Update Red Hat Enterprise Linux 9 Benchmark Section 1.6.2
CIS Red Hat Enterprise Linux 9 Benchmark Section 1.6.2 (Ensure system wide crypto policy is not set in sshd configuration) is wrong.
On RHEL9 system wide crypto ...
Audit Procedure incorrect
For GitLab "1.1.5 Ensure there are restrictions on who can dismiss code change reviews" I think the audit procedure is not complete: what happens after I ...
Detailed benchmark information
I have reviewed several benchmarks, particularly those related to Windows Workstation and Windows Server. Overall, I found that most controls are well-defined and ...
CIS Microsoft Windows 11 Stand-alone v4.0.0 L1 - 2.2.23 (L1) - Include printspoolerservice
2.2.23 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'
FAILED due to:
Output
'printspoolerservice' && 'network service' && ...
CIS CAT Pro: Windows Server Benchmarks for Windows OS that use 3rd party Virusscanner/Firewall etc.
Hi,
It would be very helpful to have a set of Benchmarks for CIS CAT Pro for instances of Windows Server where the customer uses a 3rd party Virusscanner/Firewall. ...
Oracle19c-benchmark
Since new CISCAT 4.58/9 the regular Oracle19c Benchmark for unified auditing has been removed/disappeared. This was available until CISCAT 4.56/7. Please add this ...
9.1.10 - (L1) : Service principals can use Fabric APIs
The option "Service principals can use Fabric APIs" is not an option anymore. Probably changed or removed. ...
More helpful email notifications
I get a lot of emails about work being done in Workbench, but few of them seem to give me the context I need within the email or in the link to understand what was ...
ASLR checks in versions of RHEL CIS are giving False positives
Hi,
I have looked into the profiles of CIS for Red Hat Enterprise, and found the checks for ASLR are implemented differently.
(FP = False Positive)
CIS Red Hat ...
Windows 2016: 2.3.10.1: 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'
CIS Microsoft Windows Server 2016 Benchmark v4.0.0
2.3.10.1 (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'
Below Audit ...
2.6.6.6.2.1.1 Audit Procedure Path incorrect
The Audit procedure for 2.6.6.6.2.1.1 in the Office Enterprise benchmark suggests the path to be: "HKEY_USERS\[USER ...
Typo on benchmark for macOS 14.
When going to your v2.1.0 build kit
=> CIS Apple macOS 14.0 Sonoma Benchmark v2.1.0 - Build Kit
We are offered to download this build kit
=> ...
Clarification of 4.1.5 Secure Permissions for the Primary Archive Log Location (LOGARCHMETH1)
The control is about secure archive log location but the benchmark requirement is "Although there are many ways to ensure that your primary logs will be archived, we ...
Missing info on 18.10.43.11.1.1.2 on Windows 11 Benchmark v4.0.0
Hello all,
At least on workbench the data page for 18.10.43.11.1.1.2 contains info on 18.10.43.11.1.1.1, not 18.10.43.11.1.1.2.
Thanks
Turn off cloud optimized content
Hello everyone,
I would like to know more about the below CIS control: what cloud optimized content is secured after applying this setting? As per my understanding it ...
quotes
Last December scans of the Tomcat 10.1 Benchmark were producing failure codes when scanning the catalina.sh file if the following was not found: ...
Benchmark 3248135 1.6.5
https://workbench.cisecurity.org/sections/3248135/recommendations/5315120
The example of remedy is reverted by the CIS script itself.
The example given on the ...
2.22 Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entr
I would like to challenge this recommendation.
If imposing MFA on "device registration and joining", won't this interfere with users registering their MFA devices? ...
4.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
# Script the verification
# Get all storage accounts and their resource groups
$storageAccounts = Get-AzStorageAccount
# Loop through each storage account and ...
4.10 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
# Avoid having to use account-keys -- "Reader" Azure RBAC is sufficient with "auth login"
az storage blob service-properties delete-policy show --account-name ...
3.1.14 Ensure That 'Notify about alerts with the following severity' is Set to 'High'
# Az PowerShell alternative
$(Invoke-RestMethod -Uri ...
3.1.12 Ensure That 'All users with the following roles' is set to 'Owner'
# Az PowerShell SDK alternative
$accessToken = (Get-AzAccessToken).Token
$subscriptionId = (Get-AzContext).Subscription.Id
$(Invoke-RestMethod -Uri ...
Kindly provide us with the Microsoft SentinelOne CIS benchmarks for hardening the SentinelOne servic
Tried to find the Microsoft SentinelOne CIS benchmark PDF and unfortunately we didn't find it. Kindly provide us with the Microsoft SentinelOne CIS benchmarks for hardening ...
Typo in PostgreSQL 17
The description for CIS PostgreSQL 17 Benchmark v.1.0.0. - PDF has a typo:
"This document, CIS PostgreSQL 13 Benchmark" should be
"This document, CIS PostgreSQL 17 ...
CIS Benchmark for Windows Server 2025
When is the CIS Level 1 and 2 Benchmark going to be made available for Windows Server 2025?
Juniper OS 23.X CIS Benchmark release date
Is CIS currently working on adding a Benchmark for JunOS 23.X?
Possible Error in CIS Oracle Database 19c Benchmark 1.1.0 Chapter 3.2
Hi all,
I am currently working on CIS Oracle Database 19c Benchmark 1.1.0 and in Chapter 3.2 - Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' the query ...
Update rules 3.8 and 3.9
As discussed before in version 3.0.0, rules 3.8 and 3.9 could indeed be merged.
Moreover, maybe the approach for audit and remediation is not optimal. Indeed, I ...
Windows 11 benchmark - Block execution from removable devices
Can we add rule to prevent executables to be run from removable devices as a second layer of defense (L2 rule)?
updates
I have checked the activity for the most common benchmarks that we use (windows 10 and 11) and the updates all say 9 months ago. Has nothing been changed or updated ...
Amazon RDS encryption-in-transit
https://workbench.cisecurity.org/sections/2300747/recommendations/3682102
This section should also include guidance on how to properly modify Parameter Groups. ...
Amazon RDS encryption-at-rest
https://workbench.cisecurity.org/sections/2300747/recommendations/3682101
In that page, the guidance indicates encryption-at-rest can be enabled for an existing ...
Contained Availability Groups in - CIS Microsoft SQL Server 2022 Benchmark v1.1.0 NEXT
I would like to see some controls or how to adapt the CIS benchmark to Contained Availability Groups. Some rules have passed when I have run the CIS benchmark ...
For Windows 11 enterprise check 18.10.3.2 is misleading
18.10.3.2 states that "If a Microsoft Store app is required for legitimate use, an Administrator will need to perform the installation from an Administrator context." ...
/usr/sbin/aide => /usr/bin/aide
Page 90 in CIS_SUSE_Linux_Enterprise_15_Benchmark_v1.1.1.pdf
should be /usr/bin/aide and not /usr/sbin/aide
Have a lot of fun...
sles@suse-leap-cis:~> ls -l ...
Chrome OS / ChromeBook Benchmarks
Are these ever going to be updated/ finished?
bootloader password check faulty
Audit process for new CIS Red Hat Enterprise Linux 9 Benchmark v2.0.0 section 1.4.1 seems to be faulty.
You are doing a find in /boot for usr.cfg to set a ...
CIS Kubernetes Benchmark v1.10.0 - 1.2.29
In 1.2.29 Ensure that the API Server only makes use of Strong Cryptographic Ciphers, the benchmark recommends using some insecure ciphers.
Please compare with ...
3.1.13 Ensure 'Additional email addresses' is Configured with a Security Contact Email
# Az PowerShell alternative
$(Invoke-RestMethod -Uri ...
CIS Red Hat Enterprise Linux 9 Benchmark Section 1.6.2 is wrong
CIS Red Hat Enterprise Linux 9 Benchmark Section 1.6.2 (Ensure system wide crypto policy is not set in sshd configuration) is wrong.
On RHEL9 system wide crypto ...
Suggested by: Mihajlo (13 Apr) | Comments: 1