ovh/debian-cis

Update README.md to Represent Actual Hardening Abilities

jessejcollins opened this issue · 1 comment

The README.md of this project (along with the "About" section, etc.) is misleading because it conveys that this project performs Debian 10, Debian 11, and Debian 12 CIS Benchmark hardening.

But, it doesn't do that and instead only performs Debian 10 CIS Benchmark hardening with the ability to run the Debian 10 hardening scripts on Debian 11 and Debian 12. That's a big difference!

For Debian 11, others have already noted that the numbers/recommendations in this project do not match the CIS Benchmark for Debian 11 (e.g. #201). But I haven't seen anyone point out that even though some recommendations overlap between Debian 10 and Debian 11 (some with the same recommendation number [e.g. 1.2.1] and others with different recommendation numbers [e.g. Debian 10 1.1.1.5 and Debian 11 1.1.1.2]), many new recommendations were introduced with the Debian 11 CIS Benchmark. Therefore, there is hardening that is being missed for Debian 11 when using this project, and a false sense of being fully compliant with the Debian 11 CIS Benchmark is being given.

For Debian 12, a CIS Benchmark for Debian 12 doesn't even exist yet, so obviously, it's impossible to harden Debian 12 servers following the Debian 12 CIS Benchmark. Again, this gives a false sense of being fully compliant with the (non-existent) Debian 12 CIS Benchmark.

Please fix the README.md and project description to avoid this confusion and clarify that this project is for Debian 10 CIS Benchmark hardening. I suspect and worry that many users who have used this project for Debian 11 and Debian 12 think they are hardening the servers with the associated CIS Benchmark recommendation for Debian 11 / Debian 12.

Hello Jesse and welcome to this repository!

I understand your concerns and added mentions of it inside the README file to clarify things.
You'll find there the reason behind the numbering drift, as well as why this repository is tagged Debian 12 compliant.
Moreover, most of the new checks introduced in Debian 11 are implemented; some auditd checks are missing and still in the todo list.
(See PR #176)
Should you find something irrelevant (outdated) or missing (not implemented, not inventoried), do not hesitate to open a pull request to fix this.