# CIS Benchmarks Reference

## Overview

This skill implements controls aligned with CIS (Center for Internet Security) Benchmarks for Linux. The following sections map skill operations to specific CIS controls.

## CIS Ubuntu/Debian Linux Benchmark Mappings

### 1. Initial Setup

| CIS Control | Description | Skill Implementation |
|-------------|-------------|----------------------|
| 1.1.1.x | Disable unused filesystems | Out of scope |
| 1.5.x | Secure boot settings | Out of scope |

### 2. Services

| CIS Control | Description | Skill Implementation |
|-------------|-------------|----------------------|
| 2.1.x | Disable inetd services | Out of scope |
| 2.2.x | Special purpose services | fail2ban, auditd enabled |

### 3. Network Configuration

| CIS Control | Description | Skill Implementation |
|-------------|-------------|----------------------|
| 3.1.1 | Disable IPv6 | Not disabled (optional) |
| 3.2.x | Network parameters (host) | Handled by sysctl (future) |
| 3.4.x | Firewall configuration | **UFW enabled** |

### 4. Logging and Auditing

| CIS Control | Description | Skill Implementation |
|-------------|-------------|----------------------|
| 4.1.1 | Ensure auditing is enabled | **auditd installed** |
| 4.1.2 | Configure audit log storage | Default settings |
| 4.1.x | Audit rules | Basic rules via template |

### 5. Access, Authentication, and Authorization

| CIS Control | Description | Skill Implementation |
|-------------|-------------|----------------------|
| 5.2.1 | Ensure sshd is running | Verified in preflight |
| 5.2.2 | SSH Protocol version | Implicit (OpenSSH 7.4+) |
| 5.2.3 | SSH LogLevel | **Set to VERBOSE** |
| 5.2.4 | SSH X11Forwarding | **Disabled** |
| 5.2.5 | SSH MaxAuthTries | **Set to 3** |
| 5.2.6 | SSH IgnoreRhosts | **Set to yes** |
| 5.2.7 | SSH HostbasedAuthentication | **Disabled** |
| 5.2.8 | SSH PermitRootLogin | **Disabled** |
| 5.2.9 | SSH PermitEmptyPasswords | **Disabled** |
| 5.2.10 | SSH PermitUserEnvironment | **Disabled** |
| 5.2.11 | SSH strong ciphers | **Configured** |
| 5.2.12 | SSH strong MACs | **Configured** |
| 5.2.13 | SSH strong KEX | **Configured** |
| 5.2.14 | SSH idle timeout | **Set (ClientAliveInterval)** |
| 5.2.15 | SSH LoginGraceTime | **Set to 20** |
| 5.2.16 | SSH access restriction | Via AllowUsers (optional) |

### 6. System Maintenance

| CIS Control | Description | Skill Implementation |
|-------------|-------------|----------------------|
| 6.1.x | System file permissions | Out of scope |
| 6.2.x | User and group settings | Out of scope |

## SSH Hardening Details

The sshd_config template implements:

```
# CIS 5.2.4
X11Forwarding no

# CIS 5.2.5
MaxAuthTries 3

# CIS 5.2.6
IgnoreRhosts yes

# CIS 5.2.7
HostbasedAuthentication no

# CIS 5.2.8
PermitRootLogin no

# CIS 5.2.9
PermitEmptyPasswords no

# CIS 5.2.10
PermitUserEnvironment no

# CIS 5.2.11-13 - Strong crypto
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org

# CIS 5.2.14
ClientAliveInterval 300
ClientAliveCountMax 2

# CIS 5.2.15
LoginGraceTime 20
```

## Firewall Rules

Default UFW policy:

- Default deny incoming
- Default allow outgoing
- SSH port allowed (rate-limited if configured)
- HTTP/HTTPS optional

## References

- [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks/)
- [CIS Ubuntu Linux Benchmark](https://www.cisecurity.org/benchmark/ubuntu_linux)
- [CIS Debian Linux Benchmark](https://www.cisecurity.org/benchmark/debian_linux)
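## Added Examples: Checking the Hardened Settings

The sshd_config template above sets each CIS 5.2.x directive explicitly, but a template is only useful if the deployed file actually carries those values. The following POSIX sh script is an added example (not part of this skill's own code) that statically audits an sshd_config file against the directive/value pairs from the table. It respects three sshd parsing rules that naive `grep` checks get wrong: the first occurrence of a keyword wins, keywords are case-insensitive, and directives after a `Match` line are conditional rather than global. The sample config, the `EXPECTED` list and all function names are constructed for this example.

```shell
#!/bin/sh
# Static audit of an sshd_config file against the CIS 5.2.x settings listed
# in the mapping table. Added example; not the skill's own code.

# Constructed sample config (hypothetical, deliberately partly non-compliant).
SAMPLE_CFG="$(mktemp)"
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample, not a real host's config
Port 22
X11Forwarding yes
MaxAuthTries 6
IgnoreRhosts yes
PermitRootLogin no
PermitRootLogin yes
PermitEmptyPasswords no
PermitUserEnvironment no
LoginGraceTime 20
Match User backup
    HostbasedAuthentication no
EOF

# Directive, expected value, CIS control id (one per line), from the table.
EXPECTED='X11Forwarding no 5.2.4
MaxAuthTries 3 5.2.5
IgnoreRhosts yes 5.2.6
HostbasedAuthentication no 5.2.7
PermitRootLogin no 5.2.8
PermitEmptyPasswords no 5.2.9
PermitUserEnvironment no 5.2.10
LoginGraceTime 20 5.2.15'

# Print the global value of a directive, or nothing if it is unset.
# sshd uses the first occurrence of a keyword; keywords are case-insensitive;
# "Key value" and "Key=value" are both accepted; everything after the first
# Match line is conditional, so scanning stops there.
sshd_value() {
  awk -v key="$2" '
    { sub(/^[ \t]+/, "") }
    /^#/ || /^$/ { next }
    {
      split($0, f, /[ \t=]+/)
      k = tolower(f[1])
      if (k == "match") exit
      if (k == tolower(key)) { print f[2]; exit }
    }' "$1"
}

# Print one FAIL line per directive that is unset or differs from the expected value.
audit_sshd_config() {
  cfg="$1"
  while read -r directive want cis; do
    [ -n "$directive" ] || continue
    have="$(sshd_value "$cfg" "$directive")"
    if [ -z "$have" ]; then
      printf 'FAIL CIS %s: %s is unset (want %s)\n' "$cis" "$directive" "$want"
    elif [ "$(printf '%s' "$have" | tr 'A-Z' 'a-z')" != "$want" ]; then
      printf 'FAIL CIS %s: %s=%s (want %s)\n' "$cis" "$directive" "$have" "$want"
    fi
  done <<EOF
$EXPECTED
EOF
}

# Number of failing controls (0 means every checked directive matches).
count_sshd_failures() {
  audit_sshd_config "$1" | wc -l | tr -d ' '
}

audit_sshd_config "$SAMPLE_CFG"
```

Against the sample, the audit reports three failures: `X11Forwarding yes`, `MaxAuthTries 6`, and `HostbasedAuthentication` unset (the only occurrence is inside the `Match` block, so it is not global). `PermitRootLogin` passes because its first occurrence is `no`, even though a later line says `yes`. On a real host run `audit_sshd_config /etc/ssh/sshd_config`; for effective values including compiled-in defaults, `sshd -T` is the authoritative source, and the static parse is best used to vet the template before it is deployed.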
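The firewall section above states the intended UFW defaults (deny incoming, allow outgoing, SSH allowed and optionally rate-limited). The script below is an added example, not the skill's code, that checks the text of `ufw status verbose` for exactly those properties, so the policy can be verified after the skill runs. The two status samples are constructed for this example and were not captured from a real host; the function names are assumptions.

```shell
#!/bin/sh
# Checks `ufw status verbose` output against the default policy listed in
# the Firewall Rules section. Added example; not the skill's own code.

# Constructed sample output for a compliant host (hypothetical).
UFW_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                LIMIT IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# Second constructed sample: firewall active but with a permissive default.
UFW_STATUS_PERMISSIVE='Status: active
Default: allow (incoming), allow (outgoing), disabled (routed)'

# Print one line per policy problem; prints nothing when the defaults match.
ufw_policy_issues() {
  printf '%s\n' "$1" | awk '
    /^Status:/  && $2 != "active"             { print "firewall is not active" }
    /^Default:/ && $0 !~ /deny \(incoming\)/  { print "default incoming is not deny" }
    /^Default:/ && $0 !~ /allow \(outgoing\)/ { print "default outgoing is not allow" }
  '
}

# Number of policy problems found (0 means the defaults match).
ufw_policy_issue_count() {
  ufw_policy_issues "$1" | wc -l | tr -d ' '
}

# Print the action of the IPv4 rule for 22/tcp (ALLOW, LIMIT, DENY ...);
# empty if there is no such rule. The "(v6)" rows are skipped.
ssh_rule_action() {
  printf '%s\n' "$1" | awk '$1 == "22/tcp" && $2 != "(v6)" { print $2; exit }'
}

ufw_policy_issues "$UFW_STATUS"
echo "ssh rule: $(ssh_rule_action "$UFW_STATUS")"
```

On a live system feed it the real output, for example `ufw_policy_issues "$(sudo ufw status verbose)"`. A `LIMIT` action on the SSH rule is what "rate-limited if configured" looks like in the status output; `ALLOW` means the port is open without the rate limit.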