// Level 3 · Controls
Linux
CIS Distribution-Independent Linux Benchmark
1.1.1.1 Medium
Ensure mounting of cramfs filesystems is disabled
Reduce attack surface.
1.1.2 Medium
Ensure /tmp is configured
Separate tmp partition.
1.4.1 High
Ensure permissions on bootloader config are configured
Protect grub.cfg.
1.5.1 High
Ensure address space layout randomization (ASLR) is enabled
Anti-exploit mitigation.
1.6.1.1 High
Ensure SELinux is installed
Mandatory access control.
2.2.1 Medium
Ensure xinetd is not installed
Remove unused services.
3.1.1 Medium
Ensure IP forwarding is disabled
Prevent unintended routing.
3.5.1.1 High
Ensure ufw is installed
Host firewall.
4.1.1.1 High
Ensure auditd is installed
Audit logging.
5.2.1 High
Ensure permissions on /etc/ssh/sshd_config are configured
Protect SSH config.
5.2.5 Medium
Ensure SSH LogLevel is appropriate
Sufficient SSH logs.
5.2.10 Critical
Ensure SSH PermitRootLogin is disabled
No direct root SSH.
5.3.1 High
Ensure password creation requirements are configured
pam_pwquality.
6.1.1 Medium
Audit system file permissions
Detect tampering.