STIG-Partitioned Enterprise Linux (spel) is a project that helps create and
publish Enterprise Linux images that are partitioned according to the DISA
STIG. The resulting images also use LVM to simplify volume management. The
images are configured with help from the scripts and packages in the
AMIgen6 and Lx-GetAMI-Utils projects.
RPM Manifests for published images are available in the manifests directory.
| AMI Name | AMI ID | AWS Region |
|---|---|---|
| spel-minimal-rhel-7.3-hvm-2017.07.1.x86_64-gp2 | ami-28b5b23e | us-east-1 |
| spel-minimal-rhel-6.9-hvm-2017.07.1.x86_64-gp2 | ami-f9b0b7ef | us-east-1 |
| spel-minimal-centos-7.3-hvm-2017.07.1.x86_64-gp2 | ami-f0b0b7e6 | us-east-1 |
| spel-minimal-centos-6.9-pvm-2017.07.1.x86_64-gp2 | ami-a74345b1 | us-east-1 |
| spel-minimal-centos-6.9-hvm-2017.07.1.x86_64-gp2 | ami-93b1b685 | us-east-1 |
| spel-minimal-rhel-7.3-hvm-2017.07.1.x86_64-gp2 | ami-cff5d4aa | us-east-2 |
| spel-minimal-rhel-6.9-hvm-2017.07.1.x86_64-gp2 | ami-ecf6d789 | us-east-2 |
| spel-minimal-centos-7.3-hvm-2017.07.1.x86_64-gp2 | ami-e0f7d685 | us-east-2 |
| spel-minimal-centos-6.9-pvm-2017.07.1.x86_64-gp2 | ami-0ef7d66b | us-east-2 |
| spel-minimal-centos-6.9-hvm-2017.07.1.x86_64-gp2 | ami-5df5d438 | us-east-2 |
| spel-minimal-rhel-7.3-hvm-2017.07.1.x86_64-gp2 | ami-79d3fc19 | us-west-1 |
| spel-minimal-rhel-6.9-hvm-2017.07.1.x86_64-gp2 | ami-a6d2fdc6 | us-west-1 |
| spel-minimal-centos-7.3-hvm-2017.07.1.x86_64-gp2 | ami-bbd1fedb | us-west-1 |
| spel-minimal-centos-6.9-pvm-2017.07.1.x86_64-gp2 | ami-13d1fe73 | us-west-1 |
| spel-minimal-centos-6.9-hvm-2017.07.1.x86_64-gp2 | ami-06d3fc66 | us-west-1 |
| spel-minimal-rhel-7.3-hvm-2017.07.1.x86_64-gp2 | ami-a37765da | us-west-2 |
| spel-minimal-rhel-6.9-hvm-2017.07.1.x86_64-gp2 | ami-71766408 | us-west-2 |
| spel-minimal-centos-7.3-hvm-2017.07.1.x86_64-gp2 | ami-7a776503 | us-west-2 |
| spel-minimal-centos-6.9-pvm-2017.07.1.x86_64-gp2 | ami-b27a68cb | us-west-2 |
| spel-minimal-centos-6.9-hvm-2017.07.1.x86_64-gp2 | ami-1677656f | us-west-2 |
| spel-minimal-rhel-7.3-hvm-2017.07.1.x86_64-gp2 | ami-09c84968 | us-gov-west-1 |
| spel-minimal-rhel-6.9-hvm-2017.07.1.x86_64-gp2 | ami-08c84969 | us-gov-west-1 |
| spel-minimal-centos-7.3-hvm-2017.07.1.x86_64-gp2 | ami-9ac445fb | us-gov-west-1 |
| spel-minimal-centos-6.9-pvm-2017.07.1.x86_64-gp2 | ami-5bc4453a | us-gov-west-1 |
| spel-minimal-centos-6.9-hvm-2017.07.1.x86_64-gp2 | ami-f2c44593 | us-gov-west-1 |
| Vagrant Cloud Name | Version | Vagrant Provider |
|---|---|---|
| plus3it/spel-minimal-centos-6.9 | 2017.07.1 | virtualbox |
Packer by Hashicorp is used to manage the process of building
images.
-
Download and extract
packerfor your platform. Add it to your PATH, if you like. On Linux, watch out for otherpackerexecutables with the same name... -
If building the AMIs for Amazon Web Services, ensure your AWS credentials are configured. You do not really need the
awscli utility, but it is a convenient way to configure the credential file. You can also export the environment variables. Or, if runningpackerin an EC2 instance, an instance role with the requisite permissions will also work. See thepackerdocs for details on the necessary permissions.NOTE: No packer templates in this project will contain variables for AWS credentials; this is intentional, to avoid mistakes where credentials get committed to the repository. Instead,
packerknows to read the credentials from the credential file or from the environment variables, or to retrieve them from the instance role. See the docs. -
If building VirtualBox image(s), you will need to install VirtualBox and Vagrant.
-
If building VMware image(s), depending on your platform, you will need to install either VMware Fusion, VMware Workstation Pro, or VMware Player. For all platforms, you will also need Vagrant.
-
The template(s) push the Vagrant boxes for the VirtualBox and VMware images to Hashicorp Vagrant Cloud, which requires a Vagrant Cloud account.
NOTE: In all steps below, the examples use syntax that works on Linux. If you
are running packer from a Windows system, simply use the appropriate syntax
for the relative path to the packer template. Most important, for Windows,
use .\ preceding the path to the template. E.g.
.\spel\minimal-linux.json.
-
Clone the repository:
git clone https://github.com/plus3it/spel && cd spel
-
Validate the template (Optional):
packer validate spel/minimal-linux.json
-
Begin the build. This requires at least two variables,
spel_identifierandspel_version. See the section Packer Variables for more details.NOTE: This will build images for all the builders defined in the template. Use
packer build --helpto see how to restrict the build to to a subset of the builders.packer build \ -var 'vagrantcloud_username=myvagrantclouduser' \ -var 'spel_identifier=unique-project-id' \ -var 'spel_version=0.0.1' \ spel/minimal-linux.jsonIf building the VirtualBox or VMware images for use with Vagrant, the template is configured to host the resulting images with Hashicorp Vagrant Cloud. This requires passing the variable
vagrantcloudand exporting the environment variableVAGRANTCLOUD_TOKEN.
The Minimal Linux template builds STIG-partitioned images with a set of packages that correspond to the "Minimal" install option in Anaconda. Further, the AWS images include a handful of additional packages that are intended to increase functionality in EC2 and make the images more comparable with Amazon Linux.
- Template Path:
spel/minimal-linux.json
The Minimal Linux packer template supports the following user variables (and
defaults):
"variables": {
"ami_force_deregister": "false",
"ami_groups": "",
"ami_regions": "",
"ami_users": "",
"vagrantcloud_username": "",
"vagrantcloud_token": "{{env `VAGRANTCLOUD_TOKEN`}}",
"aws_region": "us-east-1",
"spel_amigen6source": "https://github.com/ferricoxide/AMIgen6.git",
"spel_amigen7source": "https://github.com/lorengordon/AMIgen7.git",
"spel_amiutilsource": "https://github.com/ferricoxide/Lx-GetAMI-Utils.git",
"spel_awsclisource": "https://s3.amazonaws.com/aws-cli",
"spel_customreporpm6": "",
"spel_customreporpm7": "",
"spel_customreponame6": "",
"spel_customreponame7": "",
"spel_disablefips": "",
"spel_desc_url": "https://github.com/plus3it/spel",
"spel_epel6release": "https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm",
"spel_epel7release": "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm",
"spel_epelrepo": "epel",
"spel_extrarpms": "",
"spel_identifier": "",
"spel_version": "",
"iso_url_centos6": "http://mirror.yellowfiber.net/centos/6.9/isos/x86_64/CentOS-6.9-x86_64-minimal.iso",
"source_ami_centos6_hvm": "ami-bfb356d2",
"source_ami_centos6_pvm": "ami-e2120888",
"source_ami_centos7_hvm": "ami-650a1672",
"source_ami_rhel6_hvm": "ami-1b05b10d",
"source_ami_rhel7_hvm": "ami-cdc999b6",
"ssh_private_ip": "false",
"subnet_id": "",
"vpc_id": ""
}| Variable Name | Description |
|---|---|
vagrantcloud_username |
Username in Hashicorp Vagrant Cloud |
vagrantcloud_token |
Authentication token for Vagrant Cloud (env: VAGRANTCLOUD_TOKEN) |
spel_identifier |
Project ID to associate to the resulting images |
spel_version |
Version to assign to the resulting image(s) |
spel_amigen6source |
URL to the git repository for the AMIGen6 project |
spel_amigen7source |
URL to the git repository for the AMIGen7 project |
spel_amiutilsource |
URL to the git repository for the Lx-GetAMI-Utils project |
spel_awsclisource |
URL to the site hosting the file awscli-bundle.zip |
spel_customreporpm6 |
URL to a custom release RPM containing base repos for EL6 |
spel_customreporpm7 |
URL to a custom release RPM containing base repos for EL7 |
spel_customreponame6 |
Name(s) of the custom yum repos (* or comma-separated) for EL6 |
spel_customreponame7 |
Name(s) of the custom yum repos (* or comma-separated) for EL7 |
spel_disablefips |
Flag that disables FIPS in EL7 AMIs |
spel_desc_url |
URL to detailed description of AMI |
spel_epel6release |
URL to the release RPM for the EPEL 6 repo |
spel_epel7release |
URL to the release RPM for the EPEL 7 repo |
spel_epelrepo |
Name of the epel repo (if different than "epel") |
spel_extrarpms |
Comma-separated list of extra package/@group names to pass to yum |
All other variables in the packer template map directly to variables defined
in the packer docs for the amazon-ebs builder or the virtualbox-iso
builder or the vmware-iso builder.
The Minimal Linux packer template includes the following builders:
| Builder Name | Description |
|---|---|
minimal-centos-6.9-hvm |
amazon-ebs builder that results in a minimal CentOS 6.9 HVM AMI |
minimal-centos-6.9-pvm |
amazon-ebs builder that results in a minimal CentOS 6.9 PVM AMI |
minimal-rhel-6.9-hvm |
amazon-ebs builder that results in a minimal RHEL 6.9 HVM AMI |
minimal-centos-7.3-hvm |
amazon-ebs builder that results in a minimal CentOS 7.3 HVM AMI |
minimal-rhel-7.4-hvm |
amazon-ebs builder that results in a minimal RHEL 7.4 HVM AMI |
minimal-centos-6.9-virtualbox |
virtualbox-iso builder that results in a minimal CentOS 6.9 OVA |
minimal-centos-6.9-vmware |
vmware-iso builder that results in a minimal CentOS 6.9 OVF |
The Minimal Linux packer template includes the following post-provisioners:
-
vagrant: The vagrant post-provisioner creates vagrant boxes from on thevirtualboxandvmwareimages. -
vagrant-cloud: The vagrant-cloud post-provisioners upload the vagrant boxes to Hashicorp Vagrant Cloud.
To build images for the AWS US GovCloud region, us-gov-west-1, it is
necessary to pass several variables that are specific to the region. The AMIs
below have been tested and/or created in us-gov-west-1 to work with the
spel template(s). Also, the builders should be restricted so as not to
build the Vagrant images.
packer build \
-var 'spel_identifier=unique-project-id' \
-var 'spel_version=0.0.1' \
-var 'aws_region=us-gov-west-1' \
-var 'source_ami_centos6_hvm=ami-03bb0462' \
-var 'source_ami_centos6_pvm=ami-62b70803' \
-var 'source_ami_rhel6_hvm=ami-caee51ab' \
-except 'minimal-centos-6.9-virtualbox,minimal-centos-6.9-vmware' \
spel/minimal-linux.json- Create a versioned vagrant box catalog and push boxes to a self-hosted vagrant "cloud".