Default Security Configuration Standards
By default, Tenable Core applies security configurations based on the following Center for Internet Security (CIS) standards. For more information about CIS standards, see cisecurity.org.
Note: SELinux: is enabled by default on the Tenable Core operating system.
CIS Standards
CIS Benchmarks: Tenable has implemented the following parts of the CIS Level 1 Benchmark on the Tenable Core:
CIS Level 1 - 1.x
- CIS 1.1.1.* (Disable mounting of miscellaneous filesystems)
- CIS 1.1.21 (Ensure sticky bit is set on all world-writable directories)
- CIS 1.4.* (Bootloader adjustments)
- CIS 1.4.1 Ensure permissions on bootloader config are configured
- CIS 1.7.1.* (Messaging/banners)
- Ensure message of the day is configured properly
- Ensure local login warning banner is configured properly
- Ensure remote login warning banner is configured properly
- Ensure GDM login banner is configured - banner message enabled
- Ensure GDM login banner is configured - banner message text
CIS Level 1 - 2.x
- CIS 2.2.* (disabled packages)
- x11
- avahi-server
- CUPS
- nfs
- Rpc
CIS level 1 - 3.x
- CIS 3.1.* (packet redirects)
- 3.1.2 Ensure packet redirect sending is disabled - 'net.ipv4.conf.all.send_redirects = 0'
- 3.1.2 Ensure packet redirect sending is disabled - 'net.ipv4.conf.default.send_redirects = 0'
- CIS 3.2.* (ipv4, icmp, etc)
- 3.2.1 Ensure source routed packets are not accepted - 'net.ipv4.conf.all.accept_source_route = 0'
- 3.2.1 Ensure source routed packets are not accepted - 'net.ipv4.conf.default.accept_source_route = 0'
- 3.2.2 Ensure ICMP redirects are not accepted - 'net.ipv4.conf.all.accept_redirects = 0'
- 3.2.2 Ensure ICMP redirects are not accepted - 'net.ipv4.conf.default.accept_redirects = 0'
- 3.2.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.all.secure_redirects = 0'
- 3.2.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.default.secure_redirects = 0'
- 3.2.5 Ensure broadcast ICMP requests are ignored
- 3.2.6 Ensure bogus ICMP responses are ignored
- 3.2.7 Ensure Reverse Path Filtering is enabled - 'net.ipv4.conf.all.rp_filter = 1'
- 3.2.7 Ensure Reverse Path Filtering is enabled - 'net.ipv4.conf.default.rp_filter = 1'
- 3.2.8 Ensure TCP SYN Cookies is enabled
- CIS 3.3.* (IPv6)
- 3.3.1 Ensure IPv6 router advertisements are not accepted
- 3.3.2 Ensure IPv6 redirects are not accepted
- CIS 3.5.* (network protocols)
- 3.5.1 Ensure DCCP is disabled
- 3.5.2 Ensure SCTP is disabled
- 3.5.3 Ensure RDS is disabled
- 3.5.4 Ensure TIPC is disabled
CIS Level 1 - 4.x
- CIS 4.2.* (rsyslog)
- 4.2.1.3 Ensure rsyslog default file permissions configured
- 4.2.4 Ensure permissions on all logfiles are configured
CIS Level 1 - 5.x
- CIS 5.1.* (cron permissions)
- 5.1.2 Ensure permissions on /etc/crontab are configured
- 5.1.3 Ensure permissions on /etc/cron.hourly are configured
- 5.1.4 Ensure permissions on /etc/cron.daily are configured
- 5.1.5 Ensure permissions on /etc/cron.weekly are configured
- 5.1.6 Ensure permissions on /etc/cron.monthly are configured
- 5.1.7 Ensure permissions on /etc/cron.d are configured
- 5.1.8 Ensure at/cron is restricted to authorized users - at.allow
- 5.1.8 Ensure at/cron is restricted to authorized users - at.deny
- 5.1.8 Ensure at/cron is restricted to authorized users - cron.allow
- CIS 5.3.* (password/pam)
- 5.3.1 Ensure password creation requirements are configured - dcredit
- 5.3.1 Ensure password creation requirements are configured - lcredit
- 5.3.1 Ensure password creation requirements are configured - minlen
- 5.3.1 Ensure password creation requirements are configured - ocredit
- 5.3.1 Ensure password creation requirements are configured - ucredit
- 5.3.2 Lockout for failed password attempts - password-auth 'auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900'
- 5.3.2 Lockout for failed password attempts - password-auth 'auth [success=1 default=bad] pam_unix.so'
- 5.3.2 Lockout for failed password attempts - password-auth 'auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900'
- 5.3.2 Lockout for failed password attempts - password-auth 'auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900'
- 5.3.2 Lockout for failed password attempts - system-auth 'auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900'
- 5.3.2 Lockout for failed password attempts - system-auth 'auth [success=1 default=bad] pam_unix.so'
- 5.3.2 Lockout for failed password attempts - system-auth 'auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900'
- 5.3.2 Lockout for failed password attempts - system-auth 'auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900'
- 5.3.3 Ensure password reuse is limited - password-auth
- 5.3.3 Ensure password reuse is limited - system-auth
- CIS 5.4.* (user prefs)
- 5.4.1.2 Ensure minimum days between password changes is 7 or more
- 5.4.1.4 Ensure inactive password lock is 30 days or less
- 5.4.4 Ensure default user umask is 027 or more restrictive - /etc/bashrc
- CIS 5.6.* (wheel group)
- 5.6 Ensure access to the su command is restricted - pam_wheel.so
- 5.6 Ensure access to the su command is restricted - wheel group contains root
CIS Level 1 - 6.x
- CIS 6.1.* (misc conf permissions)
- 6.1.6 Ensure permissions on /etc/passwd- are configured
- 6.1.8 Ensure permissions on /etc/group- are configured