You can enable Center for Internet Security (CIS) reinforcement to enhance OS security for cluster nodes. This topic describes how to enable CIS reinforcement for Alibaba Cloud Linux 2 and Alibaba Cloud Linux 3. This topic also describes how to check OS security after CIS reinforcement is enabled.

Background information

CIS is a third-party security organization that is committed to leading a global community of enterprises, public service sectors, and academia to develop security best practices. CIS provides CIS Benchmarks for the Linux-based operating systems released by industry-leading companies, such as Alibaba Cloud Linux 2, Alibaba Cloud Linux 3, CentOS, and Ubuntu. CIS Benchmarks have become an important criterion for assessing OS security for Alibaba Cloud customers. For more information, see CIS WorkBench.

Alibaba Cloud Linux 2 is an OS image released by Alibaba Cloud and is used as the default OS image by ACK clusters. Alibaba Cloud Linux 2 Benchmark passed the certification procedure of CIS on August 16, 2019. CIS then released CIS Aliyun Linux 2 Benchmark version 1.0.0. Alibaba Cloud Linux is the first CIS certified operating system in China.

Alibaba Cloud Linux 3 is an OS image released by Alibaba Cloud and supported by ACK clusters. Alibaba Cloud Linux 3 Benchmark passed the certification procedure of CIS on February 6, 2022. CIS then released CIS Alibaba Cloud Linux 3 Benchmark v1.0.0.

For Benchmark file downloads and more information about Alibaba Cloud Linux 2 and Alibaba Cloud Linux 3, please log in to your CIS account at the link below:

Security levels and items

CIS Aliyun Linux 2 Benchmark version 1.0.0

CIS Aliyun Linux 2 Benchmark version 1.0.0 consists of 204 items that are categorized into two security levels. Level 1 contains 168 items, and Level 2 contains 36 items. Differences between Level 1 items and Level 2 items:
  • Level 1 items are used to implement basic improvements. These items do not have a large impact on system performance.
  • Level 2 items are suitable for scenarios that require higher security. These items may increase performance overheads.
Besides, CIS Aliyun Linux 2 Benchmark classifies the items into two groups based on scoring information: Scored and Not Scored.
  • Scored: Compliance with Scored items increases the final benchmark score. Failure to comply with Scored items decreases the final benchmark score.
  • Not Scored: Compliance with Not Scored items does not increase the final benchmark score. Failure to comply with Not Scored items does not decrease the final benchmark score.
Therefore, the 204 items of CIS Aliyun Linux 2 Benchmark can be classified into four groups:
  • Level 1 Scored (145 items)
  • Level 1 Not Scored (23 items)
  • Level 2 Scored (33 items)
  • Level 2 Not Scored (3 items)

Level 2 items may negatively impact system performance and Not Scored items do not affect the final benchmark score. Therefore, ACK provides reinforcement for only Level 1 Scored items.

CIS Alibaba Cloud Linux 3 Benchmark v1.0.0

CIS Alibaba Cloud Linux 3 Benchmark v1.0.0 consists of 266 items that are categorized into two security levels. Level 1 contains 217 items, and Level 2 contains 49 items. Differences between Level 1 items and Level 2 items:
  • Level 1 items are used to implement basic improvements. These items have only a minor impact on system performance.
  • Level 2 items are suitable for scenarios that require higher security. These items may increase performance overheads.
Besides, CIS Alibaba Cloud Linux 3 Benchmark classifies the items into two groups based on scoring information: Automated and Manual.
  • Automated: Compliance with Automated items increases the final benchmark score. Failure to comply with Automated items decreases the final benchmark score.
  • Manual: Compliance with Manual items does not increase the final benchmark score. Failure to comply with Manual items does not decrease the final benchmark score.
Therefore, the 266 items of CIS Alibaba Cloud Linux 3 Benchmark can be classified into four groups:
  • Level 1 Automated (183 items)
  • Level 1 Manual (34 items)
  • Level 2 Automated (45 items)
  • Level 2 Manual (4 items)

Level 2 items may negatively impact system performance and Manual items do not affect the final benchmark score. Therefore, ACK provides reinforcement for only Level 1 Automated items.

Work with CIS Alibaba Cloud Linux Benchmarks

Alibaba Cloud Linux 2

You can enable CIS Reinforcement and set the Operating System to Alibaba Cloud Linux 2.1903 when you create an ACK cluster. The system then configures CIS reinforcement for the cluster automatically, so that the Alibaba Cloud Linux 2 images of all nodes in the cluster meet most Level 1 Scored items in CIS Aliyun Linux 2 Benchmark version 1.0.0. For the items that are not covered, see CIS Level 1 Scored items that are not covered by CIS reinforcement.
Note To meet the requirements of Level 1 items, ACK automatically creates a regular user named ack_cis in the Alibaba Cloud Linux 2 operating system for which CIS reinforcement is enabled.

Alibaba Cloud Linux 3

You can enable CIS Reinforcement and set the Operating System to Alibaba Cloud Linux 3.2104 when you create an ACK cluster. The system then configures CIS reinforcement for the cluster automatically, so that the Alibaba Cloud Linux 3 images of all nodes in the cluster meet most Level 1 Automated items in CIS Alibaba Cloud Linux 3 Benchmark v1.0.0. For the items that are not covered, see CIS Level 1 Automated items that are not covered by CIS reinforcement.

CIS Level 1 items that are covered by CIS reinforcement

Alibaba Cloud Linux 2

CIS Aliyun Linux 2 Benchmark version 1.0.0 contains 145 Level 1 Scored items. Based on analysis and testing of these items, ACK provides CIS reinforcement for 128 out of the 145 items. The coverage is more than 88%.
Table 1. CIS Level 1 Scored items that are not covered by CIS reinforcement
Item | Reason why the item is not covered by CIS reinforcement
1.1.2 Ensure /tmp is configured (Scored) | Involves partition modifications.
1.1.18 Ensure sticky bit is set on all world-writable directories (Scored) | Affects the control logic of ACK.
1.7.1.1 Ensure message of the day is configured properly (Scored) | Requires the deletion of the link to the user guide in the Message of the Day (MOTD) of Alibaba Cloud Linux 2.
3.1.1 Ensure IP forwarding is disabled (Scored) | Affects the network plug-ins of ACK.
3.5.1.1 Ensure default deny firewall policy (Scored) | Requires the configuration of firewall policies.
3.5.1.2 Ensure loopback traffic is configured (Scored) | Requires the configuration of loopback rules.
3.5.1.4 Ensure firewall rules exist for all open ports (Scored) | Requires the configuration of firewall rules for open ports.
3.5.2.1 Ensure IPv6 default deny firewall policy (Scored) | Requires the configuration of IPv6 firewall policies.
3.5.2.2 Ensure IPv6 loopback traffic is configured (Scored) | Requires the configuration of IPv6 loopback rules.
4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host (Scored) | Requires the configuration of rsyslog to send log data to a remote log host.
4.2.3 Ensure permissions on all logfiles are configured (Scored) | Requires the modification of a large number of files, which imposes potential security risks.
5.2.10 Ensure SSH root login is disabled (Scored) | Requires the creation of other accounts for authentication or the use of non-SSH connections, such as Virtual Network Computing (VNC) connections.
5.2.18 Ensure SSH access is limited (Scored) | Requires the configuration of the users and groups that are allowed to access the system by using SSH.
5.2.3 Ensure permissions on SSH private host key files are configured (Scored) | The scan script hard-codes the GID of the ssh_keys group as 998, but the GID on the system may be different, for example 996.
5.3.2 Ensure lockout for failed password attempts is configured (Scored) | The configuration recommended by the Benchmark differs considerably from the configuration files shipped with Alibaba Cloud Linux 2. Proceed with caution.
6.1.11 Ensure no unowned files or directories exist (Scored) | Affects the control logic of ACK.
6.1.12 Ensure no ungrouped files or directories exist (Scored) | Affects the control logic of ACK.
You can refer to the following sections in CIS Aliyun Linux 2 Benchmark version 1.0.0 to add fixes for CIS Level 1 Scored items that are not covered by CIS reinforcement. You can add fixes based on the Remediation section and check whether the fix works as expected based on the Audit section.
Item | Description
Profile Applicability | Whether the item belongs to Level 1 or Level 2.
Description | A brief introduction to the item.
Rationale | The details and background of the item. This helps you understand why the reinforcement is recommended.
Audit | The commands or script used to check whether the system meets the criteria. Use the output to determine whether remediation is required.
Remediation | The commands or script used to reinforce the system when the Audit check shows that remediation is required.
Impact | Possible side effects of applying the recommendation, for example, services that stop working.
References | References.
CIS Controls | The description of the CIS control that corresponds to the item. To download CIS Controls, you must create an account.

Alibaba Cloud Linux 3

CIS Alibaba Cloud Linux 3 Benchmark v1.0.0 contains 183 Level 1 Automated items. Based on analysis and testing of these items, ACK provides CIS reinforcement for 168 out of the 183 items. The coverage is about 91.8%.
Table 2. CIS Level 1 Automated items that are not covered by CIS reinforcement
Item | Reason why the item is not covered by CIS reinforcement
1.1.2 Ensure /tmp is configured (Automated) | Involves partition modifications.
1.7.1.3 Ensure SELinux policy is configured (Automated) | Involves changes to SELinux and requires the nodes to be restarted.
1.7.1.4 Ensure the SELinux mode is not disabled (Automated) | Involves changes to SELinux and requires the nodes to be restarted.
3.2.1 Ensure IP forwarding is disabled (Automated) | Affects the Terway plug-in of ACK.
4.2.2.5 Ensure systemd-journal-remote is installed (Automated) | CIS Alibaba Cloud Linux 3 Benchmark does not include this item, but CIS-Configuration Assessment Tool (CIS-CAT) includes it.
4.2.2.7 Ensure journald is not configured to receive logs from a remote client (Automated) | CIS Alibaba Cloud Linux 3 Benchmark does not include this item, but CIS-CAT includes it.
4.2.2.9 Ensure systemd-journal-remote is enabled (Automated) | CIS Alibaba Cloud Linux 3 Benchmark does not include this item, but CIS-CAT includes it.
4.2.3 Ensure permissions on all logfiles are configured (Automated) | Requires the modification of a large number of files, which imposes potential security risks.
5.2.2 Ensure SSH access is limited (Automated) | Requires the configuration of the users and groups that are allowed to access the system by using SSH.
5.2.10 Ensure SSH root login is disabled (Automated) | Requires the creation of other accounts for authentication or the use of non-SSH connections, such as Virtual Network Computing (VNC) connections.
5.2.19 Ensure SSH MaxSessions is set to 10 or less (Automated) | The evaluation result returned by CIS-CAT differs from the description in CIS Alibaba Cloud Linux 3 Benchmark.
6.1.2 Ensure sticky bit is set on all world-writable directories (Automated) | Affects the control logic of ACK.
6.1.11 Ensure no world writable files exist (Automated) | Affects the control logic of ACK.
6.1.12 Ensure no unowned files or directories exist (Automated) | Affects the control logic of ACK.
6.1.13 Ensure no ungrouped files or directories exist (Automated) | Affects the control logic of ACK.
You can refer to the following sections in CIS Alibaba Cloud Linux 3 Benchmark v1.0.0 to add fixes for CIS Level 1 Automated items that are not covered by CIS reinforcement. You can add fixes based on the Remediation section and check whether the fix works as expected based on the Audit section.
Item | Description
Profile Applicability | Whether the item belongs to Level 1 or Level 2.
Description | A brief introduction to the item.
Rationale | The details and background of the item. This helps you understand why the reinforcement is recommended.
Audit | The commands or script used to check whether the system meets the criteria. Use the output to determine whether remediation is required.
Remediation | The commands or script used to reinforce the system when the Audit check shows that remediation is required.
Impact | Possible side effects of applying the recommendation, for example, services that stop working.
References | References.
CIS Controls | The description of the CIS control that corresponds to the item. To download CIS Controls, you must create an account.
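For the uncovered Level 1 items listed in Table 1 and Table 2, the following shell script is an added example (not part of the ACK documentation or of the CIS Benchmark) that implements the Audit logic for a few of them: SSH root login (5.2.10), SSH access limits (5.2.18 / 5.2.2), MaxSessions (5.2.19), IP forwarding (3.1.1 / 3.2.1), and the sticky bit on world-writable directories (1.1.18 / 6.1.2). The function names, the PASS/FAIL output and the script name cis_gap_audit.sh are this example's own conventions. The checks take the sshd configuration as a file and the sysctl value as an argument so they can be exercised offline; on a node, the guard at the bottom runs them against the live system.

```shell
#!/bin/sh
# Added example, not from the ACK docs or CIS: audit checks for Level 1 items that
# ACK leaves uncovered. Save as cis_gap_audit.sh to run it, or source it to use
# the functions.

# Effective value of KEY in an sshd_config-style file. sshd honours the first
# occurrence of a keyword, so the first match wins; "#Key" comment lines do not
# match because the whole first token is compared. Match blocks are ignored here;
# on a live host `sshd -T` gives the authoritative effective configuration.
sshd_effective() { # file key
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# 5.2.10 Ensure SSH root login is disabled: PermitRootLogin must be exactly "no".
check_root_login() { # file
  [ "$(sshd_effective "$1" PermitRootLogin)" = "no" ] && echo PASS || echo FAIL
}

# 5.2.18 (AL2) / 5.2.2 (AL3) Ensure SSH access is limited: at least one of
# AllowUsers, AllowGroups, DenyUsers, DenyGroups must be set.
check_ssh_access_limited() { # file
  for k in AllowUsers AllowGroups DenyUsers DenyGroups; do
    if [ -n "$(sshd_effective "$1" "$k")" ]; then echo PASS; return 0; fi
  done
  echo FAIL
}

# 5.2.19 (AL3) Ensure SSH MaxSessions is 10 or less. sshd defaults to 10 when the
# keyword is absent, so an absent keyword passes; a non-numeric value fails.
check_max_sessions() { # file
  v="$(sshd_effective "$1" MaxSessions)"
  [ -z "$v" ] && v=10
  [ "$v" -le 10 ] 2>/dev/null && echo PASS || echo FAIL
}

# 3.1.1 (AL2) / 3.2.1 (AL3) Ensure IP forwarding is disabled. Takes the sysctl
# value as an argument; on a node pass "$(sysctl -n net.ipv4.ip_forward)".
# Expect FAIL on ACK nodes: the network plug-ins need forwarding enabled.
check_ip_forward() { # value
  [ "$1" = "0" ] && echo PASS || echo FAIL
}

# 1.1.18 (AL2) / 6.1.2 (AL3): list world-writable directories under ROOT that
# lack the sticky bit, staying on one filesystem. Empty output means PASS.
world_writable_dirs_without_sticky() { # root
  find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Run against the live host only when executed directly under the assumed name.
if [ "${0##*/}" = "cis_gap_audit.sh" ]; then
  cfg=/etc/ssh/sshd_config
  echo "5.2.10 PermitRootLogin no:   $(check_root_login "$cfg")"
  echo "5.2.18 SSH access limited:   $(check_ssh_access_limited "$cfg")"
  echo "5.2.19 MaxSessions <= 10:    $(check_max_sessions "$cfg")"
  echo "3.1.1  IP forwarding off:    $(check_ip_forward "$(sysctl -n net.ipv4.ip_forward)")"
  offenders="$(world_writable_dirs_without_sticky /)"
  if [ -z "$offenders" ]; then
    echo "1.1.18 sticky bit on world-writable dirs: PASS"
  else
    echo "1.1.18 sticky bit on world-writable dirs: FAIL"; echo "$offenders"
  fi
fi
```

Run it as root on a node so that find can traverse the whole root filesystem. A FAIL for IP forwarding is expected on ACK nodes; that is precisely why the item is excluded from reinforcement, and the remaining results tell you which of the gaps in the tables you still have to close by hand using the Remediation section of the Benchmark.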

Use CIS-CAT to evaluate the compliance of an ACK cluster with the CIS Benchmark

To evaluate the compliance of an ACK cluster with the CIS Benchmark, you can use CIS-CAT to scan the cluster. CIS-CAT is a configuration assessment tool that scans the configuration of a system to provide a detailed assessment report. You can run this tool on a system to obtain a benchmark score against a specified CIS Benchmark profile. The tool also provides remediation steps for noncompliant configurations. For more information, see CIS-CAT.

CIS-CAT has two editions: Lite and Pro. CIS-CAT Lite provides limited features and supports only the following systems: Windows 10, Ubuntu 18.04, and Google Chrome. CIS-CAT Lite does not support Alibaba Cloud Linux 2 and therefore cannot be used to scan ACK clusters for compliance evaluation.

CIS-CAT Pro has two versions: v4 and v3. This topic uses CIS-CAT Pro v4 as an example to describe how to evaluate the compliance of Alibaba Cloud Linux 2 and Alibaba Cloud Linux 3 with CIS Benchmark after CIS reinforcement is enabled.

Alibaba Cloud Linux 2

  1. To download CIS Aliyun Linux 2 Benchmark version 1.0.0, see CIS Alibaba Cloud Linux benchmarks.
  2. Go to CIS SecureSuite and register a CIS SecureSuite membership. Then, download the CIS-CAT Pro installation package named Assessor-CLI-v4.0.23.zip.
  3. Log on to a cluster node that runs Alibaba Cloud Linux 2.
    For more information about how to connect to an Elastic Compute Service (ECS) node in an ACK cluster, see View nodes and Overview.
  4. Run the following commands in sequence to install the Java environment that CIS-CAT requires:
    yum -y install java-1.8.0-openjdk java-1.8.0-openjdk-devel
    # JAVA_HOME is resolved now: readlink -f follows the alternatives symlink chain to the JDK directory.
    # $PATH and $JAVA_HOME are escaped so that they expand when the profile script is sourced, not while it is written.
    cat > /etc/profile.d/java8.sh <<EOF
    export JAVA_HOME=$(dirname $(dirname $(readlink -f $(which javac))))
    export PATH=\$PATH:\$JAVA_HOME/bin
    export CLASSPATH=.:\$JAVA_HOME/jre/lib:\$JAVA_HOME/lib:\$JAVA_HOME/lib/tools.jar
    EOF
    source /etc/profile.d/java8.sh
  5. Run the following commands in sequence to use CIS-CAT Pro (Assessor-CLI-v4.0.23.zip) to scan the node:
    unzip Assessor-CLI-v4.0.23.zip
    cd Assessor-CLI
    chmod +x ./Assessor-CLI.sh
    ./Assessor-CLI.sh  -b ./benchmarks/CIS_Aliyun_Linux_2_Benchmark_v1.0.0-xccdf.xml  -p "Level 1" -html
    Note
    • -b: specifies the benchmark based on which the node is scanned. The parameter value includes the operating system and benchmark version.
    • -p: specifies the level of items that are scanned. In this example, Level 1 is specified because only CIS Level 1 Scored items need to be scanned.
  6. Check the scan result.
    CIS scan result
    The following table describes the parameters in the scan result. For more information, see CIS-CAT Pro Assessor v4 Report.
    Parameter | Description
    Total # of Results | The total number of items in the specified benchmark. CIS Aliyun Linux 2 Benchmark v1.0.0 contains 204 items.
    Total Scored Results | The total number of Scored items in the specified level. Level 1 contains 145 items.
    Total Pass | The number of Scored items in the specified level that passed the check. ACK provides CIS reinforcement for 128 Level 1 Scored items.
    Total Fail | The number of Scored items in the specified level that failed the check. ACK does not provide CIS reinforcement for 17 Level 1 Scored items.
    Total Error | The number of Scored items in the specified level whose check script raised an error. In this example, no error occurred, so the value is 0.
    Total Unknown | The number of Scored items in the specified level for which CIS-CAT could not determine whether the criteria were met. In this example, the value is 0.
    Total Not Applicable | The number of items in the specified benchmark that do not apply to the operating system. When CIS-CAT Pro scans a node that runs Alibaba Cloud Linux 2 against CIS Aliyun Linux 2 Benchmark v1.0.0, all items apply.
    Total Not Checked | The number of items that were not evaluated. These are Not Scored items; the items counted under Total Informational are also Not Scored.
    Total Not Selected | The number of items in the specified benchmark that were not selected for the scan. In this example, CIS-CAT Pro checks only Level 1 items, so the 36 Level 2 items are not selected.
    Total Informational | The number of items that require manual evaluation. These items are Not Scored in the specified level.

Alibaba Cloud Linux 3

CIS-CAT is not 100% compatible with Alibaba Cloud Linux 3. Therefore, you need to manually download the XCCDF and OVAL files of Alibaba Cloud Linux 3 and log on to a cluster node that runs Alibaba Cloud Linux 3 to perform the check.

  1. Log on to CIS WorkBench, click Export, find XCCDF + OVAL, and then click Download to download the XCCDF and OVAL package. Extract the package.
    The following figure shows the files included in the package.
  2. Go to CIS SecureSuite and register a CIS SecureSuite membership. Then, download the CIS-CAT Pro installation package named Assessor-CLI-v4.0.23.zip.
  3. Log on to a cluster node that runs Alibaba Cloud Linux 3.
    For more information about how to connect to an ECS node in an ACK cluster, see View nodes and Overview.
  4. Run the following commands in sequence to install the Java environment that CIS-CAT requires:
    yum -y install java-1.8.0-openjdk java-1.8.0-openjdk-devel
    # JAVA_HOME is resolved now: readlink -f follows the alternatives symlink chain to the JDK directory.
    # $PATH and $JAVA_HOME are escaped so that they expand when the profile script is sourced, not while it is written.
    cat > /etc/profile.d/java8.sh <<EOF
    export JAVA_HOME=$(dirname $(dirname $(readlink -f $(which javac))))
    export PATH=\$PATH:\$JAVA_HOME/bin
    export CLASSPATH=.:\$JAVA_HOME/jre/lib:\$JAVA_HOME/lib:\$JAVA_HOME/lib/tools.jar
    EOF
    source /etc/profile.d/java8.sh
  5. Run the following commands to make CIS-CAT ignore the platform mismatch. CIS-CAT compares the platform declared in the benchmark with the host and skips the assessment when they differ; Alibaba Cloud Linux 3 is not recognized, so this check must be disabled:
    unzip Assessor-CLI-v4.0.23.zip
    cd Assessor-CLI/config
    sed -i 's/ignore.platform.mismatch=false/ignore.platform.mismatch=true/g' assessor-cli.properties
    cd -
  6. Run the following commands in sequence to use CIS-CAT Pro (Assessor-CLI-v4.0.23.zip) to scan the node:
    # Copy the XCCDF file from the extracted package. The OVAL file from the same package must be placed in the
    # same benchmarks directory, because the XCCDF file references it by a relative path.
    cp /path/to/CIS_Alibaba_Cloud_Linux_3_Benchmark_v1.0.0-xccdf.xml  Assessor-CLI/benchmarks/
    cd Assessor-CLI
    chmod +x ./Assessor-CLI.sh
    ./Assessor-CLI.sh  -b ./benchmarks/CIS_Alibaba_Cloud_Linux_3_Benchmark_v1.0.0-xccdf.xml -p "Level 1" -txt -html
    Note
    • -b: specifies the benchmark based on which the node is scanned. The parameter value includes the operating system and benchmark version.
    • -p: specifies the level of items that are scanned. In this example, Level 1 is specified because only CIS Level 1 Automated items need to be scanned.
  7. Check the scan result.
    The following table describes the parameters in the scan result. For more information, see the Reports section in User Guide Assessor of CIS-CAT Pro Assessor v4.
    Parameter | Description
    Total # of Results | The total number of items in the specified benchmark. CIS Alibaba Cloud Linux 3 Benchmark v1.0.0 contains 266 items.
    Total Scored Results | The total number of Automated items in the specified level. Level 1 contains 183 items.
    Total Pass | The number of Automated items in the specified level that passed the check. ACK provides CIS reinforcement for 168 Level 1 Automated items.
    Total Fail | The number of Automated items in the specified level that failed the check. ACK does not provide CIS reinforcement for 15 Level 1 Automated items.
    Total Error | The number of Automated items in the specified level whose check script raised an error. In this example, no error occurred, so the value is 0.
    Total Unknown | The number of Automated items in the specified level for which CIS-CAT could not determine whether the criteria were met. In this example, the value is 0.
    Total Not Applicable | The number of items in the specified benchmark that do not apply to the operating system.
    Total Not Checked | The number of items that were not evaluated. These are Manual items; the items counted under Total Informational are also Manual.
    Total Not Selected | The number of items in the specified benchmark that were not selected for the scan. In this example, CIS-CAT Pro checks only Level 1 items, so the 49 Level 2 items are not selected.
    Total Informational | The number of items that require manual evaluation. These items are Manual in the specified level.
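The steps above for Alibaba Cloud Linux 3 can be wrapped so that they fail early and can be re-run safely. The following shell script is an added example, not part of the ACK documentation or of CIS-CAT: set_property replaces or appends a key in assessor-cli.properties instead of relying on a sed pattern that silently does nothing when the key is absent or already true, preflight checks the Java runtime, the assessor and the exported benchmark files before anything runs, and run_scan copies both the XCCDF and the OVAL file (the XCCDF references the OVAL definitions by a relative path). The directory variables, the script name run_cis_scan.sh and the assumption that the exported OVAL file is named *-oval.xml are this example's own; adjust BENCH_DIR to where you extracted the package.

```shell
#!/bin/sh
# Added example, not from the ACK docs or CIS-CAT: wrapper for the AL3 scan procedure.
# Assumed paths: ASSESSOR_DIR is the extracted Assessor-CLI directory, BENCH_DIR holds
# the XCCDF + OVAL export from CIS WorkBench (adjust /path/to/benchmark-export).
ASSESSOR_DIR="${ASSESSOR_DIR:-./Assessor-CLI}"
BENCH_DIR="${BENCH_DIR:-/path/to/benchmark-export}"
XCCDF="CIS_Alibaba_Cloud_Linux_3_Benchmark_v1.0.0-xccdf.xml"

# set_property FILE KEY VALUE: rewrite "KEY=..." in a Java-style properties file,
# or append the line if the key is absent. Idempotent: running it twice leaves one line.
set_property() {
  f="$1"; k="$2"; v="$3"
  if grep -q "^$k=" "$f" 2>/dev/null; then
    # Write through a temp file instead of sed -i, which differs between sed flavours.
    awk -v k="$k" -v v="$v" -F= '$1 == k { $0 = k "=" v } { print }' "$f" > "$f.tmp" \
      && mv "$f.tmp" "$f"
  else
    printf '%s=%s\n' "$k" "$v" >> "$f"
  fi
}

# get_property FILE KEY: print the value of KEY, or nothing if it is absent.
get_property() {
  awk -v k="$2" -F= '$1 == k { print substr($0, length(k) + 2); exit }' "$1"
}

# preflight: explain what is missing instead of letting the assessor fail midway.
preflight() {
  command -v java >/dev/null 2>&1 \
    || { echo "java not found: install java-1.8.0-openjdk first" >&2; return 1; }
  [ -x "$ASSESSOR_DIR/Assessor-CLI.sh" ] \
    || { echo "Assessor-CLI.sh not executable in $ASSESSOR_DIR" >&2; return 1; }
  [ -f "$BENCH_DIR/$XCCDF" ] \
    || { echo "XCCDF not found: $BENCH_DIR/$XCCDF" >&2; return 1; }
  # The XCCDF references its OVAL definitions by relative href, so the OVAL file
  # from the same export must sit beside it (assumed name pattern: *-oval.xml).
  ls "$BENCH_DIR"/*-oval.xml >/dev/null 2>&1 \
    || { echo "OVAL file (*-oval.xml) missing in $BENCH_DIR" >&2; return 1; }
}

# run_scan: copy the benchmark files, disable the platform check that rejects
# Alibaba Cloud Linux 3, then run the Level 1 assessment with text and HTML reports.
run_scan() {
  preflight || return 1
  cp "$BENCH_DIR/$XCCDF" "$BENCH_DIR"/*-oval.xml "$ASSESSOR_DIR/benchmarks/" || return 1
  set_property "$ASSESSOR_DIR/config/assessor-cli.properties" ignore.platform.mismatch true
  (cd "$ASSESSOR_DIR" && ./Assessor-CLI.sh -b "./benchmarks/$XCCDF" -p "Level 1" -txt -html)
}

# Run the scan only when executed directly under the assumed script name.
if [ "${0##*/}" = "run_cis_scan.sh" ]; then
  run_scan
fi
```

Run it as root from the directory that contains Assessor-CLI after installing Java as in step 4; the reports land where CIS-CAT Pro writes them by default, and the summary counts can be compared against the table above.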