Why do recommendation numbers change in new Benchmark versions?
Product Name
CIS Benchmark™
Product Version
Date
Jun 1, 2022
Problem
My organization creates custom scripts for automation. Benchmark recommendation numbers that change in new Benchmark versions (e.g., RHEL 7 Benchmark v3.0.1 to RHEL 7 Benchmark v3.1.1) creates the need for labor-intensive editing of scripts. Why do recommendation numbers change in new Benchmark versions?
Solution
Benchmark recommendation numbers change from version to version because some recommendations are removed and some are added. This usually only occurs after lengthy expert debate within the CIS WorkBench community.
So, for example, in CIS Red Hat Enterprise Linux 7 Benchmark v3.0.1, the recommendation number is 5.4.1.1 for "Ensure password expiration is 365 days or less." That version of the Benchmark does not have the section "Configure Sudo". However, CIS Red Hat Enterprise Linux 7 Benchmark v3.1.1 added that section at 5.2 - Configure Sudo. The result of the new section is that the “Ensure password expiration is 365 days or less” section increased to 5.4.1.0 and the recommendation number changed from 5.4.1.1 to 5.5.1.1. Thus, changing recommendation numbers is a necessary byproduct of evolving Benchmark recommendations in new Benchmark versions.
Please see the following Knowledge Base article for information on how to track recommendation number changes in the Appendix section of CIS Benchmark PDFs:
https://cisecurity.atlassian.net/l/c/A0aVxP7U
https://cisecurity.atlassian.net/l/c/Sr1gUAco
Here is a helpful way to think of recommendation numbers: do not think of the number as an identifier, but rather as a organizational indicator. It only has meaning within the confines of a single benchmark version release.
Keywords; Benchmark recommendation number
Content by Label