1 # OSSEC Linux Audit - (C) 2018
3 # Released under the same license as OSSEC.
4 # More details at the LICENSE file included with OSSEC or online
5 # at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
7 # [Application name] [any or all] [reference]
11 # - f (for file or directory)
12 # - r (registry entry)
13 # - p (process running)
16 # For the registry and for directories, use "->" to look for a specific entry and another
17 # "->" to look for the value.
18 # Also, use " -> r:^\. -> ..." to search all files in a directory
19 # For files, use "->" to look for a specific value in the file.
21 # Values can be preceeded by: =: (for equal) - default
22 # r: (for ossec regexes)
23 # >: (for strcmp greater)
24 # <: (for strcmp lower)
25 # Multiple patterns can be specified by using " && " between them.
26 # (All of them must match for it to return true).
28 # Level 1 CIS Checks for Debian Linux 7 and Debian Linux 8
29 # Based on Center for Internet Security Benchmark v1.0.0 for Debian Linux 7 (https://workbench.cisecurity.org/benchmarks/80) and Benchmark v1.0.0 for Debian Linux 8 (https://workbench.cisecurity.org/benchmarks/81)
31 $rc_dirs=/etc/rc0.d,/etc/rc1.d,/etc/rc2.d,/etc/rc3.d,/etc/rc4.d,/etc/rc5.d,/etc/rc6.d,/etc/rc7.d,/etc/rc8.d,/etc/rc9.d,/etc/rca.d,/etc/rcb.d,/etc/rcc.d,/etc/rcs.d,/etc/rcS.d;
32 $rsyslog_files=/etc/rsyslog.conf,/etc/rsyslog.d/*;
33 $profiledfiles=/etc/profile.d/*;
34 $home_dirs=/usr2/home/*,/home/*,/home,/*/home/*,/*/home,/;
37 #2.1 Create Separate Partition for /tmp
38 [CIS - Debian Linux 7/8 - 2.1 Create Separate Partition for /tmp] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
39 f:/etc/fstab -> !r:/tmp;
42 #2.2 Set nodev option for /tmp Partition
43 [CIS - Debian Linux 7/8 - 2.2 Set nodev option for /tmp Partition] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
44 f:/etc/fstab -> !r:/tmp\s+\w+\s+\.*nodev;
47 #2.3 Set nosuid option for /tmp Partition
48 [CIS - Debian Linux 7/8 - 2.3 Set nosuid option for /tmp Partition] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
49 f:/etc/fstab -> !r:/tmp\s+\w+\s+\.*nosuid;
52 #2.4 Set noexec option for /tmp Partition
53 [CIS - Debian Linux 7/8 - 2.4 Set noexec option for /tmp Partition] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
54 f:/etc/fstab -> !r:/tmp\s+\w+\s+\.*noexec;
57 #2.5 Create Separate Partition for /var
58 [CIS - Debian Linux 7/8 - 2.5 Create Separate Partition for /var] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
59 f:/etc/fstab -> !r:/var;
62 #2.6 Bind Mount the /var/tmp directory to /tmp
63 [CIS - Debian Linux 7/8 - 2.6 Bind Mount the /var/tmp directory to /tmp] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
64 f:/etc/fstab -> !r:/tmp\s+/var/tmp\s+none\s+\.*bind\.*0\s+0;
67 #2.7 Create Separate Partition for /var/log
68 [CIS - Debian Linux 7/8 - 2.7 Create Separate Partition for /var/log] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
69 f:/etc/fstab -> !r:/var/log;
72 #2.8 Create Separate Partition for /var/log/audit
73 [CIS - Debian Linux 7/8 - 2.8 Create Separate Partition for /var/log/audit] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
74 f:/etc/fstab -> !r:/var/log/audit;
77 #2.9 Create Separate Partition for /home
78 [CIS - Debian Linux 7/8 - 2.9 Create Separate Partition for /home] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
79 f:/etc/fstab -> !r:/home;
82 #2.10 Add nodev Option to /home
83 [CIS - Debian Linux 7/8 - 2.10 Add nodev Option to /home] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
84 f:/etc/fstab -> !r:/home\s+\w+\s+\.*nodev;
87 #2.11 Add nodev Option to Removable Media Partitions
88 [CIS - Debian Linux 7/8 - 2.11 Add nodev Option to Removable Media Partitions] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
89 f:/etc/fstab -> !r:/media\.*\s+\w+\s+\.*nodev;
92 #2.12 Add noexec Option to Removable Media Partitions
93 [CIS - Debian Linux 7/8 - 2.12 Add noexec Option to Removable Media Partitions] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
94 f:/etc/fstab -> !r:/media\.*\s+\w+\s+\.*noexec;
97 #2.13 Add nosuid Option to Removable Media Partitions
98 [CIS - Debian Linux 7/8 - 2.13 Add nosuid Option to Removable Media Partitions] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
99 f:/etc/fstab -> !r:/media\.*\s+\w+\s+\.*nosuid;
102 #2.14 Add nodev Option to /run/shm Partition
103 [CIS - Debian Linux 7/8 - 2.14 Add nodev Option to /run/shm Partition] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
104 f:/etc/fstab -> !r:/run/shm\s+\w+\s+\.*nodev;
107 #2.15 Add nosuid Option to /run/shm Partition
108 [CIS - Debian Linux 7/8 - 2.15 Add nosuid Option to /run/shm Partition] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
109 f:/etc/fstab -> !r:/run/shm\s+\w+\s+\.*nosuid;
112 #2.16 Add noexec Option to /run/shm Partition
113 [CIS - Debian Linux 7/8 - 2.16 Add noexec Option to /run/shm Partition] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
114 f:/etc/fstab -> !r:/run/shm\s+\w+\s+\.*noexec;
117 #2.25 Disable Automounting
118 [CIS - Debian Linux 7/8 - 2.25 Disable Automounting] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
119 d:$rc_dirs -> S -> r:autofsc;
122 #3.3 Set Boot Loader Password
123 [CIS - Debian Linux 7/8 - 3.3 Set Boot Loader Password] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
124 f:/boot/grub/grub.cfg -> !r:^set superusers;
125 f:/boot/grub/grub.cfg -> !r:^password;
126 f:/etc/grub.d -> !r:^set superusers;
127 f:/etc/grub.d -> !r:^password;
130 #3.4 Require Authentication for Single-User Mode
131 [CIS - Debian Linux 7/8 - 3.4 Require Authentication for Single-User Mode] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
132 f:/etc/shadow -> r:^root:!:;
133 f:/etc/shadow -> r:^root:*:;
134 f:/etc/shadow -> r:^root:*!:;
135 f:/etc/shadow -> r:^root:!*:;
138 #4.1 Restrict Core Dumps
139 [CIS - Debian Linux 7/8 - 4.1 Restrict Core Dumps] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
140 f:/etc/security/limits.conf -> !r:^* hard core 0;
141 f:/etc/sysctl.conf -> !r:^fs.suid_dumpable = 0;
144 #4.3 Enable Randomized Virtual Memory Region Placement
145 [CIS - Debian Linux 7/8 - 4.3 Enable Randomized Virtual Memory Region Placement] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
146 f:/etc/sysctl.conf -> !r:^kernel.randomize_va_space = 2;
149 #5.1.1 Ensure NIS is not installed
150 [CIS - Debian Linux 7/8 - 5.1.1 Ensure NIS is not installed] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
154 #5.1.2 Ensure rsh server is not enabled
155 [CIS - Debian Linux 7/8 - 5.1.2 Ensure rsh server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
156 f:/etc/inetd.conf -> !r:^# && r:shell|login|exec;
159 #5.1.4 Ensure talk server is not enabled
160 [CIS - Debian Linux 7/8 - 5.1.4 Ensure talk server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
161 f:/etc/inetd.conf -> !r:^# && r:talk|ntalk;
164 #5.1.6 Ensure telnet server is not enabled
165 [CIS - Debian Linux 7/8 - 5.1.6 Ensure telnet server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
166 f:/etc/inetd.conf -> !r:^# && r:telnet;
169 #5.1.7 Ensure tftp-server is not enabled
170 [CIS - Debian Linux 7/8 - 5.1.7 Ensure tftp-server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
171 f:/etc/inetd.conf -> !r:^# && r:tftp;
174 #5.1.8 Ensure xinetd is not enabled
175 [CIS - Debian Linux 7/8 - 5.1.8 Ensure xinetd is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
176 d:$rc_dirs -> S -> r:xinetd;
179 #5.2 Ensure chargen is not enabled
180 [CIS - Debian Linux 7/8 - 5.2 Ensure chargen is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
181 f:/etc/inetd.conf -> !r:^# && r:chargen;
184 #5.3 Ensure daytime is not enabled
185 [CIS - Debian Linux 7/8 - 5.3 Ensure daytime is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
186 f:/etc/inetd.conf -> !r:^# && r:daytime;
189 #5.4 Ensure echo is not enabled
190 [CIS - Debian Linux 7/8 - 5.4 Ensure echo is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
191 f:/etc/inetd.conf -> !r:^# && r:echo;
194 #5.5 Ensure discard is not enabled
195 [CIS - Debian Linux 7/8 - 5.5 Ensure discard is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
196 f:/etc/inetd.conf -> !r:^# && r:discard;
199 #5.6 Ensure time is not enabled
200 [CIS - Debian Linux 7/8 - 5.6 Ensure time is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
201 f:/etc/inetd.conf -> !r:^# && r:time;
204 #6.2 Ensure Avahi Server is not enabled
205 [CIS - Debian Linux 7/8 - 6.2 Ensure Avahi Server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
206 d:$rc_dirs -> S -> r:avahi-daemon;
209 #6.3 Ensure print server is not enabled
210 [CIS - Debian Linux 7/8 - 6.3 Ensure print server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
211 d:$rc_dirs -> S -> r:cups;
212 d:$rc_dirs -> S -> r:cups-browsed;
215 #6.4 Ensure DHCP Server is not enabled
216 [CIS - Debian Linux 7/8 - 6.4 Ensure DHCP Server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
217 d:$rc_dirs -> S -> r:disc-dhcp-server;
220 #6.5 Configure Network Time Protocol (NTP)
221 [CIS - Debian Linux 7/8 - 6.5 Configure Network Time Protocol (NTP)] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
222 f:/etc/ntp.conf -> !r:^restrict -4 default kod nomodify notrap nopeer noquery;
223 f:/etc/ntp.conf -> !r:^restrict -6 default kod nomodify notrap nopeer noquery;
224 f:/etc/ntp.conf -> !r:^server\s\.+;
227 #6.6 Ensure LDAP is not ennabled
228 [CIS - Debian Linux 7/8 - 6.6 Ensure LDAP is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
229 d:/etc/init.d -> r:ldap;
232 #6.7 Ensure NFS and RPC are not enabled
233 [CIS - Debian Linux 7/8 - 6.7 Ensure NFS and RPC are not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
234 d:$rc_dirs -> S -> r:rpcbind;
235 d:$rc_dirs -> S -> r:nfs-kernel-server;
238 #6.8 Ensure DNS Server is not enabled
239 [CIS - Debian Linux 7/8 - 6.8 Ensure DNS Server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
240 d:$rc_dirs -> S -> r:bind9;
243 #6.9 Ensure FTP Server is not enabled
244 [CIS - Debian Linux 7/8 - 6.9 Ensure FTP Server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
245 d:$rc_dirs -> S -> r:vsftpd;
248 #6.10 Ensure HTTP Server is not enabled
249 [CIS - Debian Linux 7/8 - 6.10 Ensure HTTP Server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
250 d:$rc_dirs -> S -> r:apache2;
253 #6.11 Ensure IMAP and POP server is not enabled
254 [CIS - Debian Linux 7/8 - 6.11 Ensure IMAP and POP server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
255 d:$rc_dirs -> S -> r:dovecot;
258 #6.12 Ensure Samba is not enabled
259 [CIS - Debian Linux 7/8 - 6.12 Ensure Samba is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
260 d:$rc_dirs -> S -> r:samba;
263 #6.13 Ensure HTTP Proxy Server is not enabled
264 [CIS - Debian Linux 7/8 - 6.13 Ensure HTTP Proxy Server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
265 d:$rc_dirs -> S -> r:squid3;
268 #6.14 Ensure SNMP Server is not enabled
269 [CIS - Debian Linux 7/8 - 6.14 Ensure SNMP Server is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
270 d:$rc_dirs -> S -> r:snmpd;
273 #6.15 Configure Mail Transfer Agent for Local-Only Mode
274 [CIS - Debian Linux 7/8 - 6.15 Configure Mail Transfer Agent for Local Only Mode] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
275 f:/etc/exim4/update-exim4.conf.conf -> r:^dc_local_interfaces= && !r:'127.0.0.1\s*\p\s*::1'$|'::1\s*\p\s*127.0.0.1'$|'127.0.0.1'$|'::1'$;
278 #6.16 Ensure rsync service is not enabled
279 [CIS - Debian Linux 7/8 - 6.16 Ensure rsync service is not enabled] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
280 f:/etc/default/rsync -> !r:^# && r:RSYNC_ENABLE=true|inetd;
281 f:/etc/default/rsync -> !r:^RSYNC_ENABLE=false;
284 #7.1.1 Disable IP Forwarding
285 [CIS - Debian Linux 7/8 - 7.1.1 Disable IP Forwarding] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
286 f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.ip_forward=1;
287 f:/etc/sysctl.conf -> !r:^net.ipv4.ip_forward=0;
290 #7.1.2 Disable Send Packet Redirects
291 [CIS - Debian Linux 7/8 - 7.1.2 Disable Send Packet Redirects] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
292 f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.all.send_redirects=1;
293 f:/etc/sysctl.conf -> !r:^net.ipv4.conf.all.send_redirects=0;
294 f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.default.send_redirects=1;
295 f:/etc/sysctl.conf -> !r:^net.ipv4.conf.default.send_redirects=0;
298 #7.2.1 Disable Source Routed Packet Acceptance
299 [CIS - Debian Linux 7/8 - 7.2.1 Disable Source Routed Packet Acceptance] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
300 f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.all.accept_source_route=1;
301 f:/etc/sysctl.conf -> !r:^net.ipv4.conf.all.accept_source_route=0;
302 f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.default.accept_source_route=1;
303 f:/etc/sysctl.conf -> !r:^net.ipv4.conf.default.accept_source_route=0;
306 #7.2.2 Disable ICMP Redirect Acceptance
307 [CIS - Debian Linux 7/8 - 7.2.2 Disable ICMP Redirect Acceptance] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
308 f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.all.accept_redirects=1;
309 f:/etc/sysctl.conf -> !r:^net.ipv4.conf.all.accept_redirects=0;
310 f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.default.accept_redirects=1;
311 f:/etc/sysctl.conf -> !r:^net.ipv4.conf.default.accept_redirects=0;
314 #7.2.3 Disable Secure ICMP Redirect Acceptance
315 [CIS - Debian Linux 7/8 - 7.2.3 Disable Secure ICMP Redirect Acceptance] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
316 f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.all.secure_redirects=1;
317 f:/etc/sysctl.conf -> !r:^net.ipv4.conf.all.secure_redirects=0;
318 f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.default.secure_redirects=1;
319 f:/etc/sysctl.conf -> !r:^net.ipv4.conf.default.secure_redirects=0;
322 #7.2.4 Log Suspicious Packets
323 [CIS - Debian Linux 7/8 - 7.2.4 Log Suspicious Packets] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
324 f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.all.log_martians=0;
325 f:/etc/sysctl.conf -> !r:^net.ipv4.conf.all.log_martians=1;
326 f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.default.log_martians=0;
327 f:/etc/sysctl.conf -> !r:^net.ipv4.conf.default.log_martians=1;
330 #7.2.5 Enable Ignore Broadcast Requests
331 [CIS - Debian Linux 7/8 - 7.2.5 Enable Ignore Broadcast Requests] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
332 f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.icmp_echo_ignore_broadcasts=0;
333 f:/etc/sysctl.conf -> !r:^net.ipv4.icmp_echo_ignore_broadcasts=1;
336 #7.2.6 Enable Bad Error Message Protection
337 [CIS - Debian Linux 7/8 - 7.2.6 Enable Bad Error Message Protection] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
338 f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.icmp_ignore_bogus_error_responses=0;
339 f:/etc/sysctl.conf -> !r:^net.ipv4.icmp_ignore_bogus_error_responses=1;
342 #7.2.7 Enable RFC-recommended Source Route Validation
343 [CIS - Debian Linux 7/8 - 7.2.7 Enable RFC-recommended Source Route Validation] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
344 f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.all.rp_filter=0;
345 f:/etc/sysctl.conf -> !r:^net.ipv4.conf.all.rp_filter=1;
346 f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.default.rp_filter=0;
347 f:/etc/sysctl.conf -> !r:^net.ipv4.conf.default.rp_filter=1;
350 #7.2.8 Enable TCP SYN Cookies
351 [CIS - Debian Linux 7/8 - 7.2.8 Enable TCP SYN Cookies] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
352 f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.tcp_syncookies=0;
353 f:/etc/sysctl.conf -> !r:^net.ipv4.tcp_syncookies=1;
356 #7.3.1 Disable IPv6 Router Advertisements
357 [CIS - Debian Linux 7/8 - 7.3.1 Disable IPv6 Router Advertisements] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
358 f:/etc/sysctl.conf -> !r:^# && r:net.ipv6.conf.all.accept_ra=1;
359 f:/etc/sysctl.conf -> !r:^net.ipv6.conf.all.accept_ra=0;
360 f:/etc/sysctl.conf -> !r:^# && r:net.ipv6.conf.default.accept_ra=1;
361 f:/etc/sysctl.conf -> !r:^net.ipv6.conf.default.accept_ra=0;
364 #7.3.2 Disable IPv6 Redirect Acceptance
365 [CIS - Debian Linux 7/8 - 7.3.2 Disable IPv6 Redirect Acceptance] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
366 f:/etc/sysctl.conf -> !r:^# && r:net.ipv6.conf.all.accept_redirects=1;
367 f:/etc/sysctl.conf -> !r:^net.ipv6.conf.all.accept_redirects=0;
368 f:/etc/sysctl.conf -> !r:^# && r:net.ipv6.conf.default.accept_redirects=1;
369 f:/etc/sysctl.conf -> !r:^net.ipv6.conf.default.accept_redirects=0;
373 [CIS - Debian Linux 7/8 - 7.3.3 Disable IPv6] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
374 f:/etc/sysctl.conf -> !r:^# && r:net.ipv6.conf.all.disable_ipv6=0;
375 f:/etc/sysctl.conf -> !r:^net.ipv6.conf.all.disable_ipv6=1;
376 f:/etc/sysctl.conf -> !r:^# && r:net.ipv6.conf.default.disable_ipv6=0;
377 f:/etc/sysctl.conf -> !r:^net.ipv6.conf.default.disable_ipv6=1;
378 f:/etc/sysctl.conf -> !r:^# && r:net.ipv6.conf.lo.disable_ipv6=0;
379 f:/etc/sysctl.conf -> !r:^net.ipv6.conf.lo.disable_ipv6=1;
382 #7.4.2 Create /etc/hosts.allow
383 [CIS - Debian Linux 7/8 - 7.4.2 Create /etc/hosts.allow] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
385 f:/etc/hosts.allow -> !r:^ALL:\.*;
388 #7.4.4 Create /etc/hosts.deny
389 [CIS - Debian Linux 7/8 - 7.4.4 Create /etc/hosts.deny] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
391 f:/etc/hosts.deny -> !r:^ALL:\s*ALL;
395 [CIS - Debian Linux 7/8 - 7.5.1 Disable DCCP] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
396 f:!/etc/modprobe.d/CIS.conf;
397 f:/etc/modprobe.d/CIS.conf -> !r:^install dccp /bin/true;
401 [CIS - Debian Linux 7/8 - 7.5.2 Disable SCTP] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
402 f:!/etc/modprobe.d/CIS.conf;
403 f:/etc/modprobe.d/CIS.conf -> !r:^install sctp /bin/true;
407 [CIS - Debian Linux 7/8 - 7.5.3 Disable RDS] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
408 f:!/etc/modprobe.d/CIS.conf;
409 f:/etc/modprobe.d/CIS.conf -> !r:^install rds /bin/true;
413 [CIS - Debian Linux 7/8 - 7.5.4 Disable TIPC] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
414 f:!/etc/modprobe.d/CIS.conf;
415 f:/etc/modprobe.d/CIS.conf -> !r:^install tipc /bin/true;
418 #7.7 Ensure Firewall is active (RunLevel 2, 3, 4, 5; Priority 01)
419 [CIS - Debian Linux 7/8 - 7.7 Ensure Firewall is active (RunLevel 2, 3, 4, 5; Priority 01)] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
420 f:!/etc/rc2.d/S01iptables-persistent;
421 f:!/etc/rc3.d/S01iptables-persistent;
422 f:!/etc/rc4.d/S01iptables-persistent;
423 f:!/etc/rc5.d/S01iptables-persistent;
426 #8.2.2 Ensure the rsyslog Service is activated (RunLevel 2, 3, 4, 5; Priority 01)
427 [CIS - Debian Linux 7/8 - 8.2.2 Ensure the rsyslog Service is activated (RunLevel 2, 3, 4, 5; Priority 01)] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
428 f:!/etc/rc2.d/S01rsyslog;
429 f:!/etc/rc3.d/S01rsyslog;
430 f:!/etc/rc4.d/S01rsyslog;
431 f:!/etc/rc5.d/S01rsyslog;
434 #8.2.3 Configure /etc/rsyslog.conf
435 [CIS - Debian Linux 7/8 - 8.2.3 Configure /etc/rsyslog.conf] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
436 f:$rsyslog_files -> !r:^*.emerg\s*\t*\s*\S;
437 f:$rsyslog_files -> !r:^mail.*\s*\t*\s*\S;
438 f:$rsyslog_files -> !r:^mail.info\s*\t*\s*\S;
439 f:$rsyslog_files -> !r:^mail.warning\s*\t*\s*\S;
440 f:$rsyslog_files -> !r:^mail.err\s*\t*\s*\S;
441 f:$rsyslog_files -> !r:^news.crit\s*\t*\s*\S;
442 f:$rsyslog_files -> !r:^news.err\s*\t*\s*\S;
443 f:$rsyslog_files -> !r:^news.notice\s*\t*\s*\S;
444 f:$rsyslog_files -> !r:^*.=warning;*.=err\s*\t*\s*\S;
445 f:$rsyslog_files -> !r:^*.crit\s*\t*\s*\S;
446 f:$rsyslog_files -> !r:^*.*;mail.none;news.none\s*\t*\s*\S;
447 f:$rsyslog_files -> !r:^local0,local1.*\s*\t*\s*\S;
448 f:$rsyslog_files -> !r:^local2,local3.*\s*\t*\s*\S;
449 f:$rsyslog_files -> !r:^local4,local5.*\s*\t*\s*\S;
450 f:$rsyslog_files -> !r:^local6,local7.*\s*\t*\s*\S;
453 #8.2.5 Configure rsyslog to Send Logs to a Remote Log Host
454 [CIS - Debian Linux 7/8 - 8.2.5 Configure rsyslog to Send Logs to a Remote Log Host] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
455 f:/etc/rsyslog.conf -> !r:^*.* @@\w+.\w+.\w+;
458 #8.2.6 Accept Remote rsyslog Messages Only on Designated Log Hosts
459 [CIS - Debian Linux 7/8 - 8.2.6 Accept Remote rsyslog Messages Only on Designated Log Hosts] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
460 f:$rsyslog_files -> !r:^\$ModLoad imtcp.so;
461 f:$rsyslog_files -> !r:^\$InputTCPServerRun 514;
464 #8.4 Configure logrotate
465 [CIS - Debian Linux 7/8 - 8.4 Configure logrotate] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
466 f:!/etc/logrotate.d/rsyslog;
467 f:/etc/logrotate.d/rsyslog -> !r:\S+;
470 #9.1.1 Enable cron Daemon (RunLevel 2, 3, 4, 5; Priority 15)
471 [CIS - Debian Linux 7/8 - 9.1.1 Enable cron Daemon (RunLevel 2, 3, 4, 5; Priority 15)] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
472 f:!/etc/rc2.d/S15anacron;
473 f:!/etc/rc2.d/S15cron;
474 f:!/etc/rc3.d/S15anacron;
475 f:!/etc/rc3.d/S15cron;
476 f:!/etc/rc4.d/S15anacron;
477 f:!/etc/rc4.d/S15cron;
478 f:!/etc/rc5.d/S15anacron;
479 f:!/etc/rc5.d/S15cron;
482 #9.1.8 Restrict at/cron to Authorized Users
483 [CIS - Debian Linux 7/8 - 9.1.8 Restrict at/cron to Authorized Users] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
488 #9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib
489 [CIS - Debian Linux 7/8 - 9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
490 f:/etc/pam.d/common-password -> !r:password required pam_cracklib.so retry=\d minlen=\d\d+ dcredit=-\d+ ucredit=-\d+ ocredit=-\d+ lcredit=-\d+;
493 #9.2.2 Set Lockout for Failed Password Attempts
494 [CIS - Debian Linux 7/8 - 9.2.2 Set Lockout for Failed Password Attempts] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
495 f:/etc/pam.d/login -> !r:auth required pam_tally2.so onerr=fail audit silent deny=\d unlock_time=\d\d\d+;
498 #9.2.3 Limit Password Reuse
499 [CIS - Debian Linux 7/8 - 9.2.3 Limit Password Reuse] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
500 f:/etc/pam.d/common-password -> !r:password [success=1 default=ignore] pam_unix.so obscure sha512 remember=\d;
503 #9.3.1 Set SSH Protocol to 2
504 [CIS - Debian Linux 7/8 - 9.3.1 Set SSH Protocol to 2] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
505 f:/etc/ssh/sshd_config -> !r:^# && r:protocol 1;
506 f:/etc/ssh/sshd_config -> !r:^protocol 2$;
509 #9.3.2 Set LogLevel to INFO
510 [CIS - Debian Linux 7/8 - 9.3.2 Set LogLevel to INFO] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
511 f:/etc/ssh/sshd_config -> !r:^LogLevel\s+INFO;
514 #9.3.4 Disable SSH X11 Forwarding
515 [CIS - Debian Linux 7/8 - 9.3.4 Disable SSH X11 Forwarding] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
516 f:/etc/ssh/sshd_config -> !r:^X11Forwarding\s+no;
519 #9.3.5 Set SSH MaxAuthTries to 4 or Less
520 [CIS - Debian Linux 7/8 - 9.3.5 Set SSH MaxAuthTries to 4 or Less] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
521 f:/etc/ssh/sshd_config -> !r:^MaxAuthTries\s+\d;
522 f:/etc/ssh/sshd_config -> r:^MaxAuthTries\s+\d\d+;
523 f:/etc/ssh/sshd_config -> r:^MaxAuthTries\s+5;
524 f:/etc/ssh/sshd_config -> r:^MaxAuthTries\s+6;
525 f:/etc/ssh/sshd_config -> r:^MaxAuthTries\s+7;
526 f:/etc/ssh/sshd_config -> r:^MaxAuthTries\s+8;
527 f:/etc/ssh/sshd_config -> r:^MaxAuthTries\s+9;
530 #9.3.6 Set SSH IgnoreRhosts to Yes
531 [CIS - Debian Linux 7/8 - 9.3.6 Set SSH IgnoreRhosts to Yes] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
532 f:/etc/ssh/sshd_config -> !r:^IgnoreRhosts\s+yes;
535 #9.3.7 Set SSH HostbasedAuthentication to No
536 [CIS - Debian Linux 7/8 - 9.3.7 Set SSH HostbasedAuthentication to No] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
537 f:/etc/ssh/sshd_config -> !r:^HostbasedAuthentication\s+no;
540 #9.3.8 Disable SSH Root Login
541 [CIS - Debian Linux 7/8 - 9.3.8 Disable SSH Root Login] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
542 f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+yes;
543 f:/etc/ssh/sshd_config -> !r:^PermitRootLogin\s+no;
546 #9.3.9 Set SSH PermitEmptyPasswords to No
547 [CIS - Debian Linux 7/8 - 9.3.9 Set SSH PermitEmptyPasswords to No] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
548 f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+yes;
549 f:/etc/ssh/sshd_config -> !r:^PermitEmptyPasswords\s+no;
552 #9.3.10 Do Not Allow Users to Set Environment Options
553 [CIS - Debian Linux 7/8 - 9.3.10 Do Not Allow Users to Set Environment Options] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
554 f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+yes;
555 f:/etc/ssh/sshd_config -> !r:^PermitUserEnvironment\s+no;
558 #9.3.12 Set Idle Timeout Interval for User Login
559 [CIS - Debian Linux 7/8 - 9.3.12 Set Idle Timeout Interval for User Login] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
560 f:/etc/ssh/sshd_config -> !r:^ClientAliveInterval\s+\d+;
561 f:/etc/ssh/sshd_config -> !r:^ClientAliveCountMax\s+\d;
564 #9.3.13 Limit Access via SSH
565 [CIS - Debian Linux 7/8 - 9.3.13 Limit Access via SSH] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
566 f:/etc/ssh/sshd_config -> !r:^AllowUsers\s+\w+|^AllowGroups\s+\w+|^DenyUsers\s+\w+|^DenyGroups\s+\w+;
569 #9.3.14 Set SSH Banner
570 [CIS - Debian Linux 7/8 - 9.3.14 Set SSH Banner] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
571 f:/etc/ssh/sshd_config -> !r:^Banner\s+\S+;
574 #9.5 Restrict Access to the su Command
575 [CIS - Debian Linux 7/8 - 9.5 Restrict Access to the su Command] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
576 f:/etc/pam.d/su -> !r:auth required pam_wheel.so use_uid;
579 #10.1.1 Set Password Expiration Days
580 [CIS - Debian Linux 7/8 - 10.1.1 Set Password Expiration Days] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
581 f:/etc/login.defs -> !r:^PASS_MAX_DAYS\s+\d+;
582 f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+\d\d\d+;
583 f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+91;
584 f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+92;
585 f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+93;
586 f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+94;
587 f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+95;
588 f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+96;
589 f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+97;
590 f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+98;
591 f:/etc/login.defs -> !r:^# && r:PASS_MAX_DAYS\s+99;
594 #10.1.2 Set Password Change Minimum Number of Days
595 [CIS - Debian Linux 7/8 - 10.1.2 Set Password Change Minimum Number of Days] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
596 f:/etc/login.defs -> !r:^PASS_MIN_DAYS\s+\d+;
597 f:/etc/login.defs -> !r:^# && r:PASS_MIN_DAYS\s+1;
598 f:/etc/login.defs -> !r:^# && r:PASS_MIN_DAYS\s+2;
599 f:/etc/login.defs -> !r:^# && r:PASS_MIN_DAYS\s+3;
600 f:/etc/login.defs -> !r:^# && r:PASS_MIN_DAYS\s+4;
601 f:/etc/login.defs -> !r:^# && r:PASS_MIN_DAYS\s+5;
602 f:/etc/login.defs -> !r:^# && r:PASS_MIN_DAYS\s+6;
605 #10.1.3 Set Password Expiring Warning Days
606 [CIS - Debian Linux 7/8 - 10.1.3 Set Password Expiring Warning Days] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
607 f:/etc/login.defs -> !r:^PASS_WARN_DAYS\s+\d+;
608 f:/etc/login.defs -> !r:^# && r:PASS_WARN_DAYS\s+1;
609 f:/etc/login.defs -> !r:^# && r:PASS_WARN_DAYS\s+2;
610 f:/etc/login.defs -> !r:^# && r:PASS_WARN_DAYS\s+3;
611 f:/etc/login.defs -> !r:^# && r:PASS_WARN_DAYS\s+4;
612 f:/etc/login.defs -> !r:^# && r:PASS_WARN_DAYS\s+5;
613 f:/etc/login.defs -> !r:^# && r:PASS_WARN_DAYS\s+6;
616 #10.3 Set Default Group for root Account
617 [CIS - Debian Linux 7/8 - 10.3 Set Default Group for root Account] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
618 f:/etc/passwd -> !r:^root:\w+:\w+:0:;
621 #10.4 Set Default umask for Users
622 [CIS - Debian Linux 7/8 - 10.4 Set Default umask for Users] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
623 f:$profiledfiles -> !r:^umask 077;
624 f:/etc/bash.bashrc -> !r:^umask 077;
627 #10.5 Lock Inactive User Accounts
628 [CIS - Debian Linux 7/8 - 10.5 Lock Inactive User Accounts] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
629 f:/etc/default/useradd -> !r:^INACTIVE=\d\d*;
632 #11.1 Set Warning Banner for Standard Login Services
633 [CIS - Debian Linux 7/8 - 11.1 Set Warning Banner for Standard Login Services] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
639 #11.2 Remove OS Information from Login Warning Banners
640 [CIS - Debian Linux 7/8 - 11.2 Remove OS Information from Login Warning Banners] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
641 f:/etc/motd -> r:debian|gnu|linux;
644 #13.1 Ensure Password Fields are Not Empty
645 [CIS - Debian Linux 7/8 - 13.1 Ensure Password Fields are Not Empty] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
646 f:/etc/shadow -> r:^\w+::;
649 #13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File
650 [CIS - Debian Linux 7/8 - 13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
651 f:/etc/passwd -> !r:^# && r:^+:;
654 #13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File
655 [CIS - Debian Linux 7/8 - 13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
656 f:/etc/shadow -> !r:^# && r:^+:;
659 #13.4 Verify No Legacy "+" Entries Exist in /etc/group File
660 [CIS - Debian Linux 7/8 - 13.4 Verify No Legacy "+" Entries Exist in /etc/group File] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
661 f:/etc/group -> !r:^# && r:^+:;
664 #13.5 Verify No UID 0 Accounts Exist Other Than root
665 [CIS - Debian Linux 7/8 - 13.5 Verify No UID 0 Accounts Exist Other Than root] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
666 f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:;
669 #13.10 Check for Presence of User .rhosts Files
670 [CIS - Debian Linux 7/8 - 13.10 Check for Presence of User .rhosts Files] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
671 d:$home_dirs -> r:^.rhosts$;
674 #13.18 Check for Presence of User .netrc Files
675 [CIS - Debian Linux 7/8 - 13.18 Check for Presence of User .netrc Files] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
676 d:$home_dirs -> r:^.netrc$;
679 #13.19 Check for Presence of User .forward Files
680 [CIS - Debian Linux 7/8 - 13.19 Check for Presence of User .forward Files] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
681 d:$home_dirs -> r:^.forward$;
684 #13.20 Ensure shadow group is empty
685 [CIS - Debian Linux 7/8 - 13.20 Ensure shadow group is empty] [any] [https://workbench.cisecurity.org/benchmarks/80, https://workbench.cisecurity.org/benchmarks/81]
686 f:/etc/group -> !r:^# && r:shadow:\w*:\w*:\S+;