@TheSL18 TheSL18 commented Oct 21, 2025

CIS Benchmark for Arch Linux (Wazuh SCA Policy)

Author

Kevin David Muñoz (MrHacker)
Wazuh Ambassador


Overview

This repository introduces the CIS Benchmark for Arch Linux (Rolling Release), implemented as a Security Configuration Assessment (SCA) policy for Wazuh.

Since Arch Linux lacks an official CIS benchmark, this policy aims to bring compliance and security auditing capabilities aligned with CIS Level 1, PCI-DSS, and Linux hardening best practices.

The policy is tailored for rolling-release environments, ensuring it remains functional across constant system updates and compatible with both official Arch and Arch-based distributions.


⚙️ Tested Environments

Validated across multiple kernel and distribution variants:

  • Arch Linux (vanilla kernel)
  • CachyOS (performance-tuned kernel)
  • Arch Linux ZEN kernel

Environment details:

  • Kernel versions: 6.17.x (Zen / CachyOS / Vanilla)
  • systemd 256+
  • pacman 7.0.x
  • OpenSSH 9.7p1
  • auditd 4.x

⚡ Fully compatible with any Arch-based distribution, including Manjaro, Garuda, EndeavourOS, CachyOS, and others.


Requirements

To properly execute the SCA policy:

  • /etc/arch-release or /etc/os-release must exist and contain ID=arch
  • pacman must be installed and available in /usr/bin/pacman
  • Root or elevated privileges are required for all checks

Summary of Checks

System and Kernel

  • CIS 3.1.1 – Disable unused network protocols (dccp, sctp, rds, tipc)
  • CIS 3.2.1 – Disable IP forwarding
  • CIS 1.5.1 / 1.5.3 / 1.5.4 – Restrict core dumps, enable ASLR, and ensure prelink is disabled

Package Management and Updates

  • CIS_ARCH 7.1 – Require package signature verification (SigLevel = Required)
  • CIS_ARCH 7.2 – Ensure the system is fully updated (pacman -Syu)
  • CIS_ARCH 7.3 – Remove orphaned packages
  • CIS_ARCH 7.4 – Protect the bootloader with a password or enable Secure Boot
  • CIS_ARCH 7.5 – Validate proper configuration of tmpfiles.d

Critical File Permissions

  • CIS 6.1.2 – /etc/passwd permissions
  • CIS 6.1.3 – /etc/shadow permissions
  • CIS 6.1.4 – /etc/group permissions
  • CIS 6.1.5 – /etc/gshadow permissions

Network Services

  • CIS 2.1.1 / 2.1.2 – Ensure xinetd and inetd are not installed
  • CIS 3.x – Disable unnecessary or insecure network protocols

Systemd and Auditing

  • Restrict systemd-coredump behavior
  • Validate journald.conf and auditd.conf configurations
  • Enforce secure temporary file cleanup with systemd-tmpfiles
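The checks summarised above are expressed in Wazuh SCA as rules evaluated against files. As an added example (not the policy in this PR and not Wazuh's own engine), here is a small Python evaluator for a hypothetical subset of that rule syntax, run over a constructed /etc tree with three of the listed checks (CIS_ARCH 7.1, CIS 3.2.1, CIS 3.1.1). The check ids, the sysctl.d and modprobe.d file names, and the regexes are assumptions.

```python
import os
import re
import tempfile
# Hypothetical subset of Wazuh SCA rule syntax: "f:<path> -> r:<regex>", optional "not "
# prefix, per-check condition all/any/none. Regexes are Python re, not Wazuh's own dialect.
RULE_RE = re.compile(r"^(not )?f:(\S+) -> r:(.+)$")

def eval_rule(rule, root="/"):
    """True when the rule holds; paths resolve under `root`, so a constructed tree can be scanned."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule: {rule}")
    negate, path, regex = m.groups()
    full = os.path.join(root, path.lstrip("/"))
    found = False
    if os.path.isfile(full):  # a missing file never matches, so a "not" rule passes
        with open(full, encoding="utf-8", errors="replace") as fh:
            found = any(re.search(regex, line.rstrip("\n")) for line in fh)
    return (not found) if negate else found

def eval_check(check, root="/"):
    results = [eval_rule(r, root) for r in check["rules"]]
    cond = check.get("condition", "all")
    return {"all": all(results), "any": any(results), "none": not any(results)}[cond]

# Three checks from the PR's summary, written as hypothetical rules (check ids are made up).
CHECKS = [
    {"id": 7001, "title": "CIS_ARCH 7.1 pacman SigLevel = Required", "condition": "all",
     "rules": [r"f:/etc/pacman.conf -> r:^\s*SigLevel\s*=\s*Required"]},
    {"id": 3021, "title": "CIS 3.2.1 IP forwarding disabled", "condition": "all",
     "rules": [r"f:/etc/sysctl.d/99-sysctl.conf -> r:^\s*net\.ipv4\.ip_forward\s*=\s*0"]},
    {"id": 3011, "title": "CIS 3.1.1 dccp not loadable", "condition": "any",
     "rules": [r"f:/etc/modprobe.d/cis.conf -> r:^\s*install\s+dccp\s+/bin/(true|false)",
               r"f:/etc/modprobe.d/cis.conf -> r:^\s*blacklist\s+dccp\s*$"]},
]

def run_policy(root="/"):
    return {c["id"]: "passed" if eval_check(c, root) else "failed" for c in CHECKS}  # scan summary

def demo_root():
    """Constructed sample tree (not a real host): SigLevel ok, ip_forward still on, dccp blocked."""
    root = tempfile.mkdtemp()
    sample = {"etc/pacman.conf": "[options]\nSigLevel = Required DatabaseOptional\n",
              "etc/sysctl.d/99-sysctl.conf": "net.ipv4.ip_forward = 1\n",
              "etc/modprobe.d/cis.conf": "install dccp /bin/false\n"}
    for rel, body in sample.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

`run_policy(demo_root())` reports 7001 and 3011 as passed and 3021 as failed, because the sample sysctl fragment still enables forwarding.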

Compatibility

✔️ Wazuh 4.x and 5.x
✔️ x86_64 and aarch64 architectures
✔️ Arch-based distributions: Manjaro, Garuda, EndeavourOS, CachyOS, etc.

