CIS debian 11 benchmarked

antoniotuninprado
Posts: 3
Joined: 2022-06-29 18:15

CIS debian 11 benchmarked

#1 Post by antoniotuninprado »

I have been trying to find a debian11 that is CIS benchmarked without much success. Anybody know if there is one, or only up to debian 10?

-or-

Do you know where I can get a Debian 11 image that is CIS vetted and that does not come from CIS itself? (I just checked there; we will find only debian10.)

thank you,
./antonio/.

anticapitalista
Posts: 428
Joined: 2007-12-14 23:16
Has thanked: 12 times
Been thanked: 13 times

Re: CIS debian 11 benchmarked

#2 Post by anticapitalista »

"CIS vetted" - what does that mean?
antiX with runit - lean and mean.
https://antixlinux.com

Hallvor
Global Moderator
Posts: 2029
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 139 times
Been thanked: 206 times

Re: CIS debian 11 benchmarked

#3 Post by Hallvor »

I think he means this: https://www.cisecurity.org/cis-benchmarks/

OP: Perhaps install Debian 10 if it's so important. It has LTS support for another two years.
[HowTo] Install and configure Debian bookworm
Debian 12 | KDE Plasma | ThinkPad T440s | 4 × Intel® Core™ i7-4600U CPU @ 2.10GHz | 12 GiB RAM | Mesa Intel® HD Graphics 4400 | 1 TB SSD

LE_746F6D617A7A69
Posts: 932
Joined: 2020-05-03 14:16
Has thanked: 7 times
Been thanked: 65 times

Re: CIS debian 11 benchmarked

#4 Post by LE_746F6D617A7A69 »

antoniotuninprado wrote: 2022-06-29 18:19 I have been trying to find a debian11 that is CIS benchmarked without much success.
CIS == Comodo Internet Security? - it's a bad idea - don't trust them.

Just use the official ISO images from the Debian website - and check the image signature if You're paranoid. When You install the OS it's possible to also check the individual files using e.g. the debsums program.

Anyway, this topic looks like an advertisement of CIS services, which are useless for Linux users and IMO this topic should be locked.
Bill Gates: "(...) In my case, I went to the garbage cans at the Computer Science Center and I fished out listings of their operating system."
The_full_story and Nothing_have_changed

antoniotuninprado
Posts: 3
Joined: 2022-06-29 18:15

Re: CIS debian 11 benchmarked

#5 Post by antoniotuninprado »

Replying to you all here:
"Vetted" is a validation, based on the benchmarks, of the image that is posted, for example, to GCP or AWS. At least this is what both (cloud and CIS) claim;
nope, I am NOT advertising CIS services in any shape or form.

Using an official ISO is fine, but it comes with many security features not enabled. For example, grub is not protected on reboots, lots of kernel modules can be altered, etc.
Unfortunately I had to go one by one through the 190 items of the benchmark.

Anyway, thank you all for responding, and if I find anything that might answer my question I will post it here.

./a/.

sunrat
Administrator
Posts: 6412
Joined: 2006-08-29 09:12
Location: Melbourne, Australia
Has thanked: 116 times
Been thanked: 461 times

Re: CIS debian 11 benchmarked

#6 Post by sunrat »

antoniotuninprado wrote: 2022-06-29 22:39 anyway, thank you all for responding and if i find anything that might answer my question i will post here.
You still haven't clarified what you mean by "CIS vetted". This is a user forum so most of us are only peripherally familiar with enterprise topics.
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!

NorthEast
Posts: 349
Joined: 2018-11-18 04:35
Has thanked: 12 times
Been thanked: 30 times

Re: CIS debian 11 benchmarked

#7 Post by NorthEast »

grub is not protected on reboots
grub can be configured with password protection.
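
Added example, not part of any post in this thread: a shell check for the GRUB password protection raised in posts #5 and #7. It assumes GRUB 2 syntax (`set superusers`, `password_pbkdf2`); the function name `audit_grub_cfg`, the sample configs and the placeholder hashes are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a GRUB 2 config for bootloader password protection.
# audit_grub_cfg is a hypothetical helper; prints a verdict, returns 0 only on PASS.
audit_grub_cfg() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 2; }

    # GRUB accepts spaces, commas, semicolons, pipes or ampersands between names.
    users=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}superusers=//p' "$cfg" \
        | tail -n 1 | tr -d "\"'" | tr ',;|&' '    ')
    if [ -z "$(printf '%s' "$users" | tr -d ' ')" ]; then
        echo "FAIL: no superusers set, boot entries can be edited at the console"
        return 1
    fi

    # A plain 'password' directive keeps the secret readable in the config file.
    if grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg"; then
        echo "FAIL: plaintext password directive found, use password_pbkdf2"
        return 1
    fi

    # Every superuser needs a hash as produced by grub-mkpasswd-pbkdf2.
    for user in $users; do
        if ! grep -Eq "^[[:space:]]*password_pbkdf2[[:space:]]+${user}[[:space:]]+grub\.pbkdf2\." "$cfg"; then
            echo "FAIL: superuser '$user' has no password_pbkdf2 hash"
            return 1
        fi
    done
    echo "PASS: every superuser has a PBKDF2 hash"
}

# Constructed sample configs (placeholder hash, not from a real system).
demo_dir=$(mktemp -d)
printf 'set timeout=5\nmenuentry "Debian" {\n}\n' > "$demo_dir/unprotected.cfg"
printf 'set superusers="root"\npassword_pbkdf2 root grub.pbkdf2.sha512.10000.AAAA.BBBB\n' \
    > "$demo_dir/protected.cfg"

audit_grub_cfg "$demo_dir/unprotected.cfg"
audit_grub_cfg "$demo_dir/protected.cfg"
```

On an installed Debian system the file to check is `/boot/grub/grub.cfg`, read as root.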

antoniotuninprado
Posts: 3
Joined: 2022-06-29 18:15

Re: CIS debian 11 benchmarked

#8 Post by antoniotuninprado »

Hi,

one more clarification:
by "CIS vetted" = a CIS benchmarked OS.
CIS does issue a list of approx 190 benchmark fixes. Because these benchmarks are mostly based on an on-premise environment, a cloud benchmark image is downloadable into public clouds. I am working on GCP, so, if you go into CIS and select GCP, you are able to download a benchmarked image that is designed for Google GCP.
Unfortunately, I am not able to ssh into any of these images; I have tried Debian, Red Hat, CentOS, etc.

Benchmarks come in three types: level1, level2, and stig, which provide different levels of hardening for the OS.

Google support cannot help much, because even if it comes from the marketplace (GCP), it is a 3rd party product.

The only way I can connect to any image is if I make a connection via serial port - console; however, I have no idea on the root password.


Hope this helps you to help me...


Thank you all for your time

./antonio/.

CwF
Global Moderator
Posts: 2636
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 192 times

Re: CIS debian 11 benchmarked

#9 Post by CwF »

antoniotuninprado wrote: 2022-07-05 23:59 one more clarification:
Why do we care?
