SOC2-CC5-SYSTEM-HARDENING

System Configuration and Hardening Standards

Control type: preventive | Effectiveness: high | Frequency: monthly

What this control does

Baseline security configuration standards for servers, cloud infrastructure, and endpoints to reduce the attack surface.

Implementation guidance

Define and document a hardening baseline (e.g., the applicable CIS Benchmark, with version and any justified local exceptions) for each system type in your environment. Enforce it via IaC (Terraform, CDK) or configuration management so that systems cannot be provisioned outside the baseline. Run compliance scans at least monthly and remediate each deviation within 30 days of detection.

Requirements satisfied

CC5.2

Why it matters

Unpatched systems, open ports, and overpermissioned service accounts are direct attack vectors: a single misconfigured server can be the foothold that compromises the entire environment. Without enforced hardening baselines, attackers exploit low-hanging fruit such as default passwords, unnecessary services, and excessive IAM permissions. This control raises the effort and time an attacker needs to gain initial access and limits lateral movement after an initial compromise.

Evidence to collect

  • Hardening baseline document (e.g., PDF or wiki linking each system type to specific CIS Benchmark version and customizations)
  • IaC code repository commit history showing hardening rules deployed (Terraform variables, security groups, IAM policies)
  • Monthly compliance scan reports (e.g., from Nessus, CloudMapper, or cloud-native tools) with timestamps and deviation remediation tickets
  • Change log or audit trail showing deviations detected and closure dates (JIRA tickets, spreadsheet, or CMDB records)

Testing procedure

1) Request and verify that the hardening baseline document exists and maps to CIS Benchmarks or an equivalent standard (version numbers recorded, deviations justified).
2) Sample 3–5 production systems across different types (Linux server, Windows server, Kubernetes node, RDS instance), run live compliance scans, and compare the results to the baseline.
3) Audit the last 2–3 months of scan reports and confirm that every detected deviation has a remediation ticket whose close date falls within 30 days of detection.
4) Verify that the IaC code enforces the baseline (spot-check firewall rules, sudoers configuration, service account permissions).
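The two checks an assessor actually has to perform here, comparing a live configuration against the documented baseline (step 2, and the enforcement described under implementation guidance) and confirming that every deviation was remediated within the 30-day SLA (step 3), look like the following. This is an added example, not code from the control page or from any benchmark: the rule IDs, the sshd_config sample, the ticket records and the SSHD_DEFAULTS table are constructed for illustration, and the rules only loosely follow the CIS style rather than quoting a specific benchmark version.

```python
"""Hardening-baseline compliance check and remediation-SLA audit (added example).

All rule IDs, the sample sshd_config and the deviation records below are
constructed for illustration; they are not taken from a real host or benchmark.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta

# OpenSSH server defaults assumed for keywords absent from the file; verify on
# a real host with `sshd -T`, which prints the effective configuration.
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
}

# Constructed baseline: (hypothetical rule id, keyword, pass predicate, expected value)
SSHD_BASELINE = [
    ("SSH-01", "permitrootlogin", lambda v: v == "no", "no"),
    ("SSH-02", "passwordauthentication", lambda v: v == "no", "no"),
    ("SSH-03", "permitemptypasswords", lambda v: v == "no", "no"),
    ("SSH-04", "x11forwarding", lambda v: v == "no", "no"),
    ("SSH-05", "maxauthtries", lambda v: v.isdigit() and int(v) <= 4, "<= 4"),
]

# Constructed sample, not a real host. Note the second PermitRootLogin line:
# sshd keeps the FIRST value it sees, so the "hardening" appended later is inert.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 3
PermitRootLogin no        # ignored by sshd: first occurrence wins
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global settings of an sshd_config.

    Keywords are case-insensitive and may be separated from their value by
    whitespace or a single '='. The first occurrence of a keyword wins, and
    everything after a 'Match' line is conditional, so parsing stops there.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def check_sshd(text: str) -> list[dict]:
    """Compare effective settings (file values over assumed defaults) to the baseline."""
    effective = {**SSHD_DEFAULTS, **parse_sshd_config(text)}
    deviations = []
    for rule_id, key, passes, expected in SSHD_BASELINE:
        actual = effective.get(key, "")
        if not passes(actual):
            deviations.append({"rule": rule_id, "setting": key,
                               "expected": expected, "actual": actual})
    return deviations


SLA_DAYS = 30


@dataclass
class Deviation:
    host: str
    rule: str
    detected: date
    ticket: str | None
    closed: date | None = None


# Constructed ticket records such as an assessor would pull from the tracker.
SAMPLE_RECORDS = [
    Deviation("web-01", "SSH-01", date(2024, 3, 4), "OPS-101", date(2024, 3, 20)),  # within SLA
    Deviation("web-02", "SSH-02", date(2024, 3, 4), "OPS-102", date(2024, 4, 10)),  # closed late
    Deviation("db-01", "SSH-05", date(2024, 3, 4), None),                           # never ticketed
    Deviation("k8s-03", "SSH-04", date(2024, 4, 15), "OPS-140"),                    # still open
]
AS_OF = date(2024, 5, 20)


def audit_remediation(records: list[Deviation], as_of: date,
                      sla_days: int = SLA_DAYS) -> list[str]:
    """One finding per deviation that has no ticket, was closed late, or is overdue."""
    findings = []
    for r in records:
        due = r.detected + timedelta(days=sla_days)
        if r.ticket is None:
            findings.append(f"{r.host} {r.rule}: no remediation ticket")
        elif r.closed is None and as_of > due:
            findings.append(f"{r.host} {r.rule}: {r.ticket} still open, overdue since {due}")
        elif r.closed is not None and r.closed > due:
            findings.append(f"{r.host} {r.rule}: {r.ticket} closed {(r.closed - due).days} days late")
    return findings


if __name__ == "__main__":
    for d in check_sshd(SAMPLE_SSHD_CONFIG):
        print("DEVIATION", d)
    for f in audit_remediation(SAMPLE_RECORDS, AS_OF):
        print("SLA", f)
```

Run as a script it reports exactly one baseline deviation (SSH-01, because the first `PermitRootLogin yes` is what sshd honours) and three SLA findings (web-02 closed seven days late, db-01 never ticketed, k8s-03 open and overdue). The first-occurrence rule is the reason to scan the effective configuration rather than grep for the hardened line, and the SLA audit is what turns a monthly scan report into evidence that deviations were actually closed.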

Common gotchas

Teams often treat hardening baselines as one-time documents that drift quickly when new servers are provisioned outside IaC, or they run scans but never close remediation tickets because the deviation "isn't critical." Ensure every system is deployed from IaC and every scan is tied to a tracked remediation workflow with clear ownership and SLAs.