[SCCD] Review and update Amazon Linux 2 AMI

[gary-fallon]

User Story

As a security engineer, I want to update the base images so that we can pass the required compliance checks.

Tasks

• [ ] Create a new AMI image based on a STIG overlay.
• [ ] Install the BigFix agent.
• [ ] Deploy to a lower environment and confirm security checks are now above 90% compliance.

• [ ] Use this new image to deploy EKS, vets-api, vets-website, and any applications that run on Amazon Linux 2 to a lower environment and test to ensure applications continue functioning as expected.

Acceptance Criteria

• [ ] As a security engineer, I want the compliance checks to be above 90% and the applications to perform to their established baselines. The compliance checks are defined and tested by CSOC.

Additional information

Links to support request, any additional context someone needs, how it was found, where in the code it needs to be changed, any relevant internal or external docs.

---

How to configure this issue

• [x] Labeled with 'platform-cop'
• [x] Labeled with Practice Area (platform-cop-backend, platform-cop-frontend, platform-cop-devops)

[kenmayo]

Please make sure we understand the actual scope of the work i.e. the amount of time it's going to take us to meet the AC. Thanks!

[gary-fallon]

@kenmayo

The initial setup and deployment probably won't take that long, maybe a few days at the most, but testing the new image with all of the use cases could take a while, maybe a few weeks.

[jhouse-solvd]

Echoing what I sent via email just now

Here’s the SCCD BigFix checklist showing individual deficiencies in the AL2 base image. This might not be needed if we’re taking the ‘build on top of stig’ approach, which makes sense. But I wanted to share just in case it's helpful.

BigFix - Compliance with CIS Checklist for Amazon Linux 2.pdf

[npeterson54]

Making this issue an epic, @hgbarreto will create some discovery stories to work on

[gary-fallon]

I requested an XML or XCCDF file from CSOC on 9/13.

[jhouse-solvd]

This is in progress and will carry into the next sprint.

[jhouse-solvd]

This is in progress and will carry over to the next sprint.

[jhouse-solvd]

Update 11/15:

• After chatting w/ @gary-fallon and @hgbarreto yesterday, it sounds like there's more work to do, but this isn't technically in progress at the moment.
• I added some notes to the POAM issue tracking this deficiency with the next steps yesterday.

I'm moving this item to the backlog for now and recommend planning additional work for an upcoming sprint.

[npeterson54]

This is complete from the Infrastructure Services point of view, when removing CMS from the equation, we are above 90%. Also waiting for the VA to fix a few tests with Bigfix which will bring that % higher. Closing out for now.