aws / elastic-beanstalk-roadmap

AWS Elastic Beanstalk roadmap
https://aws.amazon.com/elasticbeanstalk/
Creative Commons Attribution Share Alike 4.0 International

Several SELinux Challenges with ElasticBeanstalk (Bring Over from AWS Support Issue) #284

Open michaelsmoody opened 1 year ago

michaelsmoody commented 1 year ago

(As mentioned, I was asked to open a GitHub Issue here in this repository, despite it not being the ElasticBeanstalk bootstrap scripts; with these details, by AWS Support)

Original Message as Submitted to AWS Support:

It appears that ElasticBeanstalk, unlike several other projects, doesn't have a Github page for its "setup" scripts and packages. Otherwise, we would submit this via a Github issue to that repository.

ElasticBeanstalk has several errors relating to SELinux, making it VERY difficult to run ElasticBeanstalk on an instance/image in which SELinux has been enabled. However, this is something that is typically necessary for compliance purposes.

Very specifically, a few things we noted:

  1. The Filesystem Contexts for /var/app are being set wrong when applications are deployed to it. This is a major blocking issue.
    semanage fcontext -a -t httpd_sys_content_t '/var/app(/.*)?'
    restorecon -R -v /var/app/current
  2. Similarly, the Filesystem Contexts for /var/app are being set wrong when applications are deployed to it. This is a major blocking issue.
    semanage fcontext -a -t httpd_sys_content_t '/var/www(/.*)?'
    restorecon -R -v /var/www
  3. Nginx logs aren't owned by the Nginx user:group - This is a major blocking issue.
    chown -R nginx:nginx /var/log/nginx
  4. Nginx Config Files aren't owned by the Nginx user:group - This is a major blocking issue.
    chown -R nginx:nginx /var/proxy/staging/nginx
  5. MANY SELinux Booleans are missing
              "echo '# Setup SELINUX Booleans - httpd_execmem == TRUE ... '"
              "setsebool -P httpd_execmem on"
              "echo '# Setup SELINUX Booleans - httpd_run_stickshift == TRUE ... '"
              "setsebool -P httpd_run_stickshift on"
              "echo '# Setup SELINUX Booleans - httpd_setrlimit == TRUE ... '"
              "setsebool -P httpd_setrlimit on"
              "echo '# Setup SELINUX Booleans - httpd_can_sendmail == TRUE ... '"
              "setsebool -P httpd_can_sendmail on"
              "echo '# Setup SELINUX Booleans - httpd_can_network_memcache == TRUE ... '"
              "setsebool -P httpd_can_network_memcache on"
              "echo '# Setup SELINUX Booleans - httpd_read_user_content == TRUE ... '"
              "setsebool -P httpd_read_user_content on"
              "echo '# Setup SELINUX Booleans - httpd_can_network_connect == TRUE ... '"
              "setsebool -P httpd_can_network_connect on"
              "echo '# Setup SELINUX Booleans - httpd_can_network_connect_db == TRUE ... '"
              "setsebool -P httpd_can_network_connect_db on"
  6. The basic package "unzip" isn't validated as existing before attempting to bootstrap ElasticBeanstalk. This leads to boot failures.
    yum -y -q install unzip
  7. The Chrony SELinux Contexts are wrong (AND this causes the steps relating to Chrony to fail). A custom module must be loaded instead.
    restorecon -R -v /run/chrony/
    semodule -i /usr/local/${lower(local.cust)}/chronyd_selinux.pp
  8. ElasticBeanstalk doesn't ensure that iptables allows HTTP and HTTPS (or whatever ports are opened!)
              "iptables -A INPUT -p tcp -s ${local.application_cidr} --dport http -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment '${local.application_cidr}_allow_http_IN'"
              "iptables -A INPUT -p tcp -s ${local.application_cidr} --dport https -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment '${local.application_cidr}_allow_https_IN'"
  9. ElasticBeanstalk doesn't support the injection of user-data (which could be VERY useful for setting systems in Government-mandated FIPS mode). We worked around this via the use of SSM Documents, but reboots are still required!

These, and many other potential changes need to be escalated to the ElasticBeanstalk Development Team who is responsible for the EB bootstrapping. I would highly recommend that instead of the default Amazon Linux 2 AMI, that the Center for Internet Security Amazon Linux 2 AMI be used (5.10 kernel) for testing, in order to help "harden" ElasticBeanstalk's bootstrapping process, and support SELinux and iptables out of the box, as well as ensure that "unzip", a simple dependency, exists on the system.

Thanks, Michael S. Moody
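An audit helper, added here as an example and not part of the issue or of Elastic Beanstalk's own bootstrap scripts, that checks the three classes of setting the issue reports as wrong after a deployment (the SELinux booleans, the /var/app and /var/www file contexts, and nginx ownership of its logs and config). It reads captured command output on stdin so it can be run offline against constructed input; the paths, boolean names and the nginx user come from the issue, and the `getsebool -a` / `stat -c '%C %n'` / `stat -c '%U:%G %n'` output formats are assumptions.

```shell
#!/bin/sh
# Post-deployment SELinux/ownership audit (added example, not EB's code).
# Each function reads captured command output on stdin and prints only the
# items that deviate, so an empty result means "compliant".

# Booleans the issue lists as required; every one must be "on".
REQUIRED_BOOLS="httpd_execmem httpd_run_stickshift httpd_setrlimit \
httpd_can_sendmail httpd_can_network_memcache httpd_read_user_content \
httpd_can_network_connect httpd_can_network_connect_db"

# stdin: `getsebool -a` output ("name --> on|off"). Prints required booleans
# that are absent or off. Anchored match so _connect does not match _connect_db.
missing_booleans() {
    input=$(cat)
    for b in $REQUIRED_BOOLS; do
        printf '%s\n' "$input" | grep -q "^$b --> on$" || printf '%s\n' "$b"
    done
}

# stdin: `stat -c '%C %n' PATH...` output ("user:role:type:level path").
# $1: expected SELinux type. Prints paths whose type differs, with the type found.
wrong_fcontext() {
    expected=$1
    while read -r ctx path; do
        type=$(printf '%s' "$ctx" | cut -d: -f3)
        [ "$type" = "$expected" ] || printf '%s (%s)\n' "$path" "$type"
    done
}

# stdin: `stat -c '%U:%G %n' PATH...` output. Prints paths not owned nginx:nginx.
wrong_owner() {
    while read -r owner path; do
        [ "$owner" = "nginx:nginx" ] || printf '%s (%s)\n' "$path" "$owner"
    done
}

# Live run on an instance (assumes the GNU stat and policycoreutils tools).
audit_live() {
    getsebool -a | missing_booleans
    stat -c '%C %n' /var/app /var/www | wrong_fcontext httpd_sys_content_t
    stat -c '%U:%G %n' /var/log/nginx /var/proxy/staging/nginx | wrong_owner
}

if [ "${1:-}" = live ]; then audit_live; fi
```

Run it as `sh audit.sh live` on the instance after each deployment; any output line is a setting the deployment reset.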

michaelsmoody commented 1 year ago

The most critical changes would be:

yum -y -q install unzip (ensuring that unzip is available before attempting the rest of the bootstrap)

Also, setting the correct filesystem contexts on /var/app and /var/www

The rest of it can be handled with commands, but the incorrect filesystem contexts are problematic as they are reset on every app deployment.

(Additionally, setting the nginx config and log filesystem ownership is fairly critical, as it seems that at least the config gets reset on each deployment)