How to build hardened Image using Packer

Introduction

Hello Friends 👋 , hope everyone doing well. In this blog, I am going to share how we can use Packer to secure the underlying GCP Compute Instance

Pre-requisite

What is Packer and what problem it solves

Packer is the tool that helps to create custom images in an automated fashion. Imagine You want to make sure each instance that you create should have Nginx installed You could go with the following solutions.

The first solution is not the efficient way because

So the second solution may seem efficient one

Creation of custom images may be achieved in two ways

Packer helps to create the custom images in an automated way

Below are the few advantages of the Packer

Achieving security using Packer

Let’s see how we can achieve security using Packer. Many people tend to think using the cloud makes us secure by default but it’s not true in many cases. Cloud works in the way of shared responsibility, which means there is some level where cloud providers take care of the security where customers have to take care of some security thing

Let’s take the example in Compute Instance Google cloud take care of the underlying infrastructure where users take care of the security at the Operating System level. We have to make sure the software installed in the Instance is updated one and configured in a secured way

Enough of theory lets see in action For the demo I am going to spin up the Simple Compute instance with Ubuntu as the base Image with Docker Installed

Now I am running Docker-CIS-benchmark script on the instance that we have created

You could see the script able to find many security flaws and currently, we are getting Score-11 to let’s see how we can improve it

Creating Hardened Image using Packer

Creating Hardened Image is the two step process

First, we have to create the Service account with the necessary permission to create the custom Image

Go to the Service account under IAM and Click CREATE SERVICE ACCOUNT option

Enter the Service account name and the description and Click create

Add the Compute-admin and Service-Account-user Role to the Service account and click Done

Click the created Service-account name on the Service account Page Select the Keys and click ADD KEY and click create a new key

Select the JSON option and click create

Note: Make sure to store the downloaded key somewhere safe if the key gets compromised the attacker can access the resources in the GCP

Build the custom Image

Clone the repo using the below command

$ git clone https://github.com/JOSHUAJEBARAJ/packer-demo.git

Now move into the cloned folder

cd packer-demo

The folder has three files

Replace the below content of the build.json file

Image name

The image name of the resultant Image(It should be unique)

account file

Name of the Service account file

Project_id

Replace the Project ID with your Project ID

Now type the below command in the terminal to validate the packer configuration file

$ packer validate build.json

Now build the image using the below command

$ packer build build.json

Now create the instance using the custom image that we created above During creation of the instance change the boot disk of the disk by clicking change

Now under custom image select harden-image and click select

Now I am again running the Benchmark script on the instance with the customized base Image you could we bumped the score from 11 to 19

This is the simple example that I have shown in the blog you can leverage the provisioner like ansible to create the more secure and custom image of your choice for various builders

Conclusion

Thank you for reading my blog I hope you learned something ,If you have any comments or questions feel free to reach out to me on Twitter Feel free to check out my other articles at my-website

References

Originally published at https://www.joshuajebaraj.com.