Security Tools

CIS Linux Benchmark Checklist

Review CIS Linux hardening checks interactively.

beginner5 minRuns in your browser

Interactive workspace

Inputs stay on your device — nothing is sent to our servers unless you choose to share.

Client-side only
0/6

CIS hardening review

Selected checks from CIS Linux Benchmark — verify on target hosts

0 of 6 complete0%
Run corresponding audit commands on each host — this tool tracks review progress, not live system state.

Documentation

How to use this tool, practical use cases, and technical notes.

The CIS Linux Benchmark Checklist is a review-tracking tool — not an automated scanner. You run the audit commands on your Linux hosts, evaluate the output against the expected state, and mark each control complete in the checklist. Here is the full step-by-step workflow.

Step 1 — Open the Tool

Navigate to the checklist at pentesterworld.com. The tool loads instantly in your browser with 0/6 items complete and a 0% hardening review score. No login, no installation, and no extensions required.

Step 2 — Prepare Your Linux Host for Review

Before working through each item, ensure you have terminal access to the target host with sufficient privileges to run audit commands. Most checks require either root access or sudo rights.

Access methods by environment:

Environment

Recommended Access Method

Physical / bare-metal server

Direct console or SSH session

Virtual machine (VMware, VirtualBox)

SSH or VM console

Cloud instance (AWS EC2, GCP VM, Azure VM)

SSH via key pair; use Session Manager for keyless access

Container (Docker, LXC)

docker exec -it <container> bash

Kubernetes pod

kubectl exec -it <pod> -- /bin/bash

Step 3 — Work Through Each Domain Tab

The tool organizes checks across six tabs. You can work through all items on the "All" tab or focus on one domain at a time:

Tab

Check

Audit Command to Run

Filesystem

cramfs disabled

modprobe cramfs 2>&1 | grep -i 'not found|no such' or check /etc/modprobe.d/ for install cramfs /bin/true

Permissions

/etc/passwd mode 644

stat /etc/passwd — look for Access: (0644/-rw-r--r--)

SSH

PermitRootLogin no

sshd -T | grep permitrootlogin — expected: permitrootlogin no

Authentication

PAM password quality

cat /etc/security/pwquality.conf — verify minlen, dcredit, ucredit etc.

Logging

auditd enabled

systemctl is-enabled auditd && systemctl is-active auditd

Network

Firewall active

ufw status (Ubuntu) or nft list ruleset (nftables) or firewall-cmd --state (RHEL/CentOS)

Step 4 — Interpret Audit Command Output

For each check, compare your command output against the expected compliant state:

Check

Non-Compliant Output

Compliant Output

cramfs disabled

Module loads without error

modprobe: FATAL: Module cramfs not found or config entry install cramfs /bin/true

/etc/passwd permissions

Mode 0777, 0755, 0664 or higher

Mode 0644 (-rw-r--r--) with owner root:root

SSH PermitRootLogin

permitrootlogin yes or permitrootlogin prohibit-password

permitrootlogin no

Password requirements

No pwquality.conf or all defaults

minlen=14, dcredit=-1, ucredit=-1, lcredit=-1, ocredit=-1 configured

auditd status

inactive or disabled

active (running) and enabled

Firewall status

Status: inactive or no rules

Status: active with deny-by-default policy and explicit allow rules

Step 5 — Mark Items Complete

Only mark an item complete when your audit command output confirms the compliant state on the target system. The progress bar updates in real time:

Score

Hardening Posture Interpretation

0 / 6 (0%)

No hardening in place — default OS install state; high-risk

1–2 / 6 (17–33%)

Minimal hardening — significant attack surface exposed

3–4 / 6 (50–67%)

Partial hardening — common misconfigurations remain

5 / 6 (83%)

Strong hardening — one gap remaining; typically low risk

6 / 6 (100%)

All selected controls verified — strong CIS baseline posture

Step 6 — Remediate Non-Compliant Items

For any item marked incomplete, apply the remediation below before re-running the audit command:

Check

Remediation Command / Action

Disable cramfs

echo "install cramfs /bin/true" >> /etc/modprobe.d/cramfs.conf then rmmod cramfs 2>/dev/null

Fix /etc/passwd permissions

chmod 644 /etc/passwd && chown root:root /etc/passwd

Disable SSH root login

Edit /etc/ssh/sshd_config: set PermitRootLogin no then systemctl restart sshd

Set password requirements

Install libpam-pwquality and configure /etc/security/pwquality.conf with minlen=14 and complexity rules

Enable auditd

apt install auditd -y && systemctl enable auditd && systemctl start auditd (Debian/Ubuntu) or yum install audit && systemctl enable auditd && systemctl start auditd (RHEL/CentOS)

Activate firewall

Ubuntu: ufw enable && ufw default deny incoming — RHEL: systemctl enable firewalld && systemctl start firewalld

Step 7 — Export Your Report

Click "Copy report" to export your review state to the clipboard. Paste the output into:

  • An internal wiki, Confluence page, or Notion doc as evidence of your hardening review

  • A GRC platform evidence attachment for your CIS benchmark compliance documentation

  • A ticketing system (Jira, ServiceNow) to track open remediation items

  • An audit evidence package for an external auditor or customer security review

Step 8 — Repeat Per Host

This checklist tracks the review state for a single host session. For environments with multiple Linux servers, repeat the process per host. Consider creating a simple naming convention in your exported report to distinguish servers (e.g., "web-prod-01", "db-prod-02", "bastion").