
Build Secure VM Images in Google Cloud with cnspec and HashiCorp Packer

Packer plugin cnspec by Mondoo lets you run security scans during HashiCorp Packer builds of Google Cloud VM images. This ensures that new VM images meet your security standards before they even reach production.

caution

This tutorial provisions resources in your Google Cloud project. Mondoo is not responsible for charges that you incur.

Requirements

You must have:

Packer Plugin cnspec by Mondoo

Packer Plugin cnspec by Mondoo scans Linux and Windows HashiCorp Packer builds for vulnerabilities and security misconfigurations. The plugin is designed to work with any of the supported Packer builders, including containers.

Plugin modes

Packer plugin cnspec is designed to work in one of two modes:

  • Unregistered - In unregistered mode, the plugin works without being registered to Mondoo Platform and provides baseline security scanning with minimal configuration. The plugin runs the Linux Security by Mondoo policy on Linux builds or the Windows Security by Mondoo policy on Windows builds. Each of these policies provides security hardening checks based on industry standards for Linux and Windows. Scan results are shown in STDOUT during the Packer run.
  • Registered - In registered mode, the plugin is registered to your account in Mondoo Platform using a service account. Registered mode lets you configure and customize any of the policies in Mondoo Platform, including CIS benchmarks and more. Scan results are shown in STDOUT and are also sent to Mondoo Platform for your records.
info

To scan for vulnerabilities, you must register cnspec with Mondoo Platform. Sign up for a free account today.

Plugin configuration

Packer plugin cnspec provides this configuration:

  • score_threshold - An integer score threshold (0-100) for the security scan. If the scan produces a score that falls below the threshold, the build fails.
  • on_failure = "continue" - Keeps the Packer build from failing even if the scan produces a score below score_threshold. Note that in this case the image is still created; the failed gate is only visible in the scan output.
  • sudo - Some security checks require elevated permissions to read a resource such as sshd_config. Setting active = true inside the sudo block configures the plugin to run the scan with sudo.
  • asset_name - Overrides the asset name in Mondoo Platform. This configuration is only used in registered mode.
  • annotations - Custom key/value annotations applied to the Packer build asset to provide additional metadata for asset tracking. This configuration is only used in registered mode.
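The following provisioner block is an added example, not code from the original page or from the plugin's own documentation. It shows every option listed above in one registered-mode configuration. The asset_name expression and the annotation keys are assumptions chosen for illustration; the var.zone, var.image_prefix and local.timestamp references assume the template used later in this tutorial, and registered mode assumes MONDOO_CONFIG_BASE64 is set in the environment that runs packer build.

```hcl
# Added example: a registered-mode cnspec provisioner using every documented option.
# Assumes var.zone, var.image_prefix and local.timestamp from this tutorial's template,
# and that MONDOO_CONFIG_BASE64 is exported before packer build runs.
provisioner "cnspec" {
  # Fail the build when the scan score drops below 80/100 ...
  score_threshold = 80

  # ... unless on_failure is "continue": then the build (and the image) still
  # completes and only the scan output shows the failed gate. Remove this line
  # to make the threshold a hard gate.
  on_failure = "continue"

  # Checks such as reading /etc/ssh/sshd_config need root on the build instance.
  sudo {
    active = true
  }

  # Registered mode only. Name the asset after the image so the Mondoo
  # Platform inventory entry matches the image in Google Cloud (assumed naming).
  asset_name = "${var.image_prefix}-${local.timestamp}"

  # Registered mode only. Assumed annotation keys for tracking where the
  # asset came from.
  annotations = {
    builder      = "googlecompute"
    zone         = var.zone
    source_image = "ubuntu-pro-2004-focal-v20220627a"
  }
}
```

To turn the scan into a hard gate in CI, drop on_failure = "continue" so that a score below score_threshold fails the build and no image is published.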

Register with Mondoo Platform

To configure the plugin to work in registered mode, you must first create a Base64-encoded service account. If you do not want to use custom policies or store results on Mondoo Platform, you can skip this step.

To create a Base64-encoded service account:

  1. Navigate to the space you want to create a service account in.
  2. Select Settings followed by Service Accounts.
  3. Select ADD ACCOUNT.
  4. Check the Base64-encoded box to Base64-encode the credentials.
  5. Select GENERATE NEW CREDENTIALS.
  6. Copy the Base64-encoded credentials to the clipboard.
  7. Open a terminal and run:
export MONDOO_CONFIG_BASE64=<paste Base64-encoded token>

Treat this value as a secret: it authenticates to your Mondoo Platform space. Keep it in the environment of the machine running Packer, not in the template or in version control.

Google Cloud setup

Before building an image, you must install the Google Cloud SDK and authenticate using User Application Default Credentials. You don't need to specify an account file if you are using this method. The user or service account must have these roles:

To learn more about creating service accounts, read Create and manage service accounts in the Google Cloud documentation.

tip

You can find more authentication methods for the googlecompute builder in the Packer documentation.

Configure the Google Cloud project

You must create machine images within a Google Cloud project. Run gcloud projects list to get a list of the projects you have access to, or run gcloud projects create to create a new project to build your images in.

Enable the required APIs

Enable these APIs in the project:

gcloud services enable sourcerepo.googleapis.com
gcloud services enable compute.googleapis.com
gcloud services enable servicemanagement.googleapis.com
gcloud services enable storage-api.googleapis.com

Run Packer

A Packer template is a configuration file that defines the image you want to build and how to build it. Packer templates use the HashiCorp Configuration Language (HCL).

Create a new directory named mondoo_packer. This directory will contain your Packer template for this tutorial.

mkdir mondoo_packer

Navigate into the directory.

cd mondoo_packer

Ubuntu 20.04 Packer template

Create a file gcp-ubuntu2004.pkr.hcl, add this HCL block to it, and save the file.

packer {
  required_plugins {
    googlecompute = {
      version = ">= 1.0.0"
      source  = "github.com/hashicorp/googlecompute"
    }
    cnspec = {
      version = ">= 6.1.3"
      source  = "github.com/mondoohq/cnspec"
    }
  }
}

variable "zone" {
  default     = "us-east5-a"
  description = "GCP zone to build the image in"
}

variable "project_id" {
  type        = string
  description = "GCP Project ID to build the image in"
}

variable "image_prefix" {
  type        = string
  description = "Prefix to be applied to image name"
  default     = "cnspec-tested-ubuntu-2004"
}

locals { timestamp = regex_replace(timestamp(), "[- TZ:]", "") }

source "googlecompute" "ubuntu2004" {
  image_name              = "${var.image_prefix}-${local.timestamp}"
  machine_type            = "e2-small"
  source_image            = "ubuntu-pro-2004-focal-v20220627a"
  ssh_username            = "packer"
  temporary_key_pair_type = "rsa"
  temporary_key_pair_bits = 2048
  zone                    = var.zone
  project_id              = var.project_id
}

build {
  sources = ["source.googlecompute.ubuntu2004"]

  provisioner "shell" {
    inline = [
      "echo Hello From ${source.type} ${source.name}"
    ]
  }

  provisioner "cnspec" {
    score_threshold = 80
    on_failure      = "continue"
    sudo {
      active = true
    }
  }
}

This is a complete Packer template that you will use to build an Ubuntu 20.04 image in the us-east5-a zone. The following sections review each block of this template in more detail.

Configure template variables

The template provides a variables section used to configure the builds.

info

To learn about the various options to override variables set in the Packer template, see Setting Variables in the HashiCorp Packer documentation.

Zone

By default the template will build the image in GCP's us-east5-a zone:

variable "zone" {
default = "us-east5-a"
description = "GCP zone to build the image in"
}

Project ID

You must set the project_id variable with the ID of the project from your GCP account:

variable "project_id" {
type = string
description = "GCP Project ID to build the image in"
}

Image prefix

By default the template will create the VM image using a default naming prefix of cnspec-tested-ubuntu-2004. You can override this with the image_prefix variable:

variable "image_prefix" {
type = string
description = "Prefix to be applied to image name"
default = "cnspec-tested-ubuntu-2004"
}

Initialize the Packer configuration

Initialize your Packer configuration.

packer init gcp-ubuntu2004.pkr.hcl

Executing packer init instructs Packer to download the plugins defined in the required_plugins section of the template. Plugins are typically downloaded to the ~/.packer.d/plugins directory. You can run packer init as many times as you like. If you already have the plugins you need, Packer exits without producing any output.

Build the Packer image

Build the image with the packer build command. Because the project_id variable has no default, pass it on the command line with -var (or set it in the PKR_VAR_project_id environment variable); otherwise Packer stops with an unset variable error. Packer prints output similar to what is shown below.

packer build -var "project_id=<your-project-id>" gcp-ubuntu2004.pkr.hcl
<image-name>: output will be in this color.

==> <image-name>: Checking image does not exist...
==> <image-name>: Creating temporary RSA SSH key for instance...
==> <image-name>: Using image: ubuntu-pro-2004-focal-v20220627a
==> <image-name>: Creating instance...
<image-name>: Loading zone: us-east5-a
<image-name>: Loading machine type: e2-small
<image-name>: Requesting instance creation...
<image-name>: Waiting for creation operation to complete...
<image-name>: Instance has been created!
==> <image-name>: Waiting for the instance to become running...
<image-name>: IP: 34.162.0.117
==> <image-name>: Using SSH communicator to connect: 34.162.0.117
==> <image-name>: Waiting for SSH to become available...
...
<image-name>:
<image-name>:
<image-name>: Summary
<image-name>: ========================
<image-name>:
<image-name>: Target: cnspec-tested-ubuntu-2004-20220630154951
<image-name>: Score: A 86/100 (100% completed)
<image-name>: ✓ Passed: ███████ 49% (80)
<image-name>: ✕ Failed: ██████ 37% (61)
<image-name>: ! Errors: ██ 14% (23)
<image-name>: » Skipped: 0% (0)
<image-name>:
<image-name>: Policies:
<image-name>: A 100 Platform End-of-Life Policy by Mondoo
<image-name>: A 100 Platform Vulnerability Policy by Mondoo
<image-name>:
<image-name>: Report URL: https://console.mondoo.com/space/inventory/<space>
==> <image-name>: Deleting instance...
<image-name>: Instance has been deleted!
==> <image-name>: Creating image...
==> <image-name>: Deleting disk...
<image-name>: Disk has been deleted!
Build '<image-name>' finished after 5 minutes 46 seconds.

View the scan results in STDOUT

During the build process you will see scan results similar to this:

<image-name>: Summary
<image-name>: ========================
<image-name>:
<image-name>: Target: cnspec-tested-ubuntu-2004-20220630154951
<image-name>: Score: A 86/100 (100% completed)
<image-name>: ✓ Passed: ███████ 49% (80)
<image-name>: ✕ Failed: ██████ 37% (61)
<image-name>: ! Errors: ██ 14% (23)
<image-name>: » Skipped: 0% (0)
<image-name>:
<image-name>: Policies:
<image-name>: A 100 Platform End-of-Life Policy by Mondoo
<image-name>: A 100 Platform Vulnerability Policy by Mondoo
<image-name>:
<image-name>: Report URL: https://console.mondoo.com/space/inventory/<space>

View the report in Mondoo Platform

In registered mode, Packer plugin cnspec sends the scan results to your space in Mondoo Platform. To view the scan report in the Mondoo Console, go to INVENTORY and find the report for your build. You might need to refresh your browser.

Mondoo scan report from HashiCorp Packer build

View the control details

Select the Controls tab.

Controls tab in a Mondoo scan report from HashiCorp Packer build

Expand any of the checks in the policies that ran against your build to show additional documentation, audit, and remediation steps:

Control details in a Mondoo scan result

View the image in the Google Cloud Console

After running the example above, you can find the new image under Compute Engine > Storage > Images in the Google Cloud Console.

Mondoo secure base image in GCP Cloud Console

Next steps

In this tutorial, you built a Google Cloud machine image and scanned it for vulnerabilities and misconfigurations with cnspec. Although this tutorial ran only one policy, you should now have a general idea of how Packer plugin cnspec works, and you should be ready to add additional policies to your builds.

The GitHub repository for Packer plugin cnspec contains additional templates for other platforms and cloud environments.