-
Notifications
You must be signed in to change notification settings - Fork 2
Framework Reference
This guide provides documentation of the security frameworks, standards, and compliance requirements implemented by the Linux Security Audit Project, including authoritative sources, key concepts, and practical applications.
- Framework Overview
- Core Security Best Practices
- CIS Benchmarks
- CISA Cybersecurity Guidance
- ENISA Cybersecurity Guidelines
- ISO/IEC 27001
- NIST Frameworks
- NSA Cybersecurity Guidance
- DISA STIGs
The Linux Security Audit Project implements 16 distinct security frameworks: Core, CIS, CISA, ENISA, ISO27001, NIST, NSA, STIG, ACSC, CMMC, DistBaseline, EDR, GDPR, HIPAA, PCI-DSS, and SOC2. Each framework has specific focus areas, compliance requirements, and target audiences.
Industry Standards:
- CIS Benchmarks: Consensus-based security configurations
- ISO/IEC 27001/27017/27018/27701: International infosec, cloud, PII, privacy
US Government Frameworks:
- NIST 800-53 R5, CSF 2.0, 800-171, 800-207, 800-161
- DISA STIGs: Department of Defense security standards
- NSA: Advanced security hardening and classified systems (CSfC)
- CISA: Critical infrastructure protection (CPG, ZTMM, BOD)
- CMMC: Defense Industrial Base certification
Regional / National Standards:
- ENISA: EU cybersecurity guidelines (NIS2, DORA, EU-CSA)
- ACSC: Australian Cyber Security Centre Essential 8 / ISM
Privacy & Sectoral Regulations:
- GDPR: EU General Data Protection Regulation
- HIPAA: US healthcare data privacy/security
- PCI DSS: Payment card industry standard
- SOC 2: Service organization Trust Service Criteria
Detection & Response:
- EDR / MITRE ATT&CK: Endpoint detection capability indicators
Baseline:
- Core: Industry best practices and vendor-specific guidance
- DistBaseline: Distribution-specific hardening (Debian, RHEL, SUSE, Arch)
Focus: Fundamental security baseline for all Linux systems Authority: Industry consensus, vendor security guides Applicability: Universal - all Linux environments
- Open Source Security Foundation (OpenSSF)
- Linux Foundation Best Practices
- Secure Software Development Fundamentals
URL: https://www.linuxfoundation.org/projects/security
Debian Security Manual
- Debian-specific security configurations
- Security update procedures
- Package management security
- Security advisories (DSA)
URL: https://www.debian.org/security/
Red Hat Security Guide
- RHEL security best practices
- SELinux implementation
- Security advisories (RHSA)
- Enterprise security configurations
URL: https://access.redhat.com/security/
Ubuntu Security Notices
- Ubuntu-specific security updates
- USN (Ubuntu Security Notice) tracking
- AppArmor configuration
- Security hardening guides
URL: https://ubuntu.com/security/notices
SANS Institute
- Critical Security Controls (now CIS Controls)
- System hardening guidelines
- Security best practices
OWASP (Open Web Application Security Project)
- Application security guidelines
- Security testing methodologies
- Common vulnerabilities
URL: https://owasp.org/
Multiple layers of security controls:
- Perimeter (firewall, network security)
- Host (system hardening, access control)
- Application (service security, sandboxing)
- Data (encryption, access controls)
- Minimal permissions for users and processes
- Need-to-know access
- Regular privilege reviews
- Separation of duties
- Default deny policies
- Minimal initial attack surface
- Secure default configurations
- Hardened baselines
- Regular security updates
- Vulnerability tracking
- Timely patch application
- Testing before deployment
The Core module checks are derived from:
- OS vendor security documentation
- Industry best practices consensus
- Common security misconfigurations
- Real-world security incidents
Full Name: Center for Internet Security Benchmarks Authority: Center for Internet Security (CIS) Version: CIS Benchmarks for Linux (Distribution-specific) Applicability: All organizations seeking security baselines
The Center for Internet Security is a nonprofit organization that develops consensus-based security configuration guidelines. CIS Benchmarks are created through a global community of cybersecurity experts.
URL: https://www.cisecurity.org/
CIS Benchmark
+-- Section 1: Initial Setup
| +-- 1.1 Filesystem Configuration
| +-- 1.2 Software Updates
| +-- 1.3 Filesystem Integrity
| +-- 1.4 Secure Boot
| +-- 1.5 Process Hardening
| `-- 1.6 Mandatory Access Control
+-- Section 2: Services
| +-- 2.1 Time Synchronization
| +-- 2.2 Special Purpose Services
| `-- 2.3 Service Clients
+-- Section 3: Network Configuration
| +-- 3.1 Network Parameters (Host)
| +-- 3.2 Network Parameters (Host/Router)
| +-- 3.3 IPv6
| `-- 3.4 Uncommon Protocols
+-- Section 4: Logging and Auditing
| +-- 4.1 System Accounting (auditd)
| `-- 4.2 Logging Configuration
+-- Section 5: Access, Authentication, Authorization
| +-- 5.1 Cron Configuration
| +-- 5.2 SSH Configuration
| +-- 5.3 PAM Configuration
| +-- 5.4 User Accounts
| +-- 5.5 Root Login Restrictions
| `-- 5.6 su Command Restrictions
`-- Section 6: System Maintenance
+-- 6.1 System File Permissions
`-- 6.2 User and Group Settings
- Purpose: Basic security with minimal impact
- Characteristics: Low risk, practical for most systems
- Impact: Minimal service disruption
- Recommendation: All production systems
Example Controls:
- Disable unused filesystems
- Configure software updates
- Set secure file permissions
- Enable basic auditing
- Configure SSH securely
- Purpose: Defense-in-depth with higher security
- Characteristics: More restrictive, potential operational impact
- Impact: May affect functionality
- Recommendation: High-security environments
Example Controls:
- Separate partitions for all sensitive directories
- Comprehensive audit logging
- Strict access controls
- Advanced network hardening
- Mandatory Access Control (MAC)
CIS provides distribution-specific benchmarks:
Ubuntu Linux:
- CIS Ubuntu Linux 20.04 LTS Benchmark
- CIS Ubuntu Linux 22.04 LTS Benchmark
- CIS Ubuntu Linux 24.04 LTS Benchmark
Red Hat Enterprise Linux:
- CIS Red Hat Enterprise Linux 7 Benchmark
- CIS Red Hat Enterprise Linux 8 Benchmark
- CIS Red Hat Enterprise Linux 9 Benchmark
Debian Linux:
- CIS Debian Linux 10 Benchmark
- CIS Debian Linux 11 Benchmark
- CIS Debian Linux 12 Benchmark
- Can be automatically verified
- Pass/Fail determination
- Counted in compliance score
- Example: "Ensure SSH root login is disabled"
- Require manual verification
- Organizational policy dependent
- Guidance provided, not enforced
- Example: "Ensure security policies are documented"
Official CIS Resources:
- CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks/
- CIS Controls: https://www.cisecurity.org/controls/
- CIS Hardened Images: https://www.cisecurity.org/cis-hardened-images/
Full Name: Cybersecurity and Infrastructure Security Agency Authority: U.S. Department of Homeland Security Focus: Critical infrastructure protection and cybersecurity Applicability: Federal agencies, critical infrastructure, state/local governments
CISA leads the national effort to understand, manage, and reduce risk to cyber and physical infrastructure. It provides cybersecurity guidance, tools, and services for government and private sector organizations.
Compulsory directives for federal civilian executive branch agencies.
BOD 18-01: Enhanced Email and Web Security
- DMARC implementation
- Email authentication (SPF, DKIM)
- Web security headers
- HTTPS enforcement
URL: https://cyber.dhs.gov/bod/18-01/
BOD 19-02: Vulnerability Remediation Requirements
- Critical vulnerability remediation within 15 days
- High vulnerability remediation within 30 days
- Vulnerability scanning requirements
URL: https://cyber.dhs.gov/bod/19-02/
BOD 20-01: Vulnerability Disclosure Policy
- Develop vulnerability disclosure policy
- Create security.txt file
- Establish reporting mechanisms
URL: https://cyber.dhs.gov/bod/20-01/
BOD 22-01: Known Exploited Vulnerabilities
- Remediate KEV catalog vulnerabilities
- Track actively exploited vulnerabilities
- Automated patch management
URL: https://www.cisa.gov/known-exploited-vulnerabilities
BOD 23-01: Asset Visibility and Vulnerability Detection
- Comprehensive asset inventory
- Vulnerability detection capabilities
- Network segmentation verification
URL: https://www.cisa.gov/news-events/directives/bod-23-01
Require immediate action due to known or actively exploited vulnerabilities.
Characteristics:
- Issued for critical threats
- Immediate compliance required
- Time-sensitive actions
- Address zero-day vulnerabilities
Recent Examples:
- ED 21-01: Mitigate Microsoft Exchange vulnerabilities
- ED 22-02: Mitigate Apache Log4j vulnerabilities
- ED 23-02: Mitigate Ivanti vulnerabilities
URL: https://www.cisa.gov/emergency-directives
Purpose: Prioritize vulnerabilities based on active exploitation
Inclusion Criteria:
- Assigned CVE ID
- Known exploited in the wild
- Remediation action available
URL: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Voluntary baseline cybersecurity practices for critical infrastructure.
Focus Areas:
- Account security
- Device security
- Data security
- Governance and training
- Vulnerability management
- Supply chain security
Regular threat intelligence and mitigation guidance.
Topics:
- Ransomware guidance
- Phishing defense
- Insider threat mitigation
- Supply chain security
- Cloud security
URL: https://www.cisa.gov/insights
CISA provides sector-specific guidance for:
- Chemical
- Commercial Facilities
- Communications
- Critical Manufacturing
- Dams
- Defense Industrial Base
- Emergency Services
- Energy
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors
- Transportation Systems
- Water and Wastewater
Key CISA Resources:
- CISA Homepage: https://www.cisa.gov/
- Alerts & Advisories: https://www.cisa.gov/news-events/cybersecurity-advisories
- Free Cybersecurity Services: https://www.cisa.gov/resources-tools/resources/free-cybersecurity-services-and-tools
- Shields Up: https://www.cisa.gov/shields-up
Full Name: European Union Agency for Cybersecurity Authority: European Union Focus: EU-wide cybersecurity policy and standards Applicability: EU member states, organizations operating in EU
ENISA contributes to EU cyber policy, enhances the trustworthiness of ICT products, services, and processes, and cooperates with EU member states and institutions to develop a culture of network and information security.
URL: https://www.enisa.europa.eu/
Core security measures for all organizations.
Categories:
- Organizational security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development, and maintenance
- Information security incident management
- Business continuity management
- Compliance
URL: https://www.enisa.europa.eu/topics/cybersecurity-policy
Annual report on cybersecurity threats affecting the EU.
ENISA Threat Landscape (ETL) Topics:
- Ransomware
- Malware
- Social engineering
- Data-related threats
- DDoS attacks
- Supply chain attacks
- Identity theft
URL: https://www.enisa.europa.eu/topics/cyber-threats
Secure Software Development:
- Secure coding practices
- Security testing integration
- DevSecOps guidelines
- Supply chain security
Cloud Security:
- Cloud security certification schemes
- Secure cloud adoption
- Multi-cloud security
- Cloud incident response
IoT Security:
- IoT security baseline
- Secure lifecycle management
- IoT risk assessment
- Device certification
URL: https://www.enisa.europa.eu/topics/
Network and Information Security Directive (revised).
Requirements:
- Risk management measures
- Business continuity
- Supply chain security
- Incident handling
- Vulnerability disclosure
URL: https://www.enisa.europa.eu/topics/nis-directive
General Data Protection Regulation security requirements.
Security Principles:
- Security of processing (Article 32)
- Data protection by design and default
- Personal data breach notification
- Data protection impact assessment
URL: https://gdpr.eu/
EU-wide certification framework for ICT products and services.
Assurance Levels:
- Basic
- Substantial
- High
URL: https://www.enisa.europa.eu/topics/eu-cybersecurity-certification-framework
Cybersecurity Guide for SMEs:
- Practical security measures
- Budget-conscious solutions
- Risk-based approach
- Step-by-step implementation
5G Cybersecurity Standards:
- 5G network security
- Edge computing security
- Network slicing security
Incident Response Guidelines:
- Incident classification
- Response procedures
- Information sharing
- Recovery strategies
Key ENISA Resources:
- ENISA Homepage: https://www.enisa.europa.eu/
- Publications: https://www.enisa.europa.eu/publications
- Threat Landscape: https://www.enisa.europa.eu/topics/cyber-threats/threats-and-trends
- Good Practices: https://www.enisa.europa.eu/topics/csirts-in-europe/glossary/good-practices
Full Name: ISO/IEC 27001:2022 Information Security Management Authority: International Organization for Standardization (ISO) Version: ISO/IEC 27001:2022 (current), ISO/IEC 27001:2013 (previous) Applicability: Global - all organizations implementing ISMS
ISO/IEC 27001 is the international standard for information security management systems (ISMS). It provides requirements for establishing, implementing, maintaining, and continually improving an ISMS.
URL: https://www.iso.org/isoiec-27001-information-security.html
Clauses 4-10: ISMS Requirements
- Context of the organization
- Leadership
- Planning
- Support
- Operation
- Performance evaluation
- Improvement
Annex A: Information Security Controls
- 93 controls organized into 4 themes
- Controls are derived from ISO/IEC 27002:2022
- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Supplier relationships
Example Controls:
- A.5.1: Policies for information security
- A.5.7: Threat intelligence
- A.5.23: Information security for cloud services
- A.5.37: Documented operating procedures
- Pre-employment screening
- Terms and conditions of employment
- Information security awareness
- Disciplinary process
Example Controls:
- A.6.1: Screening
- A.6.2: Terms and conditions of employment
- A.6.3: Information security awareness, education, and training
- A.6.8: Information security event reporting
- Physical security perimeters
- Physical entry controls
- Securing offices, rooms, and facilities
- Protecting against threats
- Equipment security
Example Controls:
- A.7.1: Physical security perimeters
- A.7.2: Physical entry
- A.7.4: Physical security monitoring
- A.7.7: Clear desk and clear screen
- User endpoint devices
- Privileged access rights
- Information access restriction
- Secure authentication
- Cryptographic controls
- Network security
- Secure development
Example Controls:
- A.8.1: User endpoint devices
- A.8.2: Privileged access rights
- A.8.3: Information access restriction
- A.8.5: Secure authentication
- A.8.9: Configuration management
- A.8.24: Use of cryptography
Companion Standard: Code of practice providing implementation guidance for ISO 27001 Annex A controls.
Structure:
- Detailed implementation guidance
- Purpose and control objective
- Guidance sections
- Additional information
URL: https://www.iso.org/standard/75652.html
Steps to ISO 27001 Certification:
- Gap analysis against standard
- ISMS implementation
- Internal audit
- Management review
- Stage 1 audit (documentation review)
- Stage 2 audit (implementation verification)
- Certification decision
- Surveillance audits (annual)
- Recertification (every 3 years)
ISO/IEC 27000 Family:
- 27000: Vocabulary and overview
- 27001: Requirements (certifiable)
- 27002: Code of practice
- 27003: ISMS implementation guidance
- 27004: Monitoring, measurement, analysis, and evaluation
- 27005: Information security risk management
- 27017: Cloud services information security
- 27018: Cloud privacy
- 27701: Privacy information management
Key ISO Resources:
- ISO 27001: https://www.iso.org/isoiec-27001-information-security.html
- ISO 27002: https://www.iso.org/standard/75652.html
- ISO/IEC JTC 1/SC 27: https://www.iso.org/committee/45306.html
Full Name: National Institute of Standards and Technology Authority: U.S. Department of Commerce Focus: Federal information security standards and guidelines Applicability: Federal agencies, contractors, critical infrastructure
NIST develops cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies, and the broader public.
URL: https://www.nist.gov/cybersecurity
Full Title: Security and Privacy Controls for Information Systems and Organizations
Purpose: Comprehensive catalog of security and privacy controls for federal information systems and organizations.
URL: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Access Control (AC): Account management, access enforcement, least privilege Awareness and Training (AT): Security awareness, role-based training Audit and Accountability (AU): Audit logging, review, retention Assessment, Authorization, and Monitoring (CA): Security assessments, continuous monitoring Configuration Management (CM): Baseline configurations, change control Contingency Planning (CP): Incident response, disaster recovery Identification and Authentication (IA): User and device identification Incident Response (IR): Incident handling, reporting Maintenance (MA): System maintenance, tools Media Protection (MP): Media access, storage, transport Physical and Environmental Protection (PE): Physical access, monitoring Planning (PL): Security planning, rules of behavior Program Management (PM): Security program management Personnel Security (PS): Position categorization, screening PII Processing and Transparency (PT): Privacy controls Risk Assessment (RA): Risk assessment, vulnerability scanning System and Services Acquisition (SA): Acquisition process, supply chain System and Communications Protection (SC): Application partitioning, boundary protection System and Information Integrity (SI): Flaw remediation, malicious code protection Supply Chain Risk Management (SR): Supply chain security
Low Impact: Basic protection (53 controls) Moderate Impact: Moderate protection (325 controls) High Impact: High protection (421 controls)
- Base control
- Enhancements (1), (2), (3), etc.
- Example: AC-2(1), AC-2(2)
Full Title: Framework for Improving Critical Infrastructure Cybersecurity
Purpose: Voluntary framework for managing cybersecurity risks.
URL: https://www.nist.gov/cyberframework
Govern (GV): NEW in CSF 2.0
- Organizational context
- Risk management strategy
- Roles, responsibilities, and authorities
- Policy
- Oversight
- Cybersecurity supply chain risk management
Identify (ID):
- Asset Management (ID.AM)
- Risk Assessment (ID.RA)
- Improvement (ID.IM)
Protect (PR):
- Identity Management, Authentication and Access Control (PR.AA)
- Awareness and Training (PR.AT)
- Data Security (PR.DS)
- Platform Security (PR.PS)
- Technology Infrastructure Resilience (PR.IR)
Detect (DE):
- Continuous Monitoring (DE.CM)
- Adverse Event Analysis (DE.AE)
Respond (RS):
- Incident Management (RS.MA)
- Incident Analysis (RS.AN)
- Incident Response Reporting and Communication (RS.CO)
- Incident Mitigation (RS.MI)
Recover (RC):
- Incident Recovery Plan Execution (RC.RP)
- Incident Recovery Communication (RC.CO)
Tier 1: Partial
- Risk management is ad hoc
- Limited awareness
- Reactive approach
Tier 2: Risk Informed
- Risk management practices approved but not policy
- Awareness exists but not formalized
- Some processes in place
Tier 3: Repeatable
- Risk management practices are formal policy
- Organization-wide awareness
- Consistent implementation
Tier 4: Adaptive
- Proactive risk management
- Continuous improvement
- Advanced and innovative practices
Full Title: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
Purpose: Protect Controlled Unclassified Information (CUI) in non-federal systems.
URL: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
- Access Control (AC): 22 requirements
- Awareness and Training (AT): 3 requirements
- Audit and Accountability (AU): 9 requirements
- Configuration Management (CM): 9 requirements
- Identification and Authentication (IA): 11 requirements
- Incident Response (IR): 5 requirements
- Maintenance (MA): 5 requirements
- Media Protection (MP): 7 requirements
- Personnel Security (PS): 2 requirements
- Physical Protection (PE): 6 requirements
- Risk Assessment (RA): 3 requirements
- Security Assessment (CA): 7 requirements
- System and Communications Protection (SC): 17 requirements
- System and Information Integrity (SI): 7 requirements
Required for:
- Federal contractors handling CUI
- Defense Industrial Base (DIB)
- Organizations with Federal Acquisition Regulation (FAR) contracts
- DFARS 252.204-7012 compliance
Key Security Publications:
- SP 800-53: Security controls catalog
- SP 800-171: CUI protection
- SP 800-37: Risk Management Framework
- SP 800-30: Risk assessment guide
- SP 800-61: Incident handling guide
- SP 800-115: Technical security testing
- SP 800-190: Container security
URL: https://csrc.nist.gov/publications/sp
Key NIST Resources:
- NIST Cybersecurity: https://www.nist.gov/cybersecurity
- CSRC Publications: https://csrc.nist.gov/publications
- Cybersecurity Framework: https://www.nist.gov/cyberframework
- National Vulnerability Database: https://nvd.nist.gov/
Full Name: National Security Agency Cybersecurity Directorate Authority: U.S. National Security Agency Focus: Defense-grade security, classified systems, advanced threats Applicability: DoD, Intelligence Community, NSS, defense contractors
NSA Cybersecurity prevents and eradicates threats to U.S. national security systems with an integrated approach that includes strong cyber defense, integrated cyber intelligence, and resilient solutions.
URL: https://www.nsa.gov/What-We-Do/Cybersecurity/
Development: Created by NSA Purpose: Mandatory Access Control (MAC) for Linux Status: Integrated into Linux kernel
Key Features:
- Mandatory access controls
- Role-based access control (RBAC)
- Type enforcement (TE)
- Multi-level security (MLS)
- Multi-category security (MCS)
URL: https://www.nsa.gov/What-We-Do/Research/SELinux/
SELinux Modes:
- Enforcing: Denies access based on policy
- Permissive: Logs but doesn't deny (testing mode)
- Disabled: SELinux not active
SELinux Policies:
- Targeted: Default policy, selected processes confined
- Strict: All processes confined
- MLS: Multi-level security policy
Purpose: NSA-approved commercial products to protect classified information.
Components Program: List of approved products that can be layered for classified protection.
Capability Packages: Guidance on layering commercial products.
URL: https://www.nsa.gov/Resources/Commercial-Solutions-for-Classified-Program/
Topics:
- System hardening
- Network security
- Cryptography
- Insider threat mitigation
- Supply chain security
Recent CTRs:
- Linux Hardening Guidance
- Kubernetes Hardening Guidance
- Network Infrastructure Security Guidance
- Securing Wireless Devices
- Mitigating Cloud Vulnerabilities
URL: https://www.nsa.gov/Press-Room/Cybersecurity-Advisories-Guidance/
Quick-reference security guidance on specific topics.
Topics:
- Secure communications
- Authentication best practices
- Zero trust principles
- Encrypted DNS
- Software supply chain
URL: https://www.nsa.gov/Press-Room/Cybersecurity-Advisories-Guidance/
Time-sensitive information about cyber threats and vulnerabilities.
Types:
- CVE-based advisories
- Threat actor TTPs
- Mitigation guidance
- Detection signatures
URL: https://www.nsa.gov/Press-Room/Cybersecurity-Advisories-Guidance/
- Linux hardening
- Windows hardening
- Network device hardening
- Mobile device security
- Web server security
- Database security
- Email security
- DNS security
- Network segmentation
- Boundary protection
- Secure protocols
- IPsec and VPN
NSA works with NIST on cryptographic standards:
- Suite B Cryptography (legacy): RSA, ECC, SHA, AES
- Commercial National Security Algorithm (CNSA) Suite: Post-quantum preparation
- FIPS 140-2/140-3: Cryptographic module validation
URL: https://www.nsa.gov/Cybersecurity/Cryptographic-Capabilities/
Key NSA Resources:
- NSA Cybersecurity: https://www.nsa.gov/What-We-Do/Cybersecurity/
- Cybersecurity Advisories: https://www.nsa.gov/Press-Room/Cybersecurity-Advisories-Guidance/
- SELinux Project: https://github.com/SELinuxProject
- CSfC Program: https://www.nsa.gov/Resources/Commercial-Solutions-for-Classified-Program/
Full Name: Defense Information Systems Agency Security Technical Implementation Guides Authority: U.S. Department of Defense Focus: DoD security requirements for information systems Applicability: DoD systems, defense contractors, federal agencies
The Defense Information Systems Agency (DISA) provides IT and communications support to the President, Vice President, Secretary of Defense, and other DoD components.
URL: https://public.cyber.mil/
STIGs are configuration standards for DoD systems. They contain technical guidance to "lock down" information systems to protect against threats.
URL: https://public.cyber.mil/stigs/
CAT I (High/Critical):
- Severity: High
- Description: Vulnerabilities that allow attacker to compromise system
- Remediation: Immediate
- Impact: Loss of confidentiality, integrity, or availability
- Example: Default passwords, unpatched critical vulnerabilities
CAT II (Medium):
- Severity: Medium
- Description: Vulnerabilities that could result in compromise
- Remediation: Within 30 days
- Impact: Potential loss of confidentiality, integrity, or availability
- Example: Weak authentication, insufficient logging
CAT III (Low):
- Severity: Low
- Description: Vulnerabilities that degrade security
- Remediation: Within 90 days
- Impact: Minor security degradation
- Example: Missing security banners, incomplete documentation
Vulnerability ID (VID): Unique identifier (V-XXXXXX) Rule ID: STIG rule identifier (SV-XXXXXX) STIG ID: Control identifier Severity: CAT I, CAT II, or CAT III Check Text: How to verify compliance Fix Text: How to remediate
Red Hat Enterprise Linux (RHEL):
- RHEL 7 STIG
- RHEL 8 STIG
- RHEL 9 STIG
URL: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
Ubuntu:
- Ubuntu 20.04 LTS STIG
- Ubuntu 22.04 LTS STIG
General Purpose Operating System STIG:
- Applies to various Linux distributions
- Generic Unix/Linux guidance
Access Control:
- Account management
- Access enforcement
- Least privilege
- Remote access
Audit and Accountability:
- Audit generation
- Audit review
- Audit protection
- Clock synchronization
Identification and Authentication:
- User identification
- Device identification
- Authenticator management
- Session controls
System and Information Integrity:
- Flaw remediation
- Malicious code protection
- System monitoring
- Software integrity
Configuration Management:
- Baseline configuration
- Change control
- Least functionality
- Security settings
System and Communications Protection:
- Application separation
- Cryptographic protection
- Network security
- Session management
Purpose: High-level security requirements that STIGs implement.
Hierarchy:
DoD Instruction 8500.01
v
Security Requirements Guide (SRG)
v
Security Technical Implementation Guide (STIG)
URL: https://public.cyber.mil/stigs/srg-stig-tools/
DISA's official STIG compliance scanning tool.
Features:
- Automated STIG compliance checking
- SCAP 1.2/1.3 support
- Results in CKL format
URL: https://public.cyber.mil/stigs/scap/
View and manage STIG checklists.
Features:
- Read XCCDF and CKL files
- Create checklist files
- Export reports
URL: https://public.cyber.mil/stigs/srg-stig-tools/
STIGs are part of the Risk Management Framework (RMF) process:
- Categorize: Determine system impact level
- Select: Choose security controls
- Implement: Apply STIGs
- Assess: Verify STIG compliance
- Authorize: ATO decision
- Monitor: Continuous monitoring
Key DISA Resources:
- Public Cyber: https://public.cyber.mil/
- STIG Downloads: https://public.cyber.mil/stigs/downloads/
- STIG Tools: https://public.cyber.mil/stigs/srg-stig-tools/
- SCAP Compliance: https://public.cyber.mil/stigs/scap/
Focus: Australian Cyber Security Centre Essential 8 + Information Security Manual (ISM) Authority: Australian Cyber Security Centre (ACSC), Australian Signals Directorate (ASD) Applicability: Australian Government, critical infrastructure, defense
The Essential Eight is a baseline of mitigation strategies for organizations to mitigate cybersecurity incidents. It defines three maturity levels (ML1, ML2, ML3).
- URL: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight
The Essential Eight strategies:
- Application Control - allowlist applications
- Patch Applications - keep applications current
- Configure Microsoft Office Macro Settings - restrict macro execution
- User Application Hardening - harden web browsers, PDF readers, etc.
- Restrict Administrative Privileges - least privilege
- Patch Operating Systems - keep OS current
- Multi-Factor Authentication - phishing-resistant where possible
- Regular Backups - tested, isolated, retained
A cyber security framework for Australian Government entities. The ISM is organized into guidelines covering governance, personnel security, physical security, and information technology security (cryptography, system hardening, network hardening, access control, event logging, and more).
- Maturity Level One (ML1) - Mitigations against adversaries using commodity tradecraft and publicly available exploits.
- Maturity Level Two (ML2) - Mitigations against adversaries willing to invest more time and effort, using better tooling and targeting.
- Maturity Level Three (ML3) - Mitigations against adaptive adversaries who are less reliant on public tooling and can exploit weaker controls.
The ACSC module maps host-side technical indicators to the Essential Eight mitigation strategies and the ISM guidelines:
- E8.1 Application Control - allowlisting enforcement via AppArmor, SELinux, or fapolicyd; execution restrictions on user-writable paths.
- E8.2 Patch Applications / E8.6 Patch Operating Systems - unattended security updates, package-manager update posture, and pending-update detection appropriate to the detected distribution.
- E8.4 User Application Hardening - browser/PDF/interpreter hardening indicators and removal of unneeded client software surface.
- E8.5 Restrict Administrative Privileges - sudo configuration, privileged group membership, and separation of administrative accounts.
- E8.7 Multi-Factor Authentication - PAM MFA modules (pam_google_ authenticator, pam_u2f, pam_sss) present in the authentication stack.
- E8.8 Regular Backups - presence and configuration of backup tooling (rsync, borg, restic, duplicity) and, at ML3, immutable/isolated backup indicators.
- ISM Server and Network Hardening - kernel sysctl hardening, service minimization, and network-exposure reduction.
- ISM Cryptography - approved algorithms, TLS/SSH cipher posture, and crypto-policy configuration.
- ISM Event Logging - auditd presence, log retention, and forwarding.
- ISM Access Control, Authentication, Secure Boot, and Session Locking - account policy, boot integrity, and idle session-lock enforcement.
Australian Government entities, state and territory agencies, critical infrastructure operators, and defense-sector suppliers assessing themselves against the Essential Eight and ISM.
The ACSC module evaluates host-side technical indicators of Essential Eight ML1-ML3 controls and the ISM guidelines: allowlisting (AppArmor / SELinux / fapolicyd), patching (unattended-upgrades and per-distro update posture), hardening (kernel sysctls, service minimization), MFA (PAM modules), backups (rsync / borg / restic / duplicity), cryptography, event logging, access control, secure boot, and session locking. Checks are OS-family aware and fire conditionally based on the detected distribution.
- ACSC Essential Eight: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight
- ACSC Essential Eight Maturity Model: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
- ACSC Information Security Manual: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism
Focus: DoD Cybersecurity Maturity Model Certification 2.0 Authority: U.S. Department of Defense (DoD), CMMC Accreditation Body Applicability: Defense Industrial Base (DIB) contractors handling Controlled Unclassified Information (CUI)
Three certification levels:
- Level 1 (Foundational): 17 basic safeguarding requirements (FAR 52.204-21)
- Level 2 (Advanced): 110 NIST SP 800-171 Rev 2 practices
- Level 3 (Expert): NIST SP 800-172 enhanced security requirements
URLs:
- https://dodcio.defense.gov/CMMC/
- https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
- https://csrc.nist.gov/publications/detail/sp/800-172/final
- DFARS 252.204-7012 - CUI safeguarding and incident reporting
- DFARS 252.204-7019 - SPRS (Supplier Performance Risk System)
- DFARS 252.204-7020 - NIST SP 800-171 DoD Assessment
URL: https://www.acquisition.gov/dfars
CMMC Level 2 mirrors the 14 control families of NIST SP 800-171:
- AC - Access Control - account management, least privilege, remote-access control, session termination, and separation of duties.
- AT - Awareness and Training - security awareness indicators.
- AU - Audit and Accountability - audit event generation, log content, retention, protection of audit information, and log review capability.
- CM - Configuration Management - baseline configuration, least functionality, and software allow/deny listing.
- IA - Identification and Authentication - unique identification, MFA, password complexity, and cryptographically protected credentials.
- IR - Incident Response - detection, reporting, and response tooling.
- MA - Maintenance - controlled maintenance and tooling.
- MP - Media Protection - media sanitization, removable-media control (USBGuard), and encryption of CUI at rest.
- PS - Personnel Security - screening and access on termination indicators.
- PE - Physical Protection - physical-access indicators.
- RA - Risk Assessment - vulnerability scanning and remediation posture.
- CA - Security Assessment - audit tooling and continuous monitoring.
- SC - System and Communications Protection - boundary protection, cryptographic protection in transit, and key management.
- SI - System and Information Integrity - flaw remediation, malicious-code protection, and monitoring.
Level 3 adds enhanced requirements for penetration-resistant architecture, adversarial protection (threat hunting, deception), and cyber resiliency against advanced persistent threats.
- AC - sudo/privilege configuration, remote-access control, session handling, and separation of administrative accounts.
- AU - auditd ruleset depth, log-file permissions, retention, and failure actions.
- IA - MFA in the PAM stack, password quality (pam_pwquality), and faillock lockout policy.
- CM - secure baseline indicators, least functionality, and software control.
- MP - USBGuard removable-media control, media-sanitization tooling, and LUKS encryption of CUI.
- SC - SSH/TLS cryptographic posture, boundary controls, and key management indicators.
- SI - patch automation, malware/EDR presence, and integrity monitoring.
- SR / L3 - supply-chain risk indicators and adversarial-protection tooling, plus DFARS 7019/7020 SPRS self-assessment factors.
Defense Industrial Base contractors and subcontractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), and their assessors.
The CMMC module evaluates host-level technical controls aligning to CMMC Level 1 basic safeguarding, Level 2 NIST SP 800-171 controls across the 14 control families, and Level 3 NIST SP 800-172 enhanced practices (penetration resistance, threat hunting, cyber resiliency). It also surfaces DFARS 252.204-7019/7020 SPRS self-assessment factors.
- CMMC Program: https://dodcio.defense.gov/CMMC/
- NIST SP 800-171: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
- NIST SP 800-172: https://csrc.nist.gov/publications/detail/sp/800-172/final
- DFARS: https://www.acquisition.gov/dfars
Focus: Distribution-specific hardening baselines for Linux distributions Authority: Distribution maintainers, security teams, vendor hardening guides Applicability: Multi-distribution Linux fleets
- URL: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/
The DistBaseline module performs OS-family-aware hardening verification. Checks fire conditionally based on the detected distribution and family:
-
Kernel Features and Security - kernel hardening sysctls,
kernel. modules_disabled, kptr/dmesg restrictions, BPF hardening, and lockdown indicators. -
Account Security - password aging defaults,
login.defspolicy,useradd/skeleton defaults, and inactive-account handling. -
systemd Unit Hardening - unit sandboxing directives
(
ProtectSystem,PrivateTmp,NoNewPrivileges, capability bounding) on exposed services. -
Mount Options -
nodev,nosuid,noexecon/tmp,/var/tmp,/dev/shm, and separate-partition posture. -
Crypto Policies - system-wide crypto policy (
update-crypto-policieson RHEL family) and cipher/protocol posture. - Bootloader and Boot Security - GRUB password/permissions and boot integrity indicators.
- Module Signing / IMA-EVM - kernel module signature enforcement and Integrity Measurement Architecture / Extended Verification Module status.
- PAM Stack - distribution-appropriate PAM configuration.
- Ubuntu USG and Ubuntu Pro/ESM - Ubuntu Security Guide tooling and Expanded Security Maintenance enrollment on Ubuntu.
The module resolves package names, service names, and configuration paths per family (Debian, Red Hat, SUSE, Arch). Checks that do not apply to the detected distribution are skipped rather than reported as failures, so results reflect the actual platform.
Operators of multi-distribution Linux fleets who need a single tool that applies the correct vendor hardening expectations to each host.
The DistBaseline module verifies mount options, systemd unit hardening, boot security, crypto policies, kernel features, account security, module signing, IMA/EVM, PAM configuration, and per-distro extended checks (Ubuntu USG, Ubuntu Pro/ESM, and family-specific baselines), firing conditionally on the detected distribution.
- Debian Securing Manual: https://www.debian.org/doc/manuals/securing-debian-manual/
- RHEL 9 Security Hardening: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/
- Ubuntu Security Guide: https://ubuntu.com/security/certifications/docs/usg
- SUSE Linux Enterprise documentation: https://documentation.suse.com/sles/
- Arch Linux Security: https://wiki.archlinux.org/title/Security
Focus: Endpoint Detection & Response posture and MITRE ATT&CK technique coverage Authority: MITRE Corporation; commercial EDR vendors Applicability: All organizations measuring detection capability
A globally-accessible knowledge base of adversary tactics and techniques.
Covered tactics (selected):
- TA0003 Persistence - T1543 (System Process), T1547 (Boot/Logon Autostart), T1053 (Scheduled Task), T1546 (Event Triggered Execution)
- TA0005 Defense Evasion - T1070 (Indicator Removal), T1562 (Impair Defenses)
- Commercial EDR / Detection Solutions - presence of endpoint detection agents and host-based detection tooling (Microsoft Defender for Endpoint, CrowdStrike, SentinelOne, Falco, Wazuh, osquery, auditd-based detection).
- ATT&CK Technique Coverage - depth of the auditd/audit ruleset measured against MITRE ATT&CK Linux techniques (execution, persistence, defense evasion, credential access, discovery, and exfiltration).
- Persistence Detection - watches on cron, systemd units, shell profiles, boot/logon autostart, and event-triggered execution paths (T1053, T1543, T1546, T1547).
- Anti-Forensics Detection - indicator-removal and log-tampering resistance (T1070), immutable audit logs, and command-history integrity.
-
Memory Protection and Process Injection - runtime protections and
detection posture for ptrace/
process_vm_writev-based injection (T1055). - Runtime Kernel Visibility / eBPF-LSM - eBPF and Linux Security Module observability (Falco, Tracee, Sysdig) and kernel capability posture.
- Incident Response Readiness - forensic/DFIR tooling availability, centralized log forwarding, and process accounting for reconstruction.
- Threat Intelligence and Network Behavior - IOC/feed indicators and network-behavior monitoring capability.
- TA0002 Execution - T1053 (Scheduled Task/Job)
- TA0003 Persistence - T1543 (Create/Modify System Process), T1547 (Boot or Logon Autostart), T1546 (Event Triggered Execution), T1037 (Boot/Logon Initialization Scripts)
- TA0004 Privilege Escalation - T1548 / T1574 indicators
- TA0005 Defense Evasion - T1070 (Indicator Removal), T1562 (Impair Defenses), T1055 (Process Injection)
- TA0011 Command and Control - T1071 (Application Layer Protocol), T1571 (Non-Standard Port)
Security operations and detection-engineering teams measuring host-level detection and response coverage, and organizations mapping their telemetry to MITRE ATT&CK.
The EDR module evaluates the host's detection posture: presence of EDR products (Defender, CrowdStrike, SentinelOne, Falco, Wazuh, osquery), auditd ruleset depth for ATT&CK technique coverage, persistence and anti-forensics detection, memory-protection and process-injection posture, eBPF/LSM runtime visibility, incident-response readiness, threat-intelligence indicators, and process accounting.
- MITRE ATT&CK: https://attack.mitre.org/
- MITRE ATT&CK for Linux: https://attack.mitre.org/matrices/enterprise/linux/
- NIST SP 800-94: https://csrc.nist.gov/publications/detail/sp/800-94/final
Focus: EU General Data Protection Regulation technical and organizational measures Authority: European Union (Regulation (EU) 2016/679) Applicability: Any organization processing personal data of EU residents
Key articles audited:
- Article 5 - Principles relating to processing of personal data
- Article 17 - Right to erasure ("right to be forgotten")
- Article 25 - Data protection by design and by default
- Article 30 - Records of processing activities
- Article 32 - Security of processing
- Article 33 - Notification of personal data breach to supervisory authority
- Article 44 - General principle for transfers (international)
Because GDPR is a legal regulation rather than a technical standard, the module evaluates host-level technical measures that demonstrably support the "appropriate technical and organisational measures" required by Article 32 and related articles:
- Article 5 - Principles - storage-limitation indicators through bounded log/audit retention and data-minimization posture.
- Article 17 - Right to Erasure - availability of secure-deletion tooling (shred, wipe) and media-sanitization capability.
- Article 24 - Controller Responsibility - demonstrable control posture (logging, monitoring, and configuration management indicators).
- Article 25 - Data Protection by Design and by Default - default- restrictive file permissions, umask, and least-privilege defaults.
- Article 30 - Records of Processing - system-audit and activity-logging capability that supports processing records.
- Article 32 - Security of Processing - encryption at rest (LUKS) and in transit (TLS/SSH), pseudonymization libraries, integrity monitoring, and availability/backup measures ("confidentiality, integrity, availability and resilience").
- Article 33 - Breach Notification - centralized log forwarding and real-time alerting that support timely detection within the 72-hour notification window.
- Article 35 - DPIA Indicators - technical indicators relevant to Data Protection Impact Assessments.
- Article 44 - International Transfers - VPN/encryption tooling supporting safeguarded transfers.
The module verifies host-side technical measures only. GDPR compliance also requires organizational measures (lawful basis, data-subject rights processes, data-processing agreements, DPO appointment where applicable) that a host scan cannot assess. Passing the technical checks is supporting evidence, not a determination of GDPR compliance.
Data controllers and processors handling personal data of individuals in the EU/EEA, and their security and privacy teams gathering technical evidence.
The GDPR module audits host-level technical controls supporting GDPR compliance: bounded log retention (Article 5), secure deletion (Article 17), default-restrictive permissions and umask (Article 25), audit logging (Article 30), pseudonymization libraries and encryption at rest/in transit (Article 32), log forwarding and alerting for breach detection (Article 33), and VPN/encryption tooling for international transfers (Article 44).
- Regulation (EU) 2016/679 (official text): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- GDPR article reference: https://gdpr-info.eu/
- European Data Protection Board guidance: https://www.edpb.europa.eu/
Focus: US HIPAA Security Rule (45 CFR Part 164) Authority: U.S. Department of Health and Human Services (HHS) Applicability: Covered entities and business associates handling PHI
Subparts audited:
-
Subpart C - 164.302-318 - Security Standards for the Protection of EPHI
- 164.308 Administrative Safeguards
- 164.310 Physical Safeguards
- 164.312 Technical Safeguards
- 164.314 Organizational Requirements
- 164.316 Policies and Procedures Requirements
- Subpart D - 164.400-414 - Notification in the Case of Breach of Unsecured Protected Health Information
The HIPAA Security Rule organizes required and addressable implementation specifications into three safeguard categories, plus documentation and breach notification:
- Administrative Safeguards (164.308) - security management process, risk analysis, workforce security, information-access management, security awareness and training, and contingency planning.
- Physical Safeguards (164.310) - facility access controls, workstation use and security, and device/media controls.
- Technical Safeguards (164.312) - access control (unique user identification, automatic logoff, encryption/decryption), audit controls, integrity, person/entity authentication, and transmission security.
- Policies, Procedures and Documentation (164.316) - documentation retention and availability indicators.
- Breach Notification (Subpart D, 164.400-414) - detection and reporting readiness for breaches of unsecured EPHI.
- 164.308 Administrative - account lifecycle and workforce-access indicators, security-awareness posture, and contingency/backup readiness.
- 164.310 Physical - USB/removable-media control and device-access indicators available at the host level.
- 164.312(a) Access Control - unique user IDs, automatic logoff (idle session timeout), and encryption at rest.
- 164.312(b) Audit Controls - auditd presence, ruleset depth, log-file permissions, and retention.
- 164.312(c) Integrity - file-integrity monitoring baseline.
- 164.312(d) Authentication - authentication strength and MFA indicators.
- 164.312(e) Transmission Security - TLS/SSH encryption in transit.
- 164.316 Documentation - policy/procedure indicators.
- Breach Notification - centralized log forwarding supporting incident reconstruction and timely notification.
The module assesses host-level technical and administrative-safeguard indicators. Full HIPAA compliance additionally requires organizational measures (risk analysis documentation, business associate agreements, workforce training records, and policies) outside the scope of a host scan.
Covered entities (health plans, healthcare clearinghouses, and healthcare providers) and their business associates that create, receive, maintain, or transmit electronic protected health information (EPHI).
The HIPAA module audits host-level technical and administrative safeguards: account lifecycle and workforce access (164.308), USB/physical-access controls (164.310), unique user IDs, automatic logoff, encryption, audit controls and integrity (164.312), policy/procedure indicators (164.316), and breach notification readiness (Subpart D). It also references the 405(d) Health Industry Cybersecurity Practices (HICP) for network management and data protection.
- HIPAA Security Rule (45 CFR Part 164): https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164
- NIST SP 800-66 Rev 2: https://csrc.nist.gov/publications/detail/sp/800-66/rev-2/final
- HHS HIPAA Security Rule guidance: https://www.hhs.gov/hipaa/for-professionals/security/
Focus: Payment Card Industry Data Security Standard v4.0 Authority: PCI Security Standards Council (PCI SSC) Applicability: Any entity that stores, processes, or transmits cardholder data
The 12 Requirements:
- Install and maintain network security controls
- Apply secure configurations to all system components
- Protect stored account data
- Protect cardholder data with strong cryptography during transmission
- Protect all systems and networks from malicious software
- Develop and maintain secure systems and software
- Restrict access to system components and cardholder data by business need-to-know
- Identify users and authenticate access to system components
- Restrict physical access to cardholder data
- Log and monitor all access to system components and cardholder data
- Test security of systems and networks regularly
- Support information security with organizational policies and programs
The 12 requirements are organized into six control objectives:
- Build and Maintain a Secure Network and Systems - Requirements 1-2
- Protect Account Data - Requirements 3-4
- Maintain a Vulnerability Management Program - Requirements 5-6
- Implement Strong Access Control Measures - Requirements 7-9
- Regularly Monitor and Test Networks - Requirements 10-11
- Maintain an Information Security Policy - Requirement 12
- Req 1 - Network Security Controls - firewall/nftables presence and posture, default-deny indicators, and traffic restrictions.
- Req 2 - Secure Configuration - removal of vendor defaults, service minimization, and secure system-hardening indicators.
- Req 3 - Protect Stored Account Data - LUKS encryption at rest, key- management indicators, and FIPS mode.
- Req 4 - Strong Cryptography in Transit - TLS 1.2+/1.3 posture and SSH cipher/MAC/KEX hardening.
- Req 5 - Anti-Malware - antivirus/EDR presence and update posture.
- Req 6 - Secure Systems and Software - patch automation and secure-SDLC indicators.
- Req 7 - Least Privilege - need-to-know access and privileged-account restriction.
- Req 8 - Identify and Authenticate - MFA, faillock lockout, and password policy.
- Req 9 - Physical Access - removable-media (USB) controls available at the host level.
- Req 10 - Logging and Monitoring - auditd with a ruleset, log-file protection, time synchronization, and remote log forwarding.
- Req 11 - Security Testing - vulnerability scanning and file-integrity monitoring (FIM).
- Req 12 - Organizational Policy - technical indicators supporting policy and program requirements.
The module assesses host-level technical controls only, and only for the host it runs on. PCI DSS assessment additionally requires network-level validation (segmentation testing, ASV scans), cardholder-data-environment scoping, and organizational controls handled through a Qualified Security Assessor (QSA) or Self-Assessment Questionnaire (SAQ).
Merchants, service providers, and any entity that stores, processes, or transmits cardholder data, plus their QSAs and internal security assessors.
The PCI-DSS module audits host-level technical controls aligning to all 12 PCI DSS v4.0.1 requirements: firewall (Req 1), secure configuration (Req 2), LUKS and FIPS (Req 3), TLS 1.2+ and SSH cipher hardening (Req 4), AV/EDR (Req 5), patch automation (Req 6), least privilege (Req 7), MFA and faillock (Req 8), USB controls (Req 9), auditd with a ruleset and remote forwarding (Req 10), vulnerability scanning and FIM (Req 11), and policy indicators (Req 12).
- PCI Security Standards Council: https://www.pcisecuritystandards.org/
- PCI DSS Document Library: https://www.pcisecuritystandards.org/document_library/
Focus: AICPA Trust Services Criteria for SOC 2 reports Authority: American Institute of Certified Public Accountants (AICPA) Applicability: Service organizations subject to SOC 2 Type II
Trust Services Criteria:
- Security (Common Criteria) - CC1 through CC9
- Availability (A1)
- Confidentiality (C1)
- Processing Integrity (PI)
- Privacy (P)
The Security category (Common Criteria) is mandatory for every SOC 2 engagement; the other four categories are included based on the service commitments in scope:
- CC1 - Control Environment - integrity, ethics, and governance indicators.
- CC2 - Communication and Information - security-relevant information flow.
- CC3 - Risk Assessment - vulnerability identification and risk posture.
- CC4 - Monitoring Activities - continuous monitoring and auditd/logging.
- CC5 - Control Activities - configuration and control implementation.
- CC6 - Logical and Physical Access - authentication, authorization, least privilege, and access provisioning/deprovisioning.
- CC7 - System Operations - detection, incident handling, and change detection.
- CC8 - Change Management - controlled change indicators.
- CC9 - Risk Mitigation - risk-mitigation and vendor-risk indicators.
- A1 - Availability - backups, capacity, and recovery indicators.
- C1 - Confidentiality - encryption and confidentiality controls.
- PI1 - Processing Integrity - file-integrity monitoring and data-integrity controls.
- P - Privacy - pseudonymization, secure erasure, and privacy indicators.
- CC6 Logical Access - SSH/PAM authentication posture, MFA, sudo/privilege configuration, and account lifecycle.
- CC7 System Operations - auditd detection depth, log forwarding, and intrusion-detection indicators.
- CC8 Change Management - configuration-tracking indicators (etckeeper and similar).
- CC4 Monitoring - continuous monitoring services and log review.
- A1 Availability - backup tooling and recovery posture.
- C1 Confidentiality - encryption at rest and in transit.
- PI Processing Integrity - file-integrity monitoring baseline.
- P Privacy - secure deletion and pseudonymization tooling.
A SOC 2 Type I report evaluates control design at a point in time; a Type II report evaluates operating effectiveness over a period (commonly 3-12 months). The module provides point-in-time technical evidence that supports either.
Service organizations (SaaS, hosting, managed services) that need to demonstrate control over customer data to their customers and auditors, and the CPA firms performing the examination.
The SOC2 module audits host-level technical controls supporting all five trust service categories. Common Criteria coverage: control environment (CC1), communication (CC2), risk assessment (CC3), monitoring (CC4), control activities (CC5), logical access (CC6), system operations (CC7), change management (CC8), and risk mitigation (CC9). Additional coverage: backups and recovery (A1), encryption (C1), file-integrity monitoring (PI1), and pseudonymization and secure erasure (P).
- AICPA Trust Services Criteria: https://www.aicpa-cima.com/resources/download/2017-trust-services-criteria-with-revised-points-of-focus-2022
- AICPA SOC 2: https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2
| Framework | Prescriptive | Risk-Based | Certification | Global | U.S. Federal | Defense/Intel |
|---|---|---|---|---|---|---|
| Core | Low | High | No | Yes | No | No |
| CIS | Medium | Medium | No | Yes | No | No |
| CISA | Medium | High | No | Yes | Yes | Partial |
| ENISA | Low | High | No | EU | No | No |
| ISO 27001 | Medium | High | Yes | Yes | No | No |
| NIST 800-53 | High | Medium | No | No | Yes | Yes |
| NIST CSF | Low | High | No | Yes | Partial | No |
| NSA | High | Medium | No | No | Yes | Yes |
| STIG | Very High | Low | No | No | Yes | Yes |
For General Organizations:
Start with: Core + CIS
Add for certification: ISO 27001
Add for best practices: NIST CSF
For U.S. Federal Agencies:
Required: NIST 800-53 + CISA directives
Add: NIST CSF
Defense: Add STIG + NSA
For Defense Contractors:
Required: STIG + NIST 800-171
Recommended: NSA + CISA
Foundation: Core + CIS
For EU Organizations:
Required: ENISA (if critical infrastructure)
Add for certification: ISO 27001
Foundation: Core + CIS
For Critical Infrastructure:
U.S.: CISA + NIST CSF + CIS
EU: ENISA + ISO 27001 + CIS
Defense: Add NSA + STIG
Common security controls across frameworks:
| Framework | Control ID | Requirement |
|---|---|---|
| Core | Password Policy | Complexity, aging, history |
| CIS | 5.4.1 | Password expiration <= 365 days |
| ISO 27001 | A.5.17 | Authentication information |
| NIST 800-53 | IA-5 | Authenticator management |
| STIG | V-204392 | Password minimum length 15 chars |
| Framework | Control ID | Requirement |
|---|---|---|
| Core | Audit Logging | Logging enabled |
| CIS | 4.1 | auditd installed and enabled |
| ISO 27001 | A.8.15 | Logging |
| NIST 800-53 | AU-2 | Audit events |
| NIST CSF | DE.CM | Continuous monitoring |
| STIG | V-204486 | Audit events for account access |
| Framework | Control ID | Requirement |
|---|---|---|
| Core | Data Protection | Encryption at rest and in transit |
| CIS | Multiple | Cryptographic configuration |
| ENISA | Cryptographic Controls | Strong cryptography |
| ISO 27001 | A.8.24 | Use of cryptography |
| NIST 800-53 | SC-8 | Transmission confidentiality |
| NSA | Crypto Standards | CNSA Suite algorithms |
Organizations often need to attest compliance to multiple frameworks:
Example: Financial Services Company
- Required: ISO 27001 (certification)
- Required: SOX (Sarbanes-Oxley)
- Industry: PCI-DSS
- Foundation: CIS Benchmarks
Implementation: Use Core + CIS as baseline, implement ISO 27001 ISMS, map to PCI-DSS
Example: Defense Contractor
- Required: NIST 800-171 (CUI protection)
- Required: DFARS 252.204-7012
- Required: STIGs (contract-specific)
- Recommended: NSA guidance
Implementation: Implement STIGs fully, verify NIST 800-171 compliance, add NSA hardening
Framework Documentation:
- Module Documentation: Technical implementation of frameworks
- Usage Guide: Running framework-specific audits
- Development Guide: Extending framework coverage
Standards Organizations:
- CIS: https://www.cisecurity.org/
- CISA: https://www.cisa.gov/
- ENISA: https://www.enisa.europa.eu/
- ISO: https://www.iso.org/
- NIST: https://www.nist.gov/
- NSA: https://www.nsa.gov/
- DISA: https://public.cyber.mil/
<- Back to Module Documentation | Home | Next: Development Guide ->
Linux Security Audit Project - Version 3.9 - MIT License
Repository - Releases - Issues - Pull Requests
Changelog - Contributing - Security Policy - License
Frameworks: Core - CIS - CISA - ENISA - ISO 27001 - NIST - NSA - STIG - ACSC - CMMC - DistBaseline - EDR - GDPR - HIPAA - PCI-DSS - SOC2
Coverage: 16 Modules - 2,297 Automated Security Checks - 5 Native Output Formats - Zero External Dependencies
This documentation reflects Linux Security Audit Project v3.9 (cross-framework remediation consistency via the canonical remediation registry, PCI-DSS module rename, compliance-scoring fix, attack-surface assessment, per-framework split reports, cross-module correlation, 18 distribution profiles, rollup metrics, OS-aware remediation library). For older versions, see the release tags.
Version 3.9 - 16 modules - 2,297 checks
Original modules (v2.0 baseline + v3.3 expansion)
Core - CIS - CISA - ENISA - ISO 27001 - NIST - NSA - STIG
New modules (v3.0+ Phase 3)
ACSC - CMMC - DistBaseline - EDR - GDPR - HIPAA - PCI-DSS - SOC2
Output Formats
HTML - JSON - CSV - XML - Console
Status Values
Pass - Fail - Warning - Info - Error
Severity Levels
Critical - High - Medium - Low - Informational