Uphold Linux image performance and availability in Microsoft Azure
Published Dec 18 2023 06:00 AM

In this guest blog post, Mia LaVada, a product manager at the Center for Internet Security (CIS), explains how to ensure Linux image performance and availability in Microsoft Azure.

 

Cloud computing offers many benefits for your business. Cloud infrastructure makes sense for both small organizations and large enterprises interested in taking advantage of modern security solutions and flexible computing power. With Microsoft Azure, you can go beyond the limits of on-premises datacenters with more regions than any other provider.

 

But just being established in the cloud isn’t the end of the mission. You must ensure the performance and availability of your applications and services in Microsoft Azure to fully reap many of the cloud computing benefits. For example:

  • Rapidly scale cloud services: In the absence of performance and availability, you can’t reliably scale cloud computing services to fit your needs. This means that your organization could miss out on taking advantage of certain resources, or it might need to pay for resources it no longer needs for a period of time.
  • Faster disaster recovery of cloud services: Poor availability in the cloud means you can’t count on having cloud-based backups available in the event of a disaster. Even if they are available, poor performance might render those backups incomplete, potentially costing your organization because of lost data, intellectual property, etc.
  • Access to innovative technology: In the absence of performance and availability, you can’t use the cloud to adequately experiment with new technology such as artificial intelligence and machine learning. This can provide you with an inaccurate picture of how new technologies work, causing you to lose out by not innovating now.

 

We at the Center for Internet Security understand the importance of performance and availability for your cloud environments. That’s why we’ve partnered with the Microsoft Azure team to test CIS Hardened Images for Linux using Azure Monitor Agent (AMA). We explore what this compatibility means for you below.

 

Visualizing performance and availability in Microsoft Azure

Azure Monitor is a service that helps you evaluate the availability and performance of your applications and services in Microsoft Azure. It uses telemetry to provide you with an overview of your applications. With that information, you can proactively remediate issues that undermine the availability and performance of your apps and their dependent resources.

 


A high-level view of Azure Monitor. (Source: Microsoft Azure)

 

In the past, Azure Monitor employed legacy monitoring agents for data collection. Now Azure Monitor Agent does that work. First, it gathers data from the guest operating systems of Azure and hybrid virtual machine images. It then feeds that data into Azure Monitor, where it informs insights and other services such as Microsoft Sentinel.

 

As noted in its documentation, AMA sends various types of information to Azure Monitor. These include logs, or events that occurred within the system, and traces, or series of related events that follow a user request through a distributed system. These and other pieces of data help you monitor the health and performance of Azure virtual machines (VMs) at scale, including Linux VMs.

 

Helping you make the most of CIS Hardened Images for Linux

Overall, the process of testing the CIS Hardened Images for Linux went smoothly. The Azure team made a few tweaks to AMA throughout the investigation with CIS to account for the differences across various Linux distributions. Even so, there weren't any issues in which the AMA functionality was degraded when installed on a CIS machine.

 

When the Azure team made changes to AMA, it did so to fix settings that no longer complied with the CIS Benchmarks after AMA was installed. Primarily, these changes involved file/directory ownership (overly lax permissions) and the network setup of an AMA sub-component (it was listening on all interfaces rather than on loopback only).
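The two classes of finding described above can be checked after any agent install. The following is an added example, not code from CIS or the Azure team: it parses a constructed sample in `/proc/net/tcp` layout for IPv4 listeners bound outside loopback, and walks a directory for entries that are group/world-writable or not owned by the expected user. The function names and the sample are assumptions, and the directory to audit is supplied by the reader.

```python
import os
import socket
import stat
import struct
import sys

TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real agent).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:6F4A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21001
   1: 00000000:6F4B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21002
   2: 0A000004:0016 0A000009:C1F2 01 00000000:00000000 00:00000000 00000000     0        0 21003
"""

def non_loopback_listeners(proc_net_tcp_text):
    """Return (ip, port) for IPv4 LISTEN sockets not bound inside 127.0.0.0/8."""
    findings = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # Address is printed as a native-endian 32-bit word; a little-endian host is assumed.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        if not ip.startswith("127."):
            findings.append((ip, int(hex_port, 16)))
    return findings

def lax_paths(root, expected_uid=0):
    """Return (path, reason) for entries writable by group/other or with an unexpected owner."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are not meaningful
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, "writable by group/other: %o" % stat.S_IMODE(st.st_mode)))
            elif st.st_uid != expected_uid:
                findings.append((path, "owner uid %d" % st.st_uid))
    return findings

if __name__ == "__main__":
    print(non_loopback_listeners(SAMPLE_PROC_NET_TCP))
    print(lax_paths(sys.argv[1]) if len(sys.argv) > 1 else "pass a directory to audit")
```

On a live host, pass the contents of `/proc/net/tcp` instead of the sample; IPv6 listeners in `/proc/net/tcp6` use a different address encoding and are not covered here.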

 

With this testing period over, Azure Monitor Agent is now validated for successful deployment and overall functionality (end-to-end data flow for all data types) on images for the following CIS Benchmarks:

  • CIS Red Hat Enterprise Linux 7 Benchmark Level 1
  • CIS Red Hat Enterprise Linux 7 Benchmark Level 2
  • CIS Red Hat Enterprise Linux 8 Benchmark Level 1
  • CIS Red Hat Enterprise Linux 8 Benchmark Level 2
  • CIS Ubuntu Linux 20.04 LTS Benchmark Level 1
  • CIS CentOS Linux 7 Benchmark Level 1
  • CIS Debian Linux 10 Benchmark Level 1
  • CIS Oracle Linux 8 Benchmark Level 1

What’s more, the Azure team has integrated CIS Hardened Images into the pre-release validation process for continual re-validation when new AMA versions become available. This ensures no AMA functionality regression, thereby helping you maintain the performance and availability of these pre-hardened virtual machine images for Linux.

 

An ongoing commitment

CIS is committed to working with Microsoft to make products more secure and available on a variety of Linux environments, benchmarks, and settings. To that end, we are glad to announce the compatibility of AMA and CIS Hardened Images for Linux.

Last update: Dec 11 2023 10:24 AM