CentOS-7 Installer Security Profiles
The CentOS Project does not provide any verification, certification, or software assurance with respect to security for CentOS Linux. The Security Profiles provided in the CentOS Linux installers are a conversion of the ones included in RHEL Source Code. If certified / verified software that has guaranteed assurance is what you are looking for, then you likely do not want to use CentOS Linux.
1. CentOS Linux and Security
Please see the WARNING in the above red box about CentOS Linux and Security. The CentOS team does not verify or certify any software with respect to security. The CentOS team builds Source Code released by Red Hat, Inc. for RHEL as it is released (with minor modifications for trademarks and artwork). Any assurance, verification, or certification that Red Hat provides for RHEL does not apply to CentOS Linux. If you want verified, certified software then please contact Red Hat.
2. Security Profiles
The anaconda installer used on the CentOS Linux Minimal, DVD, and Everything ISOs contains a section called Security Profiles. These profiles add packages to the install and may also configure several services.
A detailed description of the Security Profiles is included for RHEL here. On that page, you will find links that explain each of the options in great detail. If you have questions about what an individual profile is trying to accomplish, you can research it there.
The CentOS team has changed the profiles for branding and we have tested the installs to ensure they complete and that you are left with a functionally booting system. We have done no tests for suitability.
2.1. Requirements
The Security Profiles on the 7.7.1908 install media are:
Default (no profile selected): Normal install, normal remote access. Default firewalld and sshd active.
Standard System Security Profile: Normal install, normal remote access. Default firewalld and sshd active.
PCI-DSS v3.2.1 Control Baseline: Remote root access, local root access from the console. Remote user access, local user access from the console. Default firewalld and sshd active.
NOTE: Please be aware of the login and firewall restrictions in the above profiles. If a security profile restricts remote root logins, make sure you have console access to the machine after reboot AND that you have set up a non-root user who can log in; you can then su to root from that user if required.
Also note, as stated numerous times on this page, that neither the CentOS Project nor Red Hat provide any certification or assurance of any kind related to these security profiles if applied to CentOS Linux. They are included only as an aid to the user. If you require certified products that provide software assurance, are rigorously tested for compliance with standards, and are audited for CVE security issues, CentOS is not that product. Please see this link for more details.
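As an added example (not part of the CentOS wiki page or of any CentOS tooling), the following POSIX shell checks the two things the note above asks you to confirm before rebooting: what sshd will actually enforce for root logins, and whether a non-root account exists that can log in. It assumes the sshd_config(5) rule that, for a keyword outside a Match block, the first occurrence wins; the sshd_config and passwd data embedded here are constructed samples.

```shell
#!/bin/sh
# Added example, not from the CentOS wiki page. Assumption: sshd_config(5)
# semantics, where the FIRST value of a keyword outside any Match block is
# the one sshd uses, so a "PermitRootLogin no" appended later has no effect.

# Prints the effective global PermitRootLogin value for the sshd_config read
# on stdin, or "default" if the keyword is never set outside a Match block.
permit_root_login() {
    awk '
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == "permitrootlogin" && !done {
            print tolower($2); done = 1
        }
        END { if (!done) print "default" }
    '
}

# Counts accounts in the passwd data on stdin that can log in interactively:
# a regular UID (>= 1000, excluding nobody) and a shell other than
# nologin/false. Such an account is what you need to su to root from.
console_users() {
    awk -F: '$3 >= 1000 && $3 != 65534 && $7 !~ /(nologin|false)$/ { n++ }
             END { print n + 0 }'
}

# Constructed sshd_config: a "no" was appended after an earlier "yes", so
# sshd keeps "yes" and root can still log in remotely despite the later line.
SAMPLE_SSHD_CONFIG='# constructed sshd_config fragment
PermitRootLogin yes
Subsystem sftp /usr/libexec/openssh/sftp-server
PermitRootLogin no
Match User backup
    PermitRootLogin no'

# Constructed passwd data with one system account and one regular user.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
admin:x:1000:1000::/home/admin:/bin/bash'

# On a real host run: permit_root_login < /etc/ssh/sshd_config
#                     console_users     < /etc/passwd
main() {
    eff=$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | permit_root_login)
    users=$(printf '%s\n' "$SAMPLE_PASSWD" | console_users)
    echo "effective PermitRootLogin: $eff"
    echo "non-root login accounts:   $users"
    if [ "$eff" != "yes" ] && [ "$users" -eq 0 ]; then
        echo "WARNING: remote root login restricted and no non-root user exists"
        return 1
    fi
}
main
```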
2.2. Known Issues
Previously, with the 7.3.1611 ISOs, we knew that all 4 of the STIG installs produced an sshd_config file that would not allow SSHD to start. This was an upstream issue (Bug Report bz 1401069). This issue has been fixed with the 7.4.1708 ISOs and all installs produce working SSHD now.
The installer in 7.3.1611 required an internet connection to use Security Profiles; that is no longer the case. The extra packages for Security Profiles now reside on the install media and are installed from there.
The security profiles "Standard System Security Profile" and "C2S for CentOS Linux 7" can't be used in the CentOS 7.5.1804 installer: a bug causes the installer to require a separate partition for /dev/shm, which is not possible (RHBZ#1570956).