Findings
Changes compared with your last approved baseline.
SSH & configuration
- jump-sbx-01PermitRootLoginfailset to 'yes' — baseline requires 'prohibit-password'
- vpn-gateway-01PasswordAuthenticationwarnenabled while MFA boundary expects key-only
- edge-api-01MaxAuthTries / LoginGraceTimepasswithin CIS L1 profile
- legacy-monolith-01HostKeyAlgorithmsfailweak host key algorithm still advertised
Drift queue
- high
sshd PermitRootLogin=yes (expected: prohibit-password)
ssh · New · 2026-05-02T11:12:00Z
- medium
/etc/ssh/sshd_config: MACs line removed CIS-benchmark MACs
ssh · Acknowledged · 2026-05-02T10:44:00Z
- high
New listening TCP 0.0.0.0:9200 (process: java)
network · New · 2026-05-02T10:02:00Z
- medium
User prometheus added to sudo group vs baseline
identity · New · 2026-05-02T09:51:00Z
- low
Kernel sysctl net.ipv4.ip_forward toggled to 1
kernel · Resolved · 2026-05-01T22:18:00Z