Educause Security Discussion mailing list archives

Re: System Hardening Standards


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Tue, 15 Nov 2016 03:32:11 -0500

On Mon, 14 Nov 2016 12:44:43 -0800, Jessica Odom said:

We use CIS (https://benchmarks.cisecurity.org/downloads/#free) and tweak to
our environment.  They provide a nice checklist and the technical detail of
how to perform the control, which is helpful since their standards are very
comprehensive.  We definitely cannot do everything they recommend and we
annotate that in our documentation, but it serves as a useful learning
exercise.  --Jess

Speaking as one of the unindicted co-conspirators who started the benchmarks,
there was never any intent that every system apply every single control listed.

You should apply all those controls that don't break the particular machine's
reason for existence - and then document the ones you weren't able to turn
off, and apply compensating controls (for instance, firewall/iptables rulesets
that restrict access to only machines that need it, or additional logging/alert
systems set up, possibly SNORT rulesets, etc etc).
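The practice described in this reply, apply what you can, record each control you could not apply together with its reason and compensating controls, can be checked mechanically. The following is an added example written for this archive page, not code from the thread or from the CIS benchmark project. Control IDs, titles, hostnames and reasons are constructed sample data; they are not real CIS benchmark numbers. It flags any control that is neither applied nor documented with a reason and at least one compensating control, and it renders the kind of allow-list firewall ruleset the reply mentions as a compensating control.

```python
"""Hardening exception register check (added example, not from the thread).

Given a per-host record of which benchmark controls were applied, report
every control that was NOT applied and lacks a documented reason or a
compensating control. Also renders an iptables allow-list ruleset of the
sort the thread suggests as a compensating control.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ControlRecord:
    """One benchmark control as applied (or not) to a particular host."""
    control_id: str                 # constructed ID, not a real CIS number
    title: str
    applied: bool
    reason: str = ""                # required when applied is False
    compensating: List[str] = field(default_factory=list)


def audit_exceptions(records: List[ControlRecord]) -> Dict[str, List[str]]:
    """Classify controls as applied, documented exception, or undocumented.

    An exception counts as documented only if it has both a non-empty
    reason and at least one compensating control.
    """
    result: Dict[str, List[str]] = {"applied": [], "documented": [], "undocumented": []}
    for rec in records:
        if rec.applied:
            result["applied"].append(rec.control_id)
        elif rec.reason.strip() and rec.compensating:
            result["documented"].append(rec.control_id)
        else:
            result["undocumented"].append(rec.control_id)
    return result


def render_allowlist_rules(proto: str, port: int, allowed_cidrs: List[str]) -> List[str]:
    """Build iptables rule lines (iptables-restore syntax) that admit a service
    only from the listed source networks and drop everything else to that port.
    """
    rules = [f"-A INPUT -p {proto} --dport {port} -s {cidr} -j ACCEPT"
             for cidr in allowed_cidrs]
    rules.append(f"-A INPUT -p {proto} --dport {port} -j DROP")
    return rules


# Constructed sample register for one host; IDs, titles and reasons are invented.
SAMPLE_REGISTER = [
    ControlRecord("ctl-1.1", "Disable unused filesystem modules", applied=True),
    ControlRecord("ctl-2.4", "Remove legacy service", applied=True),
    ControlRecord(
        "ctl-3.1",
        "Disable NFS server",
        applied=False,
        reason="Host is the department file server; NFS is its purpose.",
        compensating=["iptables allow-list for port 2049 from lab subnet only",
                      "auditd watch on the exports file; alerts forwarded to SIEM"],
    ),
    # Not applied, but nobody wrote down why: this is what the audit should catch.
    ControlRecord("ctl-5.2", "Restrict cron to authorized users", applied=False),
]


if __name__ == "__main__":
    summary = audit_exceptions(SAMPLE_REGISTER)
    for bucket, ids in summary.items():
        print(f"{bucket}: {ids}")
    for line in render_allowlist_rules("tcp", 2049, ["10.0.1.0/24"]):
        print(line)
```

Run it on the sample register and `ctl-5.2` lands in the `undocumented` bucket: the control was switched off but no reason or compensating control was recorded, which is exactly the gap the reply warns against. The rendered ruleset ends in an explicit `DROP` for the port so that only the listed networks reach the service.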
