Center for Internet Security (CIS) Azure Linux 3.0 benchmark

Important

This article applies only to Azure Linux 3.0 and the Azure Linux 3.0 Container Host image used by AKS. The recommendation statuses and guidance reflect the CIS Azure Linux 3.0 Benchmark v1.0 and a point-in-time Azure Linux 3.0 image (released July 2, 2025). They might not apply to other Azure Linux releases (for example, Azure Linux 2.0). Verify the OS version and benchmark version before applying guidance.

The security OS configuration applied to the Azure Linux Container Host for AKS image is based on the Azure Linux security baseline, which aligns with the CIS benchmark. As a secure service, AKS complies with SOC, ISO, PCI DSS, and HIPAA standards. For more information about the Azure Linux Container Host security, see Security concepts for clusters in Azure Kubernetes Service (AKS).

Recommendations

The table has the following columns:

  • CIS ID: The associated rule ID with each of the baseline rules.
  • Recommendation description: A description of the recommendation issued by the CIS benchmark.
  • Level: L1, or Level 1, recommends essential basic security requirements that can be configured on any system and should cause little or no interruption of service or reduced functionality.
  • Status:
    • Pass - The recommendation has been applied.
    • Fail - The recommendation hasn't been applied.
    • N/A - The recommendation relates to manifest file permission requirements that aren't relevant to AKS.
    • Depends on Environment - The recommendation is applied in the user's specific environment and isn't controlled by AKS.
    • Equivalent Control - The recommendation has been implemented in a different equivalent manner.
  • Reason:
    • Potential Operation Impact - The recommendation wasn't applied because it would have a negative effect on the service.
    • Covered Elsewhere - The recommendation is covered by another control in Azure cloud compute.

Azure Linux 3.0 Benchmarks

The following are the results from the CIS Azure Linux 3.0 Benchmark v1.0 recommendations based on the CIS rules:

CIS ID Recommendation description Status Reason
1.1.1.1 Ensure cramfs kernel module is not available Pass
1.1.1.2 Ensure freevxfs kernel module is not available Pass
1.1.1.3 Ensure hfs kernel module is not available Pass
1.1.1.4 Ensure hfsplus kernel module is not available Pass
1.1.1.5 Ensure jffs2 kernel module is not available Pass
1.1.1.6 Ensure unused filesystems kernel modules are not available N/A
1.1.2.1.1 Ensure /tmp is a separate partition Pass
1.1.2.1.2 Ensure nodev option set on /tmp partition Pass
1.1.2.1.3 Ensure nosuid option set on /tmp partition Pass
1.1.2.2.1 Ensure /dev/shm is a separate partition Pass
1.1.2.2.2 Ensure nodev option set on /dev/shm partition Pass
1.1.2.2.3 Ensure nosuid option set on /dev/shm partition Pass
1.2.1.1 Ensure GPG keys are configured N/A
1.2.1.2 Ensure gpgcheck is configured Pass
1.2.1.3 Ensure TDNF gpgcheck is globally activated Pass
1.2.1.4 Ensure package manager repositories are configured N/A
1.3.1 Ensure address space layout randomization is enabled Fail CIS ID 1.3.1 requires the OS to explicitly set a configuration to enable ASLR. In Azure Linux 3.0, this is the default behavior. However, to meet this benchmark and ensure the OS is resilient against upstream default changes, this configuration will be explicitly set in an upcoming release.
1.3.2 Ensure ptrace_scope is restricted Pass
1.3.3 Ensure core dump backtraces are disabled Pass
1.3.4 Ensure core dump storage is disabled Pass
1.4.1 Ensure local login warning banner is configured properly Pass
1.4.2 Ensure remote login warning banner is configured properly Pass
1.4.3 Ensure access to /etc/motd is configured Pass
1.4.4 Ensure access to /etc/issue is configured Pass
1.4.5 Ensure access to /etc/issue.net is configured Pass
2.1.1 Ensure time synchronization is in use Pass
2.1.2 Ensure chrony is configured Pass
2.2.1 Ensure xinetd is not installed Pass
2.2.2 Ensure xorg-x11-server-common is not installed Pass
2.2.3 Ensure avahi is not installed Pass
2.2.4 Ensure a print server is not installed Pass
2.2.5 Ensure a dhcp server is not installed Pass
2.2.6 Ensure a dns server is not installed Pass
2.2.7 Ensure FTP client is not installed Pass
2.2.8 Ensure an ftp server is not installed Pass
2.2.9 Ensure a tftp server is not installed Pass
2.2.10 Ensure a web server is not installed Pass
2.2.11 Ensure IMAP and POP3 server is not installed Pass
2.2.12 Ensure Samba is not installed Pass
2.2.13 Ensure HTTP Proxy Server is not installed Pass
2.2.14 Ensure net-snmp is not installed or the snmpd service is not enabled Pass
2.2.15 Ensure NIS server is not installed Pass
2.2.16 Ensure telnet-server is not installed Pass
2.2.17 Ensure mail transfer agent is configured for local-only mode Pass
2.2.18 Ensure nfs-utils is not installed or the nfs-server service is masked Pass
2.2.19 Ensure rsync-daemon is not installed or the rsyncd service is masked Pass
2.3.1 Ensure NIS Client is not installed Pass
2.3.2 Ensure rsh client is not installed Pass
2.3.3 Ensure talk client is not installed Pass
2.3.4 Ensure telnet client is not installed Pass
2.3.5 Ensure LDAP client is not installed Pass
2.3.6 Ensure TFTP client is not installed Pass
3.1.1 Ensure packet redirect sending is disabled Pass
3.1.2 Ensure bogus icmp responses are ignored Pass
3.1.3 Ensure broadcast icmp requests are ignored Pass
3.1.4 Ensure icmp redirects are not accepted Pass
3.1.5 Ensure secure icmp redirects are not accepted Pass
3.1.6 Ensure reverse path filtering is enabled Pass
3.1.7 Ensure source routed packets are not accepted Pass
3.1.8 Ensure suspicious packets are logged Pass
3.1.9 Ensure tcp syn cookies is enabled Pass
3.1.10 Ensure ipv6 router advertisements are not accepted Pass
4.1.1 Ensure iptables is installed Pass
4.1.2 Ensure nftables is not in use Pass
4.1.3 Ensure firewalld is not in use Pass
5.1.1 Ensure cron daemon is enabled Pass
5.1.2 Ensure permissions on /etc/crontab are configured Pass
5.1.3 Ensure permissions on /etc/cron.hourly are configured Pass
5.1.4 Ensure permissions on /etc/cron.daily are configured Pass
5.1.5 Ensure permissions on /etc/cron.weekly are configured Pass
5.1.6 Ensure permissions on /etc/cron.monthly are configured Pass
5.1.7 Ensure permissions on /etc/cron.d are configured Pass
5.1.8 Ensure cron is restricted to authorized users Pass
5.1.9 Ensure at is restricted to authorized users Pass
5.2.1 Ensure access to /etc/ssh/sshd_config is configured Pass
5.2.2 Ensure access to SSH private host key files is configured Pass
5.2.3 Ensure access to SSH public host key files is configured Pass
5.2.4 Ensure sshd Ciphers are configured Pass
5.2.5 Ensure sshd KexAlgorithms is configured Pass
5.2.6 Ensure sshd MACs are configured Pass
5.2.7 Ensure sshd access is configured Pass
5.2.8 Ensure sshd Banner is configured Pass
5.2.9 Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured Pass
5.2.10 Ensure sshd HostbasedAuthentication is disabled Pass
5.2.11 Ensure sshd IgnoreRhosts is enabled Pass
5.2.12 Ensure sshd LoginGraceTime is configured Pass
5.2.13 Ensure sshd LogLevel is configured Pass
5.2.14 Ensure sshd MaxAuthTries is configured Pass
5.2.15 Ensure sshd MaxStartups is configured Pass
5.2.16 Ensure sshd MaxSessions is configured Pass
5.2.17 Ensure sshd PermitEmptyPasswords is disabled Pass
5.2.18 Ensure sshd PermitRootLogin is disabled Pass
5.2.19 Ensure sshd PermitUserEnvironment is disabled Pass
5.2.20 Ensure sshd UsePAM is enabled Pass
5.3.1 Ensure sudo is installed Pass
5.3.2 Ensure re-authentication for privilege escalation is not disabled globally Pass
5.3.3 Ensure sudo authentication timeout is configured correctly Pass
5.4.1 Ensure password creation requirements are configured Pass
5.4.2 Ensure lockout for failed password attempts is configured Pass
5.4.3 Ensure password hashing algorithm is SHA-512 Pass
5.4.4 Ensure password reuse is limited Pass
5.5.1.1 Ensure password expiration is 365 days or less Pass
5.5.1.2 Ensure minimum days between password changes is configured Pass
5.5.1.3 Ensure password expiration warning days is 7 or more Pass
5.5.1.4 Ensure inactive password lock is 30 days or less Pass
5.5.1.5 Ensure all users last password change date is in the past Pass
5.5.2 Ensure system accounts are secured Pass
5.5.3 Ensure default group for the root account is GID 0 Pass
5.5.4 Ensure default user umask is 027 or more restrictive Pass
6.1.1.1.1 Ensure journald service is active Pass
6.1.1.1.2 Ensure journald log file access is configured N/A
6.1.1.1.3 Ensure journald ForwardToSyslog is configured Pass
6.1.1.1.4 Ensure systemd-journal-remote service is not in use Pass
6.1.1.1.5 Ensure journald Storage is configured Pass
6.1.1.1.6 Ensure journald Compress is configured Pass
6.1.2.1 Ensure rsyslog service is enabled and active Pass
6.1.2.2 Ensure rsyslog log file creation mode is configured Pass
6.1.2.3 Ensure rsyslog is not configured to receive logs from a remote client Pass
6.1.3.1 Ensure access to all logfiles has been configured Pass
6.2 Ensure logrotate is configured N/A
7.1.1 Ensure access to /etc/passwd is configured Pass
7.1.2 Ensure access to /etc/passwd- is configured Pass
7.1.3 Ensure access to /etc/group is configured Pass
7.1.4 Ensure access to /etc/group- is configured Pass
7.1.5 Ensure access to /etc/shadow is configured Pass
7.1.6 Ensure access to /etc/shadow- is configured Pass
7.1.7 Ensure access to /etc/gshadow is configured Pass
7.1.8 Ensure access to /etc/gshadow- is configured Pass
7.1.9 Ensure access to /etc/shells is configured Pass
7.1.10 Ensure access to /etc/security/opasswd is configured Pass
7.1.11 Ensure world writable files and directories are secured Pass
7.1.12 Ensure no files or directories without an owner and a group exist Pass
7.2.1 Ensure accounts in /etc/passwd use shadowed passwords Pass
7.2.2 Ensure /etc/shadow password fields are not empty Pass
7.2.3 Ensure all groups in /etc/passwd exist in /etc/group Pass
7.2.4 Ensure no duplicate UIDs exist Pass
7.2.5 Ensure no duplicate GIDs exist Pass
7.2.6 Ensure no duplicate user names exist Pass
7.2.7 Ensure no duplicate group names exist Pass
7.2.8 Ensure local interactive user home directories are configured Pass
7.2.9 Ensure local interactive user dot files access is configured Pass
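The 1.3.1 row above turns on a distinction worth being able to audit yourself: a sysctl key can already sit at the required value at runtime (the kernel default) while no sysctl configuration file pins it explicitly, which is what the benchmark checks for. The following script is an added example, not code from the Azure Linux documentation or the CIS benchmark; it reports that gap for kernel.randomize_va_space and, because the same check applies to the sysctl-based items in section 3.1 (for example net.ipv4.tcp_syncookies), takes the key and expected value as parameters. File paths are passed in as arguments so the script runs offline on constructed sample files; the function names and the ordering rule (files applied in the order given, last assignment wins) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Azure Linux docs or the CIS benchmark).
# Audits whether a sysctl key is at its expected value at runtime AND is
# explicitly pinned in a sysctl configuration file, the distinction behind
# the 1.3.1 "Fail" in the table. Works for any key/expected pair.

# runtime_value FILE
#   Prints the current kernel value read from a /proc/sys-style file
#   (e.g. /proc/sys/kernel/randomize_va_space), or "unknown" if unreadable.
runtime_value() {
    cat "$1" 2>/dev/null || echo "unknown"
}

# config_value KEY FILE...
#   Prints the value KEY is explicitly assigned in the given sysctl config
#   files, applied in the order given (last assignment wins), or "unset" if
#   no file assigns it. Comment text after # or ; is ignored.
config_value() {
    key="$1"; shift
    value="unset"
    # Escape the dots in the key so they match literally in grep -E.
    pattern=$(printf '%s' "$key" | sed 's/\./\\./g')
    for f in "$@"; do
        [ -f "$f" ] || continue
        v=$(sed -e 's/[#;].*$//' "$f" \
            | grep -E "^[[:space:]]*${pattern}[[:space:]]*=" \
            | tail -n 1 \
            | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -n "$v" ] && value="$v"
    done
    echo "$value"
}

# check_key KEY EXPECTED RUNTIME_FILE CONFIG_FILE...
#   Return 0: runtime and explicit config both equal EXPECTED (benchmark pass).
#   Return 1: runtime is right but no config file pins it (the 1.3.1 situation).
#   Return 2: the runtime value itself is wrong.
check_key() {
    key="$1"; expected="$2"; rt_file="$3"; shift 3
    runtime=$(runtime_value "$rt_file")
    configured=$(config_value "$key" "$@")
    if [ "$runtime" != "$expected" ]; then
        echo "FAIL  $key runtime=$runtime expected=$expected"
        return 2
    elif [ "$configured" != "$expected" ]; then
        echo "FAIL  $key runtime=$runtime but config=$configured (not explicitly set)"
        return 1
    fi
    echo "PASS  $key runtime=$runtime config=$configured"
    return 0
}

# --- constructed demo data (not real Azure Linux files) ---
demo=$(mktemp -d)
echo 2 > "$demo/randomize_va_space"                       # kernel default: full ASLR
printf 'fs.suid_dumpable = 0\n' > "$demo/10-other.conf"   # no ASLR line at all
printf '# pin ASLR explicitly\nkernel.randomize_va_space = 2\n' > "$demo/60-aslr.conf"

echo "Without an explicit setting (mirrors the 1.3.1 result in the table):"
check_key kernel.randomize_va_space 2 "$demo/randomize_va_space" "$demo/10-other.conf" || :
echo "With the setting pinned in a drop-in file:"
check_key kernel.randomize_va_space 2 "$demo/randomize_va_space" \
    "$demo/10-other.conf" "$demo/60-aslr.conf" || :
rm -rf "$demo"
```

On a live host you would pass the real paths, for example `check_key kernel.randomize_va_space 2 /proc/sys/kernel/randomize_va_space /etc/sysctl.conf /etc/sysctl.d/*.conf`; note that this only approximates `sysctl --system`, which also reads /run/sysctl.d and /usr/lib/sysctl.d and orders files by basename across those directories, so pass the files in the order your system actually applies them.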

Next steps

For more information about Azure Linux Container Host security, see the following article: