spel

STIG-Partitioned Enterprise Linux (spel) is a project that helps create and publish Enterprise Linux images that are partitioned according to the [DISA STIG][0]. The resulting images also use LVM to simplify volume management. The images are configured with help from the scripts and packages in the [AMIgen7][31], [AMIgen8][40], and [AMIgen9][47] projects[^1].

Notes on Lifecycle:

  1. Images are released on a monthly cadence. This cadence ensures that, if a user launches a brand new instance from the most-recently published AMI, there will be less than a month's worth of system-patches to apply as part of the system-owner's system-provisioning processes.
  2. "Free" Enterprise Linux distributions are configured to use the public repositories offered by the distribution-owner. If running EC2s inside of a VPC with no access to the internet at large, it will not be possible to install additional RPMs or patch systems without the use of either a proxy or standing up a private yum mirror.
  3. Red Hat images are configured to use a given cloud service provider's (CSP) Red Hat Update Infrastructure (a.k.a., "RHUI") repositories. These repositories are managed by Red Hat engineers and provide local RPM update-service within each CSP-partner's networks. Unlike RPM-access via RHN or Satellite, RHUI access is tied to and paid for via your CSP's billing-mechanisms. RHUI access also entitles cloud-VMs' owners to limited operating system support through the respective CSP's support channels.
  4. AWS Specific notes:
    • Access to the RHUI repositories is gated, in part, by an attribute attached to EC2s. This attribute is inherited from their corresponding AMIs. To view this attribute external to the EC2, execute:

      aws ec2 describe-instances --query 'Reservations[].Instances[].UsageOperation' --instance-ids <instance-id>

      This should return a value of `RunInstances:0010`. If the value is just `RunInstances`, the necessary attribute is missing from the EC2.

      The attribute may also be viewed internal to the EC2 by executing:

      curl http://169.254.169.254/latest/dynamic/instance-identity/document | \
      grep "billingProducts"

      This should return a value of `"billingProducts" : [ "bp-6fa54006" ]`. If not, the necessary attribute is missing from the EC2.

      In either case, lack of the requisite attribute will mean that attempts to install or update RPMs from RHUI will fail.

    • If patch-updates should come from RHN, Satellite or another private repository, do not use the AMIs published by the maintainers of this project. Because the previously-mentioned EC2-attribute is attached to such AMIs, you will be billed for the RHUI access even if you never use it. Feel free to use this project's code to generate your own, unencumbered AMIs.

    • Further information about AWS policies for Red Hat EC2s may be found in AWS's RHEL FAQ.
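The two RHUI-attribute checks above, as an added example that is not part of the spel project: one function interprets the `UsageOperation` value returned by `describe-instances`, another parses the `billingProducts` entry out of an instance-identity document, and a third fetches that document through IMDSv2 (the token step is an assumption of this example; where IMDSv2 is enforced, the unauthenticated `curl` shown above returns 401). The sample documents are constructed, not captured from a real instance.

```shell
#!/usr/bin/env bash
# Added example, not code from the spel project: decide whether an EC2 carries
# the RHUI entitlement attribute, from the outside (UsageOperation) and from
# the inside (billingProducts in the IMDS instance-identity document).
# Parsing is separate from the network call so it can run offline.
RHUI_USAGE_OPERATION="RunInstances:0010"   # value quoted in the README
RHUI_BILLING_PRODUCT="bp-6fa54006"         # value quoted in the README

# Map a UsageOperation string to "present" or "missing".
rhui_from_usage_operation() {
  if [ "$1" = "$RHUI_USAGE_OPERATION" ]; then echo present; else echo missing; fi
}

# Read an instance-identity document on stdin; print "present" if its
# billingProducts array lists the RHUI product code, otherwise "missing".
# sed/grep only, so it runs on a minimal image without jq.
rhui_from_identity_document() {
  if sed -n 's/.*"billingProducts"[[:space:]]*:[[:space:]]*\[\([^]]*\)].*/\1/p' \
       | grep -q "\"$RHUI_BILLING_PRODUCT\""; then
    echo present
  else
    echo missing
  fi
}

# Live check from inside the instance. Assumption: IMDSv2 is reachable; the
# session token is what makes this work where IMDSv1 has been disabled.
rhui_from_imds() {
  local token
  token=$(curl -sf --max-time 2 -X PUT "http://169.254.169.254/latest/api/token" \
            -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
  curl -sf --max-time 2 -H "X-aws-ec2-metadata-token: ${token}" \
    "http://169.254.169.254/latest/dynamic/instance-identity/document" \
    | rhui_from_identity_document
}

# Constructed sample documents (not captured from a real instance), in the
# "key" : value layout IMDS returns.
SAMPLE_WITH_RHUI='{ "accountId" : "123456789012",
  "billingProducts" : [ "bp-6fa54006" ], "region" : "us-east-1" }'
SAMPLE_WITHOUT_RHUI='{ "accountId" : "123456789012",
  "billingProducts" : null, "region" : "us-east-1" }'

# Offline demonstration on the samples; on an EC2, call rhui_from_imds instead.
printf 'constructed document with RHUI:    %s\n' "$(printf '%s\n' "$SAMPLE_WITH_RHUI" | rhui_from_identity_document)"
printf 'constructed document without RHUI: %s\n' "$(printf '%s\n' "$SAMPLE_WITHOUT_RHUI" | rhui_from_identity_document)"
```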

Why spel

VMs' root filesystems are generally not live-repartitionable once launched from their images. As a result, if a STIG-scan is performed against most of the community-published images for Red Hat and related distros (CentOS/CentOS Stream, [Oracle Linux][41], [Rocky][42], [Alma][43] or [Liberty][44]), those scans will note failures for each of the various "${DIRECTORY} is on its own filesystem" tests. The images produced through this project are designed to ensure that these particular scan-failures do not occur.
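The "${DIRECTORY} is on its own filesystem" check described above, as an added example that is not part of the spel project: it reads a mount table and reports which of the directories the STIG expects on separate filesystems are not their own mount points. The directory list is this example's assumption (drawn from the RHEL STIG separate-filesystem rules), and both mount tables are constructed rather than captured from real instances.

```shell
#!/usr/bin/env bash
# Added example, not code from the spel project: the check a STIG scanner makes
# for the "${DIRECTORY} is on its own filesystem" rules, run over a mount table.
# The directory list is this example's assumption, not something the README
# enumerates.
STIG_SEPARATE_DIRS="/home /tmp /var /var/log /var/log/audit /var/tmp"

# Read /proc/self/mounts-style lines on stdin (device mountpoint fstype ...) and
# print "<dir> ok" when the directory is its own mount point, "<dir> FAIL" if not.
check_separate_filesystems() {
  local mounts dir
  mounts=$(awk '{ print $2 }')
  for dir in $STIG_SEPARATE_DIRS; do
    if printf '%s\n' "$mounts" | grep -qx "$dir"; then
      echo "$dir ok"
    else
      echo "$dir FAIL"
    fi
  done
}

# Number of directories that would produce a partitioning finding (0 = clean).
count_partition_findings() {
  check_separate_filesystems | grep -c ' FAIL$' || true
}

# Constructed mount tables (not captured from real instances): one laid out the
# way an LVM-partitioned spel image is, one with everything on a single root.
LVM_PARTITIONED_MOUNTS='/dev/mapper/vg-root / xfs rw 0 0
/dev/mapper/vg-home /home xfs rw 0 0
/dev/mapper/vg-var /var xfs rw 0 0
/dev/mapper/vg-log /var/log xfs rw 0 0
/dev/mapper/vg-audit /var/log/audit xfs rw 0 0
/dev/mapper/vg-vartmp /var/tmp xfs rw 0 0
tmpfs /tmp tmpfs rw 0 0'
SINGLE_ROOT_MOUNTS='/dev/xvda1 / xfs rw 0 0
devtmpfs /dev devtmpfs rw 0 0'

# Demonstration on the constructed tables; on a live system use:
#   check_separate_filesystems < /proc/self/mounts
printf '%s\n' "$SINGLE_ROOT_MOUNTS" | check_separate_filesystems
printf 'findings on single-root layout: %s\n' "$(printf '%s\n' "$SINGLE_ROOT_MOUNTS" | count_partition_findings)"
printf 'findings on LVM layout:         %s\n' "$(printf '%s\n' "$LVM_PARTITIONED_MOUNTS" | count_partition_findings)"
```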

Aside from addressing the previously-noted partitioning findings, spel applies only those STIG-related hardenings that need to be in place "from birth" (i.e., when a system is first created from KickStart, VM-template, Amazon Machine Image, etc.). This includes things like:

  • Activation of SELinux
    • Application of SELinux user-confinement to the default-user[^2]
    • Application of SELinux role-transition rules for the default-user
  • Activation of FIPS mode
  • Support for BIOS- and/or EFI-boot modes (the latter being a requisite for use of SecureBoot)

The spel-produced images are expected to act as a better starting-point in a larger hardening process.

If your organization does not already have an automated hardening process, please see our tool, Watchmaker. This tool is meant to help spel-users (and users of other Enterprise Linux images) by performing launch-time hardening activities.

We have a FAQ now!

We've added an FAQ to the project. Hopefully, your questions are answered there. If they aren't, please feel free to submit an issue requesting an appropriate FAQ entry.

Current Published Images

SPEL AMIs are published monthly. The AMI table below contains links to the AWS Console that search by AMI Name and sort the result by creation date. The most recent AMI of each build will be at the top when viewed in the AWS Console. From there it is simple to launch an instance from the chosen image. Note that you must be logged in for the console link to work.

AMI IDs for each region are also published as a table in manifests/IMAGES.md.

RPM Manifests for published images are available in the manifests directory.

Please note: the RPM-manifests published to this directory are generated for the AWS (CONUS) commercial regions. Due to potential deltas between the repositories used for the commercial and govcloud regions, there may also exist deltas between what is found in the manifests in this project and the version-numbers found in the GovCloud region AMIs.

| AWS Region    | Builder Name / Link                     |
|---------------|-----------------------------------------|
| us-east-1     | [spel-minimal-rhel-8-hvm][1027]         |
|               | [spel-minimal-ol-8-hvm][1045]           |
|               | [spel-minimal-rhel-9-hvm][1051]         |
|               | [spel-minimal-ol-9-hvm][1063]           |
|               | [spel-minimal-centos-9stream-hvm][1069] |
|               | [spel-minimal-amzn-2023-hvm][1057]      |
| us-east-2     | [spel-minimal-rhel-8-hvm][1029]         |
|               | [spel-minimal-ol-8-hvm][1046]           |
|               | [spel-minimal-rhel-9-hvm][1052]         |
|               | [spel-minimal-ol-9-hvm][1064]           |
|               | [spel-minimal-centos-9stream-hvm][1070] |
|               | [spel-minimal-amzn-2023-hvm][1057]      |
| us-west-1     | [spel-minimal-rhel-8-hvm][1031]         |
|               | [spel-minimal-ol-8-hvm][1047]           |
|               | [spel-minimal-rhel-9-hvm][1053]         |
|               | [spel-minimal-ol-9-hvm][1065]           |
|               | [spel-minimal-centos-9stream-hvm][1071] |
|               | [spel-minimal-amzn-2023-hvm][1057]      |
| us-west-2     | [spel-minimal-rhel-8-hvm][1033]         |
|               | [spel-minimal-ol-8-hvm][1048]           |
|               | [spel-minimal-rhel-9-hvm][1054]         |
|               | [spel-minimal-ol-9-hvm][1066]           |
|               | [spel-minimal-centos-9stream-hvm][1072] |
|               | [spel-minimal-amzn-2023-hvm][1057]      |
| us-gov-west-1 | [spel-minimal-rhel-8-hvm][1035]         |
|               | [spel-minimal-ol-8-hvm][1049]           |
|               | [spel-minimal-rhel-9-hvm][1055]         |
|               | [spel-minimal-ol-9-hvm][1067]           |
|               | [spel-minimal-centos-9stream-hvm][1073] |
|               | [spel-minimal-amzn-2023-hvm][1057]      |
| us-gov-east-1 | [spel-minimal-rhel-8-hvm][1037]         |
|               | [spel-minimal-ol-8-hvm][1050]           |
|               | [spel-minimal-rhel-9-hvm][1056]         |
|               | [spel-minimal-ol-9-hvm][1068]           |
|               | [spel-minimal-centos-9stream-hvm][1062] |
|               | [spel-minimal-amzn-2023-hvm][1074]      |

| Vagrant Cloud Name                          | Vagrant Provider |
|---------------------------------------------|------------------|
| [plus3it/spel-minimal-centos-9stream][2002] | virtualbox       |

Official AWS Owner Account IDs for Images

The following table lists the official owner accounts for the images.

| AWS Partition | Account ID   | Effective Release     |
|---------------|--------------|-----------------------|
| aws           | 174003430611 | 2023.08.1 and later   |
| aws-us-gov    | 216406534498 | 2023.08.1 and later   |

Deprecated AWS Owner Account IDs

The following table lists AWS account IDs previously used to host SPEL images. These accounts are now closed, and the associated images are no longer available.

| AWS Partition | Account ID   | Effective Release     |
|---------------|--------------|-----------------------|
| aws           | 701759196663 | 2023.07.1 and earlier |
| aws-us-gov    | 039368651566 | 2023.07.1 and earlier |

Deprecated Images

Deprecated Images have become end-of-life and no longer have available yum repos. The images remain public until the image deprecation period expires, typically 1 year after publishing.

| AWS Region    | Builder Name / Link                     |
|---------------|-----------------------------------------|
| us-east-1     | [spel-minimal-rhel-7-hvm][1000]         |
|               | [spel-minimal-centos-7-hvm][1002]       |
|               | [spel-minimal-centos-8stream-hvm][1039] |
| us-east-2     | [spel-minimal-rhel-7-hvm][1005]         |
|               | [spel-minimal-centos-7-hvm][1007]       |
|               | [spel-minimal-centos-8stream-hvm][1040] |
| us-west-1     | [spel-minimal-rhel-7-hvm][1010]         |
|               | [sp
