Service Overview

Our Baseline and Deployment service provides virtual machines and pre-configured Linux containers that are hardened and compliance-ready, eliminating the need to start from insecure vanilla distributions that require weeks of manual hardening. We create golden images and templates optimized for security, performance and regulatory compliance, ready for immediate deployment in any virtualized environment. Each baseline is meticulously configured according to customer-specific security standards – NIS2 Directive, PCI-DSS, CIS Benchmarks, ISO 27001, NIST frameworks, or custom requirements – ensuring that every deployed instance starts from a robust and auditable security posture. Deliverables are provided in formats compatible with all major hypervisors and virtualization platforms, accompanied by automation scripts for scalable provisioning and validation scripts for continuous compliance checking.

Baseline and Deployment

Baseline

Supported Linux Distributions

We create hardened baselines for the main enterprise Linux distributions used in business. We work mainly on Debian and Ubuntu in their LTS (Long Term Support) versions, which guarantee stability and extended support, ideal for critical production workloads requiring predictability and minimal disruption. We support Oracle Linux, particularly required in enterprise environments running Oracle Database or Oracle applications, which benefits from binary compatibility with RHEL and the optimized Unbreakable Enterprise Kernel. On request, we create baselines for Red Hat Enterprise Linux, CentOS Stream, Rocky Linux, AlmaLinux, SUSE Linux Enterprise Server, and other specific distributions requested by the customer. Each distribution is configured from a minimal installation to reduce the attack surface, installing only the packages strictly necessary for the specific role of the image.

Supported Compliance Frameworks

We design baselines strictly aligned to the main compliance and security standard frameworks. For NIS2 (Network and Information Security Directive 2) compliance, we implement the technical and organisational controls required by the European Directive for essential and important service operators, including cyber risk management, incident handling capabilities, business continuity measures, and security governance aligned with the requirements of the Directive. For PCI-DSS (Payment Card Industry Data Security Standard) environments, we configure systems according to the twelve requirements of the standard, with particular focus on requirement 2 (secure configurations), requirement 8 (strong authentication), requirement 10 (logging and monitoring), and the other technical controls necessary for the cardholder data environment. We implement CIS Benchmarks (Center for Internet Security) at levels 1 and 2, applying hundreds of specific configurations validated by the global community of security professionals, covering filesystem hardening, kernel parameters, network configuration, authentication policies, auditing, and system services. On request, we implement compliance with ISO 27001 Annex A controls, the NIST Cybersecurity Framework, NIST SP 800-53, GDPR technical requirements, the HIPAA Security Rule for healthcare, SOC 2 Type II controls, and any other custom standards or requirements specified by the customer.

Types of Baseline and Specialized Profiles

We create differentiated baselines for specific roles and use cases, optimizing configurations for functional requirements while maintaining maximum security. We build an OS minimal baseline containing only the hardened operating system without application stacks, usable as a foundation for custom installations or as a basis for further specializations. We build web server baselines pre-configured with hardened Apache or Nginx, only essential modules, optimized TLS configuration, security headers, rate limiting, and the ModSecurity WAF where required. We create database server baselines for MySQL/MariaDB, PostgreSQL, or Oracle Database with database-specific hardening, robust authentication, encryption at rest, full audit logging, and network isolation. We build application server baselines with runtime environments (Java/Tomcat, Python/Django, Node.js, PHP-FPM) configured according to security best practices. We build container-specific baselines for Docker or LXC optimized for reduced footprint, minimal attack surface, and robust isolation. We create bastion/jump host baselines with two-factor authentication, session recording, restricted command execution, and comprehensive auditing for secure administrative access. On request, we develop fully custom baselines with specific application stacks, middleware, monitoring agents, backup clients, and any other software requested by the customer pre-installed and pre-configured.

Hardening and Security Configurations

Each baseline implements full multi-layer hardening covering the kernel, filesystem, networking, authentication, services and application-level security. We configure kernel hardening through optimized sysctl parameters, disabling of unnecessary protocols and functionality, ASLR, stack protection, and other kernel-level mitigations. We implement filesystem hardening with secure partitioning, restrictive mount options (noexec, nosuid, nodev), rigorous permissions according to the principle of least privilege, removal of unnecessary SUID/SGID binaries, and file integrity monitoring configuration. We apply network hardening by disabling unnecessary services, configuring restrictive firewalls (iptables/nftables), disabling IPv6 if not used, hardening the TCP/IP stack, and configuring logging of suspicious network traffic. We configure robust authentication with complex password policies, account lockout, disabling of unnecessary accounts, granular sudo configuration, SSH hardening (key-based authentication, disabled root login, restricted ciphers), and optimized PAM configuration. We implement mandatory access control through AppArmor or SELinux with enforcing profiles for critical services. We configure auditd for complete logging of security events, appropriate log retention, and remote logging where required. We install and configure essential security tooling such as fail2ban, rkhunter, AIDE, and other security monitoring and incident detection utilities.

Container Security for LXC and Docker

For container-based baselines, we implement hardening specific to the containerization technology. For LXC containers, we configure unprivileged containers whenever possible, restrictive AppArmor profiles, capability dropping, resource limits (CPU, memory, disk I/O) to prevent resource exhaustion, and network isolation. For Docker images, we create minimal images based on Alpine Linux or Distroless for a reduced attack surface, we implement multi-stage builds to minimize final size, we configure a non-root USER for process execution, we implement read-only filesystems where possible, we drop unnecessary Linux capabilities, we set up restrictive seccomp profiles, and we scan images for known vulnerabilities. We supply fully documented Dockerfiles allowing rebuild and customisation, and docker-compose configurations for multi-container orchestration where applicable.

Multi-Platform Formats and Compatibility

We provide baselines in all required formats, ensuring universal compatibility with any virtualization platform. We produce qcow2 (QEMU Copy-On-Write) images optimized for KVM/Proxmox/OpenStack with thin provisioning and compression where appropriate. We generate raw images for maximum compatibility and predictable performance, usable with any hypervisor. We create VDI (VirtualBox Disk Image) images for VirtualBox environments. We build VMDK (Virtual Machine Disk) images for VMware ESXi, vSphere, Workstation and Fusion. We produce VHD/VHDX images for Microsoft Hyper-V and Azure. We provide OVA/OVF (Open Virtualization Format) packages containing VM configuration metadata and virtual disks for maximum portability between heterogeneous platforms. For cloud deployments, we create cloud-init enabled images compatible with AWS, Azure, GCP, DigitalOcean and other cloud providers, allowing automated bootstrapping from the metadata service. We produce container images in OCI-compliant format for Docker, Podman, and Kubernetes, published to a private or public registry. For LXC, we provide tarball templates or rootfs images that import directly into Proxmox or other LXC hosts.

Automation Scripts and Provisioning

We accompany each baseline with complete automation scripts for scalable deployment, configuration management, and validation. We provide Ansible playbooks for automated provisioning, post-deployment configuration, application installation, and configuration drift correction, enabling an Infrastructure-as-Code approach and repeatable, consistent deployment across multiple instances. We include Packer templates for automated image building, allowing customers to rebuild the baseline with custom modifications or updates, integrated into CI/CD pipelines for continuous image building. We provide shell scripts for quick deployment in scenarios where Ansible is not available or for simple one-off tasks. We include cloud-init configurations for automated bootstrapping in cloud environments, configuring hostname, networking, SSH keys, user accounts, and other initialization at first boot. We develop Terraform modules on request for full orchestration of infrastructure provisioning, integrating the hardened images into automated multi-tier deployments.

Compliance Validation and Continuous Checking

We provide compliance checking scripts that validate configurations against the implemented frameworks, allowing periodic auditing and detection of configuration drift. The scripts run hundreds of automated checks covering kernel parameters, file permissions, service configurations, network settings, authentication policies, and every other aspect relevant to compliance. They produce detailed reports identifying deviations from the baseline, an overall compliance score, and remediation guidance for the identified issues. The scripts are schedulable via cron for continuous compliance monitoring and can integrate with SIEM or monitoring platforms for automated alerting when compliance degrades. We use standard tools like OpenSCAP, Lynis and CIS-CAT where appropriate, or we develop custom scripts for specific requirements not covered by existing tooling.
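As an added illustration (not the service's own validation scripts), the POSIX shell script below shows the shape of such a drift check for a few of the hardening controls named above: sysctl parameters, restrictive /tmp mount options, and SSH hardening directives. Each check takes a file path, so it runs against a live host (/etc/sysctl.conf, /etc/fstab, /etc/ssh/sshd_config) or against the constructed, deliberately drifted sample files it writes to a temp dir; the check labels and CIS references are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not the provider's tooling: minimal compliance checks in the
# style of the validation scripts described above. Sample configs are constructed.
# 0 if KEY in a sysctl-style file equals EXPECTED (last definition wins).
check_sysctl() { # file key expected
    actual=$(sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" |
             sed 's/[[:space:]]*$//' | tail -n 1)
    [ "$actual" = "$3" ]
}
# 0 if MOUNTPOINT's fstab entry carries OPTION (noexec, nosuid, nodev ...).
check_mount_opt() { # file mountpoint option
    opts=$(awk -v mp="$2" '$2 == mp { print $4 }' "$1")
    printf ',%s,' "$opts" | grep -q ",$3,"
}
# 0 if sshd_config sets DIRECTIVE to EXPECTED (directive names are case-insensitive).
check_sshd() { # file directive expected
    actual=$(awk -v d="$2" 'tolower($1) == tolower(d) { print $2 }' "$1" | tail -n 1)
    [ "$actual" = "$3" ]
}
# Record one check: prints PASS/FAIL with its label and updates the tallies.
tally() { # label check args...
    label=$1; shift; total=$((total + 1))
    if "$@"; then passed=$((passed + 1)); echo "PASS $label"; else echo "FAIL $label"; fi
}
# Run the check set, print the report and "score passed/total"; non-zero exit on drift.
run_checks() { # sysctl_file fstab_file sshd_file
    total=0; passed=0
    tally "ASLR enabled (kernel.randomize_va_space=2)" check_sysctl "$1" kernel.randomize_va_space 2
    tally "IP forwarding disabled (net.ipv4.ip_forward=0)" check_sysctl "$1" net.ipv4.ip_forward 0
    tally "/tmp mounted noexec" check_mount_opt "$2" /tmp noexec
    tally "/tmp mounted nosuid" check_mount_opt "$2" /tmp nosuid
    tally "SSH root login disabled" check_sshd "$3" PermitRootLogin no
    tally "SSH password authentication disabled" check_sshd "$3" PasswordAuthentication no
    echo "score $passed/$total"
    [ "$passed" -eq "$total" ]
}
# Constructed sample configs (deliberately drifted) in a temp dir; prints the dir.
make_samples() {
    d=$(mktemp -d)
    printf 'kernel.randomize_va_space = 2\nnet.ipv4.ip_forward = 1\n' > "$d/sysctl.conf"
    printf 'tmpfs /tmp tmpfs defaults,nosuid,nodev 0 0\n' > "$d/fstab"
    printf 'Port 22\nPermitRootLogin no\nPasswordAuthentication yes\n' > "$d/sshd_config"
    echo "$d"
}
# Demo: on a real host pass /etc/sysctl.conf /etc/fstab /etc/ssh/sshd_config instead.
dir=$(make_samples)
run_checks "$dir/sysctl.conf" "$dir/fstab" "$dir/sshd_config" || echo "configuration drift detected"
rm -rf "$dir"
```

The non-zero exit of run_checks is what a cron job or monitoring agent would key on to raise an alert when compliance degrades.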

Detailed Technical Documentation

Each baseline is accompanied by complete documentation covering every aspect of the configurations implemented. The documentation includes a full list of changes compared to the vanilla distribution, detailing each package installed or removed, modified configuration files with diffs of the modifications, kernel parameters configured with their rationale, enabled/disabled services, firewall rules implemented, and any other applied configuration. We provide a compliance mapping that correlates every configuration implemented to specific framework controls (e.g., "kernel parameter X implements CIS control 3.2.1 and PCI-DSS requirement 2.2.4"), allowing auditing and demonstration of compliance. We document any default credentials configured (if present) with recommendations for immediate change after deployment. We include known limits and trade-offs made between security and usability. We provide a quick start guide for initial deployment and operational procedures for common administrative tasks that respect the hardened configurations.

Delivery and Support

We deliver baselines through modes that are secure and convenient for the customer: direct download from secure storage, transfer via SFTP/SCP, delivery on encrypted physical media for high-security environments, or direct upload to customer infrastructure. For large images, we use optimized compression (gzip, xz, zstd), balancing compression ratio and decompression speed. We provide a cryptographic checksum (SHA256) for integrity verification and optionally a GPG signature for authenticity verification. We offer post-delivery support for troubleshooting deployments, clarifications on implemented configurations, and assistance in integrating the baselines into the customer environment. Baseline updates are available upon explicit request of the customer when new versions of distributions are released, compliance frameworks are updated, or the customer requires changes to the original specifications, ensuring flexibility without imposing unsolicited ongoing maintenance. Our service transforms the traditionally laborious process of hardening and compliance configuration into immediate deployment of production-ready systems, drastically reducing time-to-production, eliminating manual configuration errors, and ensuring consistency and auditability across the entire customer infrastructure.

