Likewise, coming at it from a customer’s perspective, I'd be interested in collaborating as auditing and compliance is a big part of our project.
From: Stuart Preston [mailto:firstname.lastname@example.org]
Sent: 28 September 2015 16:13
Subject: [chef] RE: CIS (Windows) Benchmarks
The Chef community already has started down the path with CIS - you should check out the following for background:
As far as I know there is no single community-maintained version of the Windows variant of CIS benchmarks yet.
Like you, we have spoken to a number of customers interested in creating something, but the reality is that a decent compliance and auditing approach is something that needs to be carefully designed with the customer’s own regulatory requirements and feedback mechanisms in mind. I would be interested in collaborating on a shared approach. The current mechanism uses Serverspec and RSpec as its approach; there may be alternative approaches that are more suitable depending on the type of test taking place.
From: email@example.com [mailto:firstname.lastname@example.org] On Behalf Of Chris McClimans
Sent: 28 September 2015 15:43
Subject: [chef] CIS (Windows) Benchmarks
CIS puts out security benchmarks and guides to ensure compliance to a ‘hardened’ OS from the base put out by the OS vendors. Has anyone seen any efforts within the Chef community to create a security policy cookbook that checks for compliance against these (or similar) standards? I’m thinking of picking something like this up, but it’s a large undertaking and would need interest from more than just one customer to fund it.
(One of my current customers would benefit from Windows 2012r2 + MSSQL security policy cookbooks)