Make GitLab instance CIS level 2 compliant #5990

Open
nolunwa-ucsc opened this issue Feb 26, 2024 · 8 comments
Assignees
Labels
-- [priority] Low
compliance [subject] Information and software security
enh [type] New feature or request
infra [subject] Project infrastructure like CI/CD, build and deployment scripts
operator [process] To be addressed by whoever is operator
orange [process] Done by the Azul team
spike:8 [process] Spike estimate of eight points

Comments

nolunwa-ucsc commented Feb 26, 2024

We use AWS Config and AWS Security Hub for automated management and verification of configuration settings.
The team should configure or verify that Security Hub is configured to validate the AWS account against the
CIS AWS Foundations Benchmark (CIS level 2 Benchmark). This is required for the NIST SP 800-53 rev 5 standard.

@nolunwa-ucsc nolunwa-ucsc added the orange [process] Done by the Azul team label Feb 26, 2024
@nolunwa-ucsc nolunwa-ucsc changed the title from "Scanning should be done against CIS AWS Foundations Benchmark (CIS level 2 Benchmark)" to "Scanning should be done against CIS level 2 Benchmark." Feb 26, 2024
@dsotirho-ucsc dsotirho-ucsc changed the title from "Scanning should be done against CIS level 2 Benchmark." to "Make GitLab instance CIS level 2 compliant" Feb 27, 2024
@dsotirho-ucsc
Contributor

@hannes-ucsc: "During the 2023 assessment, we were asked to perform a scan of the GitLab instance against the CIS benchmark. There were a number of level 2 findings that we ignored because r4 of FedRamp only required CIS level 2. The scan was one-shot only and we used and still are using CIS level 1 hardened AMI, which we pay a subscription fee for. Spike to investigate if there is a similar AMI that is hardened against level 2."

@dsotirho-ucsc dsotirho-ucsc added the spike:1 [process] Spike estimate of one point label Feb 27, 2024
@dsotirho-ucsc dsotirho-ucsc self-assigned this Feb 27, 2024
@dsotirho-ucsc
Contributor

…we used and still are using CIS level 1 hardened AMI, which we pay a subscription fee for. Spike to investigate if there is a similar AMI that is hardened against level 2.

CIS Amazon Linux 2 Benchmark - Level 2
By: Center for Internet Security - Latest Version: 2.0.0.29
$0.045/hr

Other CIS hardened images can be found here: https://www.cisecurity.org/cis-hardened-images/amazon

@dsotirho-ucsc dsotirho-ucsc removed their assignment Mar 11, 2024
@dsotirho-ucsc
Contributor

Spike to test this image in anvildev.gitlab and confirm that all containers start up and that timer units are functional.

@dsotirho-ucsc dsotirho-ucsc self-assigned this Mar 12, 2024
@dsotirho-ucsc dsotirho-ucsc added spike:5 [process] Spike estimate of five points operator [process] To be addressed by whoever is operator and removed spike:1 [process] Spike estimate of one point labels Mar 12, 2024
@achave11-ucsc
Member

Assignee to summarize spike results.

@dsotirho-ucsc
Contributor

Assignee to summarize spike results.

Attempting to deploy the CIS Amazon Linux 2 Benchmark v2.0.0.29 AMI failed with an error attempting to connect the GitLab data volume to mount point /dev/sdf.
Upon creation of the new instance, two volumes are created instead of just one as with the previous AMI. The two volumes are a 20GB root volume and a 40GB volume of unknown purpose.

Subject: [PATCH] Make GitLab instance CIS level 2 compliant (#5990)
---
Index: terraform/gitlab/gitlab.tf.json.template.py
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/terraform/gitlab/gitlab.tf.json.template.py b/terraform/gitlab/gitlab.tf.json.template.py
--- a/terraform/gitlab/gitlab.tf.json.template.py	(revision 2639f5bd9f768879e5623113b19f694d86c99686)
+++ b/terraform/gitlab/gitlab.tf.json.template.py	(revision e83203fdc3055fea2b669d8ee709c079f43475ea)
@@ -239,10 +239,10 @@
 # For instructions on finding the latest CIS-hardened AMI, see
 # OPERATOR.rst#upgrading-linux-ami
 #
-# CIS Amazon Linux 2 Kernel 4.14 Benchmark v2.0.0.29 - Level 1-4c096026-c6b0-440c-bd2f-6d34904e4fc6
+# CIS Amazon Linux 2 Benchmark v2.0.0.29 - Level 2-c41d38c4-3f6a-4434-9a86-06dd331d3f9c
 #
 ami_id = {
-    'us-east-1': 'ami-02adfaf34663c8edb'
+    'us-east-1': 'ami-044f22d25234fc98b'
 }
 
 gitlab_mount = '/mnt/gitlab'
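Review bot: swapping only the AMI id at `'us-east-1': 'ami-044f22d25234fc98b'` leaves the data-volume attachment at its old device, and the Level 2 image attaches a second volume of its own (the 40GB volume on /dev/sdf in the describe-volumes output below), so this hunk needs to land together with a change to `device_name` and the cloud-config mount or `terraform apply` fails with "Attachment point /dev/sdf is already in use" as recorded below. While the comment block above `ami_id` is being touched, add a line noting that this AMI ships with an extra /var volume on /dev/sdf so the next operator following OPERATOR.rst#upgrading-linux-ami is not surprised by it.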
aws_volume_attachment.gitlab: Still destroying... [id=vai-3140407683, 1m40s elapsed]
aws_volume_attachment.gitlab: Destruction complete after 1m45s
aws_instance.gitlab: Destroying... [id=i-00ebb81df55939cd8]
aws_instance.gitlab: Still destroying... [id=i-00ebb81df55939cd8, 10s elapsed]
aws_instance.gitlab: Destruction complete after 11s
aws_instance.gitlab: Creating...
aws_instance.gitlab: Still creating... [10s elapsed]
aws_instance.gitlab: Creation complete after 14s [id=i-08cd638ab8733ae08]
aws_volume_attachment.gitlab: Creating...
aws_lb_target_group_attachment.gitlab_git: Creating...
aws_lb_target_group_attachment.gitlab_http: Creating...
aws_lb_target_group_attachment.gitlab_ssh: Creating...
aws_lb_target_group_attachment.gitlab_ssh: Creation complete after 0s [id=arn:aws:elasticloadbalancing:us-east-1:289950828509:targetgroup/azul-gitlab-ssh/d2912ab83eb390e7-20240318214800354000000002]
aws_lb_target_group_attachment.gitlab_git: Creation complete after 0s [id=arn:aws:elasticloadbalancing:us-east-1:289950828509:targetgroup/azul-gitlab-git/385495552953ed11-20240318214800426900000003]
aws_lb_target_group_attachment.gitlab_http: Creation complete after 0s [id=arn:aws:elasticloadbalancing:us-east-1:289950828509:targetgroup/azul-gitlab-http/a8a428c48fbd0f85-20240318214800450600000004]
aws_volume_attachment.gitlab: Still creating... [10s elapsed]
╷
│ Error: attaching EBS Volume (vol-0cd71b694fc4dc181) to EC2 Instance (i-08cd638ab8733ae08): InvalidParameterValue: Invalid value '/dev/sdf' for unixDevice. Attachment point /dev/sdf is already in use
│ 	status code: 400, request id: c765e70a-4817-41a3-b22c-c9826c1cfb79
│
│   with aws_volume_attachment.gitlab,
│   on gitlab.tf.json line 1663, in resource[24].aws_volume_attachment[0].gitlab:
│ 1663:                     }
│
╵
make: *** [apply] Error 1
(.venv) daniel@Crispin ~/repo/azul2 $ aws ec2 describe-volumes
{
    "Volumes": [
        {
            ## The 20GB GitLab root volume
            "Attachments": [
                {
                    "AttachTime": "2024-03-18T21:47:47.000Z",
                    "Device": "/dev/xvda",
                    "InstanceId": "i-08cd638ab8733ae08",
                    "State": "attached",
                    "VolumeId": "vol-0e6d5842b41f80dba",
                    "DeleteOnTermination": true
                }
            ],
            "AvailabilityZone": "us-east-1a",
            "CreateTime": "2024-03-18T21:47:47.185Z",
            "Encrypted": true,
            "KmsKeyId": "<REDACTED>",
            "Size": 20,
            "SnapshotId": "snap-019804939f4d0ff49",
            "State": "in-use",
            "VolumeId": "vol-0e6d5842b41f80dba",
            "Iops": 100,
            "VolumeType": "gp2",
            "MultiAttachEnabled": false
        },
        {
            ## An unexpected additional 40GB volume attached to /dev/sdf
            "Attachments": [
                {
                    "AttachTime": "2024-03-18T21:47:47.000Z",
                    "Device": "/dev/sdf",
                    "InstanceId": "i-08cd638ab8733ae08",
                    "State": "attached",
                    "VolumeId": "vol-0bc91eba36f4454a9",
                    "DeleteOnTermination": true
                }
            ],
            "AvailabilityZone": "us-east-1a",
            "CreateTime": "2024-03-18T21:47:47.326Z",
            "Encrypted": false,
            "Size": 40,
            "SnapshotId": "snap-04dac21bdd3172661",
            "State": "in-use",
            "VolumeId": "vol-0bc91eba36f4454a9",
            "Iops": 120,
            "VolumeType": "gp2",
            "MultiAttachEnabled": false
        },
        {
            ## The GitLab data volume
            "Attachments": [],
            "AvailabilityZone": "us-east-1a",
            "CreateTime": "2023-10-10T17:45:57.560Z",
            "Encrypted": true,
            "KmsKeyId": "<REDACTED>",
            "Size": 150,
            "SnapshotId": "snap-0d8b9b5cfede82dad",
            "State": "available",
            "VolumeId": "vol-0cd71b694fc4dc181",
            "Iops": 450,
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "azul-gitlab"
                },
                {
                    "Key": "owner",
                    "Value": "[email protected]"
                }
            ],
            "VolumeType": "gp2",
            "MultiAttachEnabled": false
        },
        {
            ## An older unused GitLab data volume (?)
            "Attachments": [],
            "AvailabilityZone": "us-east-1a",
            "CreateTime": "2023-08-01T21:29:38.920Z",
            "Encrypted": true,
            "KmsKeyId": "<REDACTED>",
            "Size": 101,
            "SnapshotId": "snap-06e8d6addfba7653f",
            "State": "available",
            "VolumeId": "vol-072b9ae2c42b3a206",
            "Iops": 303,
            "Tags": [
                {
                    "Key": "Name",
                    "Value": ""
                }
            ],
            "VolumeType": "gp2",
            "MultiAttachEnabled": false
        }
    ]
}

@dsotirho-ucsc dsotirho-ucsc removed their assignment Mar 18, 2024
@hannes-ucsc hannes-ucsc removed the rev 5 label Mar 19, 2024
@dsotirho-ucsc dsotirho-ucsc added spike:8 [process] Spike estimate of eight points and removed spike:5 [process] Spike estimate of five points labels Mar 19, 2024
@dsotirho-ucsc
Contributor

@hannes-ucsc: "It turns out that CIS level 2 requires /var to reside on a separate partition and that the hardened AMI we plan to use satisfies that requirement by mounting a second volume, in addition to the root volume. The mount point conflicts with where we usually mount the GitLab data volume. Repeat experiment with the data volume moved to a different mount point to avoid the conflict."
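The collision described above (the AMI's own /var volume already sitting on the attachment point Terraform wants for the data volume) can be caught before `terraform apply` by looking at what is already attached to the instance. The following Python script is an added example for this thread, not code from the Azul project or from anyone in the discussion. It parses the JSON shape that `aws ec2 describe-volumes` prints, lists the device names an instance already has attached, and either confirms the intended device name or proposes the next free one in the /dev/sd[f-p] range AWS recommends for Linux data volumes; that generalizes the thread's concrete fix of moving from /dev/sdf to /dev/sdg. The sample document and all ids in it are constructed placeholders.

```python
"""Pre-flight check for an EBS attachment point before `terraform apply`.

Added example for this thread, not code from the Azul project. It reads the
JSON that `aws ec2 describe-volumes` prints, lists the block-device names an
instance already has attached, and either confirms the device name we intend
to use or proposes the next free one in the /dev/sd[f-p] range that AWS
recommends for Linux data volumes. The sample document below is constructed
to mirror the situation in this issue: the AMI has attached its own /var
volume on /dev/sdf, and the data volume is still waiting to be attached.
"""
import json
from typing import Dict, Optional, Tuple

# Constructed sample in the shape of `aws ec2 describe-volumes` output.
# Volume and instance ids are placeholders, not real resources.
SAMPLE_DESCRIBE_VOLUMES = json.dumps({
    "Volumes": [
        {   # root volume of the instance
            "VolumeId": "vol-root-example", "Size": 20, "State": "in-use",
            "Attachments": [{"InstanceId": "i-example", "Device": "/dev/xvda",
                             "State": "attached"}],
        },
        {   # second volume the hardened AMI attaches for /var
            "VolumeId": "vol-var-example", "Size": 40, "State": "in-use",
            "Attachments": [{"InstanceId": "i-example", "Device": "/dev/sdf",
                             "State": "attached"}],
        },
        {   # our data volume, not yet attached
            "VolumeId": "vol-data-example", "Size": 150, "State": "available",
            "Attachments": [],
        },
    ]
})

# Device names AWS recommends for EBS data volumes on Linux instances.
CANDIDATE_DEVICES = [f"/dev/sd{letter}" for letter in "fghijklmnop"]


def normalize(device: str) -> str:
    """Fold the Xen alias /dev/xvdX onto /dev/sdX; both name the same attachment point."""
    return device.replace("/dev/xvd", "/dev/sd", 1)


def devices_in_use(describe_volumes_json: str, instance_id: str) -> Dict[str, str]:
    """Map every (normalized) device name attached to `instance_id` to its volume id."""
    doc = json.loads(describe_volumes_json)
    used: Dict[str, str] = {}
    for volume in doc.get("Volumes", []):
        for attachment in volume.get("Attachments", []):
            if (attachment.get("InstanceId") == instance_id
                    and attachment.get("State") in ("attaching", "attached")):
                used[normalize(attachment["Device"])] = volume["VolumeId"]
    return used


def choose_device(describe_volumes_json: str, instance_id: str,
                  preferred: str) -> Tuple[str, Optional[str]]:
    """Return (device_to_use, volume_occupying_preferred_or_None).

    `preferred` is returned unchanged when it is free. Otherwise the first free
    candidate after it in CANDIDATE_DEVICES is returned together with the id of
    the volume that already occupies `preferred`, so the caller can log why the
    Terraform `device_name` had to move.
    """
    used = devices_in_use(describe_volumes_json, instance_id)
    wanted = normalize(preferred)
    if wanted not in used:
        return preferred, None
    start = CANDIDATE_DEVICES.index(wanted) + 1 if wanted in CANDIDATE_DEVICES else 0
    for candidate in CANDIDATE_DEVICES[start:]:
        if candidate not in used:
            return candidate, used[wanted]
    raise RuntimeError(f"no free attachment point in /dev/sd[f-p] on {instance_id}")


if __name__ == "__main__":
    device, conflict = choose_device(SAMPLE_DESCRIBE_VOLUMES, "i-example", "/dev/sdf")
    if conflict:
        print(f"/dev/sdf is taken by {conflict}; use {device} instead")
    else:
        print(f"{device} is free")
```

In practice the input would come from `aws ec2 describe-volumes --filters Name=attachment.instance-id,Values=<instance>` run after the instance exists but before the `aws_volume_attachment` is applied; the script only tells you which `device_name` is safe, it does not change anything. Note that the Linux-side NVMe name (`/dev/nvme1n1`, `/dev/nvme2n1`) is assigned by enumeration order, not by the `sdX` letter, so the cloud-config mount still has to be checked separately on the instance.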

@dsotirho-ucsc
Contributor

Index: terraform/gitlab/gitlab.tf.json.template.py
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/terraform/gitlab/gitlab.tf.json.template.py b/terraform/gitlab/gitlab.tf.json.template.py
--- a/terraform/gitlab/gitlab.tf.json.template.py	(revision d0713874b97e75a3413254ea566e74d346361610)
+++ b/terraform/gitlab/gitlab.tf.json.template.py	(date 1710875963591)
@@ -144,7 +144,7 @@
 # To then format the volume, you can then either attach it to some other Linux
 # instance and format it there or use `make terraform` to create the actual
 # Gitlab instance and attach the volume. For the latter you would need to ssh
-# into the Gitlab instance, format `/dev/xvdf` (`/dev/nvme1n1` on newer
+# into the Gitlab instance, format `/dev/xvdg` (`/dev/nvme2n1` on newer
 # instance types) and reboot the instance. For example:
 #
 # docker stop gitlab-runner
@@ -152,7 +152,7 @@
 # docker stop gitlab-dind
 # sudo mv /mnt/gitlab /mnt/gitlab.deleteme
 # sudo mkdir /mnt/gitlab
-# sudo mkfs.ext4 /dev/nvme1n1
+# sudo mkfs.ext4 /dev/nvme2n1
 # sudo reboot
 # sudo rm -rf /mnt/gitlab.deleteme
 #
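Review bot: `sudo mkfs.ext4 /dev/nvme2n1` is destructive and, with the Level 2 AMI, the neighbouring `/dev/nvme1n1` is the image's /var volume, so a one-off enumeration difference would format the wrong disk. Suggest a guard step right before the mkfs line, e.g. `lsblk -o NAME,SIZE,MOUNTPOINT` and checking that the target shows the 150GB data-volume size and no mount point, and formatting via the stable `/dev/disk/by-id/` symlink for the volume where available.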
@@ -1399,7 +1399,7 @@
         },
         'aws_volume_attachment': {
             'gitlab': {
-                'device_name': '/dev/sdf',
+                'device_name': '/dev/sdg',
                 'volume_id': '${data.aws_ebs_volume.gitlab.id}',
                 'instance_id': '${aws_instance.gitlab.id}',
                 'provisioner': {
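Review bot: `'device_name': '/dev/sdg'` here and the cloud-config mount `/dev/nvme2n1` in the later hunk encode one decision in two unrelated spellings; suggest a module-level constant next to `gitlab_mount`, with a comment stating that `/dev/sdf` is occupied by the Level 2 AMI's /var volume, so a future device change cannot update one site and miss the other.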
@@ -1585,7 +1585,7 @@
                 'user_data_replace_on_change': True,
                 'user_data': '#cloud-config\n' + yaml.dump({
                     'mounts': [
-                        ['/dev/nvme1n1', gitlab_mount, 'ext4', '']
+                        ['/dev/nvme2n1', gitlab_mount, 'ext4', '']
                     ],
                     'packages': [
                         'docker',
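Review bot: the `mounts` entry `['/dev/nvme2n1', gitlab_mount, 'ext4', '']` pins the mount to a kernel device name that depends on enumeration order, which is exactly what broke with the new AMI. cloud-init's mounts module accepts an fstab-style `LABEL=` or `UUID=` source, so labelling the filesystem when it is created (`mkfs.ext4 -L gitlab` in the runbook above) and mounting `LABEL=gitlab` here would survive such reordering. If the device name stays, make the mount options explicit rather than leaving the empty string to cloud-init's default (`defaults,nofail`), so the intended behaviour on a missing volume is visible in the template.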

@dsotirho-ucsc dsotirho-ucsc self-assigned this Mar 19, 2024
@dsotirho-ucsc
Contributor

Wait with spike until spike on #6082 is done.

@DataBiosphere DataBiosphere deleted a comment from achave11-ucsc Apr 4, 2024
@hannes-ucsc hannes-ucsc added enh [type] New feature or request infra [subject] Project infrastructure like CI/CD, build and deployment scripts compliance [subject] Information and software security + [priority] High labels Apr 4, 2024
@dsotirho-ucsc dsotirho-ucsc self-assigned this Aug 29, 2024
@dsotirho-ucsc dsotirho-ucsc added - [priority] Medium and removed + [priority] High labels Aug 30, 2024
@dsotirho-ucsc dsotirho-ucsc added -- [priority] Low and removed - [priority] Medium labels Sep 18, 2024