Controls configured by OpenLogic

The following CIS controls are pre-configured by the OpenLogic team as part of the hardened image build process. Applicability varies by image type. VM images include OS-level configurations such as cryptography and SSH settings. Container images may include runtime or base image configurations.

These controls are implemented to ensure baseline compliance and security without requiring additional user intervention.

Virtual machine images

  • CIS 1.6.1: The system cryptography policy is set to FIPS (but in disabled state)

  • CIS 4.2.6: The configuration parameter sshd_use_approved_ciphers is set to FIPS (but in disabled state)

  • CIS 2.3.1.1: Install the systemd_timesyncd service

  • CIS 2.3.2.1: Configure Systemd Timesyncd servers

  • CIS 4.3.1: Install the nftables package

  • CIS 4.3.9: Verify the nftables service is enabled

  • CIS 5.3.3.4.1: Prevent login to accounts with an empty password

  • CIS 6.1.3.3: Ensure journald is configured to send logs to rsyslog

  • CIS 5.3.3.2.8: Ensure password quality is enforced for the root user

  • CIS 1.3.1.3: Ensure all AppArmor Profiles are in enforce or complain mode

Container images

  • CIS 1.5.3: Ensure core dumps are restricted

  • CIS 5.2.7: Ensure access to the su command is restricted

  • CIS 5.3.3.3.2: Ensure password history is enforced for the root user

  • CIS 5.3.3.4.1: Ensure pam_unix does not include nullok

  • CIS 5.4.1.5: Ensure inactive password lock is configured

  • CIS 1.6.1: The system cryptography policy is set to FIPS (but in disabled state)

  • CIS 7.2.10: Ensure local interactive user dot files access is configured