So, "what does this mean" is "it means you can tender to sell services to people who put CIS obligations in the contract"
As for whether they actually harden your servers, that's up to you to decide if you think that CIS actually helps. It certainly does reduce attack surface.
"""The CIS Benchmarks® are prescriptive configuration recommendations for more than 25+ vendor product families. They represent the consensus-based effort of cybersecurity experts globally to help you protect your systems against threats more confidently."""
Official Ubuntu CIS Docker images in AWS:
- change the sysctls which do not apply to containers
- install a file consistency checker, which likely makes no sense in a dedicated container
- install tcpwrappers which you'll probably never use... for compliance reasons
- adjust system user password policies which you're probably not using at all
Unless you need to tick some compliance boxes in the quickest and most silly way, go for CIS. If you don't, schedule some time with a security person at your company to create a real threat model and change the things that will make an impact.
I haven't run into any situations where container images need to have CIS benchmarks applied, only VMs.
For SSH it's basically a list of default values with a comment saying "change this if you must". Some summary as to what is hardened compared to a stock SSH install would be nice.
The changelogs contain a summary of actions and changes, and full changelogs go into detail.
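The summary asked for above, which sshd directives a role actually changed relative to a stock install, can be produced from the rendered sshd_config itself. This is an added example, not code from any role or project in the thread; the baseline table is a hand-picked subset of upstream OpenSSH defaults and the sample config is constructed.

```python
import re
# Upstream OpenSSH defaults from sshd_config(5); distribution packages may
# override some via sshd_config.d/, so treat this as a baseline only.
UPSTREAM_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "clientaliveinterval": "0",
}

_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")  # "Key value" or "Key=value"

def parse_sshd_config(text):
    """Return {keyword.lower(): value} for the effective global directives."""
    active = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        key, value = (m.group(1).lower(), m.group(2).strip()) if m else (line.lower(), "")
        if key == "match":
            break  # everything after the first Match line is conditional
        # sshd honours the FIRST occurrence of a keyword; later ones are ignored
        active.setdefault(key, value)
    return active

def hardening_summary(text):
    """Keywords whose configured value differs from the baseline, as
    {keyword: (default, configured)}; default None = not in the baseline table."""
    summary = {}
    for key, value in parse_sshd_config(text).items():
        default = UPSTREAM_DEFAULTS.get(key)
        if default is None or default.lower() != value.lower():
            summary[key] = (default, value)
    return summary

# Constructed sample of what a hardening role might render; not from the thread.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes
"""
```

Running `hardening_summary` over the rendered file from a role's test VM gives the "what changed versus stock" list directly, and a keyword with a None default flags a setting the baseline table still needs.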
What’s your workflow for writing tested playbooks?
We keep our roles very simple and they will not do anything complicated. Ansible is for configuring a machine, that’s it.
If we need to do anything more complicated, we’ll write it in a testable program (usually in Go).
I have a playbook for my dotfiles/rebuilding a personal machine from scratch. So I test that the files end up where they're supposed to be, the permissions, the packages, that whatever software I installed from source is indeed set up correctly and running, etc.
Same for roles that need to provably configure a piece of software.
```toml
[customizations.openscap]
datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml"
profile_id = "xccdf_org.ssgproject.content_profile_cis"
custom_remediate_script_path = "/your/custom/script.sh"
```
yjftsjthsd-h•3w ago
observationist•3w ago
They're following CIS guidelines, so if you're in a situation where that matters, it's probably a solid starting point for building things you need to have compliant and predictable. Could probably save weeks of effort, depending on the size of the team.
schurzi•3w ago