IVS-04: OS Hardening and Base Controls

Control is new to this version of the control set and incorporates the following controls from the previous version: IVS-07: OS Hardening and Base Controls, IVS-11: Hypervisor Hardening.

Control Statement

Harden host and guest OS, hypervisor or infrastructure control plane according to their respective best practices, and supported by technical controls, as part of a security baseline.

Implementation Guidance

Supporting technical controls should enforce that only the ports, protocols, and services necessary to meet business needs are enabled, and should be derived from established benchmarks (e.g., CIS). Implement anti-malware, file integrity monitoring, and logging, and anchor the platform in hardware-rooted trust, for example virtual trusted platform modules (vTPMs) rooted in the host's hardware TPM. Whenever possible, organizations should use minimalistic, container-specific host operating systems (OSs) with all other services and functionality disabled, and with read-only file systems and other hardening practices employed to reduce the attack surface.

  1. Hosts that run containers should run only containers; other applications, such as web servers or databases, should not run on the host outside of containers.
  2. Hosts that run containers should be continuously scanned for vulnerabilities and updated promptly.
  3. The host OS should not run unnecessary system services.
  4. Access to the container host should be based on the need-to-know and least privilege principles.
  5. File integrity monitoring and host intrusion detection should be deployed on container hosts.
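The guidance above describes a baseline (permitted listening ports, permitted enabled services, read-only mounts, nothing but containers and the runtime on the host) and asks for technical controls that verify it. The script below is an added example, not part of the CCM or csf.tools text, of such a verification step. It assumes Linux hosts using systemd and a cgroup-based container runtime, and parses the output formats of `ss -tlnpH`, `systemctl list-unit-files --state=enabled --no-legend` and `/proc/mounts`; the baseline values, the cgroup path markers used to recognise containerised processes, and all sample host state are constructed for illustration.

```python
"""Check a container host's observed state against a hardening baseline (added example)."""
import re
from dataclasses import dataclass

# Cgroup path fragments that identify a process running inside a container
# (containerd/CRI, Docker and podman naming conventions; assumption for this example).
CONTAINER_CGROUP_MARKERS = ("kubepods", "/docker", "cri-containerd", "libpod")


@dataclass(frozen=True)
class Baseline:
    allowed_ports: frozenset     # TCP ports that may listen on the host
    allowed_units: frozenset     # systemd units that may be enabled / run on the host
    readonly_mounts: frozenset   # mount points that must carry the "ro" option


def parse_listening_ports(ss_output: str) -> dict:
    """Parse `ss -tlnpH` output into {port: process name}."""
    ports = {}
    for line in ss_output.strip().splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        port = int(fields[3].rsplit(":", 1)[1])   # local address column, e.g. "[::]:22"
        m = re.search(r'users:\(\("([^"]+)"', line)
        ports[port] = m.group(1) if m else "unknown"
    return ports


def parse_enabled_units(units_output: str) -> set:
    """Parse `systemctl list-unit-files --state=enabled --no-legend` into unit names."""
    return {line.split()[0] for line in units_output.strip().splitlines() if line.strip()}


def parse_mounts(mounts_output: str) -> dict:
    """Parse /proc/mounts into {mount point: set of mount options}."""
    mounts = {}
    for line in mounts_output.strip().splitlines():
        fields = line.split()
        if len(fields) >= 4:
            mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def in_container(cgroup_path: str) -> bool:
    return any(marker in cgroup_path for marker in CONTAINER_CGROUP_MARKERS)


def evaluate(baseline, ss_output, units_output, mounts_output, processes):
    """Compare observed host state with the baseline and return a list of findings."""
    findings = []
    for port, proc in sorted(parse_listening_ports(ss_output).items()):
        if port not in baseline.allowed_ports:
            findings.append(f"port {port}/tcp listening ({proc}) is not in the baseline")
    for unit in sorted(parse_enabled_units(units_output) - baseline.allowed_units):
        findings.append(f"unit {unit} is enabled but not in the baseline")
    mounts = parse_mounts(mounts_output)
    for mp in sorted(baseline.readonly_mounts):
        opts = mounts.get(mp)
        if opts is None:
            findings.append(f"mount {mp} must be read-only but is not a separate mount")
        elif "ro" not in opts:
            findings.append(f"mount {mp} is mounted rw but the baseline requires ro")
    # processes: (pid, comm, cgroup path as in /proc/<pid>/cgroup)
    for pid, comm, cgroup in processes:
        unit = cgroup.rsplit("/", 1)[-1]
        if in_container(cgroup) or not unit or unit == "init.scope":
            continue   # containerised work, kernel threads in the root cgroup, or PID 1
        if unit not in baseline.allowed_units:
            findings.append(f"process {comm} (pid {pid}) runs on the host outside any container")
    return findings


# Constructed sample of one host's state (not captured from a real system).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 127.0.0.1:10248 0.0.0.0:* users:(("kubelet",pid=1201,fd=21))
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=2210,fd=23))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
"""
SAMPLE_UNITS = """\
containerd.service enabled enabled
cups.service enabled enabled
kubelet.service enabled enabled
mysql.service enabled enabled
ssh.service enabled enabled
"""
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
"""
SAMPLE_PROCS = [
    (1, "systemd", "/init.scope"),
    (812, "sshd", "/system.slice/ssh.service"),
    (1201, "kubelet", "/system.slice/kubelet.service"),
    (2210, "mysqld", "/system.slice/mysql.service"),
    (3344, "nginx", "/kubepods.slice/kubepods-burstable.slice/cri-containerd-0a1b.scope"),
]
BASELINE = Baseline(   # assumed baseline values for this example
    allowed_ports=frozenset({22, 10248, 10250}),
    allowed_units=frozenset({"containerd.service", "kubelet.service", "ssh.service"}),
    readonly_mounts=frozenset({"/usr"}),
)


def run_sample():
    return evaluate(BASELINE, SAMPLE_SS, SAMPLE_UNITS, SAMPLE_MOUNTS, SAMPLE_PROCS)


if __name__ == "__main__":
    for finding in run_sample():
        print("FAIL:", finding)
```

On a real host the constructed strings would be replaced by the live output of the three commands and by reading `/proc/<pid>/comm` and `/proc/<pid>/cgroup` for each process; the sample deliberately includes a database listening and running directly on the host, an unnecessary printing service, and a writable `/usr`, so the run produces one finding for each deviation listed in the guidance.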

Auditing Guidance

  1. Determine if the host and guest OSs have been hardened as per best practices.
  2. Determine if the hypervisor or infrastructure control planes are hardened as per best practices.
  3. Determine if appropriate technical controls exist that enforce and verify the hardening.
  4. Determine if a security baseline has been established.
  5. Determine if the security baseline documents the hardening that has been applied.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.