vaultsovereign/vm-skills
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
eac77ef7b4b5a87f0a35a1181dacb4013b09b996
vm-skills/node-hardening/references/cis_benchmarks.md
Vault Sovereign eac77ef7b4 Initial commit: VaultMesh Skills collection 
Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-27 00:25:00 +00:00

119 lines
3.5 KiB
Markdown
Raw Blame History

# CIS Benchmarks Reference
## Overview
This skill implements controls aligned with CIS (Center for Internet Security) Benchmarks for Linux. The following sections map skill operations to specific CIS controls.
## CIS Ubuntu/Debian Linux Benchmark Mappings
### 1. Initial Setup
| CIS Control | Description | Skill Implementation |
|-------------|-------------|----------------------|
| 1.1.1.x | Disable unused filesystems | Out of scope |
| 1.5.x | Secure boot settings | Out of scope |
### 2. Services
| CIS Control | Description | Skill Implementation |
|-------------|-------------|----------------------|
| 2.1.x | Disable inetd services | Out of scope |
| 2.2.x | Special purpose services | fail2ban, auditd enabled |
### 3. Network Configuration
| CIS Control | Description | Skill Implementation |
|-------------|-------------|----------------------|
| 3.1.1 | Disable IPv6 | Not disabled (optional) |
| 3.2.x | Network parameters (host) | Handled by sysctl (future) |
| 3.4.x | Firewall configuration | **UFW enabled** |
### 4. Logging and Auditing
| CIS Control | Description | Skill Implementation |
|-------------|-------------|----------------------|
| 4.1.1 | Ensure auditing is enabled | **auditd installed** |
| 4.1.2 | Configure audit log storage | Default settings |
| 4.1.x | Audit rules | Basic rules via template |
### 5. Access, Authentication, and Authorization
| CIS Control | Description | Skill Implementation |
|-------------|-------------|----------------------|
| 5.2.1 | Ensure sshd is running | Verified in preflight |
| 5.2.2 | SSH Protocol version | Implicit (OpenSSH 7.4+) |
| 5.2.3 | SSH LogLevel | **Set to VERBOSE** |
| 5.2.4 | SSH X11Forwarding | **Disabled** |
| 5.2.5 | SSH MaxAuthTries | **Set to 3** |
| 5.2.6 | SSH IgnoreRhosts | **Set to yes** |
| 5.2.7 | SSH HostbasedAuth | **Disabled** |
| 5.2.8 | SSH PermitRootLogin | **Disabled** |
| 5.2.9 | SSH PermitEmptyPasswords | **Disabled** |
| 5.2.10 | SSH PermitUserEnvironment | **Disabled** |
| 5.2.11 | SSH strong ciphers | **Configured** |
| 5.2.12 | SSH strong MACs | **Configured** |
| 5.2.13 | SSH strong KEX | **Configured** |
| 5.2.14 | SSH Idle Timeout | **Set (ClientAliveInterval)** |
| 5.2.15 | SSH LoginGraceTime | **Set to 20** |
| 5.2.16 | SSH access restriction | Via AllowUsers (optional) |
### 6. System Maintenance
| CIS Control | Description | Skill Implementation |
|-------------|-------------|----------------------|
| 6.1.x | System file permissions | Out of scope |
| 6.2.x | User and group settings | Out of scope |
## SSH Hardening Details
The sshd_config template implements:
```
# CIS 5.2.4
X11Forwarding no
# CIS 5.2.5
MaxAuthTries 3
# CIS 5.2.6
IgnoreRhosts yes
# CIS 5.2.7
HostbasedAuthentication no
# CIS 5.2.8
PermitRootLogin no
# CIS 5.2.9
PermitEmptyPasswords no
# CIS 5.2.10
PermitUserEnvironment no
# CIS 5.2.11-13 - Strong crypto
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
# CIS 5.2.14
ClientAliveInterval 300
ClientAliveCountMax 2
# CIS 5.2.15
LoginGraceTime 20
```
## Firewall Rules
Default UFW policy:
- Default deny incoming
- Default allow outgoing
- SSH port allowed (rate-limited if configured)
- HTTP/HTTPS optional
## References
- [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks/)
- [CIS Ubuntu Linux Benchmark](https://www.cisecurity.org/benchmark/ubuntu_linux)
- [CIS Debian Linux Benchmark](https://www.cisecurity.org/benchmark/debian_linux)
Reference in New Issue View Git Blame Copy Permalink