Voyager18 (research)

What the death of CentOS means for security

The days of CentOS are coming to an end. Here's everything you need to know, including the measures you can take.

Lior Ben Dayan | July 02, 2023

More than two years ago, the CentOS Stream project was announced. It was the day that Red Hat dropped the bomb and said to the market, in black and white, that the days of using Red Hat Enterprise Linux for free are ending. If you previously relied on CentOS for your infrastructure, you will soon need to overhaul it. 

For clarity, let’s define CentOS Linux, discuss its relationship with Red Hat, and introduce the new “star”, CentOS Stream. 

What is CentOS? 

Red Hat Enterprise Linux (RHEL) is a commercial Linux distribution renowned for its stability, added security features, and, most importantly, its long-term support services. 

CentOS Linux is a downstream rebuild of RHEL, which means the operating system is recompiled from Red Hat's published source code. To be precise: when Red Hat produces and publishes a RHEL release, the GNU General Public License obliges it to make the source code available.

Consequently, developers can use this code to build a system akin to Red Hat Enterprise Linux, but with some differences. The primary difference? It’s free. 

People could enjoy an operating system developed and tested using source code that was designed by Red Hat engineers to support stability in production environments, and all for free. 

Many organizations could enjoy the benefits of using Red Hat, just without paying for it.

In December 2020, Red Hat dropped the bombshell, calling it "shifting focus" to CentOS Stream. CentOS Stream is a different creature: it sits upstream of RHEL rather than downstream. CentOS is no longer a descendant of RHEL but, as Chris Wright, CTO at Red Hat, put it:

“an upstream development platform designed for CentOS community members, Red Hat partners, ecosystem developers, and many other groups to more quickly and easily see what’s coming next in Red Hat Enterprise Linux (RHEL) and to help shape the product”.  

In simpler terms, CentOS Stream is going to be Red Hat’s development sandbox before they release a stable version of their commercial operating system. 

This shift of CentOS from being downstream of RHEL to upstream positions this project as a midpoint between Fedora and RHEL. According to Chris, CentOS Stream isn’t a replacement but a natural progression of CentOS Linux, and this transition offers many advantages. However, it is clear that there is no longer a free fork of Red Hat Enterprise Linux. 

What’s changed?  

Last week, Mike McGrath, Vice President at Red Hat, shook up the Linux community again by announcing Red Hat's latest decision: to limit access to its source code, push RHEL source code upstream to the CentOS Stream repositories, and provide direct access to the RHEL source code itself only to paying customers.

The community reacted furiously because of the impact on other RHEL downstream distributions, such as AlmaLinux and Rocky Linux, which were considered the natural alternatives to CentOS Linux.

Mike McGrath's post is worth reading for Red Hat's perspective on the situation over the last two years and its response to the claims made against it.

There’s a lot to be said about the advantages and disadvantages of this move, as well as the financial motivations attributed to it, and more. 

But our focus here is on your next steps to ensure security after this significant shift. 



What’s next?  

By the end of June 2024, CentOS Linux 7 will no longer be supported, and no further security updates will be provided. So, what should you do if your infrastructure largely relies on CentOS Linux? 

Any new vulnerabilities reported after July 2024 will not be patched, potentially impacting many organizations’ processes, from vulnerability management to risk management, and even compliance with customer SLAs. 

Organizations that do not act promptly may find themselves grappling with a sea of unpatchable vulnerabilities. 

To be clear, you must plan to migrate your organization from CentOS Linux to another operating system. Sooner or later, every CentOS Linux user will have to switch platforms. 

People thought that moving to other free RHEL downstream distributions like Rocky Linux or Alma Linux was a logical step, but after the latest announcement from Mike McGrath, this is not so clear. 

In addition, doubts have been raised about Rocky’s and Alma’s ability to maintain a large-scale ubiquitous operating system like CentOS Linux.

We recommend considering a migration to Red Hat Enterprise Linux and suggest reading Red Hat's migration guide for a seamless transition. This option offers many benefits: long-term support and maintenance services, additional security features, compatibility with recent technologies, and more.

Another alternative is Fedora, but choosing this isn’t straightforward. 

Fedora focuses on delivering cutting-edge technology and innovation. As an upstream for RHEL, it is known as a testing ground for modern technologies that will later be incorporated into RHEL. 

Fedora has a fairly rapid release cycle, with new versions released approximately every six months, and each release has a lifespan of only one year. This short lifespan can add significant workload for DevOps and system administrators. 

There are numerous factors to consider when choosing an operating system, including support and maintenance periods, RPM or DEB based package management, business and technical purposes, container versus virtual machine support, compatibility with the latest technologies versus stability, and more. 

Among these, it is vital to prioritize security aspects. 

Navigating the challenges 

This migration process will be challenging and time-consuming for many organizations, so you must also plan for contingency actions if you still have active CentOS Linux machines by July 2024. 

First, ensure your asset management works properly. Track all CentOS Linux servers and monitor deployments of new CentOS servers in your environments. 

This is also a good time to decommission unnecessary or shadow servers in your network. 

Once you have an inventory of your servers, it’s time to be proactive. Create a robust defense strategy around them: 

  1. Map the network configuration of these assets and restrict access to and from them. Use network and host firewalls to isolate them where possible, and ensure that only dedicated, trusted network entities can reach these vulnerable assets.
  2. After taking care of network access, move your focus to authorized user access. Implement strict access control configurations and follow the principle of least privilege.
  3. Boost your monitoring and deploy detection and prevention tools where needed. Network IDS/IPS and host EDR/XDR will increase your visibility into what is going on in this area and help you act as quickly as possible if a vulnerability is exploited.
  4. Know the data on your assets and treat it accordingly: ensure sensitive data of your business, customers, and employees is encrypted at rest and backed up to minimize the chance of data loss.
  5. Educate your technical teams about the risks of using end-of-life products in your environment. Make sure all engineers and system administrators are aligned, and avoid a situation where an unaware employee opens a network port right after it has been decided to close it.
  6. Stay a step ahead of threat actors and have an incident response plan ready for execution. You have enough time to exercise your IR team so that it knows these assets and their environments.
  7. This is not a one-time procedure. Schedule regular dedicated audits and assessments of these assets, and identify potential breaches and misconfigurations before a threat actor does.
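The inventory step above is the one most teams get wrong, so here is an added example (not code from the article or from Vulcan Cyber) of a small Python check that classifies hosts from their /etc/os-release contents and flags CentOS Linux machines that are at or near end of life. The CentOS Linux 7 date is the one the article gives; the CentOS Linux 8 date is a known fact not stated on the page; the host names, the 180-day warning window and the os-release samples are constructed.

```python
from __future__ import annotations
from datetime import date
CENTOS_LINUX_EOL = {  # CentOS Linux (the downstream rebuild) only, not CentOS Stream
    "7": date(2024, 6, 30),   # from the article: no security updates after June 2024
    "8": date(2021, 12, 31),  # known fact, not stated in the article
}

def parse_os_release(text: str) -> dict[str, str]:
    """Parse /etc/os-release KEY=VALUE lines; values may be quoted."""
    fields: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip().strip('"').strip("'")
    return fields

def classify(host: str, os_release: str, today: date | str, warn_days: int = 180) -> dict:
    """Classify one host; status: eol, eol-soon, supported, review (Stream/unknown) or not-centos-linux."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    f = parse_os_release(os_release)
    distro, version = f.get("ID", "unknown"), f.get("VERSION_ID", "").split(".")[0]
    rec = {"host": host, "distro": distro, "version": version, "days_left": None}
    # CentOS Stream also reports ID=centos; only NAME tells the two apart.
    if distro == "centos" and "Stream" in f.get("NAME", ""):
        return {**rec, "distro": "centos-stream", "status": "review"}
    if distro != "centos":
        return {**rec, "status": "not-centos-linux"}
    rec["distro"] = "centos-linux"
    eol = CENTOS_LINUX_EOL.get(version)
    if eol is None:  # CentOS Linux release without a known date: needs a human look
        return {**rec, "status": "review"}
    days = (eol - today).days
    status = "eol" if days < 0 else ("eol-soon" if days <= warn_days else "supported")
    return {**rec, "status": status, "days_left": days}

def needs_action(hosts: dict[str, str], today: date | str) -> list[dict]:
    """Hosts that are EOL, near EOL or unclassified, most urgent first."""
    order = {"eol": 0, "eol-soon": 1, "review": 2}
    found = [classify(h, txt, today) for h, txt in hosts.items()]
    return sorted((r for r in found if r["status"] in order), key=lambda r: order[r["status"]])

# Constructed sample inventory (not real hosts), as a config-management tool might collect it.
SAMPLE_HOSTS = {
    "web01": 'NAME="CentOS Linux"\nVERSION="7 (Core)"\nID="centos"\nVERSION_ID="7"\n',
    "db02": 'NAME="CentOS Linux"\nID="centos"\nVERSION_ID="8"\n',
    "build03": 'NAME="CentOS Stream"\nID="centos"\nVERSION_ID="9"\n',
    "app04": 'NAME="Red Hat Enterprise Linux"\nID="rhel"\nVERSION_ID="9.2"\n',
}
```

Feeding it real os-release files gathered by whatever tooling already reaches your servers gives a list that shrinks as the migration progresses, and any host that reappears as "eol" is a new unmanaged deployment.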

Next steps

Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

  1. CVSS v4.0 – what you need to know
  2. Can you trust ChatGPT’s package recommendations?
  3. MITRE ATT&CK framework – Mapping techniques to CVEs
  4. Exploit maturity: an introduction  
  5. OWASP Top 10 vulnerabilities 2022: what we learned 

And finally… 

Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate and communicate your cyber risk across your entire organization. Get a demo today. 
