spel icon indicating copy to clipboard operation
spel copied to clipboard

verified publisher icon plus3it

Metadata

STIG-Partitioned Enterprise Linux (spel)

pullreminders

spel

STIG-Partitioned Enterprise Linux (spel) is a project that helps create and publish Enterprise Linux images that are partitioned according to the DISA STIG. The resulting images also use LVM to simplify volume management. The images are configured with help from the scripts and packages in the AMIgen7, and AMIgen8 projects.

Why spel

VMs' root filesystems are generally not live-repartitionable once launced from their images. As a result, if a STIG-scan is performed against most of the community-published images for Red Hat and CentOS, those scans will note failures for each of the various "${DIRECTORY} is on its own filesystem" tests. The images produced through this project are designed to ensure that these particular scan-failures do not occur.

Aside from addressing the previously-noted partitioning findings, spel does not apply any STIG-related hardening. The spel-produced images are expected to act as a better starting-point in a larger hardening process.

If your organization does not already have an automated hardening process, please see our tool, Watchmaker. This tool is meant to help spel-users (and users of other Enterprise Linux images) by performing launch-time hardening activities.

We have a FAQ now!

We've added an FAQ to the project. Hopefully, your questions are answered there. If they aren't, please feel free to submit an issue requesting an appropriate FAQ entry.

Current Published Images

SPEL AMIs are published monthly. The AMI table below contains links to the AWS Console that search by AMI Name and sort the result by creation date. The most recent AMI of each build will be at the top when viewed in the AWS Console.

RPM Manifests for published images are available in the manifests directory.

AWS Region Builder Name / Link
us-east-1 spel-minimal-rhel-7-hvm
spel-minimal-centos-7-hvm
spel-minimal-rhel-8-hvm
spel-minimal-ol-8-hvm
spel-minimal-centos-8stream-hvm
us-east-2 spel-minimal-rhel-7-hvm
spel-minimal-centos-7-hvm
spel-minimal-rhel-8-hvm
spel-minimal-ol-8-hvm
spel-minimal-centos-8stream-hvm
us-west-1 spel-minimal-rhel-7-hvm
spel-minimal-centos-7-hvm
spel-minimal-rhel-8-hvm
spel-minimal-ol-8-hvm
spel-minimal-centos-8stream-hvm
us-west-2 spel-minimal-rhel-7-hvm
spel-minimal-centos-7-hvm
spel-minimal-rhel-8-hvm
spel-minimal-ol-8-hvm
spel-minimal-centos-8stream-hvm
us-gov-west-1 spel-minimal-rhel-7-hvm
spel-minimal-centos-7-hvm
spel-minimal-rhel-8-hvm
spel-minimal-ol-8-hvm
spel-minimal-centos-8stream-hvm
us-gov-east-1 spel-minimal-rhel-7-hvm
spel-minimal-centos-7-hvm
spel-minimal-rhel-8-hvm
spel-minimal-ol-8-hvm
spel-minimal-centos-8stream-hvm
Vagrant Cloud Name Vagrant Provider
plus3it/spel-minimal-centos-7 virtualbox

Deprecated CentOS 8 Images

With the move from CentOS 8 to CentOS Stream 8, the CentOS 8 images are deprecated. While they remain public for the moment, they are no longer updated and the CentOS org may remove the yum repos at their discretion.

AWS Region Builder Name / Link
us-east-1 spel-minimal-centos-8-hvm
us-east-2 spel-minimal-centos-8-hvm
us-west-1 spel-minimal-centos-8-hvm
us-west-2 spel-minimal-centos-8-hvm
us-gov-west-1 spel-minimal-centos-8-hvm
us-gov-east-1 spel-minimal-centos-8-hvm

Default username

The default username for all spel images is maintuser.

If you wish to change the default username at launch, you can do so via cloud-init with userdata something like the following. Change <USERNAME> to your desired value.

#cloud-config
system_info:
  default_user:
    name: <USERNAME>
    gecos: spel default user
    lock_passwd: true
    sudo: ["ALL=(root) NOPASSWD:ALL"]

Prerequisites

Packer by Hashicorp is used to manage the process of building images.

  1. Download and extract packer for your platform. Add it to your PATH, if you like. On Linux, watch out for other packer executables with the same name...

  2. If building AMIs for Amazon Web Services, ensure your AWS credentials are configured. You do not really need the aws cli utility, but it is a convenient way to configure the credential file. You can also export the environment variables. Or, if running packer in an EC2 instance, an instance role with the requisite permissions will also work. See the packer docs for details on the necessary permissions.

    NOTE: No packer templates in this project will contain variables for AWS credentials; this is intentional, to avoid mistakes where credentials get committed to the repository. Instead, packer knows to read the credentials from the credential file or from the environment variables, or to retrieve them from the instance role. See the docs.

  3. If building VirtualBox image(s), you will need to install VirtualBox and Vagrant.

  4. If building VMware image(s), depending on your platform, you will need to install either VMware Fusion, VMware Workstation Pro, or VMware Player. For all platforms, you will also need Vagrant.

  5. The template(s) push the Vagrant boxes for the VirtualBox and VMware images to Hashicorp Vagrant Cloud, which requires a Vagrant Cloud account.

  6. If building a VHD or Image for Azure, ensure you have authorized access to ARM. The creation of destination objects and a Service Principal can either be done manually or via script. If not building in Public region, use of device login is not possible and a Service Principal is required.

Usage

NOTE: In all steps below, the examples use syntax that works on Linux. If you are running packer from a Windows system, simply use the appropriate syntax for the relative path to the packer template. Most important, for Windows, use .\ preceding the path to the template. E.g. .\spel\minimal-linux.json.

  1. Clone the repository:

    git clone https://github.com/plus3it/spel && cd spel

  2. Validate the template (Optional):

    packer validate spel/minimal-linux.pkr.hcl

  3. Begin the build. This requires at least two variables, spel_identifier and spel_version. See the section Packer Variables for more details.

    packer build \
    -var 'spel_identifier=unique-project-id' \
    -var 'spel_version=dev001' \
    -var 'virtualbox_vagrantcloud_username=myvagrantclouduser' \
    spel/minimal-linux.pkr.hcl

    NOTE: This will build images for all the builders defined in the template. Use packer build --help to see how to restrict the build to to a subset of the builders using the -only or -except arguments.

    If building the VirtualBox or VMware images for use with Vagrant, the template is configured to host the resulting images with Hashicorp Vagrant Cloud. This requires passing the variable virtualbox_vagrantcloud_username and exporting the environment variable VAGRANT_CLOUD_TOKEN.

Minimal Linux Packer Template

The Minimal Linux template builds STIG-partitioned images with a set of packages that correspond to the "Minimal" install option in Anaconda. Further, the AWS images include a handful of additional packages that are intended to increase functionality in EC2 and make the images more comparable with Amazon Linux.

  • Template Path: spel/minimal-linux.pkr.hcl

Resources

No resources.

Inputs

Name Description Type Default Required
spel_identifier Namespace that prefixes the name of the built images string n/a yes
spel_version Version appended to the name of the built images string n/a yes
amigen7_filesystem_label Label for the root filesystem when creating bare partitions for EL7 images string "" no
amigen7_package_groups List of yum repo groups to install into EL7 images list(string) 
[
  "core"
]
 no
amigen7_package_manifest File containing a list of RPMs to use as the build manifest for EL7 images string "" no
amigen7_repo_names List of yum repo names to enable in the EL7 builders and images list(string) 
[
  "spel"
]
 no
amigen7_repo_sources List of yum package refs (names or urls to .rpm files) that install yum repo definitions in EL7 builders and images list(string) 
[
  "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm",
  "https://spel-packages.cloudarmor.io/spel-packages/repo/spel-release-latest-7.noarch.rpm"
]
 no
amigen7_source_branch Branch that will be checked out when cloning AMIgen7 string "master" no
amigen7_source_url URL that will be used to clone AMIgen7 string "https://github.com/plus3it/AMIgen7.git" no
amigen7_storage_layout List of colon-separated tuples (mount:name:size) that describe the desired partitions for LVM-partitioned disks on EL7 images list(string) 
[
  "/:rootVol:4",
  "swap:swapVol:2",
  "/home:homeVol:1",
  "/var:varVol:2",
  "/var/log:logVol:2",
  "/var/log/audit:auditVol:100%FREE"
]
 no
amigen8_filesystem_label Label for the root filesystem when creating bare partitions for EL8 images string "" no
amigen8_package_groups List of yum repo groups to install into EL8 images list(string) 
[
  "core"
]
 no
amigen8_package_manifest File containing a list of RPMs to use as the build manifest for EL8 images string "" no
amigen8_repo_names List of yum repo names to enable in the EL8 builders and EL8 images list(string) 
[
  "spel"
]
 no
amigen8_repo_sources List of yum package refs (names or urls to .rpm files) that install yum repo definitions in EL8 builders and images list(string) 
[
  "https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm",
  "https://spel-packages.cloudarmor.io/spel-packages/repo/spel-release-latest-8.noarch.rpm"
]
 no
amigen8_source_branch Branch that will be checked out when cloning AMIgen8 string "master" no
amigen8_source_url URL that will be used to clone AMIgen8 string "https://github.com/plus3it/AMIgen8.git" no
amigen8_storage_layout List of colon-separated tuples (mount:name:size) that describe the desired partitions for LVM-partitioned disks on EL8 images list(string) [] no
amigen_amiutils_source_url URL of the AMI Utils repo to be cloned using git, containing AWS utility rpms that will be installed to the AMIs string "" no
amigen_aws_cfnbootstrap URL of the tar.gz bundle containing the CFN bootstrap utilities string "https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz" no
amigen_aws_cliv1_source URL of the .zip bundle containing the installer for AWS CLI v1 string "" no
amigen_aws_cliv2_source URL of the .zip bundle containing the installer for AWS CLI v2 string "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" no
amigen_build_device Path of the build device that will be partitioned to create the image string "/dev/nvme0n1" no
amigen_extra_rpms List of package specs (rpm names or URLs to .rpm files) to install to the builders and images list(string) 
[
  "python36",
  "spel-release",
  "ec2-hibinit-agent",
  "ec2-instance-connect",
  "ec2-net-utils",
  "https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm"
]
 no
amigen_fips_disable Toggles whether FIPS will be disabled in the images bool false no
amigen_grub_timeout Timeout value to set in the grub config of each image number 1 no
amigen_use_default_repos Modifies the behavior of amigen_repo_names. When true, amigen_repo_names are appended to the enabled repos. When false, amigen_repo_names are used exclusively bool true no
aws_ami_groups List of groups that have access to launch the resulting AMIs. Keyword all will make the AMIs publicly accessible list(string) [] no
aws_ami_regions List of regions to copy the AMIs to. Tags and attributes are copied along with the AMIs list(string) [] no
aws_ami_users List of account IDs that have access to launch the resulting AMIs list(string) [] no
aws_force_deregister Force deregister an existing AMI if one with the same name already exists bool false no
aws_instance_type EC2 instance type to use while building the AMIs string "t3.2xlarge" no
aws_region Name of the AWS region in which to launch the EC2 instance to create the AMIs string "us-east-1" no
aws_source_ami_filter_centos7_hvm Object with source AMI filters for CentOS 7 HVM builds 
object({
    name   = string
    owners = list(string)
  })
 
{
  "name": "CentOS 7.* x86_64,*-Recovery (No-LVM)-ACB-CentOS7-HVM-SRIOV_ENA",
  "owners": [
    "125523088429",
    "701759196663",
    "039368651566"
  ]
}
 no
aws_source_ami_filter_centos8stream_hvm Object with source AMI filters for CentOS Stream 8 HVM builds 
object({
    name   = string
    owners = list(string)
  })
 
{
  "name": "CentOS Stream 8 x86_64 ,spel-bootstrap-centos-8stream-hvm-.x86_64-gp2",
  "owners": [
    "125523088429",
    "701759196663",
    "039368651566"
  ]
}
 no
aws_source_ami_filter_ol8_hvm Object with source AMI filters for Oracle Linux 8 HVM builds 
object({
    name   = string
    owners = list(string)
  })
 
{
  "name": "OL8.-x86_64-HVM-,spel-bootstrap-oraclelinux-8-hvm-*.x86_64-gp2",
  "owners": [
    "131827586825",
    "039368651566"
  ]
}
 no
aws_source_ami_filter_rhel7_hvm Object with source AMI filters for RHEL 7 HVM builds 
object({
    name   = string
    owners = list(string)
  })
 
{
  "name": "RHEL-7._HVM--x86_64--Hourly-GP2",
  "owners": [
    "309956199498",
    "219670896067"
  ]
}
 no
aws_source_ami_filter_rhel8_hvm Object with source AMI filters for RHEL 8 HVM builds 
object({
    name   = string
    owners = list(string)
  })
 
{
  "name": "RHEL-8._HVM--x86_64--Hourly-GP2",
  "owners": [
    "309956199498",
    "219670896067"
  ]
}
 no
aws_ssh_interface Specifies method used to select the value for the host in the SSH connection string "public_dns" no
aws_subnet_id ID of the subnet where Packer will launch the EC2 instance. Required if using an non-default VPC string null no
aws_temporary_security_group_source_cidrs List of IPv4 CIDR blocks to be authorized access to the instance list(string) 
[
  "0.0.0.0/0"
]
 no
azure_build_resource_group_name Existing resource group in which the build will run string null no
azure_client_id Application ID of the AAD Service Principal. Requires either client_secret, client_cert_path or client_jwt to be set as well string null no
azure_client_secret Password/secret registered for the AAD Service Principal string null no
azure_cloud_environment_name One of Public, China, Germany, or USGovernment. Defaults to Public. Long forms such as USGovernmentCloud and AzureUSGovernmentCloud are also supported string "Public" no
azure_custom_managed_image_name_centos7 Name of a custom managed image to use as the base image for CentOS7 builds string null no
azure_custom_managed_image_name_rhel7 Name of a custom managed image to use as the base image for RHEL7 builds string null no
azure_custom_managed_image_resource_group_name_centos7 Name of the resource group for the custom image in azure_custom_managed_image_name_centos7 string null no
azure_custom_managed_image_resource_group_name_rhel7 Name of the resource group for the custom image in azure_custom_managed_image_name_rhel7 string null no
azure_image_offer Name of the publisher offer to use for your base image (Azure Marketplace Images only) string null no
azure_image_publisher Name of the publisher to use for your base image (Azure Marketplace Images only) string null no
azure_image_sku SKU of the image offer to use for your base image (Azure Marketplace Images only) string null no
azure_keep_os_disk Boolean toggle whether to keep the managed disk or delete it after packer runs bool false no
azure_location Azure datacenter in which your VM will build string null no
azure_managed_image_resource_group_name Resource group name where the result of the Packer build will be saved. The resource group must already exist string null no
azure_private_virtual_network_with_public_ip Boolean toggle whether a public IP will be assigned when using azure_virtual_network_name bool null no
azure_subscription_id n/a string null no
azure_virtual_network_name Name of a pre-existing virtual network in which to run the build string null no
azure_virtual_network_resource_group_name Name of the virtual network resource group in which to run the build string null no
azure_virtual_network_subnet_name Name of the subnet in which to run the build string null no
azure_vm_size n/a string "Standard_DS5_v2" no
openstack_flavor ID, name, or full URL for the desired flavor for the server to be created string null no
openstack_floating_ip_network_name ID or name of an external network that can be used for creation of a new floating IP string null no
openstack_insecure Boolean whether the connection to OpenStack can be done over an insecure connection bool false no
openstack_networks List of networks by UUID to attach to this instance list(string) [] no
openstack_security_groups List of security groups by name to add to this instance list(string) [] no
openstack_source_image_name Name of the base image to use string null no
spel_description_url URL included in the AMI description string "https://github.com/plus3it/spel" no
spel_http_proxy Used as the value for the git config http.proxy setting in the builder nodes string "" no
spel_root_volume_size Size in GB of the root volume number 20 no
spel_ssh_username Name of the user for the ssh connection to the instance. Defaults to spel, which is set by cloud-config userdata. If your starting image does not have cloud-init installed, override the default user name string "spel" no
virtualbox_iso_url_centos7 URL to the CentOS7 .iso to use for Virtualbox builds string "http://mirror.facebook.net/centos/7/isos/x86_64/CentOS-7-x86_64-Minimal-2009.iso" no
virtualbox_iso_url_centos8 URL to the CentOS8 .iso to use for Virtualbox builds string "http://mirror.facebook.net/centos/8-stream/isos/x86_64/CentOS-Stream-8-x86_64-latest-dvd1.iso" no
virtualbox_vagrantcloud_username Vagrant Cloud username, used to namespace the vagrant boxes string null no

Minimal Linux Packer Builders

The Minimal Linux packer template includes the following builders:

Builder Name Description
amazon-ebs.minimal-centos-8stream-hvm amazon-ebs builder for a minimal CentOS Stream 8 HVM AMI
amazon-ebs.minimal-ol-8-hvm amazon-ebs builder for a minimal Oracle Linux 8 HVM AMI
amazon-ebs.minimal-rhel-8-hvm amazon-ebs builder for a minimal RHEL 8 HVM AMI
amazon-ebs.minimal-centos-7-hvm amazon-ebs builder for a minimal CentOS 7 HVM AMI
amazon-ebs.minimal-rhel-7-hvm amazon-ebs builder for a minimal RHEL 7 HVM AMI
azure-arm.minimal-centos-7-image azure-arm builder for a minimal CentOS 7 Image
azure-arm.minimal-rhel-7-image azure-arm builder for a minimal RHEL 7 Image
openstack.minimal-centos-7-image openstack builder for a minimal CentOS 7 Image
virtualbox-iso.minimal-centos-7-image virtualbox-iso builder for a minimal CentOS 7 Vagrant Box

Minimal Linux Packer Post-Provisioners

The Minimal Linux packer template includes the following post-provisioners:

  • vagrant: The vagrant post-provisioner creates vagrant boxes from on the virtualbox and vmware images.

  • vagrant-cloud: The vagrant-cloud post-provisioners upload the vagrant boxes to Hashicorp Vagrant Cloud.

Building for the AWS US GovCloud Region

To build images for the AWS US GovCloud regions, us-gov-west-1 or us-gov-east-1, it is necessary to pass several variables that are specific to the region. The AMI filters below have been tested and/or created in us-gov-west-1 to work with the spel template(s). Also, the builders should be restricted so as not to build the Vagrant images.

packer build \
    -var 'spel_identifier=unique-project-id' \
    -var 'spel_version=dev001' \
    -var 'aws_region=us-gov-west-1' \
    -var 'aws_source_ami_filter_centos7_hvm={name = "*-Recovery (No-LVM)-ACB-CentOS7-HVM-SRIOV_ENA", owners = ["039368651566"]}' \
    -var 'aws_source_ami_filter_centos8stream_hvm={name = "spel-bootstrap-centos-8stream-hvm-*.x86_64-gp2", owners = ["039368651566"]}' \
    -exclude 'virtualbox-iso.*' \
    spel/minimal-linux.pkr.hcl

Building for Microsoft Azure

A source Marketplace Image Offer or Custom Image Name and Resource Group are required from which to start the SPEL Azure build.

The resultant SPEL Image will be configured to use the Azure Linux agent, WALinuxAgent per recommended configurations. Currently, the use of cloud-init exclusively does not enable execution/installation of Azure VM Extensions. The below variables also disable FIPS mode in the resultant SPEL VHD or Image. Currently, the Azure Linux agent does not support FIPS mode when utilizing Azure VM Extensions. If no plans exist to utilize Azure VM Extensions on VMs provisioned from SPEL VHDs or Images, FIPS mode can be enabled, but the waagent configuration must also be modified accordingly.

The variables referenced in the packer builds below should be modified with appropriate parameters for your environment. Any content between and including the < and > characters should be replaced.

Login to azure using the az cli. Packer will use the session setup by the az cli.

packer build \
    -var 'spel_identifier=unique-project-id' \
    -var 'spel_version=0.0.1' \
    -var 'amigen_extra_rpms=["WALinuxAgent"]' \
    -var 'amigen_fips_disable=true' \
    -var 'amigen7_repo_names=["rhui-microsoft-azure-rhel7"]' \
    -var 'azure_image_offer=rhel-raw' \
    -var 'azure_image_publisher=RedHat' \
    -var 'azure_image_sku=7-raw' \
    -var 'azure_managed_image_resource_group_name=<resource group short name>' \
    -only 'azure-arm.minimal-rhel-7-image' \
    spel/minimal-linux.pkr.hcl

Building for OpenStack

To build images for an OpenStack environment, it is necessary to pass several variables that are specific to the environment. The CentOS 7 Generic Cloud image has been tested to work with the spel template(s). Also, the builders should be restricted so as not to build the Vagrant images.

source your_openstack_credentials_file.sh
packer build \
    -var 'spel_identifier=spel' \
    -var 'spel_version=0.0.1' \
    -var 'openstack_insecure=false' \
    -var 'openstack_flavor=your_flavor_name_for_temporary_instance' \
    -var 'openstack_floating_ip_network=your_provider_network_name' \
    -var 'openstack_networks=your_network_id_for_temporary_instance,second_network_id,etc.' \
    -var 'openstack_security_groups=your_security_group_name_for_temporary_instance,second_sg_name,etc.' \
    -var 'openstack_source_image_name=your_source_image_name' \
    -only 'openstack.*' \
    spel/minimal-linux.pkr.hcl

For expected values, see links below:

Testing With AMIgen

The spel automation leverages the AMIgen7 project as a build-helper for creation of Amazon Machine Images. Due to the closely-coupled nature of the two projects, it's recommended that any changes made to AMIgen7 be tested with spel prior to merging changes to the AMIgen master branch.

To facilitate this testing, the runtime-variable amigen7_source_branch was added to spel. Using this runtime-variable, in combination with the amigen7_source_url runtime-variable, allows one to point spel to a fork/branch of AMIgen7 during a integration-test build. To test, update your packer invocation by adding elements like:

packer build \
    -var 'amigen7_source_url=https://github.com/<FORK_USER>/AMIgen7.git' \
    -var 'amigen7_source_branch=IssueNN' \
    ...
    minimal-linux.pkr.hcl

Metadata

90
Stars
59
Forks
Watchers

Owner

verified publisher icon plus3it

Metadata

STIG-Partitioned Enterprise Linux (spel)

Back