It doesn't need to be updated constantly, it might be an idea to pin/sticky it so that it stays at the top of the forum category; that way it's easier to find and update if someone does think of something to add.
In relation to openscap and lynis, both are available in Debian:
Is openscap available for Debian? I know it is for most major distros.
I typically run this to see what fails. Then I run ansible scripts to fix the holes.
Ansible Galaxy
galaxy.ansible.com
These cover about 95% of what openscap finds.
Also is "lynis" available for Debian?
[tom@min ~]$ apt-cache show openscap-<TAB>
openscap-common openscap-scanner
openscap-doc openscap-utils
[tom@min ~/notes]$ apt-cache show lynis<TAB>
lynis
@JasKinasis that thread is sadly dead - I tried to revive it a couple of times, but the interest in our community to contribute was sadly low. I have hence written a blog post about it (a LONG one) and posted it at the top of the thread. This way the thread still has value to users.
In Azure and AWS, there are marketplace Linux images that come "pre-hardened".
That's not how it works and just marketing nonsense. You restrict services to the bare minimum of permissions they require to run and then, if you're paranoid, monitor if they try to break the rules. That only works if you know the application, which cloud providers of course don't - they cannot estimate how I wrote my application.