Here is a short HOWTO that results in a custom Amazon AWS EC2 AMI with the Puppet Enterprise agent installed and set up to connect to the Puppet master server. This method uses a third-party tool called Packer.io, which greatly simplifies and automates the AMI build process in a scriptable and pragmatic way. It is a very easy way to build hypervisor OS template images with the Puppet agent pre-installed for AWS, Docker, Google Cloud, OpenStack, Parallels, QEMU, VirtualBox, or VMware.
I’ve written and published a Puppet module to load AWS EC2 tags into Puppet as facts. So now when you tag your EC2 instance, the tag is usable by Puppet. AWS CLI tools are automatically installed and set up; you just have to provide your key and secret with read access to the tags. An example policy is provided.
GRSecurity is a set of patches for the Linux kernel that emphasizes security enhancements. These are third-party patches not included in the vanilla Linux kernel, so if you run an industry-standard Linux OS like CentOS or Ubuntu you will need to compile your own package or get it from a third party. This script aims to automate the process and make it easier to implement and administer.
GFA v1.0 is hard-coded for 64-bit OSes and has only been tested on CentOS 6. If there is interest, support for APT-based (Debian/Ubuntu) systems could be added.
- Easy to use
- Easy to update to latest supported GRSec and kernel versions
- Documented groups for easier management
- RPM creation capability for easier implementation and reproducible results
- Open source
- All sources from verifiable upstream locations
- Text based GUI for easy configurability and remote deployment
New groups you will need to know about:

| Group | GID | Purpose |
|---|---|---|
| grs-proc | 2000 | For non-root users that need access to the /proc filesystem. Anyone who is not root and not in this group will not be able to see other users' processes or who else is logged in. |
| grs-tpe | 2001 | All users in this group can only exec files in root-owned directories writable only by root, nothing more. Not even ~/bin/. |
| grs-sock-all | 2002 | Disables all socket access for members. |
| grs-sock-client | 2003 | Disables all client socket access for members. |
| grs-sock-sever | 2004 | Disables all server socket access for members. |
| grs-audit | 2005 | Enforces full auditing through syslog. Logs exec, ptrace, mount, sig, and chdir of these users. |
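As an added illustration (not part of the GFA script or its output), the following POSIX shell snippet plans the creation of these six groups on a host that receives the kernel RPM, flags a group that already exists with a different GID (a mismatch that would silently apply the restriction to the wrong users), and emits the matching sysctl lines. The group names and GIDs are taken from the table above; the `kernel.grsecurity.*_gid` and `grsec_lock` key names are assumed from the grsecurity sysctl documentation and should be checked against the running kernel.

```shell
#!/bin/sh
# Added example, not part of GFA: plan GFA group creation and the sysctl lines
# that bind each GID to its grsecurity feature.

# Columns: GID, group name (from the GFA table), grsecurity sysctl key (assumed name).
GFA_GROUPS="2000 grs-proc proc_gid
2001 grs-tpe tpe_gid
2002 grs-sock-all socket_all_gid
2003 grs-sock-client socket_client_gid
2004 grs-sock-sever socket_server_gid
2005 grs-audit audit_gid"

# Print the groupadd commands still needed, reading an /etc/group-style file
# (default /etc/group). Output is a reviewable plan; run the lines as root.
gfa_plan_groups() {
    group_file="${1:-/etc/group}"
    printf '%s\n' "$GFA_GROUPS" | while read -r gid name key; do
        existing=$(grep "^${name}:" "$group_file" 2>/dev/null | cut -d: -f3)
        if [ -z "$existing" ]; then
            echo "groupadd -g $gid $name"
        elif [ "$existing" = "$gid" ]; then
            echo "# $name already exists with GID $gid"
        else
            # A wrong GID means the sysctl below would target a different group.
            echo "# WARNING: $name exists with GID $existing, expected $gid; fix before enabling the sysctl"
        fi
    done
}

# Print sysctl.conf lines binding each GID to its feature. The lock line must
# come last: once grsec_lock is set, these values cannot be changed until reboot.
gfa_sysctl_conf() {
    printf '%s\n' "$GFA_GROUPS" | while read -r gid name key; do
        echo "kernel.grsecurity.$key = $gid"
    done
    echo "kernel.grsecurity.grsec_lock = 1"
}

# Usage: sh gfa-groups.sh plan [/path/to/group-file]
if [ "${1:-}" = "plan" ]; then
    gfa_plan_groups "${2:-/etc/group}"
    gfa_sysctl_conf
fi
```

Review the plan output before applying it: the groupadd lines are idempotent with respect to the group file you pass, and the sysctl block should go into a file under /etc/sysctl.d/ only after the groups exist with the expected GIDs.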
Installation / Implementation:
```
[root@colo3 src]# ./BryanAndrews.org-GFA.sh

This script is an automation tool for downloading, patching, and compiling the Linux kernel
with GRSec security patches. Supplemental GRSec related tools like gradm and paxctl are
included. Optional RPM packaging and RPM .SPEC creation is done. These RPM and .SPEC files
are saved in the current users home directory. This is hard coded for 64bit systems only.

If you later install the produced kernel RPM package you will need to create the groups
specified below. These are also adjustable in the sysctl settings before the system is locked.

The following groups will be created for you:

Group GID 2000 grs-proc         This group is for non-root users that need access to the /proc system.
Group GID 2001 grs-tpe          All users in this group are only able to exec files in root owned dirs writable by root, nothing more.
Group GID 2002 grs-sock-all     Group to disable all socket access.
Group GID 2003 grs-sock-client  Group to disable all client only socket access.
Group GID 2004 grs-sock-sever   Group to disable all server only socket access.
Group GID 2005 grs-audit        Group to enforce full auditing through syslog. Logs exec, ptrace, mount, sig, and chdir.

Build root directory: /usr/src
GRSEc version: 3.0
GRSec Release: 201407151835
GRAdmin Release: 201407162022
Linux Kernel version: 3.2.61
PAXctl version: 0.8
Make RPMs?: y
This RPM release number: 7

BUILD ROOT              /usr/src
RPM RELEASE             7
KERNEL Version          3.2.61
GRSEC Version           3.0
GRSEC RELEASE           201407151835
GRADMN RELEASE          201407162022
CPU CORES               8
LOG File                /usr/src/bryans_grsec-201407172043.log
BOOT PATH               /boot/
PAX URL                 http://pax.grsecurity.net/paxctl-0.8.tar.gz
GRSEC URL               http://grsecurity.net/stable/grsecurity-3.0-3.2.61-201407151835.patch
GRADM URL               http://grsecurity.net/stable/gradm-3.0-201407162022.tar.gz
KERNEL URL              https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.2.61.tar.xz
KERNEL TARBALL          linux-3.2.61.tar.xz
DESTINATION PACKAGE DIR /root

This will download, install, and compile the Linux GRSec kernel on this system.
If you do not want to do this press CTRL+C now to quit.

Press any key to continue...

Installing prereq tools to build the kernel... OK
Downloading kernel 3.2.61 and GRSec patch 3.0... OK
Creating GRSec kernel configs in grsec_kernel_config.cfg with defaults OK
Using live kernel config to create a compatible new GRSec 3.0 config... OK
Building paxctl RPM... OK
Building gradm RPM... OK
Hacking the kernel repos generated spec file to install the kernel in grub when you install the RPM... OK
Setting the kernel RPM release to 7... OK
Building kernel 3.2.61-grsec RPM using 8 threads... OK
Checking for Kernel SRC RPM... OK
Checking for Kernel RPM... OK
Checking for Kernel headers RPM... OK
---------------------------------------------------------------------------------
RUN COMPLETED SUCCESSFULLY
Created /root/paxctl-0.8-7.x86_64.rpm
Created /root/gradm-3.0-7.x86_64.rpm
Created /root/kernel-3.2.61_grsec-7.src.rpm
Created /root/kernel-3.2.61_grsec-7.x86_64.rpm
Created /root/kernel-headers-3.2.61_grsec-7.x86_64.rpm
---------------------------------------------------------------------------------
[root@colo3 src]#
```
GRSec Full Automation by Bryan Andrews is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.