CIS CentOS Linux 8 Server L1 v2.0.0

Audit Details

Name: CIS CentOS Linux 8 Server L1 v2.0.0

Updated: 1/6/2025

Authority: CIS

Plugin: Unix

Revision: 1.40

Estimated Item Count: 229

File Details

Filename: CIS_CentOS_8_Server_v2.0.0_L1.audit

Size: 848 kB

MD5: 50aa584b3a90084d954e058e6cd9e06c

SHA256: d96f3a9f831748e061d9342b704559df85d2a062bfbb336614722da8e193cef9

Audit Changelog


Revision 1.40 Jan 6, 2025 Informational Update 1.4.2 Ensure permissions on bootloader config are configured 3.1.4 Ensure wireless interfaces are disabled 5.1.8 Ensure cron is restricted to authorized users 5.1.9 Ensure at is restricted to authorized users 5.6.2 Ensure system accounts are secured 6.2.10 Ensure users own their home directories 6.2.11 Ensure users' home directories permissions are 750 or more restrictive 6.2.12 Ensure users' dot files are not group or world writable 6.2.13 Ensure users' .netrc Files are not group or world accessible 6.2.14 Ensure no users have .forward files 6.2.15 Ensure no users have .netrc files 6.2.16 Ensure no users have .rhosts files 6.2.9 Ensure all users' home directories exist Miscellaneous Metadata updated.
Revision 1.39 Nov 6, 2024 Functional Update 6.1.11 Ensure no world writable files exist 6.1.12 Ensure no unowned files or directories exist 6.1.13 Ensure no ungrouped files or directories exist 6.1.14 Audit SUID executables 6.1.15 Audit SGID executables 6.1.2 Ensure sticky bit is set on all world-writable directories Miscellaneous References updated.
Revision 1.38 Jul 24, 2024 Functional Update 5.2.6 Ensure SSH PAM is enabled
Revision 1.37 Jul 19, 2024 Functional Update 5.6.2 Ensure system accounts are secured
Revision 1.36 Jul 9, 2024 Functional Update 5.1.9 Ensure at is restricted to authorized users
Revision 1.35 Jun 17, 2024 Miscellaneous Metadata updated.
Revision 1.34 Jun 6, 2024 Functional Update 1.1.2.2 Ensure nodev option set on /tmp partition 1.1.2.3 Ensure noexec option set on /tmp partition 1.1.2.4 Ensure nosuid option set on /tmp partition 1.1.3.2 Ensure nodev option set on /var partition 1.1.3.3 Ensure noexec option set on /var partition 1.1.3.4 Ensure nosuid option set on /var partition 1.1.4.2 Ensure noexec option set on /var/tmp partition 1.1.4.3 Ensure nosuid option set on /var/tmp partition 1.1.4.4 Ensure nodev option set on /var/tmp partition 1.1.5.2 Ensure nodev option set on /var/log partition 1.1.5.3 Ensure noexec option set on /var/log partition 1.1.5.4 Ensure nosuid option set on /var/log partition 1.1.6.2 Ensure noexec option set on /var/log/audit partition 1.1.6.3 Ensure nodev option set on /var/log/audit partition 1.1.6.4 Ensure nosuid option set on /var/log/audit partition 1.1.7.2 Ensure nodev option set on /home partition 1.1.7.3 Ensure nosuid option set on /home partition 1.1.7.4 Ensure usrquota option set on /home partition 1.1.7.5 Ensure grpquota option set on /home partition 1.1.8.1 Ensure nodev option set on /dev/shm partition 1.1.8.2 Ensure noexec option set on /dev/shm partition 1.1.8.3 Ensure nosuid option set on /dev/shm partition 1.1.9 Disable Automounting 1.10 Ensure system-wide crypto policy is not legacy 1.2.3 Ensure package manager repositories are configured 1.3.1 Ensure AIDE is installed 1.4.1 Ensure bootloader password is set 1.4.2 Ensure permissions on bootloader config are configured 1.4.3 Ensure authentication is required when booting into rescue mode 1.5.1 Ensure core dump storage is disabled 1.5.2 Ensure core dump backtraces are disabled 1.6.1.1 Ensure SELinux is installed 1.6.1.2 Ensure SELinux is not disabled in bootloader configuration 1.6.1.6 Ensure no unconfined services exist 1.6.1.7 Ensure SETroubleshoot is not installed 1.6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed 1.7.1 Ensure message of the day is configured properly 1.7.2 Ensure local login warning banner is configured properly 1.7.3 Ensure remote login warning banner is configured properly 1.7.4 Ensure permissions on /etc/motd are configured 1.7.5 Ensure permissions on /etc/issue are configured 1.7.6 Ensure permissions on /etc/issue.net are configured 1.8.4 Ensure XDMCP is not enabled 1.8.5 Ensure automatic mounting of removable media is disabled 1.9 Ensure updates, patches, and additional security software are installed 2.1.1 Ensure time synchronization is in use 2.2.1 Ensure xinetd is not installed 2.2.12 Ensure Samba is not installed 2.2.13 Ensure HTTP Proxy Server is not installed 2.2.14 Ensure net-snmp is not installed 2.2.15 Ensure NIS server is not installed 2.2.16 Ensure telnet-server is not installed 2.2.17 Ensure mail transfer agent is configured for local-only mode 2.2.2 Ensure xorg-x11-server-common is not installed 2.2.20 Ensure rsync is not installed or the rsyncd service is masked 2.2.4 Ensure CUPS is not installed 2.2.5 Ensure DHCP Server is not installed 2.2.6 Ensure DNS Server is not installed 2.2.7 Ensure FTP Server is not installed 2.2.8 Ensure VSFTP Server is not installed 2.2.9 Ensure TFTP Server is not installed 2.3.1 Ensure NIS Client is not installed 2.3.2 Ensure rsh client is not installed 2.3.3 Ensure talk client is not installed 2.3.4 Ensure telnet client is not installed 2.3.5 Ensure LDAP client is not installed 2.3.6 Ensure TFTP client is not installed 2.4 Ensure nonessential services are removed or masked 3.1.1 Verify if IPv6 is enabled on the system 3.1.4 Ensure wireless interfaces are disabled 3.2.1 Ensure IP forwarding is disabled 3.3.5 Ensure broadcast ICMP requests are ignored 3.3.6 Ensure bogus ICMP responses are ignored 3.3.8 Ensure TCP SYN Cookies is enabled 3.4.1.2 Ensure iptables-services not installed with firewalld 3.4.1.3 Ensure nftables either not installed or masked with firewalld 3.4.1.5 Ensure firewalld default zone is set 3.4.1.6 Ensure network interfaces are assigned to appropriate zone 3.4.1.7 Ensure firewalld drops unnecessary services and ports 3.4.2.1 Ensure nftables is installed 3.4.2.10 Ensure nftables service is enabled 3.4.2.2 Ensure firewalld is either not installed or masked with nftables 3.4.2.3 Ensure iptables-services not installed with nftables 3.4.2.5 Ensure an nftables table exists 3.4.3.1.1 Ensure iptables packages are installed 3.4.3.1.2 Ensure nftables is not installed with iptables 3.4.3.1.3 Ensure firewalld is either not installed or masked with iptables 3.4.3.2.2 Ensure iptables outbound and established connections are configured 3.4.3.2.3 Ensure iptables rules exist for all open ports 3.4.3.2.5 Ensure iptables rules are saved 3.4.3.3.2 Ensure ip6tables outbound and established connections are configured 3.4.3.3.3 Ensure ip6tables firewall rules exist for all open ports 3.4.3.3.5 Ensure ip6tables rules are saved 4.2.1.1 Ensure rsyslog is installed 4.2.1.2 Ensure rsyslog service is enabled 4.2.1.3 Ensure journald is configured to send logs to rsyslog 4.2.1.4 Ensure rsyslog default file permissions are configured 4.2.1.5 Ensure logging is configured 4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host 4.2.2.1.1 Ensure systemd-journal-remote is installed 4.2.2.1.2 Ensure systemd-journal-remote is configured 4.2.2.1.3 Ensure systemd-journal-remote is enabled 4.2.2.2 Ensure journald service is enabled 4.2.2.3 Ensure journald is configured to compress large log files 4.2.2.4 Ensure journald is configured to write logfiles to persistent disk 4.2.2.5 Ensure journald is not configured to send logs to rsyslog 4.2.2.6 Ensure journald log rotation is configured per site policy 4.2.2.7 Ensure journald default file permissions configured 5.1.1 Ensure cron daemon is enabled 5.1.2 Ensure permissions on /etc/crontab are configured 5.1.3 Ensure permissions on /etc/cron.hourly are configured 5.1.8 Ensure cron is restricted to authorized users 5.1.9 Ensure at is restricted to authorized users 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured 5.2.14 Ensure system-wide crypto policy is not over-ridden 5.2.15 Ensure SSH warning banner is configured 5.2.2 Ensure permissions on SSH private host key files are configured 5.2.3 Ensure permissions on SSH public host key files are configured 5.3.1 Ensure sudo is installed 5.3.2 Ensure sudo commands use pty 5.3.3 Ensure sudo log file exists 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally 5.3.6 Ensure sudo authentication timeout is configured correctly 5.3.7 Ensure access to the su command is restricted 5.4.1 Ensure custom authselect profile is used 5.5.3 Ensure password reuse is limited 5.6.1.5 Ensure all users last password change date is in the past 5.6.3 Ensure default user shell timeout is 900 seconds or less 5.6.4 Ensure default group for the root account is GID 0 6.1.10 Ensure permissions on /etc/gshadow- are configured 6.1.11 Ensure no world writable files exist 6.1.12 Ensure no unowned files or directories exist 6.1.13 Ensure no ungrouped files or directories exist 6.1.2 Ensure sticky bit is set on all world-writable directories 6.1.3 Ensure permissions on /etc/passwd are configured 6.1.4 Ensure permissions on /etc/shadow are configured 6.1.5 Ensure permissions on /etc/group are configured 6.1.6 Ensure permissions on /etc/gshadow are configured 6.1.7 Ensure permissions on /etc/passwd- are configured 6.1.8 Ensure permissions on /etc/shadow- are configured 6.1.9 Ensure permissions on /etc/group- are configured 6.2.1 Ensure password fields are not empty 6.2.10 Ensure users own their home directories 6.2.11 Ensure users' home directories permissions are 750 or more restrictive 6.2.12 Ensure users' dot files are not group or world writable 6.2.13 Ensure users' .netrc Files are not group or world accessible 6.2.14 Ensure no users have .forward files 6.2.15 Ensure no users have .netrc files 6.2.16 Ensure no users have .rhosts files 6.2.2 Ensure all groups in /etc/passwd exist in /etc/group 6.2.3 Ensure no duplicate UIDs exist 6.2.4 Ensure no duplicate GIDs exist 6.2.5 Ensure no duplicate user names exist 6.2.6 Ensure no duplicate group names exist 6.2.7 Ensure root PATH Integrity 6.2.8 Ensure root is the only UID 0 account 6.2.9 Ensure all users' home directories exist Informational Update 1.1.2.2 Ensure nodev option set on /tmp partition 1.1.2.3 Ensure noexec option set on /tmp partition 1.1.2.4 Ensure nosuid option set on /tmp partition 1.1.3.2 Ensure nodev option set on /var partition 1.1.3.3 Ensure noexec option set on /var partition 1.1.3.4 Ensure nosuid option set on /var partition 1.1.4.2 Ensure noexec option set on /var/tmp partition 1.1.4.3 Ensure nosuid option set on /var/tmp partition 1.1.4.4 Ensure nodev option set on /var/tmp partition 1.1.5.2 Ensure nodev option set on /var/log partition 1.1.5.3 Ensure noexec option set on /var/log partition 1.1.5.4 Ensure nosuid option set on /var/log partition 1.1.6.2 Ensure noexec option set on /var/log/audit partition 1.1.6.3 Ensure nodev option set on /var/log/audit partition 1.1.6.4 Ensure nosuid option set on /var/log/audit partition 1.1.7.2 Ensure nodev option set on /home partition 1.1.7.3 Ensure nosuid option set on /home partition 1.1.7.4 Ensure usrquota option set on /home partition 1.1.7.5 Ensure grpquota option set on /home partition 1.1.8.1 Ensure nodev option set on /dev/shm partition 1.1.8.2 Ensure noexec option set on /dev/shm partition 1.1.8.3 Ensure nosuid option set on /dev/shm partition 1.1.9 Disable Automounting 1.10 Ensure system-wide crypto policy is not legacy 1.2.3 Ensure package manager repositories are configured 1.3.1 Ensure AIDE is installed 1.4.1 Ensure bootloader password is set 1.4.2 Ensure permissions on bootloader config are configured 1.4.3 Ensure authentication is required when booting into rescue mode 1.5.1 Ensure core dump storage is disabled 1.5.2 Ensure core dump backtraces are disabled 1.6.1.1 Ensure SELinux is installed 1.6.1.2 Ensure SELinux is not disabled in bootloader configuration 1.6.1.6 Ensure no unconfined services exist 1.6.1.7 Ensure SETroubleshoot is not installed 1.6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed 1.7.1 Ensure message of the day is configured properly 1.7.2 Ensure local login warning banner is configured properly 1.7.3 Ensure remote login warning banner is configured properly 1.7.4 Ensure permissions on /etc/motd are configured 1.7.5 Ensure permissions on /etc/issue are configured 1.7.6 Ensure permissions on /etc/issue.net are configured 1.8.4 Ensure XDMCP is not enabled 1.8.5 Ensure automatic mounting of removable media is disabled 1.9 Ensure updates, patches, and additional security software are installed 2.1.1 Ensure time synchronization is in use 2.2.1 Ensure xinetd is not installed 2.2.12 Ensure Samba is not installed 2.2.13 Ensure HTTP Proxy Server is not installed 2.2.14 Ensure net-snmp is not installed 2.2.15 Ensure NIS server is not installed 2.2.16 Ensure telnet-server is not installed 2.2.17 Ensure mail transfer agent is configured for local-only mode 2.2.2 Ensure xorg-x11-server-common is not installed 2.2.20 Ensure rsync is not installed or the rsyncd service is masked 2.2.4 Ensure CUPS is not installed 2.2.5 Ensure DHCP Server is not installed 2.2.6 Ensure DNS Server is not installed 2.2.7 Ensure FTP Server is not installed 2.2.8 Ensure VSFTP Server is not installed 2.2.9 Ensure TFTP Server is not installed 2.3.1 Ensure NIS Client is not installed 2.3.2 Ensure rsh client is not installed 2.3.3 Ensure talk client is not installed 2.3.4 Ensure telnet client is not installed 2.3.5 Ensure LDAP client is not installed 2.3.6 Ensure TFTP client is not installed 2.4 Ensure nonessential services are removed or masked 3.1.1 Verify if IPv6 is enabled on the system 3.1.4 Ensure wireless interfaces are disabled 3.2.1 Ensure IP forwarding is disabled 3.3.5 Ensure broadcast ICMP requests are ignored 3.3.6 Ensure bogus ICMP responses are ignored 3.3.8 Ensure TCP SYN Cookies is enabled 3.4.1.2 Ensure iptables-services not installed with firewalld 3.4.1.3 Ensure nftables either not installed or masked with firewalld 3.4.1.5 Ensure firewalld default zone is set 3.4.1.6 Ensure network interfaces are assigned to appropriate zone 3.4.1.7 Ensure firewalld drops unnecessary services and ports 3.4.2.1 Ensure nftables is installed 3.4.2.10 Ensure nftables service is enabled 3.4.2.2 Ensure firewalld is either not installed or masked with nftables 3.4.2.3 Ensure iptables-services not installed with nftables 3.4.2.5 Ensure an nftables table exists 3.4.3.1.1 Ensure iptables packages are installed 3.4.3.1.2 Ensure nftables is not installed with iptables 3.4.3.1.3 Ensure firewalld is either not installed or masked with iptables 3.4.3.2.2 Ensure iptables outbound and established connections are configured 3.4.3.2.3 Ensure iptables rules exist for all open ports 3.4.3.2.5 Ensure iptables rules are saved 3.4.3.3.2 Ensure ip6tables outbound and established connections are configured 3.4.3.3.3 Ensure ip6tables firewall rules exist for all open ports 3.4.3.3.5 Ensure ip6tables rules are saved 4.2.1.1 Ensure rsyslog is installed 4.2.1.2 Ensure rsyslog service is enabled 4.2.1.3 Ensure journald is configured to send logs to rsyslog 4.2.1.4 Ensure rsyslog default file permissions are configured 4.2.1.5 Ensure logging is configured 4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host 4.2.2.1.1 Ensure systemd-journal-remote is installed 4.2.2.1.2 Ensure systemd-journal-remote is configured 4.2.2.1.3 Ensure systemd-journal-remote is enabled 4.2.2.2 Ensure journald service is enabled 4.2.2.3 Ensure journald is configured to compress large log files 4.2.2.4 Ensure journald is configured to write logfiles to persistent disk 4.2.2.5 Ensure journald is not configured to send logs to rsyslog 4.2.2.6 Ensure journald log rotation is configured per site policy 4.2.2.7 Ensure journald default file permissions configured 4.3 Ensure logrotate is configured 5.1.1 Ensure cron daemon is enabled 5.1.2 Ensure permissions on /etc/crontab are configured 5.1.3 Ensure permissions on /etc/cron.hourly are configured 5.1.4 Ensure permissions on /etc/cron.daily are configured 5.1.5 Ensure permissions on /etc/cron.weekly are configured 5.1.6 Ensure permissions on /etc/cron.monthly are configured 5.1.7 Ensure permissions on /etc/cron.d are configured 5.1.8 Ensure cron is restricted to authorized users 5.1.9 Ensure at is restricted to authorized users 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured 5.2.14 Ensure system-wide crypto policy is not over-ridden 5.2.15 Ensure SSH warning banner is configured 5.2.2 Ensure permissions on SSH private host key files are configured 5.2.3 Ensure permissions on SSH public host key files are configured 5.3.1 Ensure sudo is installed 5.3.2 Ensure sudo commands use pty 5.3.3 Ensure sudo log file exists 5.3.5 Ensure re-authentication for privilege escalation is not disabled globally 5.3.6 Ensure sudo authentication timeout is configured correctly 5.3.7 Ensure access to the su command is restricted 5.4.1 Ensure custom authselect profile is used 5.5.3 Ensure password reuse is limited 5.6.1.5 Ensure all users last password change date is in the past 5.6.3 Ensure default user shell timeout is 900 seconds or less 5.6.4 Ensure default group for the root account is GID 0 6.1.10 Ensure permissions on /etc/gshadow- are configured 6.1.11 Ensure no world writable files exist 6.1.12 Ensure no unowned files or directories exist 6.1.13 Ensure no ungrouped files or directories exist 6.1.14 Audit SUID executables 6.1.15 Audit SGID executables 6.1.2 Ensure sticky bit is set on all world-writable directories 6.1.3 Ensure permissions on /etc/passwd are configured 6.1.4 Ensure permissions on /etc/shadow are configured 6.1.5 Ensure permissions on /etc/group are configured 6.1.6 Ensure permissions on /etc/gshadow are configured 6.1.7 Ensure permissions on /etc/passwd- are configured 6.1.8 Ensure permissions on /etc/shadow- are configured 6.1.9 Ensure permissions on /etc/group- are configured 6.2.1 Ensure password fields are not empty 6.2.10 Ensure users own their home directories 6.2.11 Ensure users' home directories permissions are 750 or more restrictive 6.2.12 Ensure users' dot files are not group or world writable 6.2.13 Ensure users' .netrc Files are not group or world accessible 6.2.14 Ensure no users have .forward files 6.2.15 Ensure no users have .netrc files 6.2.16 Ensure no users have .rhosts files 6.2.2 Ensure all groups in /etc/passwd exist in /etc/group 6.2.3 Ensure no duplicate UIDs exist 6.2.4 Ensure no duplicate GIDs exist 6.2.5 Ensure no duplicate user names exist 6.2.6 Ensure no duplicate group names exist 6.2.7 Ensure root PATH Integrity 6.2.8 Ensure root is the only UID 0 account 6.2.9 Ensure all users' home directories exist Miscellaneous Metadata updated. Platform check updated. References updated. Variables updated. Added 1.1.1.1 Ensure mounting of cramfs filesystems is disabled 1.1.10 Disable USB Storage 1.1.2.1 Ensure /tmp is a separate partition 1.2.1 Ensure GPG keys are configured 1.2.2 Ensure gpgcheck is globally activated 1.3.2 Ensure filesystem integrity is regularly checked 1.5.3 Ensure address space layout randomization (ASLR) is enabled 1.6.1.3 Ensure SELinux policy is configured 1.6.1.4 Ensure the SELinux mode is not disabled 1.8.2 Ensure GDM login banner is configured 1.8.3 Ensure last logged in user display is disabled 2.1.2 Ensure chrony is configured 2.2.10 Ensure a web server is not installed 2.2.11 Ensure IMAP and POP3 server is not installed 2.2.18 Ensure nfs-utils is not installed or the nfs-server service is masked 2.2.19 Ensure rpcbind is not installed or the rpcbind services are masked 2.2.3 Ensure Avahi Server is not installed 3.2.2 Ensure packet redirect sending is disabled 3.3.1 Ensure source routed packets are not accepted 3.3.2 Ensure ICMP redirects are not accepted 3.3.3 Ensure secure ICMP redirects are not accepted 3.3.4 Ensure suspicious packets are logged 3.3.7 Ensure Reverse Path Filtering is enabled 3.3.9 Ensure IPv6 router advertisements are not accepted 3.4.1.1 Ensure firewalld is installed 3.4.1.4 Ensure firewalld service enabled and running 3.4.2.11 Ensure nftables rules are permanent 3.4.2.4 Ensure iptables are flushed with nftables 3.4.2.6 Ensure nftables base chains exist 3.4.2.7 Ensure nftables loopback traffic is configured 3.4.2.8 Ensure nftables outbound and established connections are configured 3.4.2.9 Ensure nftables default deny firewall policy 3.4.3.2.1 Ensure iptables loopback traffic is configured 3.4.3.2.4 Ensure iptables default deny firewall policy 3.4.3.2.6 Ensure iptables is enabled and active 3.4.3.3.1 Ensure ip6tables loopback traffic is configured 3.4.3.3.4 Ensure ip6tables default deny firewall policy 3.4.3.3.6 Ensure ip6tables is enabled and active 4.2.1.7 Ensure rsyslog is not configured to recieve logs from a remote client 4.2.2.1.4 Ensure journald is not configured to recieve logs from a remote client 4.2.3 Ensure permissions on all logfiles are configured 5.2.10 Ensure SSH PermitUserEnvironment is disabled 5.2.11 Ensure SSH IgnoreRhosts is enabled 5.2.16 Ensure SSH MaxAuthTries is set to 4 or less 5.2.17 Ensure SSH MaxStartups is configured 5.2.18 Ensure SSH MaxSessions is set to 10 or less 5.2.19 Ensure SSH LoginGraceTime is set to one minute or less 5.2.20 Ensure SSH Idle Timeout Interval is configured 5.2.4 Ensure SSH access is limited 5.2.5 Ensure SSH LogLevel is appropriate 5.2.6 Ensure SSH PAM is enabled 5.2.7 Ensure SSH root login is disabled 5.2.8 Ensure SSH HostbasedAuthentication is disabled 5.2.9 Ensure SSH PermitEmptyPasswords is disabled 5.4.2 Ensure authselect includes with-faillock 5.5.1 Ensure password creation requirements are configured 5.5.2 Ensure lockout for failed password attempts is configured 5.5.4 Ensure password hashing algorithm is SHA-512 5.6.1.1 Ensure password expiration is 365 days or less 5.6.1.2 Ensure minimum days between password changes is 7 or more 5.6.1.3 Ensure password expiration warning days is 7 or more 5.6.1.4 Ensure inactive password lock is 30 days or less 5.6.2 Ensure system accounts are secured 5.6.5 Ensure default user umask is 027 or more restrictive Removed 1.1.1.1 Ensure mounting of cramfs filesystems is disabled - blacklist 1.1.1.1 Ensure mounting of cramfs filesystems is disabled - lsmod 1.1.1.1 Ensure mounting of cramfs filesystems is disabled - modprobe 1.1.10 Disable USB Storage - lsmod 1.1.10 Disable USB Storage - modprobe 1.1.2.1 Ensure /tmp is a separate partition - config check 1.1.2.1 Ensure /tmp is a separate partition - mount check 1.2.1 Ensure GPG keys are configured - gpgkey 1.2.1 Ensure GPG keys are configured - show rpm keys 1.2.2 Ensure gpgcheck is globally activated - /etc/yum.repos.d/* 1.2.2 Ensure gpgcheck is globally activated - dnf.conf 1.3.2 Ensure filesystem integrity is regularly checked - cron 1.3.2 Ensure filesystem integrity is regularly checked - systemctl is-enabled aidecheck.service 1.3.2 Ensure filesystem integrity is regularly checked - systemctl is-enabled aidecheck.timer 1.3.2 Ensure filesystem integrity is regularly checked - systemctl status aidecheck.timer 1.5.3 Ensure address space layout randomization (ASLR) is enabled - /etc/sysctl.d/* 1.6.1.3 Ensure SELinux policy is configured - /etc/selinux/config 1.6.1.3 Ensure SELinux policy is configured - sestatus 1.6.1.4 Ensure the SELinux mode is not disabled - /etc/selinux/config 1.6.1.4 Ensure the SELinux mode is not disabled - getenforce 1.8.2 Ensure GDM login banner is configured - /etc/dconf/profile/gdm greeter-dconf-defaults 1.8.2 Ensure GDM login banner is configured - /etc/dconf/profile/gdm system-db 1.8.2 Ensure GDM login banner is configured - /etc/dconf/profile/gdm user-db 1.8.2 Ensure GDM login banner is configured - banner message enabled 1.8.2 Ensure GDM login banner is configured - banner message text 1.8.3 Ensure last logged in user display is disabled - disable user list 1.8.3 Ensure last logged in user display is disabled - file-db 1.8.3 Ensure last logged in user display is disabled - system-db:gdm 1.8.3 Ensure last logged in user display is disabled - user-db:user 2.1.2 Ensure chrony is configured - ntp server 2.1.2 Ensure chrony is configured - user 2.2.10 Ensure a web server is not installed - httpd 2.2.10 Ensure a web server is not installed - nginx 2.2.11 Ensure IMAP and POP3 server is not installed - cyrus-imapd 2.2.11 Ensure IMAP and POP3 server is not installed - dovecot 2.2.18 Ensure nfs-utils is not installed or the nfs-server service is masked 2.2.19 Ensure rpcbind is not installed or the rpcbind services are masked - rpcbind 2.2.19 Ensure rpcbind is not installed or the rpcbind services are masked - rpcbind.socket 2.2.3 Ensure Avahi Server is not installed - avahi 2.2.3 Ensure Avahi Server is not installed - avahi-autoipd 3.2.1 Ensure IP forwarding is disabled - ipv6 3.2.2 Ensure packet redirect sending is disabled - net.ipv4.conf.all.send_redirects 3.2.2 Ensure packet redirect sending is disabled - net.ipv4.conf.default.send_redirects 3.3.1 Ensure source routed packets are not accepted - 'net.ipv4.conf.all.accept_source_route = 0' 3.3.1 Ensure source routed packets are not accepted - 'net.ipv4.conf.default.accept_source_route = 0' 3.3.1 Ensure source routed packets are not accepted - 'net.ipv6.conf.all.accept_source_route = 0' 3.3.1 Ensure source routed packets are not accepted - 'net.ipv6.conf.default.accept_source_route = 0' 3.3.2 Ensure ICMP redirects are not accepted - 'net.ipv4.conf.all.accept_redirects = 0' 3.3.2 Ensure ICMP redirects are not accepted - 'net.ipv4.conf.default.accept_redirects = 0' 3.3.2 Ensure ICMP redirects are not accepted - 'net.ipv6.conf.all.accept_redirects = 0' 3.3.2 Ensure ICMP redirects are not accepted - 'net.ipv6.conf.default.accept_redirects = 0' 3.3.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.all.secure_redirects = 0' 3.3.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.default.secure_redirects = 0' 3.3.3 Ensure secure ICMP redirects are not accepted - sysctl net.ipv4.conf.all.secure_redirects 3.3.3 Ensure secure ICMP redirects are not accepted - sysctl net.ipv4.conf.default.secure_redirects 3.3.4 Ensure suspicious packets are logged - 'net.ipv4.conf.all.log_martians = 1' 3.3.4 Ensure suspicious packets are logged - 'net.ipv4.conf.default.log_martians = 1' 3.3.7 Ensure Reverse Path Filtering is enabled - net.ipv4.conf.all.rp_filter = 1 3.3.7 Ensure Reverse Path Filtering is enabled - net.ipv4.conf.default.rp_filter = 1 3.3.9 Ensure IPv6 router advertisements are not accepted - net.ipv6.conf.all.accept_ra = 0 3.3.9 Ensure IPv6 router advertisements are not accepted - net.ipv6.conf.default.accept_ra = 0 3.4.1.1 Ensure firewalld is installed - firewalld 3.4.1.1 Ensure firewalld is installed - iptables 3.4.1.3 Ensure nftables either not installed or masked with firewalld - inactive 3.4.1.3 Ensure nftables either not installed or masked with firewalld - installed 3.4.1.3 Ensure nftables either not installed or masked with firewalld - masked 3.4.1.4 Ensure firewalld service enabled and running - enabled 3.4.1.4 Ensure firewalld service enabled and running - running 3.4.2.11 Ensure nftables rules are permanent - forward 3.4.2.11 Ensure nftables rules are permanent - input 3.4.2.11 Ensure nftables rules are permanent - output 3.4.2.2 Ensure firewalld is either not installed or masked with nftables - masked 3.4.2.2 Ensure firewalld is either not installed or masked with nftables - stopped 3.4.2.4 Ensure iptables are flushed with nftables - ip6tables 3.4.2.4 Ensure iptables are flushed with nftables - iptables 3.4.2.6 Ensure nftables base chains exist - hook forward 3.4.2.6 Ensure nftables base chains exist - hook input 3.4.2.6 Ensure nftables base chains exist - hook output 3.4.2.7 Ensure nftables loopback traffic is configured - 'iif lo accept' 3.4.2.7 Ensure nftables loopback traffic is configured - 'ip saddr' 3.4.2.7 Ensure nftables loopback traffic is configured - 'ip sddr' 3.4.2.7 Ensure nftables loopback traffic is configured - 'ip6 saddr' 3.4.2.7 Ensure nftables loopback traffic is configured - 'ip6 sddr' 3.4.2.8 Ensure nftables outbound and established connections are configured - input 3.4.2.8 Ensure nftables outbound and established connections are configured - output 3.4.2.9 Ensure nftables default deny firewall policy - hook forward 3.4.2.9 Ensure nftables default deny firewall policy - hook input 3.4.2.9 Ensure nftables default deny firewall policy - hook output 3.4.3.2.1 Ensure iptables loopback traffic is configured - INPUT 3.4.3.2.1 Ensure iptables loopback traffic is configured - OUTPUT 3.4.3.2.4 Ensure iptables default deny firewall policy - Chain FORWARD 3.4.3.2.4 Ensure iptables default deny firewall policy - Chain INPUT 3.4.3.2.4 Ensure iptables default deny firewall policy - Chain OUTPUT 3.4.3.2.6 Ensure iptables is enabled and active - active 3.4.3.2.6 Ensure iptables is enabled and active - enabled 3.4.3.3.1 Ensure ip6tables loopback traffic is configured - INPUT 3.4.3.3.1 Ensure ip6tables loopback traffic is configured - OUTPUT 3.4.3.3.4 Ensure ip6tables default deny firewall policy - Chain FORWARD 3.4.3.3.4 Ensure ip6tables default deny firewall policy - Chain INPUT 3.4.3.3.4 Ensure ip6tables default deny firewall policy - Chain OUTPUT 3.4.3.3.6 Ensure ip6tables is enabled and active - active 3.4.3.3.6 Ensure ip6tables is enabled and active - enabled 4.2.1.7 Ensure rsyslog is not configured to receive logs from a remote client 4.2.2.1.4 Ensure journald is not configured to receive logs from a remote client 4.2.3 Ensure all logfiles have appropriate access configured 5.2.10 Ensure SSH PermitUserEnvironment is disabled - sshd output 5.2.10 Ensure SSH PermitUserEnvironment is disabled - sshd_config 5.2.11 Ensure SSH IgnoreRhosts is enabled - sshd output 5.2.11 Ensure SSH IgnoreRhosts is enabled - sshd_config 5.2.16 Ensure SSH MaxAuthTries is set to 4 or less - sshd output 5.2.16 Ensure SSH MaxAuthTries is set to 4 or less - sshd_config 5.2.17 Ensure SSH MaxStartups is configured - sshd output 5.2.17 Ensure SSH MaxStartups is configured - sshd_config 5.2.18 Ensure SSH MaxSessions is set to 10 or less - sshd output 5.2.18 Ensure SSH MaxSessions is set to 10 or less - sshd_config 5.2.19 Ensure SSH LoginGraceTime is set to one minute or less - sshd output 5.2.19 Ensure SSH LoginGraceTime is set to one minute or less - sshd_config 5.2.20 Ensure SSH Idle Timeout Interval is configured - ClientAliveCountMax sshd output 5.2.20 Ensure SSH Idle Timeout Interval is configured - ClientAliveCountMax sshd_config 5.2.20 Ensure SSH Idle Timeout Interval is configured - ClientAliveInterval sshd output 5.2.20 Ensure SSH Idle Timeout Interval is configured - ClientAliveInterval sshd_config 5.2.4 Ensure SSH access is limited - sshd output 5.2.4 Ensure SSH access is limited - sshd_config 5.2.5 Ensure SSH LogLevel is appropriate - sshd output 5.2.5 Ensure SSH LogLevel is appropriate - sshd_config 5.2.6 Ensure SSH PAM is enabled - sshd output 5.2.6 Ensure SSH PAM is enabled - sshd_config 5.2.7 Ensure SSH root login is disabled - sshd output 5.2.7 Ensure SSH root login is disabled - sshd_config 5.2.8 Ensure SSH HostbasedAuthentication is disabled - sshd output 5.2.8 Ensure SSH HostbasedAuthentication is disabled - sshd_config 5.2.9 Ensure SSH PermitEmptyPasswords is disabled - sshd output 5.2.9 Ensure SSH PermitEmptyPasswords is disabled - sshd_config 5.4.2 Ensure authselect includes with-faillock - password-auth account required 5.4.2 Ensure authselect includes with-faillock - password-auth auth required 5.4.2 Ensure authselect includes with-faillock - system-auth account required 5.4.2 Ensure authselect includes with-faillock - system-auth auth required 5.5.1 Ensure password creation requirements are configured - enforce-for-root 5.5.1 Ensure password creation requirements are configured - minlen 5.5.1 Ensure password creation requirements are configured - password complexity 5.5.1 Ensure password creation requirements are configured - retry 5.5.1 Ensure password creation requirements are configured - try_first_pass 5.5.2 Ensure lockout for failed password attempts is configured - <= 8.1 deny 5.5.2 Ensure lockout for failed password attempts is configured - <= 8.1 unlock_time 5.5.2 Ensure lockout for failed password attempts is configured - >= 8.2 deny 5.5.2 Ensure lockout for failed password attempts is configured - >= 8.2 unlock_time 5.5.4 Ensure password hashing algorithm is SHA-512 - /etc/libuser.conf 5.5.4 Ensure password hashing algorithm is SHA-512 - /etc/login.defs 5.5.4 Ensure password hashing algorithm is SHA-512 - /etc/pam.d/password-auth 5.5.4 Ensure password hashing algorithm is SHA-512 - /etc/pam.d/system-auth 5.6.1.1 Ensure password expiration is 365 days or less - login.defs 5.6.1.1 Ensure password expiration is 365 days or less - users 5.6.1.2 Ensure minimum days between password changes is 7 or more - login.defs 5.6.1.2 Ensure minimum days between password changes is 7 or more - users 5.6.1.3 Ensure password expiration warning days is 7 or more - login.defs 5.6.1.3 Ensure password expiration warning days is 7 or more - users 5.6.1.4 Ensure inactive password lock is 30 days or less - useradd 5.6.1.4 Ensure inactive password lock is 30 days or less - users 5.6.2 Ensure system accounts are secured - lock not root 5.6.2 Ensure system accounts are secured - non login 5.6.5 Ensure default user umask is 027 or more restrictive - default user umask 5.6.5 Ensure default user umask is 027 or more restrictive - less restrictive system wide umask
Revision 1.33 Apr 22, 2024 Functional Update 4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host
Revision 1.32 Mar 18, 2024 Functional Update 4.2.3 Ensure all logfiles have appropriate access configured
Revision 1.31 Jan 22, 2024 Functional Update 5.2.20 Ensure SSH Idle Timeout Interval is configured - ClientAliveCountMax sshd output Miscellaneous Metadata updated.

Detections

Analytics

CIS CentOS Linux 8 Server L1 v2.0.0

Audit Details

File Details

Audit Changelog

Revision 1.40

Informational Update

Miscellaneous

Revision 1.39

Functional Update

Miscellaneous

Revision 1.38

Functional Update

Revision 1.37

Functional Update

Revision 1.36

Functional Update

Revision 1.35

Miscellaneous

Revision 1.34

Functional Update

Informational Update

Miscellaneous

Added

Removed

Revision 1.33

Functional Update

Revision 1.32

Functional Update

Revision 1.31

Functional Update

Miscellaneous

Detections

Analytics

CIS CentOS Linux 8 Server L1 v2.0.0 Download File

Audit Details

File Details

Audit Changelog

Informational Update

Miscellaneous

Functional Update

Miscellaneous

Functional Update

Functional Update

Functional Update

Miscellaneous

Functional Update

Informational Update

Miscellaneous

Added

Removed

Functional Update

Functional Update

Functional Update

Miscellaneous

CIS CentOS Linux 8 Server L1 v2.0.0