STIG-Partitioned Enterprise Linux (spel)
STIG-Partitioned Enterprise Linux (spel) is a project that helps create and publish Enterprise Linux images that are partitioned according to the DISA STIG. The resulting images also use LVM to simplify volume management. The images are configured with help from the scripts and packages in the AMIgen7, AMIgen8, and AMIgen9 projects[^1].
Notes on Lifecycle:
- Images are released on a monthly cadence. This cadence ensures that, if a user launches a brand new instance from the most-recently published AMI, there will be less than a month's worth of system-patches to apply as part of the system-owner's system-provisioning processes.
- "Free" Enterprise Linux distributions are configured to use the public repositories offered by the distribution-owner. If running EC2s inside of a VPC with no access to the internet at large, it will not be possible to install additional RPMs or patch systems without the use of either a proxy or standing up a private yum mirror.
- Red Hat images are configured to use a given cloud service provider's (CSP) Red Hat Update Infrastructure (a.k.a., "RHUI") repositories. These repositories are managed by Red Hat engineers and provide local RPM update-service within each CSP-partner's networks. Unlike RPM-access via RHN or Satellite, RHUI access is tied to and paid for via your CSP's billing-mechanisms. RHUI access also entitles cloud-VMs' owners to limited operating system support through the respective CSP's support channels.
- AWS Specific notes:

  Access to the RHUI repositories is gated, in part, by an attribute attached to EC2s. This attribute is inherited from their corresponding AMIs. To view this attribute external to the EC2, execute:

  ```shell
  aws ec2 describe-instances --query 'Reservations[].Instances[].UsageOperation' --instance-ids <INSTANCE_ID>
  ```

  This should return a value of `RunInstances:0010`. If the value is just `RunInstances`, the necessary attribute is missing from the EC2. The attribute may also be viewed internal to the EC2 by executing:

  ```shell
  curl http://169.254.169.254/latest/dynamic/instance-identity/document | \
    grep "billingProducts"
  ```

  This should return a value of `"billingProducts" : [ "bp-6fa54006" ]`. If not, the necessary attribute is missing from the EC2. In either case, lack of the requisite attribute will mean that attempts to install or update RPMs from RHUI will fail.

  If patch-updates should come from RHN, Satellite or other private repository, do not use the AMIs published by the maintainers of this project. Because the previously-mentioned EC2-attribute is attached to such AMIs, you will be billed for the RHUI access even if you never use it. Feel free to use this project's code to generate your own, unencumbered AMIs.

  Further information about AWS policies for Red Hat EC2s may be found in AWS's RHEL FAQ.
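The two checks above, folded into a small POSIX shell pre-flight that a provisioning script can run before any RHUI-backed `yum`/`dnf` operation, so a missing billing attribute is reported up front instead of surfacing as a repository error. This is an added example, not code from the spel project; the function names and the two sample instance-identity documents are constructed for the illustration, while the expected values (`RunInstances:0010`, `bp-6fa54006`) are the ones the README states.

```shell
#!/bin/sh
# Added example (not from the spel project): pre-flight check that an EC2
# carries the RHUI billing attribute before RHUI-backed yum/dnf operations
# are attempted. The two expected values come from the README above; the
# sample identity documents below are constructed for this demonstration.

RHUI_USAGE_OP="RunInstances:0010"
RHUI_BILLING_PRODUCT="bp-6fa54006"

# usage_operation_ok VALUE -> exit 0 only if VALUE is the RHUI-entitled
# UsageOperation (a bare "RunInstances" means the attribute is absent)
usage_operation_ok() {
  [ "$1" = "$RHUI_USAGE_OP" ]
}

# identity_doc_rhui_ok DOC -> exit 0 only if the instance-identity document
# (JSON passed as one string) lists the RHUI billing product. Whitespace is
# stripped first so the layout of the JSON does not matter.
identity_doc_rhui_ok() {
  printf '%s\n' "$1" \
    | tr -d ' \n\t' \
    | grep -q "\"billingProducts\":\[[^]]*\"$RHUI_BILLING_PRODUCT\""
}

# rhui_preflight VALUE DOC -> prints one verdict line per check; exit 0 only
# if both checks pass, so callers can gate a package update on the result
rhui_preflight() {
  status=0
  if usage_operation_ok "$1"; then
    echo "UsageOperation: ok ($1)"
  else
    echo "UsageOperation: MISSING (got '${1:-empty}'); RHUI installs/updates will fail"
    status=1
  fi
  if identity_doc_rhui_ok "$2"; then
    echo "billingProducts: ok ($RHUI_BILLING_PRODUCT present)"
  else
    echo "billingProducts: MISSING; RHUI installs/updates will fail"
    status=1
  fi
  return $status
}

# Constructed sample documents (trimmed; a real document carries more fields)
ENTITLED_DOC='{ "accountId" : "123456789012", "billingProducts" : [ "bp-6fa54006" ], "region" : "us-east-1" }'
UNENTITLED_DOC='{ "accountId" : "123456789012", "billingProducts" : null, "region" : "us-east-1" }'

# On a live EC2 the inputs would be gathered with the README's two commands:
#   doc=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document)
#   op=$(aws ec2 describe-instances --output text --instance-ids <INSTANCE_ID> \
#          --query 'Reservations[].Instances[].UsageOperation')
#   rhui_preflight "$op" "$doc"
if [ "${1:-}" = "demo" ]; then
  rhui_preflight "$RHUI_USAGE_OP" "$ENTITLED_DOC"
  rhui_preflight "RunInstances" "$UNENTITLED_DOC" || echo "demo: unentitled instance detected"
fi
```

Run it with `sh rhui-preflight.sh demo` to see both outcomes on the constructed documents; on an instance, feed it the real `aws ec2 describe-instances` value and the IMDS document as shown in the trailing comment.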
VMs' root filesystems are generally not live-repartitionable once launched from their images. As a result, if a STIG-scan is performed against most of the community-published images for Red Hat and related distros (CentOS/CentOS Stream, Oracle Linux, Rocky, Alma or Liberty), those scans will note failures for each of the various "`${DIRECTORY}` is on its own filesystem" tests. The images produced through this project are designed to ensure that these particular scan-failures do not occur.
Aside from addressing the previously-noted partitioning findings, spel applies only those STIG-related hardenings that need to be in place "from birth" (i.e., when a system is first created from KickStart, VM-template, Amazon Machine Image, etc.). This includes things like:

- Activation of SELinux
- Application of SELinux user-confinement to the default-user[^2]
- Application of SELinux role-transition rules for the default-user
- Activation of FIPS mode
- Support for BIOS- and/or EFI-boot modes (the latter being a requisite for use of SecureBoot)
The spel-produced images are expected to act as a better starting-point in a larger hardening process.

If your organization does not already have an automated hardening process, please see our tool, Watchmaker. This tool is meant to help spel-users (and users of other Enterprise Linux images) by performing launch-time hardening activities.

We've added an FAQ to the project. Hopefully, your questions are answered there. If they aren't, please feel free to submit an issue requesting an appropriate FAQ entry.

SPEL AMIs are published monthly. The AMI table below contains links to the AWS Console that search by AMI Name and sort the result by creation date. The most recent AMI of each build will be at the top when viewed in the AWS Console.

RPM Manifests for published images are available in the manifests directory.

Please note: the RPM-manifests published to this directory are generated for the AWS (CONUS) commercial regions. Due to potential deltas between the repositories used for the commercial and govcloud regions, there may also exist deltas between what is found in the manifests in this project and the version-numbers found in the GovCloud region AMIs.
Vagrant Cloud Name | Vagrant Provider |
---|---|
plus3it/spel-minimal-centos-9stream | virtualbox |
The following table lists the official owner accounts for the images.
AWS Partition | Account ID | Effective Release |
---|---|---|
aws | 174003430611 | 2023.08.1 and later |
aws-us-gov | 216406534498 | 2023.08.1 and later |
The following table lists AWS account IDs previously used to host SPEL images. These accounts are now closed, and the associated images are no longer available.
AWS Partition | Account ID | Effective Release |
---|---|---|
aws | 701759196663 | 2023.07.1 and earlier |
aws-us-gov | 039368651566 | 2023.07.1 and earlier |
Deprecated Images have become end-of-life and no longer have available yum repos. The images remain public until the image deprecation period expires, typically 1 year after publishing.
Vagrant Cloud Name | Vagrant Provider |
---|---|
plus3it/spel-minimal-centos-7 | virtualbox |
The default username for all spel images is `maintuser`.

If you wish to change the default username at launch, you can do so via `cloud-init` with userdata[^3] something like the following. Change `<USERNAME>` to your desired value.

```yaml
#cloud-config
system_info:
  default_user:
    name: <USERNAME>
    gecos: spel default user
    lock_passwd: true
```
Due to updates to the STIGs – currently just for EL7, but it is assumed that similar changes for EL8 and later distros will be added to future STIG-releases – the default-user's account may have additional SELinux rules applied to it. These rules will typically manifest in processes that start as the default-user (i.e., processes run as the `root` user after privilege-escalation via the `sudo` subsystem) receiving `permission denied` errors when attempting to access "sensitive" files. These "sensitive" files are any that have the `shadow_t` SELinux context-label applied to them. By default, these will only include:
- /etc/security/opasswd
- /etc/shadow
- /etc/gshadow
A definitive list may be gathered by executing the command:

```shell
find / -context "*shadow_t*"
```
If your workflows absolutely require the ability to access these files after a role-transition from the default-user account to `root`, it will be necessary to update the userData payload's `cloud-config` content to include a block similar to:

```yaml
#cloud-config
system_info:
  default_user:
    name: <USERNAME>
    gecos: spel default user
    lock_passwd: true
    selinux_user: unconfined_u
    sudo: ["ALL=(root) NOPASSWD:ALL"]
```

However, doing so will result in security scan-failures when the scanning-tool tries to ensure that all locally-managed, interactive users are properly-constrained users and, where appropriate, have SELinux privilege-transition rules defined.
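Footnote 3 points out that a `#cloud-config` override of the default-user only works inside a cloud-config part, so a userData payload that is currently a bare shell script has to become mixed multi-part MIME. The following added example (not code from the spel project) assembles such a payload in POSIX shell: a cloud-config part that renames the default user while keeping it locked and SELinux-confined, followed by the existing shell script as a second part. The boundary token, the function names and the sample provisioning script are constructed for the illustration; the part content types (`text/cloud-config`, `text/x-shellscript`) are the ones cloud-init recognises.

```shell
#!/bin/sh
# Added example (not from the spel project): assemble a mixed multi-part MIME
# user-data payload so that a #cloud-config block (here: renaming the default
# user while leaving it locked and SELinux-confined) can travel alongside an
# existing bare shell script. cloud-init reads both parts. The boundary token
# and the sample script are constructed for this example.

# cloud_config_part USERNAME -> prints the #cloud-config text for that user
cloud_config_part() {
  cat <<EOF
#cloud-config
system_info:
  default_user:
    name: $1
    gecos: spel default user
    lock_passwd: true
EOF
}

# mime_user_data USERNAME SCRIPT_TEXT -> prints a multipart/mixed user-data
# body with the cloud-config part first and the shell script second
mime_user_data() {
  boundary="==spel-userdata-boundary=="   # constructed; any unique token works
  printf 'Content-Type: multipart/mixed; boundary="%s"\n' "$boundary"
  printf 'MIME-Version: 1.0\n\n'
  printf '%s\n' "--$boundary"
  printf 'Content-Type: text/cloud-config; charset="us-ascii"\n'
  printf 'Content-Disposition: attachment; filename="cloud-config.yaml"\n\n'
  cloud_config_part "$1"
  printf '\n%s\n' "--$boundary"
  printf 'Content-Type: text/x-shellscript; charset="us-ascii"\n'
  printf 'Content-Disposition: attachment; filename="provision.sh"\n\n'
  printf '%s\n' "$2"
  printf '%s\n' "--$boundary--"
}

# count_parts BODY -> number of MIME parts, counted from the opening boundary
# lines (the closing "--boundary--" line is deliberately excluded)
count_parts() {
  printf '%s\n' "$1" | grep -c '^--==spel-userdata-boundary==$'
}

# Constructed sample script standing in for an existing bare-BASH userData
SAMPLE_SCRIPT='#!/bin/bash
dnf -y update
systemctl enable --now firewalld'

USER_DATA=$(mime_user_data "ops-admin" "$SAMPLE_SCRIPT")

if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$USER_DATA"
fi
```

The generated text can be handed to the instance as-is (for example via `aws ec2 run-instances --user-data file://userdata.mime`); cloud-init dispatches each part by its content type, so the rename from the cloud-config part and the commands from the script part both take effect on first boot.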
Packer by Hashicorp is used to manage the process of building images.

Download and extract `packer` for your platform. Add it to your PATH, if you like. On Linux, watch out for other `packer` executables with the same name (if building from an Enterprise Linux distro, `/sbin/packer` may be present due to the `cracklib-dicts` RPM).

If building AMIs for Amazon Web Services, ensure your AWS credentials are configured. You do not really need the `aws` cli utility, but it is a convenient way to configure the credential file. You can also export the environment variables. Or, if running `packer` in an EC2 instance, an instance role with the requisite permissions will also work. See the `packer` docs for details on the necessary permissions.

NOTE: No packer templates in this project will contain variables for AWS credentials; this is intentional, to avoid mistakes where credentials get committed to the repository. Instead, `packer` knows to read the credentials from the credential file or from the environment variables, or to retrieve them from the instance role. See the docs.

If building VirtualBox image(s), you will need to install VirtualBox and Vagrant.
If building VMware image(s), depending on your platform, you will need to install either VMware Fusion, VMware Workstation Pro, or VMware Player. For all platforms, you will also need Vagrant.

The template(s) push the Vagrant boxes for the VirtualBox and VMware images to Hashicorp Vagrant Cloud, which requires a Vagrant Cloud account.

If building a VHD or Image for Azure, ensure you have authorized access to ARM. The creation of destination objects and a Service Principal can either be done manually or via script. If not building in Public region, use of device login is not possible and a Service Principal is required.
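The `/sbin/packer` collision mentioned above is easy to hit in a build container based on an Enterprise Linux image, and the symptom (a cryptic usage error from the cracklib dictionary packer) is not obvious. The following added example (not code from the spel project) resolves the HashiCorp binary on PATH by asking each candidate for its version banner rather than trusting the first executable named `packer`. The function names, the two stand-in executables it writes for the offline demonstration, and the `Packer v1.9.4` banner text are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the spel project): resolve the HashiCorp packer on
# PATH instead of trusting the first executable called "packer". On Enterprise
# Linux, /sbin/packer from the cracklib-dicts RPM can shadow it; only
# HashiCorp's binary answers `packer version` with a "Packer v..." banner.
# The two stand-in executables built below are constructed for the demo.

# is_hashicorp_packer CANDIDATE -> exit 0 if CANDIDATE prints a HashiCorp
# version banner; any other "packer" (or a non-executable) fails the check
is_hashicorp_packer() {
  [ -x "$1" ] || return 1
  "$1" version 2>/dev/null | grep -q '^Packer v'
}

# find_hashicorp_packer -> prints the first PATH entry whose packer passes the
# check; exit 1 with a hint if every candidate is something else
find_hashicorp_packer() {
  oldifs=$IFS
  IFS=:
  for dir in $PATH; do
    if is_hashicorp_packer "$dir/packer"; then
      IFS=$oldifs
      printf '%s\n' "$dir/packer"
      return 0
    fi
  done
  IFS=$oldifs
  echo "no HashiCorp packer on PATH (is /sbin/packer from cracklib-dicts shadowing it?)" >&2
  return 1
}

# make_fake_packers DIR -> writes two constructed stand-ins under DIR:
#   DIR/cracklib/packer   mimics the dictionary packer (ignores "version", fails)
#   DIR/hashicorp/packer  mimics the real tool's version banner
make_fake_packers() {
  mkdir -p "$1/cracklib" "$1/hashicorp"
  printf '#!/bin/sh\necho "Usage: packer <dictionary>" >&2\nexit 1\n' > "$1/cracklib/packer"
  printf '#!/bin/sh\necho "Packer v1.9.4"\n' > "$1/hashicorp/packer"
  chmod +x "$1/cracklib/packer" "$1/hashicorp/packer"
}

# demo_resolution -> places the cracklib stand-in ahead of the HashiCorp one on
# PATH (as /sbin often is) and prints which path the lookup settles on
demo_resolution() {
  tmp=$(mktemp -d)
  make_fake_packers "$tmp"
  resolved=$(PATH="$tmp/cracklib:$tmp/hashicorp:$PATH"; find_hashicorp_packer)
  rc=$?
  rm -rf "$tmp"
  [ -n "$resolved" ] && printf '%s\n' "$resolved"
  return $rc
}
```

In a build script, `PACKER=$(find_hashicorp_packer) || exit 1` followed by `"$PACKER" build ...` makes the wrong-binary case fail loudly before any cloud resources are touched; `demo_resolution` only exists to show the lookup skipping the shadowing stand-in.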
NOTE: In all steps below, the examples use syntax that works on Linux. If you are running `packer` from a Windows system, simply use the appropriate syntax for the relative path to the packer template. Most important, for Windows, use `.\` preceding the path to the template. E.g. `.\spel\minimal-linux.json`.

Clone the repository:

```shell
git clone https://github.com/plus3it/spel && cd spel
```

Validate the template (Optional):

```shell
packer validate spel/minimal-linux.pkr.hcl
```

The project-included Packer HCL files have been pre-validated. If you encounter validation-errors with the included HCL files, it means that you're using a newer Packer version than the project has been tested against. Please open an issue to report the problem, ensuring to include the Packer version you were using when you encountered the problem.
Begin the build. This requires at least two variables, `spel_identifier` and `spel_version`. See the section Packer Variables for more details.

```shell
packer build \
  -var 'spel_identifier=unique-project-id' \
  -var 'spel_version=dev001' \
  -var 'virtualbox_vagrantcloud_username=myvagrantclouduser' \
  spel/minimal-linux.pkr.hcl
```

NOTE: This will build images for all the builders defined in the template. Use `packer build --help` to see how to restrict the build to a subset of the builders using the `-only` or `-except` arguments.

If building the VirtualBox or VMware images for use with Vagrant, the template is configured to host the resulting images with Hashicorp Vagrant Cloud. This requires passing the variable `virtualbox_vagrantcloud_username` and exporting the environment variable `VAGRANT_CLOUD_TOKEN`.
The Minimal Linux template builds STIG-partitioned images with a set of packages that correspond to the "Minimal" install option in Anaconda. Further, the AWS images include a handful of additional packages that are intended to increase functionality in EC2 and make the images more comparable with Amazon Linux. Similarly, the Azure builder will attempt to install the `WALinuxAgent` RPM into the VM-template to make the template more integratable into Azure-based deployments.

- Template Path: `spel/minimal-linux.pkr.hcl`

For all inputs to the template, see spel/README.md

The Minimal Linux `packer` template includes the following builders:
Builder Name | Description |
---|---|
amazon-ebssurrogate.minimal-centos-9stream-hvm | amazon-ebs builder for a minimal CentOS Stream 9 HVM AMI |
amazon-ebssurrogate.minimal-ol-9-hvm | amazon-ebs builder for a minimal Oracle Linux 9 HVM AMI |
amazon-ebssurrogate.minimal-rhel-9-hvm | amazon-ebs builder for a minimal RHEL 9 HVM AMI |
amazon-ebssurrogate.minimal-ol-8-hvm | amazon-ebs builder for a minimal Oracle Linux 8 HVM AMI |
amazon-ebssurrogate.minimal-rhel-8-hvm | amazon-ebs builder for a minimal RHEL 8 HVM AMI |
virtualbox-iso.minimal-centos-9stream-image | virtualbox-iso builder for a minimal CentOS Stream 9 Vagrant Box |
The Minimal Linux `packer` template includes the following post-provisioners:

- `vagrant`: The vagrant post-provisioner creates vagrant boxes from the `virtualbox` and `vmware` images.
- `vagrant-cloud`: The vagrant-cloud post-provisioners upload the vagrant boxes to Hashicorp Vagrant Cloud.
To build images for the AWS US GovCloud regions, `us-gov-west-1` or `us-gov-east-1`, it is necessary to pass several variables that are specific to the region. The AMI filters below have been tested and/or created in `us-gov-west-1` to work with the spel template(s). Also, the builders should be restricted so as not to build the Vagrant images.

```shell
packer build \
  -var 'spel_identifier=unique-project-id' \
  -var 'spel_version=dev001' \
  -var 'aws_region=us-gov-west-1' \
  -except 'virtualbox-iso.*' \
  spel/minimal-linux.pkr.hcl
```
A source Marketplace Image Offer or Custom Image Name and Resource Group are required from which to start the SPEL Azure build.

The resultant SPEL Image will be configured to use the Azure Linux agent, WALinuxAgent, per recommended configurations. Currently, the use of cloud-init exclusively does not enable execution/installation of Azure VM Extensions. The below variables also disable FIPS mode in the resultant SPEL VHD or Image. Currently, the Azure Linux agent does not support FIPS mode when utilizing Azure VM Extensions. If no plans exist to utilize Azure VM Extensions on VMs provisioned from SPEL VHDs or Images, FIPS mode can be enabled, but the `waagent` configuration must also be modified accordingly.

The variables referenced in the packer builds below should be modified with appropriate parameters for your environment. Any content between and including the < and > characters should be replaced.

Log in to Azure using the az cli. Packer will use the session set up by the az cli.

```shell
packer build \
  -var 'spel_identifier=unique-project-id' \
  -var 'spel_version=0.0.1' \
  -var 'amigen_extra_rpms=["WALinuxAgent"]' \
  -var 'amigen_fips_disable=true' \
  -var 'amigen8_repo_names=["rhui-microsoft-azure-rhel8"]' \
  -var 'azure_image_offer=rhel-raw' \
  -var 'azure_image_publisher=RedHat' \
  -var 'azure_image_sku=8_8' \
  -var 'azure_managed_image_resource_group_name=<resource group short name>' \
  -only 'azure-arm.minimal-rhel-8-image' \
  spel/minimal-linux.pkr.hcl
```

To build images for an OpenStack environment, it is necessary to pass several variables that are specific to the environment. Also, the builders should be restricted so as not to build the Vagrant images.

```shell
source your_openstack_credentials_file.sh
packer build \
  -var 'spel_identifier=spel' \
  -var 'spel_version=0.0.1' \
  -var 'openstack_insecure=false' \
  -var 'openstack_flavor=your_flavor_name_for_temporary_instance' \
  -var 'openstack_floating_ip_network=your_provider_network_name' \
  -var 'openstack_networks=your_network_id_for_temporary_instance,second_network_id,etc.' \
  -var 'openstack_security_groups=your_security_group_name_for_temporary_instance,second_sg_name,etc.' \
  -var 'openstack_source_image_name=your_source_image_name' \
  -only 'openstack.*' \
  spel/minimal-linux.pkr.hcl
```
For expected values, see links below:
- openstack_allow_insecure (true|false)
- openstack_flavor_name (string)
- openstack_floating_ip_network_name (string)
- openstack_network_ids (comma-separated list of strings)
- openstack_security_group_names (comma-separated list of strings)
- openstack_source_image_name (string)
The spel automation leverages the AMIgen8 and AMIgen9 projects as build-helpers for creation of EL8 and EL9 Amazon Machine Images (Azure VM-templates, etc.), respectively. Due to the closely-coupled nature of the two projects, it's recommended that any changes made to AMIgen8 or AMIgen9 be tested with spel prior to merging changes to either project's master branch.

To facilitate this testing, the following runtime-variables were added to spel:

- `amigen8_source_branch`
- `amigen8_source_url`
- `amigen9_source_branch`
- `amigen9_source_url`

Using these runtime-variables allows one to point spel to a fork/branch of AMIgen8 or AMIgen9 during an integration-test build. To test, update your `packer` invocation by adding elements like:

```shell
packer build \
  -var 'amigen8_source_url=https://github.com/<FORK_USER>/AMIgen8.git' \
  -var 'amigen8_source_branch=IssueNN' \
  ... minimal-linux.pkr.hcl
```

Similarly, these variables may be specified as environment variables by using `PKR_VAR_<var_name>` declarations[^4] (e.g., `PKR_VAR_amigen8_source_branch`). To do so, change the above example to:

```shell
export PKR_VAR_amigen8_source_url="https://github.com/<FORK_USER>/AMIgen8.git"
export PKR_VAR_amigen8_source_branch="IssueNN"
packer build \
  [...options elided...] minimal-linux.pkr.hcl
```
Footnotes

[^1]: Because spel is primarily an execution-wrapper for the AMIgenN projects, the "read the source" method for determining why things have changed from one spel-release to the next may require reviewing those projects' repositories.
[^2]: The default-user is a local user (i.e., managed in `/etc/passwd`/`/etc/shadow`/`/etc/group`) that is dynamically-created at initial system-boot – using either the default-information in the `/etc/cloud/cloud.cfg` file or as overridden in a userData payload's `#cloud-config` content. Typically this user's `${HOME}/.ssh/authorized_keys` file is prepopulated with a provisioner's public SSH key.
[^3]: Overriding attributes of the default-user must be done within a `#cloud-config` directive-block. If your userData is currently bare BASH (etc.), it will be necessary to format your userData payload as mixed, multi-part MIME.
[^4]: Use of the `PKR_VAR_` method is recommended for setting up CI/CD frameworks for producing AMIs and other supported VM-templates.