Security Analysis and Controls Implementation
You will assess a system against CIS Controls and NIST SP 800-53, produce a gap analysis, then implement and re-verify the hardening. By the end you will have measurable before/after compliance with evidence.
Learning Objectives
- Baseline a host with an automated audit (Lynis/OpenSCAP).
- Map findings to CIS Controls and NIST families.
- Remediate and re-scan to prove improvement.
- Time: ~14 hours · Difficulty: Advanced · Prereqs: the security labs.
Architecture Overview
graph LR
Scan[Audit scan] --> Gap[Gap analysis vs CIS/NIST]
Gap --> Rem[Remediate controls]
Rem --> Re[Re-scan]
Re -->|score up| Report[Evidence report]
Environment Setup
- A target Linux host and Lynis or OpenSCAP.
- The CIS Benchmark and relevant NIST 800-53 controls.
- A place to record findings and evidence.
Step-by-Step Execution
01
Baseline scan
sudo lynis audit system --quickProduces a hardening index and a findings list.
02
Remediate prioritized findings
Map each finding to a control (for example SSH hardening to AC-7, firewall to SC-7) and fix it.
sudo sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && sudo systemctl reload sshd03
Re-scan to measure improvement
# lynis audit system --quick | grep "Hardening index"
Hardening index : 58 -> 81 (after remediation)
Progress So Far
graph LR
A[01 Baseline] -->|done| B[02 Remediate]
B -->|done| C[03 Re-scan]
style A fill:#1a4a1a,stroke:#00ff00,color:#fff
style B fill:#1a4a1a,stroke:#00ff00,color:#fff
style C fill:#1a4a1a,stroke:#00ff00,color:#fff
Testing & Validation
lynis show report | grep -i warning | wc -lThe warning count should drop and the hardening index should rise versus the baseline. Document before/after with control mappings as evidence.
Troubleshooting
- Index did not improve: remediate the highest-impact findings first, then re-scan.
- Change broke a service: test hardening in a staging copy before production.
- Unclear control mapping: reference the CIS Benchmark control IDs directly.
Extension Ideas
- Automate remediation with Ansible across many hosts.
- Extend to cloud with CSPM.
- Tie findings to the IR Playbook.
Key Results
- Baselined the host with an automated audit.
- Mapped findings to CIS Controls and NIST families.
- Raised the hardening index from 58 to 81.
- Produced before/after evidence with control mappings.