Center for Internet Security

CIS Community and CIS Benchmarks help you safeguard systems, software, and networks against today’s evolving cyber threats.

History & Purpose

The Center for Internet Security (CIS) is a nonprofit organization founded to develop best-practice security benchmarks and tools that help organizations reduce risk and improve security posture. CIS Benchmarks are consensus-based, vendor-neutral secure configuration guidelines developed and maintained by a global community of cybersecurity experts. The Benchmarks cover operating systems, server software, network devices, and cloud services. CIS also provides assessment tools (CIS-CAT), implementation guides, and a community-driven process for updates.

How to use these guidelines

  • Assess: Inventory systems and map them to relevant CIS Benchmarks.
  • Plan: Define a baseline (CIS Level 1 for general security; Level 2 for hardened environments) and identify business-impacting items.
  • Test: Apply settings in staging/test environments and run regression tests.
  • Automate: Use configuration management (Ansible, Salt, Puppet) to enforce baselines.
  • Monitor: Continuously check configuration drift and audit results.
  • Document: Record approved exceptions and compensating controls.

General implementation checklist (applies to all technologies)

  • Map assets to Benchmarks and required level (1 or 2).
  • Establish IAM and least-privilege access.
  • Harden OS: accounts, SSH, filesystem permissions, auditing.
  • Harden network: firewall rules (nftables/iptables), host-based controls.
  • Enable integrity monitoring (AIDE) and file auditing.
  • Enable and tune logging and centralize to SIEM (Wazuh, Elastic).
  • Validate services after changes; maintain rollback plans.
  • Keep packages updated and track CVEs.

Users / Roles (IAM)

  • Use least-privilege and role-based access controls for services and human users.
  • Separate application/service accounts from interactive users.
  • Use SSH key management, short-lived keys when possible, and disable password authentication for admins.
  • Log and rotate keys; integrate with Vault or other secret stores for automation.

Per-technology guidance

  • Rocky Linux 10 / Debian 13 (OS baseline)
    • Apply the relevant CIS Linux Benchmark (choose distribution-appropriate controls).
    • Key areas: SSH hardening, disable unused services, secure cron jobs, kernel parameter hardening (sysctl), secure shared memory, remove unnecessary packages.
    • Firewalls: prefer nftables on modern systems; use deterministic rulesets and manage via configuration management.
    • Mandatory Access Control: enable and configure SELinux (Rocky) or AppArmor (Debian) per application profiles.
    • Integrity: install and schedule AIDE; store baseline database off-host.
  • SSH
    • Disable root login, disallow password auth for admin users, use strong KEX and ciphers, limit user login via AllowUsers/AllowGroups.
    • Apply the sshd configuration recommended by CIS; after reloading, verify login from a second, parallel session before disconnecting the current one.
  • iptables / nftables
    • Implement default-deny inbound rules; allow only required ports/services.
    • Document rules, test in staging, and persist rules declaratively.
  • SELinux / AppArmor
    • Enforce mode for production; create/adjust policies for custom services; monitor AVC/denials and iterate policies.
  • Nginx (Web server / Reverse proxy)
    • Follow CIS Web Server Benchmark and the Nginx community hardening guides.
    • Harden TLS (use modern ciphersuites, TLS 1.3 preferred), disable insecure protocols, enable HSTS where applicable.
    • Run Nginx worker processes as non-root user, limit access to config and cert files, use strict file permissions.
    • Use upstream health checks and rate-limiting where relevant.
  • PostgreSQL 16+ + PgBouncer (SQL server)
    • Use CIS Database Benchmarks as a baseline for account management, logging, and network restrictions.
    • Enforce pg_hba.conf to limit connections to trusted hosts; prefer TLS for connections.
    • Ensure password_encryption is enabled, do not grant superuser where it is not required, and audit role memberships.
    • For PgBouncer: run it as a dedicated user, protect its config, and secure pooler connections via TLS and auth_query.
  • Zabbix agent (Monitoring)
    • Harden the agent config: restrict allowed hosts, enable TLS for the agent-server channel, run as non-root, restrict file permissions.
  • Zabbix server (Monitoring)
    • Secure the web interface (TLS), require strong admin credentials, limit API access, harden DB backend per CIS Database Benchmarks.
    • Isolate monitoring network and use read-only credentials for data collection where possible.
  • Wazuh agent (SIEM + XDR) and integrations (Suricata, Zeek)
    • Deploy agents with minimal privileges; configure secure enrollment and TLS communication to Wazuh manager.
    • Forward logs (syslog, auditd) and IDS logs (Suricata, Zeek) to Wazuh for correlation.
    • Keep detection rules updated and tune to reduce false positives.
  • Wazuh server (SIEM + XDR)
    • Harden the server host (OS CIS Benchmark), secure Elasticsearch/Kibana access, enable RBAC, and limit network exposure.
  • WireGuard (Secure L3 Tunnel)
    • Manage keys securely (Vault), restrict allowed IPs and peers to minimum necessary, and run on a hardened OS.
    • Monitor for unexpected peer activity and rotate keys periodically.
  • iRedMail (Mail server)
    • Follow CIS mail server guidance where available; secure SMTP (STARTTLS/TLS), enforce strong authentication, and harden underlying OS.
    • Isolate mail services, enable rate limiting and anti-spam measures, and tightly control SMTP relays.
  • Znuny (ITSM)
    • Run Znuny under a dedicated, least-privileged user; secure web UI with TLS and strong auth; apply patches and secure database backend.
  • UniFi Wireless Controller (Wi‑Fi Manager)
    • Place controller behind reverse proxy or VPN; secure admin UI with TLS and strong auth; limit network access to controller service ports.
  • Vault (Secrets Management)
    • Follow HashiCorp best practices: seal/unseal procedures, strict ACL policies, audit logging, lease/rotation for secrets, and run Vault in HA with secure storage backend.
    • Avoid embedding static secrets in repo; integrate service accounts with short-lived tokens.
  • GitLab (Source Code Management)
    • Harden GitLab per CIS benchmark for web apps: secure web UI with TLS, enforce MFA for users, restrict project visibility, and run background runners with least privilege.
    • Protect CI secrets with Vault integration and review job token permissions.
  • GitLab Runner (Job executor)
    • Run runners in isolated executors (Docker, Kubernetes) with limited privileges; use protected runners for sensitive pipelines and isolate artifacts storage.
  • SpiderFoot (OSINT)
    • Run on isolated hosts or containers; restrict network egress where possible; protect API keys and credentials using Vault.
  • Proxmox
    • Harden the Proxmox host (OS CIS Benchmark), secure web UI with TLS and RBAC, disable unused management interfaces, and backup VM templates and configurations.
  • PHP 8.2+ + PHP-FPM
    • Apply PHP hardening: disable dangerous functions, enforce open_basedir, run PHP-FPM workers as dedicated users, and secure pool configs.
    • Keep PHP and extensions up to date and scan for vulnerable dependencies.
  • Ruby
    • Run apps with least privilege, use Bundler with locked dependencies, and ensure application frameworks are kept up to date. Protect secrets outside of code.
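The OS baseline item above calls for kernel parameter hardening via sysctl and the "How to use" list calls for recording approved exceptions. The script below is an added example, not code from this page or from CIS: it compares a sysctl snapshot (the "key = value" lines that sysctl -a prints) against a handful of expected values and skips any key listed in a documented-exceptions file. The expected values, the exceptions-file format and the sample data are assumptions in the spirit of the CIS Linux Benchmarks, not a copy of any particular Benchmark version.

```shell
#!/bin/sh
# Added example, not part of the original page: compare a sysctl snapshot
# against a small set of expected kernel parameters and honour a file of
# documented exceptions. Expected values are assumptions in the spirit of
# the CIS Linux Benchmarks, not a copy of any Benchmark version.

# $1 = snapshot file with "key = value" lines (e.g. produced by: sysctl -a)
# $2 = optional exceptions file, one sysctl key per line, for approved deviations
# Prints FAIL/SKIP lines; returns the number of failures.
audit_sysctl() {
    snapshot="$1"
    exceptions="${2:-}"
    fails=0
    for rule in \
        "net.ipv4.ip_forward=0" \
        "net.ipv4.conf.all.accept_redirects=0" \
        "net.ipv4.conf.all.send_redirects=0" \
        "net.ipv4.conf.all.rp_filter=1" \
        "net.ipv4.tcp_syncookies=1" \
        "kernel.randomize_va_space=2" \
        "fs.protected_symlinks=1"
    do
        key=${rule%%=*}
        want=${rule#*=}
        if [ -n "$exceptions" ] && grep -qxF "$key" "$exceptions"; then
            printf 'SKIP %s (documented exception)\n' "$key"
            continue
        fi
        # First matching line wins; the separator is "=" with optional spaces.
        got=$(awk -F' *= *' -v k="$key" '$1 == k { print $2; exit }' "$snapshot")
        if [ "$got" != "$want" ]; then
            printf 'FAIL %s expected=%s found=%s (remediate: sysctl -w %s=%s, persist in /etc/sysctl.d/)\n' \
                "$key" "$want" "${got:-(unset)}" "$key" "$want"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed snapshot and exceptions file so the example runs offline.
make_sysctl_samples() {
    dir=$(mktemp -d)
    cat > "$dir/snapshot.txt" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
kernel.randomize_va_space = 2
EOF
    # A WireGuard gateway legitimately forwards packets: record it as an exception.
    printf 'net.ipv4.ip_forward\n' > "$dir/exceptions.txt"
    printf '%s\n' "$dir"
}

dir=$(make_sysctl_samples)
printf '== without exceptions ==\n'
audit_sysctl "$dir/snapshot.txt" || printf '%s failure(s)\n' "$?"
printf '== with exceptions ==\n'
audit_sysctl "$dir/snapshot.txt" "$dir/exceptions.txt" || printf '%s failure(s)\n' "$?"
rm -rf "$dir"
```

The constructed snapshot fails three checks (ip_forward, accept_redirects and the absent fs.protected_symlinks); with the exceptions file naming net.ipv4.ip_forward, as a WireGuard gateway would need, the count drops to two, and the remaining FAIL lines carry the sysctl -w remediation to apply and persist. The non-zero return code is what lets a CI job or cron check treat unresolved drift as a failure.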
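For the SSH item above (disable root login, disallow password auth, limit logins via AllowUsers/AllowGroups), here is an added example of a check script that is not from this page or from CIS. It reads an sshd_config file the way sshd does (first occurrence of a directive wins, names are case-insensitive) and reports which CIS-style settings are missing or wrong. The expected values and the two sample configs are constructed assumptions, not a specific Benchmark version.

```shell
#!/bin/sh
# Added example, not part of the original page: audit an sshd_config against a
# few CIS-style settings. Expected values are assumptions in the spirit of the
# CIS Linux Benchmarks, not a copy of any specific Benchmark version.

# Effective value of a directive: sshd honours the first occurrence, so print
# the first non-comment match (directive names are case-insensitive).
sshd_value() {
    awk -v key="$2" '
        $0 !~ /^[[:space:]]*#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Prints one FAIL line per finding and returns the number of failures.
audit_sshd() {
    cfg="$1"
    fails=0
    for rule in \
        "PermitRootLogin|no" \
        "PasswordAuthentication|no" \
        "PermitEmptyPasswords|no" \
        "X11Forwarding|no" \
        "LogLevel|VERBOSE"
    do
        key=${rule%%|*}
        want=${rule#*|}
        got=$(sshd_value "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            printf 'FAIL %s expected=%s found=%s\n' "$key" "$want" "${got:-(unset)}"
            fails=$((fails + 1))
        fi
    done
    # MaxAuthTries: the compiled-in default is 6; require 4 or fewer.
    got=$(sshd_value "$cfg" MaxAuthTries)
    case $got in
        ''|*[!0-9]*)
            printf 'FAIL MaxAuthTries expected=<=4 found=%s\n' "${got:-(unset)}"
            fails=$((fails + 1)) ;;
        *)
            if [ "$got" -gt 4 ]; then
                printf 'FAIL MaxAuthTries expected=<=4 found=%s\n' "$got"
                fails=$((fails + 1))
            fi ;;
    esac
    # Without AllowUsers/AllowGroups every local account may attempt SSH login.
    if [ -z "$(sshd_value "$cfg" AllowUsers)" ] && [ -z "$(sshd_value "$cfg" AllowGroups)" ]; then
        printf 'FAIL AllowUsers/AllowGroups expected=set found=(unset)\n'
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample configs (no real hosts) so the example runs offline.
make_sshd_samples() {
    dir=$(mktemp -d)
    cat > "$dir/hardened.conf" <<'EOF'
# constructed hardened sshd_config
Port 22
LogLevel VERBOSE
PermitRootLogin no
MaxAuthTries 4
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
AllowGroups sshusers
EOF
    cat > "$dir/default.conf" <<'EOF'
# constructed, mostly-default sshd_config
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
X11Forwarding yes
EOF
    printf '%s\n' "$dir"
}

dir=$(make_sshd_samples)
for name in hardened default; do
    printf '== %s ==\n' "$name"
    audit_sshd "$dir/$name.conf" || printf '%s failure(s)\n' "$?"
done
rm -rf "$dir"
```

The hardened sample passes; the mostly-default one produces seven FAIL lines, including the commented-out PermitRootLogin, which the script correctly treats as unset. Because the script only reads one file, it will miss settings pulled in through Include files or Match blocks; on a live host, run the same checks against the output of sshd -T, which prints the effective configuration. Whatever the result, keep the existing session open while you reload and confirm a fresh login works, as the SSH item above advises.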
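The iptables / nftables item above asks for default-deny inbound rules kept deterministic and persisted declaratively. The generator below is an added example, not code from this page or from any project: given the inbound TCP and UDP ports a host needs, it always emits the same nftables ruleset text, so the file can be committed, diffed and pushed out by configuration management. The table and chain names, the logging prefix and the sample port lists are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: generate a deterministic
# default-deny nftables ruleset from a list of allowed inbound ports, so the
# same input always yields identical text that can be committed and enforced
# through configuration management. Table and chain names are assumptions.

# Normalise a space-separated port list into sorted, de-duplicated "a, b, c"
# form so output does not depend on the order the ports were given in.
port_list() {
    printf '%s\n' $1 | grep -v '^$' | sort -n | uniq | paste -sd, - | sed 's/,/, /g'
}

# $1 = TCP ports to allow inbound, $2 = UDP ports (either may be empty).
# Writes the ruleset to stdout.
gen_nft_ruleset() {
    tcp=$(port_list "$1")
    udp=$(port_list "$2")
    cat <<'EOF'
#!/usr/sbin/nft -f
# Generated: default-deny inbound; allow loopback, established/related, ICMP
# and the listed services only. Syntax-check before applying: nft -c -f <file>
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
EOF
    if [ -n "$tcp" ]; then printf '        tcp dport { %s } accept\n' "$tcp"; fi
    if [ -n "$udp" ]; then printf '        udp dport { %s } accept\n' "$udp"; fi
    cat <<'EOF'

        # everything else: rate-limited log line, then dropped by the chain policy
        limit rate 5/minute log prefix "nft-input-drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Usage: a web host that also runs SSH and a WireGuard listener (constructed
# port choices). Redirect to a file, check it with "nft -c -f", then load it.
gen_nft_ruleset "443 22 80" "51820"
```

Writing the output to the file your distribution's nftables service loads (/etc/nftables.conf on Debian; check the unit on Rocky) and running nft -c -f on it in the staging step gives you the "test in staging, persist declaratively" workflow the item describes. The forward chain defaults to drop, so a host that routes traffic (a WireGuard gateway, for example) needs an explicit, documented forward rule added on top of this base.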
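For the PostgreSQL item above (pg_hba.conf limited to trusted hosts, TLS preferred, strong authentication), here is an added example that is not from this page, from CIS or from the PostgreSQL project. It scans a pg_hba.conf and flags entries that contradict that advice: trust authentication, md5/password instead of scram-sha-256, wildcard addresses, and non-TLS host lines for anything other than loopback. The rule set and both sample files are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: flag risky pg_hba.conf entries.
# The rules encode the page's advice (trusted hosts only, TLS preferred, strong
# auth) as assumptions, not a literal CIS PostgreSQL Benchmark check.

# pg_hba.conf fields: TYPE DATABASE USER [ADDRESS] METHOD [OPTIONS]
# ("local" lines have no ADDRESS). Prints FAIL lines; returns the finding count.
audit_pg_hba() {
    awk '
        function bad(tag, line) { findings++; printf "FAIL %s: %s\n", tag, line }
        function loopback(a) { return a == "127.0.0.1/32" || a == "::1/128" || a == "samehost" }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            type = $1; user = $3
            if (type == "local") { addr = "-"; method = $4 } else { addr = $4; method = $5 }
            # "trust" skips authentication entirely
            if (method == "trust") bad("trust-auth", $0)
            # md5/password are weaker than scram-sha-256
            if (method == "md5" || method == "password") bad("weak-auth-" method, $0)
            # wildcard addresses expose the listener to every host
            if (addr == "0.0.0.0/0" || addr == "::/0" || addr == "all") bad("any-address", $0)
            # plain "host" also matches non-TLS connections; require hostssl off-box
            if (type == "host" && !loopback(addr)) bad("no-tls", $0)
            # "hostnossl" explicitly permits cleartext connections
            if (type == "hostnossl") bad("no-tls", $0)
        }
        END { exit findings }
    ' "$1"
}

# Constructed sample files (no real hosts or databases) so the example runs offline.
make_pg_hba_samples() {
    dir=$(mktemp -d)
    cat > "$dir/good.conf" <<'EOF'
# constructed: local socket, loopback, and TLS-only access from trusted subnets
local   all         all                                 peer
host    all         all         127.0.0.1/32            scram-sha-256
host    all         all         ::1/128                 scram-sha-256
hostssl appdb       app         10.10.5.0/24            scram-sha-256
hostssl replication replicator  10.10.5.11/32           scram-sha-256
EOF
    cat > "$dir/bad.conf" <<'EOF'
# constructed: typical insecure leftovers
local   all         all                                 trust
host    all         all         0.0.0.0/0               md5
host    appdb       app         10.10.5.0/24            scram-sha-256
EOF
    printf '%s\n' "$dir"
}

dir=$(make_pg_hba_samples)
for name in good bad; do
    printf '== %s ==\n' "$name"
    audit_pg_hba "$dir/$name.conf" || printf '%s finding(s)\n' "$?"
done
rm -rf "$dir"
```

The good sample passes; the bad one yields five findings, three of them on the single "host all all 0.0.0.0/0 md5" line. The loopback exemption is deliberate: a local PgBouncer talking to PostgreSQL over 127.0.0.1 is the usual deployment and does not need hostssl, while anything reachable from the network does. Because pg_hba.conf is matched top to bottom and the first matching line decides, order the narrowest entries first when you fix findings.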

Verification & Continuous Compliance

  • Use automated scanners and CIS-CAT where possible to produce reports.
  • Integrate benchmark checks into CI pipelines to prevent drift.
  • Schedule regular reviews and update baselines after major upgrades.

Exceptions and Risk Management

  • Document any deviations from CIS recommendations with justification and compensating controls.
  • Maintain a review cadence for approved exceptions.

CIS Benchmarks & downloads

Recommended CIS Benchmarks for each technology:

Technologies without dedicated CIS Benchmarks — use host OS Benchmark plus vendor hardening guides:

Final notes

This page provides a practical starting point and short implementation guidance. For production deployments, consult the official CIS Benchmarks for each product and consider using CIS-CAT, vendor hardening guides, and your organization’s risk policies.

me

My name is Adam Lichonvsky and I'm a proud father and researcher.