本文档介绍了 CIS 基准是什么、基准与 Container-Optimized OS (COS) 有何关系、如何审核实例中的合规性状态,以及如何在发生故障时进行问题排查。
概览
互联网安全中心 (CIS) 发布了针对各平台的最佳做法安全建议的基准。Container-Optimized OS CIS Benchmark 是一系列关于配置使用 Container-Optimized OS 来支持强大安全状况的实例的建议。
访问基准
CIS 网站上提供了 Container-Optimized OS CIS 基准:
- 转到 CIS 基准下载页面。
- 搜索 CIS Google Container-Optimized OS Benchmark。
- 点击下载 PDF。
安全建议等级
CIS 针对 Container-Optimized OS 定义了以下建议级别。
第 1 级
此级别的建议适用于大多数环境。此级别提供如下建议:
- 地址随机分配功能处于启用状态
/tmp
不能用于运行可执行二进制文件- 数据包重定向发送功能已停用
2 级
此级别的建议会扩展第 1 级建议,从而实现更严格的安全环境。2 级建议并不一定适用于所有情况,因为可能需要对应用做出更改。采纳之前,您应先评估环境级别 2 中的建议。此级别提供如下建议:
- 所有开放端口都有防火墙规则
- 不接受 ICMP 重定向和路由器通告
- 默认用户 shell 超时不得超过 900 秒
Container-Optimized OS 如何符合 CIS 基准
从 Milestone 97 开始,Container-Optimized OS 映像默认符合 CIS 1 级,并提供了符合 CIS 2 级的选项。我们还提供了一个扫描器,可用于根据 CIS 建议级别审核您的实例。
定义建议的 CIS 配置位于 /usr/share/google/security/cis-compliance/cis_config.textproto
中。CIS 扫描工具使用该配置来检查实例的合规性状态。每次 CIS 级合规性扫描程序运行的结果都会写入 /var/lib/google/cis_scanner_scan_result.textproto
。每次运行 CIS 扫描程序时,此文件都会被覆盖。如果任何 CIS 第 1 级或第 2 级扫描失败,cis_scanner_scan_result.textproto
文件会包含所有失败的检查的列表。
检查实例合规性状态
Container-Optimized OS 映像提供以下 systemd 服务,用于检查和配置合规性:
- cis-level1.service:默认处于启用状态,启动时启动。服务启动时,会检查实例是否符合 CIS 1 级。
- cis-level2.service:默认处于停用状态。此服务可让您将实例配置为符合 CIS 2 级标准,并对照 1 级和 2 级标准检查实例的状态。
以下部分介绍了如何检查实例的合规状态,以及如何自动执行审核流程。
检查 CIS 1 级合规性状态
如需查看您的实例是否符合 CIS 1 级标准,请检查 cis-level1.service
的状态:
systemctl status cis-level1
输出内容类似如下:
Reading scan config from /usr/share/google/security/cis-compliance/cis_config.textproto
Running scan of 62 benchmarks
Scan status: SUCCEEDED
Found 0 non-compliant benchmarks
Writing scan results to /var/lib/google/cis_scanner_scan_result.textproto
如果发现任何不符合规定的检查,请参阅 CIS 合规性 1 级/2 级检查失败。
cis-level1.service
仅在实例启动时检查一次 CIS 1 级合规性。要配置定期合规性检查,请参阅定期检查 CIS 合规性状态。
配置 CIS 2 级合规性并检查状态
您可以使用 cis-level2
服务对实例进行配置,以符合 CIS 第 2 级,并对照 1 级和 2 级系统检查合规状态。systemd 服务支持所有 CIS 2 级建议,但以下建议除外:
4.1.1.2 确保 Stackdriver 服务正在运行
此建议仅适用于默认使用 Stackdriver 日志记录代理的实例。由于用户可能更喜欢不同类型的日志记录代理,因此我们会让用户自行启动。因此,
cis-level2
服务不会配置实例,也不会检查此建议的合规性。
对于以下建议,cis-level2
服务会配置实例,但不会验证这些建议的合规状态。
- 3.3.1.1 确保 IPv6 默认拒绝防火墙政策
- 3.3.1.2 确保已配置 IPv6 环回流量
- 3.3.1.3 确保已配置 IPv6 出站和已建立的连接
- 3.3.1.4 确保所有开放端口都存在 IPv6 防火墙规则
- 3.3.2.1 确保默认拒绝防火墙政策
- 3.3.2.2 确保环回流量已配置
- 3.3.2.3 确保已配置出站和已建立的连接
cis-level2
服务默认处于停用状态。如需启动该服务,请运行以下命令:
systemctl start cis-level2.service
如需查看您的实例是否已成功配置并符合 CIS 2 级建议,请检查 cis-level2.service
的状态:
systemctl status cis-level2
输出内容类似如下:
Reading scan config from /usr/share/google/security/cis-compliance/cis_config.textproto
Running scan of 112 benchmarks
Scan status: SUCCEEDED
Found 0 non-compliant benchmarks
Writing scan results to /var/lib/google/cis_scanner_scan_result.textproto
如果实例配置失败或发现任何不符合规定的检查,请参阅问题排查。
cis-level2
服务仅配置一次实例并检查 CIS 2 级合规性是否符合要求。要配置定期合规性检查,请参阅定期检查 CIS 合规性状态。
CIS 合规性状态的定期检查
Container-Optimized OS 映像包含以下服务,以定期检查 CIS 合规性:
- cis-compliance-tracker.service:根据
/etc/cis-scanner/env_vars
中定义的环境变量检查合规性状态。默认情况下,此服务会检查是否符合 CIS 1 级合规性,并处于停用状态。 - cis-compliance-tracker.timer:定期运行
cis-compliance-scanner.service
。默认周期为一天一次。
配置扫描器服务
cis-compliance-scanner.service
负责根据 /etc/cis-scanner/env_vars
中定义的环境变量检查 CIS 合规性的状态。默认情况下,此服务会检查 CIS 1 级合规性。
如需检查 CIS 2 级合规性,请将 /etc/cis-scanner/env_vars
中的 LEVEL 环境变量设置为 2。/etc/cis-scanner/env_vars
文件类似于以下内容:
# cis-compliance-scanner.service environment variables
# The config file defines which checks to perform by cis_scanner
CONFIG="/usr/share/google/security/cis-compliance/cis_config.textproto"
# Where to store the result of the scan
RESULT="/var/lib/google/cis_scanner_scan_result.textproto"
# Upto which level to scan. It can be 1 or 2
LEVEL="2"
# Extra options that can be passed to cis_scanner
# For valid options, see output of `cis_scanner -h`
EXTRA_OPTIONS=""
配置计时器
如需设置定期合规性扫描,请启动 cis-compliance-scanner.timer
单元:
systemctl start cis-compliance-scanner.timer
默认情况下,cis-compliance-scanner.timer
每天启动 cis-compliance-scanner.service
次。如需更改扫描周期,请替换 cis-compliance-scanner.timer
单位的 OnUnitActiveSec 字段:
sudo mkdir /etc/systemd/system/cis-compliance-scanner.timer.d
sudo tee /etc/systemd/system/cis-compliance-scanner.timer.d/override.conf <<EOF
[Unit]
Description=Run CIS Scanner once an hour
[Timer]
OnUnitActiveSec=1h
EOF
此示例将扫描仪时间段设置为每小时一次。
如需应用更改,请重新加载 systemd 单元:
systemctl daemon-reload
停用特定的 CIS 合规性检查
CIS 1 级和 2 级建议适用于大多数环境。不过,有些建议可能不适用于特定的环境。如需停用特定建议,请使用 /etc/cis-scanner/env_vars
中的 EXTRA_OPTIONS 环境变量。
以下 env_vars
文件示例选择停用 etc-passwd-permissions
建议:
# cis-compliance-scanner.service environment variables
# The config file defines which checks to perform by cis_scanner
CONFIG="/usr/share/google/security/cis-compliance/cis_config.textproto"
# Where to store the result of the scan
RESULT="/var/lib/google/cis_scanner_scan_result.textproto"
# Upto which level to scan. It can be 1 or 2
LEVEL="1"
# Extra options that can be passed to cis_scanner
# For valid options:`cis_scanner -h`
EXTRA_OPTIONS="--benchmark-opt-out-ids=etc-passwd-permissions"
自动启用和检查 CIS 合规状态
您可以使用 cloud-init 或 OS Policy 自动执行实例的合规性检查过程。以下示例展示了每个工具的一些用例:
- 示例 1:每天检查一次 CIS 1 级合规性。
- 示例 2:每小时检查一次 CIS 1 级合规性。
- 示例 3:每天检查一次 CIS 2 级合规性。
- 示例 4:停用特定的 CIS 合规性检查。
使用 cloud-init
在尝试以下示例之前,请确保您已按照将 Cloud-init 与 Cloud 配置格式搭配使用中的说明熟悉使用 cloud-init 配置 COS 实例。
示例 1
以下示例配置开始默认 CIS 1 级定期扫描(每天一次),
#cloud-config runcmd: # Check the compliance status of the instance once a day. - systemctl start cis-compliance-scanner.timer
示例 2
以下示例每小时配置一次 CIS 1 级定期扫描。
#cloud-config # Override cis-compliance-scanner.timer with 1 hour frequency. write_files: - path: /etc/systemd/system/cis-compliance-scanner.timer.d/override.conf permissions: 0600 owner: root content: | [Unit] Description=Run CIS Scanner once an hour [Timer] OnUnitActiveSec=1h runcmd: # Reload systemd units. - systemctl daemon-reload # Check the compliance status of the instance once an hour. - systemctl start cis-compliance-scanner.timer
示例 3
以下示例将 CIS 第 2 级定期扫描配置为默认周期为每天一次。
#cloud-config runcmd: # Configure the instance for CIS level 2. - systemctl start cis-level2.service # Change the scan level to CIS Level 2. - sed -i 's/^LEVEL=.*$/LEVEL="2"/' /etc/cis-scanner/env_vars # Check the compliance status of the instance once a day. - systemctl start cis-compliance-scanner.timer
示例 4
以下示例将扫描器配置为每天运行一次,并选择停用特定的 CIS 建议。
#cloud-config runcmd: # Opt-out of the etc-passwd-permissions check. - sed -i 's/^EXTRA.*$/EXTRA_OPTIONS="--benchmark-opt-out-ids=etc-passwd-permissions"/' /etc/cis-scanner/env_vars # Check the compliance of the instance once a day. - systemctl start cis-compliance-scanner.timer
使用操作系统政策
您可以使用操作系统政策来配置 CIS 基准扫描。在开始之前,请确保您已熟悉操作系统政策,包括:
此外,如需进行部署,用户还需要在以下示例配置中添加 instanceFilter
和 rollout
。
示例 1
以下示例配置开始默认 CIS 1 级定期扫描(每天一次),
# An OS policy to check CIS level 1 compliance once a day. osPolicies: - id: ensure-cis-level1-compliance-once-a-day-policy mode: ENFORCEMENT resourceGroups: - resources: id: ensure-cis-level1-compliance-once-a-day exec: validate: interpreter: SHELL # If cis-compliance-scanner.service is active, return an exit code # 100 to indicate that the instance is in compliant state. # Otherwise, return an exit code of 101 to run `enforce` step. script: |- is_active=$(systemctl is-active cis-compliance-scanner.timer) result=$(systemctl show -p Result --value cis-compliance-scanner.service) if [ "$is_active" == "active" ] && [ "$result" == "success" ]; then exit 100; else exit 101; fi enforce: interpreter: SHELL # COS 97 images are by-default CIS Level 1 compliant and there is no # additional configuration needed. However, if certain changes # cause non-compliance because of the workload on the instance, this # section can be used to automate to make fixes. For example, the # workload might generate a file that does not comply with the # recommended file permissions. # Return an exit code of 100 to indicate that the desired changes # successfully applied. script: |- # optional <your code> # Check the compliance of the instance once a day. systemctl start cis-compliance-scanner.timer && exit 100
示例 2
以下示例每小时配置一次 CIS 1 级定期扫描。
# An OS policy to check CIS level 1 compliance once an hour. osPolicies: - id: ensure-cis-level1-compliance-once-an-hour-policy mode: ENFORCEMENT resourceGroups: - resources: id: ensure-cis-level1-compliance-once-an-hour exec: validate: interpreter: SHELL # If cis-compliance-scanner.service is active, return an exit code # 100 to indicate that the instance is in compliant state. # Otherwise, return an exit code of 101 to run `enforce` step. script: |- is_active=$(systemctl is-active cis-compliance-scanner.timer) result=$(systemctl show -p Result --value cis-compliance-scanner.service) if [ "$is_active" == "active" ] && [ "$result" == "success" ]; then exit 100; else exit 101; fi enforce: interpreter: SHELL # Return an exit code of 100 to indicate that the desired changes # were successfully applied. script: |- # Overwrite "OnUnitActiveSec" field of the # cis-compliance-scanner.timer to trigger # cis-compliance-scanner.service once an hour # instead of once a day. mkdir /etc/systemd/system/cis-compliance-scanner.timer.d tee /etc/systemd/system/cis-compliance-scanner.timer.d/override.conf <<EOF [Unit] Description=Run CIS Scanner once an hour [Timer] OnUnitActiveSec=1h EOF # Reload systemd units. systemctl daemon-reload # Check the compliance of the instance once an hour. systemctl start cis-compliance-scanner.timer && exit 100
示例 3
以下示例将 CIS 第 2 级定期扫描配置为默认周期为每天一次。
# An OS policy to check CIS level 2 compliance once a day. osPolicies: - id: ensure-cis-level2-compliance-once-a-day-policy mode: ENFORCEMENT resourceGroups: - resources: id: ensure-cis-level2-compliance-once-a-day exec: validate: interpreter: SHELL # If cis-compliance-scanner.service is active, return an exit code # 100 to indicate that the instance is in compliant state. # Otherwise, return an exit code of 101 to run `enforce` step. script: |- is_active=$(systemctl is-active cis-compliance-scanner.timer) result=$(systemctl show -p Result --value cis-compliance-scanner.service) if [ "$is_active" == "active" ] && [ "$result" == "success" ]; then exit 100; else exit 101; fi enforce: interpreter: SHELL # Return an exit code of 100 to indicate that the desired changes # were successfully applied. script: |- # Configure the instance for CIS level 2. systemctl start cis-level2.service # Change the scan level to 2. sed -i 's/^LEVEL=.*$/LEVEL="2"/' /etc/cis-scanner/env_vars # Check the compliance of the instance once a day. systemctl start cis-compliance-scanner.timer && exit 100
示例 4
以下示例将扫描器配置为每天运行一次,并选择停用特定的 CIS 建议。
# An OS policy to opt-out of CIS check and check compliance status once a day. osPolicies: - id: exclude-cis-check-and-check-compliance-once-a-day-policy mode: ENFORCEMENT resourceGroups: - resources: id: exclude-cis-check-and-check-compliance-once-a-day exec: validate: interpreter: SHELL # If cis-compliance-scanner.service is active, return an exit code # 100 to indicate that the instance is in compliant state. # Otherwise, return an exit code of 101 to run `enforce` step. script: |- is_active=$(systemctl is-active cis-compliance-scanner.timer) result=$(systemctl show -p Result --value cis-compliance-scanner.service) if [ "$is_active" == "active" ] && [ "$result" == "success" ]; then exit 100; else exit 101; fi enforce: interpreter: SHELL # Return an exit code of 100 to indicate that the desired changes # were successfully applied. script: |- # Opt-out of the etc-passwd-permissions check. sed -i 's/^EXTRA.*$/EXTRA_OPTIONS="--benchmark-opt-out-ids=etc-passwd-permissions"/' /etc/cis-scanner/env_vars # Check the compliance of the instance once a day. systemctl start cis-compliance-scanner.timer && exit 100
问题排查
配置实例以符合 CIS 2 级建议失败
cis-level2
服务会先配置实例以符合 CIS 2 级建议,然后检查其是否符合 CIS 1 级和 2 级。如果实例配置失败,cis-level2
服务会退出,并显示以下错误消息:
Job for cis-level2.service failed because the control process exited with error code.
See "systemctl status cis-level2.service" and "journalctl -xeu cis-level2.service" for details.
日志日志将提及未能应用于实例并导致 cis-level2
systemd 服务失败的建议。
CIS 合规级别 1 / 级别 2 检查失败
每次运行 CIS 级别的合规性的扫描结果会写入 /var/lib/google/cis_scanner_scan_result.textproto
。如果任何 CIS 第 1 级或第 2 级扫描失败,textproto 文件将包含所有失败检查的列表,如以下示例所示:
cat /var/lib/google/cis_scanner_scan_result.textproto
# Output
start_time: {
seconds: 1648241700
nanos: 763152171
}
end_time: {
seconds: 1648241700
nanos: 812992527
}
scanner_version: "1.1.4.3"
benchmark_version: "1.0.0"
status: {
status: SUCCEEDED
}
non_compliant_benchmarks: {
id: "etc-passwd-permissions"
compliance_occurrence: {
non_compliant_files: {
path: "/etc/passwd"
reason: "File permission is 0664, expected the following bits to be set: 0444 and the following bits to be clear: 0133"
}
}
}
compliant_benchmarks: {
id: "etc-passwd-permissions"
compliance_occurrence: {}
}
如需缓解失败的检查,请使用 CIS 基准,并按照 Remediation
部分中的步骤检查未通过的检查,使实例合规。如需查找与 CIS 基准中的未通过检查相对应的建议,请在位于 /usr/share/google/security/cis-compliance/cis_config.textproto
的 CIS 扫描程序配置文件中查找 non_compliant_benchmark's
ID。