How Secure is Rocky Linux 8?
Introduction
Rocky Linux 8 systems are pretty secure out of the box. New Rocky Linux (RL) 8 installations adhere to industry best practices and conform to the high standards set by the upstream Red Hat Enterprise Linux distribution from which RL is rebuilt.
Fortunately, the high standards set by the upstream distribution mean that Rocky Linux ships with reasonable default configurations.
There are several organizations with more specific and stringent security requirements than those offered out of the box by RL.
This is where independent nonprofit and for-profit organizations and initiatives come into play. These initiatives exist solely for the purpose of verifying and improving the security posture of popular technical products. This helps to take security to the highest levels possible.
One of the common mechanisms by which these organizations do this is by creating or specifying standards, controls and benchmarks for various popular technical products.
Center for Internet Security (CIS)
Established over 20 years ago, the Center for Internet Security, Inc. (CIS) is an independent nonprofit organization committed to making the connected world a safer place. CIS is a community-driven effort with a stated mission of developing, validating, and promoting best practice solutions for securing IT systems and data.
CIS produces the popular CIS Controls® and CIS Benchmarks™ for various products.
CIS Benchmarks provide configuration guidelines across different vendor product categories, designed to safeguard systems against threats. The product categories include operating systems, cloud providers, server software, mobile devices and network devices.
CIS recently compiled and released CIS Benchmarks for the Rocky Linux 8 operating system.
CIS Rocky Linux 8 Benchmark
Version 1 of the CIS Benchmark for Rocky Linux 8 was released on 03-29-2022.
The benchmark targets system and application administrators, security specialists, auditors and other IT support specialists who are responsible for developing, deploying, assessing and securing solutions that incorporate Rocky Linux 8.
CIS benchmark Profile Definitions for Rocky Linux 8
The specific solutions addressed by this CIS benchmark cover 2 different product classes: workstations and servers. Two separate use cases (levels) are then defined within each class. CIS calls these profile definitions. The profiles defined are:
- Level 1 - Server - Designed for use on servers. Intended for practical use cases without inhibiting the utility of the server. This profile provides clear security benefits over new and default RL installations.
- Level 2 - Server - Also intended for use on servers. Intended for use in environments where security is of high importance. When implemented, these Level 2 guidelines have the potential to impact the utility or performance of the technology.
- Level 1 - Workstation - Intended for use on workstations. Intended for practical use cases without inhibiting the utility of the workstation. This profile provides clear security benefits over new and default RL installations.
- Level 2 - Workstation - Designed for use on workstations. Intended for use in environments where security is of high importance. When implemented, these Level 2 guidelines can impact the utility or performance of the workstation.
CIS benchmark recommendation for Rocky Linux 8
The CIS benchmark recommendations for Rocky Linux 8 provide many details that touch on almost every aspect of operating Rocky Linux workstations and servers.
The guidelines cover the following high-level areas:
- Initial Setup
- Services
- Network configuration
- Logging and Audit
- Access, Authentication and Authorization
- System Maintenance
Conclusion
The CIS benchmark recommendations for Rocky Linux 8 systems span over 730 pages. Version 1 of the benchmark contains over 300 detailed recommendations of changes designed to further secure Rocky Linux 8 workstations and servers. These recommendations can help to enforce stringent compliance requirements in high security environments.
For complete details of what’s covered, as well as detailed remediations, please visit the CIS website to get a copy of the guidelines here -