The table below lists the sections of the CIS hardening benchmark for Rocky Linux 9.x that are covered by the script, together with the files created or modified to address each recommendation.
NOTE: Pre-CIS and Post-CIS screenshots are included for the items where the difference can be noticed, to verify the implementation of the CIS script.
| CIS Sections | File Created/Modified |
|---|---|
| Section 1 | |
| 1.1.1.1 Ensure mounting of squashfs filesystems is disabled | /etc/modprobe.d/CIS.conf |
| 1.1.1.2 Ensure mounting of udf filesystems is disabled | /etc/modprobe.d/CIS.conf (Pre-CIS / Post-CIS screenshots) |
| 1.1.2.2 Ensure nodev option set on /tmp partition | /etc/fstab |
| 1.1.2.3 Ensure noexec option set on /tmp partition | /etc/fstab |
| 1.1.2.4 Ensure nosuid option set on /tmp partition | /etc/fstab |
| 1.2.1 Ensure GPG keys are configured | Only checks the current configuration and reports the result in the output. No modification. |
| 1.7.1 Ensure message of the day is configured properly | /etc/motd |
| 1.7.2 Ensure local login warning banner is configured properly | /etc/issue |
| 1.7.3 Ensure remote login warning banner is configured properly | /etc/issue.net |
| 1.7.4 Ensure permissions on /etc/motd are configured | /etc/motd |
| 1.7.5 Ensure permissions on /etc/issue are configured | /etc/issue |
| 1.7.6 Ensure permissions on /etc/issue.net are configured | /etc/issue.net |
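The Section 1 items above leave their trace in two files the script's output does not show directly: the module blacklist in /etc/modprobe.d/CIS.conf and the /tmp mount options in /etc/fstab. The following shell script is an added example, not the hardening script this page describes; it audits constructed copies of both files so it can be run offline by an unprivileged user. The file names are the ones in the table; the expected contents (an `install <module> /bin/false` line plus a `blacklist <module>` line per module, and nodev, nosuid and noexec on /tmp) follow the CIS remediation text and are an assumption of the example, as are the sample file contents.

```shell
#!/bin/sh
# Added example, not the page's hardening script: audit constructed copies of
# /etc/modprobe.d/CIS.conf (1.1.1.1, 1.1.1.2) and /etc/fstab (1.1.2.2-1.1.2.4).
# Expected contents are taken from the CIS remediation text (assumption).

CIS_TMP=$(mktemp -d)
trap 'rm -rf "$CIS_TMP"' EXIT

# --- constructed inputs ----------------------------------------------------
# Sample CIS.conf as the script would leave it.
cat > "$CIS_TMP/CIS.conf" <<'EOF'
install squashfs /bin/false
blacklist squashfs
install udf /bin/false
blacklist udf
EOF

# Sample fstab with /tmp hardened, and one where only nodev was applied.
cat > "$CIS_TMP/fstab.good" <<'EOF'
UUID=1111-2222  /      xfs    defaults                     0 0
tmpfs           /tmp   tmpfs  defaults,nodev,nosuid,noexec 0 0
EOF
cat > "$CIS_TMP/fstab.bad" <<'EOF'
UUID=1111-2222  /      xfs    defaults        0 0
tmpfs           /tmp   tmpfs  defaults,nodev  0 0
EOF

# --- checks ----------------------------------------------------------------
# module_disabled CONF MODULE: both the "install <module> /bin/false" override
# (so modprobe cannot load it) and the "blacklist <module>" line (so it is not
# auto-loaded by alias) must be present.
module_disabled() {
    grep -Eq "^[[:space:]]*install[[:space:]]+$2[[:space:]]+/bin/(false|true)" "$1" &&
    grep -Eq "^[[:space:]]*blacklist[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# mount_has_option FSTAB MOUNTPOINT OPTION: read the options field (4th column)
# of the mount point's line and match the option as a whole comma-separated
# token, so "nodev" does not falsely match a longer option name.
mount_has_option() {
    opts=$(awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4 }' "$1")
    [ -n "$opts" ] || return 1
    echo ",$opts," | grep -q ",$3,"
}

# tmp_hardened FSTAB: all three options CIS asks for on /tmp.
tmp_hardened() {
    for opt in nodev nosuid noexec; do
        mount_has_option "$1" /tmp "$opt" || { echo "/tmp is missing $opt"; return 1; }
    done
    echo "/tmp has nodev,nosuid,noexec"
}

# --- demonstration ---------------------------------------------------------
for m in squashfs udf cramfs; do
    if module_disabled "$CIS_TMP/CIS.conf" "$m"; then echo "$m: disabled"; else echo "$m: NOT disabled"; fi
done
tmp_hardened "$CIS_TMP/fstab.good" || true
tmp_hardened "$CIS_TMP/fstab.bad"  || true
```

On a live system the file check is only half the story: a module that is already loaded stays loaded until `modprobe -r` or a reboot, and a changed fstab line takes effect only after `mount -o remount /tmp`, so the Pre-CIS / Post-CIS screenshots the page mentions are the right place to confirm the running state.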
| CIS Sections | File Created/Modified |
|---|---|
| Section 2 | |
| 2.2.1 Ensure X11 Server components are not installed | Remove the xorg-x11 packages using the yum command. (Pre-CIS / Post-CIS screenshots) |
| 2.2.17 Ensure rpcbind is not installed or the rpcbind services are masked | Disable the rpcbind service. |
| CIS Sections | File Created/Modified |
|---|---|
| Section 3 | |
| 3.2.1 Ensure IP forwarding is disabled | /etc/sysctl.conf |
| 3.2.2 Ensure packet redirect sending is disabled | /etc/sysctl.conf |
| 3.3.1 Ensure source routed packets are not accepted | /etc/sysctl.conf |
| 3.3.2 Ensure ICMP redirects are not accepted | /etc/sysctl.conf |
| 3.3.3 Ensure secure ICMP redirects are not accepted | /etc/sysctl.conf |
| 3.3.4 Ensure suspicious packets are logged | /etc/sysctl.conf |
| 3.3.5 Ensure broadcast ICMP requests are ignored | /etc/sysctl.conf |
| 3.3.6 Ensure bogus ICMP responses are ignored | /etc/sysctl.conf |
| 3.3.7 Ensure Reverse Path Filtering is enabled | /etc/sysctl.conf |
| 3.3.8 Ensure TCP SYN Cookies is enabled | /etc/sysctl.conf |
| 3.3.9 Ensure IPv6 router advertisements are not accepted | /etc/sysctl.conf |
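Every Section 3 item is a kernel parameter written to /etc/sysctl.conf, so the whole section can be verified by parsing that one file. The script below is an added example, not the page's hardening script: it lists the key/value pairs the CIS remediation for 3.2.1 through 3.3.9 sets (that list, and the sample files, are assumptions of the example) and audits a sysctl.conf-style file against them, honouring the rule that when a key appears twice the last line wins, which is how `sysctl --system` applies a file.

```shell
#!/bin/sh
# Added example, not the page's script: audit a sysctl.conf-style file against
# the kernel parameters CIS items 3.2.1-3.3.9 set. The key/value list below is
# what the CIS remediation for those items writes (assumption).

CIS_TMP=$(mktemp -d)
trap 'rm -rf "$CIS_TMP"' EXIT

# Required parameters, "key=value" per line with no spaces so a plain for
# loop can iterate them.
CIS_SYSCTL='
net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
'

# sysctl_value FILE KEY: sysctl.conf syntax is "key = value" with optional
# whitespace and "#"/";" comments. A repeated key is applied in file order,
# so the LAST occurrence is the effective one; print that (or nothing).
sysctl_value() {
    awk -F= -v key="$2" '
        /^[[:space:]]*[#;]/ || NF < 2 { next }
        { k = $1; v = $2; gsub(/[[:space:]]/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v) }
        k == key { last = v }
        END { print last }' "$1"
}

# audit_sysctl FILE: one line per parameter; returns 1 if any is missing or
# set to a non-CIS value.
audit_sysctl() {
    rc=0
    for kv in $CIS_SYSCTL; do
        key=${kv%%=*}; want=${kv#*=}
        have=$(sysctl_value "$1" "$key")
        if [ "$have" = "$want" ]; then
            echo "ok   $key = $have"
        else
            echo "FAIL $key = ${have:-<unset>} (want $want)"; rc=1
        fi
    done
    return $rc
}

# write_compliant_sysctl FILE: emit the full CIS set, as a hardening script would.
write_compliant_sysctl() {
    printf '# CIS 3.2.x / 3.3.x kernel parameters\n' > "$1"
    for kv in $CIS_SYSCTL; do echo "${kv%%=*} = ${kv#*=}" >> "$1"; done
}

# --- constructed inputs and demonstration ---------------------------------
write_compliant_sysctl "$CIS_TMP/sysctl.good"
# Partially hardened: rp_filter never set, and IP forwarding re-enabled by a
# later line, which is the value the kernel ends up with.
cat > "$CIS_TMP/sysctl.bad" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
# re-enabled further down; the later line wins
net.ipv4.ip_forward = 1
EOF
if audit_sysctl "$CIS_TMP/sysctl.good" >/dev/null; then echo "sysctl.good: all 18 parameters set"; fi
echo "sysctl.bad:"; audit_sysctl "$CIS_TMP/sysctl.bad" | grep '^FAIL' || true
```

This checks the file only. The running kernel is a separate question: /etc/sysctl.d fragments are applied as well, and nothing in the file takes effect until `sysctl --system` or a reboot, so confirm the live value with `sysctl -n <key>` after the script has run.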
| CIS Sections | File Created/Modified |
|---|---|
| Section 4 | |
| 4.1.1.2 Ensure auditing for processes that start prior to auditd is enabled | /etc/default/grub |
| 4.1.1.4 Ensure auditd service is enabled | Enable the auditd service. |
| 4.1.2.1 Ensure audit log storage size is configured | /etc/audit/auditd.conf |
| 4.1.2.2 Ensure audit logs are not automatically deleted | /etc/audit/auditd.conf (Pre-CIS / Post-CIS screenshots) |
| 4.1.2.3 Ensure system is disabled when audit logs are full | /etc/audit/auditd.conf (Pre-CIS / Post-CIS screenshots) |
| 4.1.3.1 Ensure changes to system administration scope (sudoers) is collected | /etc/audit/audit.rules |
| 4.1.3.4 Ensure events that modify date and time information are collected | /etc/audit/audit.rules |
| 4.1.3.5 Ensure events that modify the system's network environment are collected | /etc/audit/audit.rules |
| 4.1.3.7 Ensure unsuccessful unauthorized file access attempts are collected | /etc/audit/audit.rules |
| 4.1.3.8 Ensure events that modify user/group information are collected | /etc/audit/audit.rules |
| 4.1.3.9 Ensure discretionary access control permission modification events are collected | /etc/audit/audit.rules |
| 4.1.3.10 Ensure successful file system mounts are collected | /etc/audit/audit.rules |
| 4.1.3.11 Ensure session initiation information is collected | /etc/audit/audit.rules |
| 4.1.3.12 Ensure login and logout events are collected | /etc/audit/audit.rules |
| 4.1.3.13 Ensure file deletion events by users are collected | /etc/audit/audit.rules |
| 4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected | /etc/audit/audit.rules |
| 4.1.3.19 Ensure kernel module loading and unloading is collected | /etc/audit/audit.rules |
| 4.1.3.20 Ensure the audit configuration is immutable | /etc/audit/audit.rules |
| 4.2.1.1 Ensure rsyslog is installed | The script checks whether the rsyslog package is installed. If not, it prints a message asking the user to install the package. |
| 4.2.1.2 Ensure rsyslog Service is enabled and running | Enable the rsyslog service. |
| 4.2.1.4 Ensure rsyslog default file permissions configured | /etc/rsyslog.conf |
| 4.2.1.5 Ensure logging is configured | /etc/rsyslog.conf |
| 4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host | /etc/rsyslog.conf |
| 4.2.1.7 Ensure rsyslog is not configured to receive logs from a remote client | /etc/rsyslog.conf |
| 4.3 Ensure logrotate is configured | /etc/logrotate.conf and /etc/logrotate.d/ NOTE: Not modified by the script. The script points out that the customer should make the necessary changes as per internal policy. |
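The auditd items in Section 4 split into settings in /etc/audit/auditd.conf (4.1.2.x) and rules in /etc/audit/audit.rules (4.1.3.x), and the last rule, `-e 2`, has to be the final line because auditctl applies rules in order and refuses further changes once the configuration is immutable. The script below is an added example, not the hardening script on this page; it checks constructed copies of both files for a representative subset of the items (4.1.2.1 through 4.1.2.3, 4.1.3.1, 4.1.3.4, 4.1.3.19, 4.1.3.20). The expected values and rule lines are taken from the CIS remediation text and are assumptions of the example, as are the sample file contents.

```shell
#!/bin/sh
# Added example, not the page's script: check an auditd.conf and an audit
# rules file against a subset of the CIS 4.1.x items, on constructed copies
# so it runs offline without auditd installed.

CIS_TMP=$(mktemp -d)
trap 'rm -rf "$CIS_TMP"' EXIT

# conf_value FILE KEY: auditd.conf is "key = value"; take the last occurrence.
conf_value() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { k = $1; v = $2; gsub(/[[:space:]]/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v) }
        k == key { last = v }
        END { print last }' "$1"
}

# audit_auditd_conf FILE: the 4.1.2.x settings. max_log_file is a size in MB
# and is site-specific (any positive integer passes); the rest must match.
audit_auditd_conf() {
    rc=0
    size=$(conf_value "$1" max_log_file)
    case "$size" in
        ''|*[!0-9]*|0) echo "FAIL max_log_file=${size:-<unset>} (4.1.2.1)"; rc=1 ;;
        *) echo "ok   max_log_file=$size MB" ;;
    esac
    for kv in max_log_file_action=keep_logs space_left_action=email \
              action_mail_acct=root admin_space_left_action=halt; do
        key=${kv%%=*}; want=${kv#*=}; have=$(conf_value "$1" "$key")
        if [ "$have" = "$want" ]; then echo "ok   $key=$have"
        else echo "FAIL $key=${have:-<unset>} (want $want)"; rc=1; fi
    done
    return $rc
}

# rules_ok RULES: the watch/syscall rules for the items above must be present
# and "-e 2" must be the LAST active line; rules after it are never loaded.
rules_ok() {
    rc=0
    for needle in '-w /etc/sudoers -p wa -k scope' \
                  '-w /etc/sudoers.d -p wa -k scope' \
                  '-S adjtimex,settimeofday,clock_settime' \
                  '-w /etc/localtime -p wa -k time-change' \
                  '-S init_module,finit_module,delete_module'; do
        grep -Fq -- "$needle" "$1" || { echo "FAIL missing rule: $needle"; rc=1; }
    done
    lastline=$(grep -Ev '^[[:space:]]*(#|$)' "$1" | tail -n 1)
    [ "$lastline" = "-e 2" ] || { echo "FAIL last active line is '$lastline', not '-e 2'"; rc=1; }
    return $rc
}

# --- constructed inputs and demonstration ---------------------------------
cat > "$CIS_TMP/auditd.conf" <<'EOF'
log_file = /var/log/audit/audit.log
max_log_file = 8
max_log_file_action = keep_logs
space_left_action = email
action_mail_acct = root
admin_space_left_action = halt
EOF
cat > "$CIS_TMP/audit.rules" <<'EOF'
-D
-b 8192
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -k kernel_modules
-e 2
EOF
# The same rules file without the immutable flag (4.1.3.20 not applied).
grep -v '^-e 2$' "$CIS_TMP/audit.rules" > "$CIS_TMP/audit.rules.mutable"

audit_auditd_conf "$CIS_TMP/auditd.conf" || true
rules_ok "$CIS_TMP/audit.rules" && echo "audit.rules: ok"
rules_ok "$CIS_TMP/audit.rules.mutable" || true
```

Because `-e 2` locks the running configuration, a rule added to the file after the script has run is only picked up at the next reboot; that is also why a Post-CIS check should compare `auditctl -l` with the file rather than the file alone.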
| CIS Sections | File Created/Modified |
|---|---|
| Section 5 | |
| 5.1.1 Ensure cron daemon is enabled | Enable the crond service. |
| 5.1.2 Ensure permissions on /etc/crontab are configured | /etc/crontab |
| 5.1.3 Ensure permissions on /etc/cron.hourly are configured | /etc/cron.hourly |
| 5.1.4 Ensure permissions on /etc/cron.daily are configured | /etc/cron.daily (Pre-CIS / Post-CIS screenshots) |
| 5.1.5 Ensure permissions on /etc/cron.weekly are configured | /etc/cron.weekly |
| 5.1.6 Ensure permissions on /etc/cron.monthly are configured | /etc/cron.monthly |
| 5.1.7 Ensure permissions on /etc/cron.d are configured | /etc/cron.d (Pre-CIS / Post-CIS screenshots) |
| 5.1.8 Ensure cron is restricted to authorized users | /etc/cron.allow NOTE: The script only creates the file with the right permissions. The customer is requested to add the necessary users as per internal policy. |
| 5.1.9 Ensure at is restricted to authorized users | /etc/at.allow NOTE: The script only creates the file with the right permissions. The customer is requested to add the necessary users as per internal policy. |
| 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured | /etc/ssh/sshd_config |
| 5.2.4 Ensure SSH access is limited | /etc/ssh/sshd_config NOTE: As per the script message, make the necessary changes to the allow/deny user lists. |
| 5.2.5 Ensure SSH LogLevel is appropriate | /etc/ssh/sshd_config |
| 5.2.6 Ensure SSH PAM is enabled | /etc/ssh/sshd_config |
| 5.2.8 Ensure SSH HostbasedAuthentication is disabled | /etc/ssh/sshd_config |
| 5.2.9 Ensure SSH PermitEmptyPasswords is disabled | /etc/ssh/sshd_config |
| 5.2.10 Ensure SSH PermitUserEnvironment is disabled | /etc/ssh/sshd_config |
| 5.2.11 Ensure SSH IgnoreRhosts is enabled | /etc/ssh/sshd_config |
| 5.2.12 Ensure SSH X11 forwarding is disabled | /etc/ssh/sshd_config |
| 5.2.15 Ensure SSH warning banner is configured | /etc/issue.net NOTE: As per the script message, make the necessary changes to the file for an appropriate login message. |
| 5.2.16 Ensure SSH MaxAuthTries is set to 4 or less | /etc/ssh/sshd_config |
| 5.2.19 Ensure SSH LoginGraceTime is set to one minute or less | /etc/ssh/sshd_config |
| 5.2.20 Ensure SSH Idle Timeout Interval is configured | /etc/ssh/sshd_config |
| 5.3.7 Ensure access to the su command is restricted | /etc/pam.d/su Script message: Please remember to put the appropriate users into /etc/group under the wheel entry to give them su access after this script completes. |
| 5.5.1 Ensure password creation requirements are configured | /etc/pam.d/password-auth and /etc/pam.d/system-auth |
| 5.5.2 Ensure lockout for failed password attempts is configured | /etc/pam.d/password-auth and /etc/pam.d/system-auth |
| 5.5.3 Ensure password reuse is limited | /etc/pam.d/password-auth and /etc/pam.d/system-auth |
| 5.5.4 Ensure password hashing algorithm is SHA-512 or yescrypt | /etc/pam.d/password-auth and /etc/pam.d/system-auth |
| 5.6.1.1 Ensure password expiration is 365 days or less | /etc/login.defs |
| 5.6.1.2 Ensure minimum days between password changes is configured | /etc/login.defs |
| 5.6.1.3 Ensure password expiration warning days is 7 or more | /etc/login.defs |
| 5.6.1.4 Ensure inactive password lock is 30 days or less | Set the default password inactivity period to 30 days and lock the users whose passwords are older than 30 days. (Pre-CIS / Post-CIS screenshots) |
| 5.6.2 Ensure system accounts are secured | Set the shell for any accounts returned by the audit to nologin and lock any non-root accounts returned by the audit. |
| 5.6.4 Ensure default group for the root account is GID 0 | Run the usermod command: usermod -g 0 root |
| 5.6.5 Ensure default user umask is 027 or more restrictive | /etc/bashrc and /etc/profile |
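Most of the Section 5 rows are directives in /etc/ssh/sshd_config, and sshd has a parsing rule that trips up naive checks: the first occurrence of a keyword wins and later ones are ignored, keywords are case-insensitive, and anything after the first `Match` block is no longer global. The script below is an added example, not the page's hardening script; it audits constructed copies of sshd_config (5.2.5 through 5.2.20) and /etc/login.defs (5.6.1.1 through 5.6.1.3) with those rules applied. The exact-value settings and the numeric ceilings (MaxAuthTries 4, LoginGraceTime 60) come from the item titles; the idle-timeout ceilings (ClientAliveInterval 15, ClientAliveCountMax 3) and the sample files are assumptions of the example.

```shell
#!/bin/sh
# Added example, not the page's script: audit constructed sshd_config and
# login.defs files for the Section 5 items named in the lead-in.

CIS_TMP=$(mktemp -d)
trap 'rm -rf "$CIS_TMP"' EXIT

# int_between VALUE MIN MAX: true when VALUE is an integer in [MIN, MAX].
int_between() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# sshd_value FILE KEYWORD: FIRST occurrence wins, case-insensitive keyword,
# "Key value" and "Key=value" both accepted, stop at the first Match block.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/=/, " ") }                       # "Key=value" -> "Key value"; re-splits $0
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == key { print $2; exit }   # first match is the effective one
    ' "$1"
}

# logindefs_value FILE KEY: "KEY value"; take the last occurrence.
logindefs_value() {
    awk -v key="$2" '/^[[:space:]]*#/ { next } $1 == key { last = $2 } END { print last }' "$1"
}

# audit_sshd FILE: exact-value directives, then numeric ceilings.
# LoginGraceTime 0 means "no limit" in sshd, so 0 is a FAIL, not a pass.
audit_sshd() {
    rc=0
    for kv in LogLevel=VERBOSE UsePAM=yes HostbasedAuthentication=no PermitEmptyPasswords=no \
              PermitUserEnvironment=no IgnoreRhosts=yes X11Forwarding=no Banner=/etc/issue.net; do
        key=${kv%%=*}; want=${kv#*=}; have=$(sshd_value "$1" "$key")
        # 5.2.5 accepts INFO as well as VERBOSE
        if [ "$have" = "$want" ] || { [ "$key" = LogLevel ] && [ "$have" = INFO ]; }; then
            echo "ok   $key $have"
        else
            echo "FAIL $key ${have:-<unset>} (want $want)"; rc=1
        fi
    done
    for spec in MaxAuthTries:1:4 LoginGraceTime:1:60 ClientAliveInterval:1:15 ClientAliveCountMax:1:3; do
        key=${spec%%:*}; rest=${spec#*:}; lo=${rest%%:*}; hi=${rest#*:}
        have=$(sshd_value "$1" "$key")
        if int_between "$have" "$lo" "$hi"; then echo "ok   $key $have"
        else echo "FAIL $key ${have:-<unset>} (want $lo..$hi)"; rc=1; fi
    done
    return $rc
}

# audit_logindefs FILE: 5.6.1.1 (<= 365), 5.6.1.2 (>= 1), 5.6.1.3 (>= 7).
audit_logindefs() {
    rc=0
    for spec in PASS_MAX_DAYS:1:365 PASS_MIN_DAYS:1:99999 PASS_WARN_AGE:7:99999; do
        key=${spec%%:*}; rest=${spec#*:}; lo=${rest%%:*}; hi=${rest#*:}
        have=$(logindefs_value "$1" "$key")
        if int_between "$have" "$lo" "$hi"; then echo "ok   $key $have"
        else echo "FAIL $key ${have:-<unset>} (want $lo..$hi)"; rc=1; fi
    done
    return $rc
}

# --- constructed inputs and demonstration ---------------------------------
# Compliant file; the duplicate "MaxAuthTries 10" and the Match block do not
# weaken it because sshd ignores both for the global setting.
cat > "$CIS_TMP/sshd_config" <<'EOF'
LogLevel VERBOSE
UsePAM yes
HostbasedAuthentication no
PermitEmptyPasswords no
PermitUserEnvironment no
IgnoreRhosts yes
X11Forwarding no
Banner /etc/issue.net
MaxAuthTries 4
LoginGraceTime 60
ClientAliveInterval 15
ClientAliveCountMax 3
MaxAuthTries 10
Match User backup
    X11Forwarding yes
EOF
cat > "$CIS_TMP/sshd_config.bad" <<'EOF'
X11Forwarding yes
MaxAuthTries 6
LoginGraceTime 0
PermitEmptyPasswords no
EOF
printf 'PASS_MAX_DAYS\t365\nPASS_MIN_DAYS\t1\nPASS_WARN_AGE\t7\n' > "$CIS_TMP/login.defs"

audit_sshd "$CIS_TMP/sshd_config" >/dev/null && echo "sshd_config: compliant"
echo "sshd_config.bad:"; audit_sshd "$CIS_TMP/sshd_config.bad" | grep '^FAIL' || true
audit_logindefs "$CIS_TMP/login.defs" >/dev/null && echo "login.defs: compliant"
```

The first-occurrence rule cuts both ways: a hardening line appended at the end of an sshd_config that already sets the same keyword earlier (or in an `Include`d file read before it) does nothing, so after the script runs, `sshd -T` is the authoritative view of what the daemon actually uses.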
| CIS Sections | File Created/Modified |
|---|---|
| Section 6 | |
| 6.1.1 Ensure permissions on /etc/passwd are configured | /etc/passwd |
| 6.1.2 Ensure permissions on /etc/passwd- are configured | /etc/passwd- |
| 6.1.3 Ensure permissions on /etc/group are configured | /etc/group |
| 6.1.4 Ensure permissions on /etc/group- are configured | /etc/group- |
| 6.1.5 Ensure permissions on /etc/shadow are configured | /etc/shadow |
| 6.1.6 Ensure permissions on /etc/shadow- are configured | /etc/shadow- |
| 6.1.7 Ensure permissions on /etc/gshadow are configured | /etc/gshadow |
| 6.1.8 Ensure permissions on /etc/gshadow- are configured | /etc/gshadow- |
| 6.1.9 Ensure no world writable files exist | World-writable files are listed in the root.wfiles, boot.wfiles and usrlocal.wfiles files. Script message: There are world writable files on the *** partition. Please check the *** for a list of files found and make the appropriate permission changes. |
| 6.1.10 Ensure no unowned files or directories exist | Unowned files are listed in the root.unowned, boot.unowned and usrlocal.unowned files. Script message: There are unowned files/directories on the *** partition. Please check the *** for a list of files found and make the appropriate permission changes. |
| 6.1.11 Ensure no ungrouped files or directories exist | Ungrouped files are listed in the root.nogroup, boot.nogroup and usrlocal.nogroup files. Script message: There are ungrouped files/directories on the *** partition. Please check the *** for a list of files/directories found and make the appropriate permission changes. |
| 6.1.13 Audit SUID executables | SUID files are listed in the root.suid, boot.suid and usrlocal.suid files. Script message: There are SUID programs on the *** partition. Please check the *** for a list of programs found and take the appropriate action (if any). |
| 6.1.14 Audit SGID executables | SGID files are listed in the root.sgid, boot.sgid and usrlocal.sgid files. Script message: There are SGID programs on the *** partition. Please check the *** for a list of programs found and take the appropriate action (if any). |
| 6.2.2 Ensure /etc/shadow password fields are not empty | Lock any user that does not have a password, using the passwd command. |
| 6.2.9 Ensure root is the only UID 0 account | Verify that root is the only account with UID 0. |
| 6.2.10 Ensure local interactive user home directories exist | Find and list any users on the system whose home directory does not exist. |
| 6.2.11 Ensure local interactive users own their home directories | Change the ownership of home directories so that each is owned by its user. |
| 6.2.12 Ensure local interactive user home directories are mode 750 or more restrictive | chmod 700 /usr/local/strongauth Script message: The directory /usr/local/strongauth/batchrequests/domain1 must have group write permissions for the batch function to work correctly. |
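The 6.1.9 through 6.1.14 rows describe per-partition scans whose results land in the root.*, boot.* and usrlocal.* report files, and 6.2.2 and 6.2.9 are field checks on /etc/shadow and /etc/passwd. The script below is an added example, not the hardening script on this page: it runs the same kinds of scan against a constructed directory tree (standing in for one partition) and constructed passwd/shadow files, so it is safe to run as an unprivileged user. The find expressions follow the CIS audit text; the sample tree, the sample account entries and the report file names are assumptions of the example. The unowned/ungrouped scan (6.1.10, 6.1.11) is included but, since the example cannot create files owned by another user without root, it can only show an empty result here.

```shell
#!/bin/sh
# Added example, not the page's script: the filesystem and account audits
# behind 6.1.9-6.1.14, 6.2.2 and 6.2.9 on constructed inputs. The real script
# walks each local partition; here the "partition" is a temporary directory.

CIS_TMP=$(mktemp -d)
trap 'rm -rf "$CIS_TMP"' EXIT

# world_writable DIR: regular files with the other-write bit set (6.1.9).
# -xdev keeps find on the filesystem it started on, one partition per report.
world_writable() { find "$1" -xdev -type f -perm -0002 2>/dev/null | sort; }

# setid_files DIR MODEBIT: -4000 lists SUID (6.1.13), -2000 lists SGID (6.1.14).
setid_files() { find "$1" -xdev -type f -perm "$2" 2>/dev/null | sort; }

# unowned_or_ungrouped DIR: entries whose uid/gid has no passwd/group entry
# (6.1.10, 6.1.11); typically leftovers of deleted accounts.
unowned_or_ungrouped() { find "$1" -xdev \( -nouser -o -nogroup \) 2>/dev/null | sort; }

# empty_password_accounts SHADOW: accounts whose 2nd field is empty (6.2.2);
# such an account can log in with no password at all.
empty_password_accounts() { awk -F: '$2 == "" { print $1 }' "$1"; }

# uid0_accounts PASSWD: every account with UID 0 (6.2.9).
uid0_accounts() { awk -F: '$3 == 0 { print $1 }' "$1"; }

# root_only_uid0 PASSWD: true when root is the only UID 0 account.
root_only_uid0() { [ "$(uid0_accounts "$1")" = root ]; }

# --- constructed "partition" ----------------------------------------------
P="$CIS_TMP/part"
mkdir -p "$P/bin" "$P/tmp"
printf '#!/bin/sh\n' > "$P/bin/tool";     chmod 0755 "$P/bin/tool"
printf '#!/bin/sh\n' > "$P/bin/suidtool"; chmod 4755 "$P/bin/suidtool"
printf '#!/bin/sh\n' > "$P/bin/sgidtool"; chmod 2755 "$P/bin/sgidtool"
printf 'scratch\n'   > "$P/tmp/open.txt"; chmod 0666 "$P/tmp/open.txt"

# --- constructed account databases (hashes are placeholders) --------------
cat > "$CIS_TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0 account:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
EOF
cat > "$CIS_TMP/shadow" <<'EOF'
root:$6$placeholderhash:19000:0:99999:7:::
alice::19000:0:99999:7:::
EOF

# --- demonstration: the per-partition reports the script writes -----------
world_writable "$P"        > "$CIS_TMP/part.wfiles"
setid_files "$P" -4000     > "$CIS_TMP/part.suid"
setid_files "$P" -2000     > "$CIS_TMP/part.sgid"
unowned_or_ungrouped "$P"  > "$CIS_TMP/part.unowned"
for f in wfiles suid sgid unowned; do echo "== part.$f"; cat "$CIS_TMP/part.$f"; done
echo "== accounts with an empty password field"; empty_password_accounts "$CIS_TMP/shadow"
echo "== UID 0 accounts";                         uid0_accounts "$CIS_TMP/passwd"
root_only_uid0 "$CIS_TMP/passwd" || echo "FAIL: root is not the only UID 0 account"
```

The SUID/SGID lists are audits rather than fixes (the page says "take the appropriate action (if any)"): most entries on a stock system are legitimate, so the useful comparison is the report against the package-owned set from `rpm -V`, not simply stripping the bits.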