Hardening, Baselines, and Drift
A continuous loop: harden to a baseline, enforce it on every host, detect drift against that baseline, then revise the baseline as exceptions are approved, patches land, and compliance requirements change.
flowchart TD
    CIS["CIS Benchmarks
    external reference
    of recommendations"]:::influence
    VULN["New vulnerabilities
    and patches"]:::influence
    AUD["Auditors and
    compliance frameworks"]:::influence
    BASE["Baseline Configuration
    this is what hardened
    looks like for us"]:::primary
    CM["Configuration Management
    enforces baseline
    on every host"]:::primary
    DRIFT["Drift Detection
    measures gap vs baseline,
    reports findings"]:::drift

    CIS --> BASE
    VULN -->|baseline must evolve| BASE
    AUD -->|regulatory requirements| BASE
    BASE -->|applied via Ansible / Puppet / IaC| CM
    CM -->|scanners verify: InSpec, OpenSCAP| DRIFT
    DRIFT -->|exceptions approved, baseline updated,
    or host remediated| BASE

    classDef primary fill:#1565c0,stroke:#0d3a73,stroke-width:2px,color:#ffffff,font-size:14px
    classDef influence fill:#455a64,stroke:#263238,stroke-width:2px,color:#ffffff,font-size:14px
    classDef drift fill:#ffa000,stroke:#b26a00,stroke-width:3px,color:#3e2723,font-size:14px
    linkStyle default stroke:#607d8b,stroke-width:2px,font-size:12px
Primary cycle
Outside influences
Drift Detection (where ops attention concentrates)
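The "Drift Detection" node is where the loop produces work for operators: a scanner compares what a host actually has against the baseline and emits findings, and each finding is resolved by remediating the host, approving an exception, or updating the baseline. The following is an added example, not code from the page or from InSpec/OpenSCAP, that shows the shape of such a check in miniature. It assumes a baseline expressed as required sshd_config keys and values, an observed sshd_config captured as text (a constructed sample, not real host data), and an approved-exception register keyed by host and setting; the host name, ticket reference and settings are all constructed for illustration.

```python
"""Minimal drift detector: compare observed sshd_config against a baseline.

Added example; baseline keys, host name and exception ids are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Baseline: "this is what hardened looks like for us" (constructed sample).
BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "Protocol": "2",
}

# Constructed sshd_config as captured from a host; not real data.
SAMPLE_SSHD_CONFIG = """\
# sshd_config on web-01 (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 4
"""

# Approved exceptions: (host, setting) -> ticket reference (placeholder id).
APPROVED_EXCEPTIONS: Dict[Tuple[str, str], str] = {
    ("web-01", "X11Forwarding"): "EXC-PLACEHOLDER-1",
}


@dataclass(frozen=True)
class Finding:
    host: str
    key: str
    expected: str
    observed: Optional[str]
    status: str  # "drift", "missing", or "excepted"
    note: str = ""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines; sshd uses the first value it sees for a
    keyword, so the first occurrence wins here too. Comments/blanks ignored."""
    observed: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)\s+(.+)$", line)
        if m:
            observed.setdefault(m.group(1), m.group(2).strip())
    return observed


def detect_drift(host: str, baseline: Dict[str, str], observed: Dict[str, str],
                 exceptions: Dict[Tuple[str, str], str]) -> List[Finding]:
    """Return one Finding per baseline setting the host does not satisfy.
    Settings that match produce no finding; approved exceptions are reported
    but marked so they do not trigger remediation."""
    findings: List[Finding] = []
    for key, expected in baseline.items():
        actual = observed.get(key)
        if actual is not None and actual.lower() == expected.lower():
            continue  # compliant
        status = "missing" if actual is None else "drift"
        note = ""
        ticket = exceptions.get((host, key))
        if ticket is not None:
            status, note = "excepted", ticket
        findings.append(Finding(host, key, expected, actual, status, note))
    return findings


def needs_remediation(findings: List[Finding]) -> List[Finding]:
    """The subset that must be fixed on the host or escalated to the baseline owner."""
    return [f for f in findings if f.status in ("drift", "missing")]


def report(findings: List[Finding]) -> List[str]:
    """Human-readable lines, one per finding."""
    lines = []
    for f in findings:
        obs = f.observed if f.observed is not None else "<absent>"
        tail = f" (exception {f.note})" if f.note else ""
        lines.append(f"{f.host}: {f.key} expected={f.expected} observed={obs} [{f.status}]{tail}")
    return lines


if __name__ == "__main__":
    obs = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    found = detect_drift("web-01", BASELINE, obs, APPROVED_EXCEPTIONS)
    for line in report(found):
        print(line)
    print(f"{len(needs_remediation(found))} finding(s) require action")
```

Running it on the constructed sample reports two findings: PermitRootLogin is drift that must be remediated (or argued back into the baseline), while X11Forwarding is flagged but carries its approved exception and so does not count as actionable. A setting absent from the host's config is reported as "missing" rather than silently treated as compliant, because sshd's compiled-in default may or may not match the baseline; the feedback edge in the diagram exists precisely for cases like that, where the right fix is sometimes to the baseline rather than the host.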