CentOS 8 is EOL - How to migrate to AlmaLinux and secure the new host

On December 31st, 2021, CentOS 8 officially went end-of-life. This brought an end to one of the most venerable Linux server distributions. CentOS had long been the go-to alternative Linux distribution for teams looking for the stability and compatibility of Red Hat Enterprise Linux (RHEL) without the high licensing costs. The distro was a near-perfect clone of RHEL with the exception of copyrighted terms/logos and some proprietary management software. 

Unfortunately for admins everywhere, the CentOS project has decided to shift away from producing RHEL-derivative operating systems. The project now focuses exclusively on a more bleeding-edge distribution called CentOS Stream. This is a continuously released distro with features considered stable but not necessarily tested enough for the upstream RHEL distribution. That’s good news for anyone who has ever been frustrated with the sometimes ancient packages in RHEL/CentOS, but it comes at a cost. 

Because CentOS Stream continuously receives major new software updates, it lacks the compatibility and stability provided by RHEL’s more conservative software packaging and extensive QA cycles. These concerns have led many to search for the next new CentOS. When searching for a CentOS replacement, we must make sure our new distro meets several key criteria:

  • Runs anywhere (on-prem/cloud)
  • Easy to migrate to from CentOS
  • Not locked into a single vendor
  • Must be secure

About AlmaLinux

While there are several potential replacement RHEL-derivatives such as Oracle Linux or Amazon Linux, none meets all the requirements like the latest RHEL-derivative AlmaLinux. The AlmaLinux OS Foundation now maintains this new RHEL-derivative, with backing from many major industry players such as Amazon, Microsoft, and AMD. AlmaLinux’s backing by a 501c non-profit foundation and not a particular software or cloud vendor eases vendor lock-in concerns. It also means AlmaLinux supports both Intel and ARM architectures and runs well in various infrastructure settings such as on-prem, major clouds, and containerized workloads. 

For those requiring long support cycles, AlmaLinux matches the upstream RHEL end-of-life date, with support until June 2029. You’ll also be able to properly secure your systems all the way till that end-of-life date, as the Center for Internet Security (CIS) has already published AlmaLinux level 1 and level 2 benchmarks.

Migrating Systems

Migrating from CentOS to AlmaLinux is as simple as spinning up a new AlmaLinux system. Existing applications will continue to run just as they did under CentOS, so no costly application migrations are necessary. AlmaLinux system images can be found on all major clouds, and configuration management tools support AlmaLinux as a drop-in replacement for CentOS and RHEL.

What if a system rebuild isn’t possible though? As much as we all want to treat our systems as disposable, there always seems to be that one special snowflake system that can’t be easily rebuilt. For those systems, the Alma team offers a script that migrates from CentOS to AlmaLinux in place.

Below we have a very special CentOS 8 system that was lovingly handcrafted and would be difficult to rebuild. The Yum repos on the system have already been updated to point to an archive mirror so Yum installs are still fully functional. By running yum update, all packages are also updated to the very latest versions, so we’re fully prepared for our migration.

cli_centos

Now we can fetch the AlmaLinux migration script and start our migration. The script will update the system’s Yum repositories to point to the Alma repositories. It then removes CentOS-specific OS packages and does a reinstall of existing packages to get Alma varieties.

curl -O https://raw.githubusercontent.com/AlmaLinux/almalinux-deploy/master/almalinux-deploy.sh

sudo bash almalinux-deploy.sh

migration_script

After the reinstall and a reboot we now have a fully working AlmaLinux system that will continue to receive important bug and security fixes.

cli_now_alma

Securing Our New System

Pulling in the latest software packages is not the end of the story. We want to make sure we fully secure our new AlmaLinux host. For that we’ll use the Mondoo Platform to scan and report on security best practices for AlmaLinux. This includes the new AlmaLinux CIS benchmarks and CVE detection in packages.

Mondoo is a hosted security platform for DevOps and Security practitioners. We help users quickly find known vulnerabilities and misconfigurations, and automate manual security processes.

Get Started with Mondoo

Let’s start by heading to console.mondoo.com where we can sign in to Mondoo using a Google, GitHub, or Microsoft account.

login

Once we log in, we’ll name our organization in Mondoo and create our very first space. The organization manages users and their access to assets such as servers, cloud accounts, or Kubernetes clusters. We’ll use spaces to organize these assets and apply access controls. Once we’ve created the space, we’ll have a choice of how to set up our first system:

vast_emptiness

For our AlmaLinux system we select “Try it locally.” This gives us a small code block to set up Mondoo. Running this script on our host sets up the Mondoo Yum repository, installs the Mondoo package, and registers our system in the Mondoo Platform.

install

Scan with Mondoo

With Mondoo installed, we can now scan our system with the default Mondoo baseline security policy by running mondoo scan. This command gives us scan result output directly in our shell and includes a link back to the Mondoo platform for more detailed results.

cli_scan

Following the link to the Mondoo Platform gives us an overview of each policy applied to our system by default. This includes:

  • A platform vulnerability policy, which looks for CVEs in outdated packages
  • An end-of-life policy, which now passes since we’ve migrated to AlmaLinux
  • A Linux Security Baseline, which includes best practices for security on Linux

asset

Overall our system has an A score, but our baseline security could use a bit of work. Clicking on that policy gives us a view of each query that Mondoo ran. We can now see where we can improve.

linux_baseline

From here we can dig into each of the failures and see what it would take to remediate these problems. A great example is the “Ensure AIDE is installed” query. This makes sure the Advanced Intrusion Detection Environment (AIDE) package is installed. The query includes a description of the benefits of the AIDE package and instructions for installing it on multiple platforms. We can install this package, run mondoo scan again, and refresh for an updated score.

query

Applying Additional Security Policies

This Baseline Security policy is a great starting point for users who want to secure their systems. However, if you need to achieve specific regularity requirements, you’ll want the CIS Benchmark for AlmaLinux. Mondoo includes an extensive out-of-the-box set of policies in the Policy Hub, which allows you to browse and enable/disable specific policies.

policy_hub

Searching for Alma in the Policy Hub displays policies specifically designed for AlmaLinux, such as the CIS Level 1 and Level 2 Benchmarks. Enable these policies by selecting the checkbox and clicking Enable. The policies will automatically apply to just our AlmaLinux hosts, so there’s no need to apply these up on specific systems, and they’ll automatically apply as we provision new AlmaLinux hosts.

search_alma

With the AlmaLinux CIS Benchmark Level 1 enabled, we can run mondoo scan again to see our CIS security posture.

cis_results

It looks like we have our work cut out for us on securing this new AlmaLinux host. Thankfully we can tackle these policy failures one issue at a time and track our progress with continuous security scanning using Mondoo.

New call-to-action