GoldCent 7 is a Gold Image pipeline for CentOS 7. It results in an AWS AMI that is hardened, secured, and pre-approved for use by development and deployment teams. To reduce the vulnerability footprint, it contains a minimal set of software required to run, for instance sshd, firewalld, subscription-manager, katello, McAfee Antivirus, Splunk forwarder, Tanium, and a few other necessary agents.
The image has been through the Red Hat STIG process and has SELinux enforcing and firewalld enabled, but katello, subscription-manager, and the Splunk forwarder are disabled (or were never enabled in the first place). Those services are disabled so that the end user does not run into registration conflicts. For that reason, users of this Gold Image will need to enable those services at deploy time and re-register with subscription-manager.
By using the latest Gold Image in your deployment, you take advantage of updates and security fixes that have already been approved for use on the network. Your development teams will no longer have to address operating system vulnerabilities that were not introduced by your team.
Using the Gold Image is not as simple as just standing up an instance, applying your code, and forgetting about it. You also have to change your mindset about your deployments. Gone are the days of doing monthly or quarterly deployments and patching the infrastructure when issues arise. Rather, you are expected to deploy every day, or even many times a day.
[Jenkins][jenkins-link] is used to automate the provisioning and scanning of the Gold CentOS 7 AMI. First, an instance is launched using Terraform, then it is provisioned with Ansible Tower, finally it is scanned using Nessus. If the build is successful, a snapshot is taken of the instance, and made available in AWS.
You will need a dv directory for your dev deployments. Eventually, you will need a prod directory for your production environment and directories for any other environments into which you deploy.
This launch template is used to launch an EC2 instance using the "Grey" CentOS 7 AMI, which is simply an AMI that was created from the base CentOS 7.5 ISO using Packer (for more info, see the [GreyCent7 repository][greycent7-link]).
Also in this template, Ansible local is used to install some basic software, add ansible and nessus users, scan the image with OpenSCAP, and finally STIG the image.
Inside the dv (deployment environment) directory, you will need a main.tf and an output.tf file. The main.tf will define the backend store and the node description.
In the Ansible Tower stage of the Jenkins build, we call various Ansible playbooks to provision the Gold AMI.
- [connection_test][connection_test-link]: tests the Ansible connection
- [required_software][required_software-link]: installs various agents and software, including Encase, Katello, McAfee, Nessus, Splunk, and Tanium. **Note:** this installs all of the agents but registers only Katello; the other agents are not registered.
- [scapscan][scapscan-link]: runs a compliance scan against the instance using OpenSCAP
- [unregister][unregister-link]: unregisters from katello and other agents
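The scapscan playbook produces an XCCDF result document, and a pipeline normally needs a decision from it: did any rule the build cares about fail? The following is an added example (not code from the GoldCent 7 repository) showing how a Jenkins stage could gate the build on the OpenSCAP results. The XCCDF 1.2 result document embedded in it is constructed for the example; the rule ids and the `oscap` output file name are assumptions.

```python
"""Gate a Gold Image build on OpenSCAP (XCCDF) results.

Added example, not part of the GoldCent 7 repository. It parses the
XCCDF 1.2 TestResult that `oscap xccdf eval --results <file>` writes and
fails the build when any rule at or above a chosen severity failed.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed sample result document: one high fail, one medium fail,
# one pass and one rule that did not apply. Rule ids are assumptions.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_centos7">
  <TestResult id="xccdf_example_testresult_stig">
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_firewalld_enabled" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_audit_login_events" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_wireless_disabled" severity="low">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def parse_rule_results(xml_text):
    """Return (rule_id, severity, result) tuples for every rule-result in the document."""
    root = ET.fromstring(xml_text)
    results = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        result_el = rr.find("x:result", XCCDF_NS)
        result = result_el.text.strip() if result_el is not None and result_el.text else "unknown"
        results.append((rr.get("idref", ""), rr.get("severity", "unknown"), result))
    return results


def summarize(rule_results):
    """Count rules per XCCDF result value (pass, fail, notapplicable, ...)."""
    counts = {}
    for _, _, result in rule_results:
        counts[result] = counts.get(result, 0) + 1
    return counts


def failing_rules(rule_results, min_severity="high"):
    """Ids of rules that failed (or errored) at or above min_severity.

    Rules whose severity is absent or 'unknown' rank 0 and are therefore never
    gated here; list them separately if your policy requires it.
    """
    threshold = SEVERITY_RANK[min_severity]
    return [rule_id for rule_id, severity, result in rule_results
            if result in ("fail", "error") and SEVERITY_RANK.get(severity, 0) >= threshold]


def build_passes(xml_text, min_severity="high"):
    """True when no rule at or above min_severity failed; the pipeline's go/no-go."""
    return not failing_rules(parse_rule_results(xml_text), min_severity)


if __name__ == "__main__":
    results = parse_rule_results(SAMPLE_RESULTS)
    print("summary:", summarize(results))
    print("high-severity failures:", failing_rules(results, "high"))
    print("build:", "PASS" if build_passes(SAMPLE_RESULTS) else "FAIL")
```

In a real stage the document would come from the file written by `oscap xccdf eval --results`, and a `FAIL` return would stop the build before the snapshot is taken, so an AMI that regressed a STIG rule never becomes available to teams.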
The Nessus API is used to run a scan against the instance. See the launchNessusScan function at the bottom of the Jenkinsfile. The report will be accessible in Nessus, but will also be archived as a build artifact in Jenkins.
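The sequence behind such a step is: authenticate, launch the scan, poll until it reaches a terminal state, export the report, and treat anything other than a completed scan as a build failure. The following is an added example of that sequence (it is not the Jenkinsfile's launchNessusScan function). It uses the Nessus REST endpoints /session, /scans/{id}/launch, /scans/{id}, /scans/{id}/export and /scans/{id}/export/{file}/status and /download through a pluggable transport, so the demo runs offline against a constructed fake server; the server URL, scan id 42 and credentials are assumed values.

```python
"""Drive a Nessus scan of a freshly provisioned instance from a pipeline step.

Added example, not the launchNessusScan function from the GoldCent 7 Jenkinsfile.
The `http` callable is pluggable so the offline demo runs against the constructed
FakeNessus below; the server URL, scan id 42 and credentials are assumed values.
"""
import json
import urllib.request


def real_http(method, url, headers, body):
    """Real transport returning (status, bytes); not exercised by the offline demo."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


class NessusClient:
    def __init__(self, base_url, http=real_http):
        self.base_url = base_url.rstrip("/")
        self.http = http
        self.headers = {"Content-Type": "application/json"}

    def _raw(self, method, path, body=None):
        status, raw = self.http(method, self.base_url + path, dict(self.headers), body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed: HTTP {status}")
        return raw

    def _json(self, method, path, body=None):
        return json.loads(self._raw(method, path, body).decode())

    def login(self, username, password):
        # The session token rides in the X-Cookie header on every later call.
        token = self._json("POST", "/session", {"username": username, "password": password})["token"]
        self.headers["X-Cookie"] = f"token={token}"

    def launch(self, scan_id):
        return self._json("POST", f"/scans/{scan_id}/launch")["scan_uuid"]

    def wait(self, scan_id, sleep=lambda s: None, interval=30, max_polls=120):
        """Poll /scans/{id} until a terminal state; `sleep` is injectable for tests."""
        state = None
        for _ in range(max_polls):
            state = self._json("GET", f"/scans/{scan_id}")["info"]["status"]
            if state in ("completed", "canceled", "aborted"):
                return state
            sleep(interval)
        raise TimeoutError(f"scan {scan_id} still {state!r} after {max_polls} polls")

    def export(self, scan_id, fmt="nessus", sleep=lambda s: None, max_polls=60):
        """Request a report export, wait until it is ready, return the report bytes."""
        file_id = self._json("POST", f"/scans/{scan_id}/export", {"format": fmt})["file"]
        for _ in range(max_polls):
            if self._json("GET", f"/scans/{scan_id}/export/{file_id}/status")["status"] == "ready":
                return self._raw("GET", f"/scans/{scan_id}/export/{file_id}/download")
            sleep(5)
        raise TimeoutError(f"export {file_id} of scan {scan_id} never became ready")


def run_scan(client, username, password, scan_id):
    """The pipeline step: log in, launch, wait, export. A non-completed end state fails the build."""
    client.login(username, password)
    client.launch(scan_id)
    final = client.wait(scan_id)
    if final != "completed":
        raise RuntimeError(f"scan {scan_id} ended in state {final}; failing the build")
    return client.export(scan_id)


class FakeNessus:
    """Constructed stand-in for a Nessus server so the example runs offline."""
    def __init__(self):
        self.polls = 0
        self.calls = []          # (method, path, had_session_cookie)

    def __call__(self, method, url, headers, body):
        path = "/" + url.split("/", 3)[3]          # strip scheme and host
        self.calls.append((method, path, "X-Cookie" in headers))
        if (method, path) == ("POST", "/session"):
            return 200, b'{"token": "constructed-session-token"}'
        if "X-Cookie" not in headers:               # every other endpoint needs a session
            return 401, b'{"error": "Invalid Credentials"}'
        if (method, path) == ("POST", "/scans/42/launch"):
            return 200, b'{"scan_uuid": "constructed-scan-uuid"}'
        if (method, path) == ("GET", "/scans/42"):
            self.polls += 1                        # "running" twice, then "completed"
            state = "running" if self.polls < 3 else "completed"
            return 200, json.dumps({"info": {"status": state}}).encode()
        if (method, path) == ("POST", "/scans/42/export"):
            return 200, b'{"file": 7, "token": "constructed-export-token"}'
        if (method, path) == ("GET", "/scans/42/export/7/status"):
            return 200, b'{"status": "ready"}'
        if (method, path) == ("GET", "/scans/42/export/7/download"):
            return 200, b"<NessusClientData_v2/>"
        return 404, b'{"error": "not found"}'


def demo():
    """Run the whole step against FakeNessus; returns (report_bytes, fake)."""
    fake = FakeNessus()
    client = NessusClient("https://nessus.example.invalid:8834", http=fake)
    return run_scan(client, "jenkins", "assumed-password", 42), fake
```

The bytes returned by `run_scan` are what a Jenkins stage would write to the workspace and archive as the build artifact mentioned above; with `real_http` in place of the fake, the scanner credentials would come from the Jenkins credential store rather than the literals used in `demo`.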
The Jenkins build results in the creation of an "Au-Cent7" AMI, which can be used by teams to deploy applications.
The [Gold Tomcat Overlay repo][overlay_tomcat-link] provides an example of Terraform code that instantiates a Gold Cent7 image. The result of the Tomcat Overlay Jenkins build is a pre-scanned, pre-STIG'd CentOS 7 AMI with Tomcat pre-installed and configured. This AMI is ready to be used by application teams who would like to use Tomcat to deploy their applications.
[JPetStore][jpetstore-link] is an example application used to demonstrate end-to-end use of the Gold CentOS 7 AMI. The Jenkins build uses Terraform to instantiate an instance using the latest "Au-Tomcat" AMI and then deploy JPetStore.