A sample workflow for hardening a UBI8 container image against the RHEL 8 STIG using Packer and Ansible, including an InSpec scanning step and a threshold-validation step that checks whether the hardened image meets a defined compliance bar.
- Docker - the container engine that runs the image being built.
- Packer - the image builder; it drives the provisioning, scanning and validation steps.
- Ansible - a configuration-management tool that can target containers. Packer uses it as the provisioner that applies the STIG hardening.
- Ansible Lockdown's STIG-hardening Ansible playbook for Red Hat Enterprise Linux 8. (This dependency is pulled in automatically by Packer's Ansible provisioner; you do not need to install it yourself.)
- Progress Chef's InSpec testing framework.
- MITRE SAF's InSpec profile for the RHEL 8 STIG, used to test the result of the hardening step.
- SAF CLI, for validating the InSpec results against a defined threshold (e.g. "95% of tests pass", or "no high-severity failures").
- Install the dependencies. See their respective docs linked above.
- Clone this repo and change directory into it:
  ```shell
  git clone https://github.com/mitre/ubi8-hardening-demo.git && cd ubi8-hardening-demo
  ```
- Run `packer init .` to have Packer install the Ansible and Docker plugins.
- Run `packer build ubi8-hardened.pkr.hcl` to build, harden, scan, validate and save the image.
- You can add other kinds of scanning beyond InSpec (or have InSpec run more than one profile) by modifying the `scripts/scan.sh` file. See the MITRE SAF Validation Library for more InSpec profiles, or use your favorite image-scanning tool.
- The `verify_threshold.sh` script tags the generated image as "passing" if it meets the compliance threshold set in `threshold.yml`, and "failing" if it does not. A real hardening pipeline would instead push an image that meets the threshold to a registry and refuse to publish one that does not.
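To make the threshold step concrete, here is an added, self-contained illustration of what "validate the scan against a threshold" means; it is example code, not the repo's `verify_threshold.sh` and not the SAF CLI (the real pipeline hands the InSpec JSON and `threshold.yml` to SAF CLI, roughly `saf validate threshold -i results.json -F threshold.yml`; check `saf validate threshold --help` for the current flags). The sample results below are constructed in the shape of InSpec's JSON reporter with placeholder control IDs, the impact-to-severity cut-offs follow Heimdall's conventions as I understand them, and the `compliance.min` / `failed.<severity>.max` threshold keys are an assumption about the threshold file's schema rather than a guarantee of it.

```python
"""Illustrative compliance-threshold check over InSpec JSON results (not the SAF CLI)."""
import json
from collections import Counter

# Constructed sample in the shape of InSpec's JSON reporter (profiles -> controls -> results).
# Control IDs are placeholders, not real STIG identifiers.
SAMPLE_RESULTS = json.dumps({
    "profiles": [{
        "name": "example-stig-baseline",
        "controls": [
            {"id": "ctrl-01", "impact": 0.9, "results": [{"status": "passed"}]},
            {"id": "ctrl-02", "impact": 0.7, "results": [{"status": "passed"}, {"status": "passed"}]},
            {"id": "ctrl-03", "impact": 0.5, "results": [{"status": "failed"}, {"status": "passed"}]},
            {"id": "ctrl-04", "impact": 0.5, "results": [{"status": "passed"}]},
            {"id": "ctrl-05", "impact": 0.3, "results": [{"status": "skipped"}]},
            {"id": "ctrl-06", "impact": 0.0, "results": [{"status": "passed"}]},
        ],
    }],
})

# Threshold in the spirit of threshold.yml: a minimum compliance percentage plus caps on
# failures per severity. The key names are an assumption, not the SAF CLI's exact schema.
EXAMPLE_THRESHOLD = {
    "compliance": {"min": 75},
    "failed": {"critical": {"max": 0}, "high": {"max": 0}},
}


def severity(impact):
    """Map an InSpec impact score to a severity bucket (Heimdall-style cut-offs, assumed)."""
    if impact >= 0.9:
        return "critical"
    if impact >= 0.7:
        return "high"
    if impact >= 0.4:
        return "medium"
    if impact > 0.0:
        return "low"
    return "none"


def control_status(control):
    """Roll a control's individual test results up into one status for the control."""
    if control.get("impact", 0) == 0:
        return "not_applicable"      # impact 0 marks a control as N/A for this target
    statuses = {r["status"] for r in control.get("results", [])}
    if "failed" in statuses or "error" in statuses:
        return "failed"              # any failing or erroring check fails the whole control
    if statuses and statuses <= {"skipped"}:
        return "skipped"             # nothing actually ran (e.g. a manual-review control)
    return "passed"


def summarize(results_json):
    """Count control outcomes across all profiles and compute a compliance percentage."""
    data = json.loads(results_json)
    status_counts = Counter()
    failed_by_severity = Counter()
    for profile in data.get("profiles", []):
        for control in profile.get("controls", []):
            status = control_status(control)
            status_counts[status] += 1
            if status == "failed":
                failed_by_severity[severity(control["impact"])] += 1
    # N/A controls leave the denominator; skipped controls count against compliance,
    # so an unevaluated control cannot quietly inflate the score.
    scored = status_counts["passed"] + status_counts["failed"] + status_counts["skipped"]
    compliance = round(100.0 * status_counts["passed"] / scored, 1) if scored else 0.0
    return {
        "status_counts": dict(status_counts),
        "failed_by_severity": dict(failed_by_severity),
        "compliance": compliance,
    }


def check_threshold(summary, threshold):
    """Return (passes, violations) for a results summary judged against a threshold."""
    violations = []
    minimum = threshold.get("compliance", {}).get("min")
    if minimum is not None and summary["compliance"] < minimum:
        violations.append(f"compliance {summary['compliance']}% < min {minimum}%")
    for sev, rule in threshold.get("failed", {}).items():
        count = summary["failed_by_severity"].get(sev, 0)
        if "max" in rule and count > rule["max"]:
            violations.append(f"{count} failed {sev} controls > max {rule['max']}")
    return (not violations, violations)


if __name__ == "__main__":
    summary = summarize(SAMPLE_RESULTS)
    ok, why = check_threshold(summary, EXAMPLE_THRESHOLD)
    print(json.dumps(summary, indent=2))
    print("PASSING" if ok else "FAILING: " + "; ".join(why))
```

On the sample data the image scores 60% (three passed out of five scored controls, with the N/A control excluded and the skipped one counted against it) and has one medium-severity failure, so it clears the "no critical/high failures" rule but misses the 75% floor and would be tagged "failing". The two kinds of rule matter for different reasons: a percentage floor catches broad regressions in the hardening role, while a per-severity cap stops a single high-impact finding from hiding behind an otherwise good score.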