Running CIS benchmarks tools is no substitute for knowing what you are doing…

Ran into an interesting item today at work.

My employer, as a matter of standard security practice, runs CIS “benchmarks” against potential machines.  Generally, I find the CIS benchmarks to be “just okay”, in that they tend to catch stupid shit and are a good bare minimum to start working from.

But it is a pretty sorry substitute for having a sysadmin who knows what the fuck they are doing, security wise.

I ran into this in action today.  Specifically, in CIS 5.2.15.  This little gem checks whether your SSH server process is configured so that it is not “so loose its brains fall out”, by requiring a sensible configuration of the /etc/ssh/sshd_config file.  By sensible, the implication is that you don’t leave “root” and similar logins enabled over SSH.  Perfectly sensible.

But HOW it checks for compliance on this one is the gasser.  I’ll quote chapter and verse:

Think about that for a minute.

So your file could contain a stupid line like “AllowUsers: root” and it would still pass.
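To make the point concrete, here is an added example (my own, not the CIS audit script and not anything from the benchmark text) that puts a presence-only check side by side with one that actually reads the values.  The two sshd_config fragments, the temp-file paths and the function names are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or from CIS. It contrasts a
# "presence-only" audit of sshd_config (pass if an AllowUsers/AllowGroups/
# DenyUsers/DenyGroups line exists at all) with an audit that reads the values.
# The config fragments and function names are this example's own construction.

SLOPPY_CFG=$(mktemp)   # passes a presence-only check, but still lets root in
STRICT_CFG=$(mktemp)   # what the benchmark is actually trying to achieve
trap 'rm -f "$SLOPPY_CFG" "$STRICT_CFG"' EXIT

cat > "$SLOPPY_CFG" <<'EOF'
# constructed sshd_config fragment
Port 22
PermitRootLogin yes
AllowUsers root deploy
EOF

cat > "$STRICT_CFG" <<'EOF'
# constructed sshd_config fragment
Port 22
PermitRootLogin no
AllowUsers deploy
EOF

# Presence-only audit: exit 0 ("pass") if any Allow/Deny Users/Groups
# directive appears, whatever its value.
presence_only_audit() {
    grep -Eiq '^[[:space:]]*(Allow|Deny)(Users|Groups)[[:space:]]' "$1"
}

# Value-aware audit: exit 0 only if root is not named in AllowUsers AND the
# first PermitRootLogin directive is "no". Comments are stripped first; the
# "Key=value" spelling, Include files and Match blocks are not handled here.
value_aware_audit() {
    cfg=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' "$1")

    # root (optionally as root@host) anywhere in an AllowUsers list -> fail
    if printf '%s\n' "$cfg" \
        | grep -Eiq '^AllowUsers[[:space:]]+(.*[[:space:]])?root(@[^[:space:]]+)?([[:space:]]|$)'; then
        return 1
    fi

    # sshd honours the first PermitRootLogin it sees; the default is not "no"
    root_login=$(printf '%s\n' "$cfg" \
        | awk 'tolower($1)=="permitrootlogin" {print tolower($2); exit}')
    [ "$root_login" = "no" ]
}

# Human-readable verdict for one file: prints "pass" or "FAIL" per audit.
audit_report() {
    f=$1
    presence_only_audit "$f" && p=pass || p=FAIL
    value_aware_audit "$f"   && v=pass || v=FAIL
    printf '%s: presence-only=%s value-aware=%s\n' "$f" "$p" "$v"
}

audit_report "$SLOPPY_CFG"   # presence-only=pass value-aware=FAIL
audit_report "$STRICT_CFG"   # presence-only=pass value-aware=pass
```

Both files sail through the presence-only check; only the value-aware one notices that the first file hands root an SSH login.  Even the value-aware version is deliberately narrow: it ignores `Match` blocks and `Include`d files, which is exactly why a grep over sshd_config is a starting point for a sysadmin, not a replacement for one.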
