Consider using CIS hardened images

[jemrobinson]

We should check whether the CIS hardened VM images work with our deployments and if they do, consider the costs/benefits.

[martintoreilly]

CIS hardened images for Safe Haven VMs available on Azure

Source: https://www.cisecurity.org/cis-hardened-image-list/

• CIS Ubuntu Linux 18.04 LTS Benchmark
• NGINX
• PostgreSQL
• Windows 2019 Server

CIS Benchmarks

Source: https://www.cisecurity.org/cis-benchmarks/

These are hardening recommendations, not pre-built images.

• Apache HTTP Server
• Apache Tomcat
• Docker
• Google Chrome
• MIT Kerberos
• Microsoft Azure
• Microsoft IIS
• Microsoft SQL Server
• Microsoft Windows Server
• MongoDB
• Mozilla Firefox
• NGINX
• Oracle MySQL
• Palo Alto Networks
• PostgreSQL
• Ubuntu Linux

[martintoreilly]

Bitnami images

Not CIS certified but certified by Bitnami as up-to-date and secure.

• Gitlab CE
• NGINX
• Guacamole
• PostreSQL
• MySQL
• MongoDB

[martintoreilly]

DoD STIGs

US Department of Defence Security Technical Implementation Guides: https://www.stigviewer.com/stigs

These are hardening recommendations, not pre-built images, and include generic STIGs for e.g. Network Security and Remote Access in addition to STIGs for specific operating systems and software.

[JimMadge]

I've had a look at their Ubuntu 18.04 benchmark. Do we know what changes they have implemented in their image? I understand they might not want to protect their work, but it's harder to have confidence when we can't see what they have done.

Some of the recommendations, like having certain 'system' directories on separate partitions, would be hard to replicate ourselves as the default Ubuntu images comes with a standard one-partition layout.