January 27, 2017

AWS CentOS: New CIS Hardened Images

Operating Systems

By

It's important to use STIG and CIS hardened images for CentOS on AWS. In this blog, we give you an overview of our new AWS CentOS images, which are STIG and CIS hardened.

FAQ: New AWS CentOS Images

In addition to the CentOS 6.8 and 7.3 images that we released earlier in January 2017, we are happy to announce updated images for our security-hardened offerings. These enhanced security images include the same support that is included with our other images that are available in the AWS Marketplace.

What Does OpenLogic Mean by Security-Hardened Images?

We have taken our standard images and modified them to increase the security of the images by minimizing your system’s exposure to outside threats and taking full advantage of mature solutions like SELinux and auditing.

Are Security-Hardened Images Difficult to Use?

Not at all! You can have an instance of any of our images up and running in minutes. 

As with our standard images, our security-hardened AWS images are minimal by design, taking up as little space as is necessary to provide a fully-functional AWS instance. This maximizes the available space for you to customize the instance to meet your specific needs.

Get the CentOS AWS Images

Download any of the OpenLogic CentOS images — standard or security-hardened — on the AWS marketplace.

AWS MARKETPLACE

STIG & CIS Hardened Images: What This Means

Our AWS CentOS images are STIG and CIS hardened. This includes the CIS Level 1, CIS Level 2, and STIGs security profiles.

There are certain security measures that cannot be applied to CentOS AWS images — or are not appropriate for CentOS AWS images. The complete exclusion list is detailed below.

AWS CentOS Images: Exclusions

Our AWS images consist of a single partition, excluding the following:

  • CIS 1.1.1 – Separate Partition for /tmp
  • CIS 1.1.2 – Add nodev Option to /tmp
  • CIS 1.1.3 – Add nosuid Option to /tmp
  • CIS 1.1.4 – Add noexec Option to /tmp
  • CIS 1.1.5 – Separate Partition for /var
  • CIS 1.1.7 – Separate Partition for /var/log
  • CIS 1.1.8 – Separate Partition for /var/log/audit
  • CIS 1.1.9 – Separate Partition for /home

AWS images do not have removable media, excluding the following:

  • CIS 1.1.11 – Add nodev Option to Removable Media Partitions
  • CIS 1.1.12 – Add noexec Option to Removable Media Partitions
  • CIS 1.1.13 – Add nosuid Option to Removable Media Partitions

AWS instances do not allow access to the bootloader or console when the instance is started, excluding the following:

  • CIS 1.5.3 – Set Boot Loader Password
  • STIGs – Encrypt Partitions

Our AWS images are fresh installs from official media, excluding the following:

  • CIS 1.2.3 – Ensure Software Patches are Installed
  • CIS 1.2.4 – RPM Package Integrity
  • CIS 9.1.1 – Verify System File Permissions
  • STIGs - Ensure No Device Files are Unlabeled by SELinux

Our AWS images include the chrony package and do not include the NTP package, excluding the following:

  • CIS 3.6 – Configure NTP

AWS images do not have wireless interfaces:

  • CIS 4.3.1 – Deactivate Wireless Network Interfaces

Our AWS images do not use TCP Wrappers (since it is impossible to know where our customers will connect to the instances from), excluding the following:

  • CIS 4.5.4 – Create /etc/hosts.deny

AWS images are firewalled by the EC2 security groups, excluding the following:

  • CIS 4.7 – Enable iptables/firewalld
  • CIS 4.8 – Enable ip6tables
  • STIGs – Set Default iptables Policy for Forwarded Packets
  • STIGs – Set Default iptables/ip6tables Policy for Incoming Packets

CIS and STIGs conflict, excluding the following:

  • CIS 5.2.1.2 – Configure auditd admin_space_left Action on Low Disk Space
  • STIGs - Configure auditd admin_space_left Action on Low Disk Space
  • STIGs – Configure LDAP Client To Use TLS For All Transactions

Our AWS images only have a single user account (centos) created by the CentOS installer, so we do not restrict user access, excluding the following:

  • CIS 6.2.13 – Limit Access via SSH
  • CIS 9.2.16 – Check That Reserved UIDs Are Assigned to System Accounts

Our AWS images are explicitly configured to not display a SSH banner, excluding the following:

  • CIS 6.2.14 – Set SSH Banner

Our AWS images do not contain any non-open source software, excluding the following:

Even with these exceptions, our images pass well over 200 security tests prescribed in the CIS 1, CIS 2, and STIGs profiles. The results of the tests is available within the instances in the /var/log/hardened/ directory.

Why Use OpenLogic STIG and CIS Hardened Images?

Our automated image hardening process enables us to replicate our image building process with both speed and accuracy. Before we automated the process, it would take us over 8 hours to manually apply the security hardening recommendations to each image that we built, which was then put through rigorous quality assurance (QA) to ensure that we did not miss any steps and that each step was correctly applied.

Even after automating our hardening process, we still put our images through the same rigorous QA to ensure that each image that we release is complete, functional, and hardened the same way.

Sure, you could spend hours performing all of these steps yourself each time a new CentOS release is announced, but why would you want to? Our images are vetted, available and, best of all, include support from our team of Tier 3/4 open source architects and engineers.

Need Additional Assistance?

The AWS images include 9x5 support which may very well cover your support needs. 

But if you need 24x7 support, you're better off getting in touch with the OpenLogic CentOS experts. Our experts can help you ensure security with CentOS on AWS — and so much more.

In fact, when you choose CentOS supported by OpenLogic, you'll get:

  • 50% cost-savings.
  • Long-term support.
  • Backporting.
  • Guaranteed SLAs.
  • Architectural minimization.
  • Multi-platform support.
  • CentOS distributions.
  • Expert guidance.
  • Supported CentOS options in Microsoft Azure and Amazon Web Services (AWS).

Get in touch with a CentOS expert today to learn how we can help you.

Talk to an Expert

 

Related Content:

headshot-rich-alloway

Rich Alloway

Enterprise Linux Developer, OpenLogic by Perforce

Rich Alloway has over 25 years of professional Linux experience in academic, Internet service provider and telco carrier environments. He has filled many production roles: SysAdmin, Systems/Network/RF Engineer and CTO. He is currently a member of the Enterprise Linux Team at OpenLogic by Perforce, and serves as a contributor on the Rocky Linux QA and Testing Team.