Use case

CIS benchmark monitoring for Linux with Blackglass

Note: Blackglass is not a certified CIS benchmark assessment tool and does not provide formal compliance certification. It tracks the configuration state that CIS controls typically address and alerts when that state drifts — giving you continuous posture visibility rather than a point-in-time pass/fail report.

The CIS Benchmarks for Linux (Ubuntu, RHEL, Debian, Amazon Linux) define several hundred recommendations. Most teams implement a subset, pass an initial audit, and then struggle to maintain posture as the fleet evolves. Blackglass helps by continuously monitoring the configuration areas CIS benchmarks care about most.

Why point-in-time audits are not enough

  • CIS assessments are typically run quarterly or pre-audit. Drift between runs is invisible until someone asks.
  • Benchmark tools like CIS-CAT or OpenSCAP report state at a moment in time — they do not alert when state changes after the scan.
  • Teams that achieve a high CIS score during a hardening sprint often regress within weeks due to package upgrades, emergency changes, or new hosts from stale images.

Blackglass complements point-in-time assessment tools by tracking the change dimension — when did this configuration value change, from what to what, and who was on the team when it happened?

CIS-relevant areas Blackglass monitors

SSH server configuration (CIS 5.x)

  • PermitRootLogin no or prohibit-password
  • PasswordAuthentication no
  • MaxAuthTries ≤ 4
  • IgnoreRhosts yes
  • Approved cipher suites and MAC algorithms only
  • LoginGraceTime ≤ 60 seconds

Network parameters (CIS 3.x sysctl)

  • net.ipv4.ip_forward = 0 (unless acting as a router)
  • net.ipv4.conf.all.send_redirects = 0
  • net.ipv4.tcp_syncookies = 1
  • net.ipv6.conf.all.disable_ipv6 = 1 (if IPv6 not required)

Listening services

  • No unexpected TCP/UDP services open beyond the approved baseline
  • Firewall rules present and active

Typical workflow for teams using CIS benchmarks

  1. Run your CIS assessment tool (CIS-CAT, OpenSCAP, or a manual audit). Remediate findings.
  2. Capture the post-hardening state as a Blackglass baseline. This records the values you deliberately set.
  3. Connect Blackglass scheduled scans. Any subsequent change to a monitored directive raises a drift event with severity and before/after values.
  4. Respond and document. Acknowledge expected changes (approved patches), investigate unexpected ones, and remediate regressions. Blackglass records the full lifecycle.
  5. Export evidence before the next audit. Demonstrate continuous monitoring with a dated evidence bundle showing every drift event and its resolution.
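Steps 2 and 3 can be sketched in a few lines. This is an added example, not Blackglass code or its event format: it snapshots the scalar SSH and sysctl settings listed above, then diffs a later scan against that baseline. The function names, the two severity labels and the sample configuration text are assumptions made for the illustration.

```python
# Added example (not Blackglass code); names, severities and samples are constructed.
POLICY = {  # predicates mirror the values listed on this page
    "sshd.permitrootlogin": lambda v: v in ("no", "prohibit-password"),
    "sshd.passwordauthentication": lambda v: v == "no",
    "sshd.maxauthtries": lambda v: v.isdigit() and int(v) <= 4,
    "sshd.ignorerhosts": lambda v: v == "yes",
    "sshd.logingracetime": lambda v: v.isdigit() and int(v) <= 60,
    "sysctl.net.ipv4.ip_forward": lambda v: v == "0",
    "sysctl.net.ipv4.conf.all.send_redirects": lambda v: v == "0",
    "sysctl.net.ipv4.tcp_syncookies": lambda v: v == "1"}

def parse_sshd(text):
    """Global sshd_config settings; keywords are case-insensitive, first value wins."""
    out = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "match":
            break  # settings after a Match line are conditional, not global
        if len(parts) == 2 and not parts[0].startswith("#"):
            out.setdefault(parts[0].lower(), parts[1].strip().lower())
    return out

def parse_sysctl(text):  # lines in `sysctl -a` form: key = value
    pairs = (line.partition("=") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def snapshot(sshd_text, sysctl_text):
    src = {"sshd": parse_sshd(sshd_text), "sysctl": parse_sysctl(sysctl_text)}
    return {k: src[k.split(".", 1)[0]].get(k.split(".", 1)[1]) for k in POLICY}

def drift(baseline, current):  # one event per changed key, with before/after
    events = []
    for key, before in sorted(baseline.items()):
        after = current.get(key)
        if after != before:  # still inside the policy range: info, otherwise high
            sev = "info" if after is not None and POLICY[key](after) else "high"
            events.append({"key": key, "before": before, "after": after, "severity": sev})
    return events

# Constructed samples: hardened baseline, then a later scan where an earlier
# line in the file overrides the hardened value (first value wins in sshd).
BASE_SSHD = ("PermitRootLogin no\nPasswordAuthentication no\nMaxAuthTries 4\n"
             "IgnoreRhosts yes\nLoginGraceTime 60\n")
BASE_SYSCTL = ("net.ipv4.ip_forward = 0\nnet.ipv4.conf.all.send_redirects = 0\n"
               "net.ipv4.tcp_syncookies = 1\n")
NOW_SSHD = ("PermitRootLogin prohibit-password\nPasswordAuthentication yes\n"
            "MaxAuthTries 6\n" + BASE_SSHD)
EVENTS = drift(snapshot(BASE_SSHD, BASE_SYSCTL),
               snapshot(NOW_SSHD, BASE_SYSCTL.replace("ip_forward = 0", "ip_forward = 1")))
print(*EVENTS, sep="\n")
```

On a real host, the output of `sshd -T` is a better input than the raw file, because it prints the effective configuration with includes and defaults already resolved.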

Scope and limitations

Blackglass does not:

  • Perform a full CIS benchmark assessment (hundreds of checks including filesystem permissions, PAM, audit daemon configuration, etc.).
  • Issue a CIS compliance score or certificate.
  • Replace a dedicated assessment tool for initial hardening.

It is a continuous monitoring layer for the configuration dimensions that change most often and matter most to SSH posture and kernel hardening — with a drift detection and evidence workflow on top.
