CIS Hardening Support In Container-Optimized OS From Google

  • aster.cloud
  • May 18, 2022
  • 3 minute read

At Google, we follow a security-first philosophy to make safeguarding our clients’ and users’ data easier and more scalable, with strong security principles built into multiple layers of Google Cloud. In line with this philosophy, we want to make sure that our Container-Optimized OS adheres to industry-standard security best practices. To this end, we released a CIS benchmark for Container-Optimized OS that codifies the recommendations for hardening and security measures we have been using. Our Container-Optimized OS 97 releases now support CIS Level 1 compliance, with an option to enable support for CIS Level 2 hardening.

CIS benchmarks help define the security recommendations for various software systems, including various operating systems. In the past, Google had developed a CIS benchmark for Kubernetes as part of the continued contributions to the container orchestration space. We decided to build a CIS benchmark for Container-Optimized OS because they are well recognized across the industry, are created and reviewed in open source, and can provide a good baseline when it comes to hardening your operating systems.

Our benchmarks for Container-Optimized OS are based on the CIS benchmarks defined by their security community for distribution-independent Linux OSes. In addition to applying some of the security recommendations for generic Linuxes—such as making file permissions more strict—we included measures to support hardening specific to Container-Optimized OS, such as verifying that the OS has the capabilities for checking filesystem integrity with dm-verity or that logs can be exported to Cloud Logging. We also removed some checks that don’t apply to Container-Optimized OS due to its minimal OS footprint that can reduce the attack surface. Container-Optimized OS 97 and later versions come with support for CIS Level 1 and can allow users to optionally apply support for Level 2 hardening as well.

Compliance is not just about a one-time hardening effort, however. You will need to ensure that the deployed OS images stay within compliance throughout their life. At Google, we continually run scans on our Google Cloud projects to help verify that our VMs and container images are kept up-to-date with the latest CIS security guidelines. To help scan a wide range of products with a low resource usage overhead, we developed Localtoast, our own open-source configuration scanner.

Localtoast is highly customizable and can be used to detect insecure OS configurations on local and remote machines, VMs, and containers. Google uses Localtoast internally to help verify CIS compliance on a wide range of Container-Optimized OS installations and other OSes. Its configuration and scan results are stored in the same Grafeas format that deploy-time security enforcement systems such as Kritis use, which can make it easier to integrate with existing supply chain security and integrity tooling. See this video for a showcase of how you can use this Localtoast scanner on COS.

Included in the Localtoast repo is a set of scan configuration files that help scan Container-Optimized OS’ CIS benchmarks. For other Linux OSes, we include a fallback config which supports and is based on the distribution-independent Linux CIS benchmarks and aims to help provide relevant security findings for a wide range of Linuxes—with support for more OSes coming in the future.

Apart from the configs for scanning live instances, we also released modified configs for scanning container images.
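To make the kind of check described above concrete, here is a minimal configuration scanner added as an illustration for this post. It is not Localtoast's code or one of its scan configs, and the finding layout it prints is a plain dataclass, not the Grafeas format. It builds a throwaway fake root containing a few sensitive files, runs a CIS-style "stricter file permissions" check over them (so it can also be pointed at a mounted image root rather than the live system), and checks two constructed kernel command lines for a dm-verity-backed root. The file list, the maximum modes and the `dm=` parameter layout are assumptions made for the example.

```python
"""Added example: a tiny CIS-style configuration scanner.

Not Localtoast and not a Google or CIS artifact. Two check families are shown:
  1. file permission maxima for sensitive files (generic Linux CIS style)
  2. a dm-verity root check on the kernel command line
Finding fields are illustrative and deliberately not the Grafeas schema.
"""
import os
import shlex
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class Finding:
    check_id: str   # which benchmark-style check produced this finding
    resource: str   # file path, or "kernel-cmdline"
    passed: bool
    detail: str


# Illustrative maximum modes: these files must not be group/world-writable and
# /etc/shadow must not be world-readable. Constructed for this example.
MAX_MODES = {
    "/etc/passwd": 0o644,
    "/etc/shadow": 0o640,
    "/etc/ssh/sshd_config": 0o600,
}


def check_mode(path: str, actual_mode: int, max_mode: int) -> Finding:
    """Fail when the file grants any permission bit the benchmark maximum does not."""
    actual = stat.S_IMODE(actual_mode)
    extra = actual & ~max_mode
    if extra == 0:
        return Finding("file-permissions", path, True,
                       f"mode {oct(actual)} within {oct(max_mode)}")
    return Finding("file-permissions", path, False,
                   f"mode {oct(actual)} exceeds {oct(max_mode)} by {oct(extra)}")


def check_cmdline_verity(cmdline: str) -> Finding:
    """Look for a dm-verity root in the kernel command line.

    Assumption (not taken from the post): the root is described by a quoted
    'dm=' parameter whose device-mapper table names the 'verity' target.
    """
    for param in shlex.split(cmdline):
        key, _, value = param.partition("=")
        if key == "dm" and "verity" in value.split():
            return Finding("rootfs-dm-verity", "kernel-cmdline", True,
                           "verity target present in dm= table")
    return Finding("rootfs-dm-verity", "kernel-cmdline", False,
                   "no dm-verity root target found")


def scan_files(root: str, max_modes=MAX_MODES) -> list:
    """Run the permission checks against files under an alternate root
    (the live system with root="/", or a mounted image directory)."""
    findings = []
    for rel_path, max_mode in max_modes.items():
        full = os.path.join(root, rel_path.lstrip("/"))
        if not os.path.exists(full):
            findings.append(Finding("file-permissions", rel_path, False, "file missing"))
            continue
        findings.append(check_mode(rel_path, os.stat(full).st_mode, max_mode))
    return findings


def build_sample_root() -> str:
    """Construct a throwaway fake root: one compliant and two over-permissive files."""
    root = tempfile.mkdtemp(prefix="cis-demo-")
    os.makedirs(os.path.join(root, "etc", "ssh"))
    for rel, mode in (("etc/passwd", 0o644),
                      ("etc/shadow", 0o644),          # world-readable: should fail
                      ("etc/ssh/sshd_config", 0o664)):  # group-writable: should fail
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("# constructed placeholder\n")
        os.chmod(path, mode)
    return root


# Constructed sample command lines (PARTUUIDs are placeholders).
SAMPLE_CMDLINE_GOOD = ('console=ttyS0 dm="1 vroot none ro 1,0 4096 verity '
                       'payload=PARTUUID=placeholder hashtree=PARTUUID=placeholder '
                       'alg=sha256" root=/dev/dm-0')
SAMPLE_CMDLINE_BAD = "console=ttyS0 root=/dev/sda1 rw"


def run_demo() -> list:
    """Scan the fake root and both command lines, print and return the findings."""
    findings = scan_files(build_sample_root())
    findings += [check_cmdline_verity(SAMPLE_CMDLINE_GOOD),
                 check_cmdline_verity(SAMPLE_CMDLINE_BAD)]
    for f in findings:
        print(f"[{'PASS' if f.passed else 'FAIL'}] {f.check_id} {f.resource}: {f.detail}")
    return findings


if __name__ == "__main__":
    run_demo()
```

Run it as a script to see three permission findings (one pass, two fails) followed by a pass and a fail for the two command lines. The point of expressing each check as a pure function over a mode integer or a string is that the same logic can be applied to a live host, a mounted disk image, or a container image root without changing the check itself, which is the separation a config-driven scanner such as the one the post describes relies on.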

Container-Optimized OS 97 and above comes with Localtoast and the Container-Optimized OS-specific scanning config that supports CIS compliance pre-installed. We welcome you to try out our user guide, and hope that the provided tools will help you get a step further in your journey toward keeping your cloud infrastructure secure.

If you have any questions, don’t hesitate to reach out to us.

By: Erik Varga (SWE, Vulnerability Management Team) and Anil Altinay (SWE, Container-Optimized OS Team)
Source: Google Cloud Blog