Base-images Management

The creation of base images is a very important operation mainly due the security updates and configuration of them. For this purpose, we download the official images of the different operating systems supported in the FIWARE Lab. There are the three options that we can manage:

  • CentOS 6 and 7,

  • Ubuntu 14.04, 16.04, and 18.04 (LTS releases), and

  • Debian 7 and 8.

However, we modify these images in order to make the default image a little more secure by doing some operations on them. For this purpose, we follow the recommendations of the Centre for Internet Security (CIS). CIS is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats. CIS Benchmarks is the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. It provides a very exhaustive guideline, continuously refined and verified, to configure Operating System in a secure way. The recommendations, that we adopt in the configuration of the virtual machines, are the following:

  • We remove the default password for the default user. Additionally, the only valid method to login on the operating system is through public-private key.

  • Root user is disabled to be used to access to the Instance through SSH.

  • We remove the less secure ciphers from the list of available valid ciphers and the less secure key exchange methods.

  • We add a warning banner explaining that an authorization is needed to access them.

  • We add some IPTables rules to ensure that by default, only some ports (ssh, http and https can be used).

  • By default, we enable only automatic security updates.

  • The administrative access to the operating system is allowed only using a specific user with both password and public-private key. Every FIWARE Lab node has assigned the corresponding administrator who contact us to provide details about this public-private key access.

All the FIWARE GEs, that are deployed using these base images, inherit these security configuration options. Sometimes, under the requirements of the FIWARE GEs owners, we need to modify IPTables rules in order to allow the use of some other ports.