I’ve decided to migrate from CentOS 6 to 7. This wasn’t an easy decision because my voluminous Ansible config files are CentOS 6 based. The good news is that most of my roles still work, albeit with some modification. I was waiting because of uncertainty over systemd and the lack of security hardening guides for CentOS 7.
While there is still no official DISA STIG for RHEL/CentOS 7, my preferred standard because of its comprehensiveness, there is a draft STIG and the Center for Internet Security publishes a similar one. Good enough.
So far, and I’ve just started the migration, I’ve noticed two key benefits:
- CentOS 7 VMs boot and run faster under XenServer 7. The difference is immediately noticeable. I suppose this is due to Hardware Assisted Virtualization, which is supported on CentOS 7. Unfortunately, this also means that console copy and paste no longer works in XenCenter, so I have to open a bunch of SSH sessions to work with the VMs. Not terrible, but it is annoying.
- CentOS 7 has an install option to set the security profile to the draft DISA STIG. I chose this option and, while nice, was underwhelmed. After installation I ran the OSCAP security checks and, even with this option, it still failed many of them. These failures were not understandable ones, like the lack of anti-virus software, but settings that should have been in place, like a proper sshd lockdown. I don’t know if this is intentional on Red Hat’s part or just sloppiness. Fortunately, my CentOS 6 security roles in Ansible are mostly still valid, so I can update and use them.
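A minimal Ansible play in the spirit of those roles, as an added example that is not taken from the post or its author: it enforces a handful of the sshd settings the STIG expects and then re-runs the OpenSCAP evaluation to confirm the result. The scap-security-guide data stream path and the profile id are assumptions that vary by package version.

```yaml
# Added example, not the post's own code. Assumes scap-security-guide is installed
# and that the data stream path and profile id below match the installed version
# (both vary by release; check `oscap info <datastream>` to list profile ids).
---
- hosts: centos7
  become: yes
  vars:
    # A subset of the sshd_config values the draft STIG checks for.
    sshd_settings:
      - { key: PermitRootLogin,         value: "no" }
      - { key: PermitEmptyPasswords,    value: "no" }
      - { key: HostbasedAuthentication, value: "no" }
      - { key: IgnoreRhosts,            value: "yes" }
      - { key: PermitUserEnvironment,   value: "no" }
      - { key: ClientAliveInterval,     value: "600" }
      - { key: ClientAliveCountMax,     value: "0" }
      - { key: Ciphers,                 value: "aes128-ctr,aes192-ctr,aes256-ctr" }
    ssg_datastream: /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml  # assumption
    ssg_profile: xccdf_org.ssgproject.content_profile_stig-rhel7-disa   # assumption
  tasks:
    - name: Enforce sshd settings (replaces existing or commented-out lines)
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^#?\s*{{ item.key }}\s'
        line: '{{ item.key }} {{ item.value }}'
        validate: '/usr/sbin/sshd -t -f %s'   # never install a config sshd cannot parse
      with_items: "{{ sshd_settings }}"
      notify: restart sshd

    - name: Re-run the OpenSCAP evaluation against the STIG profile
      command: >
        oscap xccdf eval --profile {{ ssg_profile }}
        --results /root/oscap-results.xml --report /root/oscap-report.html
        {{ ssg_datastream }}
      register: oscap
      # oscap exits 0 when all rules pass and 2 when some fail; only 1 is an error.
      failed_when: oscap.rc not in [0, 2]
      changed_when: false

  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted
```

The HTML report left in /root lists exactly which rules still fail, which is the list the remaining roles need to cover.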
I do also like that CentOS 7 has newer versions of key software like syslog-ng and Python. I am especially looking forward to using the new features of syslog-ng as part of my Elasticsearch-based logging and monitoring architecture. syslog-ng now supports Elasticsearch and JSON format logs out of the box. Neat.