Kensa Rules Catalog
One rule, every framework it satisfies
Browse the Kensa hardening rule corpus. Every rule carries the frameworks it satisfies — STIG, NIST 800-53, CIS, PCI-DSS — as metadata, so one rule maps to many frameworks.
Sample preview · the full signed corpus syncs from the Kensa repository
9 rules
Audit uses of the shutdown command
All uses of the shutdown command must be recorded by the audit subsystem so privileged availability-affecting actions are attributable.
Disable SSH root login
Direct root login over SSH must be disabled so administrative access is attributable to an individual account.
Enable ASLR (kernel.randomize_va_space)
Address space layout randomization must be set to the fully randomized value to mitigate memory-corruption exploitation.
Enable the auditd service
The audit daemon must be enabled at boot so that security-relevant events are captured from system start.
Ensure the telnet server is not installed
The telnet server transmits credentials in cleartext and must not be present on the system.
Forward logs to a remote log host
System logs must be forwarded to a central log host so audit records survive compromise of the originating system.
Lock accounts after failed authentication attempts
Accounts must be locked after a defined number of consecutive failed logon attempts to slow credential brute-forcing.
Mount /tmp with nodev
The /tmp filesystem must be mounted with the nodev option so device files cannot be created in a world-writable directory.
Set SELinux to enforcing mode
SELinux must run in enforcing mode so mandatory access control policy is applied rather than merely logged.