CentOS Security Guides

Security Meets CM

As part of building my CentOS role in Ansible I've been looking for best-practice guides. When I found the security guides I hit the jackpot. These guides provide detailed instructions on how to configure CentOS. In the old days you would use these guides to build shell scripts or (gasp!) manually configure your servers. Now you can take these directions and translate them into your CM tool of choice. I'm using Ansible for the task.

This is already extremely useful, but these guides also provide tests. Often these tests come as complex XML (the XCCDF and OVAL files that SCAP content is built from). No matter: the actual command-line check can be extracted and used in something easier to work with, like serverspec. Here is a small sample of how they look in serverspec:

    # Each test's description is the guide's rule title; the command is the
    # guide's own check, lifted verbatim. Every `it` needs a matching `end`.
    describe 'mount options for /dev/shm' do
      it "Add nodev Option to /dev/shm Partition" do
        expect( command('grep /dev/shm /etc/fstab | grep nodev') ).not_to return_stdout ""
      end

      it "Add nosuid Option to /dev/shm Partition" do
        expect( command('grep /dev/shm /etc/fstab | grep nosuid') ).not_to return_stdout ""
      end

      it "Add noexec Option to /dev/shm Partition" do
        expect( command('grep /dev/shm /etc/fstab | grep noexec') ).not_to return_stdout ""
      end
    end

You set the configuration via kickstart and Ansible and then test it with serverspec. Since the tests are the guides' own checks, the test run doubles as a security audit.
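As an added example (this is not code from the original post), here is the same /dev/shm check written so that the functions can be called from inside a serverspec `it` block with `file('/etc/fstab').content` and `command('mount').stdout`, but runnable on its own against constructed sample data. Two things differ from the grep pipeline above. First, it parses the mount-point and options fields of each fstab entry instead of grepping, because `grep /dev/shm /etc/fstab | grep nodev` also matches a comment line that happens to mention both words, and `grep_style_check` below reproduces that false pass. Second, it checks the live mount table as well as fstab, since a hardened fstab line only takes effect at the next mount and an audit should confirm the current state. The function names, the sample fstab and the sample `mount` output are all my own and are constructed for the example.

```ruby
# Added example, not from the original post: check the /dev/shm mount options
# the guides ask for by parsing fstab and `mount` output rather than grepping.

REQUIRED_SHM_OPTS = %w[nodev nosuid noexec].freeze

# Constructed sample /etc/fstab. The comment line is deliberate: the
# `grep /dev/shm /etc/fstab | grep nodev` check from the guides matches it.
SAMPLE_FSTAB = <<~FSTAB
  # /dev/shm should get nodev,nosuid,noexec once the STIG work is done
  /dev/mapper/vg_root-lv_root /        ext4   defaults        1 1
  UUID=4c1c5fdd-0000-0000-0000-000000000001 /boot ext4 defaults 1 2
  tmpfs                       /dev/shm tmpfs  defaults,nosuid 0 0
  devpts                      /dev/pts devpts gid=5,mode=620  0 0
FSTAB

# Constructed sample output of `mount` on a CentOS 6 box.
SAMPLE_MOUNT = <<~MOUNT
  /dev/mapper/vg_root-lv_root on / type ext4 (rw)
  tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec)
  devpts on /dev/pts type devpts (rw,gid=5,mode=620)
MOUNT

# Options of the fstab entry whose mount point is exactly `mountpoint`, or nil
# if there is none. Comments and blank lines are skipped, so a commented-out
# or merely mentioned /dev/shm does not count as an entry.
def fstab_options(fstab_text, mountpoint)
  fstab_text.each_line do |line|
    line = line.sub(/#.*/, '').strip
    next if line.empty?
    fields = line.split
    next if fields.size < 4
    return fields[3].split(',') if fields[1] == mountpoint
  end
  nil
end

# Options of the live mount at `mountpoint` parsed from `mount` output
# ("<dev> on <mountpoint> type <fstype> (<opts>)"), or nil if not mounted.
def mount_options(mount_text, mountpoint)
  mount_text.each_line do |line|
    m = line.match(/\A\S+ on (\S+) type \S+ \((.*)\)/)
    next unless m && m[1] == mountpoint
    return m[2].split(',')
  end
  nil
end

# Required options that are absent. A missing entry reports everything as
# missing so the test fails rather than passing vacuously.
def missing_options(options, required = REQUIRED_SHM_OPTS)
  return required.dup if options.nil?
  required - options
end

# The guides' check as a string test: true whenever some line of fstab
# contains both "/dev/shm" and the option, comments included. Kept only to
# show why field-based parsing is the better test.
def grep_style_check(fstab_text, option)
  fstab_text.each_line.any? { |l| l.include?('/dev/shm') && l.include?(option) }
end

if __FILE__ == $PROGRAM_NAME
  fstab_missing = missing_options(fstab_options(SAMPLE_FSTAB, '/dev/shm'))
  live_missing  = missing_options(mount_options(SAMPLE_MOUNT, '/dev/shm'))
  puts "fstab /dev/shm missing: #{fstab_missing.inspect}"
  puts "live  /dev/shm missing: #{live_missing.inspect}"
  puts "grep-style nodev check passes? #{grep_style_check(SAMPLE_FSTAB, 'nodev')}"
end
```

In a real spec file, `fstab_options(file('/etc/fstab').content, '/dev/shm')` and `mount_options(command('mount').stdout, '/dev/shm')` replace the constants, and each `it` asserts that `missing_options(...)` is empty. On the sample data the fstab entry is missing `nodev` and `noexec` while the live mount has all three, which is exactly the kind of drift a fstab-only check cannot see.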

I've got a lot more to do since these guides are massive. I expect to have a serverspec file with hundreds of tests by the time I'm done. There are SCAP tools (OpenSCAP, for example) that already run these checks, and you can find them here. I think it's worth the trouble to translate them into serverspec because then I have all of my server configuration tests in one place. Besides, as I have argued before, the tools that do CM, security, and auditing overlap. Trying to put them into nice distinct categories hurts the evolution of the CM tools.

My experience with these guides also confirmed my choice of CentOS as my OS. The guides are written for Red Hat Enterprise Linux, and since CentOS is a rebuild of RHEL they apply just as well. I did not see any for other flavors of Linux.

The Security Guides

After a lot of searching, here are the best guides I've found.

  1. CIS CentOS 6 Security Benchmark. My favorite guide. Well written and comprehensive. This one is CentOS-specific too. On the web page, check the box before CentOS Linux Benchmarks and then click I Accept at the bottom.
  2. Red Hat 6 STIG. 'STIG' stands for Security Technical Implementation Guide and is a term I see a lot on the US government web sites devoted to this area. This web site shows, I think, a web view of the DISA STIG.
  3. Red Hat 6 Official Security Guide. Not as detailed as the others but has a lot of explanation.
  4. DISA Red Hat 6 STIG. This link has the raw XML, so it's hard to work with. See also link 2 above.
  5. NSA Red Hat 5 STIG. For an older version of Red Hat but still useful.
  6. SCAP for Red Hat 6. Another favorite of mine. Very good advice on server application configuration.
  7. USGCB – Red Hat Enterprise Linux 5 Desktop. The US government guide, but this is for Red Hat 5 and the desktop version. Still useful. This page also has a kickstart file and Puppet scripts. These are well worth looking at.

The good news is that, as far as I can tell after an initial examination, the information these provide is largely the same. Often it is the same verbatim. For example, the /dev/shm mount rules that the serverspec snippet above tests are found in all of them.

These guides contain just the kind of best practice configurations that the CM tools should be providing. Given time I hope they will. The CM tools are great but it’s the content that matters. Perhaps when I finish mine I can contribute it to Ansible Galaxy.


Categories: Security, Software


7 replies

  1. I am looking at integrating SCAP scanning into our Spacewalk server with https://fedorahosted.org/scap-security-guide/

    I have been looking at our CentOS builds this week and I am trying to get a handle on our requirements as dictated by HHS. I finally started a spreadsheet to list the requirements from different agencies and see what overlaps and what does not apply.

    OpenFISMA (http://openfisma.org) is probably overkill but something I want to evaluate (read tinker with).


    • Thanks for the link to OpenFISMA. I hadn’t run across it. There are probably many in this category I haven’t seen yet. Does OpenFISMA actually perform the automated tests? I couldn’t tell from the demo.


  2. Great post! Actually we are looking at doing pretty much exactly that: turning all of our CIS CentOS Benchmark tests into serverspec tests. Would you be interested at all in open sourcing?


    • Yes, I'd be happy to share them. I could post my tests to GitHub. I was originally going to translate all the CIS CentOS tests into serverspec but I changed my mind after reading their terms of use (in the front of the document). It looked to me like they prohibit this. I could be wrong though. What I did instead was translate these into serverspec. They appear more or less identical. I have finished about half of them so far.


  3. Oh, happy day! I have been looking for easy ways to automate "STIG'ing" my CentOS boxen. I learned about Ansible yesterday (literally; Kevin Fenzy spoke about it at the #DenDojo I was at) and am excited to get started.
    I’m not much of a coder, no real experience; in fact, I’ve been an InfoSec admin/engineer/wonk for more than a decade, but I am a linux advocate and user, since I started as a UX/Linux Admin in 2000. Once I get comfortable with Ansible, I would like to help this project thrive. Let me know how I can help.


    • Hi Jeff,

      You can see the Ansible code for making CentOS STIG compliant on my Ansible GitHub repository. Any help making it better would be great. Just testing it and letting me know where it doesn't work or could be done better would be helpful. The nice thing about Ansible is that it's fairly easy to understand what the code is doing once you understand its terminology. I want my CentOS config to be strict and locked down since I think security is very important. All criticism is welcome.



    • I’ve uploaded my STIG security tests to GitHub. Give it a try and let me know how it works.

