SecureBaseline Cloud
SecureBaseline Cloud is an automated hardening platform for Linux servers based on CIS Benchmarks. The solution identifies and remediates OS configuration vulnerabilities, ensuring compliance with information security requirements.
What’s New
- All updates are available in the official documentation
Problems It Solves
- Manual security configuration — automates routine operations for configuring hundreds of OS security parameters
- Lack of a unified standard — applies recognized CIS Benchmarks across all servers in the infrastructure
- Audit complexity — automatic generation of compliance reports with per-rule detail
- Risk of human error — uses proven roles instead of manual changes
- Lack of visibility — centralized dashboard with compliance metrics across the entire infrastructure
Key Capabilities
Compliance Scanning
- Server scanning for CIS Benchmark compliance
- Support for virtually all popular Linux distributions
- Detailed reports
- Compliance score trend tracking
Automated Hardening
- Automatic application of CIS recommendations
- Granular control: enable/disable individual rules
- CIS Level 1 and Level 2 profiles and many others
- Safe preview mode before applying changes
Centralized Management
- Web interface for managing hosts and tasks
- Scheduler for regular scanning (cron)
-
Create a Yandex Virtual Private Cloud network and two subnets in the
ru-central1-aandru-central1-bavailability zones. You may also use existing ones if desired. All subnets must belong to the same VPC network. -
Create a Yandex Lockbox secret with the database password:
DB_PASSWORD=$(openssl rand -base64 32 | tr -d '\n')
yc lockbox secret create \
--name haas-db-password \
--payload "[{\"key\": \"password\", \"text_value\": \"$DB_PASSWORD\"}]"
- Create a Yandex Lockbox secret with the administrator password:
yc lockbox secret create \
--name haas-admin-password \
--payload "[{\"key\": \"password\", \"text_value\": \"YOUR_ADMIN_PASSWORD\"}]"
Warning
Warning: use strong passwords. The minimum length is 9 characters.
-
In the management console, select the folder where you want to deploy the application.
-
Navigate to the Cloud Apps service.
-
In the left panel, select Marketplace.
-
Select SecureBaseline Cloud and click Use.
-
Specify:
- Prefix for resource naming
- Subnet in the
ru-central1-azone - Subnet in the
ru-central1-bzone - Select the Yandex Lockbox secret with the PostgreSQL password
- Public SSH key
- Maximum number of agents
- Administrator email
- Select the Yandex Lockbox secret with the administrator password
- Select the Environment type
-
Click Install and wait for the installation to complete. The process takes approximately 10–15 minutes.
-
Go to the console, open the Virtual Machines section, and select the virtual machine whose name starts with
control-plane. Open its public IP address in a browser and log in using the credentials specified earlier.
-
Security Audit Preparation
- Full infrastructure scanning
- Compliance report generation
- Remediation of identified non-conformities
-
Regular Monitoring
- Weekly scheduled scanning
- Compliance trend tracking
- Alerting on metric degradation
-
Mass Hardening
- Centralized policy application
- Phased implementation (Level 1 to Level 2)
- Rollback capability when needed
OpenNix provides technical support to users in Yandex Cloud. You can contact their technical support by email at support@opennix.ru. Support engineers are available on business days from 9 am to 6 pm GMT+3.
| Resource type | Quantity |
|---|---|
| Access rights for folder | 9 |
| Virtual machine | 1 |
| Instance group | 1 |
| PostgreSQL database | 1 |
| PostgreSQL user | 1 |
| PostgreSQL cluster | 1 |
| Lockbox secret version | 1 |
| Lockbox secrets | 2 |
| Object Storage bucket | 1 |
| Message queues | 2 |
| Service account | 1 |
| Service account static access key | 1 |