It's what we use the CIS Benchmarks for. It's for employing hardening rules and keeping them up to date when things happen on our systems. So it's really configurations and stuff that harden and report back.
Now, some of the hardening we have in our configuration, so there's some overlap there, but actually running the benchmarks and enforcing the benchmarks as security rules, they don't have much built for that. They got nothing for AIX, and Linux is not where the CIS benchmarks are. So they're way behind on partnering.
We had proof of concept at one point before the VMware purchase of SaltStack. And it had some merit, but the reality was it was under-implemented. And the merits were all in Linux. It was a good first stab at it, but it didn't have enough to implement in our environment, and then AIX kind of washed it right out, and they made a statement that they weren't going to support it. So it's been ruled out for us for a number of months.
SecOps does not work for us. Their SecOps is so infant, and it doesn't support AIX that we just can't use it.
Unusable is unusable. So if someone gives it to me for free. I can't use it. The only good thing is they've thought about it, but to me, they've underwritten it and haven't given it the attention to be a real product.
We use CIS (Center for Internet Security) Benchmark. It's actually a membership-type thing. And they have hardening rules and benchmarks, and it's a very common standard.
They have products out there that Syscat is an older one, and they have a newer one, which I can't remember the name of. But it runs on your system, and they have benchmarks in there, and it scores your system based on hardening.
We maintain a matrix of our hardened systems on a daily basis and know whether that score changed or not and alert if it does change. And then, in our environment, we have a whole lot of other tools out there.
I would rate my experience with the initial setup a three out of ten, where one is a complex process, and ten is a difficult setup process.
This solution is really unusable from my perspective at this point. Overall, I would rate the solution a one of ten.
We use so little of Red Hat Satellite. We use it for patching only. And I liked it better when it was the spacewalk equivalent, the informant thing. They're putting too much effort into the Virtu utilization and not enough into the day-to-day operations, for patching and stuff. Patching is a plugin as opposed to, like, the main product. Which is what we use it for.
So we're actually writing our own at this point because it's so heavy right now. The old satellite was good. Not great, but good. This one is just way too much overhead and focused on stuff we don't use.