For many organizations, a compliant operating system is the backbone of their cloud strategy. In this blog, we will examine compliant images and virtual machines, tools for maintaining compliance, and automation methods.
First, let’s define compliant operating systems and virtual machine images. A compliant operating system is any operating system that meets specific standards established by an entity. For example, if an organization wanted to create a CIS-compliant operating system, it would need to meet the standards set forth by the Center for Information Security, whose sole purpose is to “create confidence” in the connected world. A virtual machine image (VMI or image for short) is a bootable copy of the operating system of a virtual machine in the cloud. In other words, it is a “portable” master template of a virtual machine that can then be used to create other identical virtual machines. For example, if an organization was running a Linux virtual machine in AWS, they could take a copy of the instance (called an Amazon Machine Image or AMI) and then deploy more virtual machines from this image. The ability to create images in the cloud allows organizations like CIS to offer “hardened” (operating systems that have been pre-configured to meet robust security recommendations and benchmarks) images in cloud marketplaces and provide secure, on-demand, and scalable computing environments in the cloud. It also provides organizations the ability to create their own hardened images from scratch through virtual machine compliance testing. We will look at some of those strategies now.
Arsenal at your disposal
In an ever-changing cyber threat landscape, it is hard to keep an operating system compliant, and that is why it is so critical to utilize scanning tools on a consistent basis. One tool in particular that I’d like to highlight is Tenable Nessus Pro’s “Compliance Audit Scanning” feature that allows its users to download compliance audit files for various operating systems (for the purposes of this example, we will highlight CIS’s Amazon Linux 2 v2.0.0 L2). Once this audit file is downloaded, users then provide the IP address and SSH credentials of the target virtual machine they would like to scan in their cloud environment. Nessus Pro then scans for compliance against CIS standards for an AWS EC2 instance running Linux and assigns a score from 0 – 100. Nessus Pro also provides detailed resolutions for failed compliance checks (for example, disabling IPv6 or DCCP) and making them compliant. In this example, an organization could go through the process of making this VM 100% compliant and then making an image from this 100% machine and launching all subsequent instances from this image.
There’s actually a term for this 100% image called a “Golden Image” which is an image that contains the latest security patches, software, configuration, and software agents that you need to install for logging, security maintenance, and performance monitoring. In other words, the Golden Image is the Image that an organization has configured to behave as it wants all of its application instances to behave and if VMI’s were children it would be the organizations favorite son. It’s worth mentioning one final point about compliance scanning and Golden Images. Although I mentioned earlier that it’s hard to keep an OS compliant and is critical to utilize scanning tools, it is even more critical to scan for compliance. Organizations need to adopt a fluid mindset when it comes to compliance checks, as scores can (and will) change quickly, and a virtual machine that was 100% compliant could quickly see a dip in its compliance score. As a result, if the organization’s Golden Image was built off of this VM it could change as well.Tools for Automating Creation of Compliant OS
The first tool we will look at is Hashicorp’s Packer which is an open-source tool that makes it simple to automate the provisioning of virtual machines without manual configuration by making machine images from source configuration. Packer works by taking the source machine image and using that as the foundation to automatically launch a virtual machine in your cloud environment. Packer will then create an image of that virtual machine, keeping your source machine image as the base and you will get the final image. With Packer, organizations could spin up a virtual machine, scan it with a compliance scanner, assess the compliance checks and, harden the instance, and make an image from this instance. This image could then be used as the “source image” in a Packer deployment.
Another useful tool is Ansible, which is a configuration management tool that you can combine with scanner tools like Nessus to automate compliance scan remediation on failures. For example, recall the failed compliance check that was mentioned earlier about not having IPv6 disabled in a virtual machine. Now imagine receiving that same failed check for hundreds or thousands of machines in your cloud environment. Although you could manually go through the process of fixing this failed check for each machine, the more efficient option would be to create a playbook in Ansible and run shell commands to disable IPv6 for your machines automatically.
The final tool category I’d like to discuss is CI/CD, which includes tools like GitHub actions or Jenkins. CI/CD tools (continuous integration and continuous deployment) are perfect for making changes to code that are then automatically tested and pushed out for delivery and deployment. For example, you could couple a CI/CD tool with Packer and Ansible to automate a Golden image/compliant operating system. Let’s see how:
-
-
- Scan a virtual machine for compliance with a scanner tool.
- Harden the virtual machine by remediating failed checks with an Ansible playbook.
- Create an image (Golden Image) from this hardened machine.
- Use this hardened image as the source image for a packer deployment.
- Use a code repository like GitHub as your source code management for your Packer deployment.
- Utilize your CI/CD tool to initiate a build job with your packer code stored on GitHub.
-
In Conclusion
Although they can be difficult to implement, time-consuming, and rather expensive, a compliant operating system is a non-negotiable that every organization needs. Whether it’s a mom-and-pop store looking to harden its current machines or a Fortune 500 company requiring FIPS-hardened operating systems to achieve a specific level of CMMC compliance, any organization that is serious about strengthening its cybersecurity programs should make compliant operating systems a priority. In fact, in industries like the healthcare industry, there can be legal and financial ramifications for non-compliance (for example, using an OS that is not in compliance with HIPAA).
The peace of mind in knowing that your OS is secure and up-to-date and also in protecting your workloads is invaluable for organizations operating in a continually evolving cyber landscape. And if you are an organization that does not want to go through the process of creating compliant images for the cloud (or building out the automation process as was discussed in this blog), then you can utilize cloud marketplaces where you can find already hardened images from verified providers. Whichever route organizations choose, the most important thing to remember is that maintaining compliance is a must.
