Appendix: CIS Controls v7 IG 1 Mapped Recommendations

Recommendation    Set Correctly: Yes / No
1.1.2.3 Ensure noexec option set on /tmp partition □ □
1.1.2.4 Ensure nosuid option set on /tmp partition □ □
1.1.3.1 Ensure separate partition exists for /var □ □
1.1.3.2 Ensure nodev option set on /var partition □ □
1.1.3.3 Ensure nosuid option set on /var partition □ □
1.1.4.1 Ensure separate partition exists for /var/tmp □ □
1.1.4.2 Ensure noexec option set on /var/tmp partition □ □
1.1.4.3 Ensure nosuid option set on /var/tmp partition □ □
1.1.4.4 Ensure nodev option set on /var/tmp partition □ □
1.1.5.2 Ensure nodev option set on /var/log partition □ □
1.1.5.3 Ensure noexec option set on /var/log partition □ □
1.1.5.4 Ensure nosuid option set on /var/log partition □ □
1.1.6.2 Ensure noexec option set on /var/log/audit partition □ □
1.1.6.3 Ensure nodev option set on /var/log/audit partition □ □
1.1.6.4 Ensure nosuid option set on /var/log/audit partition □ □
1.1.7.1 Ensure separate partition exists for /home □ □
1.1.7.2 Ensure nodev option set on /home partition □ □
1.1.7.3 Ensure nosuid option set on /home partition □ □
1.1.8.2 Ensure nodev option set on /dev/shm partition □ □
1.1.8.3 Ensure noexec option set on /dev/shm partition □ □
1.1.8.4 Ensure nosuid option set on /dev/shm partition □ □
1.2.1 Ensure GPG keys are configured □ □
1.2.2 Ensure gpgcheck is globally activated □ □
1.2.3 Ensure package manager repositories are configured □ □
1.2.4 Ensure repo_gpgcheck is globally activated □ □
1.4.1 Ensure bootloader password is set □ □
1.4.2 Ensure permissions on bootloader config are configured □ □
1.6.1.1 Ensure SELinux is installed □ □
1.6.1.2 Ensure SELinux is not disabled in bootloader configuration □ □
1.6.1.3 Ensure SELinux policy is configured □ □
1.6.1.4 Ensure the SELinux mode is not disabled □ □
1.6.1.5 Ensure the SELinux mode is enforcing □ □
1.6.1.7 Ensure SETroubleshoot is not installed □ □
1.7.4 Ensure permissions on /etc/motd are configured □ □
1.7.5 Ensure permissions on /etc/issue are configured □ □
1.7.6 Ensure permissions on /etc/issue.net are configured □ □
1.8.4 Ensure GDM screen locks when the user is idle □ □
1.8.5 Ensure GDM screen locks cannot be overridden □ □
1.8.6 Ensure GDM automatic mounting of removable media is disabled □ □
1.8.7 Ensure GDM disabling automatic mounting of removable media is not overridden □ □
1.8.8 Ensure GDM autorun-never is enabled □ □
1.8.9 Ensure GDM autorun-never is not overridden □ □
1.9 Ensure updates, patches, and additional security software are installed □ □
2.2.12 Ensure net-snmp is not installed □ □
2.2.13 Ensure telnet-server is not installed □ □
2.3.1 Ensure telnet client is not installed □ □
2.3.2 Ensure LDAP client is not installed □ □
3.3.4 Ensure suspicious packets are logged □ □
3.4.1.1 Ensure nftables is installed □ □
3.4.1.2 Ensure a single firewall configuration utility is in use □ □
3.4.2.1 Ensure firewalld default zone is set □ □
3.4.2.2 Ensure at least one nftables table exists □ □
3.4.2.3 Ensure nftables base chains exist □ □
3.4.2.4 Ensure host based firewall loopback traffic is configured □ □
3.4.2.5 Ensure firewalld drops unnecessary services and ports □ □
3.4.2.6 Ensure nftables established connections are configured □ □
3.4.2.7 Ensure nftables default deny firewall policy □ □
4.1.1.1 Ensure auditd is installed □ □
4.1.1.2 Ensure auditing for processes that start prior to auditd is enabled □ □
4.1.1.3 Ensure audit_backlog_limit is sufficient □ □
4.1.1.4 Ensure auditd service is enabled □ □
4.1.3.6 Ensure use of privileged commands are collected □ □
4.1.3.12 Ensure login and logout events are collected □ □
4.1.3.13 Ensure file deletion events by users are collected □ □
4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded □ □
4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded □ □
4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorded □ □
4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded □ □
4.1.3.19 Ensure kernel module loading unloading and modification is collected □ □
4.1.3.20 Ensure the audit configuration is immutable □ □
4.1.4.1 Ensure audit log files are mode 0640 or less permissive □ □
4.1.4.2 Ensure only authorized users own audit log files □ □
4.1.4.3 Ensure only authorized groups are assigned ownership of audit log files □ □
4.1.4.4 Ensure the audit log directory is 0750 or more restrictive □ □
4.1.4.5 Ensure audit configuration files are 640 or more restrictive □ □
4.1.4.6 Ensure audit configuration files are owned by root □ □
4.1.4.7 Ensure audit configuration files belong to group root □ □
4.1.4.8 Ensure audit tools are 755 or more restrictive □ □
4.1.4.9 Ensure audit tools are owned by root □ □
4.1.4.10 Ensure audit tools belong to group root □ □
4.2.1.1 Ensure rsyslog is installed □ □
4.2.1.2 Ensure rsyslog service is enabled □ □
4.2.1.3 Ensure journald is configured to send logs to rsyslog □ □
4.2.1.4 Ensure rsyslog default file permissions are configured □ □
4.2.1.5 Ensure logging is configured □ □
4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host □ □
4.2.1.7 Ensure rsyslog is not configured to receive logs from a remote client □ □
4.2.2.1.1 Ensure systemd-journal-remote is installed □ □
4.2.2.1.2 Ensure systemd-journal-remote is configured □ □
4.2.2.1.3 Ensure systemd-journal-remote is enabled □ □
4.2.2.1.4 Ensure journald is not configured to receive logs from a remote client □ □
4.2.2.2 Ensure journald service is enabled □ □
4.2.2.3 Ensure journald is configured to compress large log files □ □
4.2.2.4 Ensure journald is configured to write logfiles to persistent disk □ □
4.2.2.5 Ensure journald is not configured to send logs to rsyslog □ □
4.2.2.6 Ensure journald log rotation is configured per site policy □ □
4.2.2.7 Ensure journald default file permissions configured □ □
4.2.3 Ensure all logfiles have appropriate permissions and ownership □ □
5.1.2 Ensure permissions on /etc/crontab are configured □ □
5.1.3 Ensure permissions on /etc/cron.hourly are configured □ □
5.1.4 Ensure permissions on /etc/cron.daily are configured □ □
5.1.5 Ensure permissions on /etc/cron.weekly are configured □ □
5.1.6 Ensure permissions on /etc/cron.monthly are configured □ □
5.1.7 Ensure permissions on /etc/cron.d are configured □ □
5.1.8 Ensure cron is restricted to authorized users □ □
5.1.9 Ensure at is restricted to authorized users □ □
5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured □ □
5.2.2 Ensure permissions on SSH private host key files are configured □ □
5.2.3 Ensure permissions on SSH public host key files are configured □ □
5.2.4 Ensure SSH access is limited □ □
5.2.5 Ensure SSH LogLevel is appropriate □ □
5.2.6 Ensure SSH PAM is enabled □ □
5.2.7 Ensure SSH root login is disabled □ □
5.2.10 Ensure SSH PermitUserEnvironment is disabled □ □
5.2.15 Ensure SSH warning banner is configured □ □
5.2.17 Ensure SSH MaxStartups is configured □ □
5.2.18 Ensure SSH MaxSessions is set to 10 or less □ □
5.3.1 Ensure sudo is installed □ □
5.3.2 Ensure sudo commands use pty □ □
5.3.4 Ensure users must provide password for escalation □ □
5.3.5 Ensure re-authentication for privilege escalation is not disabled globally □ □
5.3.6 Ensure sudo authentication timeout is configured correctly □ □
5.3.7 Ensure access to the su command is restricted □ □
5.6.2 Ensure system accounts are secured □ □
5.6.3 Ensure default user shell timeout is 900 seconds or less □ □
5.6.4 Ensure default group for the root account is GID 0 □ □
5.6.5 Ensure default user umask is 027 or more restrictive □ □
5.6.6 Ensure root password is set □ □
6.1.9 Ensure no world writable files exist □ □
6.1.10 Ensure no unowned files or directories exist □ □
6.1.11 Ensure no ungrouped files or directories exist □ □
6.1.12 Ensure sticky bit is set on all world-writable directories □ □
6.1.13 Audit SUID executables □ □
6.1.14 Audit SGID executables □ □
6.1.15 Audit system file permissions □ □
6.2.10 Ensure local interactive user home directories exist □ □
6.2.11 Ensure local interactive users own their home directories □ □
6.2.12 Ensure local interactive user home directories are mode 750 or more restrictive □ □
6.2.13 Ensure no local interactive user has .netrc files □ □
6.2.14 Ensure no local interactive user has .forward files □ □
6.2.15 Ensure no local interactive user has .rhosts files □ □
6.2.16 Ensure local interactive user dot files are not group or world writable □ □