The table below lists the sections of the CIS hardening benchmark for Red Hat Enterprise Linux (RHEL) 7.x that are covered by the script, together with the files created or modified to address each recommendation.

NOTE: Screenshots are included for sections where the difference is visible, so that the implementation of the CIS script can be verified.

| CIS Sections | File Created/Modified |
|---|---|
| Section 1 | |
| 1.1.1.1 Ensure mounting of cramfs filesystems is disabled | /etc/modprobe.d/CIS.conf |
| 1.1.1.2 Ensure mounting of squashfs filesystems is disabled | /etc/modprobe.d/CIS.conf |
| 1.1.1.3 Ensure mounting of udf filesystems is disabled | /etc/modprobe.d/CIS.conf |
| (Screenshots: Pre-CIS and Post-CIS) | |
| 1.1.3 Ensure noexec option set on /tmp partition | /etc/fstab |
| 1.1.4 Ensure nodev option set on /tmp partition | /etc/fstab |
| 1.1.5 Ensure nosuid option set on /tmp partition | /etc/fstab |
| 1.1.23 Disable Automounting | |
| 1.2.1 Ensure GPG keys are configured | Only checks the current configuration and reports the result in the output. No modification. |
| 1.4.3 Ensure authentication required for single user mode | /etc/sysconfig/init |
| 1.5.1 Ensure core dumps are restricted | /etc/sysconfig/init |
| (Screenshots: Pre-CIS and Post-CIS) | |
| 1.5.4 Ensure prelink is not installed | Remove the prelink package (if installed) using the 'yum' command. |
| 1.7.1 Ensure message of the day is configured properly | /etc/motd |
| 1.7.2 Ensure local login warning banner is configured properly | /etc/issue |
| 1.7.3 Ensure remote login warning banner is configured properly | /etc/issue.net |
| 1.7.4 Ensure permissions on /etc/motd are configured | /etc/motd |
| 1.7.6 Ensure permissions on /etc/issue.net are configured | /etc/issue |
| Section 2 | |
| 2.2.2 Ensure X11 Server components are not installed | Remove xorg-x11 packages using the 'yum' command. |
| (Screenshots: Pre-CIS and Post-CIS) | |
| 2.2.18 Ensure rpcbind is not installed or the rpcbind services are masked | Disable the rpcbind service. |
| 2.3.1 Ensure NIS Client is not installed | Remove the ypbind package using the 'yum' command. |
| Section 3 | |
| 3.2.1 Ensure IP forwarding is disabled | /etc/sysctl.conf |
| 3.2.2 Ensure packet redirect sending is disabled | /etc/sysctl.conf |
| (Screenshots: Pre-CIS and Post-CIS) | |
| 3.3.1 Ensure source routed packets are not accepted | /etc/sysctl.conf |
| 3.3.2 Ensure ICMP redirects are not accepted | /etc/sysctl.conf |
| (Screenshots: Pre-CIS and Post-CIS) | |
| 3.3.3 Ensure secure ICMP redirects are not accepted | /etc/sysctl.conf |
| 3.3.4 Ensure suspicious packets are logged | /etc/sysctl.conf |
| 3.3.5 Ensure broadcast ICMP requests are ignored | /etc/sysctl.conf |
| 3.3.6 Ensure bogus ICMP responses are ignored | /etc/sysctl.conf |
| 3.3.7 Ensure Reverse Path Filtering is enabled | /etc/sysctl.conf |
| 3.3.8 Ensure TCP SYN Cookies is enabled | /etc/sysctl.conf |
| 3.3.9 Ensure IPv6 router advertisements are not accepted | /etc/sysctl.conf |
| 3.4.1 Ensure DCCP is disabled | /etc/modprobe.d/CIS.conf |
| 3.4.2 Ensure SCTP is disabled | /etc/modprobe.d/CIS.conf |
| (Screenshots: Pre-CIS and Post-CIS) | |
| Section 4 | |
| 4.1.1.2 Ensure auditd service is enabled and running | Enable the auditd service. |
| 4.1.2.1 Ensure audit log storage size is configured | /etc/audit/auditd.conf |
| 4.1.2.2 Ensure audit logs are not automatically deleted | /etc/audit/auditd.conf |
| (Screenshots: Pre-CIS and Post-CIS) | |
| 4.1.2.3 Ensure system is disabled when audit logs are full | /etc/audit/auditd.conf |
| (Screenshots: Pre-CIS and Post-CIS) | |
| 4.1.2.4 Ensure audit_backlog_limit is sufficient | /etc/default/grub |
| 4.1.3 Ensure events that modify date and time information are collected | /etc/audit/audit.rules |
| 4.1.4 Ensure events that modify user/group information are collected | /etc/audit/audit.rules |
| 4.1.5 Ensure events that modify the system's network environment are collected | /etc/audit/audit.rules |
| 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected | /etc/audit/audit.rules |
| 4.1.7 Ensure login and logout events are collected | /etc/audit/audit.rules |
| 4.1.8 Ensure session initiation information is collected | /etc/audit/audit.rules |
| 4.1.9 Ensure discretionary access control permission modification events are collected | /etc/audit/audit.rules |
| 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected | /etc/audit/audit.rules |
| 4.1.11 Ensure use of privileged commands is collected | /etc/audit/audit.rules |
| 4.1.12 Ensure successful file system mounts are collected | /etc/audit/audit.rules |
| 4.1.13 Ensure file deletion events by users are collected | /etc/audit/audit.rules |
| 4.1.14 Ensure changes to system command executions (sudo) are collected | /etc/audit/audit.rules |
| 4.1.15 Ensure system administrator command executions (sudo) are collected | /etc/audit/audit.rules |
| 4.1.16 Ensure kernel module loading and unloading is collected | /etc/audit/audit.rules |
| 4.1.17 Ensure the audit configuration is immutable | /etc/audit/audit.rules |
| 4.2.1.2 Ensure rsyslog Service is enabled and running | Enable the rsyslog service. |
| 4.2.1.4 Ensure logging is configured | /etc/rsyslog.conf |
| 4.2.1.3 Ensure rsyslog default file permissions configured | /etc/rsyslog.conf |
| 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host | /etc/rsyslog.conf |
| 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts | /etc/rsyslog.conf |
| 4.2.3 Ensure permissions on all logfiles are configured | /var/log |
| 4.2.4 Ensure logrotate is configured | /etc/logrotate.conf and /etc/logrotate.d/ NOTE: Not modified by the script. The script reports that the customer should make the necessary changes as per internal policy. |
| Section 5 | |
| 5.1.1 Ensure cron daemon is enabled and running | Enable the crond service. |
| 5.1.2 Ensure permissions on /etc/crontab are configured | /etc/crontab |
| 5.1.3 Ensure permissions on /etc/cron.hourly are configured | /etc/cron.hourly |
| 5.1.4 Ensure permissions on /etc/cron.daily are configured | /etc/cron.daily |
| (Screenshots: Pre-CIS and Post-CIS) | |
| 5.1.5 Ensure permissions on /etc/cron.weekly are configured | /etc/cron.weekly |
| 5.1.6 Ensure permissions on /etc/cron.monthly are configured | /etc/cron.monthly |
| 5.1.7 Ensure permissions on /etc/cron.d are configured | /etc/cron.d |
| (Screenshots: Pre-CIS and Post-CIS) | |
| 5.1.8 Ensure cron is restricted to authorized users | /etc/cron.allow NOTE: The script only creates the file with the correct permissions. The customer is requested to add the necessary users as per internal policy. |
| 5.1.9 Ensure at is restricted to authorized users | /etc/at.allow NOTE: The script only creates the file with the correct permissions. The customer is requested to add the necessary users as per internal policy. |
| 5.3.1 Ensure permissions on /etc/ssh/sshd_config are configured | /etc/ssh/sshd_config |
| 5.3.4 Ensure SSH access is limited | /etc/ssh/sshd_config NOTE: As per the script message, make the necessary changes to the allow/deny user lists. |
| 5.3.5 Ensure SSH LogLevel is appropriate | /etc/ssh/sshd_config |
| 5.3.6 Ensure SSH X11 forwarding is disabled | /etc/ssh/sshd_config |
| 5.3.7 Ensure SSH MaxAuthTries is set to 4 or less | /etc/ssh/sshd_config |
| 5.3.8 Ensure SSH IgnoreRhosts is enabled | /etc/ssh/sshd_config |
| 5.3.9 Ensure SSH HostbasedAuthentication is disabled | /etc/ssh/sshd_config |
| 5.3.11 Ensure SSH PermitEmptyPasswords is disabled | /etc/ssh/sshd_config |
| 5.3.12 Ensure SSH PermitUserEnvironment is disabled | /etc/ssh/sshd_config |
| 5.3.13 Ensure only strong Ciphers are used | /etc/ssh/sshd_config |
| 5.3.14 Ensure only strong MAC algorithms are used | /etc/ssh/sshd_config |
| 5.3.16 Ensure SSH Idle Timeout Interval is configured | /etc/ssh/sshd_config |
| (Screenshots: Pre-CIS and Post-CIS) | |
| 5.3.17 Ensure SSH LoginGraceTime is set to one minute or less | /etc/ssh/sshd_config |
| 5.3.18 Ensure SSH warning banner is configured | /etc/issue.net NOTE: As per the script message, make the necessary changes to the file for an appropriate login message. |
| 5.4.1 Ensure password creation requirements are configured | /etc/pam.d/password-auth and /etc/pam.d/system-auth |
| 5.4.2 Ensure lockout for failed password attempts is configured | /etc/pam.d/password-auth and /etc/pam.d/system-auth |
| 5.4.4 Ensure password reuse is limited | /etc/pam.d/password-auth and /etc/pam.d/system-auth |
| (Screenshots: Pre-CIS and Post-CIS) | |
| 5.4.3 Ensure password hashing algorithm is SHA-512 | /etc/pam.d/password-auth and /etc/pam.d/system-auth |
| 5.5.1.1 Ensure password expiration is 365 days or less | /etc/login.defs |
| 5.5.1.2 Ensure minimum days between password changes is configured | /etc/login.defs |
| 5.5.1.3 Ensure password expiration warning days is 7 or more | /etc/login.defs |
| (Screenshots: Pre-CIS and Post-CIS) | |
| 5.5.1.4 Ensure inactive password lock is 30 days or less | Set the default password inactivity period to 30 days and inactivate the users whose passwords are older than 30 days. |
| 5.5.2 Ensure system accounts are secured | Set the shell of any accounts returned by the audit to nologin and lock any non-root accounts returned by the audit. |
| 5.5.3 Ensure default group for the root account is GID 0 | Run the usermod command: usermod -g 0 root |
| 5.5.5 Ensure default user umask is configured | /etc/bashrc and /etc/profile |
| 5.6 Ensure root login is restricted to system console | Script message: Please edit the /etc/securetty file after this script and remove any consoles that are not allowed by company policy. |
| 5.7 Ensure access to the su command is restricted | /etc/pam.d/su Script message: Please remember to put the appropriate users into /etc/group under the wheel entry to give them su access after this script completes. |
| Section 6 | |
| 6.1.2 Ensure permissions on /etc/passwd are configured | /etc/passwd |
| 6.1.3 Ensure permissions on /etc/passwd- are configured | /etc/passwd- |
| 6.1.8 Ensure permissions on /etc/group are configured | /etc/group |
| 6.1.9 Ensure permissions on /etc/group- are configured | /etc/group- |
| 6.1.4 Ensure permissions on /etc/shadow are configured | /etc/shadow |
| 6.1.5 Ensure permissions on /etc/shadow- are configured | /etc/shadow- |
| 6.1.7 Ensure permissions on /etc/gshadow are configured | /etc/gshadow |
| 6.1.8 Ensure permissions on /etc/gshadow- are configured | /etc/gshadow- |
| 6.1.10 Ensure no world writable files exist | World-writable files are listed in the root.wfiles, boot.wfiles and usrlocal.wfiles files. Script message: There are world writable files on the *** partition. Please check the *** for a list of files found and take the appropriate permission changes. |
| 6.1.11 Ensure no unowned files or directories exist | Unowned files are listed in the root.unowned, boot.unowned and usrlocal.unowned files. Script message: There are unowned files/directories on the *** partition. Please check the *** for a list of files found and take the appropriate permission changes. |
| 6.1.12 Ensure no ungrouped files or directories exist | Ungrouped files are listed in the root.nogroup, boot.nogroup and usrlocal.nogroup files. Script message: There are ungrouped files/directories on the *** partition. Please check the *** for a list of files/directories found and take the appropriate permission changes. |
| 6.1.13 Audit SUID executables | SUID files are listed in the root.suid, boot.suid and usrlocal.suid files. Script message: There are SUID programs on the *** partition. Please check the *** for a list of programs found and take the appropriate action (if any). |
| 6.1.14 Audit SGID executables | SGID files are listed in the root.sgid, boot.sgid and usrlocal.sgid files. Script message: There are SGID programs on the *** partition. Please check the *** for a list of programs found and take the appropriate action (if any). |
| 6.2.2 Ensure /etc/shadow password fields are not empty | Lock any user that does not have a password, using the passwd command. |
| 6.2.9 Ensure root is the only UID 0 account | Verify that root has UID 0. |
| 6.2.11 Ensure all users' home directories exist | Find and list any users on the system whose home directory does not exist. |
| 6.2.12 Ensure users own their home directories | Update home directories so that they are owned by their user. |
| 6.2.13 Ensure users' home directories permissions are 750 or more restrictive | chmod 700 /usr/local/strongauth Script message: The directory /usr/local/strongauth/batchrequests/domain1 must have group write permissions for the batch function to work correctly. |