Using Open Source Auditing Tools as Alternative for CIS Benchmarks
An alternative to CIS Benchmarks and hardening guides
Hardening guides, and the CIS benchmarks in particular, are a great resource to check your system for possible weaknesses and to conduct system hardening. But who has the time to read them cover to cover and apply every single step? In this article we have a look at the alternative: open source auditing tools.
Hardening is a time consuming task. As security specialists, we know that. It involves many small steps, followed by even more testing and troubleshooting. Unfortunately time is something we can spend only once, making it a scarce resource.
To save time on reading extensive hardening guides, we suggest that our users use proper auditing tooling instead. It helps in automating repetitive tasks, saving precious time. This time is better spent on the hardening itself, right? Secondly, with tooling we can detect newly introduced security weaknesses more quickly, for example those caused by an unaware developer or colleague. After all, you want to safeguard your earlier work and avoid someone performing an “undo” on it.
Back to the friendly people from CIS. They create extensive hardening guides, named CIS benchmarks. These benchmarks are available for most common platforms, such as Windows, several Linux distributions, Solaris and others.
CIS has its own staff and gets additional help from seasoned professionals. These professionals usually work for multinationals and consultancy firms and are commonly called subject matter experts (SMEs) in their specific field of expertise.
CIS uses “consensus teams”, in other words teams of security professionals who discuss what kind of advice is suitable for most environments. This clearly improves the quality of the guides, but it can also be a flaw. For example, if your environment has different demands, you still have to consider each item in the guide. Sometimes a control might be too strict, and sometimes it simply is not enough to protect your precious resources. But in the end we believe CIS is one of the few who provide proper quality guides, and they definitely help many companies around the world.
Besides the benchmarks and embedded scripts, CIS has its own auditing tool. Unfortunately this is not a free download: with the right membership you are entitled to download their tooling. For smaller companies this license is pretty expensive though. We clearly love open source, so let’s have a look at some alternatives!
Focus on Automation
Companies want to be more agile, using cloud technology and configuration automation tools. Still, they often forget to implement proper system hardening. As an afterthought, hardening guides are then used to “fix” the security gaps on the system.
Another approach, as opposed to manuals and guides, is the usage of SCAP (Security Content Automation Protocol), or more specifically OpenSCAP. This open source software helps with automated testing of security controls. While this is a great step in the right direction, there are still some flaws.
The biggest issues with SCAP are portability, ease of use and supported platforms. Each “checklist” has to be defined in a policy document. While everything is available as XML based documents, the format and structure are not really friendly for the average user. Ease of use is definitely a characteristic we value highly in software solutions.
Another alternative to SCAP is the usage of specialized auditing tools, like our own open source tool Lynis. It is freely available, needs no installation, and is downloaded and used by many professionals, to name just a few benefits. Lynis has been extensively tested on common platforms, including clones (e.g. CentOS, Fedora, Debian based systems).
The big benefit of using an auditing solution is the focus on continuous auditing. This results in improving your environment step by step. Security is not a product, but a delicate process. Instead of doing a one-time hardening exercise, it’s better to look for improvement all year round. This way of working will clearly result in better security defences in the long run.
We love CIS benchmarks, hardening guides and security tips. However, they are time consuming and we love to save time where we can. OpenSCAP is a great alternative, but it only works when all Linux distributions properly embed it by default. If you have the right platform, it might be a good fit for your environment.
We believe that for most companies specialized auditing tools are the best option available, at least when your goal is to secure your IT environment. It is the most extensive and quickest method to perform a security audit. Continuously monitoring your environment is better than “on and off” projects trying to improve your security defences.