CIS Compliance for the NetFoundry VM

Introduction

The NetFoundry VM is a vehicle for delivering a wide variety of virtual networking functions, e.g. hosting Services that are reachable by assigned network interfaces, acting as an Edge Router for Endpoints, and serving as a gateway tunneler for attached subnets. The VM may be obtained by adding a customer-hosted Edge Router in the web console and clicking the "get the VM" button. Learn more by reading the main article about Edge Routers.

To secure the VM, we apply the CIS Benchmarks for CentOS and Ubuntu with the exceptions listed below. We recognize that you may need to apply your own enterprise security standards to VMs launched in your environment. The VM image is hardened with an open source Ansible playbook published and maintained by MindPoint Group, available at https://github.com/MindPointGroup/RHEL7-CIS.

Exceptions

  • 1.1.2-1.1.14: Rather than using separate partitions for logs and other directories, we rely on a combination of remote logging to Elasticsearch and monitoring of file space usage, via Elasticsearch's Beats architecture, feeding an alarmed system;
  • 1.1.1.7: The UDF filesystem is required by some cloud providers to load the initial boot configuration;
  • 1.4.2: A bootloader password has no significance for a cloud-based virtual instance;
  • 1.4.3: Single-user mode has no meaning for a cloud-based virtual instance;
  • 3.4.2 (Ensure hosts.allow is configured): We require that access be possible from anywhere, so we allow all;
  • 3.6.2-3.6.5: We do not follow the Benchmark precisely here, using firewalld instead of iptables;
  • 4.2.1.2-4 (Ensure rsyslog is configured to send logs to a remote log host): Since we use Filebeat for this functionality, we do not configure rsyslog to forward to a remote host;
  • 5.3.X: We do not allow password-only access, so these controls are not applicable;
  • 5.5 (Ensure root login is restricted to system console): There is no system console on an AWS image, and root cannot log in over SSH.
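
The two SSH-related exceptions (5.3.X and 5.5) rest on the image's sshd configuration actually disabling password authentication and root login. The following audit script is an added example, not NetFoundry's or MindPoint Group's code; it reads the effective global value of each keyword from an `sshd_config` file, respecting that sshd honours the first occurrence of a keyword and that settings inside `Match` blocks are conditional, and runs against two constructed sample configs.

```shell
#!/bin/sh
# Added example (not part of the NetFoundry image): audit the SSH posture
# the exceptions above assume. Root must not be able to log in over SSH
# (5.5) and password-only authentication must be off (5.3.X).
# sshd uses the FIRST occurrence of a keyword, so later duplicates are
# ignored, and values inside Match blocks are conditional, so the scan
# stops at the first Match line. Defaults follow OpenSSH 7.0+.

# Print the effective global value of KEY in FILE, or DEFAULT if unset.
sshd_value() {
    file=$1; key=$2; default=$3
    val=$(awk -v k="$key" '
        /^[[:space:]]*Match[[:space:]]/ { exit }       # stop at first Match block
        /^[[:space:]]*#/ || NF == 0 { next }           # skip comments and blanks
        tolower($1) == tolower(k) { print $2; exit }  # first occurrence wins
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# Return 0 when FILE matches the documented posture, 1 otherwise,
# printing one line per failing check.
check_ssh_posture() {
    file=$1; rc=0
    root=$(sshd_value "$file" PermitRootLogin prohibit-password)
    pass=$(sshd_value "$file" PasswordAuthentication yes)
    [ "$root" = no ] || { echo "FAIL 5.5: PermitRootLogin is '$root', expected no"; rc=1; }
    [ "$pass" = no ] || { echo "FAIL 5.3: PasswordAuthentication is '$pass', expected no"; rc=1; }
    return $rc
}

# Constructed sample configs (not taken from any real VM image).
GOOD=$(mktemp); BAD=$(mktemp)
cat >"$GOOD" <<'EOF'
# hardened image
Protocol 2
PermitRootLogin no
PasswordAuthentication no
EOF
cat >"$BAD" <<'EOF'
PasswordAuthentication yes
# the later "no" is ignored by sshd: first occurrence wins
PasswordAuthentication no
Match User backup
    PermitRootLogin no
EOF

check_ssh_posture "$GOOD" && echo "good config: compliant"
check_ssh_posture "$BAD" || echo "bad config: non-compliant, as expected"
```

On a running host, `sshd -T` prints the fully resolved configuration and is the authoritative source; this script is for auditing image files offline, where sshd is not running.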