konstruktoid / hardened-images

Packer templates to create hardened Ubuntu server images.
Apache License 2.0
72 stars 20 forks source link
amazon-web-services ansible aws azure azure-devops compliance hacktoberfest hardening ovf packer packer-template security ubuntu vagrant virtualbox

Hardened Ubuntu server templates

This is a repository containing Packer templates to create a hardened Ubuntu server.

There are templates available for creating a

Ubuntu 22.04 LTS (Jammy Jellyfish) and 24.04 (Noble Numbat) are supported.

The Ansible role used to make the server a bit more secure is available in the konstruktoid/ansible-role-hardening repository.

The role is installed and configured using config/local.yml.

See https://www.packer.io/docs/builders and https://www.packer.io/docs/post-processors on how to rewrite the template if you want to use it for another platforms.

Usage

Amazon Web Services

Requires Packer and a Amazon Web Services account.

Ensure that the correct values are set in ubuntu-aws-vars.json before validating the configuration and building the Amazon Machine Image.

{
  "aws_region": "eu-west-3",
  "instance_type": "t3.medium",
  "release": "24.04"
}
packer init -upgrade -var-file ubuntu-aws-vars.json ubuntu-hardened-aws.pkr.hcl
packer validate -var-file ubuntu-aws-vars.json ubuntu-hardened-aws.pkr.hcl
packer build -timestamp-ui -var-file ubuntu-aws-vars.json ubuntu-hardened-aws.pkr.hcl

Azure

Requires Packer and a Microsoft Azure account.

Ensure the correct values are set in ubuntu-azure-vars.json before validating the configuration and building the image.

azure_vars_export is a script that will create or reset the service principal, and export the necessary environment variables to authenticate with Azure.

{
  "image_offer": "0001-com-ubuntu-minimal-jammy",
  "image_sku": "minimal-22_04-lts-gen2",
  "principal_name": "PackerPrincipal",
  "resource_group": "PackerGroup",
  "vm_size": "Standard_D2s_v3"
}
packer init -upgrade -var-file ubuntu-azure-vars.json ubuntu-hardened-azure.pkr.hcl
packer validate -var-file ubuntu-azure-vars.json ubuntu-hardened-azure.pkr.hcl
packer build -timestamp-ui -var-file ubuntu-azure-vars.json ubuntu-hardened-azure.pkr.hcl

Local files

Requires Packer, Vagrant and VirtualBox.

To build the Vagrant boxes, run bash build_box.sh. The script will git clone https://github.com/chef/bento.git to a temporary directory and apply a .diff to add the Ansible role.

The generated boxes will be stored in the output directory and the temporary directory removed.

Verification

There's a SLSA artifact present under the slsa action workflow.

Using the box in a Vagrantfile

Vagrant.configure("2") do |config|
  config.vbguest.installer_options = { allow_kernel_upgrade: true }
  config.vm.provider "virtualbox" do |vb|
    vb.memory = 2048
    vb.customize ["modifyvm", :id, "--uart1", "0x3F8", "4"]
    vb.customize ["modifyvm", :id, "--uartmode1", "file", File::NULL]
  end

  config.vm.define "noble" do |noble|
    noble.vm.hostname = "hardened-noble"
    noble.vm.box = "ubuntu-noble/24.04"
    noble.vm.box_url = "file://output/ubuntu-24.04-x86_64.bento-hardened.box"
  end
end

Repository structure

.
├── azure_vars_export
├── build_box.sh
├── config
│   ├── ansible.cfg
│   ├── bento.diff
│   └── local.yml
├── LICENSE
├── README.md
├── renovate.json
├── scripts
│   ├── aws.sh
│   ├── azure.sh
│   ├── cleanup.sh
│   ├── hardening.sh
│   ├── minimize.sh
│   ├── postproc.sh
│   └── vagrant.sh
├── SECURITY.md
├── ubuntu-aws-vars.json
├── ubuntu-azure-vars.json
├── ubuntu-hardened-aws.pkr.hcl
├── ubuntu-hardened-azure.pkr.hcl
└── Vagrantfile

2 directories, 21 files

Contributing

Do you want to contribute? Great! Contributions are always welcome, no matter how large or small. If you found something odd, feel free to submit a issue, improve the code by creating a pull request, or by sponsoring this project.

License

Apache License Version 2.0

Author Information

https://github.com/konstruktoid