This is a repository containing Packer templates to create a hardened Ubuntu server.
There are templates available for creating a
- Vagrant server base box
- .ova package
- Amazon Machine Image (AMI)
20.04 LTS (Focal Fossa) and 22.04 LTS (Jammy Jellyfish) are supported.
The Ansible role used to make the server a bit more secure is available in the konstruktoid/ansible-role-hardening repository.
The role is installed and configured using config/local.yml.
See https://www.packer.io/docs/builders and https://www.packer.io/docs/post-processors on how to rewrite the template if you want to use it for another platform.
Requires Packer and an Amazon Web Services account.
Ensure that the correct `release` and `aws_region` are set in `ubuntu-aws-vars.json` before validating the configuration and building the Amazon Machine Image.
```sh
export AWS_ACCESS_KEY_ID="<YOUR_AWS_ACCESS_KEY_ID>"
export AWS_SECRET_ACCESS_KEY="<YOUR_AWS_SECRET_ACCESS_KEY>"
packer init -upgrade -var-file ubuntu-aws-vars.json ubuntu-hardened-aws.pkr.hcl
packer validate -var-file ubuntu-aws-vars.json ubuntu-hardened-aws.pkr.hcl
packer build -timestamp-ui -var-file ubuntu-aws-vars.json ubuntu-hardened-aws.pkr.hcl
```
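A pre-flight check for the AMI build, added here as an example and not part of the repository: it refuses to start `packer` unless both variables the README requires are set in the var file and the AWS credentials are exported, so a build never fails half-way because of an empty `aws_region`. The key names `release` and `aws_region` come from the README; the flat `{"key": "value"}` layout assumed for the var file is the standard Packer `-var-file` JSON format, and the sample values used in comments are constructed.

```shell
#!/bin/sh
# Added example (not the project's own script): pre-flight checks before building the AMI.

# Print the value of a top-level string key from a flat Packer JSON var file.
# Assumes {"key": "value"} lines, e.g. {"release": "jammy", "aws_region": "eu-west-1"}
# (constructed sample values).
var_value() {
  key="$1"; file="$2"
  sed -n "s/^[[:space:]]*\"$key\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$file" | head -n 1
}

# Exit 0 when both "release" and "aws_region" are present and non-empty, 1 otherwise.
check_aws_vars() {
  file="$1"
  ok=0
  for key in release aws_region; do
    value=$(var_value "$key" "$file")
    if [ -z "$value" ]; then
      echo "error: \"$key\" is not set in $file" >&2
      ok=1
    fi
  done
  return $ok
}

# Exit 0 only when both credential variables are exported in the environment.
check_aws_credentials() {
  [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]
}

# Run the README's init/validate/build sequence only after the checks pass.
build_ami() {
  file="${1:-ubuntu-aws-vars.json}"
  check_aws_vars "$file" || return 1
  check_aws_credentials || {
    echo "error: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must be exported" >&2
    return 1
  }
  packer init -upgrade -var-file "$file" ubuntu-hardened-aws.pkr.hcl &&
  packer validate -var-file "$file" ubuntu-hardened-aws.pkr.hcl &&
  packer build -timestamp-ui -var-file "$file" ubuntu-hardened-aws.pkr.hcl
}
```

Source the file and call `build_ami ubuntu-aws-vars.json`; the credential check reads the environment rather than a file on purpose, so keys are never written to disk alongside the templates.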
Note: there are various issues when building an Ubuntu release using subiquity.
Requires Packer, Vagrant and VirtualBox.
To build the Vagrant boxes and the .ova files, run `bash build_box.sh`.
The script will validate the Packer template, the Vagrantfile and the shell scripts. It will then remove any old versions of the box before generating a new one. If all files are valid, the packer command used is

```sh
packer build -force -timestamp-ui -var-file <var-file> ubuntu-hardened-box.pkr.hcl
```
There's a SLSA artifact present under the slsa action workflow.
Verification of the built local files can be done using

```sh
sha256sum -c ubuntu-hardened-server.sha256
```

or using similar commands.
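Two helpers around that verification step, added here as an example rather than taken from the repository: `verify_manifest` runs `sha256sum --check` in strict mode from the manifest's own directory (the paths inside it are relative), and `unlisted_files` reports artifacts sitting next to the manifest that it does not cover, because `sha256sum -c` only checks the files that are listed and an unlisted `.box` or `.ova` would otherwise pass unnoticed. The manifest is assumed to be in plain `sha256sum` output format; the file names in the test are constructed.

```shell
#!/bin/sh
# Added example (not the project's own script): checksum verification helpers.

# Verify every entry in the manifest. --strict turns malformed lines into failures,
# --quiet prints only mismatches. Exit status is sha256sum's own (non-zero on any failure).
verify_manifest() {
  manifest="$1"
  dir=$(dirname "$manifest")
  base=$(basename "$manifest")
  (
    cd "$dir" || exit 2
    sha256sum --check --strict --quiet "$base"
  )
}

# Print the names of files beside the manifest that the manifest does not list
# (the manifest itself excluded). Prints nothing when everything is covered.
unlisted_files() {
  manifest="$1"
  dir=$(dirname "$manifest")
  base=$(basename "$manifest")
  for path in "$dir"/*; do
    name=$(basename "$path")
    [ "$name" = "$base" ] && continue
    # Manifest lines are "<64 hex chars>  <name>" (or " *<name>" in binary mode).
    if ! sed 's/^[0-9a-fA-F]\{64\} [ *]//' "$manifest" | grep -qxF -- "$name"; then
      printf '%s\n' "$name"
    fi
  done
}
```

For the repository layout this would be `verify_manifest output/ubuntu-hardened-server.sha256` followed by `unlisted_files output/ubuntu-hardened-server.sha256`; both must come back clean before the artifacts are treated as verified.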
```ruby
Vagrant.configure("2") do |config|
  config.vbguest.installer_options = { allow_kernel_upgrade: true }
  config.vm.provider "virtualbox" do |vb|
    vb.memory = 2048
    vb.customize ["modifyvm", :id, "--uart1", "0x3F8", "4"]
    vb.customize ["modifyvm", :id, "--uartmode1", "file", File::NULL]
  end
  config.vm.define "focal" do |focal|
    focal.vm.hostname = "hardened-focal"
    focal.vm.box = "ubuntu-focal/20.04"
    focal.vm.box_url = "file://output/ubuntu-20.04.4-hardened-server.box"
  end
  config.vm.define "jammy" do |jammy|
    jammy.vm.hostname = "hardened-jammy"
    jammy.vm.box = "ubuntu-jammy/22.04"
    jammy.vm.box_url = "file://output/ubuntu-22.04-hardened-server.box"
  end
end
```
```text
.
├── build_box.sh
├── config
│   ├── ansible.cfg
│   └── local.yml
├── http
│   ├── meta-data
│   └── user-data
├── LICENSE
├── output
│   ├── ubuntu-20.04.6-hardened-server.box
│   ├── ubuntu-20.04.6-hardened-server.ova
│   ├── ubuntu-22.04.3-hardened-server.box
│   ├── ubuntu-22.04.3-hardened-server.ova
│   └── ubuntu-hardened-server.sha256
├── README.md
├── renovate.json
├── scripts
│   ├── aws.sh
│   ├── cleanup.sh
│   ├── hardening.sh
│   ├── minimize.sh
│   ├── postproc.sh
│   └── vagrant.sh
├── SECURITY.md
├── ubuntu-20.04-vars.json
├── ubuntu-22.04-vars.json
├── ubuntu-aws-vars.json
├── ubuntu-hardened-aws.pkr.hcl
├── ubuntu-hardened-box.pkr.hcl
└── Vagrantfile

4 directories, 26 files
```
Do you want to contribute? Great! Contributions are always welcome, no matter how large or small. If you found something odd, feel free to submit an issue, improve the code by creating a pull request, or sponsor this project.
Apache License Version 2.0