vm-skills/node-hardening/references/cis_benchmarks.md
Vault Sovereign eac77ef7b4 Initial commit: VaultMesh Skills collection
Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-27 00:25:00 +00:00


# CIS Benchmarks Reference

## Overview

This skill implements controls aligned with the CIS (Center for Internet Security) Benchmarks for Linux. The following sections map skill operations to specific CIS controls.

## CIS Ubuntu/Debian Linux Benchmark Mappings

### 1. Initial Setup

| CIS Control | Description | Skill Implementation |
|---|---|---|
| 1.1.1.x | Disable unused filesystems | Out of scope |
| 1.5.x | Secure boot settings | Out of scope |

### 2. Services

| CIS Control | Description | Skill Implementation |
|---|---|---|
| 2.1.x | Disable inetd services | Out of scope |
| 2.2.x | Special purpose services | fail2ban, auditd enabled |

### 3. Network Configuration

| CIS Control | Description | Skill Implementation |
|---|---|---|
| 3.1.1 | Disable IPv6 | Not disabled (optional) |
| 3.2.x | Network parameters (host) | Handled by sysctl (future) |
| 3.4.x | Firewall configuration | UFW enabled |

### 4. Logging and Auditing

| CIS Control | Description | Skill Implementation |
|---|---|---|
| 4.1.1 | Ensure auditing is enabled | auditd installed |
| 4.1.2 | Configure audit log storage | Default settings |
| 4.1.x | Audit rules | Basic rules via template |

### 5. Access, Authentication, and Authorization

| CIS Control | Description | Skill Implementation |
|---|---|---|
| 5.2.1 | Ensure sshd is running | Verified in preflight |
| 5.2.2 | SSH Protocol version | Implicit (OpenSSH 7.4+) |
| 5.2.3 | SSH LogLevel | Set to VERBOSE |
| 5.2.4 | SSH X11Forwarding | Disabled |
| 5.2.5 | SSH MaxAuthTries | Set to 3 |
| 5.2.6 | SSH IgnoreRhosts | Set to yes |
| 5.2.7 | SSH HostbasedAuthentication | Disabled |
| 5.2.8 | SSH PermitRootLogin | Disabled |
| 5.2.9 | SSH PermitEmptyPasswords | Disabled |
| 5.2.10 | SSH PermitUserEnvironment | Disabled |
| 5.2.11 | SSH strong ciphers | Configured |
| 5.2.12 | SSH strong MACs | Configured |
| 5.2.13 | SSH strong KEX | Configured |
| 5.2.14 | SSH idle timeout | Set (ClientAliveInterval) |
| 5.2.15 | SSH LoginGraceTime | Set to 20 |
| 5.2.16 | SSH access restriction | Via AllowUsers (optional) |

### 6. System Maintenance

| CIS Control | Description | Skill Implementation |
|---|---|---|
| 6.1.x | System file permissions | Out of scope |
| 6.2.x | User and group settings | Out of scope |

## SSH Hardening Details

The sshd_config template implements:

```
# CIS 5.2.4
X11Forwarding no

# CIS 5.2.5
MaxAuthTries 3

# CIS 5.2.6
IgnoreRhosts yes

# CIS 5.2.7
HostbasedAuthentication no

# CIS 5.2.8
PermitRootLogin no

# CIS 5.2.9
PermitEmptyPasswords no

# CIS 5.2.10
PermitUserEnvironment no

# CIS 5.2.11-13 - Strong crypto
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org

# CIS 5.2.14
ClientAliveInterval 300
ClientAliveCountMax 2

# CIS 5.2.15
LoginGraceTime 20
```
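A post-hardening check that a node's effective sshd settings match the 5.2.x table and the template above, added here as an example and not part of the skill's own code. It assumes the output of `sshd -T` on stdin (OpenSSH prints keys lowercased, one `key value` pair per line) and substitutes a constructed excerpt for a live node.

```shell
# Added example, not the skill's own code: check `sshd -T` output against the CIS 5.2.x values above.
# Rows are control|sshd -T key|expected value (sshd -T prints keys lowercased).
CIS_SSH_EXPECT='5.2.3|loglevel|VERBOSE
5.2.4|x11forwarding|no
5.2.5|maxauthtries|3
5.2.6|ignorerhosts|yes
5.2.7|hostbasedauthentication|no
5.2.8|permitrootlogin|no
5.2.9|permitemptypasswords|no
5.2.10|permituserenvironment|no
5.2.11|ciphers|chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
5.2.12|macs|hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
5.2.13|kexalgorithms|curve25519-sha256,curve25519-sha256@libssh.org
5.2.14|clientaliveinterval|300
5.2.14|clientalivecountmax|2
5.2.15|logingracetime|20'

# Reads the effective config on stdin, prints PASS/FAIL per control, returns the failure count.
cis_ssh_audit() {
    _cfg=$(cat); _fail=0
    while IFS='|' read -r _ctl _key _want; do
        _got=$(printf '%s\n' "$_cfg" | awk -v k="$_key" '$1 == k { print $2; exit }')
        if [ "$_got" = "$_want" ]; then
            printf 'PASS CIS %-6s %s=%s\n' "$_ctl" "$_key" "$_got"
        else
            printf 'FAIL CIS %-6s %s=%s (want %s)\n' "$_ctl" "$_key" "${_got:-<unset>}" "$_want"
            _fail=$((_fail + 1))   # wrong value, or key absent from the effective config
        fi
    done <<EOF
$CIS_SSH_EXPECT
EOF
    return $_fail
}

# Constructed `sshd -T` excerpt: a node with two settings still at OpenSSH defaults.
SAMPLE_SSHD_T='loglevel VERBOSE
x11forwarding no
maxauthtries 6
ignorerhosts yes
hostbasedauthentication no
permitrootlogin no
permitemptypasswords no
permituserenvironment no
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org
clientaliveinterval 0
clientalivecountmax 2
logingracetime 20'
printf '%s\n' "$SAMPLE_SSHD_T" | cis_ssh_audit || echo "$? control(s) not compliant"
```

On a live node, run it as root with `sshd -T | cis_ssh_audit`, since `sshd -T` reports the merged effective configuration (including `Include` files and `Match` defaults) rather than the template as written.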

## Firewall Rules

Default UFW policy:

- Default deny incoming
- Default allow outgoing
- SSH port allowed (rate-limited if configured)
- HTTP/HTTPS optional

## References