Remediate - FAQ

Does this role work only with RHEL9?

No – it works on multiple distributions!

The CIS guidance is designed to apply ONLY to Red Hat Enterprise Linux 9 systems. If you are using this role in a regulated organization, you should be aware that applying these settings to distributions other than those listed is unsupported and may run afoul of your organization’s or regulatory bodies’ guidelines during a compliance audit. Due diligence is YOUR BURDEN: understand your organization’s requirements and the laws and regulations you must adhere to before applying this role.

See "Which systems are covered?" below for more details on applying this role to systems other than Red Hat Enterprise Linux 9.

Why should this role be applied to a system?

There are three main reasons to apply this role to production Linux systems:

Improve security posture

The configurations from the CIS add security and rigor around multiple components of a Linux system, including user authentication, service configurations, and package management. All of these configurations add up to an environment that is more difficult for an attacker to penetrate and use for lateral movement.

Meet compliance requirements

Some deployers may be subject to industry compliance programs, such as PCI-DSS, ISO 27001/27002, or NIST 800-53. Many of these programs require hardening standards to be applied to systems.

Deployment without disruption

Security is often at odds with usability. The role provides the greatest security benefit without disrupting production systems. Deployers have the option to opt out or opt in for most configurations depending on how their environments are configured.

Which systems are covered?

This role and the CIS guidance it implements are fully applicable to servers (physical or virtual) and containers running the following Linux distributions:

  • Red Hat Enterprise Linux 9

The role is tested against each distribution to ensure that tasks run properly. It is idempotent, and an Audit is used to run a compliance scan after the role is applied to test compliance with the CIS standard.

Which systems are not covered?

This role will run properly against a container (Docker or other); however, this is not recommended and is only useful during the development and testing of this role. Most CI systems provide containers and not full VMs, so this role must be able to run on and test against containers.

Again, for those in the back: applying this role against a container to secure it is generally a BAD idea. You should be applying this role to your container’s hosts and then using other hardening guidance that is specific to the container technology you are using (Docker, LXC, LXD, etc.).
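
One way to enforce the scope described above before the role runs, as an added example that is not part of the role itself: a playbook whose pre-tasks stop on hosts that are not RHEL 9 and on container targets unless a test run is explicitly allowed. The role name `cis_hardening_role`, the variables `allow_container_target` and `container_types`, and the list of container type values are assumptions made for this example.

```yaml
# Added example, not part of the role. "cis_hardening_role" is a placeholder
# role name; allow_container_target is a playbook variable invented here.
- name: Apply CIS hardening to in-scope hosts only
  hosts: all
  become: true
  gather_facts: true
  vars:
    allow_container_target: false   # set true only for CI runs of the role
    # Values Ansible reports in virtualization_type for container guests
    # (assumed list; extend it for the container runtimes you use).
    container_types: [docker, podman, lxc, container, containerd]

  pre_tasks:
    - name: Refuse hosts that are not Red Hat Enterprise Linux 9
      ansible.builtin.assert:
        that:
          - ansible_facts['distribution'] == 'RedHat'
          - ansible_facts['distribution_major_version'] == '9'
        fail_msg: >-
          {{ inventory_hostname }} reports
          {{ ansible_facts['distribution'] }}
          {{ ansible_facts['distribution_version'] }};
          the CIS guidance this role implements covers RHEL 9 only.

    - name: Refuse container targets unless this is a test run
      ansible.builtin.assert:
        that:
          - >-
            allow_container_target | bool or not
            (ansible_facts['virtualization_role'] | default('') == 'guest' and
            ansible_facts['virtualization_type'] | default('') in container_types)
        fail_msg: >-
          {{ inventory_hostname }} is a container
          ({{ ansible_facts['virtualization_type'] | default('unknown') }}).
          Harden the container host instead.

  roles:
    - role: cis_hardening_role
```

Because the checks run as `pre_tasks`, a host that fails either assertion is dropped from the play before any hardening task touches it.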