Skip to content

Framework Reference

Ryan edited this page Jul 11, 2026 · 4 revisions

Framework Reference

This guide provides comprehensive documentation of the security frameworks, standards, and compliance requirements implemented by the Linux Security Audit Project, including authoritative sources, key concepts, and practical applications.

Table of Contents

Original Core Frameworks

Phase 3 Expansion Frameworks (v3.0+)

Reference

Framework Overview

The Linux Security Audit Project (v3.9) implements 16 distinct security frameworks split into 8 original core frameworks (Core, CIS, CISA, ENISA, ISO27001, NIST, NSA, STIG) and 8 Phase 3 expansion frameworks (ACSC, CMMC, DistBaseline, EDR, GDPR, HIPAA, PCI-DSS, SOC2). Each framework has specific focus areas, compliance requirements, and target audiences.

Framework Categories

Industry Standards:

  • CIS Benchmarks: Consensus-based security configurations
  • ISO/IEC 27001/27017/27018/27701: International infosec, cloud, PII, privacy

US Government Frameworks:

  • NIST 800-53 R5, CSF 2.0, 800-171, 800-207, 800-161
  • DISA STIGs: Department of Defense security standards
  • NSA: Advanced security hardening and classified systems (CSfC)
  • CISA: Critical infrastructure protection (CPG, ZTMM, BOD)
  • CMMC: Defense Industrial Base certification

Regional / National Standards:

  • ENISA: EU cybersecurity guidelines (NIS2, DORA, EU-CSA)
  • ACSC: Australian Cyber Security Centre Essential 8 / ISM

Privacy & Sectoral Regulations:

  • GDPR: EU General Data Protection Regulation
  • HIPAA: US healthcare data privacy/security
  • PCI DSS: Payment card industry standard
  • SOC 2: Service organization Trust Service Criteria

Detection & Response:

  • EDR / MITRE ATT&CK: Endpoint detection capability indicators

Baseline:

  • Core: Industry best practices and vendor-specific guidance
  • DistBaseline: Distribution-specific hardening (Debian, RHEL, SUSE, Arch)

Core Security Best Practices

Overview

Focus: Fundamental security baseline for all Linux systems Authority: Industry consensus, vendor security guides Applicability: Universal - all Linux environments

Standards Sources

Linux Foundation

  • Open Source Security Foundation (OpenSSF)
  • Linux Foundation Best Practices
  • Secure Software Development Fundamentals

URL: https://www.linuxfoundation.org/projects/security

Vendor Security Guides

Debian Security Manual

  • Debian-specific security configurations
  • Security update procedures
  • Package management security
  • Security advisories (DSA)

URL: https://www.debian.org/security/

Red Hat Security Guide

  • RHEL security best practices
  • SELinux implementation
  • Security advisories (RHSA)
  • Enterprise security configurations

URL: https://access.redhat.com/security/

Ubuntu Security Notices

  • Ubuntu-specific security updates
  • USN (Ubuntu Security Notice) tracking
  • AppArmor configuration
  • Security hardening guides

URL: https://ubuntu.com/security/notices

Security Standards Organizations

SANS Institute

  • Critical Security Controls (now CIS Controls)
  • System hardening guidelines
  • Security best practices

URL: https://www.sans.org/

OWASP (Open Web Application Security Project)

  • Application security guidelines
  • Security testing methodologies
  • Common vulnerabilities

URL: https://owasp.org/

Key Concepts

Defense in Depth

Multiple layers of security controls:

  1. Perimeter (firewall, network security)
  2. Host (system hardening, access control)
  3. Application (service security, sandboxing)
  4. Data (encryption, access controls)

Principle of Least Privilege

  • Minimal permissions for users and processes
  • Need-to-know access
  • Regular privilege reviews
  • Separation of duties

Secure by Default

  • Default deny policies
  • Minimal initial attack surface
  • Secure default configurations
  • Hardened baselines

Security Patch Management

  • Regular security updates
  • Vulnerability tracking
  • Timely patch application
  • Testing before deployment

Practical Application

The Core module checks are derived from:

  • OS vendor security documentation
  • Industry best practices consensus
  • Common security misconfigurations
  • Real-world security incidents

CIS Benchmarks

Overview

Full Name: Center for Internet Security Benchmarks Authority: Center for Internet Security (CIS) Version: CIS Benchmarks for Linux (Distribution-specific) Applicability: All organizations seeking security baselines

About CIS

The Center for Internet Security is a nonprofit organization that develops consensus-based security configuration guidelines. CIS Benchmarks are created through a global community of cybersecurity experts.

URL: https://www.cisecurity.org/

CIS Benchmark Structure

Benchmark Organization

CIS Benchmark
+-- Section 1: Initial Setup
|   +-- 1.1 Filesystem Configuration
|   +-- 1.2 Software Updates
|   +-- 1.3 Filesystem Integrity
|   +-- 1.4 Secure Boot
|   +-- 1.5 Process Hardening
|   `-- 1.6 Mandatory Access Control
+-- Section 2: Services
|   +-- 2.1 Time Synchronization
|   +-- 2.2 Special Purpose Services
|   `-- 2.3 Service Clients
+-- Section 3: Network Configuration
|   +-- 3.1 Network Parameters (Host)
|   +-- 3.2 Network Parameters (Host/Router)
|   +-- 3.3 IPv6
|   `-- 3.4 Uncommon Protocols
+-- Section 4: Logging and Auditing
|   +-- 4.1 System Accounting (auditd)
|   `-- 4.2 Logging Configuration
+-- Section 5: Access, Authentication, Authorization
|   +-- 5.1 Cron Configuration
|   +-- 5.2 SSH Configuration
|   +-- 5.3 PAM Configuration
|   +-- 5.4 User Accounts
|   +-- 5.5 Root Login Restrictions
|   `-- 5.6 su Command Restrictions
`-- Section 6: System Maintenance
    +-- 6.1 System File Permissions
    `-- 6.2 User and Group Settings

Profile Levels

Level 1 (L1)

  • Purpose: Basic security with minimal impact
  • Characteristics: Low risk, practical for most systems
  • Impact: Minimal service disruption
  • Recommendation: All production systems

Example Controls:

  • Disable unused filesystems
  • Configure software updates
  • Set secure file permissions
  • Enable basic auditing
  • Configure SSH securely

Level 2 (L2)

  • Purpose: Defense-in-depth with higher security
  • Characteristics: More restrictive, potential operational impact
  • Impact: May affect functionality
  • Recommendation: High-security environments

Example Controls:

  • Separate partitions for all sensitive directories
  • Comprehensive audit logging
  • Strict access controls
  • Advanced network hardening
  • Mandatory Access Control (MAC)

Benchmark Versions

CIS provides distribution-specific benchmarks:

Ubuntu Linux:

  • CIS Ubuntu Linux 20.04 LTS Benchmark
  • CIS Ubuntu Linux 22.04 LTS Benchmark
  • CIS Ubuntu Linux 24.04 LTS Benchmark

Red Hat Enterprise Linux:

  • CIS Red Hat Enterprise Linux 7 Benchmark
  • CIS Red Hat Enterprise Linux 8 Benchmark
  • CIS Red Hat Enterprise Linux 9 Benchmark

Debian Linux:

  • CIS Debian Linux 10 Benchmark
  • CIS Debian Linux 11 Benchmark
  • CIS Debian Linux 12 Benchmark

Scoring Methodology

Scored Controls

  • Can be automatically verified
  • Pass/Fail determination
  • Counted in compliance score
  • Example: "Ensure SSH root login is disabled"

Not Scored Controls

  • Require manual verification
  • Organizational policy dependent
  • Guidance provided, not enforced
  • Example: "Ensure security policies are documented"

References

Official CIS Resources:

CISA Cybersecurity Guidance

Overview

Full Name: Cybersecurity and Infrastructure Security Agency Authority: U.S. Department of Homeland Security Focus: Critical infrastructure protection and cybersecurity Applicability: Federal agencies, critical infrastructure, state/local governments

About CISA

CISA leads the national effort to understand, manage, and reduce risk to cyber and physical infrastructure. It provides cybersecurity guidance, tools, and services for government and private sector organizations.

URL: https://www.cisa.gov/

CISA Directive Types

Binding Operational Directives (BODs)

Compulsory directives for federal civilian executive branch agencies.

BOD 18-01: Enhanced Email and Web Security

  • DMARC implementation
  • Email authentication (SPF, DKIM)
  • Web security headers
  • HTTPS enforcement

URL: https://cyber.dhs.gov/bod/18-01/

BOD 19-02: Vulnerability Remediation Requirements

  • Critical vulnerability remediation within 15 days
  • High vulnerability remediation within 30 days
  • Vulnerability scanning requirements

URL: https://cyber.dhs.gov/bod/19-02/

BOD 20-01: Vulnerability Disclosure Policy

  • Develop vulnerability disclosure policy
  • Create security.txt file
  • Establish reporting mechanisms

URL: https://cyber.dhs.gov/bod/20-01/

BOD 22-01: Known Exploited Vulnerabilities

  • Remediate KEV catalog vulnerabilities
  • Track actively exploited vulnerabilities
  • Automated patch management

URL: https://www.cisa.gov/known-exploited-vulnerabilities

BOD 23-01: Asset Visibility and Vulnerability Detection

  • Comprehensive asset inventory
  • Vulnerability detection capabilities
  • Network segmentation verification

URL: https://www.cisa.gov/news-events/directives/bod-23-01

Emergency Directives (EDs)

Require immediate action due to known or actively exploited vulnerabilities.

Characteristics:

  • Issued for critical threats
  • Immediate compliance required
  • Time-sensitive actions
  • Address zero-day vulnerabilities

Recent Examples:

  • ED 21-01: Mitigate Microsoft Exchange vulnerabilities
  • ED 22-02: Mitigate Apache Log4j vulnerabilities
  • ED 23-02: Mitigate Ivanti vulnerabilities

URL: https://www.cisa.gov/emergency-directives

Known Exploited Vulnerabilities (KEV) Catalog

Purpose: Prioritize vulnerabilities based on active exploitation

Inclusion Criteria:

  1. Assigned CVE ID
  2. Known exploited in the wild
  3. Remediation action available

URL: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

CISA Security Frameworks

Cross-Sector Cybersecurity Performance Goals (CPGs)

Voluntary baseline cybersecurity practices for critical infrastructure.

Focus Areas:

  • Account security
  • Device security
  • Data security
  • Governance and training
  • Vulnerability management
  • Supply chain security

URL: https://www.cisa.gov/cpg

CISA Insights

Regular threat intelligence and mitigation guidance.

Topics:

  • Ransomware guidance
  • Phishing defense
  • Insider threat mitigation
  • Supply chain security
  • Cloud security

URL: https://www.cisa.gov/insights

Critical Infrastructure Sectors

CISA provides sector-specific guidance for:

  • Chemical
  • Commercial Facilities
  • Communications
  • Critical Manufacturing
  • Dams
  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Financial Services
  • Food and Agriculture
  • Government Facilities
  • Healthcare and Public Health
  • Information Technology
  • Nuclear Reactors
  • Transportation Systems
  • Water and Wastewater

References

Key CISA Resources:

ENISA Cybersecurity Guidelines

Overview

Full Name: European Union Agency for Cybersecurity Authority: European Union Focus: EU-wide cybersecurity policy and standards Applicability: EU member states, organizations operating in EU

About ENISA

ENISA contributes to EU cyber policy, enhances the trustworthiness of ICT products, services, and processes, and cooperates with EU member states and institutions to develop a culture of network and information security.

URL: https://www.enisa.europa.eu/

ENISA Framework Coverage

Baseline Security Recommendations

Core security measures for all organizations.

Categories:

  • Organizational security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Information systems acquisition, development, and maintenance
  • Information security incident management
  • Business continuity management
  • Compliance

URL: https://www.enisa.europa.eu/topics/cybersecurity-policy

Threat Landscape

Annual report on cybersecurity threats affecting the EU.

ENISA Threat Landscape (ETL) Topics:

  • Ransomware
  • Malware
  • Social engineering
  • Data-related threats
  • DDoS attacks
  • Supply chain attacks
  • Identity theft

URL: https://www.enisa.europa.eu/topics/cyber-threats

Good Practices

Secure Software Development:

  • Secure coding practices
  • Security testing integration
  • DevSecOps guidelines
  • Supply chain security

Cloud Security:

  • Cloud security certification schemes
  • Secure cloud adoption
  • Multi-cloud security
  • Cloud incident response

IoT Security:

  • IoT security baseline
  • Secure lifecycle management
  • IoT risk assessment
  • Device certification

URL: https://www.enisa.europa.eu/topics/

EU Regulations Alignment

NIS2 Directive

Network and Information Security Directive (revised).

Requirements:

  • Risk management measures
  • Business continuity
  • Supply chain security
  • Incident handling
  • Vulnerability disclosure

URL: https://www.enisa.europa.eu/topics/nis-directive

GDPR Alignment

General Data Protection Regulation security requirements.

Security Principles:

  • Security of processing (Article 32)
  • Data protection by design and default
  • Personal data breach notification
  • Data protection impact assessment

URL: https://gdpr.eu/

Cybersecurity Act

EU-wide certification framework for ICT products and services.

Assurance Levels:

  • Basic
  • Substantial
  • High

URL: https://www.enisa.europa.eu/topics/eu-cybersecurity-certification-framework

ENISA Publications

Cybersecurity Guide for SMEs:

  • Practical security measures
  • Budget-conscious solutions
  • Risk-based approach
  • Step-by-step implementation

5G Cybersecurity Standards:

  • 5G network security
  • Edge computing security
  • Network slicing security

Incident Response Guidelines:

  • Incident classification
  • Response procedures
  • Information sharing
  • Recovery strategies

References

Key ENISA Resources:

ISO/IEC 27001

Overview

Full Name: ISO/IEC 27001:2022 Information Security Management Authority: International Organization for Standardization (ISO) Version: ISO/IEC 27001:2022 (current), ISO/IEC 27001:2013 (previous) Applicability: Global - all organizations implementing ISMS

About ISO 27001

ISO/IEC 27001 is the international standard for information security management systems (ISMS). It provides requirements for establishing, implementing, maintaining, and continually improving an ISMS.

URL: https://www.iso.org/isoiec-27001-information-security.html

ISO 27001:2022 Structure

Core Components

Clauses 4-10: ISMS Requirements

  • Context of the organization
  • Leadership
  • Planning
  • Support
  • Operation
  • Performance evaluation
  • Improvement

Annex A: Information Security Controls

  • 93 controls organized into 4 themes
  • Controls are derived from ISO/IEC 27002:2022

Annex A Control Categories

Organizational Controls (37 controls)

  • Information security policies
  • Organization of information security
  • Human resource security
  • Asset management
  • Supplier relationships

Example Controls:

  • A.5.1: Policies for information security
  • A.5.7: Threat intelligence
  • A.5.23: Information security for cloud services
  • A.5.37: Documented operating procedures

People Controls (8 controls)

  • Pre-employment screening
  • Terms and conditions of employment
  • Information security awareness
  • Disciplinary process

Example Controls:

  • A.6.1: Screening
  • A.6.2: Terms and conditions of employment
  • A.6.3: Information security awareness, education, and training
  • A.6.8: Information security event reporting

Physical Controls (14 controls)

  • Physical security perimeters
  • Physical entry controls
  • Securing offices, rooms, and facilities
  • Protecting against threats
  • Equipment security

Example Controls:

  • A.7.1: Physical security perimeters
  • A.7.2: Physical entry
  • A.7.4: Physical security monitoring
  • A.7.7: Clear desk and clear screen

Technological Controls (34 controls)

  • User endpoint devices
  • Privileged access rights
  • Information access restriction
  • Secure authentication
  • Cryptographic controls
  • Network security
  • Secure development

Example Controls:

  • A.8.1: User endpoint devices
  • A.8.2: Privileged access rights
  • A.8.3: Information access restriction
  • A.8.5: Secure authentication
  • A.8.9: Configuration management
  • A.8.24: Use of cryptography

ISO/IEC 27002:2022

Companion Standard: Code of practice providing implementation guidance for ISO 27001 Annex A controls.

Structure:

  • Detailed implementation guidance
  • Purpose and control objective
  • Guidance sections
  • Additional information

URL: https://www.iso.org/standard/75652.html

Certification Process

Steps to ISO 27001 Certification:

  1. Gap analysis against standard
  2. ISMS implementation
  3. Internal audit
  4. Management review
  5. Stage 1 audit (documentation review)
  6. Stage 2 audit (implementation verification)
  7. Certification decision
  8. Surveillance audits (annual)
  9. Recertification (every 3 years)

Related Standards

ISO/IEC 27000 Family:

  • 27000: Vocabulary and overview
  • 27001: Requirements (certifiable)
  • 27002: Code of practice
  • 27003: ISMS implementation guidance
  • 27004: Monitoring, measurement, analysis, and evaluation
  • 27005: Information security risk management
  • 27017: Cloud services information security
  • 27018: Cloud privacy
  • 27701: Privacy information management

References

Key ISO Resources:

NIST Frameworks

Overview

Full Name: National Institute of Standards and Technology Authority: U.S. Department of Commerce Focus: Federal information security standards and guidelines Applicability: Federal agencies, contractors, critical infrastructure

About NIST

NIST develops cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies, and the broader public.

URL: https://www.nist.gov/cybersecurity

NIST SP 800-53 Rev 5

Full Title: Security and Privacy Controls for Information Systems and Organizations

Purpose: Comprehensive catalog of security and privacy controls for federal information systems and organizations.

URL: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

Control Families (20 families)

Access Control (AC): Account management, access enforcement, least privilege Awareness and Training (AT): Security awareness, role-based training Audit and Accountability (AU): Audit logging, review, retention Assessment, Authorization, and Monitoring (CA): Security assessments, continuous monitoring Configuration Management (CM): Baseline configurations, change control Contingency Planning (CP): Incident response, disaster recovery Identification and Authentication (IA): User and device identification Incident Response (IR): Incident handling, reporting Maintenance (MA): System maintenance, tools Media Protection (MP): Media access, storage, transport Physical and Environmental Protection (PE): Physical access, monitoring Planning (PL): Security planning, rules of behavior Program Management (PM): Security program management Personnel Security (PS): Position categorization, screening PII Processing and Transparency (PT): Privacy controls Risk Assessment (RA): Risk assessment, vulnerability scanning System and Services Acquisition (SA): Acquisition process, supply chain System and Communications Protection (SC): Application partitioning, boundary protection System and Information Integrity (SI): Flaw remediation, malicious code protection Supply Chain Risk Management (SR): Supply chain security

Control Baselines

Low Impact: Basic protection (53 controls) Moderate Impact: Moderate protection (325 controls) High Impact: High protection (421 controls)

Control Enhancement Levels

  • Base control
  • Enhancements (1), (2), (3), etc.
  • Example: AC-2(1), AC-2(2)

NIST Cybersecurity Framework (CSF) 2.0

Full Title: Framework for Improving Critical Infrastructure Cybersecurity

Purpose: Voluntary framework for managing cybersecurity risks.

URL: https://www.nist.gov/cyberframework

CSF 2.0 Functions

Govern (GV): NEW in CSF 2.0

  • Organizational context
  • Risk management strategy
  • Roles, responsibilities, and authorities
  • Policy
  • Oversight
  • Cybersecurity supply chain risk management

Identify (ID):

  • Asset Management (ID.AM)
  • Risk Assessment (ID.RA)
  • Improvement (ID.IM)

Protect (PR):

  • Identity Management, Authentication and Access Control (PR.AA)
  • Awareness and Training (PR.AT)
  • Data Security (PR.DS)
  • Platform Security (PR.PS)
  • Technology Infrastructure Resilience (PR.IR)

Detect (DE):

  • Continuous Monitoring (DE.CM)
  • Adverse Event Analysis (DE.AE)

Respond (RS):

  • Incident Management (RS.MA)
  • Incident Analysis (RS.AN)
  • Incident Response Reporting and Communication (RS.CO)
  • Incident Mitigation (RS.MI)

Recover (RC):

  • Incident Recovery Plan Execution (RC.RP)
  • Incident Recovery Communication (RC.CO)

Implementation Tiers

Tier 1: Partial

  • Risk management is ad hoc
  • Limited awareness
  • Reactive approach

Tier 2: Risk Informed

  • Risk management practices approved but not policy
  • Awareness exists but not formalized
  • Some processes in place

Tier 3: Repeatable

  • Risk management practices are formal policy
  • Organization-wide awareness
  • Consistent implementation

Tier 4: Adaptive

  • Proactive risk management
  • Continuous improvement
  • Advanced and innovative practices

NIST SP 800-171 Rev 2

Full Title: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Purpose: Protect Controlled Unclassified Information (CUI) in non-federal systems.

URL: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final

14 Requirement Families (110 requirements)

  1. Access Control (AC): 22 requirements
  2. Awareness and Training (AT): 3 requirements
  3. Audit and Accountability (AU): 9 requirements
  4. Configuration Management (CM): 9 requirements
  5. Identification and Authentication (IA): 11 requirements
  6. Incident Response (IR): 5 requirements
  7. Maintenance (MA): 5 requirements
  8. Media Protection (MP): 7 requirements
  9. Personnel Security (PS): 2 requirements
  10. Physical Protection (PE): 6 requirements
  11. Risk Assessment (RA): 3 requirements
  12. Security Assessment (CA): 7 requirements
  13. System and Communications Protection (SC): 17 requirements
  14. System and Information Integrity (SI): 7 requirements

Applicability

Required for:

  • Federal contractors handling CUI
  • Defense Industrial Base (DIB)
  • Organizations with Federal Acquisition Regulation (FAR) contracts
  • DFARS 252.204-7012 compliance

NIST Special Publications

Key Security Publications:

  • SP 800-53: Security controls catalog
  • SP 800-171: CUI protection
  • SP 800-37: Risk Management Framework
  • SP 800-30: Risk assessment guide
  • SP 800-61: Incident handling guide
  • SP 800-115: Technical security testing
  • SP 800-190: Container security

URL: https://csrc.nist.gov/publications/sp

References

Key NIST Resources:

NSA Cybersecurity Guidance

Overview

Full Name: National Security Agency Cybersecurity Directorate Authority: U.S. National Security Agency Focus: Defense-grade security, classified systems, advanced threats Applicability: DoD, Intelligence Community, NSS, defense contractors

About NSA Cybersecurity

NSA Cybersecurity prevents and eradicates threats to U.S. national security systems with an integrated approach that includes strong cyber defense, integrated cyber intelligence, and resilient solutions.

URL: https://www.nsa.gov/What-We-Do/Cybersecurity/

NSA Key Technologies

Security-Enhanced Linux (SELinux)

Development: Created by NSA Purpose: Mandatory Access Control (MAC) for Linux Status: Integrated into Linux kernel

Key Features:

  • Mandatory access controls
  • Role-based access control (RBAC)
  • Type enforcement (TE)
  • Multi-level security (MLS)
  • Multi-category security (MCS)

URL: https://www.nsa.gov/What-We-Do/Research/SELinux/

SELinux Modes:

  • Enforcing: Denies access based on policy
  • Permissive: Logs but doesn't deny (testing mode)
  • Disabled: SELinux not active

SELinux Policies:

  • Targeted: Default policy, selected processes confined
  • Strict: All processes confined
  • MLS: Multi-level security policy

Commercial Solutions for Classified (CSfC)

Purpose: NSA-approved commercial products to protect classified information.

Components Program: List of approved products that can be layered for classified protection.

Capability Packages: Guidance on layering commercial products.

URL: https://www.nsa.gov/Resources/Commercial-Solutions-for-Classified-Program/

NSA Cybersecurity Guidance Documents

Cybersecurity Technical Reports (CTRs)

Topics:

  • System hardening
  • Network security
  • Cryptography
  • Insider threat mitigation
  • Supply chain security

Recent CTRs:

  • Linux Hardening Guidance
  • Kubernetes Hardening Guidance
  • Network Infrastructure Security Guidance
  • Securing Wireless Devices
  • Mitigating Cloud Vulnerabilities

URL: https://www.nsa.gov/Press-Room/Cybersecurity-Advisories-Guidance/

Cybersecurity Information Sheets (CSIs)

Quick-reference security guidance on specific topics.

Topics:

  • Secure communications
  • Authentication best practices
  • Zero trust principles
  • Encrypted DNS
  • Software supply chain

URL: https://www.nsa.gov/Press-Room/Cybersecurity-Advisories-Guidance/

Cybersecurity Advisories

Time-sensitive information about cyber threats and vulnerabilities.

Types:

  • CVE-based advisories
  • Threat actor TTPs
  • Mitigation guidance
  • Detection signatures

URL: https://www.nsa.gov/Press-Room/Cybersecurity-Advisories-Guidance/

NSA Security Configuration Guides

Operating System Hardening

  • Linux hardening
  • Windows hardening
  • Network device hardening
  • Mobile device security

Application Security

  • Web server security
  • Database security
  • Email security
  • DNS security

Network Security

  • Network segmentation
  • Boundary protection
  • Secure protocols
  • IPsec and VPN

Cryptographic Standards

NSA works with NIST on cryptographic standards:

  • Suite B Cryptography (legacy): RSA, ECC, SHA, AES
  • Commercial National Security Algorithm (CNSA) Suite: Post-quantum preparation
  • FIPS 140-2/140-3: Cryptographic module validation

URL: https://www.nsa.gov/Cybersecurity/Cryptographic-Capabilities/

References

Key NSA Resources:

DISA STIGs

Overview

Full Name: Defense Information Systems Agency Security Technical Implementation Guides Authority: U.S. Department of Defense Focus: DoD security requirements for information systems Applicability: DoD systems, defense contractors, federal agencies

About DISA

The Defense Information Systems Agency (DISA) provides IT and communications support to the President, Vice President, Secretary of Defense, and other DoD components.

URL: https://public.cyber.mil/

STIG Overview

STIGs are configuration standards for DoD systems. They contain technical guidance to "lock down" information systems to protect against threats.

URL: https://public.cyber.mil/stigs/

STIG Structure

Finding Severity Categories

CAT I (High/Critical):

  • Severity: High
  • Description: Vulnerabilities that allow attacker to compromise system
  • Remediation: Immediate
  • Impact: Loss of confidentiality, integrity, or availability
  • Example: Default passwords, unpatched critical vulnerabilities

CAT II (Medium):

  • Severity: Medium
  • Description: Vulnerabilities that could result in compromise
  • Remediation: Within 30 days
  • Impact: Potential loss of confidentiality, integrity, or availability
  • Example: Weak authentication, insufficient logging

CAT III (Low):

  • Severity: Low
  • Description: Vulnerabilities that degrade security
  • Remediation: Within 90 days
  • Impact: Minor security degradation
  • Example: Missing security banners, incomplete documentation

STIG Components

Vulnerability ID (VID): Unique identifier (V-XXXXXX) Rule ID: STIG rule identifier (SV-XXXXXX) STIG ID: Control identifier Severity: CAT I, CAT II, or CAT III Check Text: How to verify compliance Fix Text: How to remediate

Linux STIG Coverage

Operating System STIGs

Red Hat Enterprise Linux (RHEL):

  • RHEL 7 STIG
  • RHEL 8 STIG
  • RHEL 9 STIG

URL: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux

Ubuntu:

  • Ubuntu 20.04 LTS STIG
  • Ubuntu 22.04 LTS STIG

General Purpose Operating System STIG:

  • Applies to various Linux distributions
  • Generic Unix/Linux guidance

STIG Requirements Categories

Access Control:

  • Account management
  • Access enforcement
  • Least privilege
  • Remote access

Audit and Accountability:

  • Audit generation
  • Audit review
  • Audit protection
  • Clock synchronization

Identification and Authentication:

  • User identification
  • Device identification
  • Authenticator management
  • Session controls

System and Information Integrity:

  • Flaw remediation
  • Malicious code protection
  • System monitoring
  • Software integrity

Configuration Management:

  • Baseline configuration
  • Change control
  • Least functionality
  • Security settings

System and Communications Protection:

  • Application separation
  • Cryptographic protection
  • Network security
  • Session management

Security Requirements Guide (SRG)

Purpose: High-level security requirements that STIGs implement.

Hierarchy:

DoD Instruction 8500.01
    v
Security Requirements Guide (SRG)
    v
Security Technical Implementation Guide (STIG)

URL: https://public.cyber.mil/stigs/srg-stig-tools/

STIG Compliance Tools

SCC (SCAP Compliance Checker)

DISA's official STIG compliance scanning tool.

Features:

  • Automated STIG compliance checking
  • SCAP 1.2/1.3 support
  • Results in CKL format

URL: https://public.cyber.mil/stigs/scap/

STIG Viewer

View and manage STIG checklists.

Features:

  • Read XCCDF and CKL files
  • Create checklist files
  • Export reports

URL: https://public.cyber.mil/stigs/srg-stig-tools/

Assessment and Authorization (A&A)

STIGs are part of the Risk Management Framework (RMF) process:

  1. Categorize: Determine system impact level
  2. Select: Choose security controls
  3. Implement: Apply STIGs
  4. Assess: Verify STIG compliance
  5. Authorize: ATO decision
  6. Monitor: Continuous monitoring

References

Key DISA Resources:

ACSC Essential 8

Overview

Focus: Australian Cyber Security Centre Essential 8 + Information Security Manual (ISM) Authority: Australian Cyber Security Centre (ACSC), Australian Signals Directorate (ASD) Applicability: Australian Government, critical infrastructure, defense

Standards Sources

Essential Eight Maturity Model

The Essential Eight is a baseline of mitigation strategies for organizations to mitigate cybersecurity incidents. It defines three maturity levels (ML1, ML2, ML3).

The Essential Eight strategies:

  1. Application Control - allowlist applications
  2. Patch Applications - keep applications current
  3. Configure Microsoft Office Macro Settings - restrict macro execution
  4. User Application Hardening - harden web browsers, PDF readers, etc.
  5. Restrict Administrative Privileges - least privilege
  6. Patch Operating Systems - keep OS current
  7. Multi-Factor Authentication - phishing-resistant where possible
  8. Regular Backups - tested, isolated, retained

Information Security Manual (ISM)

A comprehensive cyber security framework for Australian Government entities.

Implementation in Audit Tool

The ACSC module evaluates host-side technical indicators of E8 ML1-3 controls: allowlisting (AppArmor/SELinux/fapolicyd), patching (unattended-upgrades), hardening (kernel sysctls), MFA (PAM modules), and backups (rsync/borg/restic).


CMMC

Overview

Focus: DoD Cybersecurity Maturity Model Certification 2.0 Authority: U.S. Department of Defense (DoD), CMMC Accreditation Body Applicability: Defense Industrial Base (DIB) contractors handling Controlled Unclassified Information (CUI)

Standards Sources

CMMC 2.0 Framework

Three certification levels:

  • Level 1 (Foundational): 17 basic safeguarding requirements (FAR 52.204-21)
  • Level 2 (Advanced): 110 NIST SP 800-171 Rev 2 practices
  • Level 3 (Expert): NIST SP 800-172 enhanced security requirements

URLs:

DFARS Clauses

  • DFARS 252.204-7012 - CUI safeguarding and incident reporting
  • DFARS 252.204-7019 - SPRS (Supplier Performance Risk System)
  • DFARS 252.204-7020 - NIST SP 800-171 DoD Assessment

URL: https://www.acquisition.gov/dfars

Implementation in Audit Tool

The CMMC module evaluates host-level technical controls aligning to CMMC L1 basic safeguarding, L2 NIST 800-171 controls (across 14 control families), and L3 NIST 800-172 enhanced practices (penetration resistance, threat hunting, cyber resiliency).


Distribution-Specific Baselines

Overview

Focus: Distribution-specific hardening baselines for Linux distributions Authority: Distribution maintainers, security teams, vendor hardening guides Applicability: Multi-distribution Linux fleets

Standards Sources

Debian Hardening Manual

Red Hat Enterprise Linux 9 Security Guide

Ubuntu Security Guide (USG)

SUSE Linux Enterprise Security Guide

Arch Linux Security

Implementation in Audit Tool

The DistBaseline module performs OS-family-aware hardening verification. Checks fire conditionally based on detected distribution. Coverage includes mount options, systemd unit hardening, boot security, crypto policies, kernel features, time sync, account security, audit dispatcher, and per-distro extended checks.


EDR (MITRE ATT&CK)

Overview

Focus: Endpoint Detection & Response posture and MITRE ATT&CK technique coverage Authority: MITRE Corporation; commercial EDR vendors Applicability: All organizations measuring detection capability

Standards Sources

MITRE ATT&CK Framework

A globally-accessible knowledge base of adversary tactics and techniques.

Covered tactics (selected):

  • TA0003 Persistence - T1543 (System Process), T1547 (Boot/Logon Autostart), T1053 (Scheduled Task), T1546 (Event Triggered Execution)
  • TA0005 Defense Evasion - T1070 (Indicator Removal), T1562 (Impair Defenses)

NIST SP 800-94 - Guide to Intrusion Detection and Prevention Systems

Implementation in Audit Tool

The EDR module evaluates the host's detection posture: presence of EDR products (Defender, CrowdStrike, SentinelOne, Falco, Wazuh, osquery), auditd ruleset depth for ATT&CK technique coverage, eBPF/LSM capability, container runtime visibility, and process accounting.


GDPR

Overview

Focus: EU General Data Protection Regulation technical and organizational measures Authority: European Union (Regulation (EU) 2016/679) Applicability: Any organization processing personal data of EU residents

Standards Sources

Regulation (EU) 2016/679 - GDPR

Key articles audited:

  • Article 5 - Principles relating to processing of personal data
  • Article 17 - Right to erasure ("right to be forgotten")
  • Article 25 - Data protection by design and by default
  • Article 30 - Records of processing activities
  • Article 32 - Security of processing
  • Article 33 - Notification of personal data breach to supervisory authority
  • Article 44 - General principle for transfers (international)

Implementation in Audit Tool

The GDPR module audits host-level technical controls supporting GDPR compliance: log retention (Article 5), secure deletion (Article 17), default-restrictive permissions (Article 25), audit logging (Article 30), pseudonymization libraries and encryption (Article 32), log forwarding for breach detection (Article 33), and VPN/encryption tools for international transfers (Article 44).


HIPAA

Overview

Focus: US HIPAA Security Rule (45 CFR Part 164) Authority: U.S. Department of Health and Human Services (HHS) Applicability: Covered entities and business associates handling PHI

Standards Sources

45 CFR Part 164 - HIPAA Security Rule

Subparts audited:

  • Subpart C - 164.302-318 - Security Standards for the Protection of EPHI
    • 164.308 Administrative Safeguards
    • 164.310 Physical Safeguards
    • 164.312 Technical Safeguards
    • 164.314 Organizational Requirements
    • 164.316 Policies and Procedures Requirements
  • Subpart D - 164.400-414 - Notification in the Case of Breach of Unsecured Protected Health Information

NIST SP 800-66 Rev 2 - Implementing the HIPAA Security Rule

Implementation in Audit Tool

The HIPAA module audits host-level technical and administrative safeguards: account lifecycle (164.308), USB/physical access controls (164.310), unique user IDs and encryption (164.312), policy/procedure indicators (164.316), and breach notification readiness (Subpart D).


PCI DSS

Overview

Focus: Payment Card Industry Data Security Standard v4.0 Authority: PCI Security Standards Council (PCI SSC) Applicability: Any entity that stores, processes, or transmits cardholder data

Standards Sources

PCI DSS v4.0.1

The 12 Requirements:

  1. Install and maintain network security controls
  2. Apply secure configurations to all system components
  3. Protect stored account data
  4. Protect cardholder data with strong cryptography during transmission
  5. Protect all systems and networks from malicious software
  6. Develop and maintain secure systems and software
  7. Restrict access to system components and cardholder data by business need-to-know
  8. Identify users and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Log and monitor all access to system components and cardholder data
  11. Test security of systems and networks regularly
  12. Support information security with organizational policies and programs

Implementation in Audit Tool

The PCI-DSS module audits host-level technical controls aligning to all 12 PCI DSS v4.0.1 requirements: firewall (Req 1), secure configurations (Req 2), LUKS and FIPS (Req 3), TLS 1.2+ and SSH cipher hardening (Req 4), AV/EDR (Req 5), patch automation (Req 6), least privilege (Req 7), MFA and faillock (Req 8), USB controls (Req 9), auditd with comprehensive ruleset and remote forwarding (Req 10), vulnerability scanning and FIM (Req 11), policy indicators (Req 12).


SOC 2

Overview

Focus: AICPA Trust Services Criteria for SOC 2 reports Authority: American Institute of Certified Public Accountants (AICPA) Applicability: Service organizations subject to SOC 2 Type II

Standards Sources

AICPA Trust Services Criteria (2017, with 2022 updates)

Trust Services Criteria:

  • Security (Common Criteria) - CC1 through CC9
  • Availability (A1)
  • Confidentiality (C1)
  • Processing Integrity (PI)
  • Privacy (P)

Implementation in Audit Tool

The SOC2 module audits host-level technical controls supporting all five trust principles. Common Criteria coverage: control environment (CC1), communication (CC2), risk assessment (CC3), monitoring (CC4), control activities (CC5), logical access (CC6), system operations (CC7), change management (CC8), risk mitigation (CC9). Additional coverage: backups (A1), encryption (C1), FIM (PI), pseudonymization and erasure (P).


Framework Comparison

Comparative Analysis

Framework Prescriptive Risk-Based Certification Global U.S. Federal Defense/Intel
Core Low High No Yes No No
CIS Medium Medium No Yes No No
CISA Medium High No Yes Yes Partial
ENISA Low High No EU No No
ISO 27001 Medium High Yes Yes No No
NIST 800-53 High Medium No No Yes Yes
NIST CSF Low High No Yes Partial No
NSA High Medium No No Yes Yes
STIG Very High Low No No Yes Yes

Framework Selection Guide

For General Organizations:

Start with: Core + CIS
Add for certification: ISO 27001
Add for best practices: NIST CSF

For U.S. Federal Agencies:

Required: NIST 800-53 + CISA directives
Add: NIST CSF
Defense: Add STIG + NSA

For Defense Contractors:

Required: STIG + NIST 800-171
Recommended: NSA + CISA
Foundation: Core + CIS

For EU Organizations:

Required: ENISA (if critical infrastructure)
Add for certification: ISO 27001
Foundation: Core + CIS

For Critical Infrastructure:

U.S.: CISA + NIST CSF + CIS
EU: ENISA + ISO 27001 + CIS
Defense: Add NSA + STIG

Compliance Mapping

Control Mapping Examples

Common security controls across frameworks:

Password Policy

Framework Control ID Requirement
Core Password Policy Complexity, aging, history
CIS 5.4.1 Password expiration <= 365 days
ISO 27001 A.5.17 Authentication information
NIST 800-53 IA-5 Authenticator management
STIG V-204392 Password minimum length 15 chars

Audit Logging

Framework Control ID Requirement
Core Audit Logging Comprehensive logging enabled
CIS 4.1 auditd installed and enabled
ISO 27001 A.8.15 Logging
NIST 800-53 AU-2 Audit events
NIST CSF DE.CM Continuous monitoring
STIG V-204486 Audit events for account access

Encryption

Framework Control ID Requirement
Core Data Protection Encryption at rest and in transit
CIS Multiple Cryptographic configuration
ENISA Cryptographic Controls Strong cryptography
ISO 27001 A.8.24 Use of cryptography
NIST 800-53 SC-8 Transmission confidentiality
NSA Crypto Standards CNSA Suite algorithms

Compliance Attestation

Organizations often need to attest compliance to multiple frameworks:

Example: Financial Services Company

  • Required: ISO 27001 (certification)
  • Required: SOX (Sarbanes-Oxley)
  • Industry: PCI-DSS
  • Foundation: CIS Benchmarks

Implementation: Use Core + CIS as baseline, implement ISO 27001 ISMS, map to PCI-DSS

Example: Defense Contractor

  • Required: NIST 800-171 (CUI protection)
  • Required: DFARS 252.204-7012
  • Required: STIGs (contract-specific)
  • Recommended: NSA guidance

Implementation: Implement STIGs fully, verify NIST 800-171 compliance, add NSA hardening

Additional Resources

Framework Documentation:

Standards Organizations:


<- Back to Module Documentation | Home | Next: Development Guide ->

Linux Security Audit

Version 3.9 - 16 modules - 2,297 checks


Getting Started


Reference


Architecture


Operations


Release Information


Quick Reference

Original modules (v2.0 baseline + v3.3 expansion)

Core - CIS - CISA - ENISA - ISO 27001 - NIST - NSA - STIG

New modules (v3.0+ Phase 3)

ACSC - CMMC - DistBaseline - EDR - GDPR - HIPAA - PCI-DSS - SOC2

Output Formats

HTML - JSON - CSV - XML - Console

Status Values

Pass - Fail - Warning - Info - Error

Severity Levels

Critical - High - Medium - Low - Informational


External Links

Clone this wiki locally