SecureBaseline Cloud - CIS scanning and Linux hardening
SecureBaseline Cloud is a Hardening as a Service platform that automates CIS (Center for Internet Security) compliance scanning, vulnerability detection, and hardening for Linux servers. Available on Yandex Cloud, Azure Marketplace, AWS Marketplace, and DigitalOcean Marketplace.
What’s New in v1.2.3
LLM multi-provider support. Seven providers are supported: YandexGPT, OpenAI, Azure OpenAI, Anthropic, AWS Bedrock, Google Vertex AI, and any OpenAI-compatible endpoint (Ollama, Mistral, vLLM). Also includes an inline test button, per-provider/model usage statistics, and credential encryption (AES-256-GCM).
Modular prompt architecture. AI prompts extracted to YAML modules. Edit prompt behavior without recompilation.
must-gather diagnostic tool. CLI binary that collects system state, logs, configuration, SCAP content, and database statistics into a tar.gz archive for troubleshooting.
Host task exclusivity. Only one operation (scan, hardening, remediation) can run per host at a time. Concurrent requests return 409 Conflict.
Forced AI response language. The AI assistant responds in the UI language (English or Russian), regardless of the language of the user's input.
What’s New in v1.2.2
Instant vulnerability scanning. CVE and OVAL databases are pre-installed in the image. The first scan starts immediately after deployment - no waiting for synchronization.
FSTEC BDU database with 74,000+ entries. For organizations operating under Russian information security standards, the full FSTEC threat and vulnerability database is integrated with automatic updates.
Improved automated remediation. Two-pass automated hardening increases CIS compliance from 67.7% to 78%. Every change is recorded in the audit log down to the individual rule level.
Russian Linux distributions. Added support for Astra Linux, RED OS, ALT Linux, Rosa Linux, OSnova, Simply Linux and other distributions based on Debian/RHEL families.
Multi-cloud deployment. Available on Yandex Cloud, Azure, AWS, and DigitalOcean with one-click deployment from marketplace listings.
Key Features
- Compliance Scanning - automated server assessment against CIS Benchmarks
- Vulnerability Scanning - CVE detection with pre-installed databases (NVD, OVAL, ExploitDB, MITRE ATT&CK, CISA KEV)
- FSTEC BDU - Russian vulnerability database with 74,000+ entries, auto-synced every 24 hours
- Security Hardening - automated application of CIS configurations with granular rule control
- Automated Remediation - generate, review, and apply fixes for individual failed rules
- Host Management - centralized management of Linux servers via SSH
- Task Scheduling - automation of scanning and hardening using cron schedules
- AI Diagnostics - analysis of hardening errors, task generation, and compliance coverage using LLM
- Reporting - detailed reports in HTML, PDF, CSV, and JSON formats
- Audit Logging - logging of all user actions and system events
Supported Operating Systems
| Family | Distributions |
|---|---|
| Ubuntu | 18.04, 20.04, 22.04, 24.04 |
| Debian | 11, 12 |
| RHEL | RHEL 7/8/9/10, CentOS 7/8/9, AlmaLinux 8/9, Rocky Linux 8/9 |
| Oracle | Oracle Linux 7, 8, 9, 10 |
| Amazon | Amazon Linux 2, 2023 |
| Fedora | Fedora 37+ |
| SUSE | SLES 15, openSUSE Leap |
| Astra Linux | Astra Linux SE (Debian-based) |
| RED OS | RED OS (RHEL-based) |
| ALT Linux | ALT Linux (RHEL-based) |
| Rosa Linux | Rosa Linux (RHEL-based) |
| Other RU | OSnova, Simply Linux |
Security Profiles
Security profiles are automatically detected from installed SCAP content. Available profiles vary by OS.
| Profile | Description | Availability |
|---|---|---|
| CIS Level 1 - Server | Basic security hardening | All supported OS |
| CIS Level 2 - Server | Enhanced security hardening | All supported OS |
| CIS Level 1 - Workstation | Basic workstation security | All supported OS |
| CIS Level 2 - Workstation | Enhanced workstation security | All supported OS |
| DISA STIG | Security Technical Implementation Guide | RHEL, Ubuntu, SLES |
| PCI-DSS | Payment Card Industry Data Security Standard | RHEL, Ubuntu, Debian |
| HIPAA | Health Insurance Portability and Accountability Act | RHEL, Ubuntu |
| OSPP | Operating System Protection Profile | RHEL, Fedora, Ubuntu |
| ANSSI BP28 | French National Cybersecurity Agency (4 levels) | RHEL, Ubuntu, Debian |
| E8 | Australian Essential Eight | RHEL, Ubuntu |
| ISM Official | Australian Information Security Manual | RHEL |
| CCN | Spanish National Cryptologic Center (3 levels) | RHEL |
| CUI | Controlled Unclassified Information | RHEL |
| Standard | Basic security profile | All supported OS |
Deployment Options
| Cloud | Marketplace | Deployment |
|---|---|---|
| Yandex Cloud | All-in-One | Single VM - all components |
| Yandex Cloud | Cluster | Distributed deployment with scaling |
| Azure | Azure Marketplace | One-click VM deployment |
| AWS | AWS Marketplace | One-click VM deployment |
| DigitalOcean | DO Marketplace | Droplet 1-Click |
Documentation Sections
| Section | Description |
|---|---|
| SSH Credentials | Manage SSH keys and passwords for connecting to servers |
| Security Hardening | Apply CIS Benchmark rules via Ansible playbooks with granular control |
| Vulnerability Scanning | Detect CVEs and FSTEC BDU vulnerabilities in installed packages |
| Remediation | Generate and approve Ansible scripts to fix compliance failures |
| Task Generator | AI-powered Ansible task generation from CIS rule descriptions |
| Coverage Analysis | AI-powered evaluation of CIS rule coverage in your Ansible roles |
| Troubleshooting | Diagnose SSH, scanning, hardening, and platform issues |
Related Sections
- Infrastructure Security Audit - comprehensive server and network infrastructure security assessment service
- OpenNix Projects - other products and tools by OpenNix