CIS Level 1 Guidelines

Red Hat Enterprise Linux 9

Support Red Hat Enterprise Linux 9

For more details about Center for Internet Security (CIS) please refer to this document

Instruction steps

I. Install OpenSCAP

yum install openscap-scanner scap-security-guide

II. Generate a result file and a HTML report using OpenSCAP scanner tool

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_server_l1 --results scan_results.xml --report scan_report.html /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

III. Remediation of CIS Level 1 issues

Generate a remediation script based on the ssg-rhel9-ds.xml file:

oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_cis_server_l1 --fix-type bash --output remediations.sh /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

And execute remediation script.

./remediations.sh

IV. Review the results after remediation

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_server_l1 --results scan_results.xml --report scan_report.html /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

Example:


Ubuntu 22 Pro

Install the UA client

sudo apt update sudo apt install ubuntu-advantage-tools

Set up the Ubuntu Security Guide

sudo ua enable usg sudo apt install usg

Check SCAP Content Overview (Security Content Automation Protocol)

sudo oscap info /usr/share/ubuntu-scap-security-guides/1/benchmarks/ssg-ubuntu2204-ds.xml

Auditing an Ubuntu System for DISA-STIG compliance

sudo usg audit cis_level1_server

The report is generated in /var/lib/usg/

Applying the CIS rules to a set of systems

There are 2 ways that apply CIS rules

Method 1: directly using usg command - recommend

sudo usg fix cis_level2_server

Method 2: using usg to generate script and then run the script

sudo usg generate-fix cis_level2_server --output fix.sh #And the run ./fix.sh

A reboot is require to take the effect after apply the fix.

Notes

  • CIS Level 1 requires /tmp folder to be mounted in a separate partition. Please ensure that that new partition have enough disk space for MetaDefender Core to run.

  • CIS Level 1 requires that "Ensure No World-Writable Files Exist".

    • For now, when freshly installing MetaDefender Core, all its binary files meet the requirement.

    • When installing/updating engines, some engines might create additional files for its operation, and it might violate this requirement. In this case, you need to again execute the remediation script in the step III.