I wouldn't say it's mostly BS; it's mostly common-sense stuff that distros should have done already.
I don't know about the Ubuntu CIS image, but I had to go through the whole CIS PDF for a job once and implement it all with Ansible on RHEL. I can guarantee that it makes useful changes, and it truly makes a difference to how you use the system.
But in general this type of hardening is mostly used to fulfill some contract, and it's designed around how Linux was used 20 years ago.
My personal preference is to 1) treat Linux servers as appliances and stop letting people log in, 2) use containers, MACs, MCS and other such isolation tailored for specific services, 3) network ACL and segmentation up the wazoo, 4) MFA access control and 5) encrypt all the things.