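# Plugins this template depends on; `packer init` installs them from these sources.
# Both constraints are open-ended (a lower bound and a pessimistic "~> 1"), so the
# plugin versions actually used are whatever `packer init` resolves at build time.
packer {
  required_plugins {
    docker = {
      # no leading whitespace inside the constraint string, matching the ansible entry
      version = ">= 1.0.8"
      source  = "github.com/hashicorp/docker"
    }
    ansible = {
      version = "~> 1"
      source  = "github.com/hashicorp/ansible"
    }
  }
}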
# Connection settings handed to the ansible provisioner.
# Note: ansible_host is not referenced anywhere in this file; the build block
# passes var.output_image.name as ansible_host instead.
variable "ansible_vars" {
  type = map(string)
  default = {
    ansible_host       = "default"
    ansible_connection = "docker" # talk to the container over the docker socket, not SSH
    python_version     = "3.9"
  }
}
# The unhardened base image the build starts from ("tag:version").
# "latest" is a floating reference; which image it resolves to depends on the
# local docker cache (see pull = false in the source block).
variable "input_image" {
  type = map(string)
  default = {
    tag     = "redhat/ubi8"
    version = "latest"
  }
}
# Name for the hardened output image. The same string is also used as the
# running container's --name, and the ansible/scan/verify steps address the
# container by it.
variable "output_image" {
  type = map(string)
  default = {
    name = "test-harden"
  }
}
# Settings for the InSpec scan step. All values are passed as-is to
# spec/scripts/scan.sh through environment variables.
variable "scan" {
  type = map(string)
  default = {
    report_dir             = "reports"
    inspec_profile         = "spec/inspec_wrapper"
    inspec_report_filename = "inspec_results.json"
    inspec_input_file      = "spec/inspec_wrapper/inputs.yml"
  }
}
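# Controls for the report step; the value is interpolated into the
# REPORT_TO_HEIMDALL environment variable of the report provisioner.
variable "report" {
  type = map(string)
  default = {
    # written as a string: the declared type is map(string), so the bare
    # boolean `true` was only reaching the script via implicit conversion
    report_to_heimdall = "true"
  }
}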
# Base container: started from the unhardened input image and committed to a
# new image once all provisioners have run.
source "docker" "target" {
  image  = "${var.input_image.tag}:${var.input_image.version}"
  commit = true
  # pull = false: the builder uses whatever redhat/ubi8 tag is already in the
  # local image cache and does not refresh it, so the base can lag behind
  # upstream fixes. Enable pulling, or reference the image by digest, when a
  # current base matters.
  pull = false
  # The container is named after the output image; the ansible and scan
  # provisioners address the running container by that name.
  run_command = ["-d", "-i", "-t", "--name", var.output_image.name, "{{.Image}}", "/bin/bash"]
}
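# Harden the base container, scan it, report, check thresholds, then tag the result.
build {
  name = "harden"
  sources = [
    "source.docker.target"
  ]

  # Ansible needs a Python interpreter and pip inside the target container.
  provisioner "shell" {
    inline = [
      "dnf install -y python${var.ansible_vars.python_version} python3-pip",
      # -f makes the link step idempotent: a plain `ln -s` fails with "File exists"
      # when /usr/bin/python is already present, which would abort the build.
      "ln -sf /usr/bin/python3 /usr/bin/python",
    ]
  }

  # Apply the STIG hardening playbook over the docker connection. The container
  # is addressed by name (var.output_image.name), i.e. the --name given in the
  # source block; var.ansible_vars.ansible_host is not used here.
  provisioner "ansible" {
    playbook_file = "spec/ansible/rhel8-stig-hardening-playbook.yml"
    galaxy_file   = "spec/ansible/requirements.yml"
    extra_arguments = [
      "--extra-vars", "ansible_host=${var.output_image.name}",
      "--extra-vars", "ansible_connection=${var.ansible_vars.ansible_connection}",
      "--extra-vars", "ansible_python_interpreter=/usr/bin/python3",
      "--extra-vars", "ansible_pip_executable=pip3"
    ]
  }

  ### SCAN
  # Run scanners that have no Packer plugin from a local shell script.
  # CONTAINER_ID and TARGET_IMAGE both carry the container name from the source block.
  provisioner "shell-local" {
    environment_vars = [
      "CHEF_LICENSE=accept",
      "PROFILE=${var.scan.inspec_profile}",
      "CONTAINER_ID=${var.output_image.name}",
      "REPORT_DIR=${var.scan.report_dir}",
      "REPORT_FILE=${var.scan.inspec_report_filename}",
      "INPUT_FILE=${var.scan.inspec_input_file}",
      "TARGET_IMAGE=${var.output_image.name}"
    ]
    # InSpec exits 100/101 for runs with failed or skipped controls. Those results
    # are still wanted for the report, so they must not abort the build here.
    valid_exit_codes = [0, 100, 101]
    scripts          = ["spec/scripts/scan.sh"]
  }

  ### REPORT
  # API_KEY is a literal placeholder. Keep the real key out of the template:
  # supply it from a variable declared with sensitive = true, or from the
  # build environment, rather than committing it here.
  provisioner "shell-local" {
    environment_vars = [
      "REPORT_DIR=${var.scan.report_dir}",
      "REPORT_TO_HEIMDALL=${var.report.report_to_heimdall}",
      "API_KEY=****"
    ]
    scripts = ["spec/scripts/report.sh"]
  }

  ### VERIFY
  provisioner "shell-local" {
    environment_vars = [
      "TARGET_IMAGE=${var.output_image.name}",
      "REPORT_DIR=${var.scan.report_dir}"
    ]
    # The threshold script returns 1 when thresholds are not met. That is accepted
    # deliberately so the run is not halted. Consequence: the TAG step below still
    # runs, so the image is tagged "latest" even when the threshold check fails.
    valid_exit_codes = [0, 1]
    scripts          = ["spec/scripts/verify_threshold.sh"]
  }

  ### TAG
  # Tag the committed image; runs regardless of the verify outcome (see above).
  post-processor "docker-tag" {
    repository = "${var.output_image.name}"
    tags       = ["latest"]
  }
}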