Nexpose 5.6, released last week, builds on our USGCB, FDCC, and CIS Windows certifications by adding CIS certified assessment of Red Hat Enterprise Linux systems. Nexpose 5.6 includes the CIS "Level I" and "Level II" policies for RHEL 4, 5, & 6.  This means you can now use Rapid7's integrated vulnerability and configuration management solution to assess the configuration of your RHEL desktops and servers.

The CIS RHEL policies are included by default in the CIS scan template (as shown below). RHEL 5 & 6 have two polices, "Level One" and "Level Two". The distinction is that a "Level One" policy is intended to be practical without negatively impacting usability, whereas "Level Two" is designed to provide a "defence-in-depth" resilience but may impact the usability of the server. The correct one to evaluate your systems against will depend on the host being assessed, but there is no harm in running both against a host to see how you measure up.

The screenshot below was captured from the device view of an asset scanned with all the RHEL policies. In this case, the host is RHEL 4, so the 5 & 6 policies report as Not Applicable (N/A). The RHEL 4 host is apparently reasonably well configured, as it is 98.59% in compliance with the CIS RHEL 4 benchmark.

Drilling down into the detailed policy results view (below) for that target we can see that the vast majority of rules were compliant. The rules in these benchmarks cover a broad range of system configuration items, including required and prohibited packages, services which must be disabled on enabled, file permissions on specific executables, and application specific configuration items.

And if we drill down into a rule (again, below) you can see the outcome with a detailed proof. In this case, the rule requires that Network Information Service(NIS) server is disabled, and we have concluded that the host is compliant because neither the ypserv or yppasswdd packages are installed.

For more information on Nexpose 5.6, you can look at the release notes.