Title: System Hardening for Infrastructure as a Service (IaaS)
Authors: T. Rose, Xiaobo Zhou
DOI: 10.1109/SSS47320.2020.9174202 (https://doi.org/10.1109/SSS47320.2020.9174202)
Venue: 2020 IEEE Systems Security Symposium (SSS)
Publication date: 2020-07-01
Citations: 1
Abstract
Reduce the attack vector! Minimize risk! When discussing the topic of system hardening, the goal is to lock down the system to make it more difficult for a hacker to break in. There exist a number of hardening standards for a variety of applications and products, but perhaps the first stop should be the operating system itself. We examine system hardening in a cloud environment to assess whether standard operating system hardening benchmarks are applicable in a cloud virtual machine. Five case studies of large-scale security breaches are analyzed to determine which system hardening benchmarks would have mitigated and possibly prevented the various attacks. These examples serve as a reminder of the importance of system hardening in general, and the IaaS consumer must protect the portion of the environment under their control and responsibility. Two industry standard benchmarks (CIS and STIG) are discussed, and STIG is implemented on an AWS EC2 instance running Red Hat Enterprise Linux 7. After evaluating 207 scripted benchmarks, we recommend and pass 195, leaving only 12 failed items, which form the basis of discussion for this paper. These failed items include five false positives, one known bug and two exemptions, subsequently raising our compliance score to 98%. In a real-world audit, the remaining four failed items would be scrutinized for compensating controls or strong justification for a process exemption.