Support #22030
closed
Have a testing environment where /tmp is noexec
Added by Peter Amstutz 3 months ago.
Updated 2 months ago.
Description
Need to emulate the hardened images that certain users use.
Evaluate options:
- Existing hardened images (may be commercial)
- Building a custom image with /tmp noexec
Find a starting point that is more like the hardened images users use.
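As an added example (not from this ticket or the Arvados project), here is a POSIX shell script that confirms whether a candidate test environment really has /tmp mounted with the noexec flag: one function parses /proc/mounts-format lines for a given mount point, and a second one probes whether a file written into a directory can actually be executed. The sample mount table is constructed for the example, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not Arvados code): verify that a test environment has /tmp
# mounted noexec, as the ticket requires for emulating hardened images.
#
# For a custom image, an /etc/fstab line such as
#   tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0
# mounts /tmp as a noexec tmpfs at boot; the checks below confirm the result.

# mount_has_noexec MOUNTPOINT  (reads /proc/mounts-format lines on stdin)
# Returns 0 if the mount entry for MOUNTPOINT includes "noexec", 1 otherwise.
# /proc/mounts fields: device mountpoint fstype options dump pass. When a path
# is mounted more than once the last line wins, so later entries override.
mount_has_noexec() {
    awk -v mp="$1" '
        $2 == mp {
            found = 0
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "noexec") found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# exec_probe DIR: write a tiny script into DIR and try to run it.
# Returns 0 if it ran, 1 if execution was refused (what a noexec mount causes).
exec_probe() {
    probe="$1/noexec-probe.$$"
    printf '#!/bin/sh\nexit 0\n' > "$probe" && chmod 0755 "$probe"
    if "$probe" 2>/dev/null; then rc=0; else rc=1; fi
    rm -f "$probe"
    return "$rc"
}

# Constructed sample in /proc/mounts format (not captured from a real host):
# /tmp is a noexec tmpfs, while / and /var/tmp allow execution.
SAMPLE_MOUNTS='/dev/nvme0n1p1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=1048576k 0 0
/dev/nvme0n1p1 /var/tmp ext4 rw,relatime 0 0'

# Stand-alone run: report on the sample, then on the live host if possible.
printf '%s\n' "$SAMPLE_MOUNTS" | mount_has_noexec /tmp \
    && echo "sample: /tmp is mounted noexec" \
    || echo "sample: /tmp is NOT mounted noexec"
printf '%s\n' "$SAMPLE_MOUNTS" | mount_has_noexec /var/tmp \
    && echo "sample: /var/tmp is mounted noexec" \
    || echo "sample: /var/tmp is NOT mounted noexec"
if [ -r /proc/mounts ]; then
    mount_has_noexec /tmp < /proc/mounts \
        && echo "live: /tmp is mounted noexec" \
        || echo "live: /tmp allows execution"
    exec_probe /tmp \
        && echo "live: a script placed in /tmp ran" \
        || echo "live: a script placed in /tmp was refused"
fi
```

On a correctly hardened image both live lines should report noexec: the mount-table check and the execution probe must agree, and a disagreement (for example a bind mount or a tmpfs layered over /tmp after boot) is exactly the kind of drift this test environment exists to catch.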
- Target version changed from Development 2024-08-28 sprint to Development 2024-09-11 sprint
- Description updated (diff)
- Subject changed from Have a testing environment where /tmp is noexec to Have a testing VM image (AMI) where /tmp is noexec
- Blocks Bug #21999: Support compute nodes with /tmp mounted with "noexec" flag added
- Assigned To set to Lucas Di Pentima
- Subject changed from Have a testing VM image (AMI) where /tmp is noexec to Have a testing environment where /tmp is noexec
- Description updated (diff)
- Description updated (diff)
- Status changed from New to In Progress
I've found a couple of viable options, depending on the use case:
Continuous use
There's a GitHub project called Ansible Lockdown that provides a list of Ansible repositories to configure different OSes to be compliant with CIS Level 1.
This would allow us to create our own "golden AMIs" at no cost other than the time required to apply them to our packer scripts.
Quick testing
If we just want to do a one-off test, there are preexisting AMIs offered by the CIS itself on AWS. They cost $0.022/h in addition to the EC2 costs, so that would be around $15 per month per instance.
This would allow us to focus on only making sure our packer scripts work nicely with this kind of image without investing time in creating the CIS-1 compliant images ourselves.
- Status changed from In Progress to Resolved
Marking this as resolved as we have a couple of options to analyze on our next sprint review.