CIS Policy Ubuntu 24.04

mmur_gt4e · October 18, 2024, 7:18am

Hey,

Anyone knows why Ubuntu 24.04 CIS Complice is not avaliable yet? It´s LTS and the guide is already avaliable on cisecurity.org

We tend to use it for some compliances we are under.

Regards

nick000 · October 23, 2024, 5:43pm

That was published a month ago. I’m going to imagine it will take Rapid7 many more months to get this added. I’d suggest you opened a support ticket asking if Rapid7 has an ETA.

emeijer · October 24, 2024, 11:34am

We had the same question and made a ticket about this. It has been logged internally in IDEA-19633.

I have asked when to expect this to be implemented but I have no information yet.

Eelco

mmur_gt4e · October 24, 2024, 1:49pm

IDEA-S never turn into reallity tbh

emeijer · October 28, 2024, 8:12am

Yeah, that is the feeling I have also… Thats why I mentioned in the ticket that I think this should not be an IDEA but a normal update… Will try to keep you posted

Matthew_Cavaco · December 31, 2024, 9:34pm

Hi @mmur_gt4e, @nick000, & @emeijer,

Matt Cavaco from the Rapid7 Customer Success team here!

From what I’m seeing in the system we use to track our customers’ Request For Enhancements (RFEs), we’re tracking this request via RFEs #: IDEA-20788, IDEA-21126, & IDEA-19633.

While I can’t guarantee Rapid7 will add this to Nexpose / InsightVM, your dedicated Customer Success Manager can submit a Prioritization Request to our Product Management team advocating on your behalf.

If you or anyone else in the Rapid7 Discuss Community would like to see this added to Nexpose / InsightVM, I recommend opening a Support Ticket to get tagged to these RFEs. After that, I’d recommend sharing the business impact with your dedicated Customer Success Manager. If you don’t know who that contact is, I’m happy to get you in contact with them.

Matt Cavaco

emeijer · January 2, 2025, 9:48am

Hi Matt,

My main concern here is that this should not need these actions from customers. Policy scanning is an existing feature of the product which needs updates when policies change.

I already was in contact with our CSR about this.

Kind regards,
Eelco

dfriedlander · January 2, 2025, 5:31pm

I agree with Eelco that Rapid7 should be treating policy maintenance like they do vulnerability database maintenance.

When updates to existing or new baselines for already-supported framework benchmarks come out (CIS,STIG,etc), it should automatically be slotted into Rapid7’s internal development team backlog for release. IMHO, its only logical that a customer would appreciate updates to a baseline they’re already using, or that OS upgrades are likely and that testing hardening compliance is a requirement to move that forward.(a logical progression of Ubuntu 22.04 to 24.04, as is say Windows 10 to Windows 11)

If Rapid7 wants IDEA’s or some other sort of voting process for brand new frameworks that are not already in InsightVM, then sure.

I get it takes a bit more effort to release a policy than a one-off zero-day CVE scan that just came out, but it also wouldn’t hurt to provide some sort of customer front-end showing acknowledgement of vendor-published updates (such as CIS Ubuntu 24.04), tentative timeline, etc. for any updates surrounding policies.

To provide Rapid7 management with a frame of reference, I just googled to see if other VM companies were this slow with releasing hardening policies and they’re not. A big name competitor released their initial Ubuntu 24.04 policy scan back on October 16, 2024.

Reaching out to our CSM about this as well as this needs improvement.

Matthew_Cavaco · January 3, 2025, 6:28pm

Hi @emeijer & @dfriedlander,

Thank you for your feedback! I can confirm that I’ve shared it with our Product Management team. A timeline estimate for CIS Policy Benchmark Ubuntu 24.04 has not been determined yet.

Over the last few months, we’ve added the following CIS & DISA STIG Policy Benchmark coverage to Nexpose and InsightVM:

CIS Rocky Linux 8 Version 2.0.0
CIS Rocky Linux 9 Version 2.0.0
CIS Fortigate 7.0.x
DISA STIG Red Hat Enterprise Linux 8 Version 1, Release 14
DISA STIG Red Hat Enterprise Linux 9 Version 1, Release 3

From a vulnerability coverage perspective, we’ve been working on the following over the last few months:

Modernizing our Oracle Linux coverage to include AppStreams
New recurring vulnerability coverage for Arista EOS
Improving recurring vulnerability coverage for:
a.) RedHat JBoss Enterprise Application Platform (EAP)
b.) JetBrains TeamCity
c.) Veeam Backup and Replication
d.) Zimbra Collaboration Suite
e.) Fortinet FortiClient EMS
f.) Atlassian Bitbucket Server and Data Center

Matt Cavaco

Matthew_Cavaco · January 7, 2025, 12:49pm

Hi @emeijer & @dfriedlander,

The Product Management team is targeting the release for Request For Enhancement (RFE) #: IDEA-21126 Coverage Policy Request for CIS Ubuntu Linux 24.04 LTS Benchmark v1.0.0 for sometime in February 2025.

Matt Cavaco

emeijer · January 7, 2025, 1:22pm

Hi Matt,

Thanks for this update! Could you also take a look at Red Hat Enterprise Linux 9 (2.0.0) ?
I think that is part of IDEA-18957

Kind regards,
Eelco

Matthew_Cavaco · January 7, 2025, 2:20pm

Hi @emeijer,

The Nexpose / InsightVM Product Management team is tracking CIS Policy Benchmark Red Hat Enterprise Linux 9 Version 2.0.0 via Request For Enhancements (RFEs) #: IDEA-18957 & IDEA-18888. Earlier today a Product Manager commented that these RFEs are under review. We do not have a timeline for this CIS Policy Benchmark yet.

Matt Cavaco

emeijer · January 7, 2025, 3:57pm

Hi Matt,

Thanks for checking. Will wait fir that one then.

Do you know how the implementation of new CIS benchmarks is prioritised? The Ubuntu 24 benchmark was released by CIS on August 26th 2024 but the RHEL 9 v2 was released June 24th.

Kind regards,
Eelco

Matthew_Cavaco · January 7, 2025, 7:47pm

Hi @emeijer,

Here are some of the different aspects our Product Management team takes into consideration when evaluating Request For Enhancements (RFEs):

Alignment to Rapid7 & Practice Vision
How much does this request contribute to the overall vision / goals / focus areas?
Breadth and Depth of Customer Impact
What ratio of customers does this impact?
How much does it impact customers?
Customer Increase / Differentiation Increase
Does this open up a new segment of customers by providing solutions to previously unmet needs?
Will this provide new ways to help customers achieve their outcomes?
Customer Retention / Weakness Removal
Does this help customers grow their security programs and / or realize more value with their current implementation?
Does this make it easier for customers to use existing functionality?
Ease of Implementation
What is the level of difficulty to design, build, and support?

Matt Cavaco

Matthew_Cavaco · January 23, 2025, 3:52pm

Hi @emeijer,

The estimated timeline for CIS Policy Benchmark coverage for Red Hat Enterprise Linux 9 Version 2.0.0 will be February 2025.

Matt Cavaco

mmur_gt4e · March 24, 2025, 10:32am

Still waiting for Ubuntu 24.04

Matthew_Cavaco · March 31, 2025, 12:24pm

Hi @mmur_gt4e,

I connected with one of our Product Managers about your question. He said that for CIS Policy Benchmark coverage for Ubuntu Linux 24.04 LTS we’re targeting a release for early Q2.

Matt Cavaco