Linux Instance Clean-up to Use Publicly-shared OMIs
This topic lists all or some of the actions you can take to reduce risks when using an OMI shared by another user.
An OMI created from an instance or a snapshot has the same characteristics as this instance or the instance the snapshot is created from. Therefore, the OMI may include backdoors, vulnerable configurations, or malicious software. Any instance launched from a shared OMI thus includes the same risks as this OMI.
This topic provides command samples for CentOS 7 Linux instances, but the list of actions is the same for other Linux distributions.
You can execute these commands from anywhere in your instance and in any order.
We strongly recommend launching the instance from the shared OMI in a separate, isolated network, that is, using new security groups that allow SSH only and outside of any Virtual Private Cloud (VPC). This prevents the instance from attacking any potentially vulnerable appliance in your network.
The following table gathers the actions you can take to reduce risks when using a public OMI:

Action | CentOS 7 command | Expected Result | Comments
---|---|---|---
Remote access | | |
Enable SSH with SSH keys only | | | If the OMI is not meant to be accessed as root, the element
Check that no extra SSH key is included | | | This action compares the content of the ~/.ssh/authorized_keys file with all public keys allowed on the instance. You need to perform this action for each user meant to connect to the instance.
Check that no extra user is included | | A list of all users able to spawn a shell, that is, all users able to connect to the instance. | Compare the results with what is expected to be on the OMI.
Launch of extra services | | |
Check that no unwanted behavior is configured | | A list of all services. |
Check that no unwanted commands are run | | The .bashrc file. | You need to perform this action for each user able to connect to the instance.
Advanced checks for high-security needs | | |
Check running processes | | A list of all running processes. |
Check open ports | | A list of all open ports, with the program path. |
Check crons | | A list of all user crons. | There is no definitive way to decide whether a script is dangerous. To check what the crons do, you need to read each file and verify its legitimacy.
Check crons (continued) | | The lists of the recurrent crons. |
Check crons (continued) | | The Echo crontab. |
Check crons (continued) | | A configuration file listing all logging services. |
Anti-virus scans | | |
Check that no silent virus is included | | A summary of the scan. |
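The following helpers are an added example, not part of the Outscale documentation or the product. They implement three of the checks above (effective sshd settings, users able to spawn a shell, and extra keys in authorized_keys) as functions that take file paths, so they can be run against the live instance or against files copied off it. The sample file contents used to exercise them are constructed.

```bash
#!/bin/sh
# Added example: audit helpers for an instance launched from a shared OMI.
# Every function reads a file path argument, defaulting to the live system file.

# Effective value of an sshd_config directive (case-insensitive, as sshd treats it).
# sshd honours the FIRST matching line, so a duplicate appended later in the
# file does not override an earlier setting; this mirrors that rule.
sshd_setting() { # $1 = directive name, $2 = sshd_config path
  awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' \
    "${2:-/etc/ssh/sshd_config}"
}

# Accounts whose login shell can spawn an interactive shell, i.e. accounts that
# could be used to connect. Shells ending in nologin or false are excluded.
shell_users() { # $1 = passwd-format file
  awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "${1:-/etc/passwd}" | sort
}

# Extract "type body" pairs from an authorized_keys-style file, skipping blank
# and comment lines and any leading key options (e.g. command="..."), and
# ignoring the trailing comment field so the same key is matched regardless of label.
key_pairs() { # $1 = file
  awk '/^[[:space:]]*(#|$)/ { next }
       { for (i = 1; i < NF; i++)
           if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i + 1); break } }' "$1" | sort -u
}

# Keys present in an authorized_keys file but absent from the expected-keys file.
# Prints nothing when the file contains only expected keys.
unexpected_keys() { # $1 = authorized_keys, $2 = file of expected public keys
  exp=$(mktemp) && act=$(mktemp) || return 1
  key_pairs "$2" > "$exp"
  key_pairs "$1" > "$act"
  comm -13 "$exp" "$act"
  rm -f "$exp" "$act"
}

# Usage on a live CentOS 7 instance (source this file, then call the helpers):
#   sshd_setting PasswordAuthentication      # expect "no"
#   sshd_setting PermitRootLogin             # expect "no" unless root access is intended
#   shell_users                              # compare with the accounts you expect
#   unexpected_keys ~/.ssh/authorized_keys expected_keys.txt   # expect no output
```

Run `shell_users` and `unexpected_keys` once per account that is meant to connect, as the table notes, and review any output line by line before deciding whether to keep the instance.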