Configure and Start CentOS 7 OVA Version 3 Image

The CentOS 7 Hardened Image is available in OVA format. This section describes the technical specifications, security and hardening summary, and how to configure and launch version 3 of the OVA image.
Technical Specifications
The hardened OVA has the following specifications:
Processor Cores: 
Operating System: CentOS Linux release 7.6.1810 (Core)
Docker Version: docker-ce 18.09.2
Partition Information:
  Partition Name: 
  Disk Space: all remaining space (332GB)
Security and Hardening Summary
The hardened OVA was scanned against multiple profiles for CentOS 7 using the OpenSCAP scanner. The scan results for each profile are listed below.
  • Standard System Security Profile
  • PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7
  • C2S for Red Hat Enterprise Linux 7
  • Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
  • DISA STIG for Red Hat Enterprise Linux 7
  • United States Government Configuration Baseline
  • Criminal Justice Information Services (CJIS) Security Policy
  • Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
  • Health Insurance Portability and Accountability Act (HIPAA)
Upon booting the hardened image, there are some tasks that should be completed to ensure the image is secure and troubleshooting can be performed if necessary.
Log In to the Image
The default user name for the hardened image is 
 and the default password is 
Change CentOS User Password
The password for the CentOS user must be changed immediately. This is enforced by the system and there is no way to skip this step. The password must meet the following requirements:
  • At least 15 characters long
  • Contains 2 uppercase letters
  • Contains 2 lowercase letters
  • Contains 2 special characters
  • Cannot have more than 4 characters of any type in a row
Upload an SSH Key (Optional)
If you wish to log in to the hardened image without being prompted for a password, you can generate an 
 key and copy it to the image. Note that you will still be required to use a password when invoking 
To generate the 
 key, and copy it to the image:
  1. Generate a key using the 
     command, and press 
    to accept all defaults when prompted:
  2. Once the key is created, upload it to the machine using the 
    ssh-copy-id -i ~/.ssh/ [email protected]
Change Root User Password
The root user password has been set to a random value and should be changed at first login. If a user is locked out, or if the system must be booted in single-user mode for recovery, you will need the root password. To update the root password, run the following command:
sudo passwd
Change Grub Bootloader Password
The grub bootloader requires a user name and password in order to edit the boot-time settings. The user name is 
To update the password:
  1. Log in to the system, and run the following command as root to generate a hashed password:
  2. Open the 
    file, and look for a line similar to the following:
    password_pbkdf2 portal <password-hash>
  3. Replace 
     in the file with the hashed password generated from step 1.
  4. Perform an automatic update of the 
     file on the system by running the following command:
    grub2-mkconfig -o /boot/grub2/grub.cfg
When the system is booted, you can edit the boot-time settings by pressing '
' and entering the user name 
 with the password you just generated.
Upgrade Docker
To prevent accidental upgrades, Docker has been version locked in the OVA. If you want to upgrade Docker, run the following command as root to clear the lock:
yum versionlock clear
Running the above command can result in the Docker engine being upgraded to an unsupported version if the sudo yum update command is also run.
Keeping the Operating System Up To Date
The CentOS OVA should be treated like any other Linux server on your network and have security patches regularly applied, for example:
sudo yum update
Change Password Policy
To change the password policy:
  1. Log in to the machine, and switch to the root user:
    sudo -s
  2. Open the 
     file, navigate to the bottom of the file, and change or comment out any policy:
    # Per CCE-CCE-27200-5: Set ucredit = -2 in /etc/security/pwquality.conf
    ucredit = -2
    # Per CCE-CCE-27360-7: Set ocredit = -2 in /etc/security/pwquality.conf
    ocredit = -2
    # Per CCE-CCE-27345-8: Set lcredit = -2 in /etc/security/pwquality.conf
    lcredit = -2
    # Per CCE-CCE-27333-4: Set maxrepeat = 2 in /etc/security/pwquality.conf
    maxrepeat = 2
    # Per CCE-CCE-27512-3: Set maxclassrepeat = 4 in /etc/security/pwquality.conf
    maxclassrepeat = 4
    # Per CCE-CCE-27214-6: Set dcredit = -1 in /etc/security/pwquality.conf
    dcredit = -1
    # Per CCE-CCE-27293-0: Set minlen = 15 in /etc/security/pwquality.conf
    minlen = 15
    # Per CCE-CCE-26631-2: Set difok = 8 in /etc/security/pwquality.conf
    difok = 8
    # Per CCE-CCE-27115-5: Set minclass = 4 in /etc/security/pwquality.conf
    minclass = 4
    You can find explanations for each policy at the top of the file. They are also available from
  3. After changing the password policy, you can update the password for root and the CentOS user:
    passwd root
    passwd centos
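The password requirements listed earlier (15 characters, 2 uppercase, 2 lowercase, 2 special, no more than 4 of one type in a row) are exactly what the pwquality.conf settings above encode: a negative credit such as ucredit = -2 is a minimum count for that class, and maxclassrepeat = 4 limits consecutive characters of one class. The following added example (not part of the OVA documentation or its tooling) parses settings in that file format and reports which ones a candidate password would violate, so an administrator can check a password before running passwd; it uses a constructed sample conf with the OVA's values and does not model positive credits or difok.

```python
# Added example, not the OVA's own code; constructed conf with the OVA's values.
SAMPLE_CONF = """
minlen = 15
ucredit = -2
lcredit = -2
ocredit = -2
dcredit = -1
maxrepeat = 2
maxclassrepeat = 4
minclass = 4
"""
def parse_pwquality(text):
    """Return {setting: int} from 'key = value' lines; comments/blanks skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition("=")
            conf[key.strip()] = int(value)
    return conf

# Character classes as pwquality groups them, keyed by their credit setting.
CLASSES = {"dcredit": str.isdigit, "ucredit": str.isupper,
           "lcredit": str.islower, "ocredit": lambda c: not c.isalnum()}

def char_class(c):
    return next((n for n, test in CLASSES.items() if test(c)), "ocredit")

def longest_run(pw, key):
    # Length of the longest run of consecutive characters with equal key(c).
    prev, run, longest = None, 0, 0
    for c in pw:
        run = run + 1 if key(c) == prev else 1
        prev, longest = key(c), max(longest, run)
    return longest

def check_password(pw, conf):
    """Return the settings pw violates; a negative credit is a minimum count."""
    problems = []
    for name, test in CLASSES.items():      # e.g. ucredit = -2: 2+ uppercase
        if sum(map(test, pw)) < -conf.get(name, 0):
            problems.append(name)
    if len(pw) < conf.get("minlen", 8):
        problems.append("minlen")
    if sum(any(map(t, pw)) for t in CLASSES.values()) < conf.get("minclass", 0):
        problems.append("minclass")
    if 0 < conf.get("maxrepeat", 0) < longest_run(pw, lambda c: c):
        problems.append("maxrepeat")        # same character too many times in a row
    if 0 < conf.get("maxclassrepeat", 0) < longest_run(pw, char_class):
        problems.append("maxclassrepeat")   # too many of one class in a row
    return problems
```

Note that a long passphrase such as Correct-Horse-Battery9! satisfies the length and class-count rules but still fails on maxclassrepeat, because it contains runs of more than four lowercase letters.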