CIS Benchmarks

OpenFactory integrates Center for Internet Security (CIS) benchmark testing for compliance verification.

What is CIS?

The Center for Internet Security publishes security configuration benchmarks for operating systems (and for cloud platforms and common applications). These benchmarks provide:

  • Consensus-based security recommendations
  • Measurable security controls
  • Compliance documentation
  • Industry-standard hardening

Supported Benchmarks

Distribution    Benchmark
Debian 12       CIS Debian Linux 12 Benchmark
Ubuntu 24.04    CIS Ubuntu Linux 24.04 LTS Benchmark

Benchmark Levels

CIS benchmarks define two levels, and each combines with the Server or Workstation profile described below (for example "Level 1 - Server"):

Level 1

Baseline security configuration intended to be safe to apply broadly:

  • Should not reduce functionality
  • Suitable for most environments
  • Lower administrative overhead

Examples:

  • Disable unused filesystems
  • Configure password policies
  • Enable logging

Level 2

Enhanced security for sensitive environments, applied on top of Level 1:

  • May reduce functionality or break software that depends on the restricted features
  • Requires more configuration and testing
  • Higher security posture

Examples:

  • Mandatory access control enforcement (AppArmor on Debian/Ubuntu; SELinux on distributions that use it)
  • Stricter network rules
  • Enhanced auditing

Profiles

Server Profile

Optimized for headless servers:

  • No GUI-related controls
  • Focus on network security
  • Service hardening

Workstation Profile

For desktop systems:

  • Desktop-specific controls
  • User environment settings
  • GUI security

Enabling CIS Testing

Via Features

Enable the security-hardening feature from the build request, for example:

    Create a CIS Level 1 hardened Debian server

Via Custom Assertions

Add explicit CIS testing:

    {
      "type": "cis_benchmark",
      "params": { "level": 1, "profile": "server" }
    }

Hardening Levels

OpenFactory’s security-hardening feature maps to CIS levels:

Hardening Level    CIS Level            Profile
minimal            Level 1 (partial)    Server
standard           Level 1              Server
strict             Level 2              Server

CIS Controls Applied

Filesystem Configuration

  • Disable unused filesystems (cramfs, freevxfs, jffs2, etc.)
  • Separate partitions for /tmp, /var, /var/log
  • Mount options (nodev, nosuid, noexec)

Software Updates

  • Package manager configuration
  • GPG key verification
  • Automatic security updates

Network Configuration

  • Disable IP forwarding (unless the host is meant to route traffic)
  • Ignore ICMP redirects
  • Enable TCP SYN cookies
  • Disable IPv6 (if not used)

Access Control

  • Configure PAM modules
  • Password complexity requirements
  • Account lockout policies
  • SSH hardening

Logging and Auditing

  • Configure auditd
  • Log file permissions
  • Remote logging (optional)
  • Log rotation

SSH Server

  • Protocol version 2 only (a legacy control: OpenSSH 7.4 and later speak only protocol 2)
  • Disable root login (PermitRootLogin no)
  • Restrict ciphers to strong algorithms (the benchmark flags CBC-mode and arcfour ciphers as weak)
  • Set idle timeout (ClientAliveInterval and ClientAliveCountMax)

Test Results

CIS benchmark results look like this (the compliance figure is passed divided by passed plus failed; not-applicable controls are excluded, which is why 187 of 190 scored controls gives 98.4%):

CIS Benchmark: Debian 12 Level 1 Server
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Section 1: Initial Setup
  ✓ 1.1.1.1 Ensure cramfs is disabled
  ✓ 1.1.1.2 Ensure freevxfs is disabled
  ✗ 1.1.2 Ensure /tmp is configured
    Finding: /tmp is not a separate partition

Section 2: Services
  ✓ 2.1.1 Ensure xinetd is not installed
  ✓ 2.2.1 Ensure NFS is not installed
  ...

Summary: 187 passed, 3 failed, 12 not applicable
Compliance: 98.4%

Exceptions

Some CIS controls may not apply:

Not Applicable

Controls that don’t apply to your use case:

  • GUI controls on headless servers
  • IPv6 controls when IPv6 is required
  • Partition controls on cloud instances

Intentional Exceptions

Document exceptions in your configuration:

    Apply CIS Level 1 hardening with exceptions:
    - Allow IPv6 (required for our network)
    - Don't separate /var partition (cloud instance)
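To make the preceding sections concrete (the controls listed under CIS Controls Applied, the result format under Test Results, and the exception handling above), here is an added example written for this page; it is not OpenFactory's own test code. It evaluates a few of those controls (unused filesystem modules, the /tmp mount, IP forwarding, ICMP redirects, IPv6, SSH root login and SSH ciphers) against captured configuration text in the formats that sysctl -a, sshd -T, /etc/modprobe.d/*.conf and /proc/mounts produce, waives documented exceptions, and computes the same summary and compliance figure. The SAMPLE_* inputs are constructed for the demonstration; control IDs 1.1.1.1, 1.1.1.2 and 1.1.2 are the ones the page shows, while the FS-, NET- and SSH- labels are placeholders rather than CIS control numbers, which change between benchmark versions.

```python
"""Added example for this page, not OpenFactory's own code: evaluates some of the CIS controls listed
above against captured config text.  SAMPLE_* inputs are constructed; FS-/NET-/SSH- labels are placeholders."""
from collections import namedtuple

PASS, FAIL, NA = "pass", "fail", "not_applicable"
MARK = {PASS: "✓", FAIL: "✗", NA: "-"}
Result = namedtuple("Result", "control title status finding")
SAMPLE_SYSCTL = """\
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
"""  # format of `sysctl -a`
SAMPLE_SSHD_T = """\
permitrootlogin no
ciphers aes256-gcm@openssh.com,aes128-ctr,aes256-cbc
"""  # format of `sshd -T` (effective settings, lowercase keys)
SAMPLE_MODPROBE = """\
install cramfs /bin/false
blacklist cramfs
install freevxfs /bin/false
blacklist freevxfs
"""  # concatenated /etc/modprobe.d/*.conf
SAMPLE_MOUNTS = """\
/dev/vda1 / ext4 rw,relatime 0 0
"""  # /proc/mounts format; deliberately no separate /tmp, as in the page's sample output
WEAK_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "arcfour", "arcfour128",
                "arcfour256", "blowfish-cbc", "cast128-cbc", "rijndael-cbc@lysator.liu.se"}

def parse_kv(text, sep):
    """'key = value' (sysctl -a, sep='=') or 'key value' (sshd -T, sep=' ') into a dict."""
    kv = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#"):
            key, _, value = line.partition(sep)
            kv[key.strip().lower()] = value.strip()
    return kv

# Each check takes the snapshot dict and returns "" on pass or a finding string on fail.
def sysctl_is(snap, want):
    for key, val in want.items():
        if snap["sysctl"].get(key) != val:
            return f"{key} = {snap['sysctl'].get(key)}, expected {val}"
    return ""
def module_disabled(snap, module):  # CIS wants both an install-to-/bin/false and a blacklist line
    lines = {" ".join(l.split()) for l in snap["modprobe"].splitlines()}
    if f"install {module} /bin/false" not in lines and f"install {module} /bin/true" not in lines:
        return f"no install line for {module}"
    return "" if f"blacklist {module}" in lines else f"no blacklist line for {module}"
def tmp_partition(snap):  # /tmp must be its own mount and carry nodev,nosuid,noexec
    for fields in (l.split() for l in snap["mounts"].splitlines()):
        if len(fields) >= 4 and fields[1] == "/tmp":
            missing = sorted({"nodev", "nosuid", "noexec"} - set(fields[3].split(",")))
            return "/tmp lacks mount options: " + ",".join(missing) if missing else ""
    return "/tmp is not a separate partition"
def ssh_root_login(snap):
    value = snap["sshd"].get("permitrootlogin")
    return "" if value == "no" else f"PermitRootLogin {value}"
def ssh_ciphers(snap):
    weak = sorted(set(snap["sshd"].get("ciphers", "").split(",")) & WEAK_CIPHERS)
    return "weak ciphers enabled: " + ",".join(weak) if weak else ""

CHECKS = [  # (control, title, check)
    ("1.1.1.1", "Ensure cramfs is disabled", lambda s: module_disabled(s, "cramfs")),
    ("1.1.1.2", "Ensure freevxfs is disabled", lambda s: module_disabled(s, "freevxfs")),
    ("FS-3", "Ensure jffs2 is disabled", lambda s: module_disabled(s, "jffs2")),
    ("1.1.2", "Ensure /tmp is configured", tmp_partition),
    ("NET-1", "Ensure IP forwarding is disabled", lambda s: sysctl_is(s, {"net.ipv4.ip_forward": "0"})),
    ("NET-2", "Ensure ICMP redirects are not accepted", lambda s: sysctl_is(s, {
        "net.ipv4.conf.all.accept_redirects": "0", "net.ipv4.conf.default.accept_redirects": "0"})),
    ("NET-3", "Ensure IPv6 is disabled", lambda s: sysctl_is(s, {
        "net.ipv6.conf.all.disable_ipv6": "1", "net.ipv6.conf.default.disable_ipv6": "1"})),
    ("SSH-1", "Ensure SSH root login is disabled", ssh_root_login),
    ("SSH-2", "Ensure only strong ciphers are used", ssh_ciphers),
]

def run_audit(sysctl_text, sshd_text, modprobe_text, mounts_text, exceptions=None):
    """Run every check; a documented exception turns a FAIL into NA, never into PASS."""
    snap = {"sysctl": parse_kv(sysctl_text, "="), "sshd": parse_kv(sshd_text, " "),
            "modprobe": modprobe_text, "mounts": mounts_text}
    results = []
    for control, title, check in CHECKS:
        finding = check(snap)
        status = (NA if control in (exceptions or {}) else FAIL) if finding else PASS
        if status == NA:
            finding = f"exception: {exceptions[control]}"
        results.append(Result(control, title, status, finding))
    return results

def summarize(results):
    """(passed, failed, n/a, compliance %); N/A stays out of the denominator, as 187/3/12 -> 98.4% shows."""
    counts = {s: sum(r.status == s for r in results) for s in (PASS, FAIL, NA)}
    scored = counts[PASS] + counts[FAIL]
    return counts[PASS], counts[FAIL], counts[NA], round(100.0 * counts[PASS] / scored, 1) if scored else 0.0

if __name__ == "__main__":  # the documented exception mirrors the page's "Allow IPv6" example
    audit = run_audit(SAMPLE_SYSCTL, SAMPLE_SSHD_T, SAMPLE_MODPROBE, SAMPLE_MOUNTS, {"NET-3": "IPv6 required"})
    for r in audit:
        print(f"{MARK[r.status]} {r.control} {r.title}" + (f"\n    Finding: {r.finding}" if r.finding else ""))
    print("Summary: %d passed, %d failed, %d not applicable\nCompliance: %.1f%%" % summarize(audit))
```

On a real Debian or Ubuntu host, feed the functions the output of sysctl -a, sshd -T (run as root so it reports the effective configuration, including files pulled in by Include), the concatenated /etc/modprobe.d/*.conf files and /proc/mounts in place of the samples. Two design points are worth copying into any exception mechanism: an exception only waives a control that actually fails, and it moves that control to not-applicable rather than to pass, so the compliance percentage cannot be inflated by listing exceptions for controls that already pass.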

Compliance Reports

Generate compliance documentation:

  1. Build Details → Tests → CIS Report
  2. Download PDF or JSON report
  3. Use for audits and documentation

Reports include:

  • All controls tested
  • Pass/fail status
  • Remediation guidance for failures
  • Exception documentation

Custom CIS Testing

Test specific CIS controls:

    {
      "type": "cis_benchmark",
      "params": { "controls": ["1.1.1.1", "5.2.1", "5.2.2"] }
    }

Remediation

When CIS tests fail:

  1. Review the finding - Understand what’s required
  2. Check configuration - Verify your recipe
  3. Update and rebuild - Apply fixes
  4. Document exceptions - If control doesn’t apply

Best Practices

  1. Start with Level 1 - Establish baseline security
  2. Test iteratively - Add controls incrementally
  3. Document exceptions - Explain intentional deviations
  4. Regular audits - Re-run benchmarks periodically
  5. Keep updated - CIS revises benchmarks regularly and control numbers can change between versions, so record which benchmark version a report was generated against