How is Everyone Handling Linux Hardening and Compliance?

Asked By CuriousCat123 On

I've been assigned a lot of responsibilities related to Linux hardening lately, focusing on compliance standards like CIS and STIG. I'm really curious to see how others are managing this in their environments. Are most of you using tools like OpenSCAP for scanning, Ansible roles for remediation, or even custom scripts? Our current solution seems to function, but it feels quite disjointed with a mix of manual processes and various scripts based on shared knowledge. Is this a common challenge, or are we just making things too complicated? What parts do you find most troublesome? Is it the initial setup, maintaining compliance over time, preparing for audits, or something else?

5 Answers

Answered By TechJunkie42 On

It seems like most setups end up being a bit of a patchwork, ours included. We run CIS benchmarks for about 20 different client environments, using Ansible for making changes and OpenSCAP for scanning. It sounds tidy, but we often find that our playbooks break after even minor OS updates due to default changes. Surprisingly, the hardest part for us isn’t the initial configuration, but keeping everything compliant over time. Tweaks can happen during late-night troubleshooting that never get reversed, so we switched to weekly scans that feed any failures into a ticket queue. It’s a continuous struggle post-setup, for sure!

LinuxWizard88 -

Totally agree! Drift is a real headache. I’m fortunate that there are only a few of us making changes, and we keep a close eye on things. I can't imagine how chaotic it must be in larger environments!

ScriptMaster9 -

That drift issue is something we all face, I think. It’s definitely tough to maintain compliance long-term.
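
An added example, not part of the thread or any poster's code: one way to turn the weekly-scan-to-ticket-queue workflow described in the answer above into a drift check, by diffing two XCCDF 1.2 result files such as those written by `oscap xccdf eval --results`. The function names, the set of results treated as failing, and the sample scans are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
FAILING = {"fail", "error", "unknown"}  # assumption: results treated as non-compliant

def rule_results(xml_text):
    """Map rule id -> result string from the last TestResult in an XCCDF 1.2 results file."""
    root = ET.fromstring(xml_text)
    tests = list(root.iter(XCCDF + "TestResult"))
    if not tests:
        raise ValueError("no XCCDF 1.2 TestResult element found")
    return {rr.get("idref"): (rr.findtext(XCCDF + "result") or "unknown").strip()
            for rr in tests[-1].iter(XCCDF + "rule-result")}

def drift(baseline, current):
    """List (rule, before, now) for rules that newly fail or dropped out of the scan."""
    findings = []
    for rule in sorted(set(baseline) | set(current)):
        before, now = baseline.get(rule), current.get(rule)
        if now is None:
            findings.append((rule, before, "missing"))  # coverage changed between scans
        elif now in FAILING and before not in FAILING:
            findings.append((rule, before or "new", now))  # regression or new failing rule
    return findings

# Constructed sample scans (not real scan output); hypothetical helper to build them.
def _sample(results):
    rows = "".join(f'<rule-result idref="xccdf_org.ssgproject.content_rule_{r}">'
                   f"<result>{v}</result></rule-result>" for r, v in results.items())
    return (f'<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" '
            f'id="xccdf_example_testresult">{rows}</TestResult>')

LAST_WEEK = _sample({"sshd_disable_root_login": "pass",
                     "accounts_tmout": "fail",
                     "service_auditd_enabled": "pass",
                     "package_telnet_removed": "pass"})
THIS_WEEK = _sample({"sshd_disable_root_login": "fail",   # reverted during troubleshooting
                     "accounts_tmout": "fail",            # was already failing, not drift
                     "service_auditd_enabled": "pass"})   # telnet rule absent from this scan

if __name__ == "__main__":
    for rule, before, now in drift(rule_results(LAST_WEEK), rule_results(THIS_WEEK)):
        print(f"TICKET {rule}: {before} -> {now}")
```

Rules that were already failing in the previous scan are skipped so the queue only receives new drift, while rules that disappear from a scan are reported separately because a changed profile or content update can silently reduce coverage.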

Answered By ShellShocker1 On

I’ve tinkered with adding a few custom settings to our bash rc file, but that’s about it.

Answered By DevOpsDude21 On

We're in the same boat, using a blend of OpenSCAP for the checks and Ansible for enforcing some rules. Still, there’s a significant amount of manual cleanup needed. While it functions, it’s definitely not the neatly automated system we aim for. Are you mostly automating your processes, or are there parts that remain manual?

ITAdmin77 -

We do use Ansible and some scripts to enforce an initial subset, but there are still manual steps involved. It feels quite disjointed, and as the system drifts from the baseline, it just becomes more complex and time-consuming.

Answered By CloudGuru99 On

We use Ansible on a schedule and have multiple third-party tools to check for compliance drift. The results from those tools, along with our playbooks, serve as our audit proof. It’s a layered approach for sure!

ToolFanatic -

What specific tools do you use for auditing drift? That sounds interesting!

Answered By NothingToSeeHere On

Honestly, we’re not doing much hardening at all right now. 

SkepticTech -

Why’s that? Do you have a particular reason for not focusing on it?
