--- myst: html_meta: "description lang=en": "Kasm Workspaces hardening base operating system." "keywords": "Kasm, Server, Configuration, STIGs, Security, CIS, DISA, Workspaces" "property=og:locale": "en_US" --- ```{title} Operating System ``` # Operating System Kasm Workspaces requires underlying Linux systems to run on. While Workspaces will run on a number of Linux based operating systems, organizations that are concerned with security and/or having to run in an air-gapped network without internet access, typically have more restrictions that will dictate which underlying operating system to use. The US Federal Government and Department of Defense have historically been tied to RedHat, however, that has changed recently with [DISA releasing a STIG checklist](https://public.cyber.mil/announcement/stig-update-disa-has-released-the-canonical-ubuntu-20-04-lts-stig/) for [Ubuntu Pro](https://ubuntu.com/security/disa-stig) 20.04 LTS, which has been specifically created to help organizations meet FedRAMP, FISMA, FIPS and/or DISA-STIG compliance. The Kasm Technologies recommended operating system for organizations that need to meet DISA STIG requirements or NIST 800-53 controls in general, is Ubuntu 20.04 LTS with a strong preference for the paid support version, which is required to enable FIPS enforcement. Kasm Technologies has worked directly with many different DoD organizations using both Red Hat and Ubuntu 20.04 LTS and this recommendation is based on our experience. Kasm Technologies does **not** support the underlying operating system or the hardening of the operating system. The following table lists hardening requirements on the underlying operating system which need to be considered carefully on systems that support Kasm Workspaces: | Name | Severity | Summary | Caution | |------|----------|---------|---------| | [V-238367](https://www.stigviewer.com/stig/canonical_ubuntu_20.04_lts/2022-09-07/finding/V-238367) | Medium | Configure rate limiting on the host-based firewall. | All Kasm components use HTTPS for client communication and inter-service communications. Given that Kasm is a server application that handles requests from many users, a high limit should be used on the Kasm port. The default port is 443, but per this guide, you should use a high port number during installation. The DISA documented method for rate limiting using ufw on Ubuntu is an on or off proposition. Kasm's recommendation is to place rate limiting on a traditional firewall in the security stack and/or the front-end reverse proxy. If rate limiting on each server is absolutely required, you will need to manually edit iptables, rather than using ufw for the port Kasm is listening on, in order to specify what the limits should be. A higher limit should be chosen, to accommodate high traffic demands expected for your deployment. | | [V-230525](https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2022-12-06/finding/V-230525) | Medium | Configure rate limiting on the host-based firewall. | All Kasm components use HTTPS for client communication and inter-service communications. Given that Kasm is a server application that handles requests from many users, it would not be wise to rate limit the port Kasm listens on. The default port is 443, but per this guide, you should use a high port number during installation. A higher limit should be chosen for the port Kasm is listening on, to accommodate high traffic demands expected for your deployment. |