Do NOT use Linux hardening checklists for your servers
Quality is an interesting word. It describes, well, the quality of something. In practice, quality is just another word for how well you can repeat something: the goal is to get exactly the same result every time. Whether it is a physical product or the roll-out of a new Linux system, you want high quality. One method to increase quality is using checklists. However, we strongly advise against using Linux hardening checklists.
But checklists are good, right?
People forget to do things, which is the reason checklists were invented. By forcing yourself to tick off the individual items on a checklist, the quality of the work improves greatly. Checklists would be very useful in IT as well. Surprisingly, many IT departments still don't use them.
While we do promote checklists in IT, they are best used for administrative tasks, for example when on-boarding a new employee: providing a desk, a phone, the company handbook, account creation and a personal badge. For your Linux servers, however, we suggest automation instead.
Automation part 1: Configuration Management
Use configuration management tools like Chef, CFEngine or Puppet. This enables you to quickly roll out new systems with the baseline configuration already in place. Instead of checking afterwards whether a system is registered in the CMDB (Configuration Management Database), make registration mandatory before a system can be rolled out at all. Any exception (e.g. a manually created virtual machine) should then be discovered by scanning the network and comparing what answers against what the CMDB knows about.
Automation part 2: Auditing
Never rely on automation tools alone. Perform regular auditing, yes, with automated tools, and additionally perform manual tests. This gives you confidence that both your automation tools and your controls are doing what they are supposed to do.
Auditing comes in many forms, and many of them can be applied in your environment as well.
Examples:
- Scanning for rogue WiFi access points
- Testing security defenses
- Compare CMDB data with the results from network management tools
- Perform vulnerability scanning
- Test time synchronization
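As an added example (not code from the original post), the script below does the CMDB comparison from the list above, and at the same time catches the exception case mentioned under configuration management: a machine that answers on the network but was never registered. It takes a constructed CMDB export and a constructed discovery result in nmap's grepable output format (the `nmap -sn -oG -` "Host: ... Status: Up" lines), and reports rogue addresses, registered hosts that did not answer, hostnames seen on a different address than recorded, and hosts the CMDB itself marks as not under configuration management. The hostnames, addresses and the `managed` attribute are assumptions made up for the example.

```python
import re
from ipaddress import ip_address

# Constructed CMDB export (hostname -> record). In practice this would come
# from your CMDB's API or a CSV export; the "managed" flag is an assumed
# attribute meaning "rolled out via configuration management".
CMDB = {
    "web01": {"ip": "10.0.1.10", "owner": "platform", "managed": True},
    "web02": {"ip": "10.0.1.11", "owner": "platform", "managed": True},
    "db01": {"ip": "10.0.1.20", "owner": "data", "managed": True},
    "old-monitor": {"ip": "10.0.1.50", "owner": "ops", "managed": False},
}

# Constructed discovery output in nmap grepable format (nmap -sn -oG -).
# 10.0.1.77 is the "manually created VM" nobody registered; 10.0.1.21
# claims to be db01 but is not the address the CMDB has for it.
NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.1.10 (web01.example.net)\tStatus: Up
Host: 10.0.1.11 (web02.example.net)\tStatus: Up
Host: 10.0.1.20 (db01.example.net)\tStatus: Up
Host: 10.0.1.21 (db01.example.net)\tStatus: Up
Host: 10.0.1.77 ()\tStatus: Up
Host: 10.0.1.99 ()\tStatus: Down
# Nmap done (constructed sample)
"""

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Status:\s+(\w+)")


def parse_nmap_grepable(text):
    """Return [(ip, short_hostname_or_None)] for every host nmap reports as Up."""
    hosts = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m or m.group(3) != "Up":
            continue
        ip, fqdn = m.group(1), m.group(2)
        ip_address(ip)  # raise on garbage rather than silently skipping it
        hosts.append((ip, fqdn.split(".")[0] if fqdn else None))
    return hosts


def reconcile(cmdb, live_hosts):
    """Compare CMDB records with what actually answers on the network.

    rogue     - addresses that answered but match no CMDB record at all
    missing   - CMDB hosts whose recorded address did not answer
    mismatch  - hostnames seen on an address other than the recorded one
    unmanaged - CMDB hosts not under configuration management
    """
    by_ip = {rec["ip"]: name for name, rec in cmdb.items()}
    seen, rogue, mismatch = set(), [], {}
    for ip, hostname in live_hosts:
        if ip in by_ip:
            seen.add(by_ip[ip])
        elif hostname in cmdb:
            mismatch[hostname] = {"cmdb_ip": cmdb[hostname]["ip"], "seen_ip": ip}
        else:
            rogue.append(ip)
    return {
        "rogue": sorted(rogue),
        "missing": sorted(n for n in cmdb if n not in seen),
        "mismatch": mismatch,
        "unmanaged": sorted(n for n, rec in cmdb.items() if not rec["managed"]),
    }


if __name__ == "__main__":
    findings = reconcile(CMDB, parse_nmap_grepable(NMAP_GREPABLE))
    for category, items in findings.items():
        print(f"{category:10} {items if items else '-'}")
```

Every non-empty category is a question for the owner: why does 10.0.1.77 exist, why does db01 answer on two addresses, and why is old-monitor registered but not managed (and currently not answering at all)? Running this on a schedule, against real scan output, turns "is the CMDB correct?" from a checklist item into a control that produces evidence.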
By performing regular tests, outliers and exceptions can be greatly reduced. The big issue is that people usually wait too long, until something goes wrong. Then monitoring is reconfigured, and nothing changes until the next incident. IT system administrators should wear the hat of the IT auditor more often: question everyone and everything.
Some questions to ask yourself (and your colleagues):
- Why is this working this way?
- Does it really work that way, and how do you know?
- Can you show the proof?
Conclusion
Checklists are a fine tool to improve quality. But with a focus on automation we can achieve much more than filling in some administrative forms. Apply configuration management tools and auditing to improve quality, and keep checklists for the less technical areas. And... become an IT auditor yourself. Start challenging things, including your own work!