CIS Compliance

Overview

The Center for Internet Security (CIS) identifies, develops, validates, promotes, and sustains best practice solutions for cyber defense and helps communities to enable an environment of trust in cyberspace.

CIS employs a closed crowdsourcing model to identify and refine effective security measures, where individual recommendations are shared with the community for evaluation through a consensus decision-making process. At a national and international level, CIS plays an important role in forming security policies and decisions by maintaining CIS Controls and CIS Benchmarks, and hosting the Multi-State Information Sharing and Analysis Center (MS-ISAC).

CIS Controls

CIS Controls and CIS Benchmarks provides global standard for internet security. The CIS Benchmark is categorized as Controls, and each Control is a collection of common security tests. The CIS Controls include the popular set of 20 security controls which map to many compliance standards. The CIS Controls advocate a defense-in-depth model to prevent and detect malware.
For instance, Controls 1.1 is for Filesystem Configurations, which is a collection of tests like 1.1.1 - Disable unused filesystems, which in turn comprises of sub-set tests such as 1.1.1.1 - Ensure mounting of cramfs filesystems is disabled, 1.1.1.2 - Ensure mounting of freevfs filesystems is disabled, and others.

For complete information on the relevant Controls and tests for Distributed Independent Linux Benchmark, refer to CIS Ubuntu Linux LTS Benchmark, available for download at https://learn.cisecurity.org/benchmarks.

The individual tests are marked at either Level 1 or Level 2.

Level 1 tests are part of the CIS 1.0 profile. As per CIS, the tests in the Level 1 - Server profile are practical and prudent and are intended for providing a clear security benefit. These tests may inhibit the utility of the technology beyond acceptable means.

Level 2 tests are part of the CIS 2.0 profile. This profile is an extension of the Level 1 - Server profile and includes both Level 1 and Level 2 tests. As per CIS, the tests are intended for environments or use cases where security is paramount for a deep defense mechanism. These tests may negatively inhibit the utility or performance of the technology.

Note: The Benchmark declares a Control as failed, even if one test within the Control fails.

CIS Compliance for Avi Vantage

Enabling CIS Mode

Enable the CIS mode on Avi Vantage to successfully run the tests associated with specific Control. Configure the cis mode command under system configuration as shown below.



[admin:10-1-1-1]: > configure systemconfiguration
[admin:10-1-1-1]: systemconfiguration> linux_configuration
[admin:10-1-1-1]: systemconfiguration:linux_configuration> cis_mode
Overwriting the previously entered value for cis_mode

[admin:10-1-1-1]: systemconfiguration:linux_configuration> where
Tenant: admin
+----------+-------+
| Field    | Value |
+----------+-------+
| motd     |       |
| banner   |       |
| cis_mode | True  |
+----------+-------+

Starting with Avi Vantage release 17.2.7, configuring CIS mode enables iptables, which cover all the 3.6.X set of Controls.

Configuring this command applies it only to the Controllers and Service Engines created so forth. If the CIS mode needs to be enabled for existing Service Engines, follow one of the following suggested steps:

  • No downtime: Scale out all Service Engines, so that the services fall onto the newly spun SEs. CIS mode will be enabled on the newly created Service Engines. Scale in to fall back to the former setup, but with CIS mode Service Engines.

  • With downtime: Reboot the Service Engines. When the SEs come back online, the CIS mode will be enabled.

Non-Applicable Benchmark tests for Avi Service Engine

Avi Controller and Service Engines are purpose-built to provide an elastic distributed load balancing functionality and runs only on services that are required to provide this functionality. Only the admin user can login to the Service Engine VM for troubleshooting and recovery. Avi Vantage conforms to the CIS Benchmark tests with a few exceptions as listed below. The text following the instance quotes the reason for the exception.

Note: The list below only indicates the Benchmark denomination. For complete information on the mentioned Benchmarks tests, refer to CIS Benchmarks Landing Page.

1.1 File System Configurations

  • UDF File System – 1.1.1.7
    Requires the UDF kernel to not load which leads to Service Engine boot up issues and failure in connecting to the Controller.

  • Seperate Partitions – 1.1.2 to 1.1.17
    Requires a separate partition for /tmp, /var, /var/log, /var/log/audit, and /home. This does not comply with the two seperate logical partitions designed to allow Avi Vantage version rollback.

1.3 File System Integrity Checking

File System Integrity Checking – 1.3.2
Requires installation of the aide tool which is CPU intensive and leads to prolonged duration runs.

1.4 Secure Boot Settings

1.4.1 to 1.4.4
Requires password based grub bootloader menu that will interfere with the Avi Vantage single click upgrade functionality.

3.4 TCP Wrappers

3.4.3
Requires adding default deny in /etc/hosts.deny, which would impact Service Engine connectivity with the Avi Controller.

5.4.1 Set Shadow Password Suite Parameters

5.4.1.1 to 5.4.1.4
Requires enforcing password policy at the Service Engine level.
Avi Vantage supports only admin user. The Controller manages the password policy and when the admin user password is changed, it synchronizes this password across the fleet of SEs. So, no password enforcement is required at the SE level.

Additional Information

For complete information on executing Benchmarks using the Inspec tool, refer to Executing Benchmarks using Inspec.