Uphold Linux systems’ performance and availability in Azure

Cloud computing carries many benefits for your business… as long as you can ensure the performance and availability of your cloud environments.

Let’s take the following three cloud computing benefits as examples.

  • Rapidly scale cloud services: In the absence of performance and availability, you can’t reliably scale your cloud computing services to fit your needs. This means that your organization could miss out on taking advantage of certain resources, or it might need to pay for resources it no longer needs for a period of time.
  • Faster disaster recovery of cloud services: Poor availability in the cloud means that you can’t count on having cloud-based backups available in the event of a disaster. Even if they are available, poor performance might render those backups incomplete, potentially costing your organization due to lost data, intellectual property, etc.
  • Access to innovative technology: In the absence of performance and availability, you can’t use the cloud to adequately experiment with new technology such as artificial intelligence and machine learning. This can provide you with an inaccurate picture of how new technologies work, causing you to lose out by not innovating now.

We at the Center for Internet Security understand the importance of performance and availability for your cloud environments. That’s why we’ve partnered with the Microsoft Azure team to test CIS Hardened Images for Linux using Azure Monitor Agent. We explore what this compatibility means for you below.

Visualizing performance and availability in Azure

For context, Azure Monitor is a service that helps you evaluate the availability and performance of your applications and services in Microsoft Azure. It uses telemetry to provide you with an overview of your applications. With that information, you can proactively remediate issues that undermine the availability and performance of your apps and their dependent resources.

CIS Azure Monitor Linux

A high-level view of Azure Monitor

Azure Monitor used to employ legacy monitoring agents for data collection. Now Azure Monitoring Agent (AMA) does all of that work. First, it gathers data from the guest operating systems (OSes) of Azure and hybrid virtual machine images. It then feeds that data into Azure Monitor, where it informs insights and other services like Microsoft Sentinel.

As noted in its documentation, AMA sends various types of information to Azure Monitor. These include logs, or events that occurred within the system, and traces, or series of related events that follow a user request through a distributed system. These and other pieces of data help you monitor the health and performance of Azure virtual machines (VMs) at scale, including Linux VMs.

Helping you make the most of CIS Hardened Images for Linux

Overall, the process of testing the CIS Hardened Images for Linux went smoothly. The Azure team made a few tweaks to AMA throughout the investigation with CIS to account for the differences across various Linux distributions. Even so, there weren’t any issues where the AMA functionality was degraded when installed on a CIS machine.

When the Azure team did make some changes to AMA, it did so for failures to comply with the CIS Benchmarks settings post-AMA install. Primarily, these changes involved file/directory ownership (overly lax permissions) and network setup of an AMA sub-component (it was listening on all interfaces rather than loopback).

With this testing period over, Azure Monitor Agent is now validated for successful deployment and overall functionality (e2e data flow for all data types) on images for the following CIS Benchmarks:

  • CIS Red Hat Enterprise Linux 7 Benchmark Level 1
  • CIS Red Hat Enterprise Linux 7 Benchmark Level 2
  • CIS Red Hat Enterprise Linux 8 Benchmark Level 1
  • CIS Red Hat Enterprise Linux 8 Benchmark Level 2
  • CIS Ubuntu Linux 20.04 LTS Benchmark Level 1
  • CIS CentOS Linux 7 Benchmark Level 1
  • CIS Debian Linux 10 Benchmark Level 1
  • CIS Oracle Linux 8 Benchmark Level 1

What’s more, the Azure team has integrated CIS Hardened Images into the pre-release validation process for continual re-validation when new AMA versions become available. This ensures no AMA functionality regression, thereby helping you maintain the performance and availability of these pre-hardened virtual machine images for Linux going forward.

An ongoing partnership

Azure Monitor and CIS are committed to continuing their partnership to make its products more secure and available on a variety of Linux environments/Benchmarks/settings. Toward that end, we are glad to announce the compatibility of AMA and CIS Hardened Images for Linux.

Spin up a CIS Hardened Image from Azure Marketplace

Don't miss