diff --git a/README.md b/README.md index 15c2703..3be2622 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Ubuntu LTS is FISMA Ready -This project creates hardened, FISMA Ready Ubuntu LTS Amazon Machine Instances (AMIs) that are suitable for use in Amazon Web Services (AWS). To be FISMA Ready, the AMI must be instantitated in either the US-East or US-West regions of AWS, or the AWS GovCloud, in order to properly inherit the AWS controls assessed by the [FedRAMP program](http://cloud.cio.gov/fedramp). We recommend additional customer level controls on top of the FedRAMP authorization for the AWS Console, and will be releasing those soon. +This project creates both hardened, FISMA Ready Ubuntu LTS Amazon Machine Instances (AMIs) that are suitable for use in Amazon Web Services (AWS) and Virtual Machine images for use in Microsoft Azure. To be FISMA Ready and if deployed to AWS, the AMI must be instantiated in either the US-East, US-West, or GovCloud regions in order to properly inherit the AWS controls assessed by the [FedRAMP program](http://cloud.cio.gov/fedramp). If using Microsoft Azure, the image can be deployed to any region in order to inherit controls defined by FedRAMP. We recommend additional customer level controls on top of the FedRAMP authorization for the AWS or Azure consoles, and we'll be releasing those soon. We are also working to expand support for other deployment environments and image types. @@ -8,7 +8,9 @@ Prepared and maintained by **[18F](https://18f.gsa.gov)**, a Federal digital ser ## What this does -* Takes a **fresh Ubuntu 14.04 LTS AMI** (`ami-9eaa1cf6`), as published by Canonical: +### Amazon Web Services + +* Takes a **fresh Ubuntu 14.04 LTS AMI ** (`ami-9eaa1cf6`), as published by Canonical: ![1404-lts](docs/ubuntu-1404.png) 
@@ -18,6 +20,12 @@ Prepared and maintained by **[18F](https://18f.gsa.gov)**, a Federal digital ser * Creates a new AMI from the configured instance, and prints out the AMI ID. +### Microsoft Azure + +* Takes a **daily build of Ubuntu 14.04 LTS** from the Azure VM Image Gallery + +* Launches an instance from this image based on a size defined by the `AZURE_INSTANCE_SIZE` environment variable and in to an Azure region defined by the `AZURE_REGION` environment variable. + ## Setup * Install the [Chef Development Kit for your OS](http://downloads.getchef.com/chef-dk/mac/#/). This includes both Knife and [Berkshelf](http://berkshelf.com/), which are critical dependencies. @@ -36,6 +44,10 @@ $ packer version Packer v0.7.5 ``` +* In order to deploy to Microsoft Azure, follow the instructions for installing the [packer-azure plugin](https://github.com/MSOpenTech/packer-azure). It is recommended that the REST API implementation of the packer-azure plugin be used vs. the PowerShell wrapper as indicated on the README for that project. + +### Amazon Web Services + * Set two environmental variables. ```bash 
@@ -43,12 +55,33 @@ export AWS_ACCESS_KEY_ID=[your AWS access key] export AWS_SECRET_ACCESS_KEY=[your AWS secret key] ``` -## Building the AMI +#### Building the AMI 1. Run `ami.sh`. That's it! Take note of the AMI ID this spits out to your console after it's done. +### Microsoft Azure + +* If on Linux, set six environment variables: + +```bash +export AZURE_PUBLISH_SETTINGS_PATH="[your Azure publishsettings file path]" +export AZURE_SUBSCRIPTION_NAME="[your Azure Subscription name]" +export AZURE_STORAGE_ACCOUNT="[your Azure Storage Account name]" +export AZURE_STORAGE_ACCOUNT_CONTAINER="[your Azure Storage Account container name]" +export AZURE_REGION="[your chosen Azure region]" +export AZURE_INSTANCE_SIZE="[your Azure VM instance size]" +``` + +* A helper `azure_env` file has been included for sourcing. + +* If on Windows, execute the `azure.ps1` PowerShell script and pass the appropriate values to the parameters. + +#### Building the Azure Image + +1. Run `azure.ps1` if on Windows or `azure.sh` if on Linux. + ### Involvement of 18F The team at [18F](https://18f.gsa.gov) decided to start work where FedRAMP stops for open source components in a true infrastructure as a service environment - at the operating system layer. Secure baselines were available for Windows, Solaris, and Red Hat Enterprise Linux. But, there were no generally available — and certainly not public — baselines, for Ubuntu or the Debian version of Linux generally. diff --git a/azure.ps1 b/azure.ps1 new file mode 100644 index 0000000..2bae48d --- /dev/null +++ b/azure.ps1 
@@ -0,0 +1,40 @@ +param +( + [Parameter(Mandatory=$true)] + [string] + $AzurePublishSettingsPath, + + [Parameter(Mandatory=$true)] + [string] + $AzureSubscriptionName, + + [Parameter(Mandatory=$true)] + [string] + $AzureStorageAccount, + + [Parameter(Mandatory=$true)] + [string] + $AzureStorageAccountContainer, + + [Parameter(Mandatory=$true)] + [string] + $AzureRegion, + + [Parameter(Mandatory=$true)] + [string] + $AzureInstanceSize +) + +if (Test-Path -Path "..\vendor\cookbooks") { + Remove-Item -Path "..\vendor\cookbooks" -Recurse -Force +} + +berks vendor "..\vendor\cookbooks" +packer build ` + -var "azure_publish_settings_path=$AzurePublishSettingsPath" ` + -var "azure_subscription_name=$AzureSubscriptionName" ` + -var "azure_storage_account=$AzureStorageAccount" ` + -var "azure_storage_account_container=$AzureStorageAccountContainer" ` + -var "azure_region=$AzureRegion" ` + -var "azure_instance_size=$AzureInstanceSize" ` + azure\packer-azure.json diff --git a/azure.sh b/azure.sh new file mode 100755 index 0000000..acd4c74 --- /dev/null +++ b/azure.sh @@ -0,0 +1,11 @@ +#!/bin/bash +rm -rf ../vendor/cookbooks +berks vendor ../vendor/cookbooks +packer build \ + -var "azure_publish_settings_path=$AZURE_PUBLISH_SETTINGS_PATH" \ + -var "azure_subscription_name=$AZURE_SUBSCRIPTION_NAME" \ + -var "azure_storage_account=$AZURE_STORAGE_ACCOUNT" \ + -var "azure_storage_account_container=$AZURE_STORAGE_ACCOUNT_CONTAINER" \ + -var "azure_region=$AZURE_REGION" \ + -var "azure_instance_size=$AZURE_INSTANCE_SIZE" \ + azure/packer-azure.json diff --git a/azure/packer-azure.json b/azure/packer-azure.json new file mode 100644 index 0000000..667ef63 --- /dev/null +++ b/azure/packer-azure.json 
@@ -0,0 +1,35 @@ +{ + "variables": { + "azure_publish_settings_path": "", + "azure_subscription_name": "", + "azure_storage_account": "", + "azure_storage_account_container": "", + "azure_region": "", + "azure_instance_size": "" + }, + "builders": [ + { + "type": "azure", + "publish_settings_path": "{{user `azure_publish_settings_path`}}", + "subscription_name": "{{user `azure_subscription_name`}}", + "storage_account": "{{user `azure_storage_account`}}", + "storage_account_container": "{{user `azure_storage_account_container`}}", + "os_type": "Linux", + "os_image_label": "Ubuntu Server 14.04 LTS", + "location": "{{user `azure_region`}}", + "instance_size": "{{user `azure_instance_size`}}", + "user_image_label": "FISMA-Ready-Baseline-Ubuntu-Packer" + } + ], + "provisioners": [ + { + "type": "chef-solo", + "cookbook_paths": [ + "../vendor/cookbooks" + ], + "run_list": [ + "packer::azure" + ] + } + ] +} diff --git a/azure_env b/azure_env new file mode 100644 index 0000000..9857fa6 --- /dev/null +++ b/azure_env @@ -0,0 +1,6 @@ +export AZURE_PUBLISH_SETTINGS_PATH="" +export AZURE_SUBSCRIPTION_NAME="" +export AZURE_STORAGE_ACCOUNT="" +export AZURE_STORAGE_ACCOUNT_CONTAINER="" +export AZURE_REGION="" +export AZURE_INSTANCE_SIZE="" diff --git a/recipes/azure.rb b/recipes/azure.rb new file mode 100644 index 0000000..e0d94e6 --- /dev/null +++ b/recipes/azure.rb 
@@ -0,0 +1,199 @@ +# +# Cookbook Name:: packer +# Recipe:: azure + +include_recipe 'apt' +include_recipe 'git' + +### +# /etc/modprobe.d Safe Defaults +# See https://github.com/18F/ubuntu/blob/master/hardening.md +### +cookbook_file "/etc/modprobe.d/18Fhardened.conf" do + source "etc/modprobe.d/18Fhardened.conf" + mode 0644 + owner "root" + group "root" +end + + +### +# Redirect protections +# See https://github.com/18F/ubuntu/blob/master/hardening.md#redirect-protections +### +icmp_settings = [ + "net.ipv4.conf.default.rp_filter=1", + "net.ipv4.conf.all.rp_filter=1", + "net.ipv4.conf.all.accept_redirects=0", + "net.ipv6.conf.all.accept_redirects=0", + "net.ipv4.conf.default.accept_redirects=0", + "net.ipv6.conf.default.accept_redirects=0", + "net.ipv4.conf.all.secure_redirects=0", + "net.ipv4.conf.default.secure_redirects=0", + "net.ipv4.conf.all.send_redirects=0", + "net.ipv4.conf.default.send_redirects=0", + "net.ipv4.conf.all.accept_source_route=0", + "net.ipv6.conf.all.accept_source_route=0", + "net.ipv4.conf.default.accept_source_route=0", + "net.ipv6.conf.default.accept_source_route=0", + "net.ipv4.conf.all.log_martians=1", + "net.ipv4.conf.default.log_martians=1" +] +cookbook_file "/etc/sysctl.conf" do + source "etc/sysctl.conf" + mode 0644 + owner "root" + group "root" +end + +icmp_settings.each do |icmp_setting| + execute "update_#{icmp_setting}" do + command "/sbin/sysctl -w #{icmp_setting}" + notifies :run, 'execute[flush-sysctl]', :delayed + end +end +execute 'flush-sysctl' do + command '/sbin/sysctl -w net.ipv4.route.flush=1 && /sbin/sysctl -w net.ipv6.route.flush=1' +end + +### +# Audit Strategy! 
+# See https://github.com/18F/ubuntu/blob/master/hardening.md#audit-strategy +### + +# Time and Space +directory "/etc/audit" do + owner "root" + group "root" + mode 00640 + action :create +end + +cookbook_file "/etc/audit/audit.rules" do + source "etc/audit/audit.rules" + mode 0640 + owner "root" + group "root" +end + +### +# System Access, Authentication and Authorization +# See https://github.com/18F/ubuntu/blob/master/hardening.md#system-access-authentication-and-authorization +### +file "/etc/at.deny" do + action :delete +end +file "/etc/cron.allow" do + owner "root" + group "root" + mode "0700" + action :create +end +file "/etc/at.allow" do + owner "root" + group "root" + mode "0700" + action :create +end +file "/etc/crontab" do + owner "root" + group "root" + mode "0700" + action :create +end +crons = [ + "/etc/cron.hourly", + "/etc/cron.daily", + "/etc/cron.weekly", + "/etc/cron.monthly", + "/etc/cron.d" +] +crons.each do |cron| + directory "#{cron}" do + owner "root" + group "root" + mode "0700" + action :create + end +end + +### +# Password Policy +# See https://github.com/18F/ubuntu/blob/master/hardening.md#password-policy +### +package "libpam-cracklib" do + action :install +end +cookbook_file "/etc/pam.d/common-password" do + source "etc/pam.d/common-password" + mode 0644 + owner "root" + group "root" +end +cookbook_file "/etc/pam.d/login" do + source "etc/pam.d/login" + mode 0644 + owner "root" + group "root" +end +cookbook_file "/etc/login.defs" do + source "etc/login.defs" + mode 0644 + owner "root" + group "root" +end + +### +# SSH Settings +# See https://github.com/18F/ubuntu/blob/master/hardening.md#ssh-settings +### +cookbook_file "/etc/ssh/sshd_config" do + source "etc/ssh/sshd_config" + mode 0600 + owner "root" + group "root" +end + +### +# Get some banners up and running! 
+# See https://github.com/18F/ubuntu/blob/master/hardening.md#ssh-settings +### +cookbook_file "/etc/update-motd.d/00-header" do + source "etc/update-motd.d/00-header" + mode 0755 + owner "root" + group "root" +end + +### +# Install NTP for better time management +### +apt_package "ntp" do + action :upgrade # see actions section below +end + +=begin +### +# Install LVM for partitioning +### + +apt_package "lvm2" do + action :upgrade # see actions section below +end + +### +# Partition +### + +cookbook_file "tmp/partitioning.sh" do + source "config/partitioning.sh" + mode 0700 + owner "root" + group "root" +end + +execute "partition the second disk" do + command "bash /tmp/partitioning.sh" +end + +=end
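Review bot: In the first README hunk (`@@ -1,6 +1,6 @@`), the new sentence "If using Microsoft Azure, the image can be deployed to any region in order to inherit controls defined by FedRAMP" is an unsupported claim that sits directly beside a paragraph restricting AWS to US-East, US-West or GovCloud for the same reason. Inheritance depends on which regions and offerings fall inside the provider's FedRAMP authorization boundary, so either cite the Azure authorization scope the project relies on or qualify the sentence ("regions covered by the Azure FedRAMP authorization") rather than asserting "any region".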
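Review bot: In the README hunk `@@ -8,7 +8,9 @@`, the rewritten bullet introduces a stray space before the closing asterisks, `* Takes a **fresh Ubuntu 14.04 LTS AMI ** (`ami-9eaa1cf6`)`, which stops Markdown from rendering the bold span and leaves literal `**` in the page. The removed line had it right; restore `**fresh Ubuntu 14.04 LTS AMI**`.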
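Review bot: In the README hunk `@@ -18,6 +20,12 @@`, the Azure base image is described as "a **daily build of Ubuntu 14.04 LTS** from the Azure VM Image Gallery", whereas the AWS side pins a specific AMI (`ami-9eaa1cf6`); a hardened baseline built from whatever the gallery serves that day is not reproducible, and two people running the same commit can get different bases. Record the exact gallery image name or publish date that was tested, the same way the AMI ID is recorded, and keep that in sync with the `os_image_label` in `azure/packer-azure.json`. The Azure list also stops after "Launches an instance" and never says what the build produces; mirror the AWS bullet "Creates a new AMI from the configured instance, and prints out the AMI ID" with the resulting image label. Minor: "in to an Azure region" should be "into an Azure region".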
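Review bot: In the README hunk `@@ -36,6 +44,10 @@`, the packer-azure plugin is referenced only by repository URL, while the surrounding context pins the Packer version that was tested (`Packer v0.7.5`). Since the plugin is a third-party binary that the build chain downloads and runs with the subscription's management credentials, name the release or commit that was verified against this template so readers are not pulling an arbitrary HEAD.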
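Review bot: In the README hunk `@@ -43,12 +55,33 @@`, `AZURE_PUBLISH_SETTINGS_PATH` points at a publishsettings file without any warning that this file embeds the subscription's management certificate, including its private key, and grants full control of the subscription to whoever holds it. Add a sentence telling users to keep it outside the repository and to delete or rotate it after the build, and say the same about a filled-in copy of `azure_env`, which is a file of `export` lines that readers are told to source. The Windows instructions are also stated twice ("execute the `azure.ps1` PowerShell script and pass the appropriate values" and then "Run `azure.ps1` if on Windows"); keep one, and show the parameter names since the script marks all six as mandatory.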
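Review bot: In `azure.ps1`, `packer build` runs unconditionally after `berks vendor "..\vendor\cookbooks"`, so a failed vendoring (no network, a Berksfile error) still launches a VM and provisions it with whatever is in that directory, possibly nothing. Check `$LASTEXITCODE` after `berks vendor` and stop on failure. Separately, `Remove-Item -Path "..\vendor\cookbooks" -Recurse -Force` and the `azure\packer-azure.json` argument are both relative to the caller's current directory, not the script's location, so running the script from anywhere else either deletes the wrong `vendor\cookbooks` tree or fails to find the template; anchor the paths on `$PSScriptRoot` (for example `Join-Path $PSScriptRoot "..\vendor\cookbooks"`).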
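Review bot: In `azure.sh`, the script has no `set -e` or `set -u`, so if `berks vendor` fails the build proceeds anyway, and any of the six `AZURE_*` variables that is unset is silently passed to Packer as an empty string. Add `set -eu` after the shebang and `cd "$(dirname "$0")"` before the `rm -rf ../vendor/cookbooks`, which is currently executed relative to whatever directory the user happens to be in.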
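Review bot: In `azure/packer-azure.json`, every entry under `"variables"` defaults to `""`, so a missing `-var` does not fail validation and only surfaces as a confusing error from the Azure API partway through the build; the wrapper scripts do not validate either, so the template is the last place to catch it. The builder also selects the base by `"os_image_label": "Ubuntu Server 14.04 LTS"`, which resolves to whichever image currently carries that label, and writes every build to the same `"user_image_label": "FISMA-Ready-Baseline-Ubuntu-Packer"`, so successive builds are indistinguishable. Pin the base to a specific published image and put a build date or git SHA in the output label so an image can be traced back to the commit and base that produced it.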
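Review bot: The new `azure_env` file is a committed template of `export AZURE_*=""` lines whose only purpose is to be filled with the publishsettings path and subscription details and then sourced; the natural next step for a user is `git add` of the edited file. Rename it `azure_env.example` and add `azure_env` to `.gitignore` so a populated copy cannot land in the history.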
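Review bot: In `recipes/azure.rb`, the "Audit Strategy" block installs `/etc/audit/audit.rules` but nothing in the recipe installs or enables `auditd` (only `libpam-cracklib` and `ntp` are installed), so on a stock cloud image the rules are never loaded; add a `package "auditd"` and a `service "auditd"` with `:enable` alongside the rules file. In the same block `directory "/etc/audit"` uses `mode 00640`, a mode without the execute bit that makes the directory untraversable for non-root; `0750` is the intended value. `execute 'flush-sysctl'` has no `action :nothing`, so it runs once in sequence and again when the delayed notifications fire; give it `action :nothing`. The `cookbook_file "/etc/ssh/sshd_config"` carries no `notifies :restart, 'service[ssh]'`, so the running sshd keeps the old configuration for the rest of the build. `include_recipe 'git'` pulls in a dependency no resource here uses. The two `action :upgrade # see actions section below` comments are leftovers from the Chef documentation example and should go, and the `=begin`/`=end` LVM block is dead code that also disagrees with itself (`cookbook_file "tmp/partitioning.sh"` versus `command "bash /tmp/partitioning.sh"`); delete it rather than commit it commented out. The banners section links to `hardening.md#ssh-settings`, the same anchor as the SSH section above it. Finally, nothing in this 199-line recipe is Azure-specific, so if it duplicates the existing AWS recipe the shared hardening belongs in one recipe that both `packer::azure` and the AWS run list include.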