CIS Hardening (sec-hardening)
Checks the system against CIS benchmark recommendations: sudo configuration, kernel parameters, PAM, audit logging, disk encryption, and more.
Configuration
| Parameter | Type | Default | Description |
|---|---|---|---|
| enabled | bool | true | Enable/disable the module |
| Linux Checks | | | |
| check_sudo | bool | true | Check sudoers for NOPASSWD entries and file permissions |
| check_sysctl | bool | true | Check kernel parameters against expected_sysctl |
| check_pam | bool | true | Check pam_pwquality password quality settings |
| check_auditd | bool | true | Check that auditd is active and has audit rules loaded |
| check_repos | bool | true | Check configured package sources (APT/YUM) |
| check_luks | bool | true | Check for LUKS disk encryption |
| allowed_nopasswd_users | list | ["root"] | Users whose NOPASSWD entries are not reported |
| expected_sysctl | dict | see below | Expected sysctl values (parameter: value, values quoted as strings) |
| pam_minlen | int | 8 | Minimum password length required from pam_pwquality |
| trusted_sources | list | [] | Package sources considered trusted |
| Windows Checks | | | |
| check_password_policy | bool | true | Check password and account lockout policy |
| check_audit_policy | bool | true | Check audit policy subcategories |
| check_bitlocker | bool | true | Check BitLocker encryption status |
| check_uac | bool | true | Check User Account Control settings |
| check_smb1 | bool | true | Check whether SMBv1 is enabled |
| check_rdp_nla | bool | true | Check RDP Network Level Authentication |
| check_drivers | bool | true | Check driver signatures |
| check_winrm | bool | true | Check WinRM encryption |
| min_password_length | int | 8 | Minimum password length (Windows password policy) |
Default sysctl Values
```yaml
expected_sysctl:
  net.ipv4.ip_forward: "0"
  net.ipv4.conf.all.accept_redirects: "0"
  net.ipv4.tcp_syncookies: "1"
  net.ipv4.conf.all.send_redirects: "0"
```
YAML Example
```yaml
sec_hardening:
  enabled: true
  check_sudo: true
  check_sysctl: true
  expected_sysctl:
    net.ipv4.ip_forward: "0"
    net.ipv4.tcp_syncookies: "1"
  pam_minlen: 12
  check_bitlocker: true
  min_password_length: 12
```
Diagnostic Codes
Linux
| Code | Severity | Meaning | Recommendation |
|---|---|---|---|
| 7400 | 0 | Hardening baseline met | — |
| 7401 | 1 | NOPASSWD in sudoers | Remove NOPASSWD or explicitly allow user |
| 7402 | 1 | sudoers permissions too open | chmod 0440 /etc/sudoers |
| 7403 | 1 | Kernel parameter deviates | Adjust sysctl value |
| 7404 | 1 | No/weak password quality | Configure pam_pwquality |
| 7405 | 1 | auditd not active | systemctl enable --now auditd |
| 7406 | 1 | auditd has no audit rules | Configure audit rules |
| 7407 | 1 | Unknown package source | Verify source or add to trusted_sources |
| 7408 | 1 | No LUKS encryption | Set up disk encryption |
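The following is an added example, not the module's own code, showing how the sudoers, sysctl and PAM checks above map onto the Linux diagnostic codes. It runs offline on constructed input (a sample sudoers file, a dict standing in for /proc/sys reads, and a pwquality.conf fragment); the function names and the allow-list semantics for `%group` and alias entries are this example's own choices, and the auditd, repository and LUKS checks are not modelled.

```python
"""Offline model of the Linux side of the sec-hardening module.

Added example, not the module's own code: it applies the sudoers,
sudoers-permission, sysctl and pam_pwquality checks to constructed
input and returns (code, severity, detail) tuples using the Linux
diagnostic codes. All function names here are this example's own.
"""
import re
import stat

SUDOERS_DIRECTIVES = ("Defaults", "User_Alias", "Runas_Alias",
                      "Host_Alias", "Cmnd_Alias")


def check_sudoers(text, allowed_nopasswd_users):
    """7401 for every NOPASSWD entry whose principal is not allow-listed."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line or line.startswith(SUDOERS_DIRECTIVES) or "NOPASSWD" not in line:
            continue
        # First field is the principal: user, %group, +netgroup or User_Alias.
        # Groups and aliases are flagged unless listed verbatim (assumption).
        principal = line.split()[0]
        if principal not in allowed_nopasswd_users:
            findings.append((7401, 1, f"NOPASSWD for {principal}: {line}"))
    return findings


def check_sudoers_mode(st_mode):
    """7402 if /etc/sudoers grants anything beyond owner/group read (0440)."""
    mode = stat.S_IMODE(st_mode)
    if mode & ~0o440:
        return [(7402, 1, f"/etc/sudoers mode {mode:04o}, expected 0440")]
    return []


def check_sysctl(current, expected):
    """7403 per parameter missing from `current` or differing from expected.

    On a live host: current[key] = open("/proc/sys/" + key.replace(".", "/")).read().strip()
    """
    findings = []
    for key, want in expected.items():
        have = current.get(key)
        if have is None:
            findings.append((7403, 1, f"{key} not readable"))
        elif str(have).strip() != str(want).strip():
            findings.append((7403, 1, f"{key}={have}, expected {want}"))
    return findings


def check_pwquality(conf_text, pam_minlen):
    """7404 if pwquality.conf sets no minlen or one below pam_minlen.

    A minlen= argument on the pam_pwquality.so line in /etc/pam.d/ would
    override the file and is not parsed here.
    """
    minlen = None
    for raw in conf_text.splitlines():
        m = re.fullmatch(r"minlen\s*=\s*(\d+)", raw.split("#", 1)[0].strip())
        if m:
            minlen = int(m.group(1))  # last assignment wins
    if minlen is None:
        return [(7404, 1, "minlen not set in pwquality.conf (built-in default 8)")]
    if minlen < pam_minlen:
        return [(7404, 1, f"minlen={minlen}, expected >= {pam_minlen}")]
    return []


def run_linux_checks(config, sudoers_text, sudoers_mode, sysctl, pwquality_text):
    """Apply the enabled checks; an empty result collapses to 7400."""
    findings = []
    if config.get("check_sudo", True):
        findings += check_sudoers(sudoers_text, config.get("allowed_nopasswd_users", ["root"]))
        findings += check_sudoers_mode(sudoers_mode)
    if config.get("check_sysctl", True):
        findings += check_sysctl(sysctl, config.get("expected_sysctl", {}))
    if config.get("check_pam", True):
        findings += check_pwquality(pwquality_text, config.get("pam_minlen", 8))
    return findings or [(7400, 0, "Hardening baseline met")]


# Constructed sample input, not captured from a real host.
CONFIG = {"allowed_nopasswd_users": ["root", "deploy"], "pam_minlen": 12,
          "expected_sysctl": {"net.ipv4.ip_forward": "0",
                              "net.ipv4.tcp_syncookies": "1"}}
SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app  # allow-listed
%wheel  ALL=(ALL) NOPASSWD: ALL
@includedir /etc/sudoers.d
"""
SYSCTL = {"net.ipv4.ip_forward": "1", "net.ipv4.tcp_syncookies": "1"}
PWQUALITY = "# minlen = 8\nminlen = 10\n"


def demo():
    """Returns 7401 (%wheel), 7403 (ip_forward) and 7404 (minlen 10 < 12)."""
    return run_linux_checks(CONFIG, SUDOERS, 0o440, SYSCTL, PWQUALITY)
```

Note that `check_sudoers` reads only the file it is given; a real run must also walk `/etc/sudoers.d/` (the `@includedir` line above), and a user allow-listed by name does not cover a group or alias that grants the same NOPASSWD rule.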
Windows
| Code | Severity | Meaning | Recommendation |
|---|---|---|---|
| 8400 | 0 | Hardening baseline met | — |
| 8401 | 1 | Minimum password length too short | Strengthen password policy |
| 8402 | 1 | No account lockout configured | Enable lockout policy |
| 8403 | 1 | Password age not limited | Set maximum password age |
| 8404 | 1 | Audit subcategory not enabled | Enable audit policy |
| 8405 | 1 | Drive not encrypted with BitLocker | Enable BitLocker |
| 8406 | 1 | BitLocker protection suspended | Resume protection |
| 8407 | 2 | UAC disabled | Enable UAC (EnableLUA = 1) |
| 8408 | 1 | UAC at lowest level | Increase ConsentPromptBehaviorAdmin |
| 8409 | 1 | RDP without NLA | Enable NLA |
| 8410 | 1 | SMBv1 enabled | Disable SMBv1 |
| 8411 | 1 | Unsigned driver | Verify or replace driver |
| 8412 | 1 | WinRM allows unencrypted | Enforce encryption |
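As a counterpart for the Windows table, the following added example (again not the module's own code) evaluates the password, lockout, audit-policy, UAC, RDP NLA, SMBv1 and WinRM settings from constructed input: a `secedit /export` INF fragment, `auditpol /get /category:* /r` CSV output, and a dict of registry values. On a live host those inputs would come from the two tools and from `winreg`; the function names, the `required_subcategories` list and the "absent SMB1 value means enabled" assumption are this example's own. BitLocker and driver signing are not modelled.

```python
"""Offline model of the Windows side of the sec-hardening module.

Added example, not the module's own code. It evaluates constructed
secedit INF text, auditpol CSV output and a dict of registry values,
returning Windows diagnostic codes. Function names and the
required_subcategories list are this example's own choices.
"""
import configparser
import csv
import io

UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
RDP_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
SMB_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
WINRM_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service"


def parse_secedit(inf_text):
    """[System Access] of a secedit INF (decode the real file as UTF-16)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case
    cp.read_string(inf_text)
    out = {}
    for key, val in cp["System Access"].items():
        try:
            out[key] = int(val)
        except ValueError:
            out[key] = val.strip('"')  # e.g. NewAdministratorName
    return out


def check_password_policy(sys_access, min_password_length):
    f = []
    if sys_access.get("MinimumPasswordLength", 0) < min_password_length:
        f.append((8401, 1, f"MinimumPasswordLength={sys_access.get('MinimumPasswordLength', 0)}"))
    if sys_access.get("LockoutBadCount", 0) == 0:
        f.append((8402, 1, "LockoutBadCount=0"))
    if sys_access.get("MaximumPasswordAge", -1) == -1:  # -1: never expires
        f.append((8403, 1, "MaximumPasswordAge=-1"))
    return f


def check_audit_policy(auditpol_csv, required_subcategories):
    """8404 per required subcategory that is 'No Auditing' or absent."""
    setting = {r["Subcategory"]: r["Inclusion Setting"]
               for r in csv.DictReader(io.StringIO(auditpol_csv))}
    return [(8404, 1, f"{sub}: {setting.get(sub, 'absent')}")
            for sub in required_subcategories
            if setting.get(sub, "No Auditing") == "No Auditing"]


def check_registry(reg):
    """reg maps (key, value name) -> data; missing entries take the OS default."""
    f = []
    if reg.get((UAC_KEY, "EnableLUA"), 1) == 0:
        f.append((8407, 2, "EnableLUA=0"))
    elif reg.get((UAC_KEY, "ConsentPromptBehaviorAdmin"), 5) == 0:
        f.append((8408, 1, "ConsentPromptBehaviorAdmin=0 (elevate without prompting)"))
    if reg.get((RDP_KEY, "UserAuthentication"), 1) == 0:
        f.append((8409, 1, "RDP-Tcp UserAuthentication=0 (NLA off)"))
    # Assumption: an absent SMB1 value is treated as enabled; on current builds
    # Get-SmbServerConfiguration is the authoritative source.
    if reg.get((SMB_KEY, "SMB1"), 1) == 1:
        f.append((8410, 1, "LanmanServer SMB1=1"))
    if reg.get((WINRM_KEY, "AllowUnencryptedTraffic"), 0) == 1:
        f.append((8412, 1, "WinRM AllowUnencryptedTraffic=1"))
    return f


# Constructed sample input, not captured from a real host.
SECEDIT = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
MaximumPasswordAge = -1
LockoutBadCount = 0
NewAdministratorName = "Administrator"
"""
AUDITPOL = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
HOST1,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,
HOST1,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},No Auditing,
"""
REGISTRY = {(UAC_KEY, "EnableLUA"): 1, (UAC_KEY, "ConsentPromptBehaviorAdmin"): 0,
            (RDP_KEY, "UserAuthentication"): 0, (SMB_KEY, "SMB1"): 0,
            (WINRM_KEY, "AllowUnencryptedTraffic"): 1}


def demo(min_password_length=12):
    findings = (check_password_policy(parse_secedit(SECEDIT), min_password_length)
                + check_audit_policy(AUDITPOL, ["Logon", "Process Creation"])
                + check_registry(REGISTRY))
    return findings or [(8400, 0, "Hardening baseline met")]
```

With the sample above, `demo()` reports 8401 (8 < 12), 8402, 8403, 8404 for Process Creation, 8408, 8409 and 8412; SMB1 is explicitly 0, so 8410 is not raised. Because UAC is on (`EnableLUA=1`), the example reports the weak prompt level as 8408 rather than 8407.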
- Linux: Checks sudoers, sysctl, PAM, auditd, APT/YUM repos, LUKS.
- Windows: Checks password/lockout/audit policies, BitLocker, UAC, SMB, RDP, WinRM, drivers.