Audits

Disk

• Adequate free blocks on local filesystems.
• Adequate free inodes on local filesystems.
• No change in the filesystems mount table.

File

• All GIDs in /etc/group are unique.
• All Group Names in /etc/group are unique.
• All files are owned by valid users.
• Every /etc/passwd GID is a valid group.
• Every /etc/passwd home directory is valid.
• Every /etc/passwd shell is an expected value.
• Every user in /etc/group is a valid user.
• There are 4 fields in every record in /etc/group.
• There are 7 fields in every record in /etc/passwd.
• There are no new huge directories.
• There are no new large files.
• There is nothing unusual about the content of a log.
• Verify that certain files do exist.
• Verify that certain files do not exist.

Network

• All defined hosts can be pinged.
• No change in the network port services.
• No change in the network routing tables.
• No user has .rhosts in their home directory.
• No users have .netrc in their home directory.
• Untrusted network services are disabled.

Performance

• System load average is less than threshold.
• All defined URLs are responding.
• All traffic on network devices is nominal.
• MySQL is responding.
• No performance problems with network interface cards.
• No problems with swap space usage.
• The Alert Manager is working.
• The size of the mail queue is nominal.
• There is no unusual robot activity.

Process

• All daemons are up.
• All processes are owned by a current user.
• There are no runaway processes.
• There are no stalled processes.
• There are no unwanted processes.

Security

• All defined URLs have not changed.
• No change to secured directories/files.
• No one is using ssh to attack this system.
• Clamscan reports no viruses.
• There are no rootkits installed.
  
• No sticky bit directory has lost the sticky bit.
• There are no new SUID/SGID files.
• There are no new world writable files.
• There are no patterns of failed logins of concern.
• There are no patterns of failed su attempts of concern.
• There are no rogue device files.
•  All NFS exported dirs are configured to be secure.

System

• Mail is being delivered.
• Size of each system log is nominal.
• No recent system reboot.
• RPMs are current.
• System time is reasonable.
• The hostname has not changed.
• There are no trash files on the system.

User

• Every user has a password.
• All /etc/passwd login names are unique.
• All UIDs in /etc/passwd are unique.
• All mailboxes are owned and permissioned correctly.
• All passwords are shadowed.
• All users have password aging.
• Certain logins are not in /etc/passwd.
• Every user has a unique home directory.
• Root can only log in from console.
• There are no SUID/SGID login shells.
• There are no new users logged in. ­