The Uberduck

@carnage4life CIS benchmarks get used this way a lot. The example bits of code are simplified for the sake of clarity, and are neither complete nor in some cases safe to run unaltered on production systems.

For example, the sshd configuration checks do not check how sshd is actually configured (trivial, since sshd will happily spit out a full running config), but rather that certain keywords are present in the main config file. Easy to induce false results.
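An added example, not code from the posts above, contrasting a benchmark-style keyword grep of the main config file with a check against what sshd reports it actually applies (`sshd -T`). The sshd_config text and the `sshd -T` output below are constructed samples; on a real host you would feed the live `sshd -T` output instead.

```shell
#!/bin/sh
# Constructed sample sshd_config: the keyword appears with the wanted
# value, but sshd applies the FIRST value of a repeated keyword, so
# the later "PermitRootLogin no" is ignored at runtime.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat >"$SAMPLE_CONFIG" <<'EOF'
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
EOF

# Constructed stand-in for `sshd -T` output on that host (sshd prints
# keywords lower-case). Includes and Match blocks are resolved there too.
SAMPLE_EFFECTIVE='permitrootlogin yes
passwordauthentication no'

# Benchmark-style check: is "<keyword> <value>" present as an uncommented
# line in the main file? Prints pass/fail. Ordering, Include files and
# Match blocks are all invisible to it.
naive_check() { # $1 file, $2 keyword, $3 wanted value
    if grep -Eiq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|$)" "$1"; then
        echo pass
    else
        echo fail
    fi
}

# Effective check: take the value sshd reports for the keyword from
# `sshd -T` style text ($1) and compare it with the wanted value.
effective_check() { # $1 sshd -T text, $2 keyword, $3 wanted value
    kw=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(printf '%s\n' "$1" | awk -v k="$kw" '$1 == k { print $2; exit }')
    if [ "$val" = "$3" ]; then echo pass; else echo fail; fi
}

# Same check against the running daemon. sshd -T needs root; add
# -C user=...,host=...,addr=... to evaluate a specific Match context.
live_effective_check() { effective_check "$(sshd -T 2>/dev/null)" "$1" "$2"; }

echo "PermitRootLogin no: file grep=$(naive_check "$SAMPLE_CONFIG" PermitRootLogin no)" \
     "effective=$(effective_check "$SAMPLE_EFFECTIVE" PermitRootLogin no)"
```

The grep reports compliance while the effective configuration still permits root login; the mismatch is exactly the false result described above.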

The Uberduck

@carnage4life and the "check for ownerless files" type checks (of which there are at least six) walk and stat the entire filesystem. On large deployments, this can take days and seriously impact system performance.

I've seen both of these checks included in vendor benchmarks verbatim.
