Hardening Guideline for Redhat 6 / CentOS 6 and Ubuntu 12.04 LTS

CIS Rule ID (Ubuntu 12.04 LTS) | CIS Rule ID (CentOS / RHEL 6) | Description

Patching and Software Updates
1.1     | 1.2.3 (CentOS), 1.2.5 (RHEL) | Install OS updates, patches and additional security software in a timely manner

OS Services
5.1.1   | 2.1.5, 2.1.6    | Ensure NIS client and server are not installed
5.1.2   | 2.1.3           | Ensure rsh server is not enabled
5.1.3   | 2.1.4           | Ensure rsh client is not installed
5.1.4   | 2.1.10          | Ensure talk server is not enabled
5.1.5   | 2.1.9           | Ensure talk client is not installed
5.1.6   | 2.1.1           | Ensure telnet server is not enabled
5.1.7   | 2.1.8           | Ensure tftp-server is not enabled
5.2     | 2.1.12, 2.1.13  | Ensure chargen is not enabled
5.3     | 2.1.14, 2.1.15  | Ensure daytime is not enabled
5.4     | 2.1.16, 2.1.17  | Ensure echo is not enabled
5.5     | (no equivalent) | Ensure discard is not enabled
5.6     | (no equivalent) | Ensure time is not enabled
6.1     | 3.2             | Ensure the X Window system is not installed
6.5     | 3.6             | Ensure NTP service is running
6.9     | 3.10            | Ensure FTP server is not enabled

Firewall
7.7     | 4.7             | Ensure firewall is active

Logging and Auditing
8.1.2   | 5.2.2           | Install and enable auditd service
8.1.3   | 5.2.3           | Enable auditing for processes that start prior to auditd
8.1.8   | 5.2.8           | Collect login and logout events
8.1.14  | 5.2.14          | Collect file deletion events by user

System Access, Authentication and Authorization
9.2.1   | 6.3.2           | Set strong password creation policies:
        |                 |   - password must be 14 characters or more
        |                 |   - provide at least 1 digit
        |                 |   - provide at least 1 uppercase character
        |                 |   - provide at least 1 special character
        |                 |   - provide at least 1 lowercase character
9.2.2   | 6.3.3           | Set lockout for 5 failed password attempts
9.2.3   | 6.3.4           | Prohibit reuse of the past 5 passwords
9.3.8   | 6.2.8           | Disable SSH root login
9.4     | 6.4             | Restrict root login to system console
10.1.1  | 7.1.1           | Set password expiration to 90 days
10.1.3  | 7.1.3           | Provide 7-day advance warning that a password will expire

User Settings
13.1    | 9.2.1           | Ensure password fields are not empty
13.5    | 9.2.5           | Verify no UID 0 accounts exist other than root
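The following script is an added example and is not part of the guideline or of the CIS benchmarks it references. It audits the "System Access, Authentication and Authorization" and "User Settings" rows (password policy, lockout, reuse, expiration and warning, SSH root login, empty password fields, extra UID 0 accounts) by parsing configuration files passed as arguments, so it can be run offline against copies taken from a host. The file locations named in the comments (/etc/login.defs, /etc/ssh/sshd_config, /etc/shadow, /etc/passwd, and the PAM stack files) are assumptions based on RHEL 6 and Ubuntu 12.04 defaults; the sample files it creates are constructed for the demonstration and use placeholder hashes.

```shell
#!/bin/sh
# Added example, not part of the guideline. Each check reads one file passed as
# its argument and returns 0 (compliant) or 1 (non-compliant). Assumed real
# locations: /etc/login.defs, /etc/ssh/sshd_config, /etc/shadow, /etc/passwd,
# and the PAM stack (/etc/pam.d/system-auth on RHEL 6; /etc/pam.d/common-auth
# and /etc/pam.d/common-password on Ubuntu 12.04).

# Print the VALUE of key=VALUE from a PAM module line (empty if absent).
pam_opt() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' | awk -F= -v k="$2" '$1==k{print $2}'
}

# 9.2.1 / 6.3.2: pam_cracklib with minlen >= 14 and every character class
# required (a credit of -1 or lower means "at least one of this class").
check_cracklib() {
    line=$(grep -E '^[^#]*pam_cracklib\.so' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    m=$(pam_opt "$line" minlen)
    [ -n "$m" ] && [ "$m" -ge 14 ] || return 1
    for k in dcredit ucredit ocredit lcredit; do
        c=$(pam_opt "$line" "$k")
        [ -n "$c" ] && [ "$c" -le -1 ] || return 1
    done
}

# 9.2.2 / 6.3.3: pam_tally2 locks the account after at most 5 failures.
check_lockout() {
    line=$(grep -E '^[^#]*pam_tally2\.so' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    d=$(pam_opt "$line" deny)
    [ -n "$d" ] && [ "$d" -ge 1 ] && [ "$d" -le 5 ]
}

# 9.2.3 / 6.3.4: pam_unix remembers at least the last 5 passwords.
check_reuse() {
    line=$(grep -E '^[^#]*pam_unix\.so' "$1" | grep 'remember=' | head -n 1)
    [ -n "$line" ] || return 1
    r=$(pam_opt "$line" remember)
    [ -n "$r" ] && [ "$r" -ge 5 ]
}

# 10.1.1 / 7.1.1 and 10.1.3 / 7.1.3: PASS_MAX_DAYS <= 90, PASS_WARN_AGE >= 7.
# Commented-out lines start with '#' in field 1 and so never match.
check_login_defs() {
    max=$(awk '$1=="PASS_MAX_DAYS"{v=$2} END{print v}' "$1")
    warn=$(awk '$1=="PASS_WARN_AGE"{v=$2} END{print v}' "$1")
    [ -n "$max" ] && [ "$max" -le 90 ] && [ -n "$warn" ] && [ "$warn" -ge 7 ]
}

# 9.3.8 / 6.2.8: PermitRootLogin no. sshd honours the FIRST occurrence of a
# keyword, and an absent keyword means the default (yes), so absent is a FAIL.
check_sshd_root_login() {
    v=$(awk 'tolower($1)=="permitrootlogin"{print tolower($2); exit}' "$1")
    [ "$v" = "no" ]
}

# 13.1 / 9.2.1: no account has an empty password field (field 2) in shadow.
check_no_empty_passwords() {
    [ "$(awk -F: '$2==""{n++} END{print n+0}' "$1")" -eq 0 ]
}

# 13.5 / 9.2.5: root is the only UID 0 entry in passwd.
check_single_uid0() {
    [ -z "$(awk -F: '$3==0 && $1!="root"{print $1}' "$1")" ]
}

# Constructed sample files: a compliant set and a non-compliant set.
SAMPLES=$(mktemp -d)
mkdir -p "$SAMPLES/good" "$SAMPLES/bad"
printf 'password requisite pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1\npassword sufficient pam_unix.so sha512 shadow remember=5\nauth required pam_tally2.so onerr=fail deny=5 unlock_time=900\n' > "$SAMPLES/good/pam"
printf '# stock stack\npassword requisite pam_cracklib.so retry=3 minlen=8\npassword sufficient pam_unix.so sha512 shadow\nauth required pam_tally2.so deny=10\n' > "$SAMPLES/bad/pam"
printf 'PASS_MAX_DAYS 90\nPASS_MIN_DAYS 7\nPASS_WARN_AGE 7\n' > "$SAMPLES/good/login.defs"
printf '#PASS_MAX_DAYS 90\nPASS_MAX_DAYS 99999\nPASS_WARN_AGE 7\n' > "$SAMPLES/bad/login.defs"
printf 'Protocol 2\nPermitRootLogin no\n' > "$SAMPLES/good/sshd_config"
printf '#PermitRootLogin no\nProtocol 2\n' > "$SAMPLES/bad/sshd_config"
printf 'root:$6$salt$hash:16000:0:99999:7:::\nalice:$6$salt$hash:16000:0:90:7:::\n' > "$SAMPLES/good/shadow"
printf 'root:$6$salt$hash:16000:0:99999:7:::\nguest::16000:0:99999:7:::\n' > "$SAMPLES/bad/shadow"
printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n' > "$SAMPLES/good/passwd"
printf 'root:x:0:0:root:/root:/bin/bash\ntoor:x:0:0::/root:/bin/bash\n' > "$SAMPLES/bad/passwd"

# Run every check against both sample sets and print one line per result.
report() { if "$1" "$2"; then echo "PASS $1 $2"; else echo "FAIL $1 $2"; fi; }
for s in good bad; do
    d="$SAMPLES/$s"
    report check_cracklib "$d/pam"
    report check_lockout "$d/pam"
    report check_reuse "$d/pam"
    report check_login_defs "$d/login.defs"
    report check_sshd_root_login "$d/sshd_config"
    report check_no_empty_passwords "$d/shadow"
    report check_single_uid0 "$d/passwd"
done
```

On a live host the same functions run as, for example, `check_login_defs /etc/login.defs` or `check_sshd_root_login /etc/ssh/sshd_config` (reading /etc/shadow needs root). The checks deliberately accept stricter settings than the guideline minimum (a longer minlen, a lower deny count, a larger remember value) so a hardened host is not flagged for exceeding the baseline; they do not cover the "Restrict root login to system console" row, which depends on /etc/securetty contents that vary by distribution.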