Hardened Image general update and upgrade questions


Product Name:

CIS Hardened Images® (AWS)

CIS Hardened Images® (Google)

CIS Hardened Images® (Oracle)

CIS Hardened Images® (Azure)

Product Version: All

Date: Sep 29, 2021



Problem

I would like to update or migrate to a new CIS Hardened Image. What is the process?

 

Solution

The CIS Hardened Images are updated monthly using OS updates provided to CIS directly by the CSP. In addition to the monthly OS updates, some monthly images also contain major, minor, or point revisions to the Benchmark itself.

We do not have the ability to enable read access to 'ListImages' and 'ListTagsForResource' for customers to build automation that pulls the latest version of the AMIs. That is a limitation of the AWS Marketplace and is outside of what we can fix. We would very much appreciate it if you would submit a ticket with AWS noting this request, in the hope that this feature may become available in the future.

Here is some additional information about our Hardened Images, updates, and upgrading your HI:

To update an existing, deployed CIS HI as opposed to migrating to the newest release, the steps are as follows:

  1. Begin by running and applying OS updates to align with the latest bug fixes, security patches, and packages provided by the corresponding vendor/CSP.

  2. Review the version number you are currently using and the new version you are looking to update to.

    1. Example: the HI you are using is versioned 1.0.0.20 and the most recent HI you want to align with is versioned 1.0.0.27. This means the ONLY alterations made to the HI are based on OS updates, so following step 1 alone will satisfy this update.

    2. Example: the HI you are using is versioned 1.0.0.20 and the most recent HI you want to align with is versioned 1.0.1.0 OR 1.2.0.0. This means that, in addition to the OS updates, there has been an update to the corresponding CIS Benchmark used to harden that CIS HI.

      1. Any change in the first three numbers of the version indicates a change in the Benchmark content used to harden the CIS HI.

      2. If you are a CIS SecureSuite Member, you can run CIS-CAT on your current (older) version to help with the update:

        1. Run CIS-CAT Pro Assessor on your HI to find which new recommendations are failing and to account for any configuration drift.

          1. Note: The version of a given Benchmark in CIS-CAT may not align with the first three digits of the HI version. If this is the case, you may need to produce the assessment files on CIS WorkBench; please see the following article: Export OVAL and XCCDF content for a CIS Benchmark® that is no longer integrated into Assessor.

        2. Compare the failures in your CIS-CAT report with the corresponding CIS Benchmark Word document or PDF and remediate those recommendations.

      3. If you are NOT a CIS SecureSuite Member:

        1. Go to CIS WorkBench and download the corresponding CIS Benchmark PDF.

        2. Go to the end of the document where the changelog is located and review which recommendations have been modified, added, or deleted since the previous version.

        3. Remediate the CIS HI based on the content of the changelog to update to the latest version.

        4. ***Make sure remediation is conducted on changelog items that pertain to the specific level you are using the CIS HI for (Level 1 vs. Level 2 vs. STIG).***
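The version rule in step 2 (first three numbers = Benchmark content, fourth = monthly OS-update build) can be checked mechanically before choosing an update path. The following is an added example, not CIS tooling; the version strings it uses are constructed samples.

```python
"""Classify a CIS Hardened Image version change as OS-only or Benchmark-content.
Added example, not CIS tooling: the first three numbers track Benchmark content,
the fourth tracks the monthly OS-update build. Version strings are constructed samples."""
from typing import List, NamedTuple, Tuple

OS_UPDATES_ONLY = "os-updates-only"    # step 1 alone is sufficient
BENCHMARK_CHANGE = "benchmark-change"  # step 1 plus the changelog / CIS-CAT review
NO_CHANGE = "no-change"
ROLLBACK = "rollback"                  # target is older than current; not an update path


class HIVersion(NamedTuple):
    major: int
    minor: int
    point: int
    build: int

    @classmethod
    def parse(cls, text: str) -> "HIVersion":
        parts = text.strip().split(".")
        if len(parts) != 4 or not all(p.isdigit() for p in parts):
            raise ValueError(f"expected four dot-separated integers, got {text!r}")
        return cls(*(int(p) for p in parts))

    @property
    def benchmark(self) -> Tuple[int, int, int]:
        """The Benchmark-content portion of the version: the first three numbers."""
        return (self.major, self.minor, self.point)


def classify_update(current: str, target: str) -> str:
    cur, tgt = HIVersion.parse(current), HIVersion.parse(target)
    if tgt == cur:
        return NO_CHANGE
    if tgt < cur:  # tuple comparison: Benchmark numbers first, then build
        return ROLLBACK
    return BENCHMARK_CHANGE if tgt.benchmark != cur.benchmark else OS_UPDATES_ONLY


def required_steps(current: str, target: str) -> List[str]:
    """Map the classification onto the numbered steps of the procedure above."""
    kind = classify_update(current, target)
    steps = {OS_UPDATES_ONLY: ["1: apply OS updates"],
             BENCHMARK_CHANGE: ["1: apply OS updates",
                                "2: review the Benchmark changelog or run CIS-CAT"]}
    return steps.get(kind, [])


if __name__ == "__main__":
    for cur, tgt in [("1.0.0.20", "1.0.0.27"), ("1.0.0.20", "1.0.1.0"), ("1.0.0.20", "1.2.0.0")]:
        print(f"{cur} -> {tgt}: {classify_update(cur, tgt)}")
```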

Keywords: Hardened Image, HI, Migrate



Copyright © 2020

Center for Internet Security®