Skip to content
/ rocky-cis Public

Packer template for a QEMU image of Rocky Linux w/ CIS Level 1 applied

License

MIT license
4 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

proudier/rocky-cis

BranchesTags

Repository files navigation

QEMU image for Rocky Linux w/ CIS Level 1

This repository hold a Packer template for a CIS Level 1 compliant Rocky Linux (RHEL) QEMU/KVM virtual machine.

Compared to other implementations that run an Ansible playbook, as a second setup phase to harden the system (thus leaving the system exposed until Ansible is ran), this implementation hardens the system as part of the Anaconda installation process (ie. before the first boot).

The image is effectively 'passwordless':

  • SSH won't accept passwords for authentification (block remote access with passwords)
  • Users have a random password that nobody knows (block local access with passwords)
  • Local sudo is made possible with PAM SSH Agent.

Content of resulting image

  • Rocky Linux minimal install with CIS applied
  • Python3 for later management with Ansible
  • An admin user with the login and public key provided at build time; its password has been randomized during the build process
  • A leftover Packer user with no sudo access and a randomized password

Building the VM image

Pre-requisite

A Linux box. Building on MacOS is somewhat supported: I dont have a Mac at my disposal so testing relies on external feedback. Default values will always favor Linux hosts.

Required on the build host:

  • Packer
  • QEMU with KVM (Linux) or HVF (MacOS)

User configuration

  • Create a user.auto.pkrvars.hcl file at the root of this repository that follows this format
  • Populate values for the variables declared in variables.pkr.hcl

For builds on MacOS, make sure to have

qemu_accelerator=hvf
qemu_display=cocoa

Building

# Run once to download plugins
packer init -upgrade .

# Packer refuses to run if `packer_output` already exits
rm -fr packer_output

packer build -timestamp-ui .

The output VM image is packer_output/packer-vm.

Build logs are available in the image under /var/log/anaconda in the image.

Using the image

Use the tool you like to create a VM from the image. Here's an example with virt-install

virt-install --name rockycis --memory 1536 --vcpus 2 --import --boot hd --os-variant rocky8-unknown --disk path=packer_output/packer-vm,driver.discard=unmap --network network=default,model=virtio --graphics none --virt-type kvm --cpu host-passthrough --rng backend=/dev/random,model=virtio

You must use SSH agent forwarding to be able to sudo in the VM. Read more on PAM SSH Agent here.

ssh -A admin@rockycis

Troubleshooting

Sudo asks for password

Make sure you SSHed into the instance with agent forwarding: ssh -A

Design notes

A packer user is created so the Packer communicator can connect to the VM and detect when it can be shutdown. Because CIS prevent password auth when SSHing, a SSH key is required this user. It's generated randomly using at build time. Currently, this user is left activated in the output image. It's password is randomized using openssl.

About

Packer template for a QEMU image of Rocky Linux w/ CIS Level 1 applied

Topics

cis kvm qemu hardening rockylinux

Resources

Readme

License

MIT license
Activity

Stars

4 stars

Watchers

1 watching

Forks

2 forks
Report repository

Releases

1 tags

Packages

No packages published

Languages