
No. 33 · Enterprise · Compliance · Auto-evidence

The audit folder builds itself.

Compliance audits are theatre until the auditor asks for proof and the team has none. Three weeks vanish chasing logs. This template ends that. CIS-aligned controls applied on first boot. Evidence collected automatically. Attestations signed. By the time the auditor arrives, the folder is already there.

CIS · Aligned baseline
Auto · Evidence collection
Signed · Attestations · per check
3 weeks → 0 · Audit prep cycle
Day 1 · First evidence pack

Act I · The Problem

Three weeks. Every audit.

"Send me the firewall log from March, the SSH config from before the change, and proof that disk encryption was on the whole time."

Day 1
The auditor's checklist arrives. Nobody knows where half the evidence lives.
Day 4
An engineer rebuilds the SSH config history from git blame. The history is wrong.
Day 8
The firewall log got rotated. The retention bucket has gaps. Evidence is missing.
Day 14
A spreadsheet titled "EVIDENCE FINAL FINAL v3" is in someone's email.
Day 21
The audit closes with three findings. None are real. All are paperwork.

Act II · The Promise

Twelve controls. All ticked.

Every control on this list is applied on first boot, re-verified on every run, and documented in the evidence bundle. There are no manual steps. There is no spreadsheet.

CIS 1.1 · Applied

Filesystem partitioning & mount options

Separate /var, /tmp, /home. nodev, nosuid, noexec where appropriate.

CIS 2.2 · Applied

Unused services removed

Default-deny on services. Only explicitly allowed daemons run on boot. Everything else uninstalled.

CIS 3.4 · Applied

Host firewall · default deny

UFW or nftables baseline. Inbound deny by default. Outbound deny by default. Allowlist documented.

CIS 4.1 · Applied

Auditd with full ruleset

Privileged commands, time changes, auth events, mount events, file integrity. Logs shipped off-host.

CIS 5.2 · Applied

SSH hardened

Key-only auth. No root login. Modern KEX and ciphers. Login-grace and max-auth-tries clamped.

CIS 5.4 · Applied

Password policy & PAM hardening

Strong PAM rules. Lockout on brute force. Sudo audited. NOPASSWD denied except for evidence collectors.

CIS 6.1 · Applied

File integrity monitoring

AIDE baseline taken on first boot. Drift report shipped daily. Hash deltas signed for the evidence bundle.

CIS 6.2 · Applied

System log integrity

Logs forwarded to off-host sink. Local rotation locked. Loss of forwarder paged immediately.

CIS 7.1 · Applied

Kernel hardening & sysctl

ASLR on. kernel.kptr_restrict, kernel.dmesg_restrict, net.ipv4.conf.*.rp_filter. Locked.

CIS 8.3 · Applied

fail2ban on auth surfaces

SSH, sudo, anywhere brute force is plausible. Bans logged and shipped. Re-baselined per environment.

CIS 9.1 · Applied

Disk encryption verification

LUKS or cloud-provider equivalent attested at boot. Key location and rotation policy recorded in evidence.

CIS 10.1 · Applied

Time sync & NTP authentication

chrony with authenticated time sources. Drift logged. Off-host anchor for time integrity.
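How a control is re-verified on each run, as an added example that is not the template's own code (the template is shell; this is a Go sketch of the check logic): it parses an sshd_config snapshot and a sysctl snapshot, both constructed here rather than captured from a real host, compares each setting with a baseline value, and emits one pass/fail row per check carrying its CIS mapping. The CIS numbers are the ones on this page; the expected values (MaxAuthTries 4, LoginGraceTime 60, kptr_restrict 2 and so on) are assumptions made for the example, not numbers the page states.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Expectation maps one setting to the CIS item it supports and the value the template expects.
type Expectation struct{ Control, Key, Want string }

// CheckResult is one row of the per-check attestation written into the bundle.
type CheckResult struct {
	Control, Setting, Expected, Observed string
	Pass                                 bool
}

// Expected values are assumptions for this example; align them with the benchmark revision in use.
var SSHDBaseline = []Expectation{
	{"CIS 5.2", "passwordauthentication", "no"},
	{"CIS 5.2", "permitrootlogin", "no"},
	{"CIS 5.2", "maxauthtries", "4"},
	{"CIS 5.2", "logingracetime", "60"},
}

var SysctlBaseline = []Expectation{
	{"CIS 7.1", "kernel.randomize_va_space", "2"}, // ASLR on
	{"CIS 7.1", "kernel.kptr_restrict", "2"},
	{"CIS 7.1", "kernel.dmesg_restrict", "1"},
	{"CIS 7.1", "net.ipv4.conf.all.rp_filter", "1"},
}

// Constructed snapshots standing in for the captured files; not taken from a real host.
const SampleSSHD = `PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 6
# LoginGraceTime not set: the daemon default applies`

const SampleSysctl = `kernel.randomize_va_space = 2
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
net.ipv4.conf.all.rp_filter = 0`

// parseKV reads "Key value" (sshd_config) or "key = value" (sysctl) lines, skipping comments
// and blanks. The first occurrence of a key wins, as sshd resolves duplicates; Match blocks are not modelled.
func parseKV(snapshot string) map[string]string {
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(snapshot))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		var key, val string
		if k, v, ok := strings.Cut(line, "="); ok {
			key, val = k, v
		} else if f := strings.Fields(line); len(f) >= 2 {
			key, val = f[0], strings.Join(f[1:], " ")
		} else {
			continue
		}
		key = strings.ToLower(strings.TrimSpace(key)) // sshd keywords are case-insensitive
		if _, seen := out[key]; !seen {
			out[key] = strings.TrimSpace(val)
		}
	}
	return out
}

// Evaluate compares a snapshot against a baseline. A key that is absent is recorded as
// "(unset)" and fails: a daemon default is not an observed, attestable value.
func Evaluate(snapshot string, baseline []Expectation) []CheckResult {
	kv := parseKV(snapshot)
	var results []CheckResult
	for _, e := range baseline {
		got, ok := kv[e.Key]
		if !ok {
			got = "(unset)"
		}
		results = append(results, CheckResult{Control: e.Control, Setting: e.Key, Expected: e.Want, Observed: got, Pass: ok && strings.EqualFold(got, e.Want)})
	}
	return results
}

// Failures keeps only the rows that did not meet the baseline.
func Failures(results []CheckResult) (failed []CheckResult) {
	for _, r := range results {
		if !r.Pass {
			failed = append(failed, r)
		}
	}
	return failed
}

func main() {
	for _, r := range append(Evaluate(SampleSSHD, SSHDBaseline), Evaluate(SampleSysctl, SysctlBaseline)...) {
		fmt.Printf("%s pass=%-5v %-28s expected=%s observed=%s\n", r.Control, r.Pass, r.Setting, r.Expected, r.Observed)
	}
}
```

On the constructed input the sshd check fails twice (MaxAuthTries is 6, LoginGraceTime is unset) and the sysctl check fails once (rp_filter is 0). A setting missing from the snapshot fails rather than passing by default; the row records what was observed, which is what an attestation is for. Because Match blocks are not modelled, a real collector should capture the effective configuration (`sshd -T`) rather than the file on disk.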

Act III · The Bundle

One tarball. One signature.

Every run produces a self-describing evidence bundle. Each file is hashed. The hash list is signed. The auditor reads the manifest, verifies the signature, walks the files, and is done.

/var/lib/compliant-vm/evidence/2026-05-04T11:42Z.tar.gz · SIGNED
  • 01 · manifest.json · file list with sha-256, generated-at, host, control mapping · Ed25519
  • 02 · sshd_config.snapshot · SSH daemon config at the moment of attestation · Captured
  • 03 · firewall.rules · UFW or nftables rule listing with default-deny verification · Captured
  • 04 · auditd.report · rule count, dropped events, last-rotation timestamp · Captured
  • 05 · aide.diff · file-integrity drift since last baseline · Captured
  • 06 · sysctl.snapshot · all kernel parameters relevant to hardening, exact values · Captured
  • 07 · disk-encryption.attest · LUKS / cloud-disk encryption status at boot · Captured
  • 08 · time-sync.report · chrony source authentication, drift, last sync · Captured
  • 09 · openscap.xml · optional CIS / STIG SCAP scan output (when enabled) · Optional
  • 10 · manifest.sig · Ed25519 detached signature over manifest.json · Signed

Act IV · Proof

What the auditor actually wants.

First evidence pack on day one

Boot the VM. Apply the template. Within minutes, the first signed evidence bundle is on disk. There is no preparation phase.

CIS-aligned defaults, not interpretations

Each control maps to a specific CIS Benchmark item. The mapping lives in the manifest. Auditors read it directly.

Tamper-evident attestation chain

Every bundle is hashed. The hash list is Ed25519 signed. Bundles chain across time so that any retroactive change is visible.
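The bundle from Act III and the chain described just above, as an added Go example that is not the template's own code (the template is shell; Go is used here because Ed25519 is in its standard library): Seal hashes every evidence file with sha-256, records the control each file supports, embeds the hash of the previous bundle's manifest, and signs the manifest bytes; Verify is what an auditor would run. The two evidence files, the host name vm-01 and the JSON field names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// FileEntry is one row of manifest.json: evidence file, its sha-256, the CIS item it supports.
type FileEntry struct {
	Name    string `json:"name"`
	SHA256  string `json:"sha256"`
	Control string `json:"control"`
}

// Manifest is what gets signed; PrevSHA256 (hash of the previous bundle's manifest bytes) chains bundles across time.
type Manifest struct {
	GeneratedAt string      `json:"generated_at"`
	Host        string      `json:"host"`
	PrevSHA256  string      `json:"prev_manifest_sha256"` // empty for the first bundle
	Files       []FileEntry `json:"files"`
}

type Bundle struct {
	ManifestJSON []byte // the exact bytes that were signed
	Signature    []byte // Ed25519 detached signature over ManifestJSON
}

func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// Seal hashes every evidence file (name -> content), links to the previous bundle and signs the manifest.
func Seal(priv ed25519.PrivateKey, host, at string, files map[string][]byte, controls map[string]string, prev *Bundle) (Bundle, error) {
	m := Manifest{GeneratedAt: at, Host: host}
	if prev != nil {
		m.PrevSHA256 = sha256Hex(prev.ManifestJSON)
	}
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic order: same evidence, same signed bytes
	for _, n := range names {
		m.Files = append(m.Files, FileEntry{Name: n, SHA256: sha256Hex(files[n]), Control: controls[n]})
	}
	raw, err := json.Marshal(m)
	if err != nil {
		return Bundle{}, err
	}
	return Bundle{ManifestJSON: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// Verify is the auditor's side: signature first, then every listed file against its hash, then the chain link.
func Verify(pub ed25519.PublicKey, b Bundle, files map[string][]byte, prev *Bundle) error {
	if !ed25519.Verify(pub, b.ManifestJSON, b.Signature) {
		return errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(b.ManifestJSON, &m); err != nil {
		return err
	}
	for _, f := range m.Files {
		if c, ok := files[f.Name]; !ok || sha256Hex(c) != f.SHA256 {
			return fmt.Errorf("%s: missing or does not match manifest hash", f.Name)
		}
	}
	want := "" // a first bundle must carry no link; a later one must link to the bundle the auditor holds
	if prev != nil {
		want = sha256Hex(prev.ManifestJSON)
	}
	if m.PrevSHA256 != want {
		return errors.New("chain break: prev_manifest_sha256 does not match the previous bundle")
	}
	return nil
}

// SampleEvidence returns constructed stand-in captures, not real ones.
func SampleEvidence() (map[string][]byte, map[string]string) {
	files := map[string][]byte{
		"sshd_config.snapshot": []byte("PermitRootLogin no\nPasswordAuthentication no\n"),
		"firewall.rules":       []byte("Default: deny (incoming), deny (outgoing)\n22/tcp ALLOW IN 10.0.0.0/8\n"),
	}
	return files, map[string]string{"sshd_config.snapshot": "CIS 5.2", "firewall.rules": "CIS 3.4"}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	files, controls := SampleEvidence()
	b1, _ := Seal(priv, "vm-01", "2026-05-04T11:42Z", files, controls, nil)
	b2, _ := Seal(priv, "vm-01", "2026-05-05T11:42Z", files, controls, &b1)
	edited, _ := SampleEvidence() // a firewall rule added after day 1 was sealed
	edited["firewall.rules"] = append(edited["firewall.rules"], "80/tcp ALLOW IN Anywhere\n"...)
	b1x, _ := Seal(priv, "vm-01", "2026-05-04T11:42Z", edited, controls, nil) // day 1 re-sealed over the edit
	fmt.Println("day 2 chained:", Verify(pub, b2, files, &b1), "| edited file:", Verify(pub, b1, edited, nil), "| rewritten day 1:", Verify(pub, b2, files, &b1x))
}
```

The chain link is what makes retroactive edits visible: re-sealing an old bundle over altered evidence yields a bundle with a valid signature, but the next bundle in the series still carries the hash of the original manifest, so the two cannot both verify. Two design points for whoever wires this up: Verify covers only the files the manifest lists, so the collector must pack exactly what it listed; and the signing key should not sit on the host whose evidence it signs, otherwise a compromised host could re-seal its own history with a good signature.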

Off-host evidence shipping

Bundles ship to retention-locked object storage. The host can be wiped tomorrow. Yesterday's evidence remains.

Optional OpenSCAP integration

When enabled, the bundle includes the SCAP 1.3 XML output. Useful where a regulator already speaks SCAP fluently.

Drop-in for any cloud or bare metal

The template is shell. There is nothing magical. It works on Ubuntu and Debian today, with hooks for RHEL-family extension.

If audit prep eats three weeks every quarter, stop preparing.

I build hardened baselines that produce their own evidence on a schedule. The audit folder is always current. The compliance team is never the bottleneck. The team that owned the engineering owns the proof.