Support #22030
Status: closed
Subject: Have a testing environment where /tmp is noexec
Description
Need to emulate the hardened images that certain users use.
Evaluate options:
- Existing hardened images (may be commercial)
- Building a custom image with /tmp noexec
Find a starting point that is more like the hardened images users use.
Updated by Peter Amstutz 3 months ago
- Target version changed from Development 2024-08-28 sprint to Development 2024-09-11 sprint
Updated by Peter Amstutz 3 months ago
- Description updated (diff)
- Subject changed from Have a testing environment where /tmp is noexec to Have a testing VM image (AMI) where /tmp is noexec
Updated by Peter Amstutz 3 months ago
- Blocks Bug #21999: Support compute nodes with /tmp mounted with "noexec" flag added
Updated by Peter Amstutz 3 months ago
- Assigned To set to Lucas Di Pentima
- Subject changed from Have a testing VM image (AMI) where /tmp is noexec to Have a testing environment where /tmp is noexec
Updated by Lucas Di Pentima 3 months ago
I've found a couple of viable options, depending on the use case:
Continuous use
There's a GitHub project called Ansible Lockdown that provides a list of Ansible repositories to configure different OSes to be compliant with CIS Level 1.
This would allow us to create our own "golden AMIs" at no cost other than the time required to apply them to our packer scripts.
Quick testing
If we just want to do a one-off test, there are preexisting AMIs offered by the CIS itself on AWS. They cost $0.022/h in addition to the EC2 costs, so that would be around $15 per month per instance.
This would allow us to focus on only making sure our packer scripts work nicely with these kinds of images without investing time in creating the CIS-1 compliant images ourselves.
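Whichever option is chosen, the test environment is only useful if /tmp really is mounted noexec, so it is worth having a check for that and a demonstration of the failure a compute job would hit. The script below is an added example, not code from the Arvados project, Ansible Lockdown or the CIS images. It assumes the /proc/mounts line format (source, mountpoint, fstype, options, dump, pass); the function names and the sample mount-table lines in the usage note are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Arvados project code. Checks a mount table for a noexec
# /tmp and shows what a workload sees on such a host.

# Reads /proc/mounts-format lines on stdin and reports whether $1 is mounted
# noexec. Exit status: 0 = noexec, 1 = mounted but exec allowed,
# 2 = no entry at all (the path is a plain directory on its parent filesystem
# and inherits the parent's options, which on a CIS image is a finding).
mount_is_noexec() {
  target="$1"
  result=2
  while read -r _src mnt _fstype opts _rest; do
    [ "$mnt" = "$target" ] || continue
    # A later mount on the same path shadows an earlier one, so keep reading
    # and let the last matching entry decide.
    case ",$opts," in
      *,noexec,*) result=0 ;;
      *)          result=1 ;;
    esac
  done
  return "$result"
}

# Demonstrates the failure mode: a script written to $1 and marked executable
# cannot be run directly (execve fails with EACCES, "Permission denied"), but
# the same file still runs when handed to the interpreter, because sh only
# reads it. Anything that must mmap or exec a file from /tmp (a compiled
# helper, a shared library, a self-extracting installer) has no such fallback.
probe_exec() {
  dir="$1"
  f="$dir/noexec-probe.$$"
  printf '#!/bin/sh\necho ran\n' > "$f"
  chmod 0755 "$f"
  if "$f" >/dev/null 2>&1; then
    echo "direct exec in $dir: allowed"
  else
    echo "direct exec in $dir: denied"
  fi
  printf 'via interpreter: '
  sh "$f"
  rm -f "$f"
}

# Turns the current host into a one-off test environment (needs root). These
# are the options the CIS benchmarks ask for on /tmp; to make them persistent
# put the equivalent line in /etc/fstab instead:
#   tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0
make_tmp_noexec() {
  mount -t tmpfs -o nosuid,nodev,noexec tmpfs /tmp
}

case "${1:-}" in
  --check) mount_is_noexec /tmp < /proc/mounts; echo "mount_is_noexec /tmp -> $?" ;;
  --probe) probe_exec /tmp ;;
  --apply) make_tmp_noexec ;;
esac
```

On a candidate image, `sh noexec-check.sh --check` should print `-> 0`; `--probe` should print `direct exec in /tmp: denied` followed by `via interpreter: ran`. `--apply` mounts a fresh tmpfs over /tmp, which hides whatever was already there and does not survive a reboot, so it is only suitable for a throwaway instance; a golden AMI should carry the fstab line instead. The exit code 2 case matters because on a stock image /tmp is usually just a directory on the root filesystem, and the check must not report that as "mounted noexec".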
Updated by Lucas Di Pentima 2 months ago
- Status changed from In Progress to Resolved
Marking this as resolved as we have a couple of options to analyze on our next sprint review.