But the CIS check is not based on osquery, right? Just took a quick look and it seems it uses openscap.
stefanmaerz
03/01/2018, 2:06 PM
yeah, for me the value proposition would be that I don't have to maintain yet another tool, instead use osquery which helps us kill two birds with one stone. openSCAP has all sorts of support for compliance profiles like CIS.
8p8c
03/01/2018, 3:40 PM
it's not based on osquery (or openscap afaik).
from my understanding of CIS benchmarks, checking some of the file contents wouldn't be possible with osquery
stefanmaerz
03/01/2018, 4:02 PM
could augeas be used to parse out the content?
8p8c
03/01/2018, 5:12 PM
yes it can in some cases, but what if you hit a file that you don't have a lens for?
have you tried writing an augeas lens?
in some cases it's better to check if a configuration is active, rather than what's written in a file.