CentOS-7 Installer Security Profiles

The CentOS Project does not provide any verification, certification, or software assurance with respect to security for CentOS Linux. The Security Profiles provided in the CentOS Linux installers are a conversion of the ones included in RHEL Source Code. If certified / verified software that has guaranteed assurance is what you are looking for, then you likely do not want to use CentOS Linux.

1. CentOS Linux and Security

Please see the WARNING above about CentOS Linux and Security. The CentOS team does not verify or certify any software with respect to security. The CentOS team builds the source code released by Red Hat, Inc. for RHEL as it is released (with minor modifications for trademarks and artwork). Any assurance, verification, or certification that Red Hat provides for RHEL does not apply to CentOS Linux. If you want verified, certified software then please contact Red Hat.

2. Security Profiles

The anaconda installer used on the CentOS Linux Minimal, DVD, and Everything ISOs contains a section called Security Profiles. These profiles add packages to the install and may also change the configuration of several services (most visibly firewalld and sshd, see the list below).

A detailed description of the Security Profiles is included in the RHEL documentation. There you will find links that explain each of the options in great detail. If you have questions about what an individual profile is trying to accomplish, you can research it there.

The CentOS team has changed the profiles for branding and we have tested the installs to ensure they complete and that you are left with a functionally booting system. We have done no tests for suitability.

2.1. Requirements

In previous installers (7.3.1611) you needed an internet connection to use Security Profiles, that is no longer the case. Now the extra packages for Security Profiles reside on the install media and are installed from there.

Here are the Security Profiles on the 7.4.1708 install media:

Default: Normal install, normal remote access. Default firewalld and sshd active.

Standard System Profile: Normal install, normal remote access. Default firewalld and sshd active.

PCI-DSS v3 Control Baseline for CentOS Linux 7: Root access allowed both remotely and locally from the console. User access allowed both remotely and locally from the console. Default firewalld and sshd active.

C2S for CentOS Linux 7: No root logins from console or remote. Normal user logins work from the console and remote. Default firewalld and sshd active.

Red Hat Corporate Profile for Certified Cloud Providers: Firewall blocks all remote access. Root logins at the console OK. If you do not have console access to this machine, you will be locked out on reboot.

Common Profile for General-Purpose Systems: Normal install, normal remote access. Default firewalld and sshd active.

DISA STIG for CentOS Linux 7: Firewall blocks all remote access. Root logins at the console OK. If you do not have console access to this machine, you will be locked out on reboot.

United States Government Configuration Baseline (USGCB/STIG) - Draft: Firewall blocks all remote access. No root logins, no remote logins. If you do not have console access to this machine, you will be locked out on reboot.

Criminal Justice Information System (CJIS) Security Policy: Firewall blocks all remote access. Root logins at the console OK. No remote logins. If you do not have console access to this machine, you will be locked out on reboot.

Standard Docker Host Profile: Normal install, normal remote access. Default firewalld and sshd active.

Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171): Firewall blocks all remote access. No root logins, no remote logins. If you do not have console access to this machine, you will be locked out on reboot.

<!> NOTE: Please be aware that many of the above profiles, as listed in the details, turn off all remote access via the firewalld daemon. Also be aware that many of them also prevent root logins remotely, and sometimes even at the console. So when using Security Profiles, make sure you have console access to the machine after reboot AND that you have set up a non-root user who can log in; you can then su to root from that user if required.
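The lockout risks described in the note above can be checked before the first reboot (or against a mounted image) by reading the files the profile remediations edit. The script below is an added example for this page, not code from the CentOS Project or from scap-security-guide; the file paths are the stock CentOS 7 locations and are assumptions that can be overridden through the environment. It reports each lost entry point: the firewalld default zone no longer allowing the ssh service, sshd refusing root, an emptied /etc/securetty (which pam_securetty treats as "root on no tty"), and a wheel group with nobody in it to su to root.

```shell
#!/bin/sh
# Added example (not from the CentOS wiki page or scap-security-guide):
# a "will I still be able to log in after reboot?" check for a CentOS 7
# host built with one of the Anaconda Security Profiles.  It reads the
# files the profiles' remediations edit and prints one WARN line per lost
# entry point.  Paths are the stock CentOS 7 locations (assumptions);
# override them in the environment to inspect a mounted image instead.

SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}
FIREWALLD_CONF=${FIREWALLD_CONF:-/etc/firewalld/firewalld.conf}
ZONE_DIR=${ZONE_DIR:-/etc/firewalld/zones}                        # admin overrides
ZONE_FALLBACK_DIR=${ZONE_FALLBACK_DIR:-/usr/lib/firewalld/zones}  # shipped zones
SECURETTY=${SECURETTY:-/etc/securetty}
GROUP_FILE=${GROUP_FILE:-/etc/group}

# sshd applies the FIRST matching directive, so print the first uncommented
# PermitRootLogin value; "unset" means the compiled-in default applies.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# DefaultZone= from firewalld.conf; firewalld itself defaults to "public".
default_zone() {
    awk -F= '$1 == "DefaultZone" { print $2; found = 1; exit }
             END { if (!found) print "public" }' "$1"
}

# Does the zone XML list the ssh service?  A service entry is permitted
# whatever the zone's target, so this is the line that decides SSH access.
zone_allows_ssh() {
    grep -q '<service name="ssh"' "$1" 2>/dev/null
}

# Console root login under pam_securetty: a missing file allows every tty,
# an empty file (what the "no root at console" profiles write) denies all.
console_root_login() {
    [ ! -e "$1" ] || grep -q . "$1" 2>/dev/null
}

# Comma-separated members of wheel, the group su/sudo trust for becoming
# root once direct root logins are refused.
wheel_members() {
    awk -F: '$1 == "wheel" { print $4 }' "$1"
}

# Print one WARN line per lost entry point; the exit status is the count.
assess() {
    problems=0
    zone=$(default_zone "$FIREWALLD_CONF")
    zonefile="$ZONE_DIR/$zone.xml"
    [ -f "$zonefile" ] || zonefile="$ZONE_FALLBACK_DIR/$zone.xml"
    if ! zone_allows_ssh "$zonefile"; then
        echo "WARN: firewalld default zone '$zone' ($zonefile) does not allow ssh: remote access blocked"
        problems=$((problems + 1))
    fi
    if [ "$(permit_root_login "$SSHD_CONFIG")" = "no" ]; then
        echo "WARN: PermitRootLogin no: root cannot log in over SSH"
        problems=$((problems + 1))
    fi
    if ! console_root_login "$SECURETTY"; then
        echo "WARN: $SECURETTY is empty: root cannot log in at the console either"
        problems=$((problems + 1))
    fi
    if [ -z "$(wheel_members "$GROUP_FILE")" ]; then
        echo "WARN: wheel has no members: no non-root user can su/sudo to root"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage: sh lockout-check.sh assess   (set the variables above first to
# point at a mounted image).  With no arguments nothing is run.
if [ "$#" -gt 0 ]; then "$@"; fi
```

Run it as root on the freshly installed system before rebooting away from the console; a non-zero exit status means at least one of the entry points the note above warns about is gone, and the WARN lines say which. The check reads the persistent configuration only, so it reflects what the next boot will do rather than the currently loaded runtime firewall.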

<!> Also note, as stated numerous times on this page, that neither the CentOS Project nor Red Hat provide any certification or assurance of any kind related to these security profiles when applied to CentOS Linux. They are included only as an aid to the user. If you require certified products that provide software assurance, are rigorously tested for compliance with standards, and are audited for CVE security issues, CentOS is not that product.

2.2. Known Issues

Previously, with the 7.3.1611 ISOs, all four of the STIG installs produced an sshd_config file that would not allow sshd to start. This was an upstream issue (Bug Report bz 1401069). It has been fixed in the 7.4.1708 ISOs and all installs now produce a working sshd.

TipsAndTricks/C7SecurityProfiles (last edited 2017-09-05 22:28:53 by AnssiJohansson)