MTG: Linux Remediation — Kickoff & Scope Alignment

Lack of standardized Linux credentials (local accounts, SSH keys, service accounts)

Need for a Linux standard in general

No reliable or complete inventory of Linux systems

Significant gaps for research-hosted systems

Inconsistent or missing ownership capture at system creation

Limited automation for Linux onboarding/offboarding

Systems not consistently enrolled in:

Credential standardization and lifecycle

Authoritative inventory

Automated enrollment into monitoring, patching, CMDB, and vulnerability scanning

Owner captured at system inception

Standardized credentials across all Linux systems

Authoritative, auditable inventory

Automated enrollment pipeline (monitoring, patching, CMDB, Tenable)

Owner captured and validated at system inception

How Linux systems are provisioned today (enterprise vs. research)

Where onboarding/offboarding breaks down

How systems end up missing from CMDB, Tenable, monitoring, or patching

Known failure points and inconsistencies

Current credential patterns in use (or lack thereof)

Gaps in standardization and lifecycle control

Expectations for credential creation, rotation, and removal

Linux platforms

Credential management

Inventory / CMDB accuracy

Vulnerability scanning enrollment

Applicable Azure automation/runbooks

CMDB and monitoring capabilities

Tenable onboarding expectations

What can be reused vs. what is missing

Build, rebuild, decommission

Joiner, mover, leaver

Owner capture

Credential setup

Enrollment into monitoring, patching, CMDB, Tenable

Are Linux systems enrolled in NAC for posture assessment?

Unenrolled systems are invisible to policy enforcement

Should 802.1X machine authentication be part of the enrollment baseline?

Who inventories authorized_keys across hosts?

Are there orphaned keys from departed staff?

Is there a CA-signed SSH certificate model vs. static key distribution?

Key rotation policy — does one exist? Is it enforced?

Are Linux hosts using machine certificates for authentication?

Who manages issuance, renewal, and revocation?

Integration with enterprise PKI or separate CA?

Are systems baselined against CIS benchmarks or DISA STIGs?

How is configuration drift detected? (AIDE, OSSEC, Ansible diff)

Research systems especially tend to skip hardening — define a minimum viable profile

Is there a standard image or golden build?

Who has root or sudo, and how is that reviewed?

PAM integration with AD/LDAP for centralized authorization

Break-glass account procedures

Systems missing from monitoring are likely missing from SIEM

Syslog/journald forwarding should be part of the enrollment checklist

Audit logging (auditd) configuration standards

Research needs flexibility, but "exception" ≠ "invisible"

Define a lightweight compliance tier with mandatory minimums:

Exception request and review process

How do you confirm a system is actually gone?

Cleanup checklist: DNS records, DHCP leases, firewall rules, CMDB entries, Tenable agents, monitoring agents, SSH keys, certificates

Who triggers decom and who validates completion?

What does "remediated" mean? Define measurable outcomes:

Reporting cadence and ownership of metrics