Linux VM Clean-Up to Use Publicly-Shared OMIs

This topic lists actions you can take to reduce risks when using an OMI shared by another user.

An OMI created from a virtual machine (VM) or a snapshot has the same characteristics as this VM or the VM the snapshot is created from. Therefore, the OMI may include backdoors, vulnerable configurations, or malicious software. Any VM created from a shared OMI thus includes the same risks as this OMI.

Overview

This topic provides command samples for CentOS 7 Linux VMs, but the list of actions is the same for other Linux VMs.

You can execute these commands from anywhere in your VM and in any order.

We strongly recommend creating the VM from the shared OMI in a separate, isolated network, that is, using new security groups that allow SSH only, and outside of any Net. This prevents the VM from reaching, and potentially attacking, vulnerable appliances in your network.

The following sections gather the actions you can take to reduce risks when using a public OMI:

Remote Access

SSH

Check that SSH is enabled with SSH keys only:

$ cat /etc/ssh/sshd_config | grep -e '^PermitRootLogin' -e '^StrictModes' -e '^RSAAuthentication' -e '^PubkeyAuthentication' -e '^PermitEmptyPasswords' -e '^AuthorizedKeysFile'

Expected result:

PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
AuthorizedKeysFile .ssh/authorized_keys

If the OMI is not meant to be accessed as root, PermitRootLogin is set to no instead. These settings enforce SSH-key authentication and deny password authentication, which is considered a weak authentication method.
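The grep above shows the raw lines; the following script is an added example (not part of the original page) that turns the expected result into a repeatable check. It reads an sshd_config file, takes the first uncommented occurrence of each directive (the one sshd honours), and reports every directive that is missing or differs from the expected value. The expected values are the ones listed above; the demo config at the end is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original page: audit an sshd_config file against
# the directive values the page expects. check_sshd_config FILE prints one line per
# problem and returns 1 if any expected directive is missing or differs, 0 otherwise.

# Expected "Directive value" pairs, taken from the page's expected result.
EXPECTED_SSHD='PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
AuthorizedKeysFile .ssh/authorized_keys'

# Effective value of one directive. sshd honours the first occurrence of a
# directive, so print the first uncommented match (directive names are
# case-insensitive in sshd_config).
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

check_sshd_config() {
    cfg="$1"
    rc=0
    # A here-document keeps the loop in the current shell so rc survives it.
    while read -r key want; do
        got=$(sshd_value "$cfg" "$key")
        # OpenSSH 7.0+ spells without-password as prohibit-password; accept both.
        if [ "$key" = PermitRootLogin ] && [ "$got" = prohibit-password ]; then
            got=without-password
        fi
        if [ -z "$got" ]; then
            echo "MISSING  $key: not set, sshd default applies (want '$want')"
            rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key: got '$got', want '$want'"
            rc=1
        fi
    done <<EOF
$EXPECTED_SSHD
EOF
    return $rc
}

# Demo on a constructed config with two deliberate problems (a commented-out
# PermitRootLogin and PermitEmptyPasswords yes). On a real VM, run:
#   check_sshd_config /etc/ssh/sshd_config
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
#PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords yes
AuthorizedKeysFile .ssh/authorized_keys
EOF
check_sshd_config "$demo_cfg" || echo "sshd_config needs clean-up before the OMI is reused"
rm -f "$demo_cfg"
```

A directive that is absent is reported as MISSING rather than silently passed, because sshd then applies its built-in default, which may be weaker than the value expected above. RSAAuthentication only exists in older OpenSSH releases such as the one shipped with CentOS 7; on a newer distribution, drop that line from EXPECTED_SSHD.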

Extra SSH Keys

Check that no extra SSH key is included:

$ diff -q -b <(curl -s http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key)  <(cat $HOME/.ssh/authorized_keys) > /dev/null ; echo $?

Expected result:

  • 0, if the ~/.ssh/authorized_keys file only contains the key provided by the meta-data server.

  • 1, if there is a difference.

This action compares the content of the ~/.ssh/authorized_keys file, which lists all public keys allowed to connect as this user, with the public key provided by the meta-data server.

You need to perform this action for each user meant to connect to the VM.

Extra Users

Check that no extra user is included:

$ cat /etc/passwd | grep -vF -e "/bin/false" -e "/bin/nologin" -e "/usr/sbin/nologin"

Expected result:

  • A list of all users able to spawn a shell, that is, all users able to connect to the VM.

Compare this list with the users expected to be on the OMI.
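The two checks above have to be repeated for every account that can spawn a shell. The script below is an added example (not part of the original page) that chains them: it lists the shell users from a passwd file and, for each one, reports keys in its authorized_keys that are not in a file of expected keys. Unlike the diff -b above, it compares only the key type and key material, so a key whose comment field was merely rewritten is not reported as extra. The directory tree, the passwd entries and the key strings in the demo are constructed placeholders; on a real VM the root directory is / and the expected-keys file holds the key fetched from the meta-data server as shown above.

```shell
#!/bin/sh
# Added example, not part of the original page: list every account that can spawn
# a shell (the page's /etc/passwd check) and, for each one, report SSH keys in its
# authorized_keys that are not in a file of expected keys (the page's
# authorized_keys check). Keys are compared on type and key material only, so a
# key that merely carries a different comment is not reported as extra.

# Print "user:home" for each account whose login shell is not a no-login shell.
shell_users() {
    awk -F: '$7 !~ /\/(false|nologin)$/ { print $1 ":" $6 }' "$1"
}

# Normalise a key file to sorted "type base64" lines; comments and blank lines
# are dropped. Keys prefixed with options (command="...") are not handled.
key_material() {
    awk '$1 !~ /^#/ && NF >= 2 { print $1 " " $2 }' "$1" | sort -u
}

# Print keys present in authorized_keys $1 but absent from expected file $2.
# Returns 1 if at least one extra key was found, 0 otherwise.
extra_keys() {
    have=$(mktemp); want=$(mktemp)
    key_material "$1" > "$have"
    key_material "$2" > "$want"
    extras=$(comm -23 "$have" "$want")
    rm -f "$have" "$want"
    [ -z "$extras" ] && return 0
    printf '%s\n' "$extras"
    return 1
}

# Walk all shell users found under root directory $1 (use / on a real VM) and
# check each user's authorized_keys against expected-keys file $2.
audit_authorized_keys() {
    root="$1"; expected="$2"; rc=0
    list=$(mktemp)
    shell_users "$root/etc/passwd" > "$list"
    while IFS=: read -r user home; do
        keys="$root$home/.ssh/authorized_keys"
        if [ ! -f "$keys" ]; then
            echo "$user: no authorized_keys file"
            continue
        fi
        if ! extra_keys "$keys" "$expected" > "$list.extra"; then
            echo "$user: extra key(s) in $keys:"
            sed 's/^/    /' "$list.extra"
            rc=1
        fi
    done < "$list"
    rm -f "$list" "$list.extra"
    return $rc
}

# Constructed demo tree; key strings are placeholders, not real keys.
demo=$(mktemp -d)
mkdir -p "$demo/etc" "$demo/root/.ssh" "$demo/home/app/.ssh"
cat > "$demo/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
app:x:1000:1000::/home/app:/bin/bash
EOF
# The key the meta-data server provides (on a real VM, fetch it with curl as above).
echo 'ssh-rsa AAAAEXAMPLEKEY1 user@workstation' > "$demo/expected_keys"
echo 'ssh-rsa AAAAEXAMPLEKEY1 root@omi' > "$demo/root/.ssh/authorized_keys"
printf 'ssh-rsa AAAAEXAMPLEKEY1 app@omi\nssh-ed25519 AAAAEXAMPLEKEY2 leftover@previous-owner\n' \
    > "$demo/home/app/.ssh/authorized_keys"
audit_authorized_keys "$demo" "$demo/expected_keys" || echo "clean-up required"
```

In the demo, root passes (same key material, different comment) and app is reported with one extra ed25519 key. Reading every user's authorized_keys requires root, so run the audit as root or with sudo on a real VM.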

Launch of Extra Services

Extra Services

Check that no unwanted behavior is configured:

$ ls /etc/init.d/

Expected result:

  • A list of all services.

The directory depends on the distribution; you can also check the /etc/rc.d/ directory.

Unwanted Commands

Check that no unwanted commands are run:

$ cat $HOME/.bashrc

Expected result:

  • A list of commands automatically run when a shell is started.

You need to perform this action for each user able to connect to the VM.

Advanced Checks for High-Security Needs

Running Processes

Check running processes:

$ ps aux

Expected result:

  • A list of all running processes.

Open Ports

Check open ports:

$ netstat -nalp

Expected result:

  • A list of all open ports, with the program path.
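Reading the full netstat listing by eye does not scale when the check is repeated on every VM built from the OMI. The script below is an added example (not part of the original page) that keeps only listening sockets from netstat -nalp output and reports the ones whose protocol and port are not in an allow list, together with the owning program. The sample output and the allow list are constructed; on a real VM, save the output of netstat -nalp to a file and pass the listeners the OMI is expected to expose.

```shell
#!/bin/sh
# Added example, not part of the original page: reduce `netstat -nalp` output to
# listening sockets and report those whose proto/port is not in an allow list, so
# the review of open ports can be repeated and compared with what the OMI should
# expose.

# $1 = file holding `netstat -nalp` output, $2 = space-separated "proto/port"
# list of expected listeners. Prints unexpected listeners; returns 1 if any.
unexpected_listeners() {
    awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 !~ /^(tcp|udp)/ { next }              # header lines and unix sockets
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }   # established TCP, not listeners
        {
            port = $4; sub(/.*:/, "", port)      # "0.0.0.0:22" or ":::22" -> "22"
            proto = $1; sub(/6$/, "", proto)     # tcp6/udp6 -> tcp/udp
            key = proto "/" port
            if (!(key in ok)) { found = 1; print key, "on", $4, "by", $NF }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Constructed sample output (not captured from a real VM).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1012/master
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2201/unknownd
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 2310/sshd: admin
udp        0      0 0.0.0.0:68              0.0.0.0:*                           690/dhclient
Active UNIX domain sockets (servers and established)
unix  2      [ ACC ]     STREAM     LISTENING     12345    1/systemd            /run/systemd/private
EOF
# Listeners the OMI is expected to have: SSH, local MTA, DHCP client.
unexpected_listeners "$sample" "tcp/22 tcp/25 udp/68" || echo "review the listener(s) above"
```

The demo reports only tcp/4444 and the program bound to it; every other socket is either allowed, an established connection, or a Unix socket. Run netstat as root so that the PID/Program name column is filled for every socket; on distributions where netstat is no longer installed, ss -tulpn gives the same information in a different layout, so the field positions in the awk program would need adjusting.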

Crons

Check crons:

$ for user in $(cut -f1 -d: /etc/passwd); do crontab -u $user -l 2>/dev/null | grep -v '^#'; done
$ ls /etc/cron.*/
$ cat /etc/crontab
$ cat /etc/rsyslog.conf /etc/rsyslog.d/*

Expected result:

  • Lists of cron scripts.

To check what the crons do, you need to read the files and check the legitimacy of each one.

Anti-Virus Scans

Check that no silent virus is included:

$ yum install clamav clamav-update
$ sed -i '/^Example/d' /etc/freshclam.conf
$ freshclam
$ clamscan -r /

Expected result:

  • A summary of the scan.

These commands use ClamAV, an open source anti-virus scanner available at the following address: https://www.clamav.net/downloads.