Introduction
The NetFoundry VM is a vehicle for delivering a wide variety of virtual networking functions, e.g. hosting Services that are reachable by assigned network interfaces, an Edge Router for Endpoints, and a gateway tunneler for attached subnets. The VM may be obtained by adding a customer-hosted Edge Router in the web console and clicking the "get the VM" button. Learn more by reading the main article about Edge Routers.
To secure the VM we apply the CIS Benchmarks for Ubuntu, with the exceptions listed below. We recognize that you may need to apply your own enterprise security standards to VMs launched in your environment. The VM image is hardened during creation by Ansible playbook automation to ensure consistency, and the latest updates are applied each time the images are produced.
All images are configured with the Ubuntu unattended-upgrades feature enabled, so the Edge Router downloads and installs any required security patches available for the node. We disable the automatic reboot so that it cannot trigger operational problems; customers should be aware of this and meet their internal policy requirements. Under normal circumstances such reboots are not generally required, as the nodes run in standalone mode without general users, running only NetFoundry software, so exposure to any vulnerabilities is very limited.
Exceptions
- 1.1.2-1.1.14: Rather than have separate partitions for the various logs and similar paths, we use a combination of remote logging to ElasticSearch and monitoring of file space usage via ElasticSearch's Beats architecture to an alarmed system. Multiple partitions are difficult to manage in an easily digested manner on cloud images, and this precludes setting partition mount options such as noexec, nosuid, etc.
  Note: Virtual images provided for on-premise installation do provide these settings.
- 1.1.1.7: The UDF filesystem is required by some cloud providers for initial boot configuration loading;
- 1.4.2: A bootloader password has no significance in a cloud-based virtual instance;
- 1.4.3: Single user mode has no meaning in a cloud-based virtual instance;
- 3.4.2: Ensure hosts.allow is configured - We require possible access from anywhere, so we allow all;
- 3.6.2-3.6.5: We do not follow the Benchmark precisely, using firewalld instead of iptables;
- 4.2.1.2-4: Ensure rsyslog is configured to send logs to a remote log host - Since we use Filebeat for this functionality, we do not configure rsyslog to send to a remote host;
- 4.4: We do not change the log rotation permissions;
- 5.4.1.1, 5.4.1.2, 5.4.1.4, 5.4.5: By default the password settings are disabled: no expiration, no minimum days between changes, and no lock on inactivity. These can be changed by the user.
- 5.5: Ensure root login is restricted to system console - There is no system console on an AWS image, and root cannot SSH in;
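The two items above that a customer is most likely to revisit are the unattended-upgrades posture from the Introduction (patches installed automatically, reboots never triggered by apt) and the password-aging and root-login exceptions (5.4.1.1, 5.4.1.2, 5.4.1.4 and 5.5). The following is an added POSIX shell example, not part of this article or of NetFoundry's tooling, that audits both against constructed sample copies of /etc/apt/apt.conf.d/20auto-upgrades, 50unattended-upgrades, /etc/login.defs, /etc/default/useradd and /etc/ssh/sshd_config placed under a temporary root. The directive names are the real apt and Ubuntu ones; the function names and the aging thresholds in check_login_policy are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not NetFoundry's tooling: an offline audit of the settings the
# article discusses (unattended-upgrades with reboots disabled, and the password
# aging / root-login items left at Ubuntu defaults). It runs against constructed
# sample config files under $ROOT; set ROOT=/ to audit a real host instead.
set -eu

ROOT="${ROOT:-$(mktemp -d)}"

# Write constructed sample files that mirror what the article describes.
write_sample_config() {
    mkdir -p "$ROOT/etc/apt/apt.conf.d" "$ROOT/etc/default" "$ROOT/etc/ssh"
    printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
                  'APT::Periodic::Unattended-Upgrade "1";' \
        > "$ROOT/etc/apt/apt.conf.d/20auto-upgrades"
    printf '%s\n' '// Patches install on their own, but apt never reboots the node' \
                  'Unattended-Upgrade::Automatic-Reboot "false";' \
        > "$ROOT/etc/apt/apt.conf.d/50unattended-upgrades"
    printf '%s\n' '# Ubuntu defaults: password aging effectively disabled' \
                  'PASS_MAX_DAYS 99999' 'PASS_MIN_DAYS 0' \
        > "$ROOT/etc/login.defs"
    printf '%s\n' 'INACTIVE=-1' > "$ROOT/etc/default/useradd"
    printf '%s\n' 'PermitRootLogin no' > "$ROOT/etc/ssh/sshd_config"
}

# Value of an apt.conf directive written as   Name "value";   (last one wins).
apt_conf_value() {  # $1 = file, $2 = directive
    sed -n "s/^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\";.*/\1/p" "$1" | tail -n 1
}

# Value of a KEY VALUE or KEY=VALUE line, skipping '#' comments (last one wins).
# Good enough for login.defs, default/useradd and a flat sshd_config; on a real
# host prefer `sshd -T` for SSH, since Match blocks and Includes are not handled.
kv_value() {  # $1 = file, $2 = key
    awk -v k="$2" -F '[ \t=]+' '
        { sub(/^[ \t]+/, "") }
        /^#/ { next }
        $1 == k { v = $2 }
        END { print v }' "$1"
}

# Succeeds when patches are fetched and installed automatically but apt never
# reboots the node, which is the posture described in the introduction.
check_unattended_upgrades() {
    periodic="$ROOT/etc/apt/apt.conf.d/20auto-upgrades"
    uu="$ROOT/etc/apt/apt.conf.d/50unattended-upgrades"
    lists=$(apt_conf_value "$periodic" 'APT::Periodic::Update-Package-Lists')
    upgrade=$(apt_conf_value "$periodic" 'APT::Periodic::Unattended-Upgrade')
    reboot=$(apt_conf_value "$uu" 'Unattended-Upgrade::Automatic-Reboot')
    printf 'update-lists=%s unattended-upgrade=%s automatic-reboot=%s\n' \
        "${lists:-unset}" "${upgrade:-unset}" "${reboot:-unset(defaults to false)}"
    [ "$lists" = 1 ] && [ "$upgrade" = 1 ] && [ "${reboot:-false}" = false ]
}

# Succeeds only when password aging is enforced and root cannot log in over SSH.
# The thresholds (365 / 1 / 30 days) are this example's assumptions for CIS
# items 5.4.1.1, 5.4.1.2 and 5.4.1.4; check them against your benchmark version.
check_login_policy() {
    max=$(kv_value "$ROOT/etc/login.defs" PASS_MAX_DAYS)
    min=$(kv_value "$ROOT/etc/login.defs" PASS_MIN_DAYS)
    inactive=$(kv_value "$ROOT/etc/default/useradd" INACTIVE)
    root_ssh=$(kv_value "$ROOT/etc/ssh/sshd_config" PermitRootLogin)
    printf 'PASS_MAX_DAYS=%s PASS_MIN_DAYS=%s INACTIVE=%s PermitRootLogin=%s\n' \
        "${max:-unset}" "${min:-unset}" "${inactive:-unset}" "${root_ssh:-unset}"
    # Missing keys fall back to the Ubuntu defaults (INACTIVE=-1 means no lock).
    [ "${max:-99999}" -le 365 ] && [ "${min:-0}" -ge 1 ] &&
        [ "${inactive:--1}" -ge 0 ] && [ "${inactive:--1}" -le 30 ] &&
        [ "${root_ssh:-yes}" = no ]
}

# Enforce aging in the sample files (on a real host edit the same files, then
# apply the values to existing accounts with `chage`; new accounts inherit them).
set_password_aging() {  # $1 = PASS_MAX_DAYS, $2 = PASS_MIN_DAYS, $3 = INACTIVE
    f="$ROOT/etc/login.defs"
    sed -e "s/^PASS_MAX_DAYS[[:space:]].*/PASS_MAX_DAYS $1/" \
        -e "s/^PASS_MIN_DAYS[[:space:]].*/PASS_MIN_DAYS $2/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    f="$ROOT/etc/default/useradd"
    sed -e "s/^INACTIVE=.*/INACTIVE=$3/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

write_sample_config
check_unattended_upgrades && echo 'unattended-upgrades: OK (patches on, reboots off)'
if check_login_policy; then echo 'login policy: OK'
else echo 'login policy: Ubuntu defaults, aging not enforced (as the exception states)'; fi
set_password_aging 365 1 30
check_login_policy && echo 'login policy after enforcing aging: OK'
```

Run as-is it reports the shipped posture (unattended-upgrades passing, aging failing), then shows the aging check passing once the values are set. Against a real node, run with ROOT=/ and drop the write_sample_config call; for the SSH item, `sshd -T` gives the effective value and `chage -l <user>` the aging actually applied to an existing account.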