10 comments

  • yjftsjthsd-h 6 hours ago

    "battle tested" how? Widely deployed? Red teamed and shown to actually help?

    • observationist 2 hours ago

      They've got a red-team-type process they apply repeatedly; you have to piece things together from the changelogs to get a grasp on what they're doing. They've built a positive feedback loop on which to iterate improvements in security, and bundled it in a way to be used effectively with Ansible.

      They're following CIS guidelines, so if you're in a situation where that matters, it's probably a solid starting point for building things you need to have compliant and predictable. Could probably save weeks of effort, depending on the size of the team.

  • TacticalCoder 3 hours ago

    The Linux hardening list lists quite a few modifications, but what hardening is applied to SSH compared to a stock config? For Linux they summarize the list of hardened changes, but for SSH I couldn't find it.

    For SSH it's basically a list of default values with a comment saying "change this if you must". Some summary as to what is hardened compared to a stock SSH install would be nice.
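
One way to produce the kind of "what changed versus stock" summary asked for above is to compare the effective configuration that `sshd -T` prints on a stock host with the same output from a hardened host. The script below is an added example written for this thread; it is not code from the project under discussion. The two `sshd -T` dumps are constructed samples (the values are illustrative, not taken from any distribution or from the playbooks), and `WEAK_SETTINGS` is a hypothetical reviewer's list of settings worth flagging, not a CIS control list.

```python
"""Summarise how a hardened sshd config differs from a stock one.

Feed it the output of `sshd -T` (the effective configuration, one
"keyword value" per line, keywords lower-cased) captured on a stock
host and on a hardened host. Added example, not the project's code.
"""
from __future__ import annotations

# Constructed sample output in the format `sshd -T` prints. The values
# are illustrative only and are not taken from any real host or project.
STOCK_SSHD_T = """\
port 22
permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes
x11forwarding yes
maxauthtries 6
logingracetime 120
ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com
macs hmac-sha1,hmac-sha2-256,hmac-sha2-512
kexalgorithms diffie-hellman-group14-sha1,curve25519-sha256
"""

HARDENED_SSHD_T = """\
port 22
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
x11forwarding no
maxauthtries 3
logingracetime 30
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
kexalgorithms curve25519-sha256
allowgroups sshusers
"""


def _has_any(tokens: set[str]):
    """Predicate: true if a comma-separated value contains any of `tokens`."""
    return lambda value: bool(set(value.split(",")) & tokens)


# Hypothetical reviewer's checklist of values that should not survive
# hardening. Keyed by sshd -T keyword; each entry is a predicate over the
# value. This is an assumption for the example, not a CIS control list.
WEAK_SETTINGS = {
    "permitrootlogin": lambda v: v != "no",
    "passwordauthentication": lambda v: v == "yes",
    "x11forwarding": lambda v: v == "yes",
    "ciphers": _has_any({"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "arcfour"}),
    "macs": _has_any({"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"}),
    "kexalgorithms": _has_any({"diffie-hellman-group1-sha1",
                               "diffie-hellman-group14-sha1",
                               "diffie-hellman-group-exchange-sha1"}),
}


def parse_sshd_t(text: str) -> dict[str, str]:
    """Parse `sshd -T` output into {keyword: value}.

    Keywords that sshd prints on several lines (e.g. listenaddress) are
    joined with commas so they compare as one value.
    """
    config: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        keyword = keyword.lower()
        config[keyword] = f"{config[keyword]},{value}" if keyword in config else value
    return config


def diff_configs(stock: dict[str, str], hardened: dict[str, str]) -> dict[str, tuple]:
    """Return {keyword: (stock_value, hardened_value)} for every setting that
    differs; a side that lacks the keyword is reported as None."""
    changes = {}
    for key in sorted(set(stock) | set(hardened)):
        if stock.get(key) != hardened.get(key):
            changes[key] = (stock.get(key), hardened.get(key))
    return changes


def remaining_weak(config: dict[str, str]) -> list[str]:
    """Keywords whose value still matches the WEAK_SETTINGS checklist."""
    return sorted(k for k, weak in WEAK_SETTINGS.items() if k in config and weak(config[k]))


def summarize(stock_text: str, hardened_text: str) -> dict:
    """Build the summary: what the hardening changed, and what it left weak."""
    stock = parse_sshd_t(stock_text)
    hardened = parse_sshd_t(hardened_text)
    return {"changed": diff_configs(stock, hardened),
            "still_weak": remaining_weak(hardened)}


if __name__ == "__main__":
    report = summarize(STOCK_SSHD_T, HARDENED_SSHD_T)
    for key, (old, new) in report["changed"].items():
        print(f"{key}: {old!r} -> {new!r}")
    print("still weak after hardening:", report["still_weak"] or "none")
```

To use it against real hosts, capture `sshd -T` on a freshly installed machine and on one the playbook has run against, and pass the two dumps to `summarize`; the `changed` map is the summary the comment above is asking for, and `still_weak` is the sanity check that the hardening actually removed the settings you care about rather than merely restating defaults.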

  • Spivak 4 hours ago

    These playbooks apply the CIS benchmarks, very very useful for compliance. I use them at $dayjob to build our base AMIs.

    As for whether they actually harden your servers, that's up for you to decide if you think that CIS actually helps. It certainly does reduce attack surface.

  • mhb 5 hours ago

    What does this mean?

    • ggm 2 hours ago

      If you have compliance for contractual reasons (e.g. you are the supply chain for an entity which has been declared to be a national-strategic service delivery), then this would probably help get you over the line to meet minimum proofs that you have tried to comply with the obligations.

      So, "what does this mean" is "it means you can tender to sell services to people who put CIS obligations in the contract"