{
  "version": 6,
  "updated_at": "2026-05-27T14:00:00Z",
  "policies": [
    {
      "external_id": "32f8e6e9835838c61b8969dbea87709b",
      "name": "Container Configuration Hardening - Level 1",
      "version": "1.1.1",
      "author": "OpenSCM",
      "description": "Per-container and per-host container hardening checks evaluated by the agent against its local container inventory. Covers image identity (tag pinning, registry source, prod-vs-dev image names), network configuration (host-network isolation, mode sanity), and runtime configuration (privileged flag, run-as user, Docker-socket mount, exposed ports, read-only filesystem, HEALTHCHECK). 11 tests mapping to the most-cited CIS Docker controls plus a few drift-detection extras. Requires OpenSCM >= 0.5.0 and Linux agents with Docker or Podman.",
      "category": "Containers",
      "test_count": 11,
      "file": "cis-container-config-l1.json"
    },
    {
      "external_id": "59cb097fe9d08c661178d1da4ddbf7b8",
      "name": "CIS Microsoft Defender Antivirus Benchmark v1.0.0 - Level 1",
      "version": "1.0.0",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 hardening profile for Microsoft Defender Antivirus. Cloud protection, real-time protection, exploit guard, attack surface reduction, and tamper protection — all registry-backed. Applies to any Windows host with Defender enabled.",
      "category": "Antivirus",
      "test_count": 55,
      "file": "cis-defender-l1.json"
    },
    {
      "external_id": "6fe508b5f697b3750e52b9198c8c48a5",
      "name": "CIS Apache Cassandra 4.0 Benchmark v1.3.0 - Level 1",
      "version": "1.0.0",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 hardening profile for Apache Cassandra 4.0. Version checks (Java / Python / Cassandra), nodetool logging level, inter-node encryption, client encryption. Assign to a system group of Cassandra hosts. Requires cmd_enabled = true on the agent.",
      "category": "Database",
      "test_count": 6,
      "file": "cis-cassandra-4.0-l1.json"
    },
    {
      "external_id": "32ea3aabace700078a3b7dc793b0d1e2",
      "name": "CIS Amazon Linux 2 Benchmark v4.0.0 - Level 1 Server",
      "version": "1.0.1",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 server hardening profile for Amazon Linux 2 (the AL2 line — predecessor to Amazon Linux 2023). The AL2 CIS PDF uses an older format without (Automated)/(Manual) tags; this conversion treats every Level 1 - Server section as Automated and emits a check where one is extractable.",
      "category": "Linux",
      "test_count": 224,
      "file": "cis-amazon-2-l1-server.json"
    },
    {
      "external_id": "8bdcb1d9698171a10519ddd6296e0f5d",
      "name": "CIS Amazon Linux 2023 Benchmark v1.0.0 - Level 1 Server",
      "version": "1.0.1",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 server hardening profile for Amazon Linux 2023. Kernel modules, mount options, package presence, services, sysctl, file permissions, and audit policy — tuned for AWS EC2 / ECS workloads.",
      "category": "Linux",
      "test_count": 79,
      "file": "cis-amazon-2023-l1-server.json"
    },
    {
      "external_id": "8803830a32663cfece5dd706fbc79cf1",
      "name": "CIS Debian Linux 11 Benchmark v2.0.0 - Level 1 Server",
      "version": "1.0.2",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 server hardening profile for Debian Linux 11 (Bullseye) and apt/dpkg-based Debian derivatives.",
      "category": "Linux",
      "test_count": 129,
      "file": "cis-debian-11-l1-server.json"
    },
    {
      "external_id": "c0f17f7ec510c2f61e593c77746078e5",
      "name": "CIS Debian Linux 12 Benchmark v1.1.0 - Level 1 Server",
      "version": "1.0.2",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 server hardening profile for Debian Linux 12 (Bookworm) and apt/dpkg-based Debian derivatives.",
      "category": "Linux",
      "test_count": 134,
      "file": "cis-debian-12-l1-server.json"
    },
    {
      "external_id": "e0a8f1f0f08e9dbde01bb6507b95152b",
      "name": "CIS Debian Linux 13 Benchmark v1.0.0 - Level 1 Server",
      "version": "1.0.2",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 server hardening profile for Debian Linux 13 and apt/dpkg-based Debian derivatives (Devuan, Kali).",
      "category": "Linux",
      "test_count": 141,
      "file": "cis-debian-13-l1-server.json"
    },
    {
      "external_id": "901c7e0c5a68511f9321f9bb689fde30",
      "name": "CIS Linux Mint 22 Benchmark v1.0.0 - Level 1 Workstation",
      "version": "1.0.1",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 workstation hardening profile for Linux Mint 22 — apt-based desktop distro derived from Ubuntu. Workstation profile only (Mint does not ship a Server profile).",
      "category": "Linux",
      "test_count": 111,
      "file": "cis-mint-22-l1-workstation.json"
    },
    {
      "external_id": "a1cc7bf9932e937d90259e00d9cb8c92",
      "name": "CIS Red Hat Enterprise Linux 9 Benchmark v2.0.0 - Level 1 Server",
      "version": "1.0.1",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 server hardening profile for Red Hat Enterprise Linux 9 and rpm-based downstream rebuilds (CentOS Stream 9, Rocky Linux 9, AlmaLinux 9).",
      "category": "Linux",
      "test_count": 123,
      "file": "cis-rhel-9-l1-server.json"
    },
    {
      "external_id": "6c17e977e3e133a6bac3b30b10311a80",
      "name": "CIS Red Hat Enterprise Linux 10 Benchmark v1.0.1 - Level 1 Server",
      "version": "1.0.2",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 server hardening profile for Red Hat Enterprise Linux 10 and rpm-based downstream rebuilds (CentOS Stream, Rocky Linux, AlmaLinux).",
      "category": "Linux",
      "test_count": 135,
      "file": "cis-rhel-10-l1-server.json"
    },
    {
      "external_id": "ea9eb29153c8989596f694a8d0c673e0",
      "name": "CIS Rocky Linux 10 Benchmark v1.0.0 - Level 1 Server",
      "version": "1.0.1",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 server hardening profile for Rocky Linux 10 — RHEL-derived rpm distro.",
      "category": "Linux",
      "test_count": 135,
      "file": "cis-rocky-10-l1-server.json"
    },
    {
      "external_id": "a9c8e51484b25d676a1bf345bb611f94",
      "name": "CIS SUSE Linux Enterprise 15 Benchmark v2.0.1 - Level 1 Server",
      "version": "1.0.1",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 server hardening profile for SUSE Linux Enterprise 15 and compatible openSUSE Leap 15 variants.",
      "category": "Linux",
      "test_count": 131,
      "file": "cis-suse-15-l1-server.json"
    },
    {
      "external_id": "1a523ff6847063a2025ddd1bbdce6a13",
      "name": "CIS SUSE Linux Enterprise 16 Benchmark v1.0.0 - Level 1 Server",
      "version": "1.0.1",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 server hardening profile for SUSE Linux Enterprise 16 and compatible openSUSE Leap variants. rpm-based — same converter family as RHEL / Amazon Linux.",
      "category": "Linux",
      "test_count": 133,
      "file": "cis-suse-16-l1-server.json"
    },
    {
      "external_id": "53dc9e8cb72adc64683dd925b309d5bb",
      "name": "CIS Ubuntu 24.04 LTS Benchmark v1.0.0 - Level 1 Server",
      "version": "1.0.2",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 server hardening profile for Ubuntu 24.04 LTS. Kernel modules, mount options, package presence, services, sysctl, file permissions, and audit policy.",
      "category": "Linux",
      "test_count": 135,
      "file": "cis-ubuntu-2404-l1-server.json"
    },
    {
      "external_id": "b437cc05510bf69c04562336da0767c3",
      "name": "CIS Ubuntu Linux 22.04 LTS Benchmark v3.0.0 - Level 1 Server",
      "version": "1.0.2",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 server hardening profile for Ubuntu 22.04 LTS (Jammy).",
      "category": "Linux",
      "test_count": 133,
      "file": "cis-ubuntu-2204-l1-server.json"
    },
    {
      "external_id": "6b1b8b2c42fb3b8146aca641de1ca3f5",
      "name": "Ubuntu 24.04 LTS STIG V1R5",
      "version": "1.0.1",
      "author": "DISA",
      "description": "DISA Security Technical Implementation Guide — Ubuntu 24.04 LTS V1R5. Derived from NIST SP 800-53. Use this profile to harden Ubuntu 24.04 servers in line with U.S. DoD policy.",
      "category": "Linux",
      "test_count": 194,
      "file": "stig-ubuntu-2404-v1r5.json"
    },
    {
      "external_id": "b564a1afc4b6009ec0f32d1daa8a1913",
      "name": "Patch Management",
      "version": "1.0.0",
      "author": "OpenSCM Team",
      "description": "Reports missing security patches on every supported Linux platform (Ubuntu, RHEL/Fedora, openSUSE, Arch) and macOS. Requires cmd_enabled = true on the agent.",
      "category": "Utility",
      "test_count": 5,
      "file": "patch-management.json"
    },
    {
      "external_id": "16bb798444b1bd0b06e1970b2bd700dd",
      "name": "CIS Apache HTTP Server 2.4 Benchmark v2.3.0 - Level 1",
      "version": "1.0.0",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 hardening profile for Apache HTTP Server 2.4. Cross-distro module and config-directive checks. Assign to a system group of Apache hosts.",
      "category": "Web",
      "test_count": 15,
      "file": "cis-apache-2.4-l1.json"
    },
    {
      "external_id": "dbd9025663582875d84f0bddf1ce1d91",
      "name": "CIS Apache HTTP Server 2.2 Benchmark v3.6.0 - Level 1",
      "version": "1.0.0",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 hardening profile for Apache HTTP Server 2.2 (legacy / archive benchmark). Same cross-distro module and config-directive checks as the 2.4 profile, with section numbering adjusted for the 2.2 PDF. Assign to a system group of legacy Apache 2.2 hosts.",
      "category": "Web",
      "test_count": 15,
      "file": "cis-apache-2.2-l1.json"
    },
    {
      "external_id": "221075636980f835be3b8d9d4fe9c21e",
      "name": "CIS Microsoft Windows 10 Enterprise Benchmark v4.0.0 - Level 1",
      "version": "1.0.0",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 (L1) hardening profile for Microsoft Windows 10 Enterprise. Registry-backed Group Policy settings — account / lockout / audit policy, user rights assignment, security options, administrative templates. Applies only to Windows 10 hosts.",
      "category": "Windows",
      "test_count": 343,
      "file": "cis-windows-10-enterprise-l1.json"
    },
    {
      "external_id": "68cd8ad121edf9a88bf34dd59e908ddc",
      "name": "CIS Microsoft Windows 11 Enterprise Benchmark v5.0.1 - Level 1",
      "version": "1.0.0",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 (L1) hardening profile for Microsoft Windows 11 Enterprise. Registry-backed Group Policy settings — account / lockout / audit policy, user rights assignment, security options, administrative templates. Applies only to Windows 11 hosts.",
      "category": "Windows",
      "test_count": 348,
      "file": "cis-windows-11-enterprise-l1.json"
    },
    {
      "external_id": "25a1acbc182afb49364032bddf83de66",
      "name": "Windows Server 2019 STIG V3R8",
      "version": "1.0.0",
      "author": "DISA",
      "description": "DISA Security Technical Implementation Guide — Microsoft Windows Server 2019 V3R8. Registry, audit policy, service, and Group Policy checks for U.S. DoD-grade Windows Server hardening.",
      "category": "Windows",
      "test_count": 171,
      "file": "stig-windows-server-2019-v3r8.json"
    },
    {
      "external_id": "39a6b1412d386eb774e13e9d2a9f7cb2",
      "name": "CIS NGINX Benchmark v3.0.0 - Level 1",
      "version": "1.0.0",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 hardening profile for NGINX. Module loading, non-root worker user, file ownership, server_tokens, TLS hardening, security response headers (HSTS / X-Content-Type-Options / CSP / Referrer-Policy). Assign to a system group of NGINX hosts. Config-file checks expand to /etc/nginx/nginx.conf and /etc/nginx/conf.d/*.conf.",
      "category": "Web",
      "test_count": 12,
      "file": "cis-nginx-3.0.0-l1.json"
    },
    {
      "external_id": "a96d7a658aafa804fec93f5fba282d47",
      "name": "CIS MongoDB 6 Benchmark v1.0.0 - Level 1",
      "version": "1.0.1",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 hardening profile for MongoDB 6.x on Linux. Authentication, non-root service account, TLS configuration, audit/verbose logging, non-default port, keyfile permissions. Linux-only checks; assumes /etc/mongod.conf.",
      "category": "Database",
      "test_count": 10,
      "file": "cis-mongodb-6.0-l1.json"
    },
    {
      "external_id": "0038975191f7916390da9efca9576c11",
      "name": "CIS MongoDB 7 Benchmark v1.2.0 - Level 1",
      "version": "1.0.1",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 hardening profile for MongoDB 7.x on Linux. Same set of automatable checks as the 6.x profile, refreshed for the v1.2.0 PDF.",
      "category": "Database",
      "test_count": 10,
      "file": "cis-mongodb-7.0-l1.json"
    },
    {
      "external_id": "1e0ee52dc5bf9485a088623593523c51",
      "name": "CIS MongoDB 8 Benchmark v1.0.0 - Level 1",
      "version": "1.0.1",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 hardening profile for MongoDB 8.x on Linux. Same set of automatable checks as the 6.x and 7.x profiles.",
      "category": "Database",
      "test_count": 10,
      "file": "cis-mongodb-8.0-l1.json"
    },
    {
      "external_id": "20588f0c067821ca7f35dbd0d35b1495",
      "name": "CIS Microsoft IIS 10 Benchmark v1.2.1 - Level 1",
      "version": "1.0.0",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 hardening profile for Microsoft IIS 10 on Windows Server 2016/2019/2022. Directory browsing, WebDAV, forms-auth cookies, debug off, error page leakage, TRACE method, HSTS, SCHANNEL TLS protocol registry settings. Requires PowerShell with WebAdministration module on the agent.",
      "category": "Web",
      "test_count": 12,
      "file": "cis-iis-10-l1.json"
    },
    {
      "external_id": "d4a6acae98dd3e71ae541189f9f9f0ce",
      "name": "CIS MariaDB 10.11 Benchmark v1.0.0 - Level 1",
      "version": "1.0.0",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 hardening profile for MariaDB 10.11 on Linux. Disable client history, datadir permissions, secure server-side flags (allow-suspicious-udfs, symbolic links, secure_file_priv, sql_mode strict), audit logging, legacy auth plugin removed, TLS-only transport, replication cert verification. Requires the agent to authenticate as a user with SELECT on mysql.* and SHOW VARIABLES privileges.",
      "category": "Database",
      "test_count": 10,
      "file": "cis-mariadb-10.11-l1.json"
    },
    {
      "external_id": "26250199667d4261c271c0447207c6f8",
      "name": "CIS Docker Benchmark v1.8.0 - Level 1",
      "version": "1.0.0",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 hardening profile for Docker on Linux hosts. Audit rules for dockerd and /etc/docker, no-insecure-registries, TLS-protected daemon socket, file/directory ownership and permissions for the systemd unit, /etc/docker, /var/run/docker.sock, and daemon.json, and runtime checks for non-root container users and no privileged containers. Assumes a host with auditd installed and the agent running with permission to query the Docker socket.",
      "category": "Container",
      "test_count": 15,
      "file": "cis-docker-1.8.0-l1.json"
    },
    {
      "external_id": "452936171df597bf99ed0eb9e1b26f53",
      "name": "CIS Apache Tomcat 8 Benchmark v1.1.0 - Level 1",
      "version": "1.0.0",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 hardening profile for Apache Tomcat 8 on Linux. Server-banner suppression, TRACE off, nondeterministic shutdown command, CATALINA_HOME permissions, LockOutRealm, accurate connector scheme, package.access restrictions, auto/startup deploy disabled, bounded connection timeout, allowLinking false. server.xml lookups expand across /etc/tomcat*, /opt/tomcat*, /usr/share/tomcat*, /var/lib/tomcat*.",
      "category": "Web",
      "test_count": 12,
      "file": "cis-tomcat-8-l1.json"
    },
    {
      "external_id": "f420d32f469630efaf431c3869a049f4",
      "name": "CIS Apache Tomcat 9 Benchmark v1.2.0 - Level 1",
      "version": "1.0.0",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 hardening profile for Apache Tomcat 9 on Linux. Same automatable checks as the Tomcat 8 profile, refreshed for v1.2.0 PDF.",
      "category": "Web",
      "test_count": 12,
      "file": "cis-tomcat-9-l1.json"
    },
    {
      "external_id": "9dbacdc7530e564f81277beeaa5e0597",
      "name": "CIS Apache Tomcat 10 Benchmark v1.1.0 - Level 1",
      "version": "1.0.0",
      "author": "Center for Internet Security",
      "description": "CIS Level 1 hardening profile for Apache Tomcat 10 on Linux. Same automatable checks as the Tomcat 8/9 profiles; Tomcat 10 moved from javax.* to jakarta.* but the server.xml and catalina.properties surface checked here is unchanged.",
      "category": "Web",
      "test_count": 12,
      "file": "cis-tomcat-10-l1.json"
    }
  ]
}
