Virtual Machine Image Endorsement

From EGIWiki
Jump to: navigation, search

Contents

Description

Goal

Set up a process assuring that a Virtual Machine Image (VMI)/ Virtual Appliance (VA) published in AppDB is well-configured, secure and up-to-date.

Members

Contacts

SSO group available: vm-image-endorsement@mailman.egi.eu

Image types

Type Description Managed by
EGI General purpose images. Based on broadly used OSes EGI
VO-specific VO specific images, available to a specific VO and customized for specific purposes VO-expert

Activities and workflow

Endorsement-workflow-process.png

Activity Description
A1. Creation Set up an image ready to be used by a Resource Provider
A2. Configuration Configuration assures that packages are up to date and no wrong default configurations are left for any applications/services
A3. Hardening Security is provided by applying CSIRT guidelines for the VMI Endorsement
A4. Publishing Make image available on AppDB with proper tags, metadata, links

Documents and Policies

Policies are defined by the SPG group and are published in the https://wiki.egi.eu/wiki/SPG:Documents

It is particularly relevant the Security Policy for the Endorsement and Operation of Virtual Machine Images and a draft of a Virtualisation Policy.

SPG Drafts under development

Hardening guidelines

Checklist kindly provided by David Groep. CSIRT working on official guidelines.

Securing services

Follow the best practice guides for each service that's offered to the outside world. For instance, guides for:

Configuration

For more details, see AWS Security Best Practices, in particular Creating Custom AMIs, page 41+

Vulnerability assessment

Instantiate the image on a local network (without global connectivity) and run vulnerability assessment tools against it.

Web applications

For web applications, run one or more of

Then explain notices on the false positives that are there.

Publishing

When publishing, each image will bring its own tags and metadata in AppDB (TBD).

Registering appliance

Managing appliance

APPDB REST API

Continuous improvement

It is important to understand how much each image is used. The "popularity" of a given image can be:

Also important to have feedback from CSIRT on each image to understand if the procedure is effective.

Procedures for EGI images

Activity Initial activity Ongoing activity
A1. Creation Set up the procedure for a given image Use the procedure to create/update the image according to a given policy (on security issue, on request, every X days… )
A2. Configuration Create VMI configuration procedure for a given image Apply VMI configuration procedure to a given image
A3. Hardening Create VMI hardening procedure for a given image based on guidelines Apply VMI hardening procedure to a given image
A4. Publishing Publish the image on AppDB Publish the image on AppDB

Ubuntu 12 and Ubuntu 14

Creation

Ubuntu images are create from the net install images with minimal installations. Once installed, the packages MUST be upgraded to the latest version available. Size of the image should be as small as possible (recommended below 1.5GB) to ease distribution.

Extra packages to install (from the basic installation):

See https://github.com/EGI-FCTF/VMI-endorsement/tree/master/ubuntu for a Packer configuration to build and configure such images

Configuration

Hardening

Only service running is SSH. TODO: add firewall configuration in Ubuntu

Publishing

Image must be published as OVA package including:

OVA should be uploaded to the EGI Appliance Repository at http://appliance-repo.egi.eu/images/EGI-endorsed/ubuntu/ and named as follows:

ubuntu-14.04-YYYYMMDD.ova

or

ubuntu-12.04-YYYYMMDD.ova

where YYYYMMDD is the date of creation.

The image will be linked into AppDB at the https://appdb.egi.eu/store/vappliance/egi.ubuntu.14.04 and https://appdb.egi.eu/store/vappliance/egi.ubuntu.12.04

Image must be updated for every security update related with the base system.

CentOS6

Creation

CentOS provides minimal images (e.g. net install images) that allow to perform minimal installations. These should be used as basis for the creation of images to avoid large image sizes and the installation of non-needed software. Once installed, the packages MUST be upgrade to the latest version available. Size of the image should be as small as possible (recommended below 1.5GB) to ease distribution.

Extra packages to install (from the basic installation):

See https://github.com/EGI-FCTF/VMI-endorsement/tree/master/centos for a Packer configuration to build and configure such image.

Configuration

Hardening

CentOS default installation already comes with firewall enabled, configuration as described above should be ok for SSH. Postfix is running in the VM (dependency of cron and cloud-init), but only listens on localhost.

TODO: fix firewall configuration in CentOS 6.

Publishing

Image must be published as OVA package including:

OVA should be uploaded to the EGI Appliance Repository at http://appliance-repo.egi.eu/images/EGI-endorsed/centos/6/ and named as follows:

centos-6-YYYYMMDD.ova

where YYYYMMDD is the date of creation.

The image will be linked into AppDB at the https://appdb.egi.eu/store/vappliance/egi.centos.6

Image must be updated for every security update related with the base system.

Procedures for VO images

The procedure is similar as to EGI images, but a VO expert (endorser) is fully responsible for the process of the endorsement of a specific VM. For the fedcloud.egi.eu VO the VO expert will get special help from EGI experts.

References

AppDB

Personal tools
Namespaces
Variants
Actions
Navigation
Toolbox
Print/export