You will assess a system against CIS Controls and NIST SP 800-53, produce a gap analysis, then implement and re-verify the hardening. By the end you will have measurable before/after compliance with evidence.

Learning Objectives

  • Baseline a host with an automated audit (Lynis/OpenSCAP).
  • Map findings to CIS Controls and NIST families.
  • Remediate and re-scan to prove improvement.
  • Time: ~14 hours · Difficulty: Advanced · Prereqs: the security labs.

Architecture Overview

Environment Setup

  • A target Linux host and Lynis or OpenSCAP.
  • The CIS Benchmark and relevant NIST 800-53 controls.
  • A place to record findings and evidence.

Step-by-Step Execution

01
Baseline scan
sudo lynis audit system --quick
Produces a hardening index and a findings list.
02
Remediate prioritized findings

Map each finding to a control (for example SSH hardening to AC-7, firewall to SC-7) and fix it.

sudo sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && sudo systemctl reload sshd
03
Re-scan to measure improvement
# lynis audit system --quick | grep "Hardening index"
Hardening index : 58 -> 81 (after remediation)

Progress So Far

Testing & Validation

lynis show report | grep -i warning | wc -l

The warning count should drop and the hardening index should rise versus the baseline. Document before/after with control mappings as evidence.

Troubleshooting
  • Index did not improve: remediate the highest-impact findings first, then re-scan.
  • Change broke a service: test hardening in a staging copy before production.
  • Unclear control mapping: reference the CIS Benchmark control IDs directly.

Extension Ideas

  • Automate remediation with Ansible across many hosts.
  • Extend to cloud with CSPM.
  • Tie findings to the IR Playbook.

Key Results

  • Baselined the host with an automated audit.
  • Mapped findings to CIS Controls and NIST families.
  • Raised the hardening index from 58 to 81.
  • Produced before/after evidence with control mappings.