AWS imagebuilder documentation change
Summary
Added commands to securely delete systemd random-seed file in Linux hardening script
Security assessment
This change enhances security documentation by adding a hardening measure to delete sensitive system files. While it improves security posture, it doesn't address a specific known vulnerability or security incident.
Diff
diff --git a/imagebuilder/latest/userguide/security-best-practices.md b/imagebuilder/latest/userguide/security-best-practices.md index cdf4191e3..e18178cf3 100644 --- a//imagebuilder/latest/userguide/security-best-practices.md +++ b//imagebuilder/latest/userguide/security-best-practices.md @@ -240,0 +241,6 @@ If you override **User data** in your recipe, the script doesn't run. In that ca + if [[ -f "/var/lib/systemd/random-seed" ]]; then + echo "Deleting /var/lib/systemd/random-seed" + sudo shred -zuf /var/lib/systemd/random-seed + sudo rm -f /var/lib/systemd/random-seed + fi +