Linux Instance Clean-up to Use Publicly-shared OMIs

This topic lists the actions you can take to reduce risks when using an OMI shared by another user.

An OMI created from an instance or a snapshot has the same characteristics as that instance, or as the instance the snapshot was created from. The OMI may therefore include backdoors, vulnerable configurations, or malicious software, and any instance launched from a shared OMI carries the same risks as the OMI itself.

This topic provides command samples for CentOS 7 Linux instances, but the list of actions is the same for other Linux distributions.

You can execute these commands from anywhere in your instance and in any order.

We strongly recommend launching the instance from the shared OMI in a separate, isolated network, that is, using new security groups that allow SSH only, and outside any Virtual Private Cloud (VPC). This prevents the instance from attacking any potentially vulnerable appliance in your network.

The following sections gather the actions you can take to reduce risks when using a public OMI. For each action, the CentOS 7 command is given, followed by its expected result and, where relevant, comments.

Remote access

Enable SSH with SSH keys only

Command:

$ grep -e '^PermitRootLogin' -e '^StrictModes' -e '^RSAAuthentication' -e '^PubkeyAuthentication' -e '^PermitEmptyPasswords' -e '^AuthorizedKeysFile' /etc/ssh/sshd_config

Expected result:

PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
AuthorizedKeysFile .ssh/authorized_keys

Comments:

If the OMI is not meant to be accessed as root, PermitRootLogin is set to no instead.
In both cases, this configuration enforces SSH-key authentication and denies passwords, which are considered a weak authentication method.

Check that no extra SSH key is included

Command:

$ diff -q -b <(curl -s http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key) "$HOME/.ssh/authorized_keys" > /dev/null ; echo $?

Expected result:

  • 0, if the ~/.ssh/authorized_keys file only contains the key provided by the meta-data server.

  • 1, if there is a difference.

Comments:

This action compares the content of the ~/.ssh/authorized_keys file with the public key provided by the meta-data server, that is, the key that is allowed on the instance.

You need to perform this action for each user meant to connect to the instance.

Check that no extra user is included

Command:

$ grep -vF -e "/bin/false" -e "/bin/nologin" -e "/usr/sbin/nologin" -e "/sbin/nologin" /etc/passwd

Expected result:

A list of all users able to spawn a shell, that is, all users able to connect to the instance. On CentOS 7, system accounts use /sbin/nologin, so that shell is excluded as well.

Comments:

Compare the result with the users expected to be on the OMI.
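The three remote-access checks above can be run as one script. The following is an added example, not a command from the original page: it turns the checks into functions that take file paths, so it can also be run against files copied off the instance. It assumes the CentOS 7 paths and the meta-data URL used on this page, and it checks PasswordAuthentication in addition to the directives the page lists, because PermitRootLogin only governs the root account and sshd's default for PasswordAuthentication is yes.

```shell
#!/bin/bash
# Added example (not part of the original page): audit sshd settings, shell
# users and authorized_keys on an instance launched from a shared OMI.
# Assumptions: CentOS 7 default paths; the meta-data URL from the page.

# Effective value of one sshd_config directive. sshd uses the first
# uncommented occurrence, so stop at the first match (Match blocks ignored).
sshd_value() {   # $1 = sshd_config path, $2 = directive name
  awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Exit 0 when every directive has the value the page expects, otherwise print
# each deviation and exit 1. An unset directive counts as a deviation, like
# the page's grep, even where the compiled-in default would be acceptable.
check_sshd_config() {   # $1 = sshd_config path
  local cfg="$1" rc=0 v pair
  v=$(sshd_value "$cfg" PermitRootLogin)
  case "$v" in
    without-password|prohibit-password|no) ;;   # "no" when root access is not intended
    *) echo "PermitRootLogin=${v:-<unset>}"; rc=1 ;;
  esac
  # PasswordAuthentication=no is an addition to the page's list (see lead-in).
  for pair in StrictModes=yes RSAAuthentication=yes PubkeyAuthentication=yes \
              PermitEmptyPasswords=no PasswordAuthentication=no \
              AuthorizedKeysFile=.ssh/authorized_keys; do
    v=$(sshd_value "$cfg" "${pair%%=*}")
    [ "$v" = "${pair#*=}" ] || { echo "${pair%%=*}=${v:-<unset>} (expected ${pair#*=})"; rc=1; }
  done
  return $rc
}

# Accounts with a real login shell, printed as "user:home". Same filter as the
# page plus /sbin/nologin, which CentOS 7 system accounts use.
shell_users() {   # $1 = passwd file
  awk -F: '$7 !~ /(\/bin\/false|\/bin\/nologin|\/usr\/sbin\/nologin|\/sbin\/nologin)$/ { print $1 ":" $6 }' "$1"
}

# Keys in an authorized_keys file that are not among the expected keys.
# Exit 0 when at least one unexpected key was printed.
extra_keys() {   # $1 = expected keys (one per line), $2 = authorized_keys file
  grep -vxF -f "$1" "$2" | grep -Ev '^[[:space:]]*(#|$)'
}

# Whole audit: sshd settings plus the authorized_keys of every shell user.
audit_ssh_access() {   # $1 = sshd_config, $2 = passwd file, $3 = expected keys file
  local rc=0 entry user home ak
  check_sshd_config "$1" || rc=1
  for entry in $(shell_users "$2"); do
    user=${entry%%:*}; home=${entry#*:}
    ak="$home/.ssh/authorized_keys"
    [ -f "$ak" ] || continue
    if extra_keys "$3" "$ak" >/dev/null; then
      echo "$user: unexpected key(s) in $ak"; rc=1
    fi
  done
  return $rc
}

# Live run on the instance (root is needed to read every user's authorized_keys):
if [ "${1:-}" = "--live" ]; then
  expected=$(mktemp)
  curl -s http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key > "$expected"
  audit_ssh_access /etc/ssh/sshd_config /etc/passwd "$expected" && echo "remote access: OK"
  rm -f "$expected"
fi
```

Run it as `sudo bash audit-ssh.sh --live` on the instance; without `--live` it only defines the functions, so it can be sourced and pointed at copied files. Every deviation is printed, and the exit status is 0 only when the sshd settings match and no user has a key beyond the one the meta-data server handed out.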

Launch of extra services

Check that no unwanted service is configured to start

Command:

$ ls /etc/init.d/

Expected result:

A list of all services.

Important

Ensure you use the right distribution type. You can also use the /etc/rc.d/ directory.

Check that no unwanted commands are run

Command:

$ cat "$HOME/.bashrc"

Expected result:

The content of the .bashrc file.

Comments:

You need to perform this action for each user able to connect to the instance.
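The two checks above (startup services and per-user login files) can be automated. The following is an added example, not code from the original page. It lists the startup sources, including the systemd service units that CentOS 7 actually enables (the /etc/init.d/ listing only shows legacy SysV scripts), and for each shell user it prints the lines of the login files that are not in the /etc/skel templates. It assumes that user dotfiles were created from /etc/skel, so that any extra line was added afterwards; the passwd and skeleton paths are parameters so the check can run on copied files.

```shell
#!/bin/bash
# Added example (not part of the original page): what starts with the system,
# and what was added to each user's shell init files.
# Assumption: dotfiles were created from /etc/skel, so lines present in a
# user's file but absent from the template were added later.

# Everything that starts without a login session: the SysV scripts the page
# lists, rc.local, and the service units systemd has enabled on CentOS 7.
startup_sources() {
  ls /etc/init.d/ /etc/rc.d/rc.local 2>/dev/null
  if command -v systemctl >/dev/null 2>&1; then
    systemctl list-unit-files --type=service --no-pager 2>/dev/null | grep -w enabled
  fi
  return 0
}

# Lines in a user's shell init files that are absent from the skeleton
# templates. $1 = skeleton directory, $2 = the user's home directory.
# Prints the added lines (comments and blanks dropped); exit status 0 means
# at least one added line was found.
dotfile_drift() {
  local skel="$1" home="$2" f
  for f in .bashrc .bash_profile .bash_login .profile .bash_logout; do
    [ -f "$home/$f" ] || continue
    if [ -f "$skel/$f" ]; then
      grep -vxF -f "$skel/$f" "$home/$f" || true   # lines not in the template
    else
      cat "$home/$f"                                 # no template: every line is user-added
    fi
  done | grep -Ev '^[[:space:]]*(#|$)'
}

# Run the drift check for every account with a real shell (the page's filter
# plus /sbin/nologin, which CentOS 7 system accounts use), prefixing each line
# with the user name. $1 = passwd file, $2 = skeleton directory.
drift_all_users() {
  local entry user home
  for entry in $(awk -F: '$7 !~ /(\/bin\/false|\/bin\/nologin|\/usr\/sbin\/nologin|\/sbin\/nologin)$/ { print $1 ":" $6 }' "${1:-/etc/passwd}"); do
    user=${entry%%:*}; home=${entry#*:}
    dotfile_drift "${2:-/etc/skel}" "$home" | sed "s/^/$user: /"
  done
}

# Live run on the instance (root is needed to read every home directory):
if [ "${1:-}" = "--live" ]; then
  echo "== startup sources =="; startup_sources
  echo "== lines added to login files =="; drift_all_users /etc/passwd /etc/skel
fi
```

Any line reported by drift_all_users is something a previous owner of the image put into a login file; a clean image produces no output for that section. The startup listing still has to be read by hand, as the page says, but it now covers systemd units rather than only /etc/init.d/.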

Advanced checks for high-security needs

Check running processes

Command:

$ ps aux

Expected result:

A list of all running processes.

Check open ports

Command:

$ netstat -nalp

Expected result:

A list of all open ports, with the program path.

Check crons

Command:

$ for user in $(cut -f1 -d: /etc/passwd); do crontab -u "$user" -l 2>/dev/null | grep -v '^#'; done

Expected result:

A list of all user crons.

Comments:

There is no definitive way to tell whether a script is dangerous or not. To check what the crons do, you need to read the files and assess the legitimacy of each one.

Command:

$ ls /etc/cron.*/

Expected result:

The lists of the periodic crons (hourly, daily, weekly, monthly).

Command:

$ cat /etc/crontab

Expected result:

The system-wide crontab.

Command:

$ cat /etc/rsyslog.conf /etc/rsyslog.d/*

Expected result:

The rsyslog configuration files, which list all logging rules.
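The cron checks above produce raw crontab text from several places (per-user crontabs, /etc/crontab, /etc/cron.d/). The following is an added example, not code from the original page: it parses all of them into one "user, command" inventory, so that the reading the page asks for starts from a complete list, and for each command it reports the executable's owner and the package that owns it, which is the quickest way to sort packaged, root-owned jobs from the ones to read first. It assumes the standard vixie-cron file formats and CentOS 7 tooling (rpm, ss), and it uses ss where the page uses netstat, since the net-tools package is not always installed.

```shell
#!/bin/bash
# Added example (not part of the original page): inventory every cron job on
# the host and describe what each one runs.
# Assumptions: vixie-cron file layout; rpm and ss available (CentOS 7).

# Parse crontab text from stdin into "user<TAB>command" lines.
# $1 = "system" for /etc/crontab and /etc/cron.d/* (the user field follows the
# schedule), anything else for a per-user crontab; $2 = that user's name.
cron_jobs() {
  awk -v mode="$1" -v user="$2" '
    /^[ \t]*(#|$)/              { next }   # comments and blank lines
    /^[A-Za-z_][A-Za-z0-9_]*=/  { next }   # environment assignments (SHELL=, PATH=, MAILTO=)
    {
      n = ($1 ~ /^@/) ? 1 : 5              # @reboot/@daily style vs five time fields
      if (mode == "system") { u = $(n + 1); n++ } else { u = user }
      cmd = ""
      for (i = n + 1; i <= NF; i++) cmd = cmd (i > n + 1 ? " " : "") $i
      print u "\t" cmd
    }'
}

# Every job on the host: per-user crontabs (root is needed to read them all),
# the system crontab and the drop-in directory. $1 = passwd file.
all_cron_jobs() {
  local u f
  for u in $(cut -d: -f1 "${1:-/etc/passwd}"); do
    crontab -u "$u" -l 2>/dev/null | cron_jobs user "$u"
  done
  for f in /etc/crontab /etc/cron.d/*; do
    [ -f "$f" ] && cron_jobs system < "$f"
  done
  return 0
}

# For each job, show the executable it runs, its owner, and whether a package
# owns it (rpm -qf is CentOS-specific). Jobs pointing at unpackaged or
# non-root-owned files are the ones to read first.
describe_cron_jobs() {
  all_cron_jobs | while IFS="$(printf '\t')" read -r u cmd; do
    exe=${cmd%% *}
    if [ -e "$exe" ]; then
      printf '%s\t%s\towner=%s\tpackage=%s\n' "$u" "$cmd" \
        "$(stat -c %U "$exe")" "$(rpm -qf "$exe" 2>/dev/null || echo none)"
    else
      printf '%s\t%s\t(not an absolute path, or missing)\n' "$u" "$cmd"
    fi
  done
}

# Live run on the instance:
if [ "${1:-}" = "--live" ]; then
  echo "== cron jobs =="; describe_cron_jobs
  echo "== periodic cron directories =="; ls -l /etc/cron.*/
  echo "== listening sockets =="; ss -lntup
fi
```

The scripts in /etc/cron.hourly and the other periodic directories are not crontab lines, so they are listed with owner and mode instead of parsed; read them the same way. The `ss -lntup` listing gives listening TCP and UDP sockets with the owning process, the same information as the page's `netstat -nalp` restricted to listeners.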

Anti-virus scans

Check that no silent virus is included

These commands use ClamAV, an open source anti-virus scanner available at the following address: https://www.clamav.net/downloads.

Command:

$ yum install clamav clamav-update
$ sed -i '/^Example/d' /etc/freshclam.conf
$ freshclam
$ clamscan -r /

Expected result:

A summary of the scan.
