Ubuntu 14.04 LTS is FISMA Ready.
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.chef
docs
files/ubuntu
recipes
templates/default/etc/grub.d
.gitignore
.tm_properties
Berksfile
CONTRIBUTING.md
LICENSE.md
README.md
ami.sh
cert_gen.sh
hardening.md
metadata.rb
packer.json

README.md

Ubuntu LTS is FISMA Ready

This project creates hardened, FISMA Ready Ubuntu LTS Amazon Machine Instances (AMIs) that are suitable for use in Amazon Web Services (AWS). To be FISMA Ready, the AMI must be instantitated in either the US-East or US-West regions of AWS, or the AWS GovCloud, in order to properly inherit the AWS controls assessed by the FedRAMP program. We recommend additional customer level controls on top of the FedRAMP authorization for the AWS Console, and will be releasing those soon.

We are also working to expand support for other deployment environments and image types.

Prepared and maintained by 18F, a Federal digital services team.

What this does

  • Takes a fresh Ubuntu 14.04 LTS AMI (ami-9eaa1cf6), as published by Canonical:

1404-lts

  • Launches an m3.medium instance from this AMI in your AWS account's Classic region (not a VPC).

  • Uses the included Chef cookbooks and templates to connect to the instance and configures to controls recommended by the Center for Internet Security.

  • Creates a new AMI from the configured instance, and prints out the AMI ID.

Setup

$ brew doctor
$ brew tap homebrew/binary
$ brew install packer

At press time, we used Packer 0.7.5

$ packer version
Packer v0.7.5
  • Set two environmental variables.
export AWS_ACCESS_KEY_ID=[your AWS access key]
export AWS_SECRET_ACCESS_KEY=[your AWS secret key]
  • Clone the repository
$ git clone https://github.com/fisma-ready/ubuntu-lts.git
$ cd ubuntu-lts

Building the AMI

  1. Run ami.sh.

That's it! Take note of the AMI ID this spits out to your console after it's done.

Involvement of 18F

The team at 18F decided to start work where FedRAMP stops for open source components in a true infrastructure as a service environment - at the operating system layer. Secure baselines were available for Windows, Solaris, and Red Hat Enterprise Linux. But, there were no generally available — and certainly not public — baselines, for Ubuntu or the Debian version of Linux generally.

18F is committed to free and open source software - our intention is that the software we write can be run anywhere, without the need to pay for licensing fees.

Caveat emptor

Our hardened version of Ubuntu is still in active development. It is subject to change rapidly. Our intention is that no changes will be system breaking, and testing both in local virtual machines and the AWS is ongoing. We have also started to put common web workloads on servers running the hardened OS and no issues have yet arisen. Always use a testing environment before deploying a new OS configuration into production, and please report back with any Issues or Pull Requests.