These notes are valid as of the CIS Red Hat Enterprise Linux & CentOS 6 benchmark version 2.0.1 and RHEL & CentOS 7 benchmark version 2.1.0.
General comments: This playbook follows the CIS benchmark as closely as possible and is very restrictive. Modifications will be required if the server(s) will play a specific role such as web server.
Mount points need to be created manually.
Existing mounts will be modified with benchmark options. Mount points are not created if not pre-existing.
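As an added example (not part of the playbook), a POSIX shell check that mirrors this behaviour from the audit side: it reports which benchmark options an existing fstab entry lacks and does nothing for mount points that are not listed. The fstab contents and the option lists used below are constructed for the example.

```shell
#!/bin/sh
# Added example: audit fstab entries for CIS-style mount options.
# check_mount_opts FSTAB MOUNTPOINT "opt1 opt2 ..."
# Exit status: 0 = entry present with all options
#              1 = entry present, some options missing (listed on stdout)
#              2 = mount point not in fstab (nothing to modify, as in the playbook)
check_mount_opts() {
    fstab=$1; mp=$2; wanted=$3
    # Field 2 is the mount point, field 4 the option list; comments are skipped.
    opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$fstab")
    [ -n "$opts" ] || return 2
    missing=""
    for o in $wanted; do
        # Wrap in commas so "nodev" does not match inside "nodevfoo".
        case ",$opts," in
            *",$o,"*) ;;
            *) missing="$missing $o" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    printf '%s missing:%s\n' "$mp" "$missing"
    return 1
}

# Writes a constructed sample fstab (assumption, not a real system) to $1.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample fstab for the example
/dev/mapper/vg-root  /         ext4   defaults                      1 1
/dev/mapper/vg-tmp   /tmp      ext4   defaults,nodev                1 2
tmpfs                /dev/shm  tmpfs  defaults,nodev,nosuid,noexec  0 0
EOF
}

# Stand-alone demonstration: /tmp lacks nosuid,noexec; /var/tmp has no entry.
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    write_sample_fstab "$f"
    for mp in /tmp /dev/shm /var/tmp; do
        check_mount_opts "$f" "$mp" "nodev nosuid noexec"; echo "$mp -> rc=$?"
    done
    rm -f "$f"
fi
```

Run with `sh check_mounts.sh demo` to see the three outcomes on the sample fstab.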
Skipped: Not relevant to virtual machines. If physical machines are used, this will need to be enabled.
Skipped: May be too destructive on systems. Implement manually if required.
Skipped: Run systemctl unmask tmp.mount and systemctl enable tmp.mount manually.
Skipped: Check manually.
Skipped: Checking for unconfined daemons should be done via cron jobs or manual inspection.
Skipped: Patches should be pushed during a planned maintenance window or via Blue/Green deployment methodology.
ntp.conf should be configured to use the desired NTP servers.
Default deny policy should be set manually.
Configure firewall rules manually as required to support each workload.
Servers should be configured to ship logs to central logging server.
Skipped: Only applied if using syslog-ng. Assumption is that rsyslog is used.
Server must be configured to push log files to designated log collector.
This task appears to cause the warning banner to be shown twice on login.
Configure manually. The PAM configuration task in section 5.3.1 breaks SSH login on RHEL 6 but works on CentOS, so it is skipped on RHEL 6 for now.
Skipped: Restricting root access only to the system console is a bit too restrictive for most environments.
Existing user password age is not modified.
Skipped: To do later.