(Summit23) Create Security-Compliant Cloud Images With RHEL Image Builder

This document discusses creating security-compliant cloud images using Red Hat Enterprise Linux (RHEL) image builder. It covers what RHEL image builder is, how compliance and OpenSCAP can be used, and demonstrates image builder. RHEL image builder allows building consistent images across environments from datacenter to edge. It supports compliance profiles and OpenSCAP for security scanning. A demo shows using the web console and command line tools to build virtual machine images.

Uploaded by Stef Walter

Create Security-Compliant Cloud Images With Image Builder

Stef Walter, Senior Director, Software Engineering
Eric “IT Guy” Hendricks, Operations Advocate
Create security-compliant cloud images with RHEL image builder

Stef Walter
Stef leads much of Linux Engineering at Red Hat. He’s been involved in Open Source for 20 years and contributed to over a hundred projects. Stef lives in Germany, and works at Red Hat.

https://www.linkedin.com/in/stefwalter
https://twitter.com/stefthewalter

Eric Hendricks
Fighting against the forces of burnout and poor work-life balance, The IT Guy stands for DevOps, Open Source, and a ton of energy!

linkedin.com/in/itguyeric
@itguyeric:fedora.im
mastodon.social/@itguyeric
twitter.com/itguyeric

Agenda
- What is RHEL image builder?
- Compliance and OpenSCAP
- DEMO: image builder
- Extra Credit
What is RHEL image builder?

Image Builder use cases for the hybrid cloud

Consistency across all runtime environments, from the datacenter to edge

Physical: Replace classic installations with pre-assembled images, benefitting from the same best practices of virtual environments.

Private cloud: Consistent and streamlined assembly of updated images optimized for private cloud infrastructure.

Public cloud: Accelerate cloud workload migrations with a single assembly pipeline for all popular public cloud platforms.

Edge: Create edge-optimized images with delta updates, intelligent rollbacks, and ideal for containerized workloads.
What is RHEL image builder?

Multiple ways to use image builder

composer-cli
  Command line tool wrapper for the API
  Provided within RHEL
  On-premises build node

Web console GUI
  Graphical user interface in the RHEL web console
  Provided within RHEL
  On-premises build node

Insights image builder
  Cloud hosted experience at console.redhat.com
  No infrastructure required
  Included as part of the RHEL subscription and Red Hat Insights
What is RHEL image builder?

Installing the on-premises tool on a RHEL build node:

$ sudo yum install cockpit-composer composer-cli osbuild-composer
$ sudo systemctl enable --now osbuild-composer.socket cockpit.socket

… and then access https://localhost:9090 for the web console GUI, or run composer-cli from the shell (a non-root user must be a member of the weldr group to talk to osbuild-composer).


228,876 images built since last Summit

Products built with image builder: RHEL images (KVM, AWS, Azure), SAP Marketplace images, JBoss Marketplace images
Configuration options: on-premises tool (RHEL 9.2) vs. Insights image builder (April 2023)

Configuration option                            On-premises tool (RHEL 9.2)   Insights image builder (April 2023)
Edit, Import, Export Blueprints                 🗸                             Planned
Packages                                        🗸                             🗸
Kernel                                          🗸                             Planned
File system                                     🗸                             🗸
Services                                        🗸                             Planned
Firewall                                        🗸                             Planned
Users, Groups, SSH keys, Hostname               🗸                             Planned, in Edge management
Timezone & Locale                               🗸                             ⨯
Security Profiles (OpenSCAP)                    🗸                             Planned
Extensible using cloud-init                     🗸                             🗸
FIDO device onboarding                          🗸                             in Edge management
Ignition (first boot configurations)            🗸                             in Edge management
Launch instances in cloud                       ⨯                             🗸
Auto-subscribing new instances                  ⨯                             🗸
Out of the box multi-arch support (x86, ARM)    ⨯                             🗸 (WIP)
APIs and Architecture

Everything below runs on the user’s host machine. cockpit-composer (the web console plugin) and weldr-client (composer-cli) are both clients of the same Weldr REST API, which osbuild-composer serves on a Unix socket; osbuild-composer queues composes and hands them over the Worker API (REST, also on a Unix socket) to osbuild-worker, which runs osbuild to assemble the image.

  cockpit-composer              weldr-client (composer-cli)
          \                              /
           Weldr API (REST over a Unix socket)
                          |
           osbuild-composer (systemd service)
                          |
           Worker API (REST over a Unix socket)
                          |
           osbuild-worker (systemd service)
                          |
                       osbuild
Compliance and OpenSCAP
Verified security certifications help meet regulatory requirements

▸ Benefit from Red Hat’s market-leading commitment to security certifications
▸ Strong, independent FIPS validation of cryptography for Red Hat Enterprise Linux
▸ Security claims validated by the Common Criteria certification program
▸ Frequent validations allow flexibility in which hardware and software point releases to use
Common Security Compliance Baselines

Considered baselines or benchmarks to help achieve various security compliance requirements.

● They will likely need to be adjusted to your environment
● Red Hat provides tools to:
  ○ Quickly achieve these baseline requirements
  ○ Create tailored profiles for your specific requirements
  ○ Apply and audit compliance
OpenSCAP built-in compliance scanning and remediation

▸ Perform configuration and vulnerability scans on a local system to validate compliance
▸ Generate reports and configuration baselines
▸ Automatically remediate systems that have been found in a non-compliant state
▸ Integrate with Red Hat Satellite and Red Hat Insights for managing at scale
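The scan, report and remediation steps above, as an added shell example that is not part of the deck or of the OpenSCAP project: it runs the scanner against a profile, counts and lists rule results from the XCCDF results file so a pipeline can gate on them, and generates an Ansible remediation playbook. It assumes a RHEL 9 host with openscap-scanner and scap-security-guide installed; the datastream path and profile ID are the ones the deck lists later. The results XML in sample_results is constructed to match the shape oscap writes (it is not real scan output), and the script name oscap_gate.sh is made up.

```shell
#!/bin/sh
# Added example, not from the Red Hat deck: scan a RHEL 9 host against an
# OpenSCAP profile, summarize the XCCDF results file, and generate an Ansible
# remediation playbook. Assumes openscap-scanner and scap-security-guide are
# installed; the datastream path and profile ID are the ones on the slides.
DS=/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
PROFILE=xccdf_org.ssgproject.content_profile_cis

# Evaluate the profile. oscap exit codes: 0 = every rule passed,
# 1 = the scanner itself failed, 2 = at least one rule failed.
run_scan() {
    # $1 = XCCDF results file to write, $2 = HTML report to write
    oscap xccdf eval --profile "$PROFILE" --results "$1" --report "$2" "$DS"
    rc=$?
    [ "$rc" -eq 1 ] && echo "oscap could not complete the scan" >&2
    return "$rc"
}

# Count rule results of one kind (pass, fail, notapplicable, notchecked, ...).
# oscap writes each <result> element on its own line, so grep -c is enough.
count_result() {
    # $1 = results file, $2 = result value
    grep -c "<result>$2</result>" "$1" || true
}

# Print the IDs of failed rules, one per line: remember the idref of the
# enclosing <rule-result>, emit it when its <result> is "fail".
failed_rules() {
    awk '/<rule-result /{match($0, /idref="[^"]+"/); id=substr($0, RSTART+7, RLENGTH-8)}
         /<result>fail<\/result>/{print id}' "$1"
}

# CI gate: succeed only when nothing failed, so a pipeline can refuse to
# publish an image whose scan still shows failing rules.
gate() {
    fails=$(count_result "$1" fail)
    echo "pass=$(count_result "$1" pass) fail=$fails notapplicable=$(count_result "$1" notapplicable)"
    [ "$fails" -eq 0 ]
}

# Build an Ansible playbook for the whole profile. To fix a live host in place
# instead, add --remediate to the 'oscap xccdf eval' call in run_scan.
generate_playbook() {
    # $1 = playbook path to write
    oscap xccdf generate fix --fix-type ansible --profile "$PROFILE" --output "$1" "$DS"
}

# Constructed sample in the shape oscap writes (not real scan output), so the
# parsing functions above can be exercised without running oscap.
sample_results() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-9">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cis">
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_partition_for_tmp" severity="low">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_uefi_password" severity="high">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
EOF
}

# Usage: sh oscap_gate.sh scan results.xml report.html
case "${1:-}" in
    scan)
        run_scan "$2" "$3"; rc=$?
        [ "$rc" -ne 1 ] || exit 1
        gate "$2" || { echo "failed rules:"; failed_rules "$2"; exit 2; }
        ;;
esac
```

Gate on the parsed results rather than on the scanner's exit code alone: exit status 2 tells you something failed, but the failed-rule list is what lets you decide whether a finding (for example a missing /tmp partition that a cloud image cannot fix after the fact) is a blocker or a documented exception.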
Scalable vulnerability management with Red Hat Insights

▸ Included with your Red Hat Enterprise Linux subscription
▸ Manage, remediate, and report on RHEL CVEs
▸ Configure, deploy, and monitor OpenSCAP policies
▸ Use executive reports for at-a-glance reporting on exposures
▸ Tailoring rules is made easier via a simple interface
Common Security Compliance Baselines

CIS Benchmarks
Center for Internet Security

DISA STIG
Defense Information Systems Agency Security Technical Implementation Guides

PCI-DSS
Payment Card Industry Data Security Standard; helps to protect payment card data

HIPAA
Helps meet the Health Insurance Portability and Accountability Act of 1996
DEMO: image builder

GOAL

An ecosystem of shared blueprints for:

● Workloads where ISVs have expertise
  ○ e.g. SQL Server, or SAP
● Workloads where Red Hat has expertise
  ○ e.g. security profiles
● Workloads where you have expertise
Try out our labs!

Using Web Console to build virtual machine images

Design and build virtual machine images using command-line tools
Extra Credit

Connect with us

Red Hat® and Red Hat Enterprise Linux® are continuing our commitment to being involved in the community!

twitter.com/RHEL
reddit.com/r/redhat
youtube.com/c/RedHatEnterpriseLinux
Check out our shows

RHEL Presents
Live every other Wednesday at 2PM ET
https://red.ht/rhelPresents

Into the Terminal
Live every Friday at 12PM ET
https://red.ht/intoTheTerminal
Check out our RHEL content for developers

developers.redhat.com

▸ Learn about Red Hat Enterprise Linux
▸ Join the Red Hat Developer Program
▸ Download RHEL
▸ Read the latest blogs, articles, and how-tos
Red Hat Accelerators is an elite community of technology practitioners and experts who help solve technical challenges.

Members inspire and encourage one another and learn, share, and grow together. With involvement and participation, Red Hat Accelerators can help boost your self-confidence, build your skills, boost your influence and credibility, and escalate your career.

red.ht/accelerators

“The high degree of technical aptitude is number one for me. There’s a lot of very influential thought leaders involved in the program. When you’re faced with a challenge, you’re always one message away from someone in the program. This is a real time saver.”
- Red Hat Accelerator

Give: Product feedback, Product validation, Use cases, Real world experience
Get: Peer-to-peer networking, Access to Red Hat, Broaden your exposure, Build your domain expertise
Who: Red Hat customer, Passionate about Red Hat, Strong “hands-on” IT background, Willing to share their opinion
Additional Resources

Documentation
- Composing a customized RHEL system image (RHEL 9)
- Creating customized RHEL images using the Image Builder service at console.redhat.com
- Insights Remote Host Configuration and Management
- Insights Compliance
- Using hosted image builder via its API

Blog posts and media
- Using the no-cost Developer Subscription with the new Red Hat Enterprise Linux Image Builder hosted service
- Start your RHEL Trial
- Build RHEL images for Azure with Image Builder
- Announcing full support for new Red Hat Enterprise Linux image builder service
- Golden Images with Image Builder Service | RHEL Presents 42
- Install and Migration | RHEL - YouTube

Thank you

linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHat

Q&A

We would love to talk to you!

Our Red Hat User Experience team would love to talk to you about your experience using console.redhat.com, Image Builder, Red Hat Insights, or any Red Hat product! If you see us, come say hi!

Sign up to give user feedback:
Katie Riker [email protected]
Melissa Grimes [email protected]

Or come visit the Experience Zone!


Common Security Compliance Baselines

DISA STIG
Defense Information Systems Agency - Security Technical Implementation Guides

Required for U.S. federal government (Department of Defense) systems

Often adopted by other countries

Common Security Compliance Baselines

What you need for image builder

Install the following packages on your image builder node:

# yum install -y scap-security-guide openscap-utils openscap-scanner

Datastream files for RHEL 8 & 9, CentOS Stream, & Fedora are installed under /usr/share/xml/scap/ssg/content/:

/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml
/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml
/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

Query the profiles defined in a datastream file (hint: each datastream defines a different set of profiles, so query the one that matches the image you are building):
# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
# oscap info --profile pci-dss /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Common Security Compliance Baselines

DISA STIG - What you need for image builder

Datastream files for RHEL 8 & 9
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

Profiles (RHEL 9 datastream)

[DRAFT] DISA STIG for Red Hat Enterprise Linux 9
xccdf_org.ssgproject.content_profile_stig

[DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9
xccdf_org.ssgproject.content_profile_stig_gui
Common Security Compliance Baselines

CIS Benchmarks - What you need for image builder

Datastream files for RHEL 8 & 9
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

CIS profiles (RHEL 9 datastream)

[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
xccdf_org.ssgproject.content_profile_cis

CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation
xccdf_org.ssgproject.content_profile_cis_workstation_l2

CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
xccdf_org.ssgproject.content_profile_cis_server_l1

CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation
xccdf_org.ssgproject.content_profile_cis_workstation_l1

Other profiles (RHEL 9 datastream)

Health Insurance Portability and Accountability Act (HIPAA)
xccdf_org.ssgproject.content_profile_hipaa

PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9
xccdf_org.ssgproject.content_profile_pci-dss

Protection Profile for General Purpose Operating Systems
xccdf_org.ssgproject.content_profile_ospp
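Putting the "what you need for image builder" slides and the profile lists together, as an added shell example that is not part of the deck or of the osbuild project: it writes a blueprint whose [customizations.openscap] section names one of the profile IDs above, checks that the chosen datastream really defines that profile, pushes the blueprint and queues a compose with composer-cli, and reads the blueprint back through the Weldr API socket that composer-cli wraps. It assumes a RHEL 9.2 or later on-premises build node with osbuild-composer, composer-cli, openscap-scanner and scap-security-guide installed, and a user in the weldr group. The blueprint name cis-l2-server, the script name build_hardened.sh and the partition sizes are made up for this example; PROFILE can be swapped for any ID from the lists above.

```shell
#!/bin/sh
# Added example, not from the Red Hat deck or the osbuild project: build a
# pre-hardened RHEL 9 image by naming an OpenSCAP profile in an image builder
# blueprint, then drive osbuild-composer with composer-cli. Assumes a RHEL 9.2+
# build node with osbuild-composer, composer-cli, openscap-scanner and
# scap-security-guide installed, and a user in the weldr group.
# The blueprint name "cis-l2-server" is made up for this example.
DS=/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
PROFILE=xccdf_org.ssgproject.content_profile_cis
NAME=cis-l2-server
SOCKET=/run/weldr/api.socket

# Write the blueprint. [customizations.openscap] makes osbuild apply the
# profile's remediations to the image tree at build time. The separate
# partitions that CIS and STIG expect cannot be created by OpenSCAP after the
# fact, so they are declared as filesystem customizations (sizes made up).
write_blueprint() {
    # $1 = output path, $2 = profile ID, $3 = datastream file
    cat > "$1" <<EOF
name = "$NAME"
description = "RHEL 9 image hardened to $2 at build time"
version = "0.0.1"

[[customizations.filesystem]]
mountpoint = "/tmp"
size = "2 GiB"

[[customizations.filesystem]]
mountpoint = "/home"
size = "4 GiB"

[customizations.openscap]
datastream = "$3"
profile_id = "$2"
EOF
}

# Read the profile_id back from a blueprint file (a cheap sanity check
# before pushing it).
blueprint_profile() {
    sed -n 's/^profile_id = "\(.*\)"$/\1/p' "$1"
}

# Refuse a profile ID the datastream does not define: each ssg-*-ds.xml
# defines a different set, and a bad ID only surfaces when the compose fails.
profile_exists() {
    # $1 = datastream, $2 = profile ID; 'oscap info' lists each profile as "Id: ..."
    oscap info "$1" | grep -q "Id: $2\$"
}

# Push the blueprint, resolve its package set and queue a qcow2 compose.
# composer-cli prints the compose UUID; follow it with 'composer-cli compose
# status' and fetch the result with 'composer-cli compose image <uuid>'.
start_compose() {
    composer-cli blueprints push "$NAME.toml"
    composer-cli blueprints depsolve "$NAME"
    composer-cli compose start "$NAME" qcow2
}

# composer-cli is a thin client of the Weldr REST API that osbuild-composer
# serves on a Unix socket; the same blueprint is readable with plain curl.
show_blueprint_via_api() {
    curl --silent --unix-socket "$SOCKET" "http://localhost/api/v1/blueprints/info/$NAME"
}

# Usage: sh build_hardened.sh build
case "${1:-}" in
    build)
        profile_exists "$DS" "$PROFILE" || { echo "profile $PROFILE not in $DS" >&2; exit 1; }
        write_blueprint "$NAME.toml" "$PROFILE" "$DS"
        start_compose
        [ -S "$SOCKET" ] && show_blueprint_via_api
        ;;
esac
```

Build-time remediation runs against an unbooted tree, so treat it as a head start rather than proof: boot the finished image and run the same profile with oscap xccdf eval before publishing it, since rules that depend on runtime state or first-boot configuration (cloud-init users, services, network) only show their real result on a running instance.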
What is RHEL image builder? (demo screenshots, slides 41 to 46)
