Hardened Image general update and upgrade questions

Problem

Solution

The CIS Hardened Images are updated monthly using OS updates provided to CIS directly by the CSP. In addition to the monthly OS updates, some monthly images also contain major, minor, or point revisions to the Benchmark itself.

Here is some additional information about our Hardened Images, updates, and upgrading your HI:

• How are new versions and updates visually represented for each CIS Hardened Images®?

• How can we confirm the Benchmark version from within a Hardened Image?

• Upgrading to a Hardened image with a new OS:

  • Migrate to the newest version of the CIS hardened image available in your cloud provider marketplace. Please reference your cloud provider documentation for specific steps. The migration of your applications will be up to your organization. Some organizations can do this through code deployment that they have developed and maintained. Others manually reinstall applications depending on their internal process and procedure.

To update an existing, deployed CIS HI as opposed to migrating to the newest release, the steps are as follows:

1. Begin by running and applying OS updates to align with the latest bug fixes, security patches, and packages provided by the corresponding vendor/CSP

2. Review the version number you are currently using and the new version you are looking to update to

   1. As an example, the HI you are using is versioned 1.0.0.20 and the HI you want to update to align with is the most recent versioned 1.0.0.27 – this would mean that the ONLY alterations made to the HI are based on OS updates. This means following only step 1 will satisfy this update

   2. As an example, the HI you are using is versioned 1.0.0.20 and the HI you want to update to align with is the most recent versioned 1.0.1.0 OR 1.2.0.0 – this would mean that, in addition to the OS updates, there has been an update to the corresponding CIS Benchmark used to harden that CIS HI.

      1. Any change in the first 3 number of the version will indicate a change in the benchmark content used to harden the CIS HI

      2.  If you are a CIS SecureSuite Member, you can leverage CIS-CAT to run on your current (older version) to help with the update

         1. Run CIS CAT PRO Assessor on your HI to find what new recommendations may be failing and account for any potential configuration drift

            1. Note: The version of any given Benchmark in CIS-CAT may not align with the the first 3 digits of the HI. If this is the case, you may need to produce the files on WorkBench, please see the following article: Export OVAL and XCCDF content for a CIS Benchmark® that is no longer integrated into Assessor

         2. Compare the failures on your recently run CIS-CAT report to remediate the recommendations that are with the corresponding CIS Benchmark WORD doc or PDF

      3.  If you are NOT a CIS SecureSuite Member

         1. To do this, go to CIS Workbench and download the corresponding CIS Benchmark PDF

         2. Go to the end of the document where the changelog is located and review what recommendation may have been modified, added or deleted since the previous version

         3. Remediate the CIS HI based on the content in the changelog to update to the latest version

         4. ***Make sure remediation is conducted on changelog items that pertain to the specific level you are using the CIS HI for (Level 1 vs. Level 2 vs. STIG)***

Keywords; Hardened Image HI Migrate

Content by Label