Linux and Cloud Native Security: AlmaLinux

Continuing my series of Q&As on cloud native security with Linux, I reached out to the creators of AlmaLinux to weigh in on how it supports secure cloud native operations on Linux.

AlmaLinux was released in the wake of Red Hat‘s CentOS shifting from a standard release to a rolling release, an event that caused a serious shift in the enterprise Linux community. Gone was one of the darlings of the industry, and in its place rose a number of alternatives.

AlmaLinux was one of the first such alternatives, and it has quickly risen to the top of the heap. I reached out to AlmaLinux to chat about cloud-native security and Bala Raman, an AlmaLinux contributor and cloud/container engineer, responded.

What’s the biggest security issue cloud native developers face?

Bala Raman, AlmaLinux contributor and cloud and container developer

The layers of the onion. Cloud native development adds complexity in multidimensional layers such as the cloud node OS, cloud software, application container OS, and then application platform and application itself. Each layer has its own security concerns and mitigations. Just handling all those by cloud native developers is the biggest challenge.

If you could give one piece of advice to businesses wanting to deploy containers as securely as possible, what would that be?

Using platform as a service (PaaS), software as a service (SaaS) and function as a service (FaaS) to help shift the burden of managing security to service providers, developers can focus on their application development and use.

What is AlmaLinux doing unlike any other server operating system for cloud/container security?

AlmaLinux cloud images and containers are built more frequently to include enhancements and security updates. Work is also constantly being done to enable automated cloud image and container releases, so for example, when high CVE security fixes are available, they are automatically built and released.

What does the future of cloud native development look like?

More adoption of browser-based Web IDEs for development will happen. GitOps will play a major role in the future of cloud native development. GitHub/GitLab Actions will be integrated driving factors in those developments. App development cycles will be shorter but more error-prone.

What’s the first thing an administrator should do to a server operating system to harden it?

First the basics like changing any default passwords (root user in cloud images). Apply operating system updates, fix packs and security patches. Remove unused, unwanted packages. Make use of sudoers and lock down root where possible. Keep the operating system firewall locked, open only necessary firewall rules. On AlmaLinux, it’s possible to automate things like this by applying a security profile at install time, following our Center for Internet Security benchmark for example.

How can small to medium-sized businesses gain the levels of security found in the enterprise?

Use of open source security tools for scanning and monitoring are a great help. Integrate these steps in CI/CD processes like code scanning and container security analysis etc. Mixing and matching with PaaS, SaaS or FaaS can go a long way.

What’s the best thing container developers can do to ensure they’re building off a solid and secure foundation?

Follow Docker/container best practices, like keeping container images minimal, just enough to run the application in need. This is part of why we released our [Red Hat Universal Base Images]-equivalent container set. Making use of AlmaLinux micro and minimal images come in handy in scenarios like that. Use Docker multistage builds and build tools like buildah for better optimization and security.

From your perspective, what’s the answer to supply chain security issues?

One potential solution is verifiable build pipelines from code merges all the way to your final builds. We are looking into doing something like this for our build process, to integrate with something like ImmuDB, an immutable database. It provides a blockchain-like integrity in supply chain process management and can greatly improve security.

What is the coolest piece of cloudnative technology coming out of AlmaLinux in the coming months or year?

AlmaLinux already has cloud images for Amazon Web Services, Google Cloud, Azure, Vagrant, LXC/LXD and OpenNebula. AlmaLinux Container images are available in Docker Hub, Quay.io and Amazon ECR Public Gallery. Our new AlmaLinux OS updates for Raspberry Pi are available now too.

This all opens more possibilities of using AlmaLinux in Internet of Things devices.

We’re also planning AlmaLinux-based software and application-specific Docker containers for Go, Node.js and Java that will be available soon. Those container images will be great additions for everything from development to deployment.

Should businesses be striving for full-blown automation, or should they keep a layer of human intervention involved in the DevOps Process?

Option two. AI/ML-driven automation with GitOps will be a nice fit: adoptive automation with checks and balances for validation, verification and approvals. There will always be a human layer developing the automation, so let’s not lose sight of that either.