System security is always a high priority topic for administrators. Servers are primary targets for attackers and the default configurations of most operating systems are not built with security as the primary focus. Instead, typical installations focus more on usability, communications, and functionality. There is a plethora of sites around the web claiming to have their own ‘perfect’ setup instructions for security hardening an operating system (OS).
In this blog, we’re going to discuss the value of security hardened images, what it means, what problems they do and don’t solve, and how using our OpenLogic CentOS security hardened images from the Amazon Web Services (AWS) Marketplace ensures you have a secure system.
What is “security hardened?”
The purpose of CentOS security hardening is to eliminate as many security risks as possible. The general rule is to have installed only what is absolutely necessary. Unnecessary programs could introduce additional security flaws – they may offer useful features to the user but if they provide backdoor access to the system, they must be removed during OS security hardening.
Security hardening generally involves tightening up OS features (for example, setting a minimum password length and locking inactive user accounts), enforcing SELinux policies, removing unused software (such as HTTP or FTP servers), verifying file permissions, and auditing and reporting changes to the network, the sudoers file, and kernel module loading/unloading. The OpenLogic enhanced support for CentOS security hardened systems follows the guidelines specified by the Center for Internet Security CentOS Linux Benchmark standard.
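A minimal audit of the settings listed above, as an added example (not OpenLogic's tooling and not part of the original post). The file paths are the stock CentOS locations; the thresholds (14-character minimum, 30-day inactivity lock), the /etc/shadow check, and the function names are assumptions to be replaced with the values from the benchmark version you audit against.

```shell
#!/bin/sh
# Added example, not OpenLogic's tooling. Thresholds are assumptions: take the
# real values from the CIS benchmark version you audit against.
MIN_LEN=${MIN_LEN:-14}            # assumed minimum password length
MAX_INACTIVE=${MAX_INACTIVE:-30}  # assumed days before an inactive account locks

# conf_value FILE KEY: print the last uncommented "KEY = value" setting, if any
conf_value() {
    [ -f "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}
# is_int VALUE: true only for a non-negative integer (rejects "", "-1", "abc")
is_int() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }
# rule_present ROOT REGEX: true if an uncommented audit rule matches REGEX
rule_present() {
    cat "$1"/etc/audit/audit.rules "$1"/etc/audit/rules.d/*.rules 2>/dev/null |
        grep -v '^[[:space:]]*#' | grep -Eq -e "$2"
}
# check DESCRIPTION STATUS: print a result line and count failures
check() {
    if [ "$2" -eq 0 ]; then echo "PASS  $1"; else echo "FAIL  $1"; fails=$((fails + 1)); fi
}

# audit_root [ROOT]: audit the tree at ROOT (default /); returns the failure count
audit_root() {
    root=${1:-}; fails=0
    v=$(conf_value "$root/etc/security/pwquality.conf" minlen); s=1
    if is_int "$v" && [ "$v" -ge "$MIN_LEN" ]; then s=0; fi
    check "password minlen >= $MIN_LEN (found: ${v:-unset})" $s
    v=$(conf_value "$root/etc/default/useradd" INACTIVE); s=1
    if is_int "$v" && [ "$v" -le "$MAX_INACTIVE" ]; then s=0; fi
    check "inactive accounts lock within $MAX_INACTIVE days (found: ${v:-unset})" $s
    v=$(conf_value "$root/etc/selinux/config" SELINUX); s=1
    if [ "$v" = enforcing ]; then s=0; fi
    check "SELinux set to enforcing (found: ${v:-unset})" $s
    m=$(ls -ld "$root/etc/shadow" 2>/dev/null | cut -c5-10); s=1
    if [ "$m" = "------" ]; then s=0; fi
    check "/etc/shadow closed to group and other (bits: ${m:-missing})" $s
    s=1; if rule_present "$root" '^-w[[:space:]]+/etc/sudoers([[:space:]]|$)'; then s=0; fi
    check "audit watch on /etc/sudoers" $s
    s=1; if rule_present "$root" '-S[[:space:]]*(init|delete)_module'; then s=0; fi
    check "audit rule for kernel module load/unload" $s
    return "$fails"
}

# Usage: sh audit.sh /   (or the mount point of an image to inspect offline)
[ "$#" -eq 0 ] || audit_root "$1"
```

The script exits with the number of failed checks, so it can gate an image build; an `INACTIVE=-1` setting (locking disabled) is reported as a failure rather than as a small number.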
What problems are solved?
OS security hardening is done by removing all non-essential software programs and utilities from the system. The CentOS security hardened version provided by OpenLogic on AWS makes it more difficult for an attacker to access the system by reducing the area that the system exposes to the attacker and by mitigating the risks that exist for the system.
For example, the recent httpoxy vulnerability didn’t require any image updates, as none of our security-hardened images were vulnerable (we check as part of our due diligence).
What problems aren’t solved?
OS security hardening is only one aspect of an overall security policy. It does not address the following:
• Human factors such as usernames and exposed passwords
• Physical server access such as BIOS, GRUB, etc.
• Network security such as firewalls, IPS, etc.
• IT processes around access
• Application software security vulnerabilities
Also, OS security hardening does not remove the need for log watching and reporting. There are tools available to parse your system’s logs and create reports analyzing specific areas of interest.
OpenLogic enhanced support for CentOS security hardened images ensures you start with a secure system. It makes it harder for an attacker to break into your system or for some other user on your system to read sensitive data. Your system will remain secure if you are careful and do not accidentally enable an OS feature that you don’t need. Keeping your CentOS system secure is an ongoing exercise of auditing, implementing solutions, monitoring logs and alerts, and making adjustments as your needs change.