CIS puts out security benchmarks and guides to ensure compliance to a 'hardened' OS from the base put out by the OS vendors. Has anyone seen any efforts within the Chef community to create a security policy cookbook that checks for compliance against these (or similar) standards? I'm thinking of picking something like this up, but it's a large undertaking and would need interest from more than just one customer to fund it.
As far as I know there is no single community-maintained version of the Windows variant of the CIS benchmarks yet.
Like you, we have spoken to a number of customers interested in creating something, but the reality is that a decent compliance and auditing approach is something that needs to be carefully designed with the customer's own regulatory requirements and feedback mechanisms in mind. I would be interested in collaborating on a shared approach. The current mechanism uses Serverspec and RSpec; there may be alternative approaches that are more suitable depending on the type of test taking place.
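To make the "Serverspec/RSpec style" compliance check concrete, here is an added stand-alone illustration (not code from the thread or from any published cookbook) of the same pattern: a table of controls is evaluated against a parsed configuration and every failure is reported rather than silently skipped. The sample sshd_config text and the control list are constructed for this example and are not taken from a CIS benchmark; it needs no gems so it runs with plain Ruby.

```ruby
# Constructed sample config standing in for a file read off the node.
SAMPLE_SSHD_CONFIG = <<~CONF
  # constructed sample sshd_config
  Port 22
  PermitRootLogin yes
  PasswordAuthentication no
  X11Forwarding yes
CONF

# Parse "Key value" lines into a hash keyed by lower-cased option name.
# First occurrence wins, matching how sshd itself resolves duplicates.
def parse_kv(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    cfg[key.downcase] ||= value
  end
end

# Constructed controls: id, human-readable description, option, expected value.
CONTROLS = [
  { id: 'C-1', desc: 'Root login over SSH disabled', key: 'permitrootlogin', expect: 'no' },
  { id: 'C-2', desc: 'Password authentication disabled', key: 'passwordauthentication', expect: 'no' },
  { id: 'C-3', desc: 'X11 forwarding disabled', key: 'x11forwarding', expect: 'no' }
].freeze

# Evaluate each control. An option that is absent counts as a failure:
# an unset value means the default applies, not that the control is met.
def audit(cfg, controls = CONTROLS)
  controls.map do |c|
    actual = cfg.fetch(c[:key], '<unset>')
    { id: c[:id], desc: c[:desc], actual: actual, pass: actual.casecmp?(c[:expect]) }
  end
end

# Roll results up so a feedback mechanism (CI gate, report) can act on them.
def summary(results)
  failed = results.reject { |r| r[:pass] }
  { total: results.size, failed: failed.size, failed_ids: failed.map { |r| r[:id] } }
end

if $PROGRAM_NAME == __FILE__
  results = audit(parse_kv(SAMPLE_SSHD_CONFIG))
  results.each do |r|
    puts format('%-4s %-4s %s (actual: %s)', r[:pass] ? 'PASS' : 'FAIL', r[:id], r[:desc], r[:actual])
  end
  puts summary(results).inspect
end
```

In a real cookbook the config text would come from the node and the control table from the benchmark being targeted; the evaluation and reporting shape stays the same.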
Likewise, coming at it from a customer's perspective, I'd be interested in collaborating, as auditing and compliance is a big part of our project.
Cheers
Sean.