We wish to apply checks against a known standard to verify the posture of our machines. Investigate to find a standard that appears as a good or best fit and test it for applicability. Do not hesitate if it isn't the best fit as we will most likely have to adjust it to some degree to match how our systems are deployed currently and that's A-OK.
Description
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | Dwisehaupt | T243110 OKR 2019-2020 Q3: Increase visibility and awareness of Fundraising system health and wellness
Resolved | | Dwisehaupt | T246839 Run authenticated scans of hosts checking against a known standard / benchmark
Resolved | | Dwisehaupt | T246841 Test and choose a benchmark to use for applying a machine standard
Event Timeline
From T246839:
Ran the CIS benchmark for debian 9 across all hosts. There were obviously some issues reported since we hadn't run the standard before. Next steps are deciding how to move forward. Current options would be:
- use the current CIS standard and adjust our configs to match their expectations
- use the current CIS standard and mark exceptions that we are not concerned about as false positives
- take the current CIS benchmark audit file and trim/adjust it to have just what we are looking for in a standard
- find another standard to apply
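The second and third options above (marking accepted exceptions, and trimming the audit to the checks we care about) amount to post-processing benchmark results against a local policy. The following is an added illustration, not code from this task or from the CIS tooling; the host names, check IDs and exception entries are constructed for the example.

```python
"""Apply a CIS-style benchmark result set against a local exceptions policy."""
from dataclasses import dataclass


@dataclass
class Finding:
    check_id: str   # benchmark check identifier (constructed, not real CIS numbering)
    title: str
    host: str
    passed: bool


# Constructed sample audit output for two hosts; not real scan data.
SAMPLE_FINDINGS = [
    Finding("1.1", "Ensure /tmp is a separate partition", "hostA", False),
    Finding("1.1", "Ensure /tmp is a separate partition", "hostB", True),
    Finding("2.3", "Ensure SSH root login is disabled", "hostA", True),
    Finding("2.3", "Ensure SSH root login is disabled", "hostB", False),
    Finding("4.2", "Ensure a host firewall is installed", "hostA", False),
]

# Accepted exceptions: check_id -> (hosts, or {"*"} for all hosts, justification).
# Hypothetical policy entries of the kind recorded once a failing check is
# judged not to apply to how a system is deployed.
EXCEPTIONS = {
    "1.1": ({"hostA"}, "single root volume by design on this host class"),
}


def trim(findings, wanted_ids):
    """Option 3: keep only the checks we decided belong in our standard."""
    return [f for f in findings if f.check_id in wanted_ids]


def classify(findings, exceptions):
    """Bucket each finding as pass, accepted (failing but excepted for that
    host) or fail.  Returns {status: [(host, check_id), ...]}."""
    result = {"pass": [], "fail": [], "accepted": []}
    for f in findings:
        if f.passed:
            result["pass"].append((f.host, f.check_id))
            continue
        hosts, _reason = exceptions.get(f.check_id, (set(), ""))
        bucket = "accepted" if ("*" in hosts or f.host in hosts) else "fail"
        result[bucket].append((f.host, f.check_id))
    return result


def unresolved_hosts(findings, exceptions):
    """Hosts that still carry at least one unexcepted failure."""
    return sorted({h for h, _ in classify(findings, exceptions)["fail"]})
```

Accepted exceptions stay visible in the output rather than being silently dropped, so the justification list can be reviewed when the benchmark or the deployment changes.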
CIS benchmark for debian 10 is available now. Same discussion points above still apply but we can monitor all hosts as needed.
All hosts are monitored with CIS benchmark. We are working through what changes we wish to apply to ensure hosts match the expected checks. There are some places where we will opt to not match the check due to the needs of the system or where our requirements are more stringent than the benchmark. Closing this request as the work is ongoing and the choice has been made.