how_to_creating_and_making_an_AMI_public.mkd

How to creating and making a public AMI

Creating an Amazon EBS-Backed Linux AMI

The creation process is as follows:

How to making

Pre-Install

# apt update 
# apt install -y bc net-tools  bc net-tools pciutils network-manager vim unzip

Get harbian-audit project

$ cd /opt
/opt# wget https://github.com/hardenedlinux/harbian-audit/archive/master.zip 
/opt# unzip master.zip 
/opt$ cd harbian-audit-master/ 

How to use harbian-audit to audit and apply

//maybe not need

Set passwd to all user:

admin@ip:/opt/harbian-audit-master# passwd
admin@ip:/opt/harbian-audit-master# passwd admin

Audit && Apply:

First audit && apply:

admin@ip:/opt/harbian-audit-master# cp etc/default.cfg /etc/default/cis-hardening
admin@ip:/opt/harbian-audit-master# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening 
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --init
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --audit-all 
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --set-hardening-level 5 
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.1.35_freeze_auditd_conf.cfg 
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg 
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.6_remove_nopasswd_sudoers.cfg
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.1_install_aide.cfg 
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.2_aide_cron.cfg 
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.1_set_password_exp_days.cfg
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply 
admin@ip:/opt/harbian-audit-master# reboot 

Second audit && apply(After reboot)

Configuring the firewall:

admin@ip:/opt/harbian-audit-master$ INTERFACENAME="eth0"
admin@ip:/opt/harbian-audit-master# bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME 
admin@ip:/opt/harbian-audit-master# bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v6.sh $INTERFACENAME 
admin@ip:/opt/harbian-audit-master# iptables-save > /etc/iptables/rules.v4 
admin@ip:/opt/harbian-audit-master# ip6tables-save > /etc/iptables/rules.v6
admin@ip:/opt/harbian-audit-master# exit

Apply need to apply twice items and that items of must apply after first apply:

admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.1.1.2
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.1.1.3
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.1.12
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.35_freeze_auditd_conf.cfg 
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.1.35 
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 4.5
admin@ip:/opt/harbian-audit-master# reboot 

Third apply(after reboot)

Apply need to apply three times items:

admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg 
admin@ip:/opt/harbian-audit-master# sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.4.1
admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --apply --only 8.4.2
admin@ip:/opt/harbian-audit-master# reboot 

Set issues

# sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/Linux 9/g" /etc/issue* 

Hacking

If need adds a project on AMI, add the project on such as /opt, /usr/local/bin dir etc.

Clean up for sharing AMIs safely

Use the following guidelines to reduce the attack surface and improve the reliability of the AMIs you create, please reference:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/building-shared-amis.html

Clean harbian-audit temp file and conf

# rm /opt/master.zip 
# rm /opt/harbian-audit-master/tmp/backups/*
# rm /opt/harbian-audit-master/etc/conf.d/*.cfg 

Uninstall

# apt-get purge --autoremove unzip -y 

Clear the current log:

$ echo > ~/.ssh/known_hosts
# find /var/log/ -name "*.log" -exec shred -u {} \; 
# find /var/log/ -name "*.log.*" -exec shred -u {} \; 
# find / -name "authorized_keys" -exec shred -u {} \; 
# rm  /root/.wget-hsts 
# rm  /root/.viminfo 
# echo > /var/log/debug 
# echo > /var/log/btmp 
# echo > /var/log/error 
# echo > /var/log/exim4/mainlog 
# echo > /var/log/exim4/paniclog 
# echo > /var/log/faillog 
# echo > /var/log/messages  
# echo > /var/log/syslog 
# echo > /var/log/tallylog 
# echo > /var/log/lastlog 
# echo > /var/log/wtmp 
# echo > /var/log/sudo.log

Final apply

Reset password for all users and reinit aide database:

admin@ip:/opt/harbian-audit-master# ./bin/hardening.sh --final 

Clear bash hostory

# echo > ~/.bash_history 
# history -cw 
$ echo > ~/.bash_history 
$ history -cw 

Create AMI

Cross-Region AMI Copy

Reference

https://github.com/hardenedlinux/harbian-audit/blob/master/README.md https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html
https://aws.amazon.com/cn/articles/public-ami-publishing-hardening-and-clean-up-requirements/
https://aws.amazon.com/cn/articles/how-to-share-and-use-public-amis-in-a-secure-manner/