Skip to content
ATO Pathways
  Log In

CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation

Rules and Groups employed by this XCCDF Profile

  • Verify Group Who Owns cron.hourly

    To properly set the group owner of /etc/cron.hourly, run the command: 
    $ sudo chgrp root /etc/cron.hourly
    Rule Medium Severity
    Show

  • Verify Group Who Owns cron.monthly

    To properly set the group owner of /etc/cron.monthly, run the command: 
    $ sudo chgrp root /etc/cron.monthly
    Rule Medium Severity
    Show

  • Verify Group Who Owns cron.weekly

    To properly set the group owner of /etc/cron.weekly, run the command: 
    $ sudo chgrp root /etc/cron.weekly
    Rule Medium Severity
    Show

  • Verify Group Who Owns Crontab

    To properly set the group owner of /etc/crontab, run the command: 
    $ sudo chgrp root /etc/crontab
    Rule Medium Severity
    Show

  • Verify Owner on cron.d

    To properly set the owner of /etc/cron.d, run the command: 
    $ sudo chown root /etc/cron.d
    Rule Medium Severity
    Show

  • Verify Owner on cron.daily

    To properly set the owner of /etc/cron.daily, run the command: 
    $ sudo chown root /etc/cron.daily
    Rule Medium Severity
    Show

  • Verify Owner on cron.hourly

    To properly set the owner of /etc/cron.hourly, run the command: 
    $ sudo chown root /etc/cron.hourly
    Rule Medium Severity
    Show

  • Verify Owner on cron.monthly

    To properly set the owner of /etc/cron.monthly, run the command: 
    $ sudo chown root /etc/cron.monthly
    Rule Medium Severity
    Show

  • Verify Owner on cron.weekly

    To properly set the owner of /etc/cron.weekly, run the command: 
    $ sudo chown root /etc/cron.weekly
    Rule Medium Severity
    Show

  • Verify Owner on crontab

    To properly set the owner of /etc/crontab, run the command: 
    $ sudo chown root /etc/crontab
    Rule Medium Severity
    Show

  • Verify Permissions on cron.d

    To properly set the permissions of /etc/cron.d, run the command: 
    $ sudo chmod 0700 /etc/cron.d
    Rule Medium Severity
    Show

  • Verify Permissions on cron.daily

    To properly set the permissions of /etc/cron.daily, run the command: 
    $ sudo chmod 0700 /etc/cron.daily
    Rule Medium Severity
    Show

  • Verify Permissions on cron.hourly

    To properly set the permissions of /etc/cron.hourly, run the command: 
    $ sudo chmod 0700 /etc/cron.hourly
    Rule Medium Severity
    Show

  • Verify Permissions on cron.monthly

    To properly set the permissions of /etc/cron.monthly, run the command: 
    $ sudo chmod 0700 /etc/cron.monthly
    Rule Medium Severity
    Show

  • Verify Permissions on cron.weekly

    To properly set the permissions of /etc/cron.weekly, run the command: 
    $ sudo chmod 0700 /etc/cron.weekly
    Rule Medium Severity
    Show

  • Verify Permissions on crontab

    To properly set the permissions of /etc/crontab, run the command: 
    $ sudo chmod 0600 /etc/crontab
    Rule Medium Severity
    Show

  • Restrict at and cron to Authorized Users if Necessary

    The <code>/etc/cron.allow</code> and <code>/etc/at.allow</code> files contain lists of users who are allowed to use <code>cron</code> and at to del...
    Group
    Show

  • Ensure that /etc/at.deny does not exist

    The file /etc/at.deny should not exist. Use /etc/at.allow instead.
    Rule Medium Severity
    Show

  • Ensure that /etc/cron.deny does not exist

    The file /etc/cron.deny should not exist. Use /etc/cron.allow instead.
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/at.allow file

    If <code>/etc/at.allow</code> exists, it must be group-owned by <code>root</code>. To properly set the group owner of <code>/etc/at.allow</code>, ...
    Rule Medium Severity
    Show

  • Verify Group Who Owns /etc/cron.allow file

    If <code>/etc/cron.allow</code> exists, it must be group-owned by <code>root</code>. To properly set the group owner of <code>/etc/cron.allow</cod...
    Rule Medium Severity
    Show

  • Verify User Who Owns /etc/cron.allow file

    If <code>/etc/cron.allow</code> exists, it must be owned by <code>root</code>. To properly set the owner of <code>/etc/cron.allow</code>, run the ...
    Rule Medium Severity
    Show

  • Verify Permissions on /etc/at.allow file

    If <code>/etc/at.allow</code> exists, it must have permissions <code>0600</code> or more restrictive. To properly set the permissions of <code>/e...
    Rule Medium Severity
    Show

  • Verify Permissions on /etc/cron.allow file

    If <code>/etc/cron.allow</code> exists, it must have permissions <code>0600</code> or more restrictive. To properly set the permissions of <code>...
    Rule Medium Severity
    Show

  • DHCP

    The Dynamic Host Configuration Protocol (DHCP) allows systems to request and obtain an IP address and other configuration parameters from a server....
    Group
    Show

  • Disable DHCP Server

    The DHCP server <code>dhcpd</code> is not installed or activated by default. If the software was installed and activated, but the system does not n...
    Group
    Show

  • Uninstall DHCP Server Package

    If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. The <code>dhcp-server</code> package can be removed with...
    Rule Medium Severity
    Show

  • DNS Server

    Most organizations have an operational need to run at least one nameserver. However, there are many common attacks involving DNS server software, a...
    Group
    Show

  • Uninstall dnsmasq Package

    dnsmasq is a lightweight tool that provides DNS caching, DNS forwarding and DHCP (Dynamic Host Configuration Protocol) services. <br> The <code>dns...
    Rule Low Severity
    Show

  • Disable DNS Server

    DNS software should be disabled on any systems which does not need to be a nameserver. Note that the BIND DNS server software is not installed on R...
    Group
    Show

  • Uninstall bind Package

    The <code>named</code> service is provided by the <code>bind</code> package. The <code>bind</code> package can be removed with the following comman...
    Rule Low Severity
    Show

  • FTP Server

    FTP is a common method for allowing remote access to files. Like telnet, the FTP protocol is unencrypted, which means that passwords and other data...
    Group
    Show

  • Remove ftp Package

    FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, esp...
    Rule Low Severity
    Show

  • Disable vsftpd if Possible

    To minimize attack surface, disable vsftpd if at all possible.
    Group
    Show

  • Uninstall vsftpd Package

    The vsftpd package can be removed with the following command: 
     $ sudo dnf erase vsftpd
    Rule High Severity
    Show

  • Web Server

    The web server is responsible for providing access to content via the HTTP protocol. Web servers represent a significant security risk because: <br...
    Group
    Show

  • Disable Apache if Possible

    If Apache was installed and activated, but the system does not need to act as a web server, then it should be disabled and removed from the system.
    Group
    Show

  • Uninstall httpd Package

    The httpd package can be removed with the following command: 
    $ sudo dnf erase httpd
    Rule Unknown Severity
    Show

  • Disable NGINX if Possible

    If NGINX was installed and activated, but the system does not need to act as a web server, then it should be removed from the system.
    Group
    Show

  • Uninstall nginx Package

    The nginx package can be removed with the following command: 
    $ sudo dnf erase nginx
    Rule Unknown Severity
    Show

  • IMAP and POP3 Server

    Dovecot provides IMAP and POP3 services. It is not installed by default. The project page at <a href="http://www.dovecot.org">http://www.dovec...
    Group
    Show

  • Disable Cyrus IMAP

    If the system does not need to operate as an IMAP or POP3 server, the Cyrus IMAP software should be removed.
    Group
    Show

  • Uninstall cyrus-imapd Package

    The cyrus-imapd package can be removed with the following command: 
    $ sudo dnf erase cyrus-imapd
    Rule Unknown Severity
    Show

  • Disable Dovecot

    If the system does not need to operate as an IMAP or POP3 server, the dovecot software should be disabled and removed.
    Group
    Show

  • Uninstall dovecot Package

    The dovecot package can be removed with the following command: 
    $ sudo dnf erase dovecot
    Rule Unknown Severity
    Show

  • LDAP

    LDAP is a popular directory service, that is, a standardized way of looking up information from a central database. Red Hat Enterprise Linux 9 incl...
    Group
    Show

  • Configure OpenLDAP Clients

    This section provides information on which security settings are important to configure in OpenLDAP clients by manually editing the appropriate con...
    Group
    Show

  • Ensure LDAP client is not installed

    The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. The <code>...
    Rule Low Severity
    Show

  • Mail Server Software

    Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious target...
    Group
    Show

  • Ensure Mail Transfer Agent is not Listening on any non-loopback Address

    Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules