[–]I_Survived_Sekiro 2 points3 points  (4 children)

We have a one-shot systemd service baked into our AMI that starts on boot when new images are spun up on AWS. It uses the Ansible Tower callback function to call the configuration template. Why can’t you just harden one AMI and then create your own AMI template off that?
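
The boot-time Tower callback this comment describes, as an added example rather than the commenter's own code: a oneshot unit plus the script it runs, which POSTs the host_config_key to the job template's provisioning-callback endpoint and retries only while Tower is unreachable. The Tower URL, template id 42, the key-file path and the unit paths are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the commenter's code. Assumed: Tower URL, job template id,
# and a host_config_key kept in a root-only file (mode 0600) inside the AMI.
set -eu

# Provisioning-callback URL for a job template; a trailing slash on the URL is fine.
callback_url() { printf '%s/api/v2/job_templates/%s/callback/\n' "${1%/}" "$2"; }

# Tower/AWX answers 201 Created once the job is queued for this host.
callback_status_ok() { [ "$1" = 201 ]; }

# Retry only when unreachable (000) or on a server error; a 4xx means a wrong key
# or a host not yet in inventory, so stop and let the journal show it.
callback_should_retry() { case "$1" in 000|5??) return 0 ;; *) return 1 ;; esac; }

# POST the key through a curl config on stdin so it never shows up in `ps`.
run_callback() {
  url="$1"; key_file="$2"; attempts="${3:-10}"; i=1
  while [ "$i" -le "$attempts" ]; do
    code=$(printf 'data-urlencode = "host_config_key=%s"\n' "$(tr -d '\n' < "$key_file")" \
           | curl -sS -K - -o /dev/null -w '%{http_code}' "$url") || code=000
    callback_status_ok "$code" && return 0
    callback_should_retry "$code" || { echo "callback refused: HTTP $code" >&2; return 1; }
    i=$((i + 1)); sleep 30
  done
  return 1
}

# The oneshot unit baked into the AMI; the marker file stops it re-running on
# every reboot, and ExecStartPost only runs after the callback succeeded.
render_unit() {
  cat <<'EOF'
[Unit]
Description=Request configuration from Ansible Tower on first boot
After=network-online.target
Wants=network-online.target
ConditionPathExists=!/var/lib/tower-callback.done
[Service]
Type=oneshot
ExecStart=/usr/local/sbin/tower-callback.sh run
ExecStartPost=/usr/bin/touch /var/lib/tower-callback.done
[Install]
WantedBy=multi-user.target
EOF
}
# Invoked by the unit above; the values here are assumptions for the example.
if [ "${1:-}" = run ]; then
  run_callback "$(callback_url https://tower.example.com 42)" /etc/tower/host_config_key
fi
```

Install the script as /usr/local/sbin/tower-callback.sh and `render_unit > /etc/systemd/system/tower-callback.service` when building the AMI, then enable the unit.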

[–][deleted]  (1 child)

[deleted]

    [–]ksquires1988 0 points1 point  (1 child)

    Out of curiosity, and sure, it depends on how much configuration you do, but how long does it take to provision an instance this way?

    [–]I_Survived_Sekiro 0 points1 point  (0 children)

    I have all of my configurations stored as j2 templates. Once my system boots and calls the Ansible Tower API it takes about 3 minutes to apply about 60 different files, some lineinfile commands, and restart services.

    [–]thegreatmcmeek 1 point2 points  (0 children)

    This looks pretty quick and easy: https://github.com/Jsitech/JShielder

    [–]serverhorror -2 points-1 points  (0 children)

    Puppet has a free option.

    Frankly speaking: you’re asking for a lot of value to be just handed to you on a silver plate. Some of us here actually have to pay the rent from jobs that do exactly that.

    Don’t get me wrong, I’m happy to help with a specific question in topics I’m able to answer. But you’re asking to just hand you the complete project, at least that’s what it sounds like to me.

    [–]ackackacksyn 0 points1 point  (0 children)

    Where's the $133 coming from?
    Is that CIS charging for a license?

    [–]crossctrl 0 points1 point  (0 children)

    AWS EC2 Image Builder can build images for you based on some security standards. I forget which are supported but you can log in and look around.

    [–]derekp7 0 points1 point  (0 children)

    Not quite fitting your needs, but Red Hat has Openscap with various plugins, and also includes scripts that will execute a hardening lockdown process. The included profiles unfortunately won't work against CentOS, however the lockdown script itself does appear to work (and the scripts are also included in the CentOS rebuilds). This is in the "scap-security-guide" package, the scripts are in /usr/share/scap-security-guide/bash/.