Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article provides detailed information about the CIS Security Benchmarks for AKS Optimized Azure Linux, including supported benchmarks, mismatched rules, and configurable parameters across all supported versions.
Supported benchmarks
| AKS Optimized Azure Linux Version | Benchmark Title |
|---|---|
| AKS Optimized Azure Linux 3 | CIS AKS Optimized Azure Linux 3 Benchmark 1.0.0 Level 1 + Level 2 - Server |
CIS AKS Optimized Azure Linux 3 Benchmark 1.0.0 Level 1 + Level 2 - Server
Mismatched rules
Note
The mismatched rules are the ones that in some circumstances the assessment might differ from CIS-CAT® Pro Assessor; usually our implementation enforces stricter criteria.
- None
Configurable parameters
| Rule | Parameter | Default Value |
|---|---|---|
| Ensure /tmp is a separate partition | mountPoint | /tmp |
| Ensure nodev option set on /tmp partition | mountPoint | /tmp |
| requiredMountOptions | nodev | |
| Ensure nosuid option set on /tmp partition | mountPoint | /tmp |
| requiredMountOptions | nosuid | |
| Ensure /dev/shm is a separate partition | mountPoint | /dev/shm |
| Ensure nodev option set on /dev/shm partition | mountPoint | /dev/shm |
| requiredMountOptions | nodev | |
| Ensure nosuid option set on /dev/shm partition | mountPoint | /dev/shm |
| requiredMountOptions | nosuid | |
| Ensure core dump backtraces are disabled | processSizeMaxRegex | 0 |
| Ensure core dump storage is disabled | storageRegex | none |
| Ensure access to /etc/motd is configured | mask | 0133 |
| owner | root | |
| group | root | |
| Ensure access to /etc/issue is configured | filename | /etc/issue |
| mask | 0133 | |
| owner | root | |
| group | root | |
| Ensure time synchronization is in use | packageName | chrony |
| Ensure telnet client is not installed | packageName | telnet |
| Ensure permissions on /etc/crontab are configured | mask | 0077 |
| owner | root | |
| group | root | |
| Ensure permissions on /etc/cron.hourly are configured | mask | 0077 |
| owner | root | |
| group | root | |
| Ensure permissions on /etc/cron.daily are configured | mask | 0077 |
| owner | root | |
| group | root | |
| Ensure permissions on /etc/cron.weekly are configured | mask | 0077 |
| owner | root | |
| group | root | |
| Ensure permissions on /etc/cron.monthly are configured | mask | 0077 |
| owner | root | |
| group | root | |
| Ensure permissions on /etc/cron.d are configured | mask | 0077 |
| owner | root | |
| group | root | |
| Ensure cron is restricted to authorized users | filenameEtcCronDeny | /etc/cron.deny |
| owner | root | |
| group | root | |
| mask | 0137 | |
| filenameEtcCronAllow | /etc/cron.allow | |
| Ensure at is restricted to authorized users | owner | root |
| group | root | |
| mask | 0177 | |
| Ensure access to /etc/ssh/sshd_config is configured | mask | 0177 |
| owner | root | |
| group | root | |
| Ensure sshd Ciphers are configured | ciphersDisallowedValues | 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,arcfour,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,rijndael-cbc@lysator.liu.se |
| Ensure sshd KexAlgorithms is configured | kexalgorithmsDisallowedValues | diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 |
| Ensure sshd MACs are configured | macsDisallowedValues | hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com |
| Ensure sshd access is configured | allowUsersValuePattern | [^ \t]+ |
| allowGroupsValuePattern | [^ \t]+ | |
| denyUsersValuePattern | [^ \t]+ | |
| denyGroupsValuePattern | [^ \t]+ | |
| Ensure sshd Banner is configured | bannerExpectedValueT | /[^ \t]+ |
| bannerDisallowedValuesNone | none | |
| Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured | clientalivecountmaxThreshold | 0 |
| clientaliveintervalThreshold | 0 | |
| Ensure sshd LoginGraceTime is configured | logingracetimeThresholdValue60 | 60 |
| logingracetimeThresholdValue0 | 0 | |
| Ensure sshd LogLevel is configured | loglevelExpectedValue | verbose,info |
| Ensure sshd MaxAuthTries is configured | maxauthtriesThreshold | 4 |
| Ensure sshd MaxStartups is configured | maxstartupsExpectedValue | 10:30:100 |
| Ensure sshd MaxSessions is configured | maxsessionsThreshold | 10 |
| Ensure password expiration is 365 days or less | maxDays | 365 |
| Ensure minimum days between password changes is configured | minDays | 1 |
| Ensure password expiration warning days is 7 or more | warnDays | 7 |
| Ensure journald Storage is configured | storageValue | persistent |
| Ensure journald Compress is configured | compressValue | yes |
| Ensure access to /etc/security/opasswd is configured | mask | 0177 |
| owner | root | |
| group | root |