Configure and Start CentOS 7 OVA Version 2 Image

The CentOS 7 Hardened Image is available in OVA format. This section describes the technical specifications, security and hardening summary, and how to configure and launch the OVA image.
Technical Specifications
The hardened OVA has the following specifications:
Name                Value
Processor Cores     8
RAM                 64 GB
HDD                 500 GB
Operating System    CentOS Linux release 7.5.1804 (Core)
Docker Version      docker-ce 18.03.0
Partition Information
Partition Name      Disk Space
/                   50 GB
/tmp                16 GB
/home               20 GB
/var/log            10 GB
/var/log/audit      10 GB
/var/tmp            10 GB
/var                all remaining space (340 GB)
Security and Hardening Summary
The hardened OVA was scanned against multiple profiles for CentOS 7 using the OpenSCAP scanner. The scan results for each profile are listed below.
Profile                                                                                        Score
Standard System Security Profile                                                               99.09%
[DRAFT] PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7                             92.93%
C2S for Red Hat Enterprise Linux 7                                                             97.51%
Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)                                95.71%
DISA STIG for Red Hat Enterprise Linux 7                                                       88.63%
United States Government Configuration Baseline                                                87.72%
Criminal Justice Information Services (CJIS) Security Policy                                   88.63%
Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)   87.72%
Health Insurance Portability and Accountability Act (HIPAA)                                    91.4%
Configuration
Upon booting the hardened image, complete these tasks to ensure the image is secure and troubleshooting can be performed if necessary:
Log In to the Image
The default user name for the hardened image is centos and the default password is 7layer.
Change CentOS User Password
The password for the centos user must be changed immediately. This is enforced by the system and there is no way to skip this step. The password must meet the following requirements:
  • At least 15 characters long
  • Contains at least 2 uppercase letters
  • Contains at least 2 lowercase letters
  • Contains at least 2 special characters
  • No more than 4 consecutive characters of the same type
Upload an SSH Key (Optional)
If you wish to log in to the hardened image without being prompted for a password, you can generate an SSH key and copy it to the image. Note that you will still be required to use a password when invoking sudo.
To generate the SSH key and copy it to the image:
  1. Generate a key using the ssh-keygen command, and press Enter to accept all defaults when prompted:
    ssh-keygen
  2. Once the key is created, upload it to the machine using the ssh-copy-id command:
    ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
Change Root User Password
The root user password has been set to a random value and should be changed at first login. If a user is locked out, or if the system must be booted in single-user mode for recovery, you will need the root password. To update the root password, run the following command:
sudo passwd
Change Grub Bootloader Password
The grub bootloader requires a user name and password in order to edit the boot-time settings. The user name is portal.
To update the password:
  1. Log in to the system, and run the following command as root to generate a hashed password:
    grub2-mkpasswd-pbkdf2
  2. Open the /etc/grub.d/01_users file, and look for a line similar to the following:
    password_pbkdf2 portal <password-hash>
  3. Replace <password-hash> in the file with the hashed password generated in step 1.
  4. Perform an automatic update of the grub.cfg file on the system by running the following command:
    grub2-mkconfig -o /boot/grub2/grub.cfg
When the system is booted, you can edit the boot-time settings by pressing 'e' and entering the user name portal with the password you just generated.
Upgrade Docker
To prevent accidental upgrades, Docker has been version locked in the OVA. If you want to upgrade Docker, run the following command as root to clear the lock:
yum versionlock clear
Once the lock is cleared, running sudo yum update may upgrade the Docker engine to an unsupported version.
Keeping the Operating System Up To Date
The CentOS OVA should be treated like any other Linux server on your network and have security patches regularly applied, for example:
sudo yum update
Change Password Policy
To change the password policy:
  1. Log in to the machine, and switch to the root user:
    sudo -s
  2. Open the /etc/security/pwquality.conf file, navigate to the bottom of the file, and change or comment out any policy:
    # Per CCE-CCE-27200-5: Set ucredit = -2 in /etc/security/pwquality.conf
    ucredit = -2
    # Per CCE-CCE-27360-7: Set ocredit = -2 in /etc/security/pwquality.conf
    ocredit = -2
    # Per CCE-CCE-27345-8: Set lcredit = -2 in /etc/security/pwquality.conf
    lcredit = -2
    # Per CCE-CCE-27333-4: Set maxrepeat = 2 in /etc/security/pwquality.conf
    maxrepeat = 2
    # Per CCE-CCE-27512-3: Set maxclassrepeat = 4 in /etc/security/pwquality.conf
    maxclassrepeat = 4
    # Per CCE-CCE-27214-6: Set dcredit = -1 in /etc/security/pwquality.conf
    dcredit = -1
    # Per CCE-CCE-27293-0: Set minlen = 15 in /etc/security/pwquality.conf
    minlen = 15
    # Per CCE-CCE-26631-2: Set difok = 8 in /etc/security/pwquality.conf
    difok = 8
    # Per CCE-CCE-27115-5: Set minclass = 4 in /etc/security/pwquality.conf
    minclass = 4
    You can find explanations for each policy at the top of the file. They are also available from https://linux.die.net/man/5/pwquality.conf.
  3. After changing the password policy, you can update the passwords for root and the centos user:
    passwd root
    passwd centos
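The following Python is an added example, not part of this documentation or of the OVA, that models how libpwquality applies the settings above and so lets you see why a candidate password is rejected before you run passwd: it parses a pwquality.conf fragment and reports which settings a password violates. It assumes the function names (parse_conf, longest_run, check_password) and embeds a constructed copy of the settings listed above; negative credits are modelled as minimum counts, while positive (bonus) credits and the difok comparison against the old password are left out.

```python
from itertools import groupby

# Constructed sample of the settings the OVA appends to /etc/security/pwquality.conf.
SAMPLE_CONF = """
# Per CCE-CCE-27200-5: Set ucredit = -2 in /etc/security/pwquality.conf
ucredit = -2
ocredit = -2
lcredit = -2
maxrepeat = 2
maxclassrepeat = 4
dcredit = -1
minlen = 15
minclass = 4
"""

# Character classes keyed by the pwquality credit setting that governs them.
CLASSES = {
    "ucredit": str.isupper,
    "lcredit": str.islower,
    "dcredit": str.isdigit,
    "ocredit": lambda c: not (c.isupper() or c.islower() or c.isdigit()),
}

def parse_conf(text):
    """Parse 'key = value' lines, dropping comments; later lines override earlier ones."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            cfg[key] = int(value)
    return cfg

def longest_run(items, key=None):
    """Length of the longest run of consecutive items that are equal under key."""
    return max((len(list(g)) for _, g in groupby(items, key=key)), default=0)

def check_password(password, cfg):
    """Return the names of the violated settings; an empty list means the password passes."""
    errors = ["minlen"] if len(password) < cfg.get("minlen", 8) else []
    counts = {name: sum(1 for c in password if pred(c)) for name, pred in CLASSES.items()}
    # A negative credit is a minimum count for that class (bonus credits are not modelled).
    errors += [name for name, n in counts.items() if cfg.get(name, 0) < 0 and n < -cfg[name]]
    if sum(n > 0 for n in counts.values()) < cfg.get("minclass", 0):
        errors.append("minclass")
    char_class = lambda c: next(n for n, p in CLASSES.items() if p(c))
    for name, key in (("maxrepeat", None), ("maxclassrepeat", char_class)):
        if cfg.get(name, 0) and longest_run(password, key) > cfg[name]:
            errors.append(name)
    return errors
```

To check the live file instead of the embedded sample, pass the contents of /etc/security/pwquality.conf to parse_conf.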