Audits

Disk

  • Adequate free blocks on local filesystems.
  • Adequate free inodes on local filesystems.
  • No change in the filesystems mount table.

File

  • All GIDs in /etc/group are unique.
  • All Group Names in /etc/group are unique.
  • All files are owned by valid users.
  • Every /etc/passwd GID is a valid group.
  • Every /etc/passwd home directory is valid.
  • Every /etc/passwd shell is an expected value.
  • Every user in /etc/group is a valid user.
  • There are 4 fields in every record in /etc/group.
  • There are 7 fields in every record in /etc/passwd.
  • There are no errors in /etc/fstab.
  • There are no new huge directories.
  • There are no new large files.
  • There is nothing unusual about the content of a log.
  • Verify that certain files do exist.
  • Verify that certain files do not exist.

Network

  • All defined hosts can be pinged.
  • No change in the network port services.
  • No change in the network routing tables.
  • No user has .rhosts in their home directory.
  • No users have .netrc in their home directory.
  • Untrusted network services are disabled.

Performance

  • System load average is less than threshold.
  • All defined URLs are responding.
  • All traffic on network devices is nominal.
  • MySQL is responding.
  • No performance problems with network interface cards.
  • No problems with swap space usage.
  • The Alert Manager is working.
  • The size of the mail queue is nominal.

Process

  • All daemons are up.
  • All processes are owned by a current user.
  • There are no runaway processes.
  • There are no stalled processes.
  • There are no unwanted processes.

Security

  • All defined URLs have not changed.
  • No change to secured directories/files.
  • No one is using ssh to attack this system.
  • Clamscan reports no viruses.
  • There are no rootkits installed.
  • No sticky bit directory has lost the sticky bit.
  • There are no new SUID/SGID files.
  • There are no new world writable files.
  • There are no patterns of failed logins of concern.
  • There are no patterns of failed su attempts of concern.
  • There are no rogue device files.
  • All NFS exported dirs are configured to be secure.

System

  • Mail is being delivered.
  • Size of each system log is nominal.
  • No recent system reboot.
  • RPMs are current.
  • System clock is reasonable.
  • The hostname has not changed.
  • There are no trash files on the system.

User

  • Every user has a password.
  • All /etc/passwd login names are unique.
  • All UIDs in /etc/passwd are unique.
  • All mailboxes are owned and permissioned correctly.
  • All passwords are shadowed.
  • All users have password aging.
  • Certain logins are not in /etc/passwd.
  • Every user has a unique home directory.
  • Root can only log in from console.
  • There are no SUID/SGID login shells.
  • There are no new users logged in.

Permanent link to this article: https://www.ossonar.com/audits/