Controls requiring end-user configuration

The following controls are excluded from hardened Linux images. Applicability varies by image type. VM images typically require bootloader and SSH configuration, while container images may require runtime-level security settings.

Configure these controls based on your environment and security policies.

Virtual machine images

  • CIS 1.3.1: Ensure the bootloader password is set.

  • CIS 1.3.2: Verify the UEFI GRUB2 bootloader configuration:

    • UEFI Boot Loader grub.cfg group ownership

    • /boot/efi/EFI/redhat/user.cfg group ownership

    • UEFI Boot Loader grub.cfg user ownership

    • /boot/efi/EFI/redhat/user.cfg user ownership

    • UEFI Boot Loader grub.cfg permissions

    • /boot/efi/EFI/redhat/user.cfg permissions

  • CIS 4.2.4: Ensure SSH daemon access is configured

  • CIS 1.4.1: Ensure the bootloader password is set

  • CIS 5.1.4: Ensure sshd access is configured

  • CIS 6.1.2.1: Configure systemd-journal-remote

    • CIS 6.1.2.1.2: Ensure systemd-journal-upload authentication is configured

    • CIS 6.1.2.1.3: Ensure systemd-journal-upload is enabled and active

  • CIS 4.2.1: Ensure UFW (Uncomplicated Firewall) is installed

  • CIS 6.1.2: Configure journald

    • CIS 6.1.2.2: Ensure journald ForwardToSyslog is disabled

  • CIS 2.3.1: Ensure time synchronization is in use

    • CIS 2.3.1.1: Ensure a single time synchronization daemon is in use

  • CIS 1.4.1: Ensure bootloader password is set

  • CIS 5.1.4: Ensure sshd access is configured

Container images

  • CIS 4.4.1.2: Ensure the latest version of authselect is installed

  • CIS 5.3.1.2: Ensure the latest version of authselect is installed

  • CIS 5.3.1.3: Ensure libpam-pwquality is installed (automated)