We use the CIS Benchmark for CentOS 7 v2.1.1, with the exceptions listed below, to secure our gateways before they are delivered to you.
We recognize that you may need to apply your own enterprise security standards to gateways installed on your network. Our software is robust; however, if you encounter problems with our product after making changes, please reach out to our support team for assistance.
- 1.1.2-1.1.14: Rather than maintaining separate partitions for logs and other variable data, we use a combination of remote logging to Elasticsearch and monitoring of disk-space usage through Elasticsearch's Beats architecture, feeding an alarmed system;
- 126.96.36.199: The UDF filesystem is required by some cloud providers to load the initial boot configuration;
- 1.4.2: A bootloader password has no significance in a cloud-based virtual instance;
- 1.4.3: Single-user mode has no meaning in a cloud-based virtual instance;
- 3.4.2: Ensure hosts.allow is configured: access may be required from anywhere, so we allow all hosts;
- 3.6.2-3.6.5: We do not follow the Benchmark precisely here, because we use firewalld rather than iptables;
- 188.8.131.52-4: Ensure rsyslog is configured to send logs to a remote log host: since filebeat provides this functionality, we do not configure rsyslog to forward to a remote host;
- 5.3.X: We do not allow password-only access, so these controls are not applicable;
- 5.5: Ensure root login is restricted to system console: there is no system console on an AWS image, and root cannot log in over SSH.
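A customer applying their own standards will usually want to confirm which of the deviations above are actually present on a delivered image before reconciling them with their own policy. The following POSIX shell script is an added example, not part of the vendor's documentation or tooling: it reads the standard CentOS 7 configuration paths (modprobe.d, hosts.allow, rsyslog.conf, sshd_config, firewalld.conf) and classifies each control the exceptions list touches. The `ROOT` variable is this example's own convention so the same checks can run against a mounted image or a constructed test tree; the check names and output words are likewise assumptions of this example.

```shell
#!/bin/sh
# Classify a CentOS 7 image against the controls named in the exceptions list above.
# ROOT (example convention) prefixes every path, so a mounted image or a test tree
# can be audited; empty ROOT audits the running system.
ROOT="${ROOT:-}"

# UDF filesystem: "disabled" when modprobe.d neutralises the module with
# "install udf /bin/true" (the benchmark remediation), otherwise "enabled".
udf_mount_state() {
    if grep -qsE '^[[:space:]]*install[[:space:]]+udf[[:space:]]+/bin/(true|false)' \
        "$ROOT"/etc/modprobe.d/*.conf 2>/dev/null; then
        echo disabled
    else
        echo enabled
    fi
}

# 3.4.2 hosts.allow: "wildcard" when an "ALL: ALL" rule is present (the documented
# exception), "restricted" when only narrower rules exist, "empty" when the file has
# no active rules, "missing" when the file is absent.
hosts_allow_policy() {
    f="$ROOT/etc/hosts.allow"
    [ -f "$f" ] || { echo missing; return; }
    if grep -qE '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$f"; then
        echo wildcard
    elif grep -qE '^[[:space:]]*[^#[:space:]]' "$f"; then
        echo restricted
    else
        echo empty
    fi
}

# Remote log host: "yes" when any uncommented rsyslog rule forwards to "@host" or
# "@@host"; "no" otherwise (the exceptions list expects "no", with filebeat shipping logs).
rsyslog_remote_forwarding() {
    if grep -qsE '^[^#]*[[:space:]]@{1,2}[[:alnum:]]' \
        "$ROOT"/etc/rsyslog.conf "$ROOT"/etc/rsyslog.d/*.conf 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# 5.5 (root over SSH): effective PermitRootLogin value. sshd honours the first
# occurrence, and the compiled-in default is "yes" when the directive is absent.
sshd_permit_root_login() {
    f="$ROOT/etc/ssh/sshd_config"
    v=$(awk 'tolower($1)=="permitrootlogin" {print tolower($2); exit}' "$f" 2>/dev/null || true)
    echo "${v:-yes}"
}

# 3.6.x (firewalld instead of iptables): the configured default zone, "unset" when the
# file has no DefaultZone line, "absent" when firewalld is not configured at all.
firewalld_default_zone() {
    f="$ROOT/etc/firewalld/firewalld.conf"
    [ -f "$f" ] || { echo absent; return; }
    z=$(sed -n 's/^DefaultZone=//p' "$f" | head -n 1)
    echo "${z:-unset}"
}

# Human-readable summary of all five classifications.
audit_report() {
    echo "udf module:               $(udf_mount_state)"
    echo "hosts.allow policy:       $(hosts_allow_policy)"
    echo "rsyslog remote forwarding: $(rsyslog_remote_forwarding)"
    echo "sshd PermitRootLogin:     $(sshd_permit_root_login)"
    echo "firewalld default zone:   $(firewalld_default_zone)"
}

audit_report
```

Run it as `ROOT=/mnt/image sh audit.sh` against a mounted image, or with no `ROOT` on the gateway itself; each line of the report maps directly to one bullet in the exceptions list, so a reviewer can see at a glance whether the image matches what the vendor documents (for example `hosts.allow policy: wildcard` and `rsyslog remote forwarding: no`) before deciding whether their own standard requires a change.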