CIS Level 1 Guidelines

For more details about Center for Internet Security (CIS) please refer to this document

Instruction steps

I. Install OpenSCAP

bash
    
 
yum install openscap-scanner scap-security-guide
Copy

II. Generate a result file and a HTML report using OpenSCAP scanner tool

Bash
    
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_server_l1 --results scan_results.xml --report scan_report.html /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Copy

III. Remediation of CIS Level 1 issues

Generate a remediation script based on the ssg-rhel9-ds.xml file:

Bash
    
oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_cis_server_l1 --fix-type bash --output remediations.sh /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Copy

And execute remediation script.

Bash
    
 
./remediations.sh
Copy

IV. Review the results after remediation

Bash
    
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_server_l1 --results scan_results.xml --report scan_report.html /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Copy

Example:

Notes

CIS Level 1 requires /tmp folder to be mounted in a separate partition. Please ensure that that new partition have enough disk space for MetaDefender Core to run.
CIS Level 1 requires that "Ensure No World-Writable Files Exist".
- For now, when freshly installing MetaDefender Core, all its binary files meet the requirement.
- When installing/updating engines, some engines might create additional files for its operation, and it might violate this requirement. In this case, you need to again execute the remediation script in the step III.

Last updated on

Was this page helpful?