CIS Benchmarks for Linux Systems

Objective:

Below are the standard guidelines from the CIS Benchmark for adopting a secure configuration posture on Linux systems running on x86 and x64 platforms. This benchmark is intended for system and application administrators, security specialists, auditors, helpdesk staff, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Linux on the x86 or x64 platform.

About CIS Benchmarks:

CIS Benchmarks are a set of guidelines and best practices for securing IT systems, networks, and infrastructure. They are developed by the Center for Internet Security (CIS), a global non-profit organization. CIS Benchmarks are free to the public and are used by thousands of businesses.

Note: It is advisable to verify the integrity of the root user's PATH and of any programs being run before executing audit or remediation commands and scripts.

–> Disable unused filesystems

Ensure mounting of cramfs filesystems is disabled

Ensure mounting of freevxfs filesystems is disabled

Ensure mounting of jffs2 filesystems is disabled

Ensure mounting of hfs filesystems is disabled

Ensure mounting of hfsplus filesystems is disabled

Ensure mounting of squashfs filesystems is disabled

Ensure mounting of udf filesystems is disabled

Ensure mounting of FAT filesystems is limited

Ensure /tmp is configured

Ensure nodev option set on /tmp partition

Ensure nosuid option set on /tmp partition

Ensure noexec option set on /tmp partition

Ensure separate partition exists for /var

Ensure separate partition exists for /var/tmp

Ensure nodev option set on /var/tmp partition

Ensure nosuid option set on /var/tmp partition

Ensure noexec option set on /var/tmp partition

Ensure separate partition exists for /var/log

Ensure separate partition exists for /var/log/audit

Ensure separate partition exists for /home

Ensure nodev option set on /home partition

Ensure nodev option set on /dev/shm partition

Ensure nosuid option set on /dev/shm partition

Ensure noexec option set on /dev/shm partition

Ensure nodev option set on removable media partitions

Ensure nosuid option set on removable media partitions

Ensure noexec option set on removable media partitions

Ensure sticky bit is set on all world-writable directories

Disable Automounting

Disable USB Storage
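The mount-option and filesystem-module items above can be audited with a short script. The following is an added example written for this page, not code from the CIS Benchmark or from CIS's own assessment tools. It runs over constructed /proc/mounts and modprobe.d samples embedded in the script (on a live host the inputs would be `cat /proc/mounts` and the contents of /etc/modprobe.d/*.conf), and the function names are my own.

```shell
#!/bin/sh
# Added audit helper (not from the CIS page or from CIS's own assessment tools).
# It checks the "nodev/nosuid/noexec option set on ..." items and the "mounting
# of <fs> is disabled" items against text in /proc/mounts and modprobe.d format.
# The two SAMPLE_* strings are constructed test data; on a live host use
#   cat /proc/mounts            and   cat /etc/modprobe.d/*.conf
# as the inputs instead.

SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /home ext4 rw,relatime 0 0
/dev/sda4 /var/tmp ext4 rw,nosuid,nodev,noexec 0 0'

SAMPLE_MODPROBE='install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/false
# squashfs and udf are still loadable on this constructed host
blacklist usb-storage'

# mount_opts MOUNTS_TEXT MOUNTPOINT
#   Prints the option string of MOUNTPOINT; returns 1 if it is not its own mount.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; found = 1 } END { exit !found }'
}

# missing_opts MOUNTS_TEXT MOUNTPOINT OPT...
#   Prints the required options that are absent (space-separated, empty when all
#   are present), or NOT_MOUNTED when the path is not a separate mount point.
missing_opts() {
    mounts="$1"; mp="$2"; shift 2
    opts=$(mount_opts "$mounts" "$mp") || { printf 'NOT_MOUNTED'; return; }
    missing=""
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;                              # option present
            *) missing="$missing${missing:+ }$want" ;;   # option absent
        esac
    done
    printf '%s' "$missing"
}

# audit_mounts MOUNTS_TEXT
#   One PASS/FAIL line per benchmark item; returns 1 if any item fails.
audit_mounts() {
    rc=0
    while IFS='|' read -r mp required; do
        # $required is intentionally word-split into separate option arguments
        missing=$(missing_opts "$1" "$mp" $required)
        if [ -z "$missing" ]; then
            echo "PASS $mp has $required"
        else
            echo "FAIL $mp missing: $missing"
            rc=1
        fi
    done <<EOF
/tmp|nodev nosuid noexec
/var/tmp|nodev nosuid noexec
/dev/shm|nodev nosuid noexec
/home|nodev
EOF
    return $rc
}

# fs_module_disabled MODPROBE_TEXT MODULE
#   True when an "install MODULE /bin/true" (or /bin/false) line prevents the
#   kernel module from loading, which is how the benchmark disables a filesystem.
fs_module_disabled() {
    printf '%s\n' "$1" |
        grep -Eq "^[[:space:]]*install[[:space:]]+$2[[:space:]]+/bin/(true|false)([[:space:]]|$)"
}

# Stand-alone run over the constructed samples.
audit_mounts "$SAMPLE_MOUNTS" || echo "one or more mount-option checks failed"
for fs in cramfs freevxfs jffs2 hfs hfsplus squashfs udf; do
    if fs_module_disabled "$SAMPLE_MODPROBE" "$fs"; then
        echo "PASS $fs cannot be loaded"
    else
        echo "FAIL $fs is still loadable"
    fi
done
```

The NOT_MOUNTED result doubles as the check for the "separate partition exists" items: mount options can only be enforced on a path that is its own mount. An `install <module> /bin/true` (or `/bin/false`) line is what actually stops a module from loading; a bare `blacklist` line, as in the usb-storage sample, only suppresses automatic loading, so the checker does not count it as disabled.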

–> Configure Software Updates

Ensure package manager repositories are configured

Ensure GPG keys are configured

–> Filesystem Integrity Checking

Ensure AIDE is installed

Ensure filesystem integrity is regularly checked

–> Secure Boot Settings

Ensure permissions on bootloader config are configured

Ensure bootloader password is set

Ensure authentication required for single user mode

Ensure interactive boot is not enabled

–> Additional Process Hardening

Ensure core dumps are restricted

Ensure XD/NX support is enabled

Ensure address space layout randomization (ASLR) is enabled

Ensure prelink is disabled

–> Configure System Accounting (auditd)

Ensure login and logout events are collected

Ensure session initiation information is collected

Ensure discretionary access control permission modification events are collected

Ensure unsuccessful unauthorized file access attempts are collected

Ensure use of privileged commands is collected

Ensure successful file system mounts are collected

Ensure file deletion events by users are collected

Ensure changes to system administration scope (sudoers) is collected

Ensure system administrator actions (sudolog) are collected

Ensure kernel module loading and unloading is collected

Ensure the audit configuration is immutable

–> Configure Logging

–> Configure rsyslog

Ensure rsyslog is installed

Ensure rsyslog Service is enabled

Ensure logging is configured

Ensure rsyslog default file permissions configured

Ensure rsyslog is configured to send logs to a remote log host

Ensure remote rsyslog messages are only accepted on designated log hosts

–> Configure journald

Ensure journald is configured to send logs to rsyslog

Ensure journald is configured to compress large log files

Ensure journald is configured to write logfiles to persistent disk

Ensure permissions on all logfiles are configured

Ensure logrotate is configured

–> Access, Authentication and Authorization

–> Configure cron

Ensure cron daemon is enabled

Ensure permissions on /etc/crontab are configured

Ensure permissions on /etc/cron.hourly are configured

Ensure permissions on /etc/cron.daily are configured

Ensure permissions on /etc/cron.weekly are configured

Ensure permissions on /etc/cron.monthly are configured

Ensure permissions on /etc/cron.d are configured

Ensure at/cron is restricted to authorized users

–> SSH Server Configuration

Ensure permissions on /etc/ssh/sshd_config are configured

Ensure permissions on SSH private host key files are configured

Ensure permissions on SSH public host key files are configured

Ensure SSH Protocol is set to 2

Ensure SSH LogLevel is appropriate

Ensure SSH X11 forwarding is disabled

Ensure SSH MaxAuthTries is set to 4 or less

Ensure SSH IgnoreRhosts is enabled

Ensure SSH HostbasedAuthentication is disabled

Ensure SSH root login is disabled

Ensure SSH PermitEmptyPasswords is disabled

Ensure SSH PermitUserEnvironment is disabled

Ensure only strong Ciphers are used

Ensure only strong MAC algorithms are used

Ensure only strong Key Exchange algorithms are used

Ensure SSH Idle Timeout Interval is configured

Ensure SSH LoginGraceTime is set to one minute or less

Ensure SSH access is limited

Ensure SSH warning banner is configured

Ensure SSH PAM is enabled

Ensure SSH AllowTcpForwarding is disabled

Ensure SSH MaxStartups is configured

Ensure SSH MaxSessions is set to 4 or less
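An added example (my own code, not part of the page or of the CIS Benchmark) that audits the sshd_config items above. It parses a constructed sshd_config excerpt embedded in the script, following sshd's own rules that keywords are case-insensitive, the first value given for a keyword wins, and values after a Match line are conditional; on a live host the input would be the output of `sshd -T`, which prints the effective configuration. The function names and the constructed values are assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the CIS page or from CIS's own assessment tools).
# It reads sshd_config text the way sshd does for the settings the benchmark
# names: keywords are case-insensitive, the FIRST value for a keyword wins, and
# anything after the first "Match" line is conditional, so it is not treated as
# the global value. SAMPLE_SSHD_CONFIG is constructed test data; on a live host
# feed in the output of `sshd -T` instead.

SAMPLE_SSHD_CONFIG='# constructed sshd_config excerpt
Port 22
Protocol 2
LogLevel INFO
X11Forwarding yes
MaxAuthTries 6
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
ClientAliveInterval 300
ClientAliveCountMax 0
LoginGraceTime 60
AllowUsers ops-admin
Banner /etc/issue.net
UsePAM yes
AllowTcpForwarding no
MaxStartups 10:30:60
MaxSessions 4
Match Group sftponly
    MaxSessions 10'

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd_value CONFIG_TEXT KEYWORD
#   Prints the first global value of KEYWORD; returns 1 if it is never set
#   (the compiled-in sshd default then applies, which the auditor must look up).
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$(lower "$2")" '
        /^[[:space:]]*(#|$)/      { next }                     # comment or blank
        tolower($1) == "match"    { exit }                     # conditional section starts
        tolower($1) == key        { print $2; found = 1; exit }
        END                       { exit !found }'
}

# sshd_check CONFIG_TEXT KEYWORD OP WANT
#   OP "eq": value must equal WANT (case-insensitive); OP "le": numeric value <= WANT.
sshd_check() {
    conf="$1"; key="$2"; op="$3"; want="$4"
    if ! val=$(sshd_value "$conf" "$key"); then
        echo "FAIL $key not set (sshd default applies)"
        return 1
    fi
    ok=0
    case "$op" in
        eq) [ "$(lower "$val")" = "$(lower "$want")" ] && ok=1 ;;
        le) [ "$val" -le "$want" ] 2>/dev/null && ok=1 ;;
    esac
    if [ "$ok" -eq 1 ]; then
        echo "PASS $key $val"
        return 0
    fi
    echo "FAIL $key is '$val', want $op $want"
    return 1
}

# audit_sshd CONFIG_TEXT
#   One PASS/FAIL line per benchmark item; returns 1 if any item fails.
audit_sshd() {
    rc=0
    while IFS='|' read -r key op want; do
        sshd_check "$1" "$key" "$op" "$want" || rc=1
    done <<EOF
Protocol|eq|2
X11Forwarding|eq|no
MaxAuthTries|le|4
IgnoreRhosts|eq|yes
HostbasedAuthentication|eq|no
PermitRootLogin|eq|no
PermitEmptyPasswords|eq|no
PermitUserEnvironment|eq|no
LoginGraceTime|le|60
UsePAM|eq|yes
AllowTcpForwarding|eq|no
MaxSessions|le|4
EOF
    return $rc
}

# Stand-alone run over the constructed sample (X11Forwarding and MaxAuthTries fail).
audit_sshd "$SAMPLE_SSHD_CONFIG" || echo "sshd_config deviates from the benchmark"
```

Keywords that are absent from the file are reported as FAIL rather than assumed safe, because sshd then applies its compiled-in default (MaxAuthTries defaults to 6, for example), and defaults differ between releases. The Ciphers, MACs and Key Exchange items are left out because they need a per-release allow-list rather than a single expected value, and newer OpenSSH releases ignore the Protocol keyword altogether, so that check only matters on older servers.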

–> Configure PAM

Ensure password creation requirements are configured

Ensure lockout for failed password attempts is configured

Ensure password reuse is limited

Ensure password hashing algorithm is SHA-512

–> User Accounts and Environment

–> Set Shadow Password Suite Parameters

Ensure password expiration is 365 days or less

Ensure minimum days between password changes is 7 or more

Ensure password expiration warning days is 7 or more

Ensure inactive password lock is 30 days or less

Ensure all users last password change date is in the past

Ensure system accounts are secured

Ensure default group for the root account is GID 0

Ensure default user umask is 027 or more restrictive

Ensure default user shell timeout is 900 seconds or less

Ensure root login is restricted to system console

Ensure access to the su command is restricted

–> System Maintenance

–> System File Permissions

Audit system file permissions

Ensure permissions on /etc/passwd are configured

Ensure permissions on /etc/shadow are configured

Ensure permissions on /etc/group are configured

Ensure permissions on /etc/gshadow are configured

Ensure permissions on /etc/passwd- are configured

Ensure permissions on /etc/shadow- are configured

Ensure permissions on /etc/group- are configured

Ensure permissions on /etc/gshadow- are configured

Ensure no world writable files exist

Ensure no unowned files or directories exist

Ensure no ungrouped files or directories exist

Audit SUID executables

Audit SGID executables

–> User and Group Settings

Ensure password fields are not empty

Ensure no legacy “+” entries exist in /etc/passwd

Ensure no legacy “+” entries exist in /etc/shadow

Ensure no legacy “+” entries exist in /etc/group

Ensure root is the only UID 0 account

Ensure root PATH Integrity

Ensure all users’ home directories exist

Ensure users’ home directories permissions are 750 or more restrictive

Ensure users own their home directories

Ensure users’ dot files are not group or world writable

Ensure no users have .forward files

Ensure no users have .netrc files

Ensure users’ .netrc Files are not group or world accessible

Ensure no users have .rhosts files

Ensure all groups in /etc/passwd exist in /etc/group

Ensure no duplicate UIDs exist

Ensure no duplicate GIDs exist

Ensure no duplicate user names exist

Ensure no duplicate group names exist

Ensure shadow group is empty
