Closed joh-man closed 4 years ago
Hi Jens, sorry for the delay in commenting. I took the original framework for this from Anthony Courtney, who based it on the CIS Benchmarks for AWS Linux. I do need to redo some of the numbering to align it with RHEL/CentOS. I was looking to do this with RHEL 8, but have not gotten round to it. If you have a CSV comparing sections with the roles, it would help me see how many changes need to be made. Best, Ben
Closing, as no response.
Not sure whether logging an issue is the correct way; just let me know, I'm new to GitHub :)
I have compared the implementation with the CIS document "CIS_CentOS_Linux_7_Benchmark_v2.2.0.pdf".
I've spotted the following discrepancies in section 2 (Services):
2.2.1.2 (ntp) and 2.2.1.3 (chrony) are marked as "scored" in CIS, but as "not scored" in the Ansible role.
2.2.19 (telnet), 2.2.20 (tftp) and 2.2.21 (rsync) are not implemented. I didn't look into it yet, but it should not be too complicated; is there a reason besides lack of time that these are missing?
In section 5, the original 5.2.11 is about "approved ciphers", which is still implemented in the Ansible role (looks important :) ) but was removed from the CIS document, resulting in all checks from 5.2.12 onwards being numbered one lower (minus 1).
I didn't find any information and CIS did not reply about it, but the most recent CIS implementation with AWS Inspector still keeps the old numbering too. What is the reason and what is the plan? Keep the numbering and check 5.2.11, or remove it and renumber?
Section 1.4 is way more confusing.
As a workaround I have implemented the missing 1.4.2, and renumbered 1.4.2 to 1.4.3 and 1.4.3 to 1.4.4. I will add this to my branch once I've found out how, but I'm not sure what the right way is. But since CIS and AWS have identical numbering, this seems correct. Just curious about 1.4.4: why is it gone?
Again, sorry for the mess in case all I did is wrong; I'm new to this but would like to help :) Cheers, Jens.
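As an added example (not code from the issue, the role, or the CIS document), the three controls the issue lists as missing could be expressed as Ansible tasks like the ones below. The package names, the systemd unit names and the `rule_*` tag names are assumptions about the CentOS 7 packaging and the role's tagging convention, not something taken from the page.

```yaml
# Added example, not part of the issue or the role. Sketches the three
# CIS CentOS 7 v2.2.0 controls the issue lists as missing: 2.2.19 (telnet),
# 2.2.20 (tftp) and 2.2.21 (rsync). Package names, systemd unit names and
# the tag names are assumptions.
- name: Collect installed packages so hosts without the package are skipped
  ansible.builtin.package_facts:
    manager: auto

# The socket unit is what accepts connections; disabling and stopping it
# is the remediation. The guard avoids a module failure where the unit
# cannot exist because the package is not installed.
- name: 2.2.19 Ensure telnet server is not enabled
  ansible.builtin.systemd:
    name: telnet.socket
    enabled: false
    state: stopped
  when: "'telnet-server' in ansible_facts.packages"
  tags:
    - rule_2.2.19

- name: 2.2.20 Ensure tftp server is not enabled
  ansible.builtin.systemd:
    name: tftp.socket
    enabled: false
    state: stopped
  when: "'tftp-server' in ansible_facts.packages"
  tags:
    - rule_2.2.20

# rsync is usually installed as a client; only the daemon unit is in scope.
- name: 2.2.21 Ensure rsync service is not enabled
  ansible.builtin.systemd:
    name: rsyncd.service
    enabled: false
    state: stopped
  when: "'rsync' in ansible_facts.packages"
  tags:
    - rule_2.2.21
```

Running the play with `--check` first reports which hosts would change without touching them, which doubles as the audit step; the `when` guards keep the `systemd` module from failing on hosts where the package, and therefore the unit file, is absent.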