🔄 NIST 800-53 CIS Reference Update (2026-06-28)

shared/references/controls/nist_800_53_cis_reference_rhel10/ac.yml

@@ -90,9 +90,9 @@ controls:
       levels:
           - low
       rules:
+          - var_accounts_user_umask=027
           - var_selinux_policy_name=targeted
           - var_pam_wheel_group_for_su=cis
-          - var_accounts_user_umask=027
           - accounts_umask_etc_bashrc
           - accounts_umask_etc_login_defs
           - accounts_umask_etc_profile
@@ -495,8 +495,8 @@ controls:
       levels:
           - low
       rules:
-          - var_accounts_passwords_pam_faillock_root_unlock_time=60
           - var_accounts_passwords_pam_faillock_deny=5
+          - var_accounts_passwords_pam_faillock_root_unlock_time=60
           - var_accounts_passwords_pam_faillock_unlock_time=900
           - account_password_pam_faillock_password_auth
           - account_password_pam_faillock_system_auth
@@ -561,8 +561,8 @@ controls:
       levels:
           - moderate
       rules:
-          - inactivity_timeout_value=15_minutes
           - var_screensaver_lock_delay=5_seconds
+          - inactivity_timeout_value=15_minutes
           - dconf_gnome_screensaver_idle_delay
           - dconf_gnome_screensaver_lock_delay
           - dconf_gnome_screensaver_user_locks

shared/references/controls/nist_800_53_cis_reference_rhel10/au.yml

@@ -11,10 +11,16 @@ controls:
       levels:
           - low
       rules:
-          - var_auditd_admin_space_left_action=cis_rhel10
           - var_audit_backlog_limit=8192
+          - var_auditd_admin_space_left_action=cis_rhel10
+          - var_auditd_space_left_action=cis_rhel10
+          - var_auditd_admin_space_left_action=cis_rhel10
+          - var_auditd_space_left_action=cis_rhel10
           - var_auditd_space_left_action=cis_rhel10
           - var_auditd_action_mail_acct=root
+          - var_auditd_admin_space_left_action=cis_rhel10
+          - var_auditd_disk_error_action=cis_rhel10
+          - var_auditd_disk_full_action=cis_rhel10
           - aide_build_database
           - aide_periodic_cron_checking
           - audit_rules_execution_chacl
@@ -59,10 +65,11 @@ controls:
       levels:
           - low
       rules:
-          - sysctl_net_ipv4_conf_all_log_martians_value=enabled
-          - var_multiple_time_servers=rhel
           - sysctl_net_ipv4_conf_default_log_martians_value=enabled
+          - var_accounts_passwords_pam_faillock_dir=run
           - sshd_max_auth_tries_value=4
+          - var_multiple_time_servers=rhel
+          - sysctl_net_ipv4_conf_all_log_martians_value=enabled
           - audit_rules_dac_modification_chmod
           - audit_rules_dac_modification_chown
           - audit_rules_dac_modification_fchmod
@@ -160,6 +167,8 @@ controls:
       levels:
           - low
       rules:
+          - var_auditd_disk_full_action=cis_rhel10
+          - var_auditd_disk_error_action=cis_rhel10
           - var_auditd_disk_full_action=cis_rhel10
           - var_auditd_disk_error_action=cis_rhel10
           - auditd_data_disk_error_action
@@ -264,6 +273,7 @@ controls:
       levels:
           - low
       rules:
+          - var_auditd_max_log_file=8
           - var_auditd_max_log_file=8
           - var_auditd_max_log_file_action=keep_logs
           - auditd_data_retention_max_log_file

shared/references/controls/nist_800_53_cis_reference_rhel10/cm.yml

@@ -5,12 +5,30 @@ controls:
       levels:
           - low
       rules:
-          - var_user_initialization_files_regex=all_dotfiles
           - var_sshd_set_maxstartups=10:30:60
           - sshd_idle_timeout_value=5_minutes
+          - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
+          - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+          - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+          - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+          - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
+          - var_user_initialization_files_regex=all_dotfiles
+          - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
+          - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+          - sysctl_net_ipv4_tcp_syncookies_value=enabled
+          - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+          - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+          - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+          - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
+          - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+          - sysctl_net_ipv6_conf_all_forwarding_value=disabled
           - var_sshd_set_keepalive=1
-          - var_accounts_maximum_age_login_defs=365
+          - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
+          - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
           - var_sshd_max_sessions=10
+          - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
+          - var_accounts_maximum_age_login_defs=365
+          - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
           - account_password_pam_faillock_password_auth
           - account_password_pam_faillock_system_auth
           - account_unique_id
@@ -61,7 +79,6 @@ controls:
           - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
           - sysctl_net_ipv4_ip_forward
           - sysctl_net_ipv4_tcp_syncookies
-          - sysctl_net_ipv4_tcp_syncookies_value=enabled
           - sysctl_net_ipv6_conf_all_accept_ra
           - sysctl_net_ipv6_conf_all_accept_redirects
           - sysctl_net_ipv6_conf_all_accept_source_route
@@ -215,29 +232,29 @@ controls:
       levels:
           - low
       rules:
-          - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
-          - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
-          - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
-          - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
           - sysctl_net_ipv4_conf_default_forwarding_value=disabled
+          - sysctl_net_ipv4_conf_default_log_martians_value=enabled
+          - var_accounts_user_umask=027
+          - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
           - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
-          - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
+          - var_sshd_set_login_grace_time=60
           - sysctl_net_ipv4_conf_all_log_martians_value=enabled
-          - sysctl_net_ipv6_conf_all_forwarding_value=disabled
-          - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
-          - cis_banner_text=cis
-          - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
-          - var_accounts_user_umask=027
-          - sysctl_net_ipv4_conf_default_log_martians_value=enabled
-          - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
-          - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
           - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
-          - var_sshd_set_login_grace_time=60
+          - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+          - cis_banner_text=cis
+          - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
+          - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
           - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
-          - sysctl_net_ipv6_conf_default_forwarding_value=disabled
+          - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+          - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+          - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+          - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
+          - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+          - sysctl_net_ipv6_conf_all_forwarding_value=disabled
+          - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
           - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
           - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
-          - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+          - sysctl_net_ipv6_conf_default_forwarding_value=disabled
           - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
           - accounts_password_pam_modules_in_authselect_profile
           - accounts_password_pam_pwquality_password_auth

shared/references/controls/nist_800_53_cis_reference_rhel10/ia.yml

@@ -152,16 +152,20 @@ controls:
       levels:
           - low
       rules:
-          - var_password_hashing_algorithm_pam=cis_rhel10
           - var_password_hashing_algorithm=cis_rhel10
-          - var_accounts_minimum_age_login_defs=1
-          - var_password_pam_maxsequence=3
+          - var_password_pam_difok=2
+          - var_password_hashing_algorithm_pam=cis_rhel10
+          - var_password_pam_minlen=14
           - var_password_pam_maxrepeat=3
+          - var_password_hashing_algorithm=cis_rhel10
           - var_accounts_password_warn_age_login_defs=7
-          - var_password_pam_dictcheck=1
           - var_password_pam_minclass=4
-          - var_password_pam_minlen=14
-          - var_password_pam_difok=2
+          - var_password_hashing_algorithm_pam=cis_rhel10
+          - var_password_hashing_algorithm_pam=cis_rhel10
+          - var_password_pam_maxsequence=3
+          - var_password_pam_dictcheck=1
+          - var_accounts_minimum_age_login_defs=1
+          - var_password_hashing_algorithm=cis_rhel10
           - accounts_minimum_age_login_defs
           - accounts_password_all_shadowed
           - accounts_password_last_change_is_in_past

shared/references/controls/nist_800_53_cis_reference_rhel8/ac.yml

@@ -90,8 +90,8 @@ controls:
       levels:
           - low
       rules:
-          - var_pam_wheel_group_for_su=cis
           - var_accounts_user_umask=027
+          - var_pam_wheel_group_for_su=cis
           - var_selinux_policy_name=targeted
           - accounts_umask_etc_bashrc
           - accounts_umask_etc_login_defs
@@ -499,9 +499,9 @@ controls:
       levels:
           - low
       rules:
-          - var_accounts_passwords_pam_faillock_unlock_time=900
           - var_accounts_passwords_pam_faillock_deny=5
           - var_accounts_passwords_pam_faillock_root_unlock_time=60
+          - var_accounts_passwords_pam_faillock_unlock_time=900
           - account_password_pam_faillock_password_auth
           - account_password_pam_faillock_system_auth
           - accounts_passwords_pam_faillock_deny

shared/references/controls/nist_800_53_cis_reference_rhel8/au.yml

@@ -11,9 +11,15 @@ controls:
       levels:
           - low
       rules:
+          - var_auditd_space_left_action=cis_rhel8
+          - var_auditd_space_left_action=cis_rhel8
           - var_auditd_admin_space_left_action=cis_rhel8
+          - var_auditd_disk_error_action=cis_rhel8
+          - var_auditd_disk_full_action=cis_rhel8
           - var_auditd_space_left_action=cis_rhel8
+          - var_auditd_admin_space_left_action=cis_rhel8
           - var_audit_backlog_limit=8192
+          - var_auditd_admin_space_left_action=cis_rhel8
           - aide_build_database
           - aide_periodic_cron_checking
           - audit_rules_execution_chacl
@@ -59,9 +65,10 @@ controls:
           - low
       rules:
           - sysctl_net_ipv4_conf_all_log_martians_value=enabled
-          - sshd_max_auth_tries_value=4
           - var_multiple_time_servers=rhel
           - sysctl_net_ipv4_conf_default_log_martians_value=enabled
+          - var_accounts_passwords_pam_faillock_dir=run
+          - sshd_max_auth_tries_value=4
           - audit_rules_dac_modification_chmod
           - audit_rules_dac_modification_chown
           - audit_rules_dac_modification_fchmod
@@ -156,6 +163,8 @@ controls:
       rules:
           - var_auditd_disk_error_action=cis_rhel8
           - var_auditd_disk_full_action=cis_rhel8
+          - var_auditd_disk_full_action=cis_rhel8
+          - var_auditd_disk_error_action=cis_rhel8
           - auditd_data_disk_error_action
           - auditd_data_disk_full_action
       status: automated
@@ -260,6 +269,7 @@ controls:
       rules:
           - var_auditd_max_log_file_action=keep_logs
           - var_auditd_max_log_file=8
+          - var_auditd_max_log_file=8
           - auditd_data_retention_max_log_file
           - auditd_data_retention_max_log_file_action
       status: automated

shared/references/controls/nist_800_53_cis_reference_rhel8/cm.yml

@@ -5,12 +5,30 @@ controls:
       levels:
           - low
       rules:
-          - sshd_idle_timeout_value=5_minutes
+          - var_accounts_maximum_age_login_defs=365
+          - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
+          - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
+          - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+          - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
+          - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
+          - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
+          - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+          - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
           - var_sshd_max_sessions=10
-          - var_sshd_set_keepalive=1
+          - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
           - var_sshd_set_maxstartups=10:30:60
+          - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
+          - sysctl_net_ipv6_conf_all_forwarding_value=disabled
+          - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+          - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+          - var_sshd_set_keepalive=1
+          - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+          - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
+          - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
+          - sysctl_net_ipv4_tcp_syncookies_value=enabled
+          - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+          - sshd_idle_timeout_value=5_minutes
           - var_user_initialization_files_regex=all_dotfiles
-          - var_accounts_maximum_age_login_defs=365
           - account_password_pam_faillock_password_auth
           - account_password_pam_faillock_system_auth
           - account_unique_id
@@ -61,7 +79,6 @@ controls:
           - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
           - sysctl_net_ipv4_ip_forward
           - sysctl_net_ipv4_tcp_syncookies
-          - sysctl_net_ipv4_tcp_syncookies_value=enabled
           - sysctl_net_ipv6_conf_all_accept_ra
           - sysctl_net_ipv6_conf_all_accept_redirects
           - sysctl_net_ipv6_conf_all_accept_source_route
@@ -215,31 +232,31 @@ controls:
       levels:
           - low
       rules:
-          - var_sshd_set_login_grace_time=60
-          - sysctl_net_ipv4_conf_all_log_martians_value=enabled
-          - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
-          - cis_banner_text=cis
-          - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
-          - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
+          - var_authselect_profile=sssd
           - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
-          - var_accounts_user_umask=027
+          - sysctl_net_ipv6_conf_default_forwarding_value=disabled
+          - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
           - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
-          - var_authselect_profile=sssd
-          - sysctl_net_ipv6_conf_all_forwarding_value=disabled
-          - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
-          - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
           - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
-          - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
-          - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
-          - sysctl_net_ipv4_conf_default_forwarding_value=disabled
+          - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
           - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
-          - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
-          - sysctl_net_ipv4_conf_default_log_martians_value=enabled
-          - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
-          - sysctl_net_ipv6_conf_default_forwarding_value=disabled
-          - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+          - var_accounts_user_umask=027
           - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+          - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+          - cis_banner_text=cis
           - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+          - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
+          - sysctl_net_ipv4_conf_default_forwarding_value=disabled
+          - sysctl_net_ipv6_conf_all_forwarding_value=disabled
+          - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+          - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+          - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+          - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
+          - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
+          - sysctl_net_ipv4_conf_all_log_martians_value=enabled
+          - var_sshd_set_login_grace_time=60
+          - sysctl_net_ipv4_conf_default_log_martians_value=enabled
+          - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
           - accounts_password_pam_modules_in_authselect_profile
           - accounts_password_pam_pwquality_password_auth
           - accounts_password_pam_pwquality_system_auth

shared/references/controls/nist_800_53_cis_reference_rhel8/ia.yml

@@ -152,13 +152,17 @@ controls:
       levels:
           - low
       rules:
-          - var_password_pam_maxrepeat=3
+          - var_accounts_password_warn_age_login_defs=7
+          - var_password_hashing_algorithm_pam=cis_rhel8
+          - var_password_pam_dictcheck=1
           - var_password_pam_minlen=14
           - var_password_hashing_algorithm=cis_rhel8
-          - var_password_hashing_algorithm_pam=cis_rhel8
+          - var_password_hashing_algorithm=cis_rhel8
           - var_password_pam_maxsequence=3
-          - var_accounts_password_warn_age_login_defs=7
-          - var_password_pam_dictcheck=1
+          - var_password_hashing_algorithm=cis_rhel8
+          - var_password_hashing_algorithm_pam=cis_rhel8
+          - var_password_pam_maxrepeat=3
+          - var_password_hashing_algorithm_pam=cis_rhel8
           - var_password_pam_difok=2
           - accounts_password_all_shadowed
           - accounts_password_last_change_is_in_past

shared/references/controls/nist_800_53_cis_reference_rhel9/ac.yml

@@ -90,8 +90,8 @@ controls:
       levels:
           - low
       rules:
-          - var_accounts_user_umask=027
           - var_pam_wheel_group_for_su=cis
+          - var_accounts_user_umask=027
           - var_selinux_policy_name=targeted
           - accounts_umask_etc_bashrc
           - accounts_umask_etc_login_defs
@@ -516,8 +516,8 @@ controls:
       levels:
           - low
       rules:
-          - dconf_login_banner_contents=cis_default
           - dconf_login_banner_text=cis_banners
+          - dconf_login_banner_contents=cis_default
           - dconf_gnome_banner_enabled
           - dconf_gnome_login_banner_text
       status: automated