.s
99.1.1.23_disable_usb_dev [ OK ] Check Passed
99.1.3_acc_sudoers_no_all [INFO] Working on 99.1.3_acc_sudoers_no_all
99.1.3_acc_sudoers_no_all [INFO] [DESCRIPTION] Checks there are no carte-blanche authorization in sudoers file(s).
99.1.3_acc_sudoers_no_all [INFO] Checking Configuration
99.1.3_acc_sudoers_no_all [INFO] Performing audit
99.1.3_acc_sudoers_no_all [ OK ] root ALL=(ALL:ALL) ALL is present in /etc/sudoers but was EXCUSED because root is part of exceptions.
99.1.3_acc_sudoers_no_all [ OK ] %sudo ALL=(ALL:ALL) ALL is present in /etc/sudoers but was EXCUSED because %sudo is part of exceptions.
99.1.3_acc_sudoers_no_all [ OK ] There is no carte-blanche sudo permission in /etc/sudoers.d/README
99.1.3_acc_sudoers_no_all [ OK ] There is no carte-blanche sudo permission in /etc/sudoers.d/keepssh
99.1.3_acc_sudoers_no_all [ OK ] %wheel  ALL=(ALL:ALL) NOPASSWD: ALL is present in /etc/sudoers.d/wheel but was EXCUSED because %wheel is part of exceptions.
99.1.3_acc_sudoers_no_all [ OK ] Check Passed
99.2.2_disable_telnet_ser [INFO] Working on 99.2.2_disable_telnet_server
99.2.2_disable_telnet_ser [INFO] [DESCRIPTION] Ensure telnet server is not enabled. Recommended alternative : sshd (OpenSSH-server).
99.2.2_disable_telnet_ser [INFO] Checking Configuration
99.2.2_disable_telnet_ser [INFO] Performing audit
99.2.2_disable_telnet_ser [ OK ] telnetd is absent
99.2.2_disable_telnet_ser [ OK ] inetutils-telnetd is absent
99.2.2_disable_telnet_ser [ OK ] telnetd-ssl is absent
99.2.2_disable_telnet_ser [ OK ] krb5-telnetd is absent
99.2.2_disable_telnet_ser [ OK ] heimdal-servers is absent
99.2.2_disable_telnet_ser [ OK ] Check Passed
99.3.3.1_install_tcp_wrap [INFO] Working on 99.3.3.1_install_tcp_wrapper
99.3.3.1_install_tcp_wrap [INFO] [DESCRIPTION] Install TCP wrappers for simple access list management and standardized logging method for services.
99.3.3.1_install_tcp_wrap [INFO] Checking Configuration
99.3.3.1_install_tcp_wrap [INFO] Performing audit
99.3.3.1_install_tcp_wrap [ OK ] tcpd is installed
99.3.3.1_install_tcp_wrap [ OK ] Check Passed
99.3.3.2_hosts_allow      [INFO] Working on 99.3.3.2_hosts_allow
99.3.3.2_hosts_allow      [INFO] [DESCRIPTION] Create /etc/hosts.allow .
99.3.3.2_hosts_allow      [INFO] Checking Configuration
99.3.3.2_hosts_allow      [INFO] Performing audit
99.3.3.2_hosts_allow      [ OK ] /etc/hosts.allow exist
99.3.3.2_hosts_allow      [ OK ] Check Passed
99.3.3.3_hosts_deny       [INFO] Working on 99.3.3.3_hosts_deny
99.3.3.3_hosts_deny       [INFO] [DESCRIPTION] Create /etc/hosts.deny .
99.3.3.3_hosts_deny       [INFO] Checking Configuration
99.3.3.3_hosts_deny       [INFO] Performing audit
99.3.3.3_hosts_deny       [ OK ] /etc/hosts.deny exists, checking configuration
99.3.3.3_hosts_deny       [ OK ] ALL: ALL is present in /etc/hosts.deny
99.3.3.3_hosts_deny       [ OK ] Check Passed
99.3.3.4_hosts_allow_perm [INFO] Working on 99.3.3.4_hosts_allow_permissions
99.3.3.4_hosts_allow_perm [INFO] [DESCRIPTION] Check 644 permissions and root:root ownership on /hosts.allow .
99.3.3.4_hosts_allow_perm [INFO] Checking Configuration
99.3.3.4_hosts_allow_perm [INFO] Performing audit
99.3.3.4_hosts_allow_perm [ OK ] /etc/hosts.allow exist
99.3.3.4_hosts_allow_perm [ OK ] /etc/hosts.allow has correct permissions
99.3.3.4_hosts_allow_perm [ OK ] /etc/hosts.allow has correct ownership
99.3.3.4_hosts_allow_perm [ OK ] Check Passed
99.3.3.5_hosts_deny_permi [INFO] Working on 99.3.3.5_hosts_deny_permissions
99.3.3.5_hosts_deny_permi [INFO] [DESCRIPTION] Check 644 permissions and root:root ownership on /etc/hosts.deny .
99.3.3.5_hosts_deny_permi [INFO] Checking Configuration
99.3.3.5_hosts_deny_permi [INFO] Performing audit
99.3.3.5_hosts_deny_permi [ OK ] /etc/hosts.deny exist
99.3.3.5_hosts_deny_permi [ OK ] /etc/hosts.deny has correct permissions
99.3.3.5_hosts_deny_permi [ OK ] /etc/hosts.deny has correct ownership
99.3.3.5_hosts_deny_permi [ OK ] Check Passed
99.4.0_enable_auditd_kern [INFO] Working on 99.4.0_enable_auditd_kernel
99.4.0_enable_auditd_kern [INFO] [DESCRIPTION] Ensure CONFIG_AUDIT is enabled in your running kernel.
99.4.0_enable_auditd_kern [INFO] Checking Configuration
99.4.0_enable_auditd_kern [INFO] Performing audit
99.4.0_enable_auditd_kern [ OK ] CONFIG_AUDIT is enabled
99.4.0_enable_auditd_kern [ OK ] Check Passed
99.5.2.1_ssh_auth_pubk_on [INFO] Working on 99.5.2.1_ssh_auth_pubk_only
99.5.2.1_ssh_auth_pubk_on [INFO] [DESCRIPTION] Ensure that sshd only allows authentication through public key.
99.5.2.1_ssh_auth_pubk_on [INFO] Checking Configuration
99.5.2.1_ssh_auth_pubk_on [INFO] Performing audit
99.5.2.1_ssh_auth_pubk_on [ OK ] openssh-server is installed
99.5.2.1_ssh_auth_pubk_on [ OK ] ^PubkeyAuthentication[[:space:]]+yes is present in /etc/ssh/sshd_config
99.5.2.1_ssh_auth_pubk_on [ OK ] ^PasswordAuthentication[[:space:]]+no is present in /etc/ssh/sshd_config
99.5.2.1_ssh_auth_pubk_on [ OK ] ^KbdInteractiveAuthentication[[:space:]]+no is present in /etc/ssh/sshd_config
99.5.2.1_ssh_auth_pubk_on [ OK ] ^KerberosAuthentication[[:space:]]+no is present in /etc/ssh/sshd_config
99.5.2.1_ssh_auth_pubk_on [ OK ] ^ChallengeResponseAuthentication[[:space:]]+no is present in /etc/ssh/sshd_config
99.5.2.1_ssh_auth_pubk_on [ OK ] ^HostbasedAuthentication[[:space:]]+no is present in /etc/ssh/sshd_config
99.5.2.1_ssh_auth_pubk_on [ OK ] ^GSSAPIAuthentication[[:space:]]+no is present in /etc/ssh/sshd_config
99.5.2.1_ssh_auth_pubk_on [ OK ] ^GSSAPIKeyExchange[[:space:]]+no is present in /etc/ssh/sshd_config
99.5.2.1_ssh_auth_pubk_on [ OK ] Check Passed
99.5.2.2_ssh_cry_rekey    [INFO] Working on 99.5.2.2_ssh_cry_rekey
99.5.2.2_ssh_cry_rekey    [INFO] [DESCRIPTION] Checking rekey limit for time (6 hours) or volume (512Mio) whichever comes first.
99.5.2.2_ssh_cry_rekey    [INFO] Checking Configuration
99.5.2.2_ssh_cry_rekey    [INFO] Performing audit
99.5.2.2_ssh_cry_rekey    [ OK ] openssh-server is installed
99.5.2.2_ssh_cry_rekey    [ OK ] ^RekeyLimit[[:space:]]*512M\s+6h is present in /etc/ssh/sshd_config
99.5.2.2_ssh_cry_rekey    [ OK ] Check Passed
99.5.2.3_ssh_disable_feat [INFO] Working on 99.5.2.3_ssh_disable_features
99.5.2.3_ssh_disable_feat [INFO] [DESCRIPTION] Check all special features in sshd_config are disabled
99.5.2.3_ssh_disable_feat [INFO] Checking Configuration
99.5.2.3_ssh_disable_feat [INFO] Performing audit
99.5.2.3_ssh_disable_feat [ OK ] openssh-server is installed
99.5.2.3_ssh_disable_feat [ OK ] ^AllowAgentForwarding[[:space:]]*no is present in /etc/ssh/sshd_config
99.5.2.3_ssh_disable_feat [ OK ] ^AllowTcpForwarding[[:space:]]*no is present in /etc/ssh/sshd_config
99.5.2.3_ssh_disable_feat [ OK ] ^AllowStreamLocalForwarding[[:space:]]*no is present in /etc/ssh/sshd_config
99.5.2.3_ssh_disable_feat [ OK ] ^PermitTunnel[[:space:]]*no is present in /etc/ssh/sshd_config
99.5.2.3_ssh_disable_feat [ OK ] ^PermitUserRC[[:space:]]*no is present in /etc/ssh/sshd_config
99.5.2.3_ssh_disable_feat [ OK ] ^GatewayPorts[[:space:]]*no is present in /etc/ssh/sshd_config
99.5.2.3_ssh_disable_feat [ OK ] Check Passed
99.5.2.4_ssh_keys_from    [INFO] Working on 99.5.2.4_ssh_keys_from
99.5.2.4_ssh_keys_from    [INFO] [DESCRIPTION] Check <from> field in ssh authorized keys files for users with login shell, and allowed IP if available.
99.5.2.4_ssh_keys_from    [INFO] Checking Configuration
99.5.2.4_ssh_keys_from    [INFO] Performing audit
99.5.2.4_ssh_keys_from    [INFO] User root has a valid shell (/bin/bash).
99.5.2.4_ssh_keys_from    [INFO] User sync has a valid shell (/bin/sync).
99.5.2.4_ssh_keys_from    [INFO] User sync has no home directory.
99.5.2.4_ssh_keys_from    [INFO] User dev has a valid shell (/bin/bash).
99.5.2.4_ssh_keys_from    [WARN] dev has a valid shell but no authorized_keys file
99.5.2.4_ssh_keys_from    [ OK ] Check Passed
99.5.2.5_ssh_strict_modes [INFO] Working on 99.5.2.5_ssh_strict_modes
99.5.2.5_ssh_strict_modes [INFO] [DESCRIPTION] Ensure home directory and ssh sensitive files are verified (not publicly readable) before connecting.
99.5.2.5_ssh_strict_modes [INFO] Checking Configuration
99.5.2.5_ssh_strict_modes [INFO] Performing audit
99.5.2.5_ssh_strict_modes [ OK ] openssh-server is installed
99.5.2.5_ssh_strict_modes [ OK ] ^StrictModes[[:space:]]*yes is present in /etc/ssh/sshd_config
99.5.2.5_ssh_strict_modes [ OK ] Check Passed
99.5.2.6_ssh_sys_accept_e [INFO] Working on 99.5.2.6_ssh_sys_accept_env
99.5.2.6_ssh_sys_accept_e [INFO] [DESCRIPTION] Restrict which user's variables are accepted by ssh daemon
99.5.2.6_ssh_sys_accept_e [INFO] Checking Configuration
99.5.2.6_ssh_sys_accept_e [INFO] Performing audit
99.5.2.6_ssh_sys_accept_e [ OK ] openssh-server is installed
99.5.2.6_ssh_sys_accept_e [ OK ] ^\s*AcceptEnv\s+LANG LC_\* is present in /etc/ssh/sshd_config
99.5.2.6_ssh_sys_accept_e [ OK ] Check Passed
99.5.2.7_ssh_sys_no_legac [INFO] Working on 99.5.2.7_ssh_sys_no_legacy
99.5.2.7_ssh_sys_no_legac [INFO] [DESCRIPTION] Ensure that legacy services rlogin, rlogind and rcp are disabled and not installed
99.5.2.7_ssh_sys_no_legac [INFO] Checking Configuration
99.5.2.7_ssh_sys_no_legac [INFO] Performing audit
99.5.2.7_ssh_sys_no_legac [INFO] Checking if rlogin is enabled and installed
99.5.2.7_ssh_sys_no_legac [ OK ] rlogin is disabled
99.5.2.7_ssh_sys_no_legac [ OK ] rlogin is not installed
99.5.2.7_ssh_sys_no_legac [INFO] Checking if rlogind is enabled and installed
99.5.2.7_ssh_sys_no_legac [ OK ] rlogind is disabled
99.5.2.7_ssh_sys_no_legac [ OK ] rlogind is not installed
99.5.2.7_ssh_sys_no_legac [INFO] Checking if rcp is enabled and installed
99.5.2.7_ssh_sys_no_legac [ OK ] rcp is disabled
99.5.2.7_ssh_sys_no_legac [ OK ] rcp is not installed
99.5.2.7_ssh_sys_no_legac [ OK ] Check Passed
99.5.2.8_ssh_sys_sandbox  [INFO] Working on 99.5.2.8_ssh_sys_sandbox
99.5.2.8_ssh_sys_sandbox  [INFO] [DESCRIPTION] Check UsePrivilegeSeparation set to sandbox.
99.5.2.8_ssh_sys_sandbox  [INFO] Checking Configuration
99.5.2.8_ssh_sys_sandbox  [INFO] Performing audit
99.5.2.8_ssh_sys_sandbox  [ OK ] openssh-server is installed
99.5.2.8_ssh_sys_sandbox  [ OK ] ^UsePrivilegeSeparation[[:space:]]*sandbox is present in /etc/ssh/sshd_config
99.5.2.8_ssh_sys_sandbox  [ OK ] Check Passed
99.5.4.5.1_acc_logindefs_ [INFO] Working on 99.5.4.5.1_acc_logindefs_sha512
99.5.4.5.1_acc_logindefs_ [INFO] [DESCRIPTION] Check that any password that will be created will be SHA512 hashed and salted
99.5.4.5.1_acc_logindefs_ [INFO] Checking Configuration
99.5.4.5.1_acc_logindefs_ [INFO] Performing audit
99.5.4.5.1_acc_logindefs_ [ OK ] ENCRYPT_METHOD SHA512 is present in /etc/login.defs
99.5.4.5.1_acc_logindefs_ [ OK ] Check Passed
99.5.4.5.2_acc_shadow_sha [INFO] Working on 99.5.4.5.2_acc_shadow_sha512
99.5.4.5.2_acc_shadow_sha [INFO] [DESCRIPTION] Check that any password that may exist in /etc/shadow is SHA512 hashed and salted
99.5.4.5.2_acc_shadow_sha [INFO] Checking Configuration
99.5.4.5.2_acc_shadow_sha [INFO] Performing audit
99.5.4.5.2_acc_shadow_sha [ OK ] User root has suitable SHA512 hashed password.
99.5.4.5.2_acc_shadow_sha [ OK ] User _cron-failure has a disabled password.
99.5.4.5.2_acc_shadow_sha [ OK ] Check Passed
99.99_check_distribution  [INFO] Working on 99.99_check_distribution
99.99_check_distribution  [INFO] [DESCRIPTION] Check the distribution and the distribution version
99.99_check_distribution  [INFO] 99.99_check_distribution is disabled, ignoring

[gyptazy]

Overview: Overview of all related tasks to finish cis:

• [x] gardenlinux/gardenlinux#782
• [x] gardenlinux/gardenlinux#783
• [x] gardenlinux/gardenlinux#784
• [x] gardenlinux/gardenlinux#785
• [x] gardenlinux/gardenlinux#786
• [x] gardenlinux/gardenlinux#787
• [x] gardenlinux/gardenlinux#823
• [x] gardenlinux/gardenlinux#838
• [x] gardenlinux/gardenlinux#842
• [x] gardenlinux/gardenlinux#912
• [x] gardenlinux/gardenlinux#913
• [x] gardenlinux/gardenlinux#937
• [x] gardenlinux/gardenlinux#939
• [x] gardenlinux/gardenlinux#943
• [x] gardenlinux/gardenlinux#946
• [x] gardenlinux/gardenlinux#996
• [x] gardenlinux/gardenlinux#997
• [x] gardenlinux/gardenlinux#998
• [x] gardenlinux/gardenlinux#999
• [x] gardenlinux/gardenlinux#1000
• [ ] gardenlinux/gardenlinux-backlog#29

[nanory]

There is one issue left, which can be found here. However, there is no task needed here anymore, therefore we are closing this issue then.