TufinOS 4 CIS Benchmark Hardening
This topic lists the hardening improvements implemented in TufinOS 4 as recommended by the CIS Rocky Linux 8 Benchmark v1.0.0, grouped by the TufinOS release that introduced them. Other recommendations from that document are not implemented.
From TufinOS 4.40
There are no new hardening improvements for this release.
From TufinOS 4.30
Section Number | Section Title |
---|---|
1.1.9 | Disable Automounting (Automated) |
1.4.3 | Ensure authentication is required when booting into rescue mode |
1.5.3 | Ensure address space layout randomization (ASLR) is enabled (Automated) |
1.9 | Ensure updates, patches, and additional security software are installed (Manual) |
2.2.3 | Ensure Avahi Server is not installed (Automated) |
2.2.4 | Ensure CUPS is not installed (Automated) |
2.2.7 | Ensure FTP Server is not installed (Automated) |
2.2.8 | Ensure VSFTP Server is not installed (Automated) |
2.2.9 | Ensure TFTP Server is not installed (Automated) |
2.2.10 | Ensure a web server is not installed (Automated) |
2.2.16 | Ensure telnet-server is not installed (Automated) |
2.2.19 | Ensure rpcbind is not installed or the rpcbind services are masked (Automated) |
2.2.20 | Ensure rsync is not installed or the rsyncd service is masked (Automated) |
3.1.1 | Verify if IPv6 is enabled on the system (Manual) |
3.2.2 | Ensure packet redirect sending is disabled (Automated) |
3.3.1 | Ensure source routed packets are not accepted (Automated) |
3.3.2 | Ensure ICMP redirects are not accepted (Automated) |
3.3.3 | Ensure secure ICMP redirects are not accepted (Automated) |
3.3.5 | Ensure broadcast ICMP requests are ignored (Automated) |
3.3.6 | Ensure bogus ICMP responses are ignored (Automated) |
3.3.7 | Ensure Reverse Path Filtering is enabled (Automated) |
3.4.1.2 | Ensure iptables-services not installed with firewalld (Automated) |
4.1.1.1 | Ensure auditd is installed (Automated) |
4.1.1.3 | Ensure auditing for processes that start prior to auditd is enabled (Automated) |
4.1.1.4 | Ensure audit_backlog_limit is sufficient (Automated) |
4.1.2.1 | Ensure audit log storage size is configured (Automated) |
4.1.3.2 | Ensure actions as another user are always logged (Automated) |
4.1.3.3 | Ensure events that modify the sudo log file are collected |
4.1.3.4 | Ensure events that modify date and time information are collected (Automated) |
4.1.3.5 | Ensure events that modify the system's network environment are collected (Automated) |
4.1.3.6 | Ensure use of privileged commands are collected (Automated) |
4.1.3.7 | Ensure unsuccessful file access attempts are collected (Automated) |
4.1.3.10 | Ensure successful file system mounts are collected (Automated) |
4.1.3.16 | Ensure successful and unsuccessful attempts to use the setfacl command are recorded (Automated) |
4.1.3.17 | Ensure successful and unsuccessful attempts to use the chacl command are recorded (Automated) |
4.1.3.18 | Ensure successful and unsuccessful attempts to use the usermod command are recorded (Automated) |
4.1.3.19 | Ensure kernel module loading unloading and modification is collected (Automated) |
4.2.2.1.4 | Ensure journald is not configured to receive logs from a remote client (Automated) |
4.2.2.7 | Ensure journald default file permissions configured (Manual) |
5.1.2 | Ensure permissions on /etc/crontab are configured (Automated) |
5.1.3 | Ensure permissions on /etc/cron.hourly are configured (Automated) |
5.1.4 | Ensure permissions on /etc/cron.daily are configured (Automated) |
5.1.5 | Ensure permissions on /etc/cron.weekly are configured (Automated) |
5.1.6 | Ensure permissions on /etc/cron.monthly are configured (Automated) |
5.1.7 | Ensure permissions on /etc/cron.d are configured (Automated) |
5.1.9 | Ensure at is restricted to authorized users (Automated) |
5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured (Automated) |
5.2.4 | Ensure SSH access is limited (Automated) |
5.2.7 | Ensure SSH root login is disabled (Automated) |
5.2.8 | Ensure SSH HostbasedAuthentication is disabled (Automated) |
5.3.1 | Ensure sudo is installed (Automated) |
5.3.3 | Ensure sudo log file exists (Automated) |
5.5.4 | Ensure password hashing algorithm is SHA-512 (Automated) |
5.6.2 | Ensure system accounts are secured (Automated) |
5.6.4 | Ensure default group for the root account is GID 0 (Automated) |
6.1.2 | Ensure sticky bit is set on all world-writable directories (Automated) |
6.1.3 | Ensure permissions on /etc/passwd are configured (Automated) |
6.1.5 | Ensure permissions on /etc/group are configured (Automated) |
6.1.6 | Ensure permissions on /etc/gshadow are configured (Automated) |
6.1.7 | Ensure permissions on /etc/passwd- are configured (Automated) |
6.1.8 | Ensure permissions on /etc/shadow- are configured (Automated) |
6.1.9 | Ensure permissions on /etc/group- are configured (Automated) |
6.1.10 | Ensure permissions on /etc/gshadow- are configured (Automated) |
6.2.1 | Ensure password fields are not empty (Automated) |
6.2.7 | Ensure root PATH Integrity (Automated) |
6.2.8 | Ensure root is the only UID 0 account (Automated) |
From TufinOS 4.00
Section Number | Section Title |
---|---|
1.1.2.1 | Ensure /tmp is a separate partition (Automated) |
1.1.2.2 | Ensure nodev option set on /tmp partition (Automated) |
1.1.2.3 | Ensure noexec option set on /tmp partition (Automated) |
1.1.2.4 | Ensure nosuid option set on /tmp partition (Automated) |
1.1.3.1 | Ensure separate partition exists for /var (Automated) |
1.1.3.2 | Ensure nodev option set on /var partition (Automated) |
1.1.3.4 | Ensure nosuid option set on /var partition (Automated) |
1.1.4.3 | Ensure nosuid option set on /var/tmp partition (Automated) |
1.1.5.1 | Ensure separate partition exists for /var/log (Automated) |
1.1.5.2 | Ensure nodev option set on /var/log partition (Automated) |
1.1.5.3 | Ensure noexec option set on /var/log partition (Automated) |
1.1.6.1 | Ensure noexec option set on /var/log/audit partition |
1.1.6.2 | Ensure noexec option set on /var/log/audit partition |
1.1.6.3 | Ensure nodev option set on /var/log/audit partition (Automated) |
1.1.8.3 | Ensure nosuid option set on /dev/shm partition (Automated) |
1.10 | Ensure system-wide crypto policy is not legacy (Automated) |
4.1.1.2 | Ensure auditd service is enabled (Automated) |
4.1.3.1 | Ensure changes to system administration scope (sudoers) is collected (Automated) |
4.1.3.8 | Ensure events that modify user/group information are collected (Automated) |
5.1.8 | Ensure cron is restricted to authorized users (Automated) |
6.1.4 | Ensure permissions on /etc/shadow are configured (Automated) |