Building Strong Linux Security and Compliance: CIS Benchmarks and More
What makes Linux security unique? What special considerations does Linux have across security standards like those set by The Center for Internet Security (CIS)? Every OS has its own unique considerations, and Linux is no different. We’ll also explore how Puppet can fit within your broader Linux security plan to help make hardening Linux that much easier.
What Makes Linux Security Unique?
Linux is an incredibly flexible operating system — it’s modular and most of its popular distributions are open source. This means that Linux security can be custom-built for your particular organizational needs around compliance and security.
Linux was created in 1991 by Linus Torvalds, a 21-year-old computer science student who wrote the operating system kernel to create a free and open-source alternative to the MINIX operating system, which was based on the design of Unix.
Today, Linux is installed on more than 85% of smartphones and there are more than 600 active Linux distributions, or distros as they are known in Linux circles. This is a testament to the flexibility and modularity of the original design — a modularity that we will tie into security needs today.
To understand what makes Linux security unique, it’s important to understand how many different flavors of Linux there are — they make up an entire family tree of variations on the original OS. While each of these variations shares a core foundation, it’s important to plan for security controls that work across different members of the same family tree.
Linux does come with some built-in kernel security defenses, like firewalls and the Linux Kernel Lockdown configuration option, and while this makes it unique, it still requires the same security rigor as any other OS.
CIS Benchmarks + Compliance for Linux Security
One of the best ways to maintain security and keep your organization safe is to stay compliant with the latest regulations — easier said than done.
We’ll review the popular, and comprehensive, CIS benchmarks as a starting point, plus examine best practices created after a recent US executive order — all globally applicable, and the best place to begin for Linux.
CIS Benchmarks
The Center for Internet Security (CIS) has established critical, community-sourced compliance standards for different operating systems, including Linux. These globally recognized baseline configurations were created to protect your systems, data, and users from external threats and IT risk. The CIS standards specific to Linux address things like root privilege issues, a common entry point for exploitation, and other access concerns.
Ensuring that your specific branch of Linux adheres to CIS benchmarks is a critical step in preventing cyberattacks and keeping your data secure.
Software Bill of Materials (SBOM)
In 2021, the White House issued an executive order that required the National Institute of Standards and Technology (NIST) to create a set of best practices for software security.
The resulting documents from this order addressed concerns around a lack of visibility from software providers about their products which could compromise security in government systems. Ultimately, it meant that vendors needed to be more accountable for the software that they provided.
What is SBOM?
SBOM stands for “Software Bill of Materials.” It defines a nested inventory of all the pieces that make up a piece of software, giving visibility into elements like package name, version, known security vulnerabilities, and more.
An SBOM should accomplish the following:
- It will list all of the software components that are included within an application, runtime environment, or API.
- For each software component, the minimum elements must be included (package name, version, unique identifier, dependencies, licensing information, known vulnerabilities, and the software hash).
- The information must be machine-readable by all third-party integrations for visibility.
How does this tie in with Linux? Since the Linux OS is modular, having visibility into the modules that are shared across many components can help make you smarter about known vulnerabilities. It also allows you to react swiftly when a vulnerability is found — and this visibility benefits software consumers, no matter the use case.
Securing Linux 101
The foundations of strong Linux security are supported by initiatives like SBOM and the security standards published by CIS, but here’s where you will need to start thinking about your organization’s individual needs.
- What security features does your Linux system already include? Distributions like Debian and Ubuntu are good examples of an OS that ships with some security features right out of the box.
- How are you managing access? This includes password policy enforcement, multi-factor authentication, and more.
- How is data protected? This may include strong encryption of data at rest and in flight.
- How many different software pieces make up your OS? Some applications and services are more secure than others.
Standard benchmarks like those from CIS will include security tactics that cover basics that are broadly applicable across Linux, which include recommendations like:
- Stay on top of patching
- Enable firewall protection
- Strengthen password requirements and SSH keys
- Regularly scan for threats
- Stay on top of compliance and compliance drift
You’re not just protecting data when you implement strong security practices — you’re also maintaining uptime and system reliability across your entire environment. The flexibility of Linux makes it widely used for a reason, and for those same reasons, it is a popular target for malware developers. Your reputation, your customers’ information, and the functionality of the entire org are on the line every day.
How Puppet Can Support Linux Security
Puppet is well suited to handling pieces of your security plan because it abstracts the type of Linux you are running and lets you describe the desired state once in a single domain-specific language (DSL). Puppet takes care of the differences so you can manage continuous compliance, patching, and access management across servers without missing a beat.
Puppet agents are open source — they can interpret commands across different branches of Linux automatically. No matter what script you need to write for security, Puppet’s abstraction layer knows what you’re trying to accomplish.
Puppet is a portable part of the Linux family tree, making sure that you have consistency and remain in compliance at scale. You won’t have to start code from scratch each time you have to enforce something new across your environment.
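As an added illustration (not code from this article or from Puppet’s own modules), the manifest below enforces two of the CIS items listed earlier, the SSH and password-policy recommendations, with one class that resolves Debian- and RedHat-family differences from facts. It assumes the puppetlabs-stdlib module (for `file_line`) is available on the Puppet server; the class name `cis_baseline` and its parameter are hypothetical.

```puppet
# Added example manifest (not from the article or from Puppet's modules).
# Assumes puppetlabs-stdlib is installed so that file_line is available.
class cis_baseline (
  Integer $pass_max_days = 365,  # CIS: password expiry of 365 days or less
) {
  # Distribution differences come from facts, not per-host hard-coding:
  # Debian-family hosts name the daemon 'ssh', RedHat-family hosts 'sshd'.
  $ssh_service = $facts['os']['family'] ? {
    'Debian' => 'ssh',
    default  => 'sshd',
  }

  package { 'openssh-server':
    ensure => installed,
  }

  service { $ssh_service:
    ensure  => running,
    enable  => true,
    require => Package['openssh-server'],
  }

  # SSH hardening: no direct root login, no empty passwords.
  # file_line replaces any existing (even commented-out) directive in place,
  # so repeated runs converge instead of appending duplicate lines.
  ['PermitRootLogin no', 'PermitEmptyPasswords no'].each |String $line| {
    $key = split($line, ' ')[0]
    file_line { "sshd_config ${key}":
      path   => '/etc/ssh/sshd_config',
      line   => $line,
      match  => "^#?${key}\\s",
      notify => Service[$ssh_service],
    }
  }

  # Password policy: cap the maximum password age in /etc/login.defs.
  file_line { 'login.defs PASS_MAX_DAYS':
    path  => '/etc/login.defs',
    line  => "PASS_MAX_DAYS ${pass_max_days}",
    match => '^PASS_MAX_DAYS\s',
  }
}

# Apply the baseline to every node in the catalog.
include cis_baseline
```

Because every resource is declarative, a node that drifts (for example, someone re-enabling root SSH login by hand) is put back to the declared state on the next agent run, and the change shows up in the run report, which is what the “compliance drift” item above is about.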
See for yourself how Puppet works in your Linux OS. Our free trial includes 10 nodes to get you started.