by viraptor 592 days ago
CIS itself may have good ideas, but the implementation is mostly bullshit. Compare the actual differences between a CIS Ubuntu docker image and a plain one. There are 3 valid changes you can do by hand, and the rest is snake oil that makes the image larger as a bonus.
1 comment

I wouldn't say it's mostly BS; it's mostly common-sense stuff that distros should have done already.

I don't know about the Ubuntu CIS image but I had to go through the whole CIS PDF for a job once, and implement it all with Ansible on RHEL. I can guarantee that it makes useful changes, and it truly makes a difference to how you use the system.

But in general this type of hardening is mostly used to fulfill some contract, and it's designed around how Linux was used 20 years ago.

My personal preference is to 1) treat Linux servers as appliances and stop letting people log in, 2) use containers, MACs, MCS and other such isolation tailored for specific services, 3) network ACLs and segmentation up the wazoo, 4) MFA access control and 5) encrypt all the things.