1 # OSSEC Linux Audit - (C) 2018 OSSEC Project
3 # Released under the same license as OSSEC.
4 # More details at the LICENSE file included with OSSEC or online
5 # at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
7 # [Application name] [any or all] [reference]
11 # - f (for file or directory)
12 # - p (process running)
13 # - d (any file inside the directory)
16 # For the registry and for directories, use "->" to look for a specific entry and another
17 # "->" to look for the value.
18 # Also, use " -> r:^\. -> ..." to search all files in a directory
19 # For files, use "->" to look for a specific value in the file.
21 # Values can be preceded by: =: (for equal) - default
22 # r: (for ossec regexes)
23 # >: (for strcmp greater)
24 # <: (for strcmp lower)
25 # Multiple patterns can be specified by using " && " between them.
26 # (All of them must match for it to return true).
29 # CIS Checks for Red Hat / CentOS 7
30 # Based on CIS Benchmark for Red Hat Enterprise Linux 7 v1.1.0
33 $sshd_file=/etc/ssh/sshd_config;
36 $rc_dirs=/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d;
39 [CIS - Testing against the CIS Red Hat Enterprise Linux 7 Benchmark v1.1.0] [any required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
40 f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 7;
41 f:/etc/redhat-release -> r:^CentOS && r:release 7;
42 f:/etc/redhat-release -> r:^Cloud && r:release 7;
43 f:/etc/redhat-release -> r:^Oracle && r:release 7;
44 f:/etc/redhat-release -> r:^Better && r:release 7;
45 f:/etc/redhat-release -> r:^OpenVZ && r:release 7;
47 # 1.1.1 /tmp: partition
48 [CIS - RHEL7 - Build considerations - Robust partition scheme - /tmp is not on its own partition] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
49 f:/etc/fstab -> !r:/tmp;
52 [CIS - RHEL7 - 1.1.2 - Partition /tmp without 'nodev' set {CIS: 1.1.2 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
53 f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev;
56 [CIS - RHEL7 - 1.1.3 - Partition /tmp without 'nosuid' set {CIS: 1.1.3 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
57 f:/etc/fstab -> !r:^# && r:/tmp && !r:nosuid;
60 [CIS - RHEL7 - 1.1.4 - Partition /tmp without 'noexec' set {CIS: 1.1.4 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
61 f:/etc/fstab -> !r:^# && r:/tmp && !r:noexec;
63 # 1.1.5 Build considerations - Partition scheme.
64 [CIS - RHEL7 - Build considerations - Robust partition scheme - /var is not on its own partition {CIS: 1.1.5 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
65 f:/etc/fstab -> !r^# && !r:/var;
67 # 1.1.6 bind mount /var/tmp to /tmp
68 [CIS - RHEL7 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp {CIS: 1.1.6 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
69 f:/etc/fstab -> r:^# && !r:/var/tmp && !r:bind;
71 # 1.1.7 /var/log: partition
72 [CIS - RHEL7 - Build considerations - Robust partition scheme - /var/log is not on its own partition {CIS: 1.1.7 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
73 f:/etc/fstab -> ^# && !r:/var/log;
75 # 1.1.8 /var/log/audit: partition
76 [CIS - RHEL7 - Build considerations - Robust partition scheme - /var/log/audit is not on its own partition {CIS: 1.1.8 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
77 f:/etc/fstab -> ^# && !r:/var/log/audit;
79 # 1.1.9 /home: partition
80 [CIS - RHEL7 - Build considerations - Robust partition scheme - /home is not on its own partition {CIS: 1.1.9 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
81 f:/etc/fstab -> ^# && !r:/home;
84 [CIS - RHEL7 - 1.1.10 - Partition /home without 'nodev' set {CIS: 1.1.10 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
85 f:/etc/fstab -> !r:^# && r:/home && !r:nodev;
87 # 1.1.11 nodev on removable media partitions (not scored)
88 [CIS - RHEL7 - 1.1.11 - Removable partition /media without 'nodev' set {CIS: 1.1.11 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
89 f:/etc/fstab -> !r:^# && r:/media && !r:nodev;
91 # 1.1.12 noexec on removable media partitions (not scored)
92 [CIS - RHEL7 - 1.1.12 - Removable partition /media without 'noexec' set {CIS: 1.1.12 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
93 f:/etc/fstab -> !r:^# && r:/media && !r:noexec;
95 # 1.1.13 nosuid on removable media partitions (not scored)
96 [CIS - RHEL7 - 1.1.13 - Removable partition /media without 'nosuid' set {CIS: 1.1.13 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
97 f:/etc/fstab -> !r:^# && r:/media && !r:nosuid;
99 # 1.1.14 /dev/shm: nodev
100 [CIS - RHEL7 - 1.1.14 - /dev/shm without 'nodev' set {CIS: 1.1.14 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
101 f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nodev;
103 # 1.1.15 /dev/shm: nosuid
104 [CIS - RHEL7 - 1.1.15 - /dev/shm without 'nosuid' set {CIS: 1.1.15 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
105 f:/etc/fstab -> !r:^# && r:/dev/shm && !r:nosuid;
107 # 1.1.16 /dev/shm: noexec
108 [CIS - RHEL7 - 1.1.16 - /dev/shm without 'noexec' set {CIS: 1.1.16 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
109 f:/etc/fstab -> !r:^# && r:/dev/shm && !r:noexec;
111 # 1.1.17 sticky bit on world writable directories (Scored)
114 # 1.1.18 disable cramfs (not scored)
116 # 1.1.19 disable freevxfs (not scored)
118 # 1.1.20 disable jffs2 (not scored)
120 # 1.1.21 disable hfs (not scored)
122 # 1.1.22 disable hfsplus (not scored)
124 # 1.1.23 disable squashfs (not scored)
126 # 1.1.24 disable udf (not scored)
129 ##########################################
130 # 1.2 Software Updates
131 ##########################################
133 # 1.2.1 Configure rhn updates (not scored)
135 # 1.2.2 verify RPM gpg keys (Scored)
138 # 1.2.3 verify gpgcheck enabled (Scored)
141 # 1.2.4 Disable rhnsd (not scored)
143 # 1.2.5 Obtain Software Package Updates with yum (Not Scored)
145 # 1.2.6 Obtain updates with yum (not scored)
148 ###############################################
149 # 1.3 Advanced Intrusion Detection Environment
150 ###############################################
152 # Skipped, this control is obsoleted by OSSEC
155 ###############################################
156 # 1.4 Configure SELinux
157 ###############################################
159 # 1.4.1 enable selinux in /etc/grub.conf
160 [CIS - RHEL7 - 1.4.1 - SELinux Disabled in /etc/grub.conf {CIS: 1.4.1 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
161 f:/etc/grub.conf -> r:selinux=0;
162 f:/etc/grub2.cfg -> r:selinux=0;
164 # 1.4.2 Set selinux state
165 [CIS - RHEL7 - 1.4.2 - SELinux not set to enforcing {CIS: 1.4.2 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
166 f:/etc/selinux/config -> !r:SELINUX=enforcing;
168 # 1.4.3 Set seliux policy
169 [CIS - RHEL7 - 1.4.3 - SELinux policy not set to targeted {CIS: 1.4.3 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
170 f:/etc/selinux/config -> !r:SELINUXTYPE=targeted;
172 # 1.4.4 Remove SETroubleshoot
173 [CIS - RHEL7 - 1.4.4 - SELinux setroubleshoot enabled {CIS: 1.4.4 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
174 d:$rc_dirs -> ^S\d\dsetroubleshoot$;
175 f:/usr/share/dbus-1/services/sealert.service -> r:Exec=/usr/bin/sealert;
177 # 1.4.5 Disable MCS Translation service mcstrans
178 [CIS - RHEL7 - 1.4.5 - SELinux mctrans enabled {CIS: 1.4.5 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
179 d:$rc_dirs -> ^S\d\dmctrans$;
180 f:/usr/lib/systemd/system/mcstransd.service -> r:ExecStart=/usr/sbin/mcstransd;
182 # 1.4.6 Check for unconfined daemons
186 ###############################################
187 # 1.5 Secure Boot Settings
188 ###############################################
190 # 1.5.1 Set User/Group Owner on /etc/grub.conf
191 # TODO (no mode tests)
192 # stat -L -c "%u %g" /boot/grub2/grub.cfg | egrep "0 0"
194 # 1.5.2 Set Permissions on /etc/grub.conf (Scored)
195 # TODO (no mode tests)
196 # stat -L -c "%a" /boot/grub2/grub.cfg | egrep ".00"
198 # 1.5.3 Set Boot Loader Password (Scored)
199 [CIS - RHEL7 - 1.5.3 - GRUB Password not set {CIS: 1.5.3 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
200 f:/boot/grub2/grub.cfg -> !r:^# && !r:password;
204 ###############################################
205 # 1.6 Additional Process Hardening
206 ###############################################
208 # 1.6.1 Restrict Core Dumps (Scored)
209 [CIS - RHEL7 - 1.6.1 - Interactive Boot not disabled {CIS: 1.6.1 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
210 f:/etc/security/limits.conf -> !r:^# && !r:hard\.+core\.+0;
212 # 1.6.1 Enable Randomized Virtual Memory Region Placement (Scored)
213 # Note this is also labeled 1.6.1 in the CIS benchmark.
214 [CIS - RHEL7 - 1.6.1 - Randomized Virtual Memory Region Placement not enabled {CIS: 1.6.3 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
215 f:/proc/sys/kernel/randomize_va_space -> !r:^2$;
218 ###############################################
219 # 1.7 Use the Latest OS Release (Not Scored)
220 ###############################################
223 ###############################################
225 ###############################################
227 ###############################################
228 # 2.1 Remove Legacy Services
229 ###############################################
231 # 2.1.1 Remove telnet-server (Scored)
232 # TODO: detect it is installed at all
233 [CIS - RHEL7 - 2.1.1 - Telnet enabled on xinetd {CIS: 2.1.1 RHEL7} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
234 f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no;
235 f:/usr/lib/systemd/system/telnet@.service -> r:ExecStart=-/usr/sbin/in.telnetd;
238 # 2.1.2 Remove telnet Clients (Scored)
241 # 2.1.3 Remove rsh-server (Scored)
242 [CIS - RHEL7 - 2.1.3 - rsh/rlogin/rcp enabled on xinetd {CIS: 2.1.3 RHEL7} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
243 f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no;
244 f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no;
245 f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no;
247 f:/usr/lib/systemd/system/rexec@.service -> r:ExecStart;
248 f:/usr/lib/systemd/system/rlogin@.service -> r:ExecStart;
249 f:/usr/lib/systemd/system/rsh@.service -> r:ExecStart;
251 # 2.1.4 Remove rsh (Scored)
254 # 2.1.5 Remove NIS Client (Scored)
255 [CIS - RHEL7 - 2.1.5 - Disable standard boot services - NIS (client) Enabled {CIS: 2.1.5 RHEL7} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
256 d:$rc_dirs -> ^S\d\dypbind$;
257 f:/usr/lib/systemd/system/ypbind.service -> r:Exec;
259 # 2.1.6 Remove NIS Server (Scored)
260 [CIS - RHEL7 - 2.1.6 - Disable standard boot services - NIS (server) Enabled {CIS: 2.1.6 RHEL7} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
261 d:$rc_dirs -> ^S\d\dypserv$;
262 f:/usr/lib/systemd/system/ypserv.service -> r:Exec;
264 # 2.1.7 Remove tftp (Scored)
267 # 2.1.8 Remove tftp-server (Scored)
268 [CIS - RHEL7 - 2.1.8 - tftpd enabled on xinetd {CIS: 2.1.8 RHEL7} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
269 f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no;
270 f:/usr/lib/systemd/system/tftp.service -> r:Exec;
272 # 2.1.9 Remove talk (Scored)
275 # 2.1.10 Remove talk-server (Scored)
276 [CIS - RHEL7 - 2.1.10 - talk enabled on xinetd {CIS: 2.1.10 RHEL7} {PCI_DSS: 2.2.3}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
277 f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no;
278 f:/usr/lib/systemd/system/ntalk.service -> r:Exec;
280 # 2.1.11 Remove xinetd (Scored)
281 [CIS - RHEL7 - 2.1.11 - xinetd detected {CIS: 2.1.11 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
282 f:/usr/lib/systemd/system/xinetd.service -> r:Exec;
284 # 2.1.12 Disable chargen-dgram (Scored)
285 [CIS - RHEL7 - 2.1.12 - chargen-dgram enabled on xinetd {CIS: 2.1.12 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
286 f:/etc/xinetd.d/chargen-dgram -> !r:^# && r:disable && r:no;
288 # 2.1.13 Disable chargen-stream (Scored)
289 [CIS - RHEL7 - 2.1.13 - chargen-stream enabled on xinetd {CIS: 2.1.13 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
290 f:/etc/xinetd.d/chargen-stream -> !r:^# && r:disable && r:no;
292 # 2.1.14 Disable daytime-dgram (Scored)
293 [CIS - RHEL7 - 2.1.14 - daytime-dgram enabled on xinetd {CIS: 2.1.14 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
294 f:/etc/xinetd.d/daytime-dgram -> !r:^# && r:disable && r:no;
296 # 2.1.15 Disable daytime-stream (Scored)
297 [CIS - RHEL7 - 2.1.15 - daytime-stream enabled on xinetd {CIS: 2.1.15 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
298 f:/etc/xinetd.d/daytime-stream -> !r:^# && r:disable && r:no;
301 # 2.1.16 Disable echo-dgram (Scored)
302 [CIS - RHEL7 - 2.1.16 - echo-dgram enabled on xinetd {CIS: 2.1.16 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
303 f:/etc/xinetd.d/echo-dgram -> !r:^# && r:disable && r:no;
305 # 2.1.17 Disable echo-stream (Scored)
306 [CIS - RHEL7 - 2.1.17 - echo-stream enabled on xinetd {CIS: 2.1.17 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
307 f:/etc/xinetd.d/echo-stream -> !r:^# && r:disable && r:no;
309 # 2.1.18 Disable tcpmux-server (Scored)
310 [CIS - RHEL7 - 2.1.18 - tcpmux-server enabled on xinetd {CIS: 2.1.18 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
311 f:/etc/xinetd.d/tcpmux-server -> !r:^# && r:disable && r:no;
314 ###############################################
315 # 3 Special Purpose Services
316 ###############################################
318 # 3.1 Set Daemon umask (Scored)
319 [CIS - RHEL7 - 3.1 - Set daemon umask - Default umask is higher than 027 {CIS: 3.1 RHEL7} {PCI_DSS: 2.2.2}] [all] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
320 f:/etc/sysconfig/init -> !r:^# && r:^umask && <:umask 027;
322 # 3.2 Remove X Windows (Scored)
323 [CIS - RHEL7 - 3.2 - X11 not disabled {CIS: 3.2 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
324 f:/usr/lib/systemd/system/default.target -> r:Graphical;
327 # 3.3 Disable Avahi Server (Scored)
328 [CIS - RHEL7 - 3.2 - Avahi daemon not disabled {CIS: 3.3 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
331 # 3.4 Disable Print Server - CUPS (Not Scored)
333 # 3.5 Remove DHCP Server (Scored)
334 [CIS - RHEL7 - 3.5 - DHCPnot disabled {CIS: 3.5 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
335 f:/usr/lib/systemd/system/dhcpd.service -> r:Exec;
337 # 3.6 Configure Network Time Protocol (NTP) (Scored)
338 [CIS - RHEL7 - 3.6 - NTPD not Configured {CIS: 3.6 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
339 f:/etc/ntp.conf -> r:restrict default kod nomodify notrap nopeer noquery && r:^server;
340 f:/etc/sysconfig/ntpd -> r:OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid";
342 # 3.7 Remove LDAP (Not Scored)
344 # 3.8 Disable NFS and RPC (Not Scored)
345 [CIS - RHEL7 - 3.8 - Disable standard boot services - NFS Enabled {CIS: 3.8 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
346 d:$rc_dirs -> ^S\d\dnfs$;
347 d:$rc_dirs -> ^S\d\dnfslock$;
349 # 3.9 Remove DNS Server (Not Scored)
352 # 3.10 Remove FTP Server (Not Scored)
353 [CIS - RHEL7 - 3.10 - VSFTP enabled on xinetd {CIS: 3.10 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
354 f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no;
356 # 3.11 Remove HTTP Server (Not Scored)
357 [CIS - RHEL7 - 3.11 - Disable standard boot services - Apache web server Enabled {CIS: 3.11 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
358 d:$rc_dirs -> ^S\d\dhttpd$;
360 # 3.12 Remove Dovecot (IMAP and POP3 services) (Not Scored)
361 [CIS - RHEL7 - 3.12 - imap enabled on xinetd {CIS: 3.12 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
362 f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no;
364 [CIS - RHEL7 - 3.12 - pop3 enabled on xinetd {CIS: 3.12 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
365 f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no;
367 # 3.13 Remove Samba (Not Scored)
368 [CIS - RHEL7 - 3.13 - Disable standard boot services - Samba Enabled {CIS: 3.13 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
369 d:$rc_dirs -> ^S\d\dsamba$;
370 d:$rc_dirs -> ^S\d\dsmb$;
372 # 3.14 Remove HTTP Proxy Server (Not Scored)
373 [CIS - RHEL7 - 3.14 - Disable standard boot services - Squid Enabled {CIS: 3.14 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
374 d:$rc_dirs -> ^S\d\dsquid$;
376 # 3.15 Remove SNMP Server (Not Scored)
377 [CIS - RHEL7 - 3.15 - Disable standard boot services - SNMPD process Enabled {CIS: 3.15 RHEL7} {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
378 d:$rc_dirs -> ^S\d\dsnmpd$;
380 # 3.16 Configure Mail Transfer Agent for Local-Only Mode (Scored)
384 ###############################################
385 # 4 Network Configuration and Firewalls
386 ###############################################
388 ###############################################
389 # 4.1 Modify Network Parameters (Host Only)
390 ###############################################
392 # 4.1.1 Disable IP Forwarding (Scored)
393 [CIS - RHEL7 - 4.1.1 - Network parameters - IP Forwarding enabled {CIS: 4.1.1 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
394 f:/proc/sys/net/ipv4/ip_forward -> 1;
395 f:/proc/sys/net/ipv6/ip_forward -> 1;
397 # 4.1.2 Disable Send Packet Redirects (Scored)
398 [CIS - RHEL7 - 4.1.2 - Network parameters - IP send redirects enabled {CIS: 4.1.2 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
399 f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0;
400 f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0;
403 ###############################################
404 # 4.2 Modify Network Parameters (Host and Router)
405 ###############################################
407 # 4.2.1 Disable Source Routed Packet Acceptance (Scored)
408 [CIS - RHEL7 - 4.2.1 - Network parameters - Source routing accepted {CIS: 4.2.1 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
409 f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;
411 # 4.2.2 Disable ICMP Redirect Acceptance (Scored)
412 [CIS - RHEL7 - 4.2.2 - Network parameters - ICMP redirects accepted {CIS: 1.1.1 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
413 f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 1;
414 f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 1;
416 # 4.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
417 [CIS - RHEL7 - 4.2.3 - Network parameters - ICMP secure redirects accepted {CIS: 4.2.3 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
418 f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 1;
419 f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 1;
421 # 4.2.4 Log Suspicious Packets (Scored)
422 [CIS - RHEL7 - 4.2.4 - Network parameters - martians not logged {CIS: 4.2.4 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
423 f:/proc/sys/net/ipv4/conf/all/log_martians -> 0;
425 # 4.2.5 Enable Ignore Broadcast Requests (Scored)
426 [CIS - RHEL7 - 4.2.5 - Network parameters - ICMP broadcasts accepted {CIS: 4.2.5 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
427 f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;
429 # 4.2.6 Enable Bad Error Message Protection (Scored)
430 [CIS - RHEL7 - 4.2.6 - Network parameters - Bad error message protection not enabled {CIS: 4.2.6 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
431 f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 0;
433 # 4.2.7 Enable RFC-recommended Source Route Validation (Scored)
434 [CIS - RHEL7 - 4.2.7 - Network parameters - RFC Source route validation not enabled {CIS: 4.2.7 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
435 f:/proc/sys/net/ipv4/conf/all/rp_filter -> 0;
436 f:/proc/sys/net/ipv4/conf/default/rp_filter -> 0;
438 # 4.2.8 Enable TCP SYN Cookies (Scored)
439 [CIS - RHEL7 - 4.2.8 - Network parameters - SYN Cookies not enabled {CIS: 4.2.8 RHEL7} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
440 f:/proc/sys/net/ipv4/tcp_syncookies -> 0;
443 ###############################################
444 # 4.3 Wireless Networking
445 ###############################################
447 # 4.3.1 Deactivate Wireless Interfaces (Not Scored)
450 ###############################################
452 ###############################################
454 ###############################################
455 # 4.4.1 Configure IPv6
456 ###############################################
458 # 4.4.1.1 Disable IPv6 Router Advertisements (Not Scored)
460 # 4.4.1.2 Disable IPv6 Redirect Acceptance (Not Scored)
462 # 4.4.2 Disable IPv6 (Not Scored)
465 ###############################################
466 # 4.5 Install TCP Wrappers
467 ###############################################
469 # 4.5.1 Install TCP Wrappers (Not Scored)
471 # 4.5.2 Create /etc/hosts.allow (Not Scored)
473 # 4.5.3 Verify Permissions on /etc/hosts.allow (Scored)
476 # 4.5.4 Create /etc/hosts.deny (Not Scored)
478 # 4.5.5 Verify Permissions on /etc/hosts.deny (Scored)
482 ###############################################
483 # 4.6 Uncommon Network Protocols
484 ###############################################
486 # 4.6.1 Disable DCCP (Not Scored)
488 # 4.6.2 Disable SCTP (Not Scored)
490 # 4.6.3 Disable RDS (Not Scored)
492 # 4.6.4 Disable TIPC (Not Scored)
494 # 4.7 Enable IPtables (Scored)
495 #[CIS - RHEL7 - 4.7 - Uncommon Network Protocols - Firewalld not enabled {CIS: 4.7 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
496 #f:/usr/lib/systemd/system/firewalld.service -> TODO;
499 ###############################################
500 # 5 Logging and Auditing
501 ###############################################
503 ###############################################
504 # 5.1 Configure Syslog
505 ###############################################
507 # 5.1.1 Install the rsyslog package (Scored)
510 # 5.1.2 Activate the rsyslog Service (Scored)
513 # 5.1.3 Configure /etc/rsyslog.conf (Not Scored)
515 # 5.1.4 Create and Set Permissions on rsyslog Log Files (Scored)
517 # 5.1.5 Configure rsyslog to Send Logs to a Remote Log Host (Scored)
519 # 5.1.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored)
522 ###############################################
523 # 5.2 Configure System Accounting (auditd)
524 ###############################################
526 ###############################################
527 # 5.2.1 Configure Data Retention
528 ###############################################
530 # 5.2.1.1 Configure Audit Log Storage Size (Not Scored)
532 # 5.2.1.2 Disable System on Audit Log Full (Not Scored)
534 # 5.2.1.3 Keep All Auditing Information (Scored)
536 # 5.2.2 Enable auditd Service (Scored)
538 # 5.2.3 Enable Auditing for Processes That Start Prior to auditd (Scored)
540 # 5.2.4 Record Events That Modify Date and Time Information (Scored)
542 # 5.2.5 Record Events That Modify User/Group Information (Scored)
544 # 5.2.6 Record Events That Modify the System’s Network Environment (Scored)
546 # 5.2.7 Record Events That Modify the System’s Mandatory Access Controls (Scored)
548 # 5.2.8 Collect Login and Logout Events (Scored)
550 # 5.2.9 Collect Session Initiation Information (Scored)
552 # 5.2.10 Collect Discretionary Access Control Permission Modification Events (Scored)
554 # 5.2.11 Collect Unsuccessful Unauthorized Access Attempts to Files (Scored)
556 # 5.2.12 Collect Use of Privileged Commands (Scored)
558 # 5.2.13 Collect Successful File System Mounts (Scored)
560 # 5.2.14 Collect File Deletion Events by User (Scored)
562 # 5.2.15 Collect Changes to System Administration Scope (sudoers) (Scored)
564 # 5.2.16 Collect System Administrator Actions (sudolog) (Scored)
566 # 5.2.17 Collect Kernel Module Loading and Unloading (Scored)
568 # 5.2.18 Make the Audit Configuration Immutable (Scored)
570 # 5.3 Configure logrotate (Not Scored)
573 ###############################################
574 # 6 System Access, Authentication and Authorization
575 ###############################################
577 ###############################################
578 # 6.1 Configure cron and anacron
579 ###############################################
581 # 6.1.1 Enable anacron Daemon (Scored)
583 # 6.1.2 Enable cron Daemon (Scored)
585 # 6.1.3 Set User/Group Owner and Permission on /etc/anacrontab (Scored)
587 # 6.1.4 Set User/Group Owner and Permission on /etc/crontab (Scored)
589 # 6.1.5 Set User/Group Owner and Permission on /etc/cron.hourly (Scored)
591 # 6.1.6 Set User/Group Owner and Permission on /etc/cron.daily (Scored)
593 # 6.1.7 Set User/Group Owner and Permission on /etc/cron.weekly (Scored)
595 # 6.1.8 Set User/Group Owner and Permission on /etc/cron.monthly (Scored)
597 # 6.1.9 Set User/Group Owner and Permission on /etc/cron.d (Scored)
599 # 6.1.10 Restrict at Daemon (Scored)
601 # 6.1.11 Restrict at/cron to Authorized Users (Scored)
603 ###############################################
605 ###############################################
607 # 6.2.1 Set SSH Protocol to 2 (Scored)
608 [CIS - RHEL7 - 6.2.1 - SSH Configuration - Protocol version 1 enabled {CIS: 6.2.1 RHEL7} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
609 f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+1;
611 # 6.2.2 Set LogLevel to INFO (Scored)
612 [CIS - RHEL7 - 6.2.1 - SSH Configuration - Protocol version 1 enabled {CIS: 6.2.1 RHEL7} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
613 f:/etc/ssh/sshd_config -> !r:^# && !r:LogLevel\.+INFO;
615 # 6.2.3 Set Permissions on /etc/ssh/sshd_config (Scored)
618 # 6.2.4 Disable SSH X11 Forwarding (Scored)
621 # 6.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
622 [ CIS - RHEL7 - 6.2.5 - SSH Configuration - Set SSH MaxAuthTries to 4 or Less {CIS - RHEL7 - 6.2.5} {PCI_DSS: 2.2.4}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
623 f:$sshd_file -> !r:^# && r:MaxAuthTries && !r:3\s*$;
624 f:$sshd_file -> r:^#\s*MaxAuthTries;
625 f:$sshd_file -> !r:MaxAuthTries;
627 # 6.2.6 Set SSH IgnoreRhosts to Yes (Scored)
628 [CIS - RHEL7 - 6.2.6 - SSH Configuration - IgnoreRHosts disabled {CIS: 6.2.6 RHEL7} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
629 f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no;
631 # 6.2.7 Set SSH HostbasedAuthentication to No (Scored)
632 [CIS - RHEL7 - 6.2.7 - SSH Configuration - Host based authentication enabled {CIS: 6.2.7 RHEL7} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
633 f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\.+yes;
635 # 6.2.8 Disable SSH Root Login (Scored)
636 [CIS - RHEL7 - 6.2.8 - SSH Configuration - Root login allowed {CIS: 6.2.8 RHEL7} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
637 f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\.+yes;
638 f:/etc/ssh/sshd_config -> r:^#\s*PermitRootLogin;
640 # 6.2.9 Set SSH PermitEmptyPasswords to No (Scored)
641 [CIS - RHEL7 - 6.2.9 - SSH Configuration - Empty passwords permitted {CIS: 6.2.9 RHEL7} {PCI_DSS: 4.1}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
642 f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\.+yes;
643 f:/etc/ssh/sshd_config -> r:^#\s*PermitEmptyPasswords;
645 # 6.2.10 Do Not Allow Users to Set Environment Options (Scored)
647 # 6.2.11 Use Only Approved Ciphers in Counter Mode (Scored)
649 # 6.2.12 Set Idle Timeout Interval for User Login (Not Scored)
651 # 6.2.13 Limit Access via SSH (Scored)
653 # 6.2.14 Set SSH Banner (Scored)
656 ###############################################
658 ###############################################
660 # 6.3.1 Upgrade Password Hashing Algorithm to SHA-512 (Scored)
661 # authconfig --test | grep hashing | grep sha512
663 # 6.3.2 Set Password Creation Requirement Parameters Using pam_cracklib (Scored)
665 # 6.3.3 Set Lockout for Failed Password Attempts (Not Scored)
667 # 6.3.4 Limit Password Reuse (Scored)
670 # 6.4 Restrict root Login to System Console (Not Scored)
672 # 6.5 Restrict Access to the su Command (Scored)
675 ###############################################
676 # 7 User Accounts and Environment
677 ###############################################
679 ###############################################
680 # 7.1 Set Shadow Password Suite Parameters (/etc/login.defs)
681 ###############################################
683 # 7.1.1 Set Password Expiration Days (Scored)
685 # 7.1.2 Set Password Change Minimum Number of Days (Scored)
687 # 7.1.3 Set Password Expiring Warning Days (Scored)
689 # 7.2 Disable System Accounts (Scored)
691 # 7.3 Set Default Group for root Account (Scored)
693 # 7.4 Set Default umask for Users (Scored)
695 # 7.5 Lock Inactive User Accounts (Scored)
698 ###############################################
700 ###############################################
702 ###############################################
703 # 8.1 Warning Banners for Standard Login Services
704 ###############################################
706 # 8.1 Set Warning Banner for Standard Login Services (Scored)
708 # 8.2 Remove OS Information from Login Warning Banners (Scored)
710 # 8.3 Set GNOME Warning Banner (Not Scored)
713 ###############################################
714 # 9 System Maintenance
715 ###############################################
717 ###############################################
718 # 9.1 Verify System File Permissions
719 ###############################################
721 # 9.1.1 Verify System File Permissions (Not Scored)
723 # 9.1.2 Verify Permissions on /etc/passwd (Scored)
725 # 9.1.3 Verify Permissions on /etc/shadow (Scored)
727 # 9.1.4 Verify Permissions on /etc/gshadow (Scored)
729 # 9.1.5 Verify Permissions on /etc/group (Scored)
731 # 9.1.6 Verify User/Group Ownership on /etc/passwd (Scored)
733 # 9.1.7 Verify User/Group Ownership on /etc/shadow (Scored)
735 # 9.1.8 Verify User/Group Ownership on /etc/gshadow (Scored)
737 # 9.1.9 Verify User/Group Ownership on /etc/group (Scored)
739 # 9.1.10 Find World Writable Files (Not Scored)
741 # 9.1.11 Find Un-owned Files and Directories (Scored)
743 # 9.1.12 Find Un-grouped Files and Directories (Scored)
745 # 9.1.13 Find SUID System Executables (Not Scored)
747 # 9.1.14 Find SGID System Executables (Not Scored)
750 ###############################################
751 # 9.2 Review User and Group Settings
752 ###############################################
754 # 9.2.1 Ensure Password Fields are Not Empty (Scored)
756 # 9.2.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
758 # 9.2.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
760 # 9.2.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
762 # 9.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
763 [CIS - RHEL7 - 9.2.5 - Non-root account with uid 0 {CIS: 9.2.5 RHEL7} {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
764 f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:;
766 # 9.2.6 Ensure root PATH Integrity (Scored)
768 # 9.2.7 Check Permissions on User Home Directories (Scored)
770 # 9.2.8 Check User Dot File Permissions (Scored)
772 # 9.2.9 Check Permissions on User .netrc Files (Scored)
774 # 9.2.10 Check for Presence of User .rhosts Files (Scored)
776 # 9.2.11 Check Groups in /etc/passwd (Scored)
778 # 9.2.12 Check That Users Are Assigned Valid Home Directories (Scored)
780 # 9.2.13 Check User Home Directory Ownership (Scored)
782 # 9.2.14 Check for Duplicate UIDs (Scored)
784 # 9.2.15 Check for Duplicate GIDs (Scored)
786 # 9.2.16 Check That Reserved UIDs Are Assigned to System Accounts (Scored)
788 # 9.2.17 Check for Duplicate User Names (Scored)
790 # 9.2.18 Check for Duplicate Group Names (Scored)
792 # 9.2.19 Check for Presence of User .netrc Files (Scored)
794 # 9.2.20 Check for Presence of User .forward Files (Scored)
798 [CIS - RHEL7 - X.X.X - Account with empty password present {PCI_DSS: 10.2.5}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
799 f:/etc/shadow -> r:^\w+::;
801 [CIS - RHEL7 - X.X.X - User-mounted removable partition allowed on the console] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
802 f:/etc/security/console.perms -> r:^<console> \d+ <cdrom>;
803 f:/etc/security/console.perms -> r:^<console> \d+ <floppy>;
805 [CIS - RHEL7 - X.X.X - Disable standard boot services - Kudzu hardware detection Enabled] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
806 d:$rc_dirs -> ^S\d\dkudzu$;
808 [CIS - RHEL7 - X.X.X - Disable standard boot services - PostgreSQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
809 d:$rc_dirs -> ^S\d\dpostgresql$;
811 [CIS - RHEL7 - X.X.X - Disable standard boot services - MySQL server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
812 d:$rc_dirs -> ^S\d\dmysqld$;
814 [CIS - RHEL7 - X.X.X - Disable standard boot services - DNS server Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
815 d:$rc_dirs -> ^S\d\dnamed$;
817 [CIS - RHEL7 - X.X.X - Disable standard boot services - NetFS Enabled {PCI_DSS: 2.2.2}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
818 d:$rc_dirs -> ^S\d\dnetfs$;