The Enterprise Linux STIG Builder project is a Google Cloud Build automation to produce a DISA STIG-compliant RHEL 8 image, as well as an OpenSCAP Compliance report.
There are three separate Cloud Builds to support this automation:
The Packer Cloud Builder creates a HashiCorp Packer builder image for use in Google Cloud Build.
Arguments passed to this builder will be passed to packer directly, allowing
callers to run any Packer command.
The build-image cloud build instantiates a GCE Instance with the latest
RHEL-8 public image, and applies a configuration intended to be compliant
with the DISA STIG. It then creates a private image from the instance
disk.
The evaluate-image cloud build instantiates a new GCE Instance with the
output of the build-image step, produces an OpenSCAP evaluation report,
and uploads it to GCS in the configured bucket.
Create Service Account
export PROJECT_ID=example-project-id
export GCP_ZONE=us-central1-c
gcloud auth login
gcloud config set project $PROJECT_ID
export PROJECT_NUMBER=`gcloud projects list --filter="$PROJECT_ID" \
--format="value(PROJECT_NUMBER)"`
# Create Service Account for Packer
gcloud iam service-accounts create packer \
--project $PROJECT_ID \
--description="Packer Service Account" \
--display-name="Packer Service Account"
# Grant roles to Packer's Service Account
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member=serviceAccount:packer@${PROJECT_ID}.iam.gserviceaccount.com \
--role=roles/compute.instanceAdmin.v1
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member=serviceAccount:packer@${PROJECT_ID}.iam.gserviceaccount.com \
--role=roles/iam.serviceAccountUser
# Allow the Packer Service Account to use IAP Tunnels
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member=serviceAccount:packer@${PROJECT_ID}.iam.gserviceaccount.com \
--role=roles/iap.tunnelResourceAccessor
# Allow CloudBuild to impersonate Packer service account
gcloud iam service-accounts add-iam-policy-binding \
packer@${PROJECT_ID}.iam.gserviceaccount.com \
--role="roles/iam.serviceAccountTokenCreator" \
--member="serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com"
# Allow CloudBuild to use IAP Tunnels (for STIG evaluation)
gcloud projects add-iam-policy-binding $PROJECT_ID \
--role=roles/iap.tunnelResourceAccessor \
--member=serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com
The generate-lockdown-script step downloads the OVAL file from Red Hat to
retrieve the latest CVEs. For this to work, internet access must be provided
within the VPC, by creating a Cloud Router and a
NAT Gateway
Example of how to create a Cloud Router and NAT Gateway:
gcloud compute routers create router1 \
--project=$PROJECT_ID \
--network=default \
--asn=64512 \
--region=$REGION
gcloud compute routers nats create nat1 \
--router=router1 \
--region=$REGION \
--auto-allocate-nat-external-ips \
--nat-all-subnet-ip-ranges \
--enable-logging
Example content:
DATE != date "+%Y-%m-%d-%H%M%S"
IMAGE_NAME = rhel8-stig-${DATE}
PROJECT_ID = example-project-id
PROJECT_NUMBER = 123456789012
ZONE = us-central1-c
BUILDER_SA = packer@example-project-id.iam.gserviceaccount.com
The packer cloud builder needs to exist in the registry for the project. This step must be completed only once per project.
make builder
The Makefile defines targets for build, evaluate, and rebuild, where:
build: creates RHEL-8 STIG Image
evaluate: produces an OpenSCAP Report of the STIG Image
rebuild: executes build and evaluate in sequence
make rebuild
This source code is licensed under Apache 2.0. Full license text is available in LICENSE.
We welcome contributions! See CONTRIBUTING for more information on how to get started.