CIS Benchmarks are consensus configuration baselines for every common OS, app, and cloud service. Level 1 is the practical baseline (most things on, low operational cost); Level 2 is the hardened baseline (some features off, higher operational cost). They're the closest thing to 'do this and you've covered 80% of host hardening'.
Take the CIS Ubuntu 22.04 benchmark as the example: it has ~250 controls. Examples: 'ensure password expiration is 365 days or less', 'ensure /tmp is mounted with nodev,nosuid', 'ensure auditd is enabled'. Each control has a rationale, an audit command, and a remediation.
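The three example controls above, written as audit-style checks. This is an added example, not text or commands from the CIS benchmark itself: the function names and the sample input are constructed for illustration, and each check takes its input as text so it runs offline.

```bash
#!/bin/sh
# Constructed sample of /etc/login.defs (assumption: a host with no password ageing set).
SAMPLE_LOGIN_DEFS='# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0'
# Constructed sample /proc/mounts line: /tmp has nosuid but is missing nodev.
SAMPLE_MOUNTS='tmpfs /tmp tmpfs rw,nosuid,relatime 0 0'

# PASS if an uncommented PASS_MAX_DAYS is present and is 365 or less.
check_pass_max_days() {
    days=$(printf '%s\n' "$1" | awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v }')
    case "$days" in
        ''|*[!0-9]*) echo FAIL; return ;;   # unset or not a plain number
    esac
    if [ "$days" -le 365 ]; then echo PASS; else echo FAIL; fi
}

# PASS if /tmp is a separate mount whose options include both nodev and nosuid.
check_tmp_mount() {
    opts=$(printf '%s\n' "$1" | awk '$2 == "/tmp" { o = $4 } END { print o }')
    [ -n "$opts" ] || { echo FAIL; return; }   # /tmp is not its own mount
    for want in nodev nosuid; do
        case ",$opts," in
            *",$want,"*) ;;                    # whole-token match on the option
            *) echo FAIL; return ;;
        esac
    done
    echo PASS
}

# PASS if the text is exactly what `systemctl is-enabled auditd` prints when enabled.
check_auditd_enabled() {
    if [ "$1" = "enabled" ]; then echo PASS; else echo FAIL; fi
}

# Print one result line per control for the given inputs.
audit_report() {
    echo "password expiration <= 365 days: $(check_pass_max_days "$1")"
    echo "/tmp mounted nodev,nosuid:       $(check_tmp_mount "$2")"
    echo "auditd enabled:                  $(check_auditd_enabled "$3")"
}

# Run against the constructed samples. On a real host, pass instead:
#   "$(cat /etc/login.defs)" "$(cat /proc/mounts)" "$(systemctl is-enabled auditd 2>/dev/null)"
audit_report "$SAMPLE_LOGIN_DEFS" "$SAMPLE_MOUNTS" "disabled"
```

A scanner such as OpenSCAP automates this same pattern across the whole benchmark: gather the host state, compare it with the control's expected value, and record pass or fail per control.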
Use these three prompts in order. Each builds on the one before.
In one paragraph, explain the CIS Benchmarks.
Walk me through running OpenSCAP against a host and reading the report.
Design CIS compliance for a heterogeneous fleet — when do you exempt a host?