Default Security Configuration Standards

By default, Tenable Core applies security configurations based on the Center for Internet Security (CIS) standards. For more information about CIS standards, refer to cisecurity.org.

Note: SELinux is enabled by default on the Tenable Core operating system.

CIS Standards

CIS Benchmarks: Tenable has implemented the following parts of the CIS Level 1 Benchmark on Tenable Core:

CIS Level 1 - 1.x

  • CIS 1.1.1.* (Disable mounting of miscellaneous filesystems)
  • CIS 1.1.21 (Ensure sticky bit is set on all world-writable directories)
  • CIS 1.4.* (Bootloader adjustments)
    • CIS 1.4.1 Ensure permissions on bootloader config are configured
  • CIS 1.7.1.* (Messaging/banners)
    • Ensure message of the day is configured properly
    • Ensure local login warning banner is configured properly
    • Ensure remote login warning banner is configured properly
    • Ensure GDM login banner is configured - banner message enabled
    • Ensure GDM login banner is configured - banner message text

CIS Level 1 - 2.x

  • CIS 2.2.* (disabled packages)
    • x11
    • avahi-server
    • CUPS
    • nfs
    • Rpc

CIS Level 1 - 3.x

  • CIS 3.1.* (packet redirects)
    • 3.1.2 Ensure packet redirect sending is disabled - 'net.ipv4.conf.all.send_redirects = 0'
    • 3.1.2 Ensure packet redirect sending is disabled - 'net.ipv4.conf.default.send_redirects = 0'
  • CIS 3.2.* (IPv4, ICMP, etc.)
    • 3.2.1 Ensure source routed packets are not accepted - 'net.ipv4.conf.all.accept_source_route = 0'
    • 3.2.1 Ensure source routed packets are not accepted - 'net.ipv4.conf.default.accept_source_route = 0'
    • 3.2.2 Ensure ICMP redirects are not accepted - 'net.ipv4.conf.all.accept_redirects = 0'
    • 3.2.2 Ensure ICMP redirects are not accepted - 'net.ipv4.conf.default.accept_redirects = 0'
    • 3.2.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.all.secure_redirects = 0'
    • 3.2.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.default.secure_redirects = 0'
    • 3.2.4 Ensure suspicious packets are logged - 'net.ipv4.conf.all.log_martians = 1'
    • 3.2.4 Ensure suspicious packets are logged - 'net.ipv4.conf.default.log_martians = 1'
    • 3.2.5 Ensure broadcast ICMP requests are ignored
    • 3.2.6 Ensure bogus ICMP responses are ignored
    • 3.2.7 Ensure Reverse Path Filtering is enabled - 'net.ipv4.conf.all.rp_filter = 1'
    • 3.2.7 Ensure Reverse Path Filtering is enabled - 'net.ipv4.conf.default.rp_filter = 1'
    • 3.2.8 Ensure TCP SYN Cookies is enabled
  • CIS 3.3.* (IPv6)
    • 3.3.1 Ensure IPv6 router advertisements are not accepted
    • 3.3.2 Ensure IPv6 redirects are not accepted
  • CIS 3.5.* (network protocols)
    • 3.5.1 Ensure DCCP is disabled
    • 3.5.2 Ensure SCTP is disabled
    • 3.5.3 Ensure RDS is disabled
    • 3.5.4 Ensure TIPC is disabled
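As an added example (not from the Tenable Core documentation), the following POSIX shell check compares the sysctl keys listed under CIS 3.1.2 through 3.2.7 against the expected values above; it is run here over a constructed `sysctl -a` sample that has one drifted key and one missing key.

```shell
# Expected kernel settings, copied from the CIS 3.1.2-3.2.7 items listed above.
CIS_SYSCTL_EXPECTED='net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1'

# check_sysctl_output TEXT: TEXT holds "key = value" lines as printed by `sysctl -a`.
# Prints one FAIL or MISSING line per deviation; returns 0 only when every key matches.
check_sysctl_output() {
    actual=$1
    rc=0
    for pair in $CIS_SYSCTL_EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # keep dots literal in the regex
        got=$(printf '%s\n' "$actual" | sed -n "s/^$esc[[:space:]]*=[[:space:]]*//p" | head -n 1)
        if [ -z "$got" ]; then
            echo "MISSING $key"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "FAIL $key expected=$want actual=$got"; rc=1
        fi
    done
    return $rc
}

# Constructed sample (not captured from a real host): accept_redirects drifted to 1,
# and net.ipv4.conf.default.rp_filter is absent from the output altogether.
SAMPLE_SYSCTL='net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.rp_filter = 1'

check_sysctl_output "$SAMPLE_SYSCTL" || echo "sample host is NOT compliant"
```

Against a running host, call `check_sysctl_output "$(sysctl -a 2>/dev/null)"` instead of passing the sample.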

CIS Level 1 - 4.x

  • CIS 4.2.* (rsyslog)
    • 4.2.1.3 Ensure rsyslog default file permissions configured
    • 4.2.4 Ensure permissions on all logfiles are configured

CIS Level 1 - 5.x

  • CIS 5.1.* (cron permissions)
    • 5.1.2 Ensure permissions on /etc/crontab are configured
    • 5.1.3 Ensure permissions on /etc/cron.hourly are configured
    • 5.1.4 Ensure permissions on /etc/cron.daily are configured
    • 5.1.5 Ensure permissions on /etc/cron.weekly are configured
    • 5.1.6 Ensure permissions on /etc/cron.monthly are configured
    • 5.1.7 Ensure permissions on /etc/cron.d are configured
    • 5.1.8 Ensure at/cron is restricted to authorized users - at.allow
    • 5.1.8 Ensure at/cron is restricted to authorized users - at.deny
    • 5.1.8 Ensure at/cron is restricted to authorized users - cron.allow
  • CIS 5.3.* (password/pam)
    • 5.3.1 Ensure password creation requirements are configured - dcredit
    • 5.3.1 Ensure password creation requirements are configured - lcredit
    • 5.3.1 Ensure password creation requirements are configured - minlen
    • 5.3.1 Ensure password creation requirements are configured - ocredit
    • 5.3.1 Ensure password creation requirements are configured - ucredit
    • 5.3.2 Lockout for failed password attempts - password-auth 'auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900'
    • 5.3.2 Lockout for failed password attempts - password-auth 'auth [success=1 default=bad] pam_unix.so'
    • 5.3.2 Lockout for failed password attempts - password-auth 'auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900'
    • 5.3.2 Lockout for failed password attempts - password-auth 'auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900'
    • 5.3.2 Lockout for failed password attempts - system-auth 'auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900'
    • 5.3.2 Lockout for failed password attempts - system-auth 'auth [success=1 default=bad] pam_unix.so'
    • 5.3.2 Lockout for failed password attempts - system-auth 'auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900'
    • 5.3.2 Lockout for failed password attempts - system-auth 'auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900'
    • 5.3.3 Ensure password reuse is limited - password-auth
    • 5.3.3 Ensure password reuse is limited - system-auth
  • CIS 5.4.* (user prefs)
    • 5.4.1.2 Ensure minimum days between password changes is 7 or more
    • 5.4.1.4 Ensure inactive password lock is 30 days or less
    • 5.4.4 Ensure default user umask is 027 or more restrictive - /etc/bashrc
  • CIS 5.6.* (wheel group)
    • 5.6 Ensure access to the su command is restricted - pam_wheel.so
    • 5.6 Ensure access to the su command is restricted - wheel group contains root

CIS Level 1 - 6.x

  • CIS 6.1.* (misc conf permissions)
    • 6.1.6 Ensure permissions on /etc/passwd- are configured
    • 6.1.8 Ensure permissions on /etc/group- are configured