CIS Security Benchmarks
This one is for the security conscious. If you are performing a hardening procedure for your OS, application/web server, other applications you might wonder how are other people doing that and where can you draw the line by saying that it is secure-enough. A great place of resource in such a case is the CIS Security specifically their resources download page. There you’ll find a form that allows you to choose and download a whole bunch of security benchmarks for various products like Apache HTTP server, Tomcat, Apple OSX, FreeBSD, Windows OSes, Firefox, MySQL, Oracle and various others. When presented with a list make sure to download a copy that’s relevant to the version of the product you’re using. There are archives for some products which include older versions that are less popular now. Newer documents have a very nice layout that include the following
- description - short explanation of the problem
- rationale - the effect that the remedy will provide
- remediation - instructions what to do to fix the problem
- audit - procedure allowing you to check whether the issue is relevant for your environment
Of course you would be right to think that with a large enough number of issues doing this by hand is tedious to say the least. CIS Security does have a tool for this and provide you with a teaser screencast but it’s available only for the registered CIS certification members. So unless you plan on becoming or already are one, you’ll have to do with the PDFs benchmarks they provide. If you’re still on the fence thinking whether you should spend time looking at the benchmarks let me reassure you that there’s some really good stuff in there. You may have some kind of security standards of your own or a corporate policy, but that’s why they’re called benchmarks - you can see what issues are applicable to the product you’re using and then decide what to fix. Security was and will always be a cat & mouse game where the security specialists are trying to stay one step ahead of the perpetrator and the bad guys are trying to do the same. Although a lot of people say that security is just an illusion, but it doesn’t mean that you have to stop trying to secure your environment. It just means that security is a path, not a destination.