CIS Benchmarks - Center for Internet Security (CIS) Benchmarks

CIS Benchmarks are consensus-based, best-practice security configuration guides developed and accepted by government, business, industry, and academia. Mapped to CIS Critical Security Controls, these secure configuration recommendations take the guesswork out of effectively hardening your systems. IT professionals from around the world worked together to create the CIS Benchmarks through a community consensus process. Each benchmark includes audit and remediation procedures that tell you not only what to do to securely configure your systems and how to do it.   There are often multiple configuration profiles within a benchmark, depending on an organization’s security requirements. 

Built-in compliance capabilities

Red Hat products have built-in capabilities that help you to align with the CIS Benchmarks policy. By using integrations with the system management solutions available in our portfolio, you can align the configuration of the machine with the requirements. However, the result is not full compliance - you always need to review the results and take the context of your specific deployment into account.

Red Hat Enterprise Linux

You can install the system already pre-configured to CIS Benchmarks by using RHEL image builder:

• RHEL 10: Creating pre-hardened images with RHEL image builder OpenSCAP integration
• RHEL 9: Creating pre-hardened images with RHEL image builder OpenSCAP integration

Note that this is integrated also in the Red Hat Insights, linked below.

If you prefer a kickstart-based installation, the method is described in the RHEL security guide:

• RHEL 10: Performing a hardened installation of RHEL with Kickstart
• RHEL 9: Kickstart-based installation of compliant systems

You can build and deploy hardened bootable images pre-configured to CIS Benchmarks for RHEL Image mode:

• RHEL 10: Security hardening and compliance of bootable images
• RHEL 9: Security hardening and compliance of bootable images

You can check the system configuration during runtime by using the OpenSCAP command-line tool:

• RHEL 10: Scanning the system for configuration compliance
• RHEL 9: Scanning the system for configuration compliance and vulnerabilities
• RHEL 8: Scanning the system for configuration compliance and vulnerabilities
• RHEL 7: Scanning the System for Configuration Compliance and Vulnerabilities

Red Hat Satellite

You can plan and configure compliance policies, deploy the policies to hosts, and monitor the compliance of your hosts in Red Hat Satellite. For more information, see the product documentation:

• Managing Security Compliance

Red Hat Insights for RHEL

You can create and manage your custom security policies entirely within the compliance service UI, as well as monitor the compliance state of your systems, remediate any discrepancies, and use the custom security policies in image builder to deploy additional systems:

• Managing SCAP security policies in the Insights for RHEL compliance service

Red Hat OpenShift

You can automate the inspection of numerous technical implementations and compare them against certain aspects of industry standards, benchmarks, and baselines.

• Compliance Operator 

• Information about CIS Benchmark for Red Hat OpenShift Container Platform 4
• Center for Internet Security
• CIS Shared Responsibility Model Resources