Service Overview
Our Baseline and Deployment service provides hardened, compliance-ready virtual machines and pre-configured Linux containers, eliminating the need to start from insecure vanilla distributions that require weeks of manual hardening. We create golden images and templates optimized for security, performance and regulatory compliance, ready for immediate deployment in any virtualized environment. Each baseline is meticulously configured according to customer-specific security standards (NIS2 Directive, PCI-DSS, CIS Benchmarks, ISO 27001, NIST frameworks, or custom requirements), ensuring that every deployed instance starts from a robust and auditable security posture. We provide deliverables in formats universally compatible with all major hypervisors and virtualization platforms, accompanied by automation scripts for scalable provisioning and validation scripts for continuous compliance checking.

Supported Linux Distributions
We create hardened baselines for the main enterprise Linux distributions used in business. We work mainly on Debian and Ubuntu in their LTS (Long Term Support) versions, which guarantee stability and extended support and are ideal for critical production workloads that require predictability and minimal disruption. We support Oracle Linux, particularly required in enterprise environments running Oracle Database or Oracle applications, which benefit from binary compatibility with RHEL and the optimized Unbreakable Enterprise Kernel. On request, we create baselines for Red Hat Enterprise Linux, CentOS Stream, Rocky Linux, AlmaLinux, SUSE Linux Enterprise Server, and other specific distributions requested by the customer. Each distribution is configured from a minimal installation to reduce the attack surface, installing only the packages strictly necessary for the specific role of the image.
Supported Compliance Frameworks
We design baselines strictly aligned to the main compliance and security frameworks. For NIS2 (Network and Information Security Directive 2) compliance, we implement the technical and organisational controls required by the European Directive for essential and important service operators, including cyber risk management, incident handling capabilities, business continuity measures, and security governance aligned with the requirements of the Directive. For PCI-DSS (Payment Card Industry Data Security Standard) environments, we configure systems according to the twelve requirements of the standard, with particular focus on requirement 2 (secure configurations), requirement 8 (strong authentication), requirement 10 (logging and monitoring), and the other technical controls necessary for a cardholder data environment. We implement CIS Benchmarks (Center for Internet Security) at levels 1 and 2, applying hundreds of specific configurations validated by the global community of security professionals, covering filesystem hardening, kernel parameters, network configuration, authentication policies, auditing, and system services. On request, we implement compliance with ISO 27001 Annex A controls, NIST Cybersecurity Framework, NIST SP 800-53, GDPR technical requirements, HIPAA Security Rule for healthcare, SOC 2 Type II controls, and any other custom standards or requirements specified by the customer.
Types of Baseline and Specialized Profiles
We create differentiated baselines for specific roles and use cases, optimizing configurations for functional requirements while maintaining maximum security. We build minimal OS baselines containing only the hardened operating system without application stacks, usable as a foundation for custom installations or as a basis for further specialization. We build web server baselines pre-configured with hardened Apache or Nginx, essential modules, optimized TLS configuration, security headers, rate limiting, and the ModSecurity WAF where required. We create database server baselines for MySQL/MariaDB, PostgreSQL, or Oracle Database with specific hardening, robust authentication, encryption at rest, full audit logging, and network isolation. We build application server baselines with runtime environments (Java/Tomcat, Python/Django, Node.js, PHP-FPM) configured according to security best practices. We build container-specific baselines for Docker or LXC optimized for small size, minimal attack surface, and robust isolation. We create bastion/jump host baselines with two-factor authentication, session recording, restricted command execution, and comprehensive auditing for secure administrative access. On request, we develop fully custom baselines with specific application stacks, middleware, monitoring agents, backup clients, and any other software requested by the customer, pre-installed and pre-configured.
Hardening and Security Configurations
Each baseline implements full multi-layer hardening covering the kernel, filesystems, networking, authentication, services and application-level security. We configure kernel hardening through optimized sysctl parameters, disabling of unnecessary protocols and functionality, ASLR, stack protection, and other kernel-level mitigations. We implement filesystem hardening with secure partitioning, restrictive mount options (noexec, nosuid, nodev), rigorous permissions according to the principle of least privilege, removal of unnecessary SUID/SGID binaries, and file integrity monitoring configuration. We apply network hardening by disabling unnecessary services, configuring restrictive firewalls (iptables/nftables), disabling IPv6 if not used, implementing TCP/IP stack hardening, and configuring logging of suspicious network traffic. We configure robust authentication with complex password policies, account lockout, disabling of unnecessary accounts, granular sudo configuration, SSH hardening (key-based auth, disabled root login, restricted ciphers), and optimized PAM configuration. We implement mandatory access control through AppArmor or SELinux with enforcing profiles for critical services. We configure auditd for complete logging of security events, appropriate log retention, and remote logging where required. We install and configure essential security tooling such as fail2ban, rkhunter, AIDE, and other security monitoring and incident detection utilities.
Container Security for LXC and Docker
For container-based baselines, we implement hardening specific to containerization technologies. For LXC containers, we configure unprivileged containers whenever possible, restrictive AppArmor profiles, capability dropping, resource limits (CPU, memory, disk I/O) to prevent resource exhaustion, and network isolation. For Docker images, we create minimal images based on Alpine Linux or Distroless for a reduced attack surface, implement multi-stage builds to minimize final size, configure a non-root USER for process execution, implement read-only filesystems where possible, drop unnecessary Linux capabilities, set up restrictive seccomp profiles, and scan images for known vulnerabilities. We supply fully documented Dockerfiles that allow rebuilding and customisation, and docker-compose configurations for multi-container orchestration where applicable.
Multi-Platform Formats and Compatibility
We provide baselines in all required formats, ensuring universal compatibility with any virtualization platform. We produce qcow2 (QEMU Copy-On-Write) images optimized for KVM/Proxmox/OpenStack, with thin provisioning and compression where appropriate. We generate raw images for maximum compatibility and predictable performance, usable with any hypervisor. We create VDI (VirtualBox Disk Image) images for VirtualBox environments. We build VMDK (Virtual Machine Disk) images for VMware ESXi, vSphere, Workstation and Fusion. We produce VHD/VHDX images for Microsoft Hyper-V and Azure. We provide OVA/OVF (Open Virtualization Format) packages containing VM configuration metadata and virtual disks for maximum portability between heterogeneous platforms. For cloud deployments, we create cloud-init enabled images compatible with AWS, Azure, GCP, DigitalOcean and other cloud providers, allowing automated bootstrapping through the metadata service. We produce container images in OCI-compliant format for Docker, Podman, and Kubernetes, published on private or public registries. For LXC, we provide tarball templates or rootfs images that can be imported directly into Proxmox or other LXC hosts.
Automation Scripts and Provisioning
We accompany each baseline with complete automation scripts for scalable deployment, configuration management, and validation. We provide Ansible playbooks for automated provisioning, post-deployment configuration, application installation, and configuration drift correction, enabling an Infrastructure-as-Code approach and repeatable, consistent deployment across multiple instances. We include Packer templates for automated image building, allowing customers to rebuild the baseline with custom modifications or updates, integrated into CI/CD pipelines for continuous image building. We provide shell scripts for quick deployment in scenarios where Ansible is not available or for simple one-off tasks. We include cloud-init configurations for automated bootstrapping in cloud environments, configuring hostname, networking, SSH keys, user accounts, and other initialization at first boot. On request, we develop Terraform modules for full orchestration of infrastructure provisioning, integrating hardened images into automated multi-tier deployments.
Compliance Validation and Continuous Checking
We provide compliance checking scripts that validate configurations against the implemented frameworks, allowing periodic auditing and detection of configuration drift. The scripts run hundreds of automated checks covering kernel parameters, file permissions, service configurations, network settings, authentication policies, and every other aspect relevant to compliance. They produce detailed reports identifying deviations from the baseline, an overall compliance score, and remediation guidance for the issues identified. The scripts can be scheduled via cron for continuous compliance monitoring and can integrate with SIEM or monitoring platforms for automated alerting when compliance degrades. We use standard tools such as OpenSCAP, Lynis and CIS-CAT where appropriate, or we develop custom scripts for specific requirements not covered by existing tooling.
Detailed Technical Documentation
Each baseline is accompanied by complete documentation covering every aspect of the configurations implemented. The documentation includes a full list of changes compared to the vanilla distribution, detailing each package installed or removed, modified configuration files with diffs of the modifications, kernel parameters configured with their rationale, enabled/disabled services, firewall rules implemented, and any other applied configuration. We provide a compliance mapping that correlates every configuration implemented to specific framework controls (e.g., "kernel parameter X implements CIS control 3.2.1 and PCI-DSS requirement 2.2.4"), supporting auditing and demonstration of compliance. We document any default credentials configured (if present), with recommendations for changing them immediately after deployment. We include known limits and the trade-offs made between security and usability. We provide a quick start guide for initial deployment and operational procedures for common administrative tasks that respect the hardened configurations.
Delivery and Support
We deliver baselines through secure modes convenient for the customer: direct download from secure storage, transfer via SFTP/SCP, delivery on encrypted physical media for high-security environments, or direct upload to customer infrastructure. For large images, we use optimized compression (gzip, xz, zstd), balancing compression ratio and decompression speed. We provide a cryptographic checksum (SHA256) for integrity verification and, optionally, a GPG signature for authenticity verification. We offer post-delivery support for troubleshooting deployments, clarifications on implemented configurations, and assistance in integrating the baselines into the customer environment. Baseline updates are available upon explicit request of the customer when new versions of distributions are released, compliance frameworks are updated, or the customer requires changes to the original specifications, ensuring flexibility without imposing unsolicited ongoing maintenance. Our service transforms the traditionally laborious process of hardening and compliance configuration into immediate deployment of production-ready systems, drastically reducing time-to-production, eliminating manual configuration errors, and ensuring consistency and auditability across the entire customer infrastructure.
CONTACT US
Dognet Technologies SRL
Via XXV Aprile 47, 24055
Cologno al Serio (BG)
Tel: 351.5568240 | 352.0321176
Mail: info@dognet.tech
PI and CF: 04867480164
BG N.R.E.A. 495176
Italy


