Giters

lhaig / base

CIS v2.0.1-compliant bash-driven Ubuntu 18 Packer AWS AMI build with Terraform unit test and Vagrant option.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Development status MIT license CIS version CIS CAT CIS Compliance Packer version Vagrant version Terraform version Ubuntu version Written with

base

  • MacOS: Packer + virtualbox-iso + Ubuntu OVA = single EBS volume AWS AMI + Vagrant dev box
  • Partitioned, single-volume images.
  • CIS benchmark compliance.
  • Free to create and free to analyse/confirm compliance.
  • Scored Level 1 CIS benchmarks, not unscored or Level 2 requirements.
  • GCP/Azure builds to follow in due course, but !breath(hold).

Current Picture

  • Parameterised Packer & Bash, with a little bit of Terraform & Vagrant. That's it.

Prerequisites

  • Packer and Terraform.
  • An AWS account, with locally configured credentials (by which I mean AWS AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY and if you require it, AWS_SESSION_TOKEN).
  • A working AWS cli tool.
  • Permissions to create EC2 instances, volumes, S3 buckets, s3 objects, user roles, role policies.
  • A privately accessible AWS S3 bucket. Packer will deposit the image in OVA format in this bucket, and then create the AMI from it using the standard AWS process leaving the bucket empty.
  • A separate Ubuntu machine for Grub password generation.
  • Gmail account for system sSMTP configuration - the box will email this account during the build and on boot.

Initialisation

  • Use a Linux machine somewhere and generate yourself a Linux boot password with grub-mkpasswd-pbkdf2 - save this for later.
  • Use this to configure your environment variables; read the file before sourcing it. Check this post, credence to Jake.
. init.sh
  • Run the build using make as below. This will ask for any outstanding variable values in order for it to trigger the run.sh which itself runs the packer build and nominal Terraform unit test:
make
  • The run.sh will delete all but the latest AMI in your account with the tag name base and their corresponding snapshots. Read the code.

Notes

  • The build should take ~40 minutes mostly due to the import process to AWS and copying the AMI into the chosen region. Multi-region copies are not currently supported, but are penned for dev.
  • For abortive builds use the below, ensuring to destroy an errored Packer-created VMs and SSH public keys on the cloud:
make clean
  • Running the above build means the Ubuntu default user password used will be on your file system only during the build.
  • Once you have your base, differentiate it with equivalent Packer build pipelines to create AMIs for all your favourite toys and stacks and make them trigger when this one succeeds. Bear in mind the %%PHOENIX%% replacement in the Phoenix builds (see below).
  • Default locale is GB in preseed.src.
  • I build a 60Gb root disk - update preseed.src if needed.
  • This build is currently designed to operate one-way on a new default distribution of Ubuntu 18, and is not idempotent due to CIS implementation conveniences.
  • The preseed.src file includes gawk which supercedes mawk as it has strftime, and is required by the cis.sh script.
  • The default user on board is ubuntu, not vagrant which means a vagrant up will fail the login step and will have to be interrupted. Running ssh -p 2222 ubuntu@localhost should succeed after vagrant up.
  • Other notes pertaining to the CIS v2.0.1 Ubuntu CIS benchmarking document:
    • 1.3.1: This config sets up sSMTP in order for aide to be able to send email requires a hostname which defaults to ${HOST}.vm and a gmail account.
    • 1.5.2: Generate your own grub password as this repo has one only the author knows. See above.
    • 3.4.3: It is recommended to populate the hosts.deny once you have an idea of the networking from which you will attach to your machines. Optionally look at HashiCorp Boundary when you get there.
    • 3.6: For now, I'm leaving network manager switched on to check to see whether or not this is required in order to turn the radio module off.
    • 3.7/4.1.1.4 IPv6 is disabled but firewall rules are included and commented out in case use is required.
    • 4.1.2.3 auditd.conf has a %%PHOENIX%% parameter added intending for this to be replaced as part of your phoenix build which consumes this repo.
    • 5.2.14: SSHD is configured to AllowUsers ubuntu so only this user will be able to login unless the cis.sh script is amended.
  • Packer will also output a u18.box vbox Vagrant image type if you want to have a look locally prior to running your build. Optional.
  • Note the terms of use for CIS-CAT Lite: https://learn.cisecurity.org/cis-cat-trial-terms
  • Note that this software is provided as-is, and hardens an Ubuntu image built with Packer. The recommendation is to comply with the above terms of use as they apply in your use case.
  • Running
echo -e "GRUB_PASSWORD: ${GRUB_PASSWORD}\nGMAIL: $GMAIL\nHOST: $HOST\nDOMAIN: $DOMAIN\nREGION: $REGION\nREMOTELOGHOST: $REMOTELOGHOST\nS3_BUCKET: ${S3_BUCKET}\nAWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID\nAWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY\nAWS_SESSION_TOKEN: $AWS_SESSION_TOKEN\nGMAILPASSWORD: $GMAILPASSWORD\nUBUNTUPASSWORD: $UBUNTUPASSWORD\n"

might be convenient during development.

  • Certain environments require AWS_SESSION_TOKEN to be set such as your place of work, but although this needs to be set correctly for those environments to work, it is not specifically tested during the Packer run.
  • Put your site-specific base image unit test content in the baseUnitTest.sh script which distributes as a nominal Internet connectivity test.

About

CIS v2.0.1-compliant bash-driven Ubuntu 18 Packer AWS AMI build with Terraform unit test and Vagrant option.

License:MIT License

Languages

Language:Shell 99.8%Language:Makefile 0.2%