CIS Controls v8
Classification: CONFIDENTIAL — Internal Use Only
CIS Controls v8 implementation is at 100% across all four WDC servers (SKY, RAIN, SUN, WIND). The table below maps each applicable safeguard to its implementation on the relevant server pair. The "Control Name" column uses this document's short labels, not the official v8 safeguard titles, so check the numbering against the current CIS Controls v8 guide when auditing: for example, v8 safeguard 3.10 covers encryption of data in transit and 3.11 encryption of data at rest, while the 3.11 row here lists DNSSEC signing and Webmin TLS, which protect data in transit.
Implementation Matrix
| CIS Control | Control Name | SKY/RAIN | SUN/WIND |
|---|---|---|---|
| CIS 1.1 | Asset Inventory | DHCP lease tracking; DNS A/PTR for all hosts | Kibana dhcp-leases-* index; Prometheus asset labels |
| CIS 1.2 | Software Inventory | Minimal RPM install; dnf history | Minimal RPM install; dnf history |
| CIS 2.2 | Authorized Software | Server base only; no GUI | Server base only; ELK + Prometheus packages only |
| CIS 3.11 | Data Encryption | DNSSEC zone signing; Webmin TLS | Webmin TLS; management network restriction |
| CIS 3.14 | Sensitive Data | DNSSEC private keys chmod 600; encrypted backups | Elasticsearch data on dedicated partition |
| CIS 4.1 | Secure Configuration | CIS Benchmark Rocky Linux 8; named/dhcpd hardening | CIS Benchmark Rocky Linux 8; service hardening |
| CIS 4.4 | Firewall | firewalld drop zone; DNS/DHCP rules only | firewalld drop zone; management-only rules |
| CIS 5.1 | Account Inventory | dnsadmin only; service accounts nologin | monitadmin only; service accounts nologin |
| CIS 5.2 | Privileged Access | sudo with logging; SSH no root | sudo with logging; SSH no root |
| CIS 5.4 | Password Policy | 14-char min, 90-day max, 5-attempt lockout | Same policy as SKY/RAIN |
| CIS 6.1 | Access Control | SELinux enforcing; BIND chroot | SELinux enforcing; service isolation |
| CIS 7.1 | Vulnerability Management | dnf-automatic security updates | dnf-automatic security updates |
| CIS 8.2 | Audit Log Management | auditd with DNS/DHCP rules; rsyslog → WIND | auditd; Elasticsearch 90-day retention |
| CIS 8.3 | Log Storage | Dedicated /var/log on sdb | Dedicated /var/log and /var/lib/elasticsearch on sdb |
| CIS 8.5 | Log Analysis | Kibana dashboards on WIND | Kibana dashboards; Grafana panels |
| CIS 8.9 | Centralized Logging | rsyslog → WIND:5140 | Logstash pipeline; Elasticsearch indexing |
| CIS 10.1 | Malware Defenses | AIDE daily integrity check | AIDE daily integrity check |
| CIS 11.1 | Data Recovery | Daily cron backup; ESXi snapshots | Daily cron backup; ESXi snapshots |
| CIS 11.2 | Automated Backup | /etc/cron.daily/dns-dhcp-backup | /etc/cron.daily/mon-backup + log-backup |
| CIS 12.1 | Network Defense | firewalld drop default; explicit rich rules | firewalld drop default; explicit rich rules |
| CIS 12.4 | Network Topology | Dual NIC (prod/mgmt); DNS zone segregation | Dual NIC (prod/mgmt) |
| CIS 13.1 | Network Monitoring | node_exporter + bind_exporter | Prometheus scrape; Grafana dashboards |
| CIS 13.4 | Alert Management | Grafana alert rules (P1–P4) | Grafana alert rules; Kibana alerts |
| CIS 16.7 | Application Security | Webmin TLS; management-only access | Webmin TLS; Grafana auth; Kibana on mgmt network |
| CIS 17.1 | IR Designation | DNS Admin + Security Ops | Monitoring Admin + Security Ops |
| CIS 17.7 | IR Exercises | Quarterly failover + DR drills | Quarterly snapshot + pipeline tests |
| CIS 17.9 | IR Thresholds | P1–P4 severity matrix; RTO/RPO defined | P1–P4 severity matrix; RTO/RPO defined |
GCP Controls Mapping
| CIS Control | GCP Implementation |
|---|---|
| CIS 3.11 | Cloud VPN AES-256-GCM; GCS encryption at rest; HTTPS on Cloud Run |
| CIS 4.4 | VPC firewall deny-all-ingress default; explicit rules for VPN + internal |
| CIS 8.3 | VPC Flow Logs; Cloud Audit Logs |
| CIS 11.1 | GCS backup bucket with 90-day retention and versioning |
| CIS 12.4 | Separate VPC (172.16.0.0/24); only VPN traffic from on-prem permitted |
Compliance Testing Schedule
| Test | Frequency | Owner |
|---|---|---|
| CIS compliance check (all servers) | Monthly | Security Ops |
| AIDE integrity check | Daily (automated) | Automated cron job on all servers; Security Ops reviews alerts |
| Backup archive verification | Weekly | Backup Admin |
| Full DR drill | Annually | IT Manager + Full Team |
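The schedule lists a monthly "CIS compliance check" but does not say what it inspects. The script below is an added example, not a GPUS-IT tool: a POSIX shell spot-check of the host-level settings the matrix claims (SELinux enforcing, SSH root login disabled, the 14-character/90-day/5-attempt password policy, firewalld drop zone, dnf-automatic security updates, the per-pair backup cron jobs and the rsyslog forward to WIND:5140). It parses configuration files under an optional root prefix, so the same checks run against a mounted backup archive or a container filesystem. Only the cron job names and the WIND:5140 target come from the page; the other file locations and keys (pwquality.conf, faillock.conf, firewalld.conf, dnf's automatic.conf) are standard Rocky Linux 8 defaults assumed here. It is a spot check of what this page claims, not a replacement for a full CIS Benchmark scan.

```shell
#!/bin/sh
# cis_check.sh: added example, not a GPUS-IT script. Spot-checks the CIS
# Controls v8 settings the matrix claims for a Rocky Linux 8 host by parsing
# its configuration files. ROOT ($1, default "") prefixes every path, so the
# same checks run against a mounted backup archive or a container rootfs;
# ROLE ($2: "dns" for SKY/RAIN, "mon" for SUN/WIND) picks the pair-specific
# checks. Only the cron job names and the WIND:5140 target come from the
# page; the other file locations and keys are standard Rocky 8 defaults and
# are assumptions of this example.

# cfg_value FILE KEY [first|last]: print the uncommented value of KEY in
# FILE, accepting "KEY=VAL" and "KEY VAL". Most daemons honour the last
# occurrence; sshd honours the first, so the caller chooses.
cfg_value() {
    [ -r "$1" ] || return 1
    awk -v key="$2" -v mode="${3:-last}" '
        { line = $0; sub(/#.*/, "", line); sub(/^[[:space:]]+/, "", line)
          gsub(/[[:space:]]*=[[:space:]]*/, " ", line)
          n = split(line, f, /[[:space:]]+/)
          if (n < 2 || tolower(f[1]) != tolower(key)) next
          if (mode == "first" && found) next
          val = f[2]; found = 1 }
        END { if (!found) exit 1; print val }' "$1"
}

ROOT=""
# result NAME STATUS DETAIL: print one report line; exit 0 only for PASS.
result() { printf '%-36s %s  %s\n' "$1" "$2" "$3"; [ "$2" = PASS ]; }

# expect NAME FILE KEY OP WANT [first|last]: OP is =, -le or -ge.
expect() {
    got=$(cfg_value "$ROOT$2" "$3" "${6:-last}") || got=""
    if [ -n "$got" ] && [ "$got" "$4" "$5" ] 2>/dev/null; then
        result "$1" PASS "$3=$got"
    else
        result "$1" FAIL "$3=${got:-unset}, want $4 $5"
    fi
}

# expect_job NAME PATH: the cron job at PATH exists and is executable.
expect_job() {
    if [ -x "$ROOT$2" ]; then result "$1" PASS "$2"
    else result "$1" FAIL "$2 missing or not executable"; fi
}

# expect_grep NAME PATTERN PATH...: some uncommented line in PATH... matches.
expect_grep() {
    name="$1"; pat="$2"; shift 2; paths=""
    for p in "$@"; do paths="$paths $ROOT$p"; done   # ROOT must not contain spaces
    if grep -rhs -e "$pat" $paths | grep -qv '^[[:space:]]*#'; then
        result "$name" PASS "$pat"
    else result "$name" FAIL "no uncommented '$pat' in $*"; fi
}

# run_all [ROOT] [dns|mon]: run every check, print the report and return the
# number of failures (0 means every check passed).
run_all() {
    ROOT="${1:-}"; role="${2:-dns}"; fails=0
    expect "CIS 6.1  SELinux enforcing"        /etc/selinux/config SELINUX = enforcing         || fails=$((fails+1))
    expect "CIS 5.2  SSH root login disabled"  /etc/ssh/sshd_config PermitRootLogin = no first || fails=$((fails+1))
    expect "CIS 5.4  password minlen >= 14"    /etc/security/pwquality.conf minlen -ge 14      || fails=$((fails+1))
    expect "CIS 5.4  password max age <= 90"   /etc/login.defs PASS_MAX_DAYS -le 90            || fails=$((fails+1))
    expect "CIS 5.4  lockout after <= 5 tries" /etc/security/faillock.conf deny -le 5          || fails=$((fails+1))
    expect "CIS 4.4  firewalld default drop"   /etc/firewalld/firewalld.conf DefaultZone = drop || fails=$((fails+1))
    expect "CIS 7.1  dnf-automatic security"   /etc/dnf/automatic.conf upgrade_type = security || fails=$((fails+1))
    expect "CIS 7.1  dnf-automatic applies"    /etc/dnf/automatic.conf apply_updates = yes     || fails=$((fails+1))
    case "$role" in
        dns) expect_job  "CIS 11.2 backup job"           /etc/cron.daily/dns-dhcp-backup || fails=$((fails+1))
             expect_grep "CIS 8.9  rsyslog -> WIND:5140" 'WIND.*5140' /etc/rsyslog.conf /etc/rsyslog.d || fails=$((fails+1)) ;;
        mon) expect_job  "CIS 11.2 backup job"           /etc/cron.daily/mon-backup      || fails=$((fails+1))
             expect_job  "CIS 11.2 log backup job"       /etc/cron.daily/log-backup      || fails=$((fails+1)) ;;
    esac
    printf '%d check(s) failed\n' "$fails"
    return "$fails"
}

# Run the report only when invoked directly, e.g.:  sh cis_check.sh "" dns
case "$0" in *cis_check.sh) run_all "$@" ;; esac
```

Run it as `sh cis_check.sh "" dns` on a SKY/RAIN host or `sh cis_check.sh /mnt/backup-root mon` against an unpacked SUN/WIND backup; a non-zero exit status is the number of failed checks, which makes it easy to wire into the monthly Security Ops run or a Prometheus textfile collector. The sshd check deliberately takes the first uncommented `PermitRootLogin`, because sshd uses the first value it sees and a later `PermitRootLogin no` would not take effect.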
CIS Controls · v1.1 · 2026-03-14 · GPUS-IT · Classification: CONFIDENTIAL — Internal Use Only