As we harden our servers, both the physical servers in the data center and their newer cloud-server siblings, subtle differences between the two affect how hardening compliance is maintained.
As we research the latest rule sets or benchmarks for our needs, we find thousands of rules to apply. Depending on your industry and environment, hundreds of services need to be secured. Some are not used at all and are simply disabled. Others are used day-to-day to keep the solution running; those are configured to eliminate abuse and permit only authorized actions.
There is an obvious third category of risk to secure: the patching mechanism of your operating system. Yum and Zypper use .rpm packages, and Apt uses .deb packages, to keep your system software and ancillary services up to date. These tools keep a database of the dependencies between the software components on your system, and each pulls from external repositories that are updated daily with everything from security bug fixes to feature enhancements.
Patching is a standard function of enterprise IT, there are many tools to help you manage it, and whole strategies develop around this very important function.
The secret is that many hardening standards, including NIST 800, C2S (a CIS fork), CIS Level 1 and more, contain a little-known rule: the system must be patched, by Yum, Apt or Zypper, within a certain period of time. Teams go about hardening their new cloud servers, choose an OS and a version from the vendor, and build a hardened foundation for their servers.
The rub comes when that period ends: every cloud server that was in compliance falls out of compliance, like clockwork. The rule's check actually invokes the Yum update or Apt upgrade routine to determine compliance. These rules stop short of scheduling patching, because patching itself carries operational risk: it manipulates components of a running software solution.
An automated patch could easily be applied to satisfy the compliance finding while immediately putting the operations team at high risk. Updates and their dependencies may change the system substantially and cause software to stop working, slow down or crash, so operations teams never allow unattended patching without exhaustive testing.
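As an added illustration (this is not HardPrime's code, nor an audit script from any of the benchmarks named above), here is a small offline evaluator of the patch-window rule. It parses the captured text of `apt-get -s upgrade`, `/var/log/apt/history.log`, `yum check-update` and `yum history list`, and reports whether a host is inside an assumed 30-day window with nothing left pending. Working from saved evidence rather than invoking the package manager is what keeps a compliance check from turning into the unattended patch run that the operations team will not allow. All sample outputs are constructed, and the window length and pass/fail policy are assumptions rather than values taken from any named standard.

```python
"""Offline evaluation of the 'patched within N days' rule.

Added example for this page, not code from HardPrime or from any benchmark.
Inputs are the captured text of package-manager commands, so this needs
neither root nor network and can run against evidence saved during an audit.
Sample inputs are constructed; the 30-day window is an assumed policy value.
"""
import re
from datetime import date

# "Inst pkg [old] (new origin [arch])" lines from `apt-get -s upgrade`;
# the [old] part is absent for packages pulled in as new dependencies.
APT_INST = re.compile(r"^Inst (\S+) (?:\[(\S+)\] )?\((\S+) (\S+)")
# "Start-Date: YYYY-MM-DD  HH:MM:SS" from /var/log/apt/history.log.
APT_START = re.compile(r"^Start-Date: (\d{4}-\d{2}-\d{2})")
# "name.arch  version  repo" rows from `yum check-update` (exit status 100 when any).
YUM_ROW = re.compile(r"^(\S+\.(?:x86_64|aarch64|i686|noarch))\s+(\S+)\s+(\S+)$")
# "  14 | update -y | 2024-03-01 03:00 | Update | 5" rows from `yum history list`.
YUM_HIST = re.compile(r"^\s*\d+\s*\|[^|]*\|\s*(\d{4}-\d{2}-\d{2})[^|]*\|([^|]*)\|")


def pending_apt(simulated_upgrade):
    """Return [(package, new_version, from_security_pocket)] per 'Inst' line."""
    found = []
    for line in simulated_upgrade.splitlines():
        m = APT_INST.match(line)
        if m:
            pkg, _old, new, origin = m.groups()
            found.append((pkg, new, "-security" in origin))
    return found


def pending_yum(check_update):
    """Return [(package, version, repo)] rows. check-update does not mark
    security errata; that needs `yum updateinfo list security` (not parsed here)."""
    return [m.groups() for m in map(YUM_ROW.match, check_update.splitlines()) if m]


def last_apt_patch(history_log):
    """ISO date of the newest history.log block that upgraded packages, or None."""
    last = current = None
    for line in history_log.splitlines():
        m = APT_START.match(line)
        if m:
            current = m.group(1)
        elif line.startswith("Upgrade:") and current and (last is None or current > last):
            last = current
    return last


def last_yum_patch(history_list):
    """ISO date of the newest `yum history list` row whose action includes an
    Update ('Update' or the abbreviated 'U' in rows like 'I, U'), or None."""
    dates = []
    for line in history_list.splitlines():
        m = YUM_HIST.match(line)
        if m and any(t in ("U", "Update") for t in re.split(r"[,\s]+", m.group(2).strip())):
            dates.append(m.group(1))
    return max(dates) if dates else None  # ISO dates order correctly as strings


def evaluate(pending, last_patch_iso, today_iso, window_days):
    """Assumed policy: compliant only if the last update run is within the
    window AND nothing is pending. Returns (compliant, findings); every finding
    is kept so an auditor sees all problems at once, not just the first."""
    findings = []
    if last_patch_iso is None:
        findings.append("no successful update run recorded in history")
    else:
        age = (date.fromisoformat(today_iso) - date.fromisoformat(last_patch_iso)).days
        if age > window_days:
            findings.append(f"last update {age} days ago exceeds {window_days}-day window")
    if pending:
        findings.append(f"{len(pending)} update(s) pending: " + ", ".join(p[0] for p in pending))
    return not findings, findings


# Constructed sample evidence, not captured from any real host.
APT_SIM = """\
Reading package lists...
Calculating upgrade...
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libssl3 [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-security [amd64])
Conf libssl3 (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-security [amd64])
Inst openssl [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-security [amd64])
Inst vim [2:8.2.3995-1ubuntu2.9] (2:8.2.3995-1ubuntu2.11 Ubuntu:22.04/jammy-updates [amd64])
"""
APT_HISTORY = """\
Start-Date: 2024-01-20  06:15:01
Upgrade: bash:amd64 (5.1-6ubuntu1, 5.1-6ubuntu1.1)
End-Date: 2024-01-20  06:15:09

Start-Date: 2024-02-10  06:15:02
Upgrade: curl:amd64 (7.81.0-1ubuntu1.15, 7.81.0-1ubuntu1.16)
End-Date: 2024-02-10  06:15:11

Start-Date: 2024-03-05  09:02:44
Install: tmux:amd64 (3.2a-4ubuntu0.1)
End-Date: 2024-03-05  09:02:46
"""
YUM_CHECK = """\
Loaded plugins: fastestmirror

openssl.x86_64                 1:1.1.1k-12.el8_9              baseos
kernel.x86_64                  4.18.0-513.24.1.el8_9          baseos
"""
YUM_HISTORY = """\
ID     | Command line              | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
    14 | update -y                 | 2024-03-01 03:00 | Update         |    5
    13 | install tmux              | 2024-02-02 11:42 | Install        |    1
"""


def audit_samples(today_iso="2024-03-12", window_days=30):
    """Run the rule over both sample hosts; returns {"apt": (ok, findings), "yum": ...}."""
    return {
        "apt": evaluate(pending_apt(APT_SIM), last_apt_patch(APT_HISTORY), today_iso, window_days),
        "yum": evaluate(pending_yum(YUM_CHECK), last_yum_patch(YUM_HISTORY), today_iso, window_days),
    }


if __name__ == "__main__":
    for host, (ok, findings) in audit_samples().items():
        print(host, "COMPLIANT" if ok else "NON-COMPLIANT", findings)
```

Note that the apt host's most recent history entry is an install, not an upgrade, and is correctly ignored; its last real upgrade is 31 days old, so it fails on both the window and the three pending packages (two from the security pocket). The yum host is inside the window but still fails on two pending updates. Feeding the evaluator a missing history file yields a finding rather than a silent pass, which is the failure mode to watch for on freshly built images that have never been patched at all.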
HardPrime makes hardening easy to do and easy to repeat. Many organizations add an environment to their workflow: as developers move an application through dev, test, non-prod, staging, QA and production, compliance and hardening teams may need a special integration environment called "canary", as in the canary in the coal mine. Will your application canary survive when you upgrade the coal-mine OS?
HardPrime reduces the time it takes to harden and document golden images, so you can rebuild them more often, as repositories are updated and your compliance policy dictates.