Build security hardened disk images from TripleO

Registered by Yolanda Robla on 2017-02-23

In the latest cycle support for whole disk images was added to TripleO. People can now bake heir own whole disk images, and upload with --whole-disk flag on the upload command.
The whole disk images feature specifically comes as a security request (needed for STIG and CIS). It's very usual that /var/log, /tmp, /home, etc... needs to live on different partitions or at least in different volumes. It's also a requirement in some of the systems, to encrypt home partition. That is only possible when created in the initial image, so that was the motivation to add whole disk image support.

Currently the only way the users have to create whole disk images, is building their own or transforming the existing overcloud image (a flat image one) to add partitions on top. However that's not official and is not a good way to tell the customer to operate, because it won't be supported. So security hardened images need to be created directly on the image builds for TripleO

Changes needed
- diskimage-builder is adding support for managing block device properly. It will allow to define partitions, volumes, mount points, encryption, etc... TripleO could make use of that to build the whole disk images. These changes are nearly finished on a feature/v2 branch, so as soon as they land, TripleO could make use of them to build the images.
- a new "security hardened" image needs to be declared on tripleo-common, along with the currently defined ones. So there will be a centos and a centos-hardened, a rhel and a rhel-hardened, etc...
- The partitions and volumes on an image are defined using an env var that is passed to diskimage-builder (in a json blob). tripleo-common already supports a way to export env vars so we can pass this setting. Additionally, we need to have another elements: a whole disk image doesn't need to have the baremetal element, but needs another elements to install bootloader, for example.
- The security hardened image needs to be as flexible as possible. So we can define that image with a /boot partition, a / partition, and then create volumes for /tmp, /var/log, etc... because it fits the security needs and volumes are easier to manipulate than hard partitions.
- Apart from the partitions/volumes, additional changes may be needed. Specifically we may need to add kernel boot flags, such as the audit=1
- once image is built on the system, is traditionally uploaded to RDO, packaged, etc...
- we will need to add CI to test the security images (turning it on on one of the existing jobs, updating the feature testing matrix)

Tasks to do
- Create the definition for the partitions/volumes needed on the image:
* Ensure /tmp Located On Separate volume -> rw,nosuid,nodev,noexec,r
* Ensure /var Located On Separate volume -> rw,relatime,data=ordered
* Ensure /var/log Located On Separate volume -> rw,relatime,data=ordered
* Ensure /var/log/audit located on a separate volume -> rw,relatime,data=ordered
* Ensure /home is located on a separate volume -> rw,nodev,relatime,data=ordered

- Include extra kernel boot flags needed for security:
* GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200 audit=1" -> enable auditing
* GRUB_CMD_LINUX="nousb" -> Disable Kernel Support for USB via Bootloader Configuration
* set boot loader password in grub -> pending, cannot be done now with diskimage-builder
* blacklist modules using modprobe element in diskimage-builder -> usb-storage, cramfs, freevxfs, jffs2, hfs, hfsplus, squashfs, udf, vfat

- Remove unsecure boot flags:
* crashkernel=auto

- Remove unsecure packages: kdump (kexec-tools), telnet

- Add new package: screen

- Generate the proper image entry in tripleo-common.yaml, including the configuration for partitions and boot flags


Blueprint information

Emilien Macchi
Yolanda Robla
Yolanda Robla
Series goal:
Accepted for pike
Milestone target:
milestone icon pike-2
Started by
Yolanda Robla on 2017-06-07
Completed by
Yolanda Robla on 2017-06-07

Related branches




Work Items

This blueprint contains Public information 
Everyone can see this information.