CIS 4 Logging and Auditing

Group Summary
81 Examples
OS Description
OSubuntu
Release18.04
Archx86_64
CloudAZ
Target51.140.231.26

Execution Date: 2019-07-05 17:23:28 +0100

# Example Duration Status
1

4.1.2 Ensure auditd service is enabled

0.17049 passed
2

4.2.1.1 Ensure rsyslog Service is enabled

0.18977 passed
3

4.2.1.2 Ensure logging is configured

Skipped: no automated check is implemented for this control (the spec's "How to check it" placeholder) — verify the rsyslog logging configuration manually
0.00032 pending
4

4.2.1.3 Ensure rsyslog default file permissions configured

0.17697 passed
5

4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host

RSpec::Expectations::ExpectationNotMetError

expected "" to match /^\s*\*\.\*\s+@/
Diff:
@@ -1,2 +1,2 @@
-/^\s*\*\.\*\s+@/
+""

Backtrace:
  1. ./spec/cis/4.Logging_auditing_spec.rb:252:in `block (2 levels) in '
			#*.*[TAB][TAB]@

--->			expect(command('grep "^\*\.\*[^I][^I]\*@" \/etc\/rsyslog.conf').stdout).to match(/^\s*\*\.\*\s+@/)
		else
			skip('rsyslog is not installed')
		end
	end
0.18140 failed — caveat: the spec's grep (`"^\*\.\*[^I][^I]\*@"`) transcribes the benchmark's `^I` tab notation as the character class `[^I]` ("any character except I") and additionally requires a literal `*` before `@`, so it is unlikely to match a real `*.* @loghost` / `*.* @@loghost` line; it also reads only /etc/rsyslog.conf, not any included /etc/rsyslog.d/*.conf. Treat this result as unverified until forwarding is confirmed by hand (e.g. `grep -E '^\s*\*\.\*\s+@' /etc/rsyslog.conf /etc/rsyslog.d/*.conf`).
6

4.2.2.1 Ensure syslog-ng service is enabled

Skipped: syslog-ng is not installed
0.00035 pending
7

4.2.2.2 Ensure logging is configured

Skipped: syslog-ng is not installed
0.00023 pending
8

4.2.2.3 Ensure syslog-ng default file permissions configured

Skipped: syslog-ng is not installed
0.00023 pending
9

4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host

Skipped: syslog-ng is not installed
0.00027 pending
10

4.2.2.5 Ensure remote syslog-ng messages are only accepted on designated log hosts

Skipped: syslog-ng is not installed
0.00023 pending
11

4.2.3 Ensure rsyslog or syslog-ng is installed

Skipped: syslog-ng is not installed — note: 4.2.3 is an either/or control and rsyslog is enabled on this host (4.2.1.1 passed), so the skip reflects a gap in the spec's skip logic rather than a missing syslog daemon
0.00026 pending
12

4.1.3 Ensure auditing for processes that start prior to auditd is enabled File "/boot/grub/grub.cfg" content should match /^\s*linux.*audit=1/

0.17580 passed
13

File "/etc/audit/auditd.conf" 4.1.1.1 Ensure audit log storage size is configured content should match /^max_log_file = \d+/

0.18032 passed
14

File "/etc/audit/auditd.conf" 4.1.1.2 Ensure system is disabled when audit logs are full content should match /^space_left_action = email/

0.00109 passed
15

File "/etc/audit/auditd.conf" 4.1.1.2 Ensure system is disabled when audit logs are full content should match /^action_mail_acct = root/

0.00096 passed
16

File "/etc/audit/auditd.conf" 4.1.1.2 Ensure system is disabled when audit logs are full content should match /^admin_space_left_action = halt/

RSpec::Expectations::ExpectationNotMetError

expected "#\n# This file controls the configuration of the audit daemon\n#\n\nlocal_events = yes\nwrite_logs =...b5 = no\nkrb5_principal = auditd\n##krb5_key_file = /etc/audit/audit.key\ndistribute_network = no\n" to match /^admin_space_left_action = halt/
Diff:
@@ -1,2 +1,38 @@
-/^admin_space_left_action = halt/
+#
+# This file controls the configuration of the audit daemon
+#
+
+local_events = yes
+write_logs = yes
+log_file = /var/log/audit/audit.log
+log_group = adm
+log_format = RAW
+flush = INCREMENTAL_ASYNC
+freq = 50
+max_log_file = 8
+num_logs = 5
+priority_boost = 4
+disp_qos = lossy
+dispatcher = /sbin/audispd
+name_format = NONE
+##name = mydomain
+max_log_file_action = ROTATE
+space_left = 7399
+space_left_action = email
+verify_email = yes
+action_mail_acct = root
+admin_space_left = 50
+admin_space_left_action = SUSPEND
+disk_full_action = SUSPEND
+disk_error_action = SUSPEND
+use_libwrap = yes
+##tcp_listen_port = 60
+tcp_listen_queue = 5
+tcp_max_per_addr = 1
+##tcp_client_ports = 1024-65535
+tcp_client_max_idle = 0
+enable_krb5 = no
+krb5_principal = auditd
+##krb5_key_file = /etc/audit/audit.key
+distribute_network = no

Backtrace:
  1. ./spec/cis/4.Logging_auditing_spec.rb:47:in `block (4 levels) in '
			its(:content) { should match /^action_mail_acct = root/ }
--->			its(:content) { should match /^admin_space_left_action = halt/ }
		end

		describe '4.1.1.3 Ensure audit logs are not automatically deleted' do
			its(:content) { should match /^max_log_file_action = keep_logs/ }
0.00209 failed — genuine finding: the host sets `admin_space_left_action = SUSPEND`, so auditd stops writing but the system keeps running once the admin threshold is reached, instead of halting as the control requires. (The regex is case-sensitive; auditd appears to accept these keywords in either case, so an uppercase `HALT` would also be reported as failed — confirm before relying on this check alone.)
17

File "/etc/audit/auditd.conf" 4.1.1.3 Ensure audit logs are not automatically deleted content should match /^max_log_file_action = keep_logs/

RSpec::Expectations::ExpectationNotMetError

expected "#\n# This file controls the configuration of the audit daemon\n#\n\nlocal_events = yes\nwrite_logs =...b5 = no\nkrb5_principal = auditd\n##krb5_key_file = /etc/audit/audit.key\ndistribute_network = no\n" to match /^max_log_file_action = keep_logs/
Diff:
@@ -1,2 +1,38 @@
-/^max_log_file_action = keep_logs/
+#
+# This file controls the configuration of the audit daemon
+#
+
+local_events = yes
+write_logs = yes
+log_file = /var/log/audit/audit.log
+log_group = adm
+log_format = RAW
+flush = INCREMENTAL_ASYNC
+freq = 50
+max_log_file = 8
+num_logs = 5
+priority_boost = 4
+disp_qos = lossy
+dispatcher = /sbin/audispd
+name_format = NONE
+##name = mydomain
+max_log_file_action = ROTATE
+space_left = 7399
+space_left_action = email
+verify_email = yes
+action_mail_acct = root
+admin_space_left = 50
+admin_space_left_action = SUSPEND
+disk_full_action = SUSPEND
+disk_error_action = SUSPEND
+use_libwrap = yes
+##tcp_listen_port = 60
+tcp_listen_queue = 5
+tcp_max_per_addr = 1
+##tcp_client_ports = 1024-65535
+tcp_client_max_idle = 0
+enable_krb5 = no
+krb5_principal = auditd
+##krb5_key_file = /etc/audit/audit.key
+distribute_network = no

Backtrace:
  1. ./spec/cis/4.Logging_auditing_spec.rb:51:in `block (4 levels) in '
		describe '4.1.1.3 Ensure audit logs are not automatically deleted' do
--->			its(:content) { should match /^max_log_file_action = keep_logs/ }
		end

	end

0.00210 failed
18

File "/etc/audit/audit.rules" 4.1.12 Ensure use of privileged commands is collected

Skipped: no automated check is implemented for this control (the spec's "How to check it" placeholder) — enumerate setuid/setgid binaries and confirm a `-F perm=x` rule exists for each, manually
0.00036 pending
19

File "/etc/audit/audit.rules" 4.1.4 Ensure events that modify date and time information are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* adjtimex /

0.16075 passed
20

File "/etc/audit/audit.rules" 4.1.4 Ensure events that modify date and time information are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* settimeofday /

0.00147 passed
21

File "/etc/audit/audit.rules" 4.1.4 Ensure events that modify date and time information are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* clock_settime /

0.00105 passed
22

File "/etc/audit/audit.rules" 4.1.4 Ensure events that modify date and time information are collected content should match /^-w \/etc\/localtime -p wa/

0.00102 passed
23

File "/etc/audit/audit.rules" 4.1.5 Ensure events that modify user/group information are collected content should match /^-w \/etc\/group -p wa/

0.00105 passed
24

File "/etc/audit/audit.rules" 4.1.5 Ensure events that modify user/group information are collected content should match /^-w \/etc\/passwd -p wa/

0.00104 passed
25

File "/etc/audit/audit.rules" 4.1.5 Ensure events that modify user/group information are collected content should match /^-w \/etc\/gshadow -p wa/

0.00100 passed
26

File "/etc/audit/audit.rules" 4.1.5 Ensure events that modify user/group information are collected content should match /^-w \/etc\/shadow -p wa/

0.00101 passed
27

File "/etc/audit/audit.rules" 4.1.5 Ensure events that modify user/group information are collected content should match /^-w \/etc\/security\/opasswd -p wa/

0.00094 passed
28

File "/etc/audit/audit.rules" 4.1.6 Ensure events that modify the system's network environment are collected content should match /^-a (always,exit|exit,always).*arch=b64.* sethostname /

0.00106 passed
29

File "/etc/audit/audit.rules" 4.1.6 Ensure events that modify the system's network environment are collected content should match /^-a (always,exit|exit,always).*arch=b64.* setdomainname /

0.00108 passed
30

File "/etc/audit/audit.rules" 4.1.6 Ensure events that modify the system's network environment are collected content should match /^-w \/etc\/issue -p wa/

0.00103 passed
31

File "/etc/audit/audit.rules" 4.1.6 Ensure events that modify the system's network environment are collected content should match /^-w \/etc\/issue.net -p wa/

0.00101 passed
32

File "/etc/audit/audit.rules" 4.1.6 Ensure events that modify the system's network environment are collected content should match /^-w \/etc\/hosts -p wa/

0.00104 passed
33

File "/etc/audit/audit.rules" 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected content should match /^-w \/etc\/selinux\/ -p wa/

0.00097 passed
34

File "/etc/audit/audit.rules" 4.1.8 Ensure login and logout events are collected content should match /^-w \/var\/log\/lastlog -p wa/

0.00104 passed
35

File "/etc/audit/audit.rules" 4.1.8 Ensure login and logout events are collected content should match /^-w \/var\/run\/faillock\/ -p wa/

0.00096 passed
36

File "/etc/audit/audit.rules" 4.1.9 Ensure session initiation information is collected content should match /^-w \/var\/run\/utmp -p wa/

0.00100 passed
37

File "/etc/audit/audit.rules" 4.1.9 Ensure session initiation information is collected content should match /^-w \/var\/log\/wtmp -p wa/

0.00099 passed
38

File "/etc/audit/audit.rules" 4.1.9 Ensure session initiation information is collected content should match /^-w \/var\/log\/btmp -p wa/

0.00098 passed
39

File "/etc/audit/audit.rules" 4.1.10 Ensure discretionary access control permission modification events are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* fchmodat /

0.00104 passed
40

File "/etc/audit/audit.rules" 4.1.10 Ensure discretionary access control permission modification events are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* fchmod /

0.00102 passed
41

File "/etc/audit/audit.rules" 4.1.10 Ensure discretionary access control permission modification events are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* chmod /

0.00102 passed
42

File "/etc/audit/audit.rules" 4.1.10 Ensure discretionary access control permission modification events are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* setxattr/

0.00113 passed
43

File "/etc/audit/audit.rules" 4.1.10 Ensure discretionary access control permission modification events are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* lsetxattr /

0.00105 passed
44

File "/etc/audit/audit.rules" 4.1.10 Ensure discretionary access control permission modification events are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* fsetxattr /

0.00111 passed
45

File "/etc/audit/audit.rules" 4.1.10 Ensure discretionary access control permission modification events are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* removexattr /

0.00106 passed
46

File "/etc/audit/audit.rules" 4.1.10 Ensure discretionary access control permission modification events are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* lremovexattr /

0.00104 passed
47

File "/etc/audit/audit.rules" 4.1.10 Ensure discretionary access control permission modification events are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* fremovexattr /

0.00109 passed
48

File "/etc/audit/audit.rules" 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* creat .* exit=-EACCES/

0.00108 passed
49

File "/etc/audit/audit.rules" 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* open .* exit=-EACCES/

0.00107 passed
50

File "/etc/audit/audit.rules" 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* openat .* exit=-EACCES/

0.00109 passed
51

File "/etc/audit/audit.rules" 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* truncate .* exit=-EACCES/

0.00108 passed
52

File "/etc/audit/audit.rules" 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* ftruncate .* exit=-EACCES/

0.00110 passed
53

File "/etc/audit/audit.rules" 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* creat .* exit=-EPERM/

0.00106 passed
54

File "/etc/audit/audit.rules" 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* open .* exit=-EPERM/

0.00111 passed
55

File "/etc/audit/audit.rules" 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* openat .* exit=-EPERM/

0.00109 passed
56

File "/etc/audit/audit.rules" 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* truncate .* exit=-EPERM/

0.00105 passed
57

File "/etc/audit/audit.rules" 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* ftruncate .* exit=-EPERM/

0.00111 passed
58

File "/etc/audit/audit.rules" 4.1.13 Ensure successful file system mounts are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* mount /

0.00100 passed
59

File "/etc/audit/audit.rules" 4.1.14 Ensure file deletion events by users are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* unlink /

0.00097 passed
60

File "/etc/audit/audit.rules" 4.1.14 Ensure file deletion events by users are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* unlinkat /

0.00115 passed
61

File "/etc/audit/audit.rules" 4.1.14 Ensure file deletion events by users are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* rename /

0.00102 passed
62

File "/etc/audit/audit.rules" 4.1.14 Ensure file deletion events by users are collected content should match /^-a (always,exit|exit,always) .*arch=b64.* renameat /

0.00111 passed
63

File "/etc/audit/audit.rules" 4.1.15 Ensure changes to system administration scope (sudoers) is collected content should match /^-w \/etc\/sudoers -p wa/

0.00098 passed
64

File "/etc/audit/audit.rules" 4.1.16 Ensure system administrator actions (sudolog) are collected content should match /^-w \/var\/log\/sudo.log -p wa/

0.00098 passed
65

File "/etc/audit/audit.rules" 4.1.17 Ensure kernel module loading and unloading is collected content should match /^-w \/sbin\/insmod -p x/

0.00099 passed
66

File "/etc/audit/audit.rules" 4.1.17 Ensure kernel module loading and unloading is collected content should match /^-w \/sbin\/rmmod -p x/

0.00098 passed
67

File "/etc/audit/audit.rules" 4.1.17 Ensure kernel module loading and unloading is collected content should match /^-w \/sbin\/modprobe -p x/

0.00097 passed
68

File "/etc/audit/audit.rules" 4.1.17 Ensure kernel module loading and unloading is collected content should match /^-a (always,exit|exit,always) .*arch=b64.* init_module /

0.00114 passed
69

File "/etc/audit/audit.rules" 4.1.17 Ensure kernel module loading and unloading is collected content should match /^-a (always,exit|exit,always) .*arch=b64.* delete_module /

0.00115 passed
70

File "/etc/audit/audit.rules" 4.1.18 Ensure the audit configuration is immutable content should match /^-e 2/

RSpec::Expectations::ExpectationNotMetError

expected "## This file is automatically generated from /etc/audit/rules.d\n-D\n-b 16384\n-f 1\n-A exclude,alwa...F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n-w /var/log/sudo.log -p wa -k actions\n\n" to match /^-e 2/
Diff:
@@ -1,2 +1,220 @@
-/^-e 2/
+## This file is automatically generated from /etc/audit/rules.d
+-D
+-b 16384
+-f 1
+-A exclude,always -F msgtype=CWD
+-a exit,never -F arch=b64 -S unlink -F exe=/usr/lib/systemd/systemd-udevd 
+-a exit,never -F arch=b64 -S mkdir -F subj_type=systemd_logind_t
+-a exit,never -F arch=b64 -S mkdir -F exe=/usr/lib/systemd/systemd
+-a exit,never -F arch=b64 -S rmdir -F exe=/usr/lib/systemd/systemd
+-a exit,never -F arch=b64 -S unlink -F exe=/usr/lib/systemd/systemd
+-w /etc/auditd.conf -k CFG_auditd.conf
+-w /etc/audit.rules -k CFG_audit.rules
+-a exit,always -F arch=b64 -S fchmod -S fchown -S lchown -k ownership_action
+-a exit,always -F arch=b64 -S mkdir -S rmdir -k dir_action
+-a exit,always -F arch=b64 -S unlink -S rename -S link -S symlink -k link_action
+-a exit,always -F arch=b64 -S mknod -k mknod
+-a exit,always -F arch=b64 -S mount -S umount2 -k mount_action
+-a exit,always -F arch=b64 -S adjtimex -S settimeofday -k time_action
+-w /usr/sbin/stunnel -p x -k stunnel
+-w /var/spool/at -k LOG_at
+-w /etc/at.allow -k CFG_at.allow
+-w /etc/at.deny -k CFG_at.deny
+-w /etc/cron.allow -p wa -k CFG_cron.allow
+-w /etc/cron.deny -p wa -k CFG_cron.deny
+-w /etc/cron.d/ -p wa -k CFG_cron.d
+-w /etc/cron.daily/ -p wa -k CFG_cron.daily
+-w /etc/cron.hourly/ -p wa -k CFG_cron.hourly
+-w /etc/cron.monthly/ -p wa -k CFG_cron.monthly
+-w /etc/cron.weekly/ -p wa -k CFG_cron.weekly
+-w /etc/crontab -p wa -k CFG_crontab
+-w /var/spool/cron/root -k CFG_crontab_root
+-w /etc/group -p wa -k CFG_group
+-w /etc/passwd -p wa -k CFG_passwd
+-w /etc/gshadow -p wa -k CFG_gshadow
+-w /etc/shadow -p wa -k CFG_shadow
+-w /etc/security/opasswd -p wa -k CFG_opasswd
+-w /etc/login.defs -p wa -k CFG_login.defs
+-w /etc/securetty -k CFG_securetty
+-w /var/log/faillog -k LOG_faillog
+-w /var/log/lastlog -p wa -k LOG_lastlog
+-w /var/run/faillock/ -p wa -k logins
+-w /etc/hosts -p wa -k CFG_hosts
+-w /etc/inittab -p wa -k CFG_inittab
+-w /etc/ld.so.conf -p wa -k CFG_ld.so.conf
+-w /etc/localtime -p wa -k CFG_localtime
+-w /etc/sysctl.conf -p wa -k CFG_sysctl.conf
+-w /etc/modprobe.conf -p wa -k CFG_modprobe.conf
+-w /etc/pam.d/ -p wa -k pam.d
+-w /etc/aliases -p wa -k CFG_aliases
+-w /etc/postfix/ -p wa -k CFG_postfix
+-w /etc/ssh/sshd_config -k CFG_sshd_config
+-w /etc/issue -p wa -k CFG_issue
+-w /etc/issue.net -p wa -k CFG_issue.net
+-w /etc/sudoers -p wa -k CFG_sudoers
+-w /etc/sudoers.d/ -p wa  -k CFG_sudoers
+-w /etc/ssh/ssh_config -k CFG_ssh
+-a exit,always -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k execute_binary
+-w /etc/grub2.cfg -p wa -k GRUB
+-w /boot/grub/grub.cfg -p wa -k GRUB
+-w /bin/su -p x -k APPS
+-w /usr/bin/sudo -p x -k APPS
+-w /usr/sbin/visudo -p x -k APPS
+-w /usr/sbin/sudoedit -p x -k APPS
+-w /bin/ping -p x -k APPS
+-w /usr/bin/ssh -p x -k APPS
+-w /usr/bin/scp -p x -k APPS
+-w /usr/bin/sftp -p x -k APPS
+-w /usr/sbin/useradd  -p x -k USERacc
+-w /usr/sbin/userdel  -p x -k USERacc
+-w /usr/sbin/usermod  -p x -k USERacc
+-w /usr/sbin/groupadd -p x -k GROUPacc
+-w /usr/sbin/groupdel -p x -k GROUPacc
+-w /usr/sbin/groupmod -p x -k GROUPacc
+-w /sbin/pwdb_chkpwd -p x -k SUID
+-w /sbin/pam_timestamp_check -p x -k SUID
+-w /sbin/unix_chkpwd -p x -k SUID
+-w /bin/mount -p x -k SUID
+-w /bin/traceroute6 -p x -k SUID
+-w /bin/umount -p x -k SUID
+-w /bin/traceroute -p x -k SUID
+-w /bin/ping6 -p x -k SUID
+-w /usr/sbin/userisdnctl -p x -k SUID
+-w /usr/sbin/usernetctl -p x -k SUID
+-w /usr/sbin/userhelper -p x -k SUID
+-w /usr/sbin/ccreds_validate -p x -k SUID
+-w /usr/bin/rcp -p x -k SUID
+-w /usr/bin/kgrantpty -p x -k SUID
+-w /usr/bin/rsh -p x -k SUID
+-w /usr/bin/chage -p x -k SUID
+-w /usr/bin/lppasswd -p x -k SUID
+-w /usr/bin/newgrp -p x -k SUID
+-w /usr/bin/gpasswd -p x -k SUID
+-w /usr/bin/kpac_dhcp_helper -p x -k SUID
+-w /usr/bin/sg -p x -k SUID
+-w /usr/bin/at -p x -k SUID
+-w /usr/bin/passwd -p x -k SUID
+-w /usr/bin/chsh -p x -k SUID
+-w /usr/bin/chfn -p x -k SUID
+-w /usr/bin/rlogin -p x -k SUID
+-w /usr/bin/crontab -p x -k SUID
+-w /sbin/netreport -p x -k GUID
+-w /usr/sbin/lockdev -p x -k GUID
+-w /usr/sbin/sendmail.sendmail -p x -k GUID
+-w /usr/bin/write -p x -k GUID
+-w /usr/bin/lockfile -p x -k GUID
+-w /usr/bin/slocate -p x -k GUID
+-w /usr/bin/ssh-agent -p x -k GUID
+-w /usr/bin/wall -p x -k GUID
+-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules
+-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
+-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules
+-a exit,always -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications
+-w /etc/selinux/ -p wa -k MAC-policy
+-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod
+-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod
+-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod
+-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod
+-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod
+-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod
+-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
+-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
+-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod
+-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod
+-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
+-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod
+-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
+-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
+-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=0 -k access
+-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=0 -k access
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
+-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
+-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
+-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
+-a always,exit -F path=/var/log/journal -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/screen -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/locate -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/mount.nfs -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export
+-a always,exit -F arch=b64 -S mount -F auid=0 -k export
+-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
+-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
+-w /sbin/insmod -p x -k modules
+-w /usr/sbin/insmod -p x -k modules
+-w /sbin/rmmod -p x -k modules
+-w /usr/sbin/rmmod -p x -k modules
+-w /sbin/modprobe -p x -k modules
+-w /usr/sbin/modprobe -p x -k modules
+-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
+-a always,exit -F arch=b64 -S finit_module -k modules
+-a always,exit -F arch=b64 -S create_module -k modules
+-w /bin/chmod -p x -k FOLDER
+-w /bin/chgrp -p x -k FOLDER
+-w /etc/sd_pam.conf -p r -k ACE
+-w /var/log/tallylog -p wa -k logins
+-w /var/run/utmp -p wa -k session
+-w /var/log/wtmp -p wa -k session
+-w /var/log/btmp -p wa -k session
+-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/screen -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/locate -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/mount.nfs -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-w /var/log/sudo.log -p wa -k actions

Backtrace:
  1. ./spec/cis/4.Logging_auditing_spec.rb:213:in `block (4 levels) in '
			#expect(command('grep "^\s*[^#]" /etc/audit/audit.rules | tail -1').stdout).to match(/-e 2/)

--->			its(:content) { should match /^-e 2/ } # FIXME: no one uses this - Ensure the audit configuration is immutable

		end

	end # /etc/audit/audit.rules


0.00652 failed — the finding is genuine: no `-e 2` appears anywhere in the generated rules (`-f 1` only sets the failure mode), so rules can still be altered at runtime. Two caveats: because audit.rules is generated from /etc/audit/rules.d, `-e 2` must be placed in the last file loaded (e.g. a `99-finalize.rules`) so it ends up as the final line, and a match anywhere in the file (`/^-e 2/`) does not prove that ordering — the commented-out `tail -1` approach was closer. Separately, the dumped rules watch `/etc/auditd.conf` and `/etc/audit.rules`, which are not the paths this report itself checks (`/etc/audit/auditd.conf`, `/etc/audit/audit.rules`), so edits to the live audit configuration are not captured.
71

4.2.1.5 Ensure remote rsyslog messages are only accepted on designated log hosts File "/etc/rsyslog.conf" content should not match /^\$ModLoad\s*imudp/

0.13013 passed
72

4.2.1.5 Ensure remote rsyslog messages are only accepted on designated log hosts File "/etc/rsyslog.conf" content should not match /^\$UDPServerRun/

0.00110 passed
73

4.2.1.5 Ensure remote rsyslog messages are only accepted on designated log hosts File "/etc/rsyslog.conf" content should not match /^\$ModLoad\s*imtcp/

0.00095 passed
74

4.2.1.5 Ensure remote rsyslog messages are only accepted on designated log hosts File "/etc/rsyslog.conf" content should not match /^\$InputTCPServerRun/

0.00092 passed
75

4.2.1.5 Ensure remote rsyslog messages are only accepted on designated log hosts File "/etc/rsyslog.conf" content should not match /^module\(\s*load\s*=\s*"imudp"\)/

0.00098 passed
76

4.2.1.5 Ensure remote rsyslog messages are only accepted on designated log hosts File "/etc/rsyslog.conf" content should not match /^input\(\s*type\s*=\s*"imudp"/

0.00096 passed
77

4.2.1.5 Ensure remote rsyslog messages are only accepted on designated log hosts File "/etc/rsyslog.conf" content should not match /^module\(\s*load\s*=\s*"imtcp"\)/

0.00098 passed
78

4.2.1.5 Ensure remote rsyslog messages are only accepted on designated log hosts File "/etc/rsyslog.conf" content should not match /^input\(\s*type\s*=\s*"imtcp"/

0.00097 passed — caveat: all 4.2.1.5 checks inspect only /etc/rsyslog.conf; if this host's rsyslog.conf includes /etc/rsyslog.d/*.conf (as a stock Ubuntu configuration does), an imudp/imtcp listener defined there would not be detected
79

4.2.4 Ensure permissions on all logfiles are configured Command "find /var/log -type f -perm /o+rwx,g+wx -ls | egrep -v "/var/log/sa"" stdout should == ""

RSpec::Expectations::ExpectationNotMetError

expected: ""
     got: "     3426      0 -rw-r--r--   1 root     root            0 Jul  4 09:50 /var/log/unattended-upgrades...nfo.log\n     1736      4 -rw-rw-r--   1 root     utmp       292292 Jul  5 12:46 /var/log/lastlog\n" (using ==)
Diff:
@@ -1 +1,12 @@
+     3426      0 -rw-r--r--   1 root     root            0 Jul  4 09:50 /var/log/unattended-upgrades/unattended-upgrades-shutdown.log
+     1756      4 -rw-r--r--   1 root     adm          1104 Jul  5 06:30 /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
+     1728      4 -rw-r--r--   1 root     root          833 Jul  5 06:30 /var/log/unattended-upgrades/unattended-upgrades.log
+     1741     24 -rw-r--r--   1 root     root        24068 Jul  5 06:30 /var/log/apt/eipp.log.xz
+     3499      4 -rw-r--r--   1 root     root         1129 Jul  5 06:30 /var/log/apt/history.log
+     3503     12 -rw-r--r--   1 root     root        11311 Jul  5 06:30 /var/log/dpkg.log
+     1734      8 -rw-rw-r--   1 root     utmp         4992 Jul  5 12:46 /var/log/wtmp
+     1735      8 -rw-rw----   1 root     utmp         7296 Jul  5 15:21 /var/log/btmp
+     1618      4 -rw-r--r--   1 root     root          456 Jul  4 10:49 /var/log/waagent.log
+     3493      0 -rw-r--r--   1 root     root            0 Jul  4 09:51 /var/log/landscape/sysinfo.log
+     1736      4 -rw-rw-r--   1 root     utmp       292292 Jul  5 12:46 /var/log/lastlog

Backtrace:
  1. ./spec/cis/4.Logging_auditing_spec.rb:364:in `block (4 levels) in '
		describe( command('find /var/log -type f -perm /o+rwx,g+wx -ls | egrep -v "/var/log/sa"') ) do
--->			its(:stdout) { should == ""}
		end
    end

	#

0.17347 failed — `-perm /o+rwx,g+wx` matches any file with any "other" bit or group write/execute set, so every `-rw-r--r--` entry above is flagged for being world-readable; that is consistent with the benchmark's remediation (`chmod -R g-wx,o-rwx /var/log/*`). wtmp and lastlog (root:utmp 664 on this host) will keep reappearing unless their mode is tightened too; if the apt / unattended-upgrades logs are intentionally left world-readable, exempt them explicitly rather than accepting a permanent failure.
80

4.3 Ensure logrotate is configured File "/etc/cron.daily/logrotate" should exist

0.15102 passed
81

4.3 Ensure logrotate is configured File "/etc/logrotate.d/rsyslog" should exist

0.17788 passed