Hardened Image general update and upgrade questions
Product Name
CIS Hardened Images® (AWS)
CIS Hardened Images® (Google)
CIS Hardened Images® (Oracle)
CIS Hardened Images® (Azure)
Product Version
All
Date
Sep 29, 2021
Problem
I would like to update or migrate to a new CIS Hardened Image, what is the process?
Solution
The CIS Hardened Images are updated monthly using OS updates provided to CIS directly by the CSP. In addition to the monthly OS updates, some monthly images also contain major, minor, or point revisions to the Benchmark itself.
We do not have the ability to enable read access to 'ListImages' and 'ListTagsForResource' for customers to create automation to pull the latest version of the AMIs. That is a limitation of the AWS Marketplace out of the scope of something we can fix. We would very much appreciate it if you would submit a ticket with AWS to note this request in the hopes that this feature may be available in the future.
Here is some additional information about our Hardened Images, updates, and upgrading your HI:
How can we confirm the Benchmark version from within a Hardened Image?
Upgrading to a Hardened image with a new OS:
Migrate to the newest version of the CIS hardened image available in your cloud provider marketplace. Please reference your cloud provider documentation for specific steps. The migration of your applications will be up to your organization. Some organizations can do this through code deployment that they have developed and maintained. Others manually reinstall applications depending on their internal process and procedure.
To update an existing, deployed CIS HI as opposed to migrating to the newest release, the steps are as follows:
Begin by running and applying OS updates to align with the latest bug fixes, security patches, and packages provided by the corresponding vendor/CSP
Review the version number you are currently using and the new version you are looking to update to
As an example, the HI you are using is versioned 1.0.0.20 and the HI you want to update to align with is the most recent versioned 1.0.0.27 – this would mean that the ONLY alterations made to the HI are based on OS updates. This means following only step 1 will satisfy this update
As an example, the HI you are using is versioned 1.0.0.20 and the HI you want to update to align with is the most recent versioned 1.0.1.0 OR 1.2.0.0 – this would mean that, in addition to the OS updates, there has been an update to the corresponding CIS Benchmark used to harden that CIS HI.
Any change in the first 3 number of the version will indicate a change in the benchmark content used to harden the CIS HI
If you are a CIS SecureSuite Member, you can leverage CIS-CAT to run on your current (older version) to help with the update
Run CIS CAT PRO Assessor on your HI to find what new recommendations may be failing and account for any potential configuration drift
Note: The version of any given Benchmark in CIS-CAT may not align with the the first 3 digits of the HI. If this is the case, you may need to produce the files on WorkBench, please see the following article: Export OVAL and XCCDF content for a CIS Benchmark® that is no longer integrated into Assessor
Compare the failures on your recently run CIS-CAT report to remediate the recommendations that are with the corresponding CIS Benchmark WORD doc or PDF
If you are NOT a CIS SecureSuite Member
To do this, go to CIS Workbench and download the corresponding CIS Benchmark PDF
Go to the end of the document where the changelog is located and review what recommendation may have been modified, added or deleted since the previous version
Remediate the CIS HI based on the content in the changelog to update to the latest version
***Make sure remediation is conducted on changelog items that pertain to the specific level you are using the CIS HI for (Level 1 vs. Level 2 vs. STIG)***
Keywords; Hardened Image HI Migrate
Content by Label