Hardening of vm images (cis compliance, partitioning) experience, guides?

1

I am putting this in general, since it is a basic VM usecase, but would of course like to solve it with incus tooling. :slight_smile:

Has anyone here implemented cis compliance / hardening for vm images or containers?

I know that there are ansible playbooks to check and configure the hosts post deployment.
I would prefer to handle it one step earlier and include it in the vm profile and for example solve some of it via cloudinit.
Or is this something distrobuilder would solve?

Especially the partitioning with separate (logical) volumes for /var /var/log /home makes great sense to me but it seams quite hard to implement after the os installation is done.

I really love the idea of prepackaged images
and would try to avoid dealing with packer wherever possible.

Currently we are installing a debian vm once a new release gets published and during installation process we switch in another terminal an do the partitioning by hand. and then convert the vm into a template.
Our partitioning scheme looks like this currently:
sda1 /boot
sda2 /boot/efi
sdb root-vg:
rootvg-root
rootvg-home
rootvg-var
rootvg-log
And then do the other hardening part using ansible playbooks post deployment for each vm.

How are you guys handling this topic?
If this is an long solved problem then feel free to link any talks/repos on that topic.

Thank you in advance.

2

Hey, I use custom images with Incus, including custom partitioning for CIS. Sadly, I do use Packer ;( , I don’t think Distrobuilder can configure partitions but I’ll defer to anyone else who’s actually used it.

This is a pretty outdated repo (I’m up to Fedora 43, I’ve changed to gitea actions, etc) but it contains the Packer and kickstart files you could use to build a RHEL image.

For Debian, there are 2 ways I know about to do partitionining: FAI , which is used by the Debian cloud images , or partman/preseed. The Wikimedia Foundation’s puppet repo has a lot of examples of partman recipes. Here’s a link to their tech docs on Partman.

I work for WMF and I can tell you that we don’t love partman. In fact, I am trying to learn FAI just to get away from it. To that end, I have some extremely sloppy ansible playbooks that:

  1. Install libvirt
  2. Install/configure FAI
  3. Install a Debian VM

This is all crap I threw together over a weekend, so it may or may not work for you. Hopefully it gives you at least some direction though. Good luck!