Achieving CIS Level 1 Hardening for Linux

This article explores the process of achieving CIS Level 1 hardening for SUSE Linux 15 and Oracle Linux 8, despite the absence of ready-made CIS-hardened images.
Written by Joel Gonsalves

System Administrator at Blue Crystal Solutions

Introduction:

When securing Linux-based servers, adhering to industry standards is crucial for maintaining a robust and resilient infrastructure. The Center for Internet Security (CIS) provides comprehensive benchmarks for hardening Linux systems, including CIS Level 1. However, in certain cases where servers have already been deployed, obtaining ready-made CIS-hardened images may not be feasible. In such scenarios, it becomes necessary to develop scripts for implementing the hardening manually. This article explores the journey of achieving CIS Level 1 hardening for SUSE Linux 15 and Oracle Linux 8, overcoming challenges and utilising tools such as OpenSCAP and Tenable to ensure compliance.

Understanding the Challenge:

The initial requirement was to harden Linux servers based on CIS Level 1 standards. However, CIS had yet to release specific scripts for implementing the hardening on SUSE Linux 15 and Oracle Linux 8. This posed a significant challenge, as the hardening process had to be developed from scratch.

Leveraging OpenSCAP:

After thorough research, the team identified OpenSCAP as a valuable resource for Linux hardening. Test servers were set up, and the OpenSCAP package was installed to access the available scripts for CIS hardening. While this provided a foundation, it was discovered that the provided scripts did not cover all items specified in the CIS standards.

Identifying Gaps and Customising Scripts:

To bridge the gaps in the hardening process, a careful review of the existing scripts was conducted. By comparing the scripts against the CIS standards and using tools like Tenable, the team gained insights into the vulnerabilities and areas where the existing scripts fell short. The scripts were customised and refined based on these findings to cover the remaining CIS requirements.

Testing and Reporting:

Testing the effectiveness of the hardening measures is a crucial step in ensuring compliance. A reporting tool was unavailable for the servers associated with one client (Comviva). To address this, a prebuilt script was utilised, which generated a text-based report. This report provided insights into the gaps that needed to be addressed within the CIS script for Comviva’s servers.

Iterative Improvement:

Using the reports generated by Tenable for one client and the text-based report for Comviva, the team could identify specific areas where the scripts needed refinement. These findings were then used to update the scripts iteratively, ensuring that all necessary security measures were implemented to meet CIS Level 1 standards.
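
The comparison between two scan iterations described above can be automated. The following is an added example, not part of the original article or the team's scripts: it parses two XCCDF 1.2 results documents (the format `oscap xccdf eval --results` writes) and classifies each rule across runs. The rule ids and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"   # XCCDF 1.2 namespace
BAD = {"fail", "error", "unknown"}               # results that still need work

def parse_results(xml_text):
    """Return {rule id: result} for every <rule-result> in the document."""
    results = {}
    for rr in ET.fromstring(xml_text).iter("{%s}rule-result" % XCCDF):
        res = rr.find("{%s}result" % XCCDF)
        text = res.text.strip() if res is not None and res.text else "unknown"
        results[rr.get("idref")] = text
    return results

def compare_runs(before, after):
    """Classify each rule of the later scan against the earlier one."""
    report = {"fixed": [], "still_failing": [], "regressed": [], "unverified": []}
    for rule, now in sorted(after.items()):
        was = before.get(rule)
        if now in BAD:
            # A rule that passed before and fails now was broken by a change.
            report["regressed" if was == "pass" else "still_failing"].append(rule)
        elif now == "pass" and was in BAD:
            report["fixed"].append(rule)
        elif now == "notchecked":
            report["unverified"].append(rule)    # no automated check: review by hand
    return report

def make_doc(results):
    """Build a constructed results document from {rule id: result}."""
    rows = "".join('<rule-result idref="%s"><result>%s</result></rule-result>' % kv
                   for kv in results.items())
    return ('<Benchmark xmlns="%s"><TestResult id="constructed">%s'
            '</TestResult></Benchmark>' % (XCCDF, rows))

# Constructed sample data: hypothetical rule ids, not real benchmark identifiers.
RUN_1 = make_doc({"example_rule_sshd_disable_root_login": "fail",
                  "example_rule_password_min_length": "fail",
                  "example_rule_tmp_nodev": "pass",
                  "example_rule_banner_text": "notchecked",
                  "example_rule_auditd_enabled": "pass"})
RUN_2 = make_doc({"example_rule_sshd_disable_root_login": "pass",
                  "example_rule_password_min_length": "fail",
                  "example_rule_tmp_nodev": "fail",
                  "example_rule_banner_text": "notchecked",
                  "example_rule_auditd_enabled": "pass"})

if __name__ == "__main__":
    for bucket, rules in compare_runs(parse_results(RUN_1), parse_results(RUN_2)).items():
        print(bucket, rules)
```

The `regressed` bucket is the one to watch between iterations: it lists rules that a later script change broke after they had already passed.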

Achieving CIS Level 1 Standard:

Despite the challenges, the team successfully reached a point where the deployed servers for multiple clients met the stringent CIS Level 1 standards. By leveraging OpenSCAP, customised scripting, and iterative improvements based on testing and reporting, the Linux servers were hardened, providing enhanced security and compliance.

Conclusion:

Implementing CIS Level 1 hardening for already deployed Linux servers requires meticulous planning and resourceful problem-solving. By leveraging tools like OpenSCAP and reporting tools such as Tenable, or a text-based report where no reporting tool is available, it is possible to identify and address the gaps in the hardening process. Through continuous refinement and customisation, the team achieved the desired level of security, providing clients with servers that meet the rigorous CIS Level 1 standards.
