CIS (Windows) Benkmarks


#1

CIS puts out security benchmarks and guides to ensure compliance to a
’hardened’ os from the base put out by the OS vendors. Is anyone seen
any efforts within the chef community to create a security policy
cookbook that checks for compliance against these (or similar)
standards? I’m thinking of picking something like this up, but it’s a
large undertaking and would interest from more than just one customer
to fund it.

Windows Benchmarks:

https://benchmarks.cisecurity.org/downloads/browse/?category=benchmarks.os.windows

Linux Benchmarks:

Database Benchmarks:

MSSQL Benchmarks:

https://benchmarks.cisecurity.org/downloads/browse/?category=benchmarks.servers.database.mssql

(One of my current customers would benefit from Windows 2012r2 + MSSQL
security policy cookbooks)


#2

Chris,

There’s a bunch of work on the audit-cis cookbook. I’d recommend there as
a starting point.

On Mon, Sep 28, 2015 at 10:43 AM, Chris McClimans chef@hippiehacker.org
wrote:

CIS puts out security benchmarks and guides to ensure compliance to a
’hardened’ os from the base put out by the OS vendors. Is anyone seen
any efforts within the chef community to create a security policy
cookbook that checks for compliance against these (or similar)
standards? I’m thinking of picking something like this up, but it’s a
large undertaking and would interest from more than just one customer
to fund it.

Windows Benchmarks:

https://benchmarks.cisecurity.org/downloads/browse/?category=benchmarks.os.windows

Linux Benchmarks:

https://benchmarks.cisecurity.org/downloads/browse/index.cfm?category=benchmarks.os.linux

Database Benchmarks:

https://benchmarks.cisecurity.org/downloads/browse/index.cfm?category=benchmarks.servers.database

MSSQL Benchmarks:

https://benchmarks.cisecurity.org/downloads/browse/?category=benchmarks.servers.database.mssql

(One of my current customers would benefit from Windows 2012r2 + MSSQL
security policy cookbooks)


#3

Thanks Galen!

Access to the Audit-Tool would be useful during development
http://benchmarks.cisecurity.org/downloads/audit-tools/
I’ll reach out to CIS to see if I can get some assistance there.

On Mon, Sep 28, 2015 at 11:01 AM, Galen Emery galen@chef.io wrote:

Chris,

There’s a bunch of work on the audit-cis cookbook. I’d recommend there as a
starting point.

https://github.com/chef-cookbooks/audit-cis

On Mon, Sep 28, 2015 at 10:43 AM, Chris McClimans chef@hippiehacker.org
wrote:

CIS puts out security benchmarks and guides to ensure compliance to a
’hardened’ os from the base put out by the OS vendors. Is anyone seen
any efforts within the chef community to create a security policy
cookbook that checks for compliance against these (or similar)
standards? I’m thinking of picking something like this up, but it’s a
large undertaking and would interest from more than just one customer
to fund it.

Windows Benchmarks:

https://benchmarks.cisecurity.org/downloads/browse/?category=benchmarks.os.windows

Linux Benchmarks:

https://benchmarks.cisecurity.org/downloads/browse/index.cfm?category=benchmarks.os.linux

Database Benchmarks:

https://benchmarks.cisecurity.org/downloads/browse/index.cfm?category=benchmarks.servers.database

MSSQL Benchmarks:

https://benchmarks.cisecurity.org/downloads/browse/?category=benchmarks.servers.database.mssql

(One of my current customers would benefit from Windows 2012r2 + MSSQL
security policy cookbooks)


#4

Hi Chris,

The Chef community already has started down the path with CIS - you should check out the following for background:

https://supermarket.chef.io/cookbooks/audit-cis

As far as I know there is no single community-maintained version of the Windows variant of CIS benchmarks yet.

Like you, we have spoken to a number of customers interested in creating something but the reality is that a decent compliance and auditing approach is something that needs to carefully designed with the customer’s own regulatory requirements and feedback mechanisms in mind. I would be interested in collaborating on a shared approach, the current mechanism uses Serverspec and Rspec as its approach, there may be alternative approaches that are more suitable depending on the type of test taking place.

Stuart

-----Original Message-----
From: chris@hippiehacker.org [mailto:chris@hippiehacker.org] On Behalf Of Chris McClimans
Sent: 28 September 2015 15:43
To: chef@lists.opscode.com
Subject: [chef] CIS (Windows) Benkmarks

CIS puts out security benchmarks and guides to ensure compliance to a ‘hardened’ os from the base put out by the OS vendors. Is anyone seen any efforts within the chef community to create a security policy cookbook that checks for compliance against these (or similar) standards? I’m thinking of picking something like this up, but it’s a large undertaking and would interest from more than just one customer to fund it.

Windows Benchmarks:

https://benchmarks.cisecurity.org/downloads/browse/?category=benchmarks.os.windows

Linux Benchmarks:

Database Benchmarks:

MSSQL Benchmarks:

https://benchmarks.cisecurity.org/downloads/browse/?category=benchmarks.servers.database.mssql

(One of my current customers would benefit from Windows 2012r2 + MSSQL security policy cookbooks)


#5

Hi,

Likewise, coming at it from a customer’s prospective, I['d be interested in collaborating as audition and compliance is a big part of our project.
Cheers
Sean.

-----Original Message-----
From: Stuart Preston [mailto:stuart@pendrica.com]
Sent: 28 September 2015 16:13
To: chef@lists.opscode.com
Subject: [chef] RE: CIS (Windows) Benkmarks

Hi Chris,

The Chef community already has started down the path with CIS - you should check out the following for background:

https://supermarket.chef.io/cookbooks/audit-cis

As far as I know there is no single community-maintained version of the Windows variant of CIS benchmarks yet.

Like you, we have spoken to a number of customers interested in creating something but the reality is that a decent compliance and auditing approach is something that needs to carefully designed with the customer’s own regulatory requirements and feedback mechanisms in mind. I would be interested in collaborating on a shared approach, the current mechanism uses Serverspec and Rspec as its approach, there may be alternative approaches that are more suitable depending on the type of test taking place.

Stuart

-----Original Message-----
From: chris@hippiehacker.org [mailto:chris@hippiehacker.org] On Behalf Of Chris McClimans
Sent: 28 September 2015 15:43
To: chef@lists.opscode.com
Subject: [chef] CIS (Windows) Benkmarks

CIS puts out security benchmarks and guides to ensure compliance to a ‘hardened’ os from the base put out by the OS vendors. Is anyone seen any efforts within the chef community to create a security policy cookbook that checks for compliance against these (or similar) standards? I’m thinking of picking something like this up, but it’s a large undertaking and would interest from more than just one customer to fund it.

Windows Benchmarks:

https://benchmarks.cisecurity.org/downloads/browse/?category=benchmarks.os.windows

Linux Benchmarks:

Database Benchmarks:

MSSQL Benchmarks:

https://benchmarks.cisecurity.org/downloads/browse/?category=benchmarks.servers.database.mssql

(One of my current customers would benefit from Windows 2012r2 + MSSQL security policy cookbooks)