System hardening is the process of securing a system by modifying its “out of the box” configuration to reduce the attack surface. This task can be a bit overwhelming if you are not sure where to start. Luckily, the Center for Internet Security (CIS) has drafted what it calls Benchmarks. These Benchmarks provide a comprehensive list of configuration recommendations, broken out into two levels (Level 1 and Level 2), for most available Operating Systems (OS).
If you are interested in implementing the CIS Benchmarks for your systems, download them here — they’re free! Spin up a free tier server in AWS and start playing! I would recommend sticking to the Level 1 configuration recommendations to start with, as you are less likely to break a necessary part of the configuration and/or lock yourself out. Each configuration recommendation provides a Scoring, Profile Applicability, Description, Rationale, Audit, and Remediation section. These sections provide a great amount of detail for each configuration so that you have a thorough understanding of the recommendation before accepting it as part of your baseline.
Most systems come pre-configured with settings and protocols that are not recommended for use and should be disabled. This is all part of the system hardening process. Let’s look at an example Level 1 configuration recommendation for Ubuntu 16.04 LTS: section 2.3.4, Ensure telnet client is not installed (Scored). Below is a screenshot taken directly from the Benchmark so we can walk through testing:
As you can see, the Audit section explains exactly what command you need to type to verify that the telnet client is not ‘installed’. When the below command is run on an “out of the box” Ubuntu 16.04 LTS AMI, the following output is generated:
We have determined that the telnet client is in fact ‘installed’ by default, because the ‘dpkg -s telnet’ command returned package information. Now, if we follow the Remediation step above, we can be confident that running the ‘apt-get remove telnet’ command will uninstall the telnet client, so let’s try it:
We see that the ‘apt-get remove telnet’ command ran successfully, so let’s verify that the telnet client is no longer installed. To do so, simply rerun the Audit command ‘dpkg -s telnet’; the output now states that the package is uninstalled.
Each configuration recommendation provides you with an Audit and Remediation section so that you can verify each configuration item and its output, like the one demonstrated above.
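The Audit step above boils down to reading the output of ‘dpkg -s’. The following script is an added example (it is not from the Benchmark or the original post) that turns that check into a reusable audit function for any package: it parses the ‘Status:’ line and treats only ‘install ok installed’ as installed, because after ‘apt-get remove’ (without ‘--purge’) dpkg can still report the package in a ‘deinstall ok config-files’ state. The function and variable names are my own, and the sample dpkg outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the CIS Benchmark or the original post.
# Reusable CIS-style "ensure <package> is not installed" audit for Debian/Ubuntu.

# pkg_status_from_output DPKG_OUTPUT
#   Classifies captured `dpkg -s <pkg>` stdout as "installed" or "not-installed".
#   Only "Status: install ok installed" counts as installed; a package removed with
#   `apt-get remove` (no --purge) shows "Status: deinstall ok config-files" and an
#   unknown package produces no stdout at all (dpkg prints the error on stderr).
pkg_status_from_output() {
  status_line=$(printf '%s\n' "$1" | grep '^Status:' | head -n 1)
  case "$status_line" in
    "Status: install ok installed") echo installed ;;
    *) echo not-installed ;;
  esac
}

# audit_package_not_installed PKG
#   Runs the real Audit command and prints PASS/FAIL in the Benchmark's terms.
#   Returns 0 on PASS, 1 on FAIL; the Remediation hint mirrors section 2.3.4.
audit_package_not_installed() {
  pkg=$1
  out=$(dpkg -s "$pkg" 2>/dev/null) || out=""
  if [ "$(pkg_status_from_output "$out")" = installed ]; then
    echo "FAIL: $pkg is installed (remediation: apt-get remove $pkg)"
    return 1
  fi
  echo "PASS: $pkg is not installed"
  return 0
}

# Constructed sample outputs (hypothetical; used for self-checks, not captured from a host).
SAMPLE_INSTALLED='Package: telnet
Status: install ok installed
Priority: standard
Section: net'
SAMPLE_REMOVED='Package: telnet
Status: deinstall ok config-files
Priority: standard
Section: net'

# Stand-alone run: audit the packages given as arguments (default: telnet) on a host
# that has dpkg. The loop never propagates a non-zero status; it counts findings instead.
if command -v dpkg >/dev/null 2>&1; then
  failures=0
  for p in "${@:-telnet}"; do
    audit_package_not_installed "$p" || failures=$((failures + 1))
  done
  echo "audit complete: $failures finding(s)"
fi
```

Run it as ‘sh audit.sh telnet’ (or with several package names) on the instance; a PASS line for each package is the same evidence the Benchmark asks for in its Audit section, and it is safe to run repeatedly since it makes no changes.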
Another option to verify that configuration change(s) are successful is to do a baseline Amazon Inspector scan prior to making any changes to a system. Below is an example of a baseline AWS CIS – Ubuntu 16.04 Inspector assessment that was run prior to making the above change to uninstall the telnet client.
You will see that there was a High severity finding, 2.3.4 Ensure telnet client is not installed, that detected that the telnet client was installed:
After the configuration change was made to uninstall the telnet client, a second AWS CIS – Ubuntu 16.04 Inspector assessment was run against the same system. You can see below that item 2.3.4, Ensure telnet client is not installed, is no longer listed as a finding:
If you are interested in hardening your systems but don’t have the staff, knowledge, or time, the AWS Marketplace has several common OS Amazon Machine Images (AMIs) that are hardened to the Level 1 or Level 2 Benchmarks and that you can deploy for an additional hourly cost. Or give us a ring, we can get you started!