SecureBaseline Cloud
SecureBaseline Cloud is an automated platform for hardening Linux servers to the international CIS Benchmarks standards. It identifies and remediates operating system configuration vulnerabilities, ensuring compliance with information security requirements.
Problems Solved
- Manual security configuration — automates routine operations for configuring hundreds of OS security parameters
- Lack of unified standards — applies industry-recognized CIS Benchmarks across all infrastructure servers
- Audit complexity — automatically generates compliance reports with per-rule detail
- Human error risk — uses proven Ansible roles instead of manual changes
- Lack of visibility — centralized dashboard with compliance metrics across the entire infrastructure
Key Features
Compliance Scanning (OpenSCAP)
- Server scanning for CIS Benchmark compliance
- Support for Ubuntu 20.04/22.04, Debian 11/12, RHEL/CentOS/Oracle Linux 8/9, Amazon Linux 2023 and many others
- Detailed reports in HTML, XML, PDF formats
- Compliance score tracking over time
Automated Hardening
- Automatic application of CIS recommendations
- Granular control: enable/disable individual rules
- CIS Level 1 and Level 2 profiles
- Safe preview mode for changes
Centralized Management
- Web interface for host and task management
- Scheduler for regular scanning (cron)
- Create a Yandex Virtual Private Cloud network and two subnets in the ru-central1-a and ru-central1-b availability zones. You may also use existing ones if desired. All subnets must belong to the same VPC network.
- Create a Yandex Lockbox secret with the database password:
DB_PASSWORD=$(openssl rand -base64 32 | tr -d '\n')
yc lockbox secret create \
--name haas-db-password \
--payload "[{\"key\": \"password\", \"text_value\": \"$DB_PASSWORD\"}]"
- Create a Yandex Lockbox secret with the administrator password:
yc lockbox secret create \
--name haas-admin-password \
--payload "[{\"key\": \"password\", \"text_value\": \"YOUR_ADMIN_PASSWORD\"}]"
Warning: use strong passwords. The minimum length is 9 characters.
- In the management console, select the folder where you want to deploy the application.
- Navigate to the Cloud Apps service.
- In the left panel, select Marketplace.
- Select SecureBaseline Cloud and click Use.
- Specify:
  - Prefix for resource naming
  - Subnet in the ru-central1-a zone
  - Subnet in the ru-central1-b zone
  - Select the Yandex Lockbox secret with the PostgreSQL password
  - Public SSH key
  - Maximum number of agents
  - Administrator email
  - Select the Yandex Lockbox secret with the administrator password
  - Select the Environment type
- Click Install and wait for the installation to complete. The process takes approximately 10–15 minutes.
- Go to the console, open the Virtual Machines section, and select the virtual machine whose name starts with control-plane. Open its public IP address in a browser and log in using the credentials specified earlier.
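The administrator-password step above pastes the password into an inline JSON string, which breaks if the password contains `"` or `\` and can leave it in shell history. As an added example (not part of the original page or the vendor's tooling), this script prompts for the password, enforces the 9-character minimum, and builds the same payload with escaping; the `--create` switch, the script file name and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not vendor code): create the administrator-password secret
# without typing the password into the command line or hand-writing its JSON.

MIN_LEN=9   # minimum password length stated on this page

# Escape backslash and double quote so the value is a valid JSON string body.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print the --payload value for a password, or fail if the password is
# too short or contains control characters (which would need extra escaping).
build_payload() {
  bp_pw=$1
  if [ "${#bp_pw}" -lt "$MIN_LEN" ]; then
    echo "password shorter than $MIN_LEN characters" >&2
    return 1
  fi
  if [ "$(printf '%s' "$bp_pw" | tr -d '[:cntrl:]')" != "$bp_pw" ]; then
    echo "password contains control characters" >&2
    return 1
  fi
  printf '[{"key": "password", "text_value": "%s"}]' "$(json_escape "$bp_pw")"
}

# Run as: sh create-admin-secret.sh --create   (file name is an assumption)
if [ "${1:-}" = "--create" ]; then
  printf 'Administrator password: ' >&2
  stty -echo                      # do not echo the password to the terminal
  IFS= read -r admin_pw
  stty echo
  printf '\n' >&2
  payload=$(build_payload "$admin_pw") || exit 1
  # Same command as in the step above, with the payload built by build_payload.
  yc lockbox secret create --name haas-admin-password --payload "$payload"
  unset admin_pw payload
fi
```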
- Security Audit Preparation
  - Full infrastructure scanning
  - Compliance report generation
  - Remediation of identified non-conformities
- Regular Monitoring
  - Weekly scheduled scanning
  - Compliance trend tracking
  - Alerting on metric degradation
- Mass Hardening
  - Centralized policy application
  - Phased implementation (Level 1 to Level 2)
  - Rollback capability when needed
OpenNix provides technical support to users in Yandex Cloud. You can contact their technical support by email at support@opennix.ru. Support engineers are available on business days from 9 am to 6 pm GMT+3.
| Resource type | Quantity |
|---|---|
| Service account | 1 |
| Static access key | 1 |
| Folder members | 8 |
| Message Queues | 2 |
| Lockbox Secret | 1 |
| Lockbox Secret | 1 |
| PostgreSQL User | 1 |
| PostgreSQL Database | 1 |
| PostgreSQL Cluster | 1 |
| Compute Instance | 1 |
| Instance Group | 1 |
| Object Storage Bucket | 1 |