INF-002 Configuration Baseline and Hardening
Description
All production systems — including operating systems, hypervisors, containers, and cloud services — are deployed against a documented hardening baseline. The baseline disables unused ports, protocols, services, and accounts. Deviations from the baseline are detected automatically and reviewed.
Rationale
Default-insecure configurations expand the attack surface. A verified hardening baseline ensures systems are deployed in a known, minimal-privilege state from day one.
Framework Mappings (7)
| Control ID | Control Name | Coverage |
|---|---|---|
| CCC-06 | Change Management Baseline | full |
| CCC-07 | Detection of Baseline Deviation | full |
| I&S-04 | OS Hardening and Base Controls | full |
| 8.9 | Configuration management | full |
| CM-6 | Configuration Settings | full |
| CM-7 | Least Functionality | full |
| CC7.1 | Detection and Monitoring Procedures | partial |
Evidence (2)
1. Hardening baseline configuration applied to production systems, showing disabled services, ports, protocols, and default accounts in line with a published benchmark.
   Example: CIS Benchmark compliance scan output (e.g., AWS Inspector, Lynis report, or InSpec profile run) for a representative sample of production servers, containers, or cloud services.
   Test: Run a hardening compliance scan against a representative sample of production workloads. Verify: (1) a baseline document exists referencing a named benchmark (e.g., CIS Level 1/2); (2) unused ports, protocols, and default accounts are disabled or removed; (3) scan results show a pass rate meeting the organisation's defined threshold; (4) deviations are flagged and assigned for remediation.
2. Configuration drift detection alert history showing automated detection and assignment of deviations from the hardening baseline.
   Example: AWS Config Rules non-compliance events, GCP SCC findings, or equivalent CSPM tool alert log for the preceding 90 days.
   Test: Query the CSPM or configuration compliance tool for baseline deviation alerts in the last 90 days. Verify: (1) alerting is enabled and actively firing for baseline deviations; (2) each alert has a documented review or remediation action; (3) mean time to remediation is within the organisation's defined SLA by severity.
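The two tests above reduce to the same mechanics: compare a system snapshot against a baseline and count what fails, then walk the alert history to confirm every deviation is tracked and remediated within the severity SLA. The script below is an added illustration of both, not tooling from this control catalogue or from any named scanner. The baseline values, the host snapshot, the alert records, the check names and the SLA hours are all constructed for the example; a real run would load the benchmark-derived baseline and the scanner or CSPM export in their own formats.

```python
"""Added example: baseline deviation check and drift-alert SLA review.

The baseline, host snapshot and alert history below are constructed for
the example; they are not a published benchmark or real system data.
"""
from datetime import datetime

# Constructed hardening baseline (hypothetical values, not a CIS/STIG profile).
BASELINE = {
    "allowed_listening_ports": {22, 443},
    "must_be_disabled_services": {"telnet", "rsh", "ftp", "cups"},
    "forbidden_accounts": {"guest", "test"},
    "required_sysctl": {"net.ipv4.ip_forward": "0", "kernel.randomize_va_space": "2"},
}

# Constructed snapshot of one production host, as a scanner might collect it.
HOST_SNAPSHOT = {
    "hostname": "web-01",
    "listening_ports": {22, 443, 8080},
    "enabled_services": {"sshd", "nginx", "telnet"},
    "accounts": {"root", "deploy", "guest"},
    "sysctl": {"net.ipv4.ip_forward": "1", "kernel.randomize_va_space": "2"},
}


def check_host(snapshot, baseline):
    """Compare a host snapshot to the baseline; return a list of (check, detail) deviations."""
    deviations = []
    for port in sorted(snapshot["listening_ports"] - baseline["allowed_listening_ports"]):
        deviations.append(("unexpected_port", str(port)))
    for svc in sorted(snapshot["enabled_services"] & baseline["must_be_disabled_services"]):
        deviations.append(("service_enabled", svc))
    for acct in sorted(snapshot["accounts"] & baseline["forbidden_accounts"]):
        deviations.append(("default_account_present", acct))
    for key, expected in baseline["required_sysctl"].items():
        actual = snapshot["sysctl"].get(key)
        if actual != expected:
            deviations.append(("sysctl_mismatch", f"{key}={actual} (expected {expected})"))
    return deviations


def pass_rate(snapshot, baseline):
    """Fraction of checks passed: one check per listening port, baseline service, account and sysctl key."""
    total = (len(snapshot["listening_ports"]) + len(baseline["must_be_disabled_services"])
             + len(baseline["forbidden_accounts"]) + len(baseline["required_sysctl"]))
    return 1 - len(check_host(snapshot, baseline)) / total


# Constructed drift-alert history, in the shape a CSPM export might take.
ALERT_HISTORY = [
    {"id": "A-1", "severity": "high", "opened": "2024-05-01T10:00:00",
     "remediated": "2024-05-01T16:00:00", "ticket": "OPS-101"},
    {"id": "A-2", "severity": "medium", "opened": "2024-05-03T09:00:00",
     "remediated": "2024-05-09T09:00:00", "ticket": "OPS-104"},
    {"id": "A-3", "severity": "high", "opened": "2024-05-05T08:00:00",
     "remediated": None, "ticket": None},
    {"id": "A-4", "severity": "low", "opened": "2024-05-06T10:00:00",
     "remediated": "2024-05-06T12:00:00", "ticket": "OPS-110"},
]

# Hypothetical remediation SLA in hours by severity; the organisation defines its own.
SLA_HOURS = {"high": 24, "medium": 168, "low": 720}


def review_alerts(alerts, sla_hours, now):
    """Flag alerts without a tracked action, compute MTTR by severity, and list SLA breaches.

    Open alerts are measured against `now`, so an unresolved high-severity
    deviation older than its SLA is reported as a breach, not silently skipped.
    """
    untracked, breaches, durations = [], [], {}
    for alert in alerts:
        opened = datetime.fromisoformat(alert["opened"])
        if alert["ticket"] is None:
            untracked.append(alert["id"])
        closed = datetime.fromisoformat(alert["remediated"]) if alert["remediated"] else now
        hours = (closed - opened).total_seconds() / 3600
        if alert["remediated"]:
            durations.setdefault(alert["severity"], []).append(hours)
        if hours > sla_hours[alert["severity"]]:
            breaches.append(alert["id"])
    mttr = {sev: sum(h) / len(h) for sev, h in durations.items()}
    return {"untracked": untracked, "mttr_hours": mttr, "sla_breaches": breaches}


if __name__ == "__main__":
    for check, detail in check_host(HOST_SNAPSHOT, BASELINE):
        print(f"{HOST_SNAPSHOT['hostname']}: {check}: {detail}")
    print(f"pass rate: {pass_rate(HOST_SNAPSHOT, BASELINE):.1%}")
    print(review_alerts(ALERT_HISTORY, SLA_HOURS, now=datetime(2024, 5, 7, 8, 0)))
```

On the constructed data the host fails four of eleven checks (an extra listening port, an enabled legacy service, a default account and a sysctl mismatch), and the alert review surfaces one high-severity deviation that has neither a ticket nor a remediation and has already exceeded its SLA; those are exactly the findings an assessor would expect evidence items (1)(4) and (2)(2)-(3) to expose.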
Questions (2)
1. Are all production systems (operating systems, containers, hypervisors, and cloud services) deployed against a documented hardening baseline that disables unused ports, protocols, services, and default accounts?
   The baseline should reference a named benchmark (e.g. CIS Level 1/2, DISA STIG) and apply to all production workload types, not just servers.
2. Which approach is used to enforce the hardening baseline and detect deviations?
   Automated enforcement at build time combined with runtime drift detection provides the strongest assurance. Periodic scans are a minimum acceptable approach.