Re: System Hardening Standards

[Harry Hoffman <hhoffman () IP-SOLUTIONS NET>]

To add to that I believe the CIS is coming out with the ability to select
which of the controls you test and score.

This will make it so you have a subset of the controls that make sense for
you environment.

If you run Nessus, Security Center, has CIS implemented as compliance tests.

Cheers,
Harry

On Nov 15, 2016 3:32 AM, <Valdis.Kletnieks () vt edu> wrote:

> On Mon, 14 Nov 2016 12:44:43 -0800, Jessica Odom said:
>
> > We use CIS (https://benchmarks.cisecurity.org/downloads/#free) and
> tweak to
> > our environment.  They provide a nice checklist and the technical detail
> of
> > how to perform the control, which is helpful since their standards our
> very
> > comprehensive.  We definitely cannot do everything they recommend and we
> > annotate that in our documentation, but it serves as a useful learning
> > exercise.  --Jess
>
> Speaking as one of the unindicted co-conspirators who started the
> benchmarks,
> there was never any intent that every system apply every single control
> listed.
>
> You should apply all those controls that don't break the particular
> machine's
> reason for existence - and then document the ones you weren't able to turn
> off, and apply compensating controls (for instance, firewall/iptable
> rulesets
> that restrict access to only machines that need it, or additional
> logging/alert
> systems set up, possibly SNORT rulesets, etc etc).