[photonthug]

Any details on what compliance regime specifically requires it for Linux tho, and whether it differentiates static servers from ephemeral? I’m just curious since you always hear “compliance” but I’ve never actually seen the requirement coming from anywhere except windows sysadmins who are out of their element

[whalesalad]

Part of the issue is that compliance is so broad and will vary from industry to industry, state to state and country to country. If you’re in defense and work with the government you’re requirements will be different versus healthcare or the education sector.

The baseline is NIST guidelines but even that is a huge can of worms. It’s difficult to simply say “yes we’re compliant” especially in large organizations. https://www.cuicktrac.com/nist-compliance/nist-800-171-compl...

A lot of orgs get overwhelmed by this, and so they outsource the effort to a third party.

[1970-01-01]

Here's one

https://www.stigviewer.com/stig/canonical_ubuntu_16.04_lts/2...