You can enable Center for Internet Security (CIS) reinforcement to enhance OS security for cluster nodes. This topic describes how to enable CIS reinforcement for Alibaba Cloud Linux 2 and Alibaba Cloud Linux 3. This topic also describes how to check OS security after CIS reinforcement is enabled.
Background information
CIS is a third-party security organization that is committed to leading a global community of enterprises, public service sectors, and academia to develop security best practices. CIS provides CIS Benchmarks for the Linux-based operating systems released by industry-leading companies, such as Alibaba Cloud Linux 2, Alibaba Cloud Linux 3, CentOS, and Ubuntu. CIS Benchmarks have become an important criterion for assessing OS security for Alibaba Cloud customers. For more information, see CIS WorkBench.
Alibaba Cloud Linux 2 is an OS image released by Alibaba Cloud and is used as the default OS image by ACK clusters. Alibaba Cloud Linux 2 Benchmark passed the certification procedure of CIS on August 16, 2019. CIS then released CIS Aliyun Linux 2 Benchmark version 1.0.0. Alibaba Cloud Linux is the first CIS certified operating system in China.
Alibaba Cloud Linux 3 is an OS image released by Alibaba Cloud and supported by ACK clusters. Alibaba Cloud Linux 3 Benchmark passed the certification procedure of CIS on February 6, 2022. CIS then released CIS Alibaba Cloud Linux 3 Benchmark v1.0.0.
Security levels and items
CIS Aliyun Linux 2 Benchmark version 1.0.0
- Level 1 items are used to implement basic improvements. These items do not have a large impact on system performance.
- Level 2 items are suitable for scenarios that require higher security. These items may increase performance overheads.
- Scored: Compliance with Scored items increases the final benchmark score. Failure to comply with Scored items decreases the final benchmark score.
- Not Scored: Compliance with Not Scored items does not increase the final benchmark score. Failure to comply with Not Scored items does not decrease the final benchmark score.
- Level 1 Scored (145 items)
- Level 1 Not Scored (23 items)
- Level 2 Scored (33 items)
- Level 2 Not Scored (3 items)
Level 2 items may negatively impact system performance and Not Scored items do not affect the final benchmark score. Therefore, ACK provides reinforcement for only Level 1 Scored items.
CIS Alibaba Cloud Linux 3 Benchmark v1.0.0
- Level 1 items are used to implement basic improvements. These items have only a minor impact on system performance.
- Level 2 items are suitable for scenarios that require higher security. These items may increase performance overheads.
- Automated: Compliance with Automated items increases the final benchmark score. Failure to comply with Automated items decreases the final benchmark score.
- Manual: Compliance with Manual items does not increase the final benchmark score. Failure to comply with Manual items does not decrease the final benchmark score.
- Level 1 Automated (183 items)
- Level 1 Manual (34 items)
- Level 2 Automated (45 items)
- Level 2 Manual (4 items)
Level 2 items may negatively impact system performance and Manual items do not affect the final benchmark score. Therefore, ACK provides reinforcement for only Level 1 Automated items.
Work with CIS Alibaba Cloud Linux Benchmarks
Alibaba Cloud Linux 3
You can enable CIS Reinforcement and set the Operating System to Alibaba Cloud Linux 3.2104 when you create an ACK cluster. The system then configures CIS reinforcement for the cluster automatically, so that the Alibaba Cloud Linux 3 images of all nodes in the cluster meet most Level 1 Automated items in CIS Alibaba Cloud Linux 3 Benchmark version 1.0.0. For the items that are intentionally left out and the reasons, see CIS Level 1 Automated items that are not covered by CIS reinforcement.
CIS Level 1 items that are not covered by CIS reinforcement
Alibaba Cloud Linux 2
Item | Reason why the item is not covered by CIS reinforcement |
---|---|
1.1.2 Ensure /tmp is configured (Scored) | Involves partition modifications. |
1.1.18 Ensure sticky bit is set on all world-writable directories (Scored) | Affects the control logic of ACK. |
1.7.1.1 Ensure message of the day is configured properly (Scored) | Requires the deletion of the link to the user guide in the Message of the Day (MOTD) of the Alibaba Cloud Linux 2 operating system. |
3.1.1 Ensure IP forwarding is disabled (Scored) | Affects the network plug-ins of ACK. |
3.5.1.1 Ensure default deny firewall policy (Scored) | Requires the configuration of firewall policies. |
3.5.1.2 Ensure loopback traffic is configured (Scored) | Requires the configuration of loopback rules. |
3.5.1.4 Ensure firewall rules exist for all open ports (Scored) | Requires the configuration of firewall rules for open ports. |
3.5.2.1 Ensure IPv6 default deny firewall policy (Scored) | Requires the configuration of IPv6 firewall policies. |
3.5.2.2 Ensure IPv6 loopback traffic is configured (Scored) | Requires the configuration of IPv6 loopback rules. |
4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host (Scored) | Requires the configuration of rsyslog to send log data to a remote log host. |
4.2.3 Ensure permissions on all logfiles are configured (Scored) | Requires the modification of a large number of files, which imposes potential security risks. |
5.2.10 Ensure SSH root login is disabled (Scored) | Requires the creation of other accounts for authentication or the use of non-SSH connections, such as Virtual Network Computing (VNC) connections. |
5.2.18 Ensure SSH access is limited (Scored) | Requires the configuration of users and groups that are allowed to access the system by using SSH. |
5.2.3 Ensure permissions on SSH private host key files are configured (Scored) | The GID of ssh_keys is hard-coded to 998 in the scan script. However, the GID may not be 998 in the system; it may be 996, for example. |
5.3.2 Ensure lockout for failed password attempts is configured (Scored) | The recommended Benchmark configurations are quite different from the configuration file of the Alibaba Cloud Linux 2 system. Proceed with caution. |
6.1.11 Ensure no unowned files or directories exist (Scored) | Affects the control logic of ACK. |
6.1.12 Ensure no ungrouped files or directories exist (Scored) | Affects the control logic of ACK. |
Item | Description |
---|---|
Profile Applicability | Whether the item belongs to Level 1 or Level 2. |
Description | The brief introduction of the item. |
Rationale | The details and background information about the item. This helps you understand the reason for the recommended reinforcement. |
Audit | The command script that is used to check whether the system meets the criteria. You can determine whether reinforcement is required based on the return value of the script. |
Remediation | If the script in the Audit section indicates that reinforcement is required, you can run this script to reinforce the system. |
Impact | Possible impacts if the system is not properly configured. |
References | References. |
CIS Controls | The description of the CIS control that corresponds to the item. To download CIS Controls, you must create an account. |
Alibaba Cloud Linux 3
Item | Reason why the item is not covered by CIS reinforcement |
---|---|
1.1.2 Ensure /tmp is configured (Automated) | Involves partition modifications. |
1.7.1.3 Ensure SELinux policy is configured (Automated) | Involves changes to SELinux and requires you to restart the cluster. |
1.7.1.4 Ensure the SELinux mode is not disabled (Automated) | Involves changes to SELinux and requires you to restart the cluster. |
3.2.1 Ensure IP forwarding is disabled (Automated) | Affects the Terway plug-in of ACK. |
4.2.2.5 Ensure systemd-journal-remote is installed (Automated) | CIS Alibaba Cloud Linux 3 Benchmark does not include this item, but CIS-Configuration Assessment Tool (CIS-CAT) includes it. |
4.2.2.7 Ensure journald is not configured to receive logs from a remote client (Automated) | CIS Alibaba Cloud Linux 3 Benchmark does not include this item, but CIS-CAT includes it. |
4.2.2.9 Ensure systemd-journal-remote is enabled (Automated) | CIS Alibaba Cloud Linux 3 Benchmark does not include this item, but CIS-CAT includes it. |
4.2.3 Ensure permissions on all logfiles are configured (Automated) | Requires the modification of a large number of files, which imposes potential security risks. |
5.2.2 Ensure SSH access is limited (Automated) | Requires the configuration of users and groups that are allowed to access the system by using SSH. |
5.2.10 Ensure SSH root login is disabled (Automated) | Requires the creation of other accounts for authentication or the use of non-SSH connections, such as Virtual Network Computing (VNC) connections. |
5.2.19 Ensure SSH MaxSessions is set to 10 or less(Automated) | The evaluation result returned by CIS-CAT is different from the description in CIS Alibaba Cloud Linux 3 Benchmark. |
6.1.2 Ensure sticky bit is set on all world-writable directories (Automated) | Affects the control logic of ACK. |
6.1.11 Ensure no world writable files exist (Automated) | Affects the control logic of ACK. |
6.1.12 Ensure no unowned files or directories exist (Automated) | Affects the control logic of ACK. |
6.1.13 Ensure no ungrouped files or directories exist (Automated) | Affects the control logic of ACK. |
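The two tables above list items that ACK reinforcement leaves alone, several of which a node operator still wants to audit and decide on deliberately. The script below is an added example, not ACK's reinforcement script or the CIS-CAT audit logic: it implements offline checks for four of the listed items (5.2.10 SSH root login, 5.2.19 MaxSessions, 3.2.1/3.1.1 IP forwarding, 6.1.2/1.1.18 sticky bit on world-writable directories) against a constructed sample node state. The checks take file and directory paths as arguments so that, on a real node, you would point them at /etc/ssh/sshd_config, /proc/sys/net/ipv4/ip_forward and /; the sample values and the expected FAIL on IP forwarding (which Terway and Flannel require to be enabled) are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example: offline audit helpers for four Level 1 items that ACK's CIS
# reinforcement intentionally does not cover. Not ACK's script and not CIS-CAT.
# Each check returns 0 (compliant) or non-zero (not compliant).

# Effective value of an sshd_config keyword: sshd uses the first occurrence,
# keywords are case-insensitive. Match blocks are not handled here (assumption).
sshd_value() { awk -v k="$2" 'tolower($1)==k {print tolower($2); exit}' "$1"; }

# 5.2.10 Ensure SSH root login is disabled: PermitRootLogin must be explicitly "no".
check_root_login() { [ "$(sshd_value "$1" permitrootlogin)" = "no" ]; }

# 5.2.19 Ensure SSH MaxSessions is 10 or less; OpenSSH defaults to 10 when unset.
check_max_sessions() {
    v=$(sshd_value "$1" maxsessions); [ -n "$v" ] || v=10
    [ "$v" -le 10 ] 2>/dev/null
}

# 3.2.1 (Linux 3) / 3.1.1 (Linux 2) Ensure IP forwarding is disabled.
# Expected to FAIL on an ACK node: the network plug-in needs ip_forward=1.
check_ip_forward() { [ "$(tr -d '[:space:]' < "$1")" = "0" ]; }

# 6.1.2 (Linux 3) / 1.1.18 (Linux 2) Ensure sticky bit is set on all
# world-writable directories: any such directory under $1 without it is a finding.
check_sticky_bit() {
    bad=$(find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null)
    [ -z "$bad" ]
}

# Run all four checks, print PASS/FAIL per item, return the number of failures.
cis_report() {  # $1 sshd_config  $2 ip_forward file  $3 directory tree to scan
    fails=0
    for c in "check_root_login $1" "check_max_sessions $1" \
             "check_ip_forward $2" "check_sticky_bit $3"; do
        if $c; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails+1)); fi
    done
    return "$fails"
}

# Constructed sample node state (not captured from a real cluster).
work=$(mktemp -d)
printf 'PermitRootLogin yes\nMaxSessions 4\n' > "$work/sshd_config"
echo 1 > "$work/ip_forward"                      # typical value on an ACK node
mkdir -p "$work/root/tmp" && chmod 1777 "$work/root/tmp"
cis_report "$work/sshd_config" "$work/ip_forward" "$work/root" || echo "failures: $?"
rm -rf "$work"
```

On the sample state the report shows two failures (root login and IP forwarding); the IP forwarding one is the expected, documented trade-off on ACK nodes rather than a misconfiguration.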
Item | Description |
---|---|
Profile Applicability | Whether the item belongs to Level 1 or Level 2. |
Description | The brief introduction of the item. |
Rationale | The details and background information about the item. This helps you understand the reason for the recommended reinforcement. |
Audit | The command script that is used to check whether the system meets the criteria. You can determine whether reinforcement is required based on the return value of the script. |
Remediation | If the script in the Audit section indicates that reinforcement is required, you can run this script to reinforce the system. |
Impact | Possible impacts if the system is not properly configured. |
References | References. |
CIS Controls | The description of the CIS control that corresponds to the item. To download CIS Controls, you must create an account. |
Use CIS-CAT to evaluate the compliance of an ACK cluster with the CIS Benchmark
To evaluate the compliance of an ACK cluster with the CIS Benchmark, you can use CIS-CAT to scan the cluster. CIS-CAT is a configuration assessment tool that scans the configuration of a system to provide a detailed assessment report. You can run this tool on a system to obtain a benchmark score against a specified CIS Benchmark profile. The tool also provides remediation steps for noncompliant configurations. For more information, see CIS-CAT.
CIS-CAT has two editions: Lite and Pro. CIS-CAT Lite provides limited features and supports only the following systems: Windows 10, Ubuntu 18.04, and Google Chrome. CIS-CAT Lite does not support Alibaba Cloud Linux 2 and therefore cannot be used to scan ACK clusters for compliance evaluation.
CIS-CAT Pro has two versions: v4 and v3. This topic uses CIS-CAT Pro v4 as an example to describe how to evaluate the compliance of Alibaba Cloud Linux 2 and Alibaba Cloud Linux 3 with CIS Benchmark after CIS reinforcement is enabled.
Alibaba Cloud Linux 3
CIS-CAT is not 100% compatible with Alibaba Cloud Linux 3. Therefore, you need to manually download the XCCDF and OVAL files of Alibaba Cloud Linux 3 and log on to a cluster node that runs Alibaba Cloud Linux 3 to perform the check.