Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.1.1. Secure Baselines

💡 First Principle: A secure baseline is the documented, approved configuration standard for a specific system role. It defines the expected state — which services run, which ports are open, which permissions are set — and serves as the reference point for detecting configuration drift. Without a baseline, there's no way to know if a system's current configuration is intentional or the result of unauthorized changes.

Establishing baselines starts with industry standards: CIS Benchmarks, DISA STIGs, or vendor hardening guides provide tested configurations for common platforms. Organizations customize these to their requirements and document the result as their standard. A web server baseline differs from a database server baseline — each role has different required services, ports, and permissions. Documenting these differences ensures that hardening one role doesn't break another.

Configuration management uses tools (Ansible, Puppet, Chef, Group Policy) to enforce baselines automatically. When a system drifts from its baseline — whether through unauthorized changes, failed updates, or misconfiguration — the tool detects the drift and can automatically remediate it. Infrastructure as Code (IaC) takes this further by defining entire environments in version-controlled templates, ensuring every deployment starts from the approved baseline.

Baseline validation means regularly scanning systems against the baseline to verify compliance. Vulnerability scanners and configuration auditing tools report deviations that need attention. Compliance scanning tools like OpenSCAP automate this by checking system configurations against SCAP-formatted baselines and generating compliance reports.
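The drift detection and baseline validation described in the two paragraphs above can be reduced to one comparison: the documented expected state for a role versus the state actually observed on the host. The following script is an added example, not course material or the output of any named tool. The two role baselines (web_server and db_server) and the observed web-server state are constructed samples; their service names, ports and file modes are illustrative placeholders rather than a published CIS or STIG setting. The same observed state evaluated against a different role produces different findings, which is the point of keeping one baseline per role.

```python
"""
Baseline drift detection: compare a host's observed configuration with the
documented baseline for its role and report every deviation, in the shape a
compliance scan would hand back (pass/fail plus a list of findings).
"""
from dataclasses import dataclass

# Constructed sample baselines, one per system role. Values are illustrative
# placeholders, not a published benchmark setting.
BASELINES = {
    "web_server": {
        "services": {"sshd", "nginx", "auditd"},
        "ports": {22, 80, 443},
        "permissions": {"/etc/ssh/sshd_config": "0600", "/etc/shadow": "0000"},
    },
    "db_server": {
        "services": {"sshd", "postgresql", "auditd"},
        "ports": {22, 5432},
        "permissions": {"/etc/ssh/sshd_config": "0600", "/var/lib/pgsql": "0700"},
    },
}


@dataclass(frozen=True)
class Drift:
    category: str   # "service", "port" or "permission"
    item: str       # service name, port number or file path
    expected: str   # what the baseline requires
    observed: str   # what the host currently has


def detect_drift(role, observed):
    """Return the list of Drift findings for `observed` against the baseline
    of `role`. Extra services and ports are reported as well as missing ones:
    an unexpected listener is exactly the kind of unauthorized change a
    baseline exists to surface."""
    baseline = BASELINES[role]
    findings = []

    # Required services that are not running, then services running that the
    # baseline does not allow.
    for svc in sorted(baseline["services"] - observed["services"]):
        findings.append(Drift("service", svc, "running", "absent"))
    for svc in sorted(observed["services"] - baseline["services"]):
        findings.append(Drift("service", svc, "absent", "running"))

    # Same two-way check for listening ports.
    for port in sorted(baseline["ports"] - observed["ports"]):
        findings.append(Drift("port", str(port), "open", "closed"))
    for port in sorted(observed["ports"] - baseline["ports"]):
        findings.append(Drift("port", str(port), "closed", "open"))

    # File modes: a missing file and a wrong mode are both deviations.
    for path, mode in sorted(baseline["permissions"].items()):
        actual = observed["permissions"].get(path)
        if actual is None:
            findings.append(Drift("permission", path, mode, "missing"))
        elif actual != mode:
            findings.append(Drift("permission", path, mode, actual))
    return findings


def compliance_report(role, observed):
    """Summarize drift as compliant/non-compliant with a count and the
    individual findings that need attention."""
    findings = detect_drift(role, observed)
    return {
        "role": role,
        "compliant": not findings,
        "drift_count": len(findings),
        "findings": findings,
    }


# Constructed observed state for a web server that has drifted: auditd has
# stopped, an unapproved service and its port are present, and sshd_config
# has become world-readable.
OBSERVED_WEB = {
    "services": {"sshd", "nginx", "telnetd"},
    "ports": {22, 80, 443, 23},
    "permissions": {"/etc/ssh/sshd_config": "0644", "/etc/shadow": "0000"},
}

if __name__ == "__main__":
    report = compliance_report("web_server", OBSERVED_WEB)
    print(f"{report['role']}: compliant={report['compliant']} "
          f"drift={report['drift_count']}")
    for d in report["findings"]:
        print(f"  [{d.category}] {d.item}: expected {d.expected}, "
              f"observed {d.observed}")
```

In practice the `observed` dictionary would be filled from the host (service manager, socket listing, `stat` of the listed paths) and the baseline loaded from the version-controlled document the organization maintains for that role; a configuration management tool then uses the same findings list as its remediation queue.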

The lifecycle matters: baselines must be updated when new vulnerabilities are discovered, when software versions change, or when business requirements evolve. A baseline review should be part of every major change and occur at least quarterly.

āš ļø Exam Trap: Baselines aren't set-and-forget. They must be reviewed and updated when new vulnerabilities are discovered, when software is updated, or when business requirements change. A baseline from three years ago may contain configurations that are now considered insecure.

Written by Alvin Varughese (Founder, 15 professional certifications)