Base-images Management - FIWARE Forge Wiki

Base-images Management

From FIWARE Forge Wiki

Creating base images is a very important operation, mainly because of the security updates and configuration they carry. We download the official images for OpenStack of the different operating systems supported in FIWARE Lab. We manage three options:

  • CentOS 6 and 7,
  • Ubuntu 14.04 and 16.04 (LTS releases) and
  • Debian 7 and 8.

However, we try to make the default image a little more secure by performing some operations on the base image. For this purpose, we follow the recommendations of the Center for Internet Security (CIS). CIS is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats. The CIS Benchmarks are the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. They provide a very exhaustive guideline, continuously refined and verified, for configuring an operating system in a secure way. The recommendations that we adopt in the configuration of the virtual machines are the following:

  • We remove the default password for the default user. Additionally, the only valid method to log in to the instances is a public-private key pair.
  • The root user cannot be used to access the instance through SSH.
  • We remove the less secure ciphers and the less secure key exchange methods from the list of valid ones.
  • We add a warning banner explaining that authorization is needed to access these instances.
  • We add some IPTables rules to ensure that, by default, only some ports (ssh, http and https) can be used.
  • By default, we enable only automatic security updates.
  • Administrative access to the instances uses a specific user with both a password and a public-private key. Every FIWARE Lab node has a corresponding administrator assigned, who contacts us to provide details about this access.

All the FIWARE GEis that are deployed using these base images inherit those security configuration options. Sometimes, to meet the requirements of the FIWARE GEi owners, we need to modify the IPTables rules in order to allow the use of other ports.
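The SSH items in the list above (key-only login, no root login, warning banner, no weak ciphers or key exchange methods) can be checked against an image's `sshd_config` before it is published. The following is an added example, not FIWARE's own tooling; the weak-algorithm lists and the sample configuration are assumptions, since the page does not name the algorithms it removes.

```python
import re
# Assumed deny-lists: the page does not name the algorithms it removes.
WEAK_CIPHER_MARKERS = ("-cbc", "arcfour", "3des")
WEAK_KEX = ("diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1")

def parse_global(text):
    """Global-section options as {keyword: value}; sshd uses the first value seen."""
    opts = {}
    for raw in text.splitlines():
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)$", raw.strip())
        if not m:                       # blank line, comment, or bare keyword
            continue
        key = m.group(1).lower()        # keywords are case-insensitive
        if key == "match":              # conditional blocks are out of scope here
            break
        opts.setdefault(key, m.group(2).strip())
    return opts

def audit(text):
    """Return a list of findings; an empty list means every SSH check passed."""
    o, findings = parse_global(text), []
    if o.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication must be 'no'")
    if o.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin must be 'no'")
    if o.get("banner", "none").lower() == "none":
        findings.append("Banner is not set")
    checks = (("ciphers", lambda a: any(w in a for w in WEAK_CIPHER_MARKERS)),
              ("kexalgorithms", lambda a: a in WEAK_KEX))
    for key, is_weak in checks:
        value = o.get(key, "").lower()
        if not value or value[0] in "+-^":   # unset, or relative to version defaults
            findings.append(f"{key}: no explicit list, review effective defaults")
            continue
        weak = [a.strip() for a in value.split(",") if is_weak(a.strip())]
        if weak:
            findings.append(f"{key}: weak entries {','.join(weak)}")
    return findings

SAMPLE = """\
# constructed sample, not taken from a FIWARE image
PermitRootLogin no
permitrootlogin yes
PasswordAuthentication no
Ciphers aes256-ctr,aes128-cbc
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1
Match User labadmin
    PasswordAuthentication yes
"""
```

`audit(SAMPLE)` reports the missing banner and the two weak algorithm entries; the second `permitrootlogin` line is ignored because the first value wins. The same function accepts the output of `sshd -T`, which prints the effective configuration including defaults.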
