ACK officially supports MLPS compliance hardening for clusters based on the Alibaba Cloud Linux operating system

Introduction: We have implemented MLPS (等保, China's Multi-Level Protection Scheme for cybersecurity) compliance hardening for ACK clusters based on the Alibaba Cloud Linux operating system. This reflects that Alibaba Cloud treats security as a core part of cloud product development and delivery, building compliance into the product's "blood" and security into its "bone marrow", which helps customers with MLPS obligations move to the cloud faster and more easily.

Author:

Mei Sheng is an operating system product expert in the Alibaba Cloud Basic Software Department and works on the productization of Alibaba Cloud Linux.

Bo Ji is an operating system security engineer in the Alibaba Cloud Basic Software Department. He works on security hardening of Alibaba Cloud Linux, CIS hardening, and confidential computing.

Preface


The national standard GB/T 22239-2019, "Information security technology - Baseline for classified protection of cybersecurity", drafted under the lead of the Ministry of Public Security, sets out protection requirements for operating systems at each protection level. At the same time, more and more companies and industries are embracing cloud native and making full use of cloud native infrastructure; cloud native technology is now ubiquitous. As a provider of cloud native services, Alibaba Cloud will continue to develop cloud native technology at high speed, and security is an indispensable part of cloud native. Alibaba Cloud Linux 2 is Alibaba Cloud's official operating system image of choice and the default image of ACK. It provides ACK customers with an MLPS hardening solution that makes using Alibaba Cloud simpler, faster, more stable, and safer. When creating an ACK cluster with Alibaba Cloud Linux 2, the user can enable MLPS security hardening, so that the corresponding hardening items are executed automatically when the cluster is created; this directly meets the operating system requirements of GB/T 22239-2019. For specific usage, refer to: ACK MLPS hardening instructions.


Background knowledge of MLPS


The cybersecurity classified protection system (MLPS) is a basic national policy and system in the field of cybersecurity in China. In 1994, the State Council issued Order No. 147, the "Regulations on the Security Protection of Computer Information Systems". The regulations first stipulated that "computer information systems implement security classified protection", and the concept of classified security protection was born. In 2007 and 2008, the state promulgated the "Administrative Measures for Information Security Classified Protection" and the "Baseline for Information Security Classified Protection"; this is regarded as "MLPS 1.0". To keep pace with new technology and meet the classified protection needs of information systems in cloud computing, the Internet of Things, mobile internet, and industrial control, in 2019 the Ministry of Public Security led the work of elevating the key classified protection standards for these new fields of information technology to national standards, and classified protection officially entered the "MLPS 2.0" era.


The role of ACK MLPS hardening


Currently, ACK clusters use the Alibaba Cloud Linux 2 operating system as the default system image. To let ACK users run an "MLPS-compliant operating system" out of the box, and with the support of the Alibaba Cloud native team, the ACK cluster image based on Alibaba Cloud Linux 2 has been adapted for MLPS compliance on top of the native image, while preserving the native image's compatibility and performance. This frees users from complex hardening operations and cumbersome configuration and gives them an MLPS-compliant operating system environment out of the box. According to the "Baseline for classified protection of cybersecurity (GB/T 22239-2019)", the hardened system meets the following check items:

Check item type | Check item name | Risk level
--- | --- | ---
Identity authentication | Users who log in must be identified and authenticated; identities are unique, and authentication information meets complexity requirements and is changed periodically | High
Identity authentication | When managing the server remotely, necessary measures must be taken to prevent authentication information from being eavesdropped during network transmission | High
Identity authentication | Login failure handling must be provided: configure and enable measures such as ending the session, limiting the number of illegal login attempts, and automatically logging out when a login connection times out | High
Access control | Accounts and permissions must be assigned to users who log in | High
Access control | Default accounts must be renamed or deleted, and the default passwords of default accounts must be changed | High
Access control | Access control granularity must reach the user or process level for subjects and the file or database table level for objects | High
Access control | Redundant and expired accounts must be deleted or disabled promptly, and shared accounts must be avoided | High
Access control | Administrative users must be granted only the minimum permissions they need, so that administrative privileges are separated | High
Access control | Access control policies must be configured by an authorized subject and must specify the subject's access rules to objects | High
Security audit | Audit records must be protected and backed up regularly to prevent unexpected deletion, modification, or overwriting | High
Security audit | Audit records must include the date and time of the event, the user, the event type, whether the event succeeded, and other audit-related information | High
Security audit | The security audit function must be enabled; auditing covers every user and records important user behaviour and important security events | High
Security audit | The audit process must be protected from unexpected interruption | High
Intrusion prevention | Possible known vulnerabilities must be discoverable and, after sufficient testing and evaluation, patched promptly | High
Intrusion prevention | The principle of minimal installation must be followed: install only the required components and applications | High
Intrusion prevention | Unnecessary system services, default shares, and high-risk ports must be closed | High
Intrusion prevention | Intrusions against important nodes must be detectable, with alarms raised when serious intrusions occur | High
Intrusion prevention | Management terminals that manage the system over the network must be restricted by terminal access method or network address range | High
Malicious code prevention | Anti-malware software must be installed, and its version and malicious code signature library must be updated promptly | High

For detailed rule descriptions, refer to the Alibaba Cloud Linux MLPS 2.0 Level 3 image check rules description.


How to use ACK MLPS security hardening


When a user creates an ACK cluster and selects MLPS security hardening on the purchase page, the hardening script runs automatically on every node of the ACK cluster during cluster initialization, and is deleted automatically once hardening completes. For the specific usage method, refer to ACK using the Alibaba Cloud Linux MLPS 2.0 Level 3 version.



  • Note:
  • To meet the requirements of the MLPS 2.0 Level 3 standard, ACK creates three ordinary users, ack_admin, ack_audit, and ack_security, by default in the MLPS-hardened Alibaba Cloud Linux 2 operating system.
  • To meet the requirements of the MLPS 2.0 Level 3 standard, the MLPS-hardened Alibaba Cloud Linux 2 prohibits the root user from logging in through SSH. You can log in to the system through VNC in the ECS console and create an ordinary user that can use SSH. For specific operations, see Logging in to a Linux instance through VNC remote connection.
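
As an added illustration (not part of the original article and not the ACK hardening script itself), the following POSIX shell spot-check verifies a few of the check items listed above on a node: root SSH login disabled, the three hardened accounts present as non-root users, a login-failure lockout configured, and a minimum password length. The thresholds (deny at most 5, minlen at least 8), the PAM file name, and the sample files are assumptions constructed for the example, not values taken from the article.

```shell
#!/bin/sh
# Added spot-check for some MLPS 2.0 Level 3 items. Every function takes a file
# path so it can be pointed at real node files (/etc/ssh/sshd_config,
# /etc/passwd, /etc/pam.d/system-auth, /etc/security/pwquality.conf)
# or at the constructed samples below. Return 0 = pass, 1 = fail.

# sshd uses the first PermitRootLogin value it reads, so check the first match.
check_root_ssh_disabled() {
    v=$(grep -iE '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" | head -n1 |
        awk '{print tolower($2)}')
    [ "$v" = "no" ]
}

# The hardened image creates ack_admin, ack_audit and ack_security as ordinary
# (UID != 0) users; each must be present in the passwd file.
check_ack_users_exist() {
    for u in ack_admin ack_audit ack_security; do
        awk -F: -v u="$u" '$1 == u && $3 != 0 { f = 1 } END { exit !f }' "$1" ||
            return 1
    done
}

# Login-failure handling: an uncommented pam_faillock line with deny=1..5
# (the threshold of 5 is an assumption, not a value from the article).
check_login_failure_limit() {
    grep -qE '^[^#]*pam_faillock\.so.*deny=[1-5]([^0-9]|$)' "$1"
}

# Password complexity: minlen in pwquality.conf must be at least 8 (assumed).
check_password_minlen() {
    n=$(grep -E '^[[:space:]]*minlen[[:space:]]*=' "$1" | tail -n1 |
        sed 's/.*=[[:space:]]*//')
    [ -n "$n" ] && [ "$n" -ge 8 ]
}

# Constructed sample files standing in for a hardened node (not real output).
SAMPLE=$(mktemp -d)
printf 'Port 22\nPermitRootLogin no\nPasswordAuthentication yes\n' > "$SAMPLE/sshd_config"
printf 'root:x:0:0:root:/root:/bin/bash\nack_admin:x:1001:1001::/home/ack_admin:/bin/bash\n' > "$SAMPLE/passwd"
printf 'ack_audit:x:1002:1002::/home/ack_audit:/bin/bash\nack_security:x:1003:1003::/home/ack_security:/bin/bash\n' >> "$SAMPLE/passwd"
printf 'auth required pam_faillock.so preauth silent deny=5 unlock_time=900\n' > "$SAMPLE/system-auth"
printf '# pwquality\nminlen = 10\n' > "$SAMPLE/pwquality.conf"

for c in "check_root_ssh_disabled $SAMPLE/sshd_config" \
         "check_ack_users_exist $SAMPLE/passwd" \
         "check_login_failure_limit $SAMPLE/system-auth" \
         "check_password_minlen $SAMPLE/pwquality.conf"; do
    if $c; then echo "PASS: $c"; else echo "FAIL: $c"; fi
done
```

To check a real node, call each function with the corresponding system file path instead of the sample path.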


The effect of the hardening can be verified by configuring the corresponding MLPS compliance baseline check. The document "Alibaba Cloud Linux MLPS 2.0 Level 3 image baseline check policy configuration" describes how to configure the MLPS compliance baseline check policy in detail. The specific steps are as follows:


  1. Purchase the Enterprise Edition of Cloud Security Center. Only the Enterprise Edition supports the baseline check service. For specific operations, see Purchase Cloud Security Center.
  2. Log in to the ECS management console.
  3. In the left-side navigation pane, click Instances & Images > Instances.
  4. In the top menu bar, select a region.
  5. In the instance list, click the ID of the ECS instance running Alibaba Cloud Linux that you created.
  6. On the Instance Details tab, click Security Protection Status on the right.
  7. In the Cloud Security Center console, configure and run an MLPS compliance baseline check policy.
  8. In the left-side navigation pane, choose Security > Baseline Check.
  9. In the Baseline Check Policy area, click Default Policy, then click + Add Policy.
  10. In the Baseline Check Policy panel, complete the configuration and click OK. The settings are as follows:

  • Policy name: enter a name that identifies the policy, for example "Alibaba Cloud Linux 2 MLPS compliance check".
  • Detection cycle: select the check interval (once every 1, 3, 7, or 30 days) and the time window in which the check is triggered (00:00-06:00, 06:00-12:00, 12:00-18:00, or 18:00-24:00).
  • Baseline name: enter a keyword such as "compliance" in the search box and, from the search results, select "MLPS Level 3 - Alibaba Cloud Linux/Aliyun Linux 2 compliance baseline check".
  • Effective servers: select the asset groups to which the policy applies. Newly purchased servers are placed in the Ungrouped group by default; to apply the policy automatically to newly purchased assets, select Ungrouped.

  For a detailed description of the baseline check policy, see Setting the Baseline Check Policy.

  11. In the upper-right corner of the Baseline Check page, click Policy Management.
  12. At the bottom of the panel, select the High and Medium baseline check levels, then click OK.
  13. In the Baseline Check Policy area, click Default Policy, then click the name of the policy you created.
  14. Click Check Now. You can click Progress Details to follow the check; the check is complete when the completion status is displayed.
  15. After the check completes, click the baseline name in the list on the Baseline Check page.
  16. View the check results on the "MLPS Level 3 - Alibaba Cloud Linux/Aliyun Linux 2 compliance baseline check" panel. You can view or verify the results of the baseline check, and you can also roll back the instance using a snapshot. For specific operations, see Viewing and Processing Baseline Check Results.

The significance of ACK MLPS security hardening


With the rapid development of the cloud era, enterprises are moving to the cloud at an accelerating pace, and more and more customers regard Alibaba Cloud as the best choice for doing so. We have implemented MLPS compliance hardening for ACK clusters based on the Alibaba Cloud Linux operating system. This reflects that Alibaba Cloud treats security as a core part of cloud product development and delivery, building compliance into the product's "blood" and security into its "bone marrow", which helps customers with MLPS obligations move to the cloud faster and more easily.






Original link: https://developer.aliyun.com/article/782304?

