What's New

Hardened Linux Images: Latest Releases

Release Notes and CIS Benchmark Details for Hardened Linux Images for VMs and Containers

What's New in Hardened Linux Images?

Benchmark Scope and Exclusions

While we strive for comprehensive compliance, certain CIS controls are excluded due to technical constraints specific to virtual machine environments or because they are best configured post-deployment by end users.

Excluded Controls Due to Single Partition Layout

Our Rocky Linux VM images use a single-partition layout. As such, the following controls, which require dedicated partitions, are excluded:

  • CIS 1.1.2.1.4: Ensure the noexec option is set on /tmp
  • CIS 1.1.2.3.1: Ensure a separate partition exists for /home
  • CIS 1.1.2.3.2: Add the nodev option to /home
  • CIS 1.1.2.3.3: Add the nosuid option to /home
  • CIS 1.1.2.4.1: Ensure a separate partition exists for /var
  • CIS 1.1.2.4.2: Add the nodev option to /var
  • CIS 1.1.2.4.3: Add the nosuid option to /var
  • CIS 1.1.2.5.2: Add the nodev option to /var/temp
  • CIS 1.1.2.5.3: Add the nosuid option to /var/tmp
  • CIS 1.1.2.5.4: Add the noexec option to /var/tmp
  • CIS 1.1.2.6.1: Ensure a separate partition exists for /var/log
  • CIS 1.1.2.6.2: Add the nodev option to /var/log
  • CIS 1.1.2.6.3: Add the nosuid option to /var/log
  • CIS 1.1.2.6.4: Add the nexec option to /var/log
  • CIS 1.1.2.7.1: Ensure a separate partition exists for /var/log/audit
  • CIS 1.1.2.7.2: Add the nodev option to /var/log/audit
  • CIS 1.1.2.7.3: Add the nosuid option to /var/log/audit
  • CIS 1.1.2.7.4: Add the noexec option to /var/log/audit

Controls Requiring End-User Configuration

The following controls are excluded from the hardened image but are expected to be configured by end users based on their environment and security policies:

VM images:

  • CIS 1.3.1: Ensure the bootloader password is set.
  • CIS 1.3.2: Verify the UEFI GRUB2 bootloader configuration:
    • UEFI Boot Loader grub.cfg group ownership
    • /boot/efi/EFI/redhat/user.cfg group ownership
    • UEFI Boot Loader grub.cfg user ownership
    • /boot/efi/EFI/redhat/user.cfg user ownership
    • UEFI Boot Loader grub.cfg permissions
    • /boot/efi/EFI/redhat/user.cfg permissions
  • CIS 4.2.4: Ensure SSH daemon access is configured

Container images:

  • CIS 5.3.1.2: Ensure the latest version of authselect is installed

Excluded Graphical Image Controls

The following CIS controls are excluded from some hardened Linux VM images. These controls apply to GNOME Display Manager (GDM) and other graphical interface components, which are not included in OpenLogic's virtual machine images. As such, these controls are not applicable in headless or server-based deployments.

  • CIS 1.8: Configure GNOME Display Manager
    • CIS 1.8.1: Ensure GDM is removed
    • CIS 1.8.2: Ensure the GDM login banner is configured
    • CIS 1.8.3: Ensure the GDM disable-user-list option is enabled
    • CIS 1.8.4: Ensure GDM screen locks when the user is idle
    • CIS 1.8.5: Ensure GDM screen locks cannot be overridden
    • CIS 1.8.6: Ensure GDM automatic mounting of removable media is disabled
    • CIS 1.8.7: Ensure GDM disabling automatic mounting of removable media is not overridden
    • CIS 1.8.8: Ensure GDM autorun-never is enabled
    • CIS 1.8.9: Ensure GDM autorun-never is not overridden
    • CIS 1.8.10 Ensure XDCMP is not enabled

Excluded Platform-Specific PAM Controls

The following PAM-related controls are excluded from some hardened Linux images. These controls apply to platform-specific PAM configurations, which are not included in OpenLogic's images. As such, these controls are not applicable in minimal deployments.

Container images:

  • CIS 5.3.1.2: Ensure the latest version of authselect is installed

Quality Assurance and Coverage

All hardened images undergo rigorous automated and manual QA to ensure consistency, functionality, and compliance. Despite the noted exclusions, OpenLogic's Rocky Linux 9.x hardened images still pass more than 300 CIS security controls across both the Level 1 and Level 2 profiles.

These images offer a secure, production-ready foundation for organizations seeking to maintain CIS compliance while operating in virtualized environments.

Benchmark Scope and Exclusions

While we strive for comprehensive compliance, certain CIS controls are excluded due to technical constraints specific to virtual machine environments or because they are best configured post-deployment by end users.

Excluded Controls Due to Single Partition Layout

Our Rocky Linux VM images use a single-partition layout. As such, the following controls, which require dedicated partitions, are excluded:

  • CIS 1.1.2.1.1: Ensure a separate partition exists for /tmp
  • CIS 1.1.2.1.2: Ensure the nodev option is set on /tmp
  • CIS 1.1.2.1.3: Ensure the nosuid option is set on /tmp
  • CIS 1.1.2.1.4: Ensure the noexec option is set on /tmp
  • CIS 1.1.2.3.1: Ensure a separate partition exists for /home
  • CIS 1.1.2.3.2: Add the nodev option to /home
  • CIS 1.1.2.3.3: Add the nosuid option to /home
  • CIS 1.1.2.4.1: Ensure a separate partition exists for /var
  • CIS 1.1.2.4.2: Add the nodev option to /var
  • CIS 1.1.2.4.3: Add the nosuid option to /var
  • CIS 1.1.2.5.2: Add the nodev option to /var/temp
  • CIS 1.1.2.5.3: Add the nosuid option to /var/tmp
  • CIS 1.1.2.5.4: Add the noexec option to /var/tmp
  • CIS 1.1.2.6.1: Ensure a separate partition exists for /var/log
  • CIS 1.1.2.6.2: Add the nodev option to /var/log
  • CIS 1.1.2.6.3: Add the nosuid option to /var/log
  • CIS 1.1.2.6.4: Add the nexec option to /var/log
  • CIS 1.1.2.7.1: Ensure a separate partition exists for /var/log/audit
  • CIS 1.1.2.7.2: Add the nodev option to /var/log/audit
  • CIS 1.1.2.7.3: Add the nosuid option to /var/log/audit
  • CIS 1.1.2.7.4: Add the noexec option to /var/log/audit

Excluded Graphical Image Controls

The following CIS controls are excluded from some hardened Linux VM images. These controls apply to GNOME Display Manager (GDM) and other graphical interface components, which are not included in OpenLogic's virtual machine images. As such, these controls are not applicable in headless or server-based deployments.

  • CIS 1.8: Configure GNOME Display Manager
    • CIS 1.8.1: Ensure GDM is removed
    • CIS 1.8.2: Ensure the GDM login banner is configured
    • CIS 1.8.3: Ensure the GDM disable-user-list option is enabled
    • CIS 1.8.4: Ensure GDM screen locks when the user is idle
    • CIS 1.8.5: Ensure GDM screen locks cannot be overridden
    • CIS 1.8.6: Ensure GDM automatic mounting of removable media is disabled
    • CIS 1.8.7: Ensure GDM disabling automatic mounting of removable media is not overridden
    • CIS 1.8.8: Ensure GDM autorun-never is enabled
    • CIS 1.8.9: Ensure GDM autorun-never is not overridden
    • CIS 1.8.10 Ensure XDCMP is not enabled

Controls Requiring End-User Configuration

The following controls are excluded from the hardened image but are expected to be configured by end users based on their environment and security policies.

VM images:

  • CIS 1.3.1: Ensure the bootloader password is set.
  • CIS 1.3.2: Verify the UEFI GRUB2 bootloader configuration:
    • UEFI Boot Loader grub.cfg group ownership
    • /boot/efi/EFI/redhat/user.cfg group ownership
    • UEFI Boot Loader grub.cfg user ownership
    • /boot/efi/EFI/redhat/user.cfg user ownership
    • UEFI Boot Loader grub.cfg permissions
    • /boot/efi/EFI/redhat/user.cfg permissions
  • CIS 4.2.4: Ensure SSH daemon access is configured

Container images:

  • CIS 4.4.1.2: Ensure the latest version of authselect is installed

Excluded Platform-Specific PAM Controls

The following PAM-related controls are excluded from some hardened Linux images. These controls apply to platform-specific PAM configurations, which are not included in OpenLogic's images. As such, these controls are not applicable in minimal deployments.

Container images:

  • CIS 4.4.1.2: Ensure the latest version of authselect is installed

Quality Assurance and Coverage

All hardened images undergo rigorous automated and manual QA to ensure consistency, functionality, and compliance. Despite the noted exclusions, OpenLogic's Rocky Linux 8.x hardened images still pass more than 300 CIS security controls across both the Level 1 and Level 2 profiles.

These images offer a secure, production-ready foundation for organizations seeking to maintain CIS compliance while operating in virtualized environments.

Benchmark Scope and Exclusions

While we strive for comprehensive compliance, certain CIS controls are excluded due to technical constraints specific to virtual machine environments or because they are best configured post-deployment by end users.

Excluded Controls Due to Single Partition Layout

Our AlmaLinux VM images use a single-partition layout. As such, the following controls, which require dedicated partitions, are excluded:

  • CIS 1.1.2.1.1: Ensure a separate partition exists for /tmp
  • CIS 1.1.2.1.2: Ensure the nodev option is set on /tmp
  • CIS 1.1.2.1.3: Ensure the nosuid option is set on /tmp
  • CIS 1.1.2.1.4: Ensure the noexec option is set on /tmp
  • CIS 1.1.2.3.1: Ensure a separate partition exists for /home
  • CIS 1.1.2.3.2: Add the nodev option to /home
  • CIS 1.1.2.4.1: Ensure a separate partition exists for /var
  • CIS 1.1.2.4.2: Add the nodev option to /var
  • CIS 1.1.2.5.1: Ensure a separate partition exists for /var/temp
  • CIS 1.1.2.5.2: Add nodev option to /var/tmp
  • CIS 1.1.2.6.1: Ensure a separate partition exists for /var/log
  • CIS 1.1.2.6.2: Add the nodev option to /var/log
  • CIS 1.1.2.7.1: Ensure a separate partition exists for /var/log/audit
  • CIS 1.1.2.7.2: Add the nodev option to /var/log/audit

Controls Requiring End-User Configuration

The following controls are excluded from the hardened image but are expected to be configured by end users based on their environment and security policies.

Container Images:

  • CIS 4.4.1.2: Ensure the latest version of authselect is installed

Virtual Machine Images:

  • CIS 1.3.1: Ensure the bootloader password is set.
  • CIS 1.3.2: Verify the UEFI GRUB2 bootloader configuration:
    • UEFI Boot Loader grub.cfg group ownership
    • /boot/efi/EFI/redhat/user.cfg group ownership
    • UEFI Boot Loader grub.cfg user ownership
    • /boot/efi/EFI/redhat/user.cfg user ownership
    • UEFI Boot Loader grub.cfg permissions
    • /boot/efi/EFI/redhat/user.cfg permissions
  • CIS 4.2.4: Ensure SSH daemon access is configured

Excluded Graphical Image Controls

The following CIS controls are excluded from some hardened Linux VM images. These controls apply to GNOME Display Manager (GDM) and other graphical interface components, which are not included in OpenLogic's virtual machine images. As such, these controls are not applicable in headless or server-based deployments.

  • CIS 1.8: Configure GNOME Display Manager
    • CIS 1.8.1: Ensure GDM is removed
    • CIS 1.8.2: Ensure the GDM login banner is configured
    • CIS 1.8.3: Ensure the GDM disable-user-list option is enabled
    • CIS 1.8.4: Ensure GDM screen locks when the user is idle
    • CIS 1.8.5: Ensure GDM screen locks cannot be overridden
    • CIS 1.8.6: Ensure GDM automatic mounting of removable media is disabled
    • CIS 1.8.7: Ensure GDM disabling automatic mounting of removable media is not overridden
    • CIS 1.8.8: Ensure GDM autorun-never is enabled
    • CIS 1.8.9: Ensure GDM autorun-never is not overridden
    • CIS 1.8.10 Ensure XDCMP is not enabled

Excluded Platform-Specific PAM Controls

The following PAM-related controls are excluded from some hardened Linux images. These controls apply to platform-specific PAM configurations, which are not included in OpenLogic's images. As such, these controls are not applicable in minimal deployments.

Container images:

  • CIS 4.4.1.2: Ensure the latest version of authselect is installed

Quality Assurance and Coverage

All hardened images undergo rigorous automated and manual QA to ensure consistency, functionality, and compliance. Despite the noted exclusions, OpenLogic's AlmaLinux 8.x hardened images still pass more than 300 CIS security controls across both the Level 1 and Level 2 profiles.

These images offer a secure, production-ready foundation for organizations seeking to maintain CIS compliance while operating in virtualized environments.

Benchmark Scope and Exclusions

While we strive for comprehensive compliance, certain CIS controls are excluded due to technical constraints specific to virtual machine environments or because they are best configured post-deployment by end users.

Excluded Controls Due to Single Partition Layout

Our AlmaLinux VM images use a single-partition layout. As such, the following controls, which require dedicated partitions, are excluded:

  • CIS 1.1.2.1.1: Ensure a separate partition exists for /tmp
  • CIS 1.1.2.1.2: Ensure the nodev option is set on /tmp
  • CIS 1.1.2.1.3: Ensure the nosuid option is set on /tmp
  • CIS 1.1.2.1.4: Ensure the noexec option is set on /tmp
  • CIS 1.1.2.3.1: Ensure a separate partition exists for /home
  • CIS 1.1.2.3.2: Add the nodev option to /home
  • CIS 1.1.2.4.1: Ensure a separate partition exists for /var
  • CIS 1.1.2.4.2: Add the nodev option to /var
  • CIS 1.1.2.5.1: Ensure a separate partition exists for /var/temp
  • CIS 1.1.2.5.2: Add nodev option to /var/tmp
  • CIS 1.1.2.6.1: Ensure a separate partition exists for /var/log
  • CIS 1.1.2.6.2: Add the nodev option to /var/log
  • CIS 1.1.2.7.1: Ensure a separate partition exists for /var/log/audit
  • CIS 1.1.2.7.2: Add the nodev option to /var/log/audit

Excluded Graphical Image Controls

The following CIS controls are excluded from some hardened Linux VM images. These controls apply to GNOME Display Manager (GDM) and other graphical interface components, which are not included in OpenLogic's virtual machine images. As such, these controls are not applicable in headless or server-based deployments.

  • CIS 1.8: Configure GNOME Display Manager
    • CIS 1.8.1: Ensure GDM is removed
    • CIS 1.8.2: Ensure the GDM login banner is configured
    • CIS 1.8.3: Ensure the GDM disable-user-list option is enabled
    • CIS 1.8.4: Ensure GDM screen locks when the user is idle
    • CIS 1.8.5: Ensure GDM screen locks cannot be overridden
    • CIS 1.8.6: Ensure GDM automatic mounting of removable media is disabled
    • CIS 1.8.7: Ensure GDM disabling automatic mounting of removable media is not overridden
    • CIS 1.8.8: Ensure GDM autorun-never is enabled
    • CIS 1.8.9: Ensure GDM autorun-never is not overridden
    • CIS 1.8.10 Ensure XDCMP is not enabled

Excluded Platform-Specific PAM Controls

The following PAM-related controls are excluded from some hardened Linux images. These controls apply to platform-specific PAM configurations, which are not included in OpenLogic's images. As such, these controls are not applicable in minimal deployments.

Container images:

  • CIS 5.3.1.2: Ensure the latest version of authselect is installed

Controls Requiring End-User Configuration

The following controls are excluded from the hardened image but are expected to be configured by end users based on their environment and security policies.

VM images:

  • CIS 1.3.1: Ensure the bootloader password is set.
    • CIS 1.3.2: Verify the UEFI GRUB2 bootloader configuration:
    • UEFI Boot Loader grub.cfg group ownership
    • /boot/efi/EFI/redhat/user.cfg group ownership
    • UEFI Boot Loader grub.cfg user ownership
    • /boot/efi/EFI/redhat/user.cfg user ownership
    • UEFI Boot Loader grub.cfg permissions
    • /boot/efi/EFI/redhat/user.cfg permissions
  • CIS 4.2.4: Ensure SSH daemon access is configured

Container images:

  • CIS 5.3.1.2: Ensure the latest version of authselect is installed

Quality Assurance and Coverage

All hardened images undergo rigorous automated and manual QA to ensure consistency, functionality, and compliance. Despite the noted exclusions, OpenLogic's AlmaLinux 9.x hardened images still pass more than 300 CIS security controls across both the Level 1 and Level 2 profiles.

These images offer a secure, production-ready foundation for organizations seeking to maintain CIS compliance while operating in virtualized environments.

Benchmark Scope and Exclusions

While we strive for comprehensive compliance, certain CIS controls are excluded due to technical constraints specific to virtual machine environments or because they are best configured post-deployment by end users.

Excluded Controls Due to Single Partition Layout

  • CIS 1.1.2.1: Configure /tmp
    • CIS 1.1.2.1.1: Ensure /tmp is a separate partition
    • CIS 1.1.2.1.2: Ensure nodev option set on the /tmp partition
    • CIS 1.1.2.1.3: Ensure nosuid option set on on the /tmp partition
    • CIS 1.1.2.1.4: Ensure noexec option set on on the /tmp partition
  • CIS 1.1.2.2: Configure /dev/shm
    • CIS 1.1.2.2.1: Ensure /dev/shm is a separate partition
    • CIS 1.1.2.2.2: Ensure nodev option set on the /dev/shm partition
    • CIS 1.1.2.2.3: Ensure nosuid option set on the /dev/shm partition
    • CIS 1.1.2.2.4: Ensure noexec option set on the /dev/shm partition
  • CIS 1.1.2.3: Configure /home
    • CIS 1.1.2.3.1: Ensure separate partition exists for /home
    • CIS 1.1.2.3.2: Ensure nodev option set on the /home partition
    • CIS 1.1.2.3.3: Ensure nosuid option set on the /home partition
  • CIS 1.1.2.4: Configure /var
    • CIS 1.1.2.4.1: Ensure separate partition exists for /var
    • CIS 1.1.2.4.2: Ensure nodev option set on the /var partition
    • CIS 1.1.2.4.3: Ensure nosuid option set on the /var partition
  • CIS 1.1.2.5: Configure /var/tmp
    • CIS 1.1.2.5.1: Ensure separate partition exists for the /var/tmp
    • CIS 1.1.2.5.2: Ensure nodev option set on the /var/tmp partition
    • CIS 1.1.2.5.3: Ensure nosuid option set on the /var/tmp partition
    • CIS 1.1.2.5.4: Ensure noexec option set on the /var/tmp partition
  • CIS 1.1.2.6: Configure /var/log
    • CIS 1.1.2.6.1: Ensure separate partition exists for /var/log
    • CIS 1.1.2.6.2: Ensure nodev option set on the /var/log partition
    • CIS 1.1.2.6.3: Ensure nosuid option set on the /var/log partition
    • CIS 1.1.2.6.4: Ensure noexec option set on the /var/log partition
  • CIS 1.1.2.7: Configure /var/log/audit
    • CIS 1.1.2.7.1: Ensure separate partition exists for /var/log/audit
    • CIS 1.1.2.7.2: Ensure nodev option set on the /var/log/audit partition
    • CIS 1.1.2.7.3: Ensure nosuid option set on the /var/log/audit partition
    • CIS 1.1.2.7.4: Ensure noexec option set on the /var/log/audit partition

Excluded Platform-Specific PAM Controls

The following PAM-related controls are excluded from some hardened Linux images. These controls apply to platform-specific PAM configurations, which are not included in OpenLogic's images. As such, these controls are not applicable in minimal deployments.

VM images:

  • CIS 5.3.1.1: Ensure latest version of PAM is installed
  • CIS 5.3.1.2: Ensure libpam-modules is installed
  • CIS 5.3.1.3: Ensure libpam-pwquality is installedCIS 5.3.3.4.3: Ensure pam_unix includes a strong password hashing algorithm

Controls Requiring End-User Configuration

The following controls are excluded from the hardened image but are expected to be configured by end users based on their environment and security policies.

  • CIS 1.4.1: Ensure the bootloader password is set
  • CIS 5.1.4: Ensure sshd access is configured
  • CIS 6.1.2.1: Configure systemd-journal-remote
    • CIS 6.1.2.1.2: Ensure systemd-journal-upload authentication is configured
    • CIS 6.1.2.1.3: Ensure systemd-journal-upload is enabled and active
  • CIS 4.2.1: Ensure UFW (Uncomplicated Firewall) is installed
  • CIS 6.1.2: Configure journald
    • CIS 6.1.2.2: Ensure journald ForwardToSyslog is disabled
  • CIS 2.3.1: Ensure time synchronization is in use
    • CIS 2.3.1.1: Ensure a single time synchronization daemon is in use

Quality Assurance and Coverage

All hardened images undergo rigorous automated and manual QA to ensure consistency, functionality, and compliance. Despite the noted exclusions, OpenLogic's Debian hardened images still pass more than 300 CIS security controls across both the Level 1 and Level 2 profiles.

These images offer a secure, production-ready foundation for organizations seeking to maintain CIS compliance while operating in virtualized environments.

Benchmark Scope and Exclusions

While we strive for comprehensive compliance, certain CIS controls are excluded due to technical constraints specific to virtual machine environments or because they are best configured post-deployment by end users.

Excluded Controls Due to Single Partition Layout

CIS 1.1.2: Configure Filesystem Partitions

  • CIS 1.1.2.1: Configure /tmp
    • CIS 1.1.2.1.1: Ensure /tmp is a separate partition
    • CIS 1.1.2.1.2: Ensure the nodev option is set on the /tmp partition
    • CIS 1.1.2.1.3: Ensure the nosuid option is set on the /tmp partition
    • CIS 1.1.2.1.4: Ensure the noexec option is set on the /tmp partition
  • CIS 1.1.2.3: Configure /home
    • CIS 1.1.2.3.1: Ensure a separate partition exists for /home
    • CIS 1.1.2.3.2: Ensure the nodev option is set on the /home partition
    • CIS 1.1.2.3.3: Ensure the nosuid option is set on the /home partition
  • CIS 1.1.2.4: Configure /var
    • CIS 1.1.2.4.1: Ensure a separate partition exists for /var
    • CIS 1.1.2.4.2: Ensure the nodev option is set on the /var partition
    • CIS 1.1.2.4.3: Ensure the nosuid option is set on the /var partition
  • CIS 1.1.2.5: Configure /var/tmp
    • CIS 1.1.2.5.1: Ensure a separate partition exists for /var/tmp
    • CIS 1.1.2.5.2: Ensure the nodev option is set on the /var/tmp partition
    • CIS 1.1.2.5.3: Ensure the nosuid option is set on the /var/tmp partition
    • CIS 1.1.2.5.4: Ensure the noexec option is set on the /var/tmp partition
  • CIS 1.1.2.6: Configure /var/log
    • CIS 1.1.2.6.1: Ensure a separate partition exists for /var/log
    • CIS 1.1.2.6.2: Ensure the nodev option is set on the /var/log partition
    • CIS 1.1.2.6.3: Ensure the nosuid option is set on the /var/log partition
    • CIS 1.1.2.6.4: Ensure the noexec option is set on the /var/log partition
  • CIS 1.1.2.7: Configure /var/log/audit
    • CIS 1.1.2.7.1: Ensure a separate partition exists for /var/log/audit
    • CIS 1.1.2.7.2: Ensure the nodev option is set on the /var/log/audit partition
    • CIS 1.1.2.7.3: Ensure the nosuid option is set on the /var/log/audit partition
    • CIS 1.1.2.7.4: Ensure the noexec option is set on the /var/log/audit partition

Excluded Graphical Image Controls

The following CIS controls are excluded from some hardened Linux VM images. These controls apply to GNOME Display Manager (GDM) and other graphical interface components, which are not included in OpenLogic's virtual machine images. As such, these controls are not applicable in headless or server-based deployments.

  • CIS 1.7: Configure GNOME Display Manager
    • CIS 1.7.1: Ensure GDM is removed
    • CIS 1.7.2: Ensure the GDM login banner is configured
    • CIS 1.7.3: Ensure the GDM disable-user-list option is enabled
    • CIS 1.7.4: Ensure GDM screen locks when the user is idle
    • CIS 1.7.5: Ensure GDM screen locks cannot be overridden
    • CIS 1.7.6: Ensure GDM automatic mounting of removable media is disabled
    • CIS 1.7.7: Ensure GDM disabling automatic mounting of removable media is not overridden
    • CIS 1.7.8: Ensure GDM autorun-never is enabled
    • CIS 1.7.9: Ensure GDM autorun-never is not overridden
    • CIS 1.7.10 Ensure XDCMP is not enabled

Excluded Platform-Specific PAM Controls

The following PAM-related controls are excluded from some hardened Linux images. These controls apply to platform-specific PAM configurations, which are not included in OpenLogic's images. As such, these controls are not applicable in minimal deployments.

  • CIS 5.3.1.3: Ensure libpam-pwquality is installed

Controls Requiring End-User Configuration

The following controls are excluded from the hardened image but are expected to be configured by end users based on their environment and security policies.

VM images:

  • CIS 1.4.1: Ensure bootloader password is set
  • CIS 5.1.4: Ensure sshd access is configured

Container images:

  • CIS 5.3.1.3: Ensure libpam-pwquality is installed

Quality Assurance and Coverage

All hardened images undergo rigorous automated and manual QA to ensure consistency, functionality, and compliance. Despite the noted exclusions, OpenLogic's Ubuntu hardened images still pass more than 300 CIS security controls across both the Level 1 and Level 2 profiles.

These images offer a secure, production-ready foundation for organizations seeking to maintain CIS compliance while operating in virtualized environments.