Product Documentation

The table below lists the sections of the CIS hardening benchmark for Rocky Linux 9.x that are covered by the script, together with the files that are created or modified to address each recommendation.

NOTE: Screenshots are included for the sections where the difference can be noticed, so that the implementation of the CIS script can be verified.


Section 1

| CIS Sections | File Created/Modified |
|---|---|
| 1.1.1.1 Ensure mounting of squashfs filesystems is disabled | /etc/modprobe.d/CIS.conf |
| 1.1.1.2 Ensure mounting of udf filesystems is disabled | /etc/modprobe.d/CIS.conf (screenshots: Pre-CIS, Post-CIS) |
| 1.1.2.2 Ensure nodev option set on /tmp partition | /etc/fstab |
| 1.1.2.3 Ensure noexec option set on /tmp partition | /etc/fstab |
| 1.1.2.4 Ensure nosuid option set on /tmp partition | /etc/fstab |
| 1.2.1 Ensure GPG keys are configured | Checks only the current configuration and reports the result in the output; no modification. |
| 1.7.1 Ensure message of the day is configured properly | /etc/motd |
| 1.7.2 Ensure local login warning banner is configured properly | /etc/issue |
| 1.7.3 Ensure remote login warning banner is configured properly | /etc/issue.net |
| 1.7.4 Ensure permissions on /etc/motd are configured | /etc/motd |
| 1.7.5 Ensure permissions on /etc/issue are configured | /etc/issue |
| 1.7.6 Ensure permissions on /etc/issue.net are configured | /etc/issue.net |


Section 2

| CIS Sections | File Created/Modified |
|---|---|
| 2.2.1 Ensure X11 Server components are not installed | Remove the xorg-x11 packages using the ‘yum’ command. (screenshots: Pre-CIS, Post-CIS) |
| 2.2.17 Ensure rpcbind is not installed or the rpcbind services are masked | Disable the rpcbind service. |


Section 3

| CIS Sections | File Created/Modified |
|---|---|
| 3.2.1 Ensure IP forwarding is disabled | /etc/sysctl.conf |
| 3.2.2 Ensure packet redirect sending is disabled | /etc/sysctl.conf |
| 3.3.1 Ensure source routed packets are not accepted | /etc/sysctl.conf |
| 3.3.2 Ensure ICMP redirects are not accepted | /etc/sysctl.conf |
| 3.3.3 Ensure secure ICMP redirects are not accepted | /etc/sysctl.conf |
| 3.3.4 Ensure suspicious packets are logged | /etc/sysctl.conf |
| 3.3.5 Ensure broadcast ICMP requests are ignored | /etc/sysctl.conf |
| 3.3.6 Ensure bogus ICMP responses are ignored | /etc/sysctl.conf |
| 3.3.7 Ensure Reverse Path Filtering is enabled | /etc/sysctl.conf |
| 3.3.8 Ensure TCP SYN Cookies is enabled | /etc/sysctl.conf |
| 3.3.9 Ensure IPv6 router advertisements are not accepted | /etc/sysctl.conf |
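Every Section 3 item lands in /etc/sysctl.conf, which makes the post-CIS state easy to verify independently of the screenshots. The POSIX shell snippet below is an added example, not part of the StrongKey CIS script or its documentation: it audits a sysctl.conf-style file against the Section 3 items, reporting each key that is missing or set to a non-compliant value and returning the number of findings. The expected values are those the CIS Rocky Linux 9 benchmark prescribes for items 3.2.1 through 3.3.9; the helper names (`effective_value`, `audit_sysctl_file`) and the sample file the demo writes are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the StrongKey CIS script: audit a sysctl.conf-style
# file against the Section 3 recommendations. Expected values are the ones the
# CIS Rocky Linux 9 benchmark prescribes for items 3.2.1 - 3.3.9.

# key=value pairs the Section 3 items require to be present in /etc/sysctl.conf.
CIS_SYSCTL_EXPECTED='
net.ipv4.ip_forward=0
net.ipv6.conf.all.forwarding=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
'

# escape_re STRING: escape the dots so a sysctl key can be used literally in a sed BRE.
escape_re() {
    printf '%s\n' "$1" | sed 's/\./\\./g'
}

# effective_value FILE KEY: print the last non-comment assignment of KEY in FILE.
# sysctl applies settings in file order, so the last assignment wins; prints
# nothing when the key is absent or only present in a comment.
effective_value() {
    key_re=$(escape_re "$2")
    sed -n 's/^[[:space:]]*'"$key_re"'[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# audit_sysctl_file FILE: print one line per missing or wrong setting.
# The return value is the number of findings, so 0 means every item is compliant.
audit_sysctl_file() {
    findings=0
    for pair in $CIS_SYSCTL_EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(effective_value "$1" "$key")
        if [ -z "$got" ]; then
            echo "MISSING $key (want $want)"
            findings=$((findings + 1))
        elif [ "$got" != "$want" ]; then
            echo "WRONG   $key = $got (want $want)"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Demo on a constructed pre-hardening file (not a real system's sysctl.conf).
demo() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
# constructed sample: IP forwarding still on, only SYN cookies already set
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
EOF
    if audit_sysctl_file "$sample"; then
        echo "compliant"
    else
        echo "findings: $?"
    fi
    rm -f "$sample"
}

demo
```

Run it against the real file with `audit_sysctl_file /etc/sysctl.conf` before and after the script to get the same pre-CIS/post-CIS comparison the screenshots show, in text form. Note that this checks the persisted configuration only; the running kernel values (`sysctl -a`) can differ until the settings are reloaded.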


Section 4

| CIS Sections | File Created/Modified |
|---|---|
| 4.1.1.2 Ensure auditing for processes that start prior to auditd is enabled | /etc/default/grub |
| 4.1.1.4 Ensure auditd service is enabled | Enable the auditd service. |
| 4.1.2.1 Ensure audit log storage size is configured | /etc/audit/auditd.conf |
| 4.1.2.2 Ensure audit logs are not automatically deleted | /etc/audit/auditd.conf (screenshots: Pre-CIS, Post-CIS) |
| 4.1.2.3 Ensure system is disabled when audit logs are full | /etc/audit/auditd.conf (screenshots: Pre-CIS, Post-CIS) |
| 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected | /etc/audit/audit.rules |
| 4.1.3.4 Ensure events that modify date and time information are collected | /etc/audit/audit.rules |
| 4.1.3.5 Ensure events that modify the system's network environment are collected | /etc/audit/audit.rules |
| 4.1.3.7 Ensure unsuccessful unauthorized file access attempts are collected | /etc/audit/audit.rules |
| 4.1.3.8 Ensure events that modify user/group information are collected | /etc/audit/audit.rules |
| 4.1.3.9 Ensure discretionary access control permission modification events are collected | /etc/audit/audit.rules |
| 4.1.3.10 Ensure successful file system mounts are collected | /etc/audit/audit.rules |
| 4.1.3.11 Ensure session initiation information is collected | /etc/audit/audit.rules |
| 4.1.3.12 Ensure login and logout events are collected | /etc/audit/audit.rules |
| 4.1.3.13 Ensure file deletion events by users are collected | /etc/audit/audit.rules |
| 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected | /etc/audit/audit.rules |
| 4.1.3.19 Ensure kernel module loading and unloading is collected | /etc/audit/audit.rules |
| 4.1.3.20 Ensure the audit configuration is immutable | /etc/audit/audit.rules |
| 4.2.1.1 Ensure rsyslog is installed | The script checks whether the rsyslog package is installed; if it is not, it prints a message asking the user to install the package. |
| 4.2.1.2 Ensure rsyslog service is enabled and running | Enable the rsyslog service. |
| 4.2.1.4 Ensure rsyslog default file permissions configured | /etc/rsyslog.conf |
| 4.2.1.5 Ensure logging is configured | /etc/rsyslog.conf |
| 4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host | /etc/rsyslog.conf |
| 4.2.1.7 Ensure rsyslog is not configured to receive logs from a remote client | /etc/rsyslog.conf |
| 4.3 Ensure logrotate is configured | /etc/logrotate.conf and /etc/logrotate.d/. NOTE: Not modified by the script; the script points out that the customer should make the necessary changes as per internal policy. |


Section 5

| CIS Sections | File Created/Modified |
|---|---|
| 5.1.1 Ensure cron daemon is enabled | Enable the crond service. |
| 5.1.2 Ensure permissions on /etc/crontab are configured | /etc/crontab |
| 5.1.3 Ensure permissions on /etc/cron.hourly are configured | /etc/cron.hourly |
| 5.1.4 Ensure permissions on /etc/cron.daily are configured | /etc/cron.daily (screenshots: Pre-CIS, Post-CIS) |
| 5.1.5 Ensure permissions on /etc/cron.weekly are configured | /etc/cron.weekly |
| 5.1.6 Ensure permissions on /etc/cron.monthly are configured | /etc/cron.monthly |
| 5.1.7 Ensure permissions on /etc/cron.d are configured | /etc/cron.d (screenshots: Pre-CIS, Post-CIS) |
| 5.1.8 Ensure cron is restricted to authorized users | /etc/cron.allow. NOTE: The script only creates the file with the right permissions; the customer is requested to add the necessary users as per internal policy. |
| 5.1.9 Ensure at is restricted to authorized users | /etc/at.allow. NOTE: The script only creates the file with the right permissions; the customer is requested to add the necessary users as per internal policy. |
| 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured | /etc/ssh/sshd_config |
| 5.2.4 Ensure SSH access is limited | /etc/ssh/sshd_config. NOTE: As per the script message, make the necessary changes to the allow/deny users settings. |
| 5.2.5 Ensure SSH LogLevel is appropriate | /etc/ssh/sshd_config |
| 5.2.6 Ensure SSH PAM is enabled | /etc/ssh/sshd_config |
| 5.2.8 Ensure SSH HostbasedAuthentication is disabled | /etc/ssh/sshd_config |
| 5.2.9 Ensure SSH PermitEmptyPasswords is disabled | /etc/ssh/sshd_config |
| 5.2.10 Ensure SSH PermitUserEnvironment is disabled | /etc/ssh/sshd_config |
| 5.2.11 Ensure SSH IgnoreRhosts is enabled | /etc/ssh/sshd_config |
| 5.2.12 Ensure SSH X11 forwarding is disabled | /etc/ssh/sshd_config |
| 5.2.15 Ensure SSH warning banner is configured | /etc/issue.net. NOTE: As per the script message, make the necessary changes to the file for an appropriate login message. |
| 5.2.16 Ensure SSH MaxAuthTries is set to 4 or less | /etc/ssh/sshd_config |
| 5.2.19 Ensure SSH LoginGraceTime is set to one minute or less | /etc/ssh/sshd_config |
| 5.2.20 Ensure SSH Idle Timeout Interval is configured | /etc/ssh/sshd_config |
| 5.3.7 Ensure access to the su command is restricted | /etc/pam.d/su. Script message: "Please remember to put the appropriate users into /etc/group under the wheel entry to give them su access after this script completes." |
| 5.5.1 Ensure password creation requirements are configured | /etc/pam.d/password-auth and /etc/pam.d/system-auth |
| 5.5.2 Ensure lockout for failed password attempts is configured | /etc/pam.d/password-auth and /etc/pam.d/system-auth |
| 5.5.3 Ensure password reuse is limited | /etc/pam.d/password-auth and /etc/pam.d/system-auth |
| 5.5.4 Ensure password hashing algorithm is SHA-512 or yescrypt | /etc/pam.d/password-auth and /etc/pam.d/system-auth |
| 5.6.1.1 Ensure password expiration is 365 days or less | /etc/login.defs |
| 5.6.1.2 Ensure minimum days between password changes is configured | /etc/login.defs |
| 5.6.1.3 Ensure password expiration warning days is 7 or more | /etc/login.defs |
| 5.6.1.4 Ensure inactive password lock is 30 days or less | Set the default password inactivity period to 30 days and inactivate users whose passwords are older than 30 days. (screenshots: Pre-CIS, Post-CIS) |
| 5.6.2 Ensure system accounts are secured | Set the shell of any accounts returned by the audit to nologin and lock any non-root accounts returned by the audit. |
| 5.6.4 Ensure default group for the root account is GID 0 | Run the usermod command: usermod -g 0 root |
| 5.6.5 Ensure default user umask is 027 or more restrictive | /etc/bashrc and /etc/profile |


Section 6

| CIS Sections | File Created/Modified |
|---|---|
| 6.1.1 Ensure permissions on /etc/passwd are configured | /etc/passwd |
| 6.1.2 Ensure permissions on /etc/passwd- are configured | /etc/passwd- |
| 6.1.3 Ensure permissions on /etc/group are configured | /etc/group |
| 6.1.4 Ensure permissions on /etc/group- are configured | /etc/group- |
| 6.1.5 Ensure permissions on /etc/shadow are configured | /etc/shadow |
| 6.1.6 Ensure permissions on /etc/shadow- are configured | /etc/shadow- |
| 6.1.7 Ensure permissions on /etc/gshadow are configured | /etc/gshadow |
| 6.1.8 Ensure permissions on /etc/gshadow- are configured | /etc/gshadow- |
| 6.1.9 Ensure no world writable files exist | World writable files are listed in the root.wfiles, boot.wfiles and usrlocal.wfiles files. Script message: "There are world writable files on the *** partition. Please check the *** for a list of files found and take the appropriate permission changes." |
| 6.1.10 Ensure no unowned files or directories exist | Unowned files are listed in the root.unowned, boot.unowned and usrlocal.unowned files. Script message: "There are unowned files/directories on the *** partition. Please check the *** for a list of files found and take the appropriate permission changes." |
| 6.1.11 Ensure no ungrouped files or directories exist | Ungrouped files are listed in the root.nogroup, boot.nogroup and usrlocal.nogroup files. Script message: "There are ungrouped files/directories on the *** partition. Please check the *** for a list of files/directories found and take the appropriate permission changes." |
| 6.1.13 Audit SUID executables | SUID files are listed in the root.suid, boot.suid and usrlocal.suid files. Script message: "There are SUID programs on the *** partition. Please check the *** for a list of programs found and take the appropriate action (if any)." |
| 6.1.14 Audit SGID executables | SGID files are listed in the root.sgid, boot.sgid and usrlocal.sgid files. Script message: "There are SGID programs on the *** partition. Please check the *** for a list of programs found and take the appropriate action (if any)." |
| 6.2.2 Ensure /etc/shadow password fields are not empty | Lock any user that does not have a password, using the passwd command. |
| 6.2.9 Ensure root is the only UID 0 account | Verify that root has UID 0. |
| 6.2.10 Ensure local interactive user home directories exist | Find and list any users on the system whose home directory does not exist. |
| 6.2.11 Ensure local interactive users own their home directories | Update home directories so that they are owned by their user. |
| 6.2.12 Ensure local interactive user home directories are mode 750 or more restrictive | chmod 700 /usr/local/strongauth. Script message: "The directory /usr/local/strongauth/batchrequests/domain1 must have group write permissions for the batch function to work correctly." |