Mondoo Packer Provisioner

Mondoo ships a Packer provisioner that scans the machine image for vulnerable packages while Packer is building it, so known vulnerabilities are caught before the image is published or deployed.

Install Mondoo Packer Provisioner

The Mondoo Packer Provisioner depends on:

  • Packer
  • Mondoo Agent (the mondoo CLI), installed and registered with your Mondoo space

The provisioner plugin may be installed via:

  • Precompiled binary

NOTE: Packer 1.7 introduced a breaking change for plugins. Therefore, provisioner versions 1.1.0 and later require Packer 1.7 or later.

Install packer plugin from binary

To install the precompiled binary, download the appropriate package from Mondoo and place the binary in Packer's plugin directory, ~/.packer.d/plugins (Linux, Mac) or %USERPROFILE%/packer.d/plugins (Windows). The other locations Packer searches for plugins are documented on the Packer website.

The following simplifies the installation:

Linux

# ensure packer plugin directory
mkdir -p ~/.packer.d/plugins
cd ~/.packer.d/plugins

# download the latest release for linux; the archive contains the packer-provisioner-mondoo binary
curl -fsSL https://releases.mondoo.io/packer-provisioner-mondoo/latest.json | jq -r '.files[] | select(.platform=="linux").filename' | xargs -n 1 curl -fsSL | tar -xz

# download a specific version
curl -fsSL https://releases.mondoo.io/packer-provisioner-mondoo/1.1.0/packer-provisioner-mondoo_linux_amd64.tar.gz | tar -xz

# set the permissions
chmod +x packer-provisioner-mondoo

Mac

# ensure packer plugin directory
mkdir -p ~/.packer.d/plugins
cd ~/.packer.d/plugins

# download the latest release for darwin; the archive contains the packer-provisioner-mondoo binary
curl -fsSL https://releases.mondoo.io/packer-provisioner-mondoo/latest.json | jq -r '.files[] | select(.platform=="darwin").filename' | xargs -n 1 curl -fsSL | tar -xz

# download a specific version
curl -fsSL https://releases.mondoo.io/packer-provisioner-mondoo/1.1.0/packer-provisioner-mondoo_darwin_amd64.tar.gz | tar -xz

# set the permissions
chmod +x packer-provisioner-mondoo

Windows

Download the binary from the Mondoo releases page and put it in the same directory as your packer executable.

# This script requires powershell
Invoke-WebRequest 'https://releases.mondoo.io/packer-provisioner-mondoo/1.1.0/packer-provisioner-mondoo_windows_amd64.zip' -OutFile 'packer-provisioner-mondoo_windows_amd64.zip'

# extract zip and place it in the same path as packer
Expand-Archive -LiteralPath packer-provisioner-mondoo_windows_amd64.zip
Copy-Item ./packer-provisioner-mondoo_windows_amd64/packer-provisioner-mondoo.exe ((Get-Command packer).Source | Split-Path)

# clean up
Remove-Item -Recurse -Force .\packer-provisioner-mondoo_windows_amd64
Remove-Item packer-provisioner-mondoo_windows_amd64.zip
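The snippets above download a plugin binary over TLS and run it without checking what arrived. The shell helper below is an added example, not part of Mondoo's release tooling: it installs a Linux or Mac plugin archive only after the archive's SHA-256 digest matches a value you recorded from a trusted source. The function name verify_and_install, the expected digest and the assumption that the archive holds a single file named packer-provisioner-mondoo are all assumptions of this example; the page does not document a published checksum, so obtain the digest out of band (for example from a previously vetted download) before relying on it.

```shell
#!/usr/bin/env sh
# Added example (not Mondoo's tooling): install the plugin archive only after
# its SHA-256 matches a digest obtained out of band. Assumptions: the archive
# contains a file named packer-provisioner-mondoo, and you already hold the
# expected digest for the exact version you are installing.

# Print the hex SHA-256 of a file; works on Linux (sha256sum) and macOS (shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_and_install ARCHIVE EXPECTED_SHA256 DEST_DIR
# On a matching digest, extracts packer-provisioner-mondoo into DEST_DIR,
# marks it executable and returns 0. On a mismatch it returns 1 before
# creating or writing anything, so a tampered or truncated download is never
# placed where Packer would load it.
verify_and_install() {
  archive=$1
  expected=$2
  dest=$3
  actual=$(sha256_of "$archive") || return 1
  if [ "$actual" != "$expected" ]; then
    echo "refusing to install $archive: sha256 $actual does not match $expected" >&2
    return 1
  fi
  mkdir -p "$dest" || return 1
  tar -xzf "$archive" -C "$dest" packer-provisioner-mondoo || return 1
  chmod +x "$dest/packer-provisioner-mondoo"
}

# Typical use, pinning the version together with its digest (the digest
# argument is a placeholder you must replace, not a real release value):
#   curl -fsSL -o /tmp/ppm.tar.gz https://releases.mondoo.io/packer-provisioner-mondoo/1.1.0/packer-provisioner-mondoo_linux_amd64.tar.gz
#   verify_and_install /tmp/ppm.tar.gz "<expected sha256>" ~/.packer.d/plugins
```

Pinning a version plus a digest, rather than following latest.json, also gives your image builds a reproducible toolchain: a changed upstream artifact fails the check instead of silently altering what scans your images.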

Verifying the Installation

After installing Packer, the Mondoo Agent and the Mondoo Packer Provisioner plugin, run the following commands to check that everything is configured properly:

$ packer
Usage: packer [--version] [--help] <command> [<args>]

Available commands are:
    build       build image(s) from template
    console     creates a console for testing variable interpolation
    fix         fixes templates from old versions of packer
    inspect     see components of a template
    validate    check that a template is valid
    version     Prints the Packer version

$ mondoo status
  →  mondoo cloud: https://api.mondoo.app
  →  space: //captain.api.mondoo.app/spaces/focused-darwin-833545
  →  agent is registered
  ✔  agent //agents.api.mondoo.app/spaces/focused-darwin-833545/agents/1NairOj7L1Gi7BMQqPbBO4LAQ2v authenticated successfully

If either command fails, make sure the packer and mondoo binaries are on your PATH, the plugin binary sits in a directory Packer searches, and the agent is registered with your Mondoo space.

Basic Example

The following example is fully functional and builds and scans an image on DigitalOcean. The API token is read from the environment so that it is not stored in the template file.

{
  "provisioners": [
    {
      "type": "mondoo"
    }
  ],

  "builders": [
    {
      "type": "digitalocean",
      "api_token": "{{env `DIGITALOCEAN_TOKEN`}}",
      "image": "ubuntu-18-04-x64",
      "ssh_username": "root",
      "region": "nyc1",
      "size": "s-4vcpu-8gb"
    }
  ]
}

Export your DigitalOcean API token as DIGITALOCEAN_TOKEN and run packer:

packer build do-ubuntu.json

Mondoo Packer Provisioner Configuration Reference

Required Parameters:

  • none

Optional Parameters:

  • on_failure (string) - By default the provisioner fails the build when the scan finds vulnerabilities. If on_failure is set to continue, the build continues and the findings are only reported.

    "on_failure": "continue",

  • labels (map of string) - Custom labels are attached to the asset report in Mondoo. This eases finding the report for a given build later, for example by AMI name.

    "labels": {
      "mondoo.app/ami-name":  "{{user `ami_name`}}",
      "name":"Packer Builder",
      "custom_key":"custom_value"
    }

Debugging:

To get verbose output from the Mondoo scan, set debug to true on the provisioner:

{
  "type": "mondoo",
  "debug": true
}

AWS AMI Image Build and Scan Example

This example illustrates the combination of Packer and Mondoo to build an AMI. The source for this example is available on GitHub, where further examples, e.g. for DigitalOcean, can be found as well.

Packer Template

The following Packer template is a simple example that builds on top of the official Ubuntu image, runs a shell provisioner and then a Mondoo vulnerability scan.

{
  "variables": {
    "aws_access_key": "{{env `AWS_ACCESS_KEY_ID`}}",
    "aws_secret_key": "{{env `AWS_SECRET_ACCESS_KEY`}}",
    "ami_name": "mondoo-example {{timestamp}}"
  },
  "builders": [{
    "type": "amazon-ebs",
    "access_key": "{{user `aws_access_key`}}",
    "secret_key": "{{user `aws_secret_key`}}",
    "region": "us-east-1",
    "source_ami_filter": {
      "filters": {
        "virtualization-type": "hvm",
        "name": "ubuntu/images/*ubuntu-xenial-16.04-amd64-server-*",
        "root-device-type": "ebs"
      },
      "owners": ["099720109477"],
      "most_recent": true
    },
    "instance_type": "t2.micro",
    "ssh_username": "ubuntu",
    "ami_name": "{{user `ami_name`}}"
  }],
  "provisioners": [
    {
      "type": "shell",
      "inline":[
          "ls -al /home/ubuntu"
      ]
    },
    {
      "type": "mondoo",
      "on_failure": "continue",
      "labels": {
        "mondoo.app/ami-name":  "{{user `ami_name`}}",
        "name":"Packer Builder",
        "custom_key":"custom_value"
      }
    }
  ]
}

The simplest configuration for mondoo would be:

{
  "type": "mondoo"
}

The additional on_failure setting allows Packer to continue even if Mondoo found vulnerabilities; without it, findings fail the build. The labels help you identify the AMI's report in Mondoo later. To verify the template, run packer validate:

$ packer validate example.json
Template validated successfully.

Packer Build

Once the template validates, we can build the image. Because this example builds an AMI, Packer needs AWS credentials to launch the temporary instance; as the DigitalOcean example above shows, the same provisioner works with other builders such as other cloud providers or Vagrant.

Now, set the AWS credentials in the environment (the values below are placeholders; use credentials scoped to what the build needs):

export AWS_ACCESS_KEY_ID=MYACCESSKEYID
export AWS_SECRET_ACCESS_KEY=MYSECRETACCESSKEY

and start the packer build:

$ packer build example.json

amazon-ebs output will be in this color.
==> amazon-ebs: Prevalidating AMI Name: mondoo-example 1562326441
    amazon-ebs: Found Image ID: ami-0cfee17793b08a293
==> amazon-ebs: Creating temporary keypair: packer_5d1f35a9-bf28-ad76-be7b-a7d1ba0b1a28
==> amazon-ebs: Creating temporary security group for this instance: packer_5d1f35ad-5e30-7a62-7142-05d3371896a9
==> amazon-ebs: Authorizing access to port 22 from [0.0.0.0/0] in the temporary security groups...
==> amazon-ebs: Launching a source AWS instance...
==> amazon-ebs: Adding tags to source instance
    amazon-ebs: Adding tag: "Name": "Packer Builder"
    amazon-ebs: Instance ID: i-077464c074ab682fe
==> amazon-ebs: Waiting for instance (i-077464c074ab682fe) to become ready...
==> amazon-ebs: Using ssh communicator to connect: 54.234.154.92
==> amazon-ebs: Waiting for SSH to become available...
==> amazon-ebs: Connected to SSH!
==> amazon-ebs: Provisioning with shell script: /var/folders/wb/1643zzzx3xn8sdnn0fph19_r0000gn/T/packer-shell496967260
    amazon-ebs: total 28
    amazon-ebs: drwxr-xr-x 4 ubuntu ubuntu 4096 Jul  5 11:34 .
    amazon-ebs: drwxr-xr-x 3 root   root   4096 Jul  5 11:34 ..
    amazon-ebs: -rw-r--r-- 1 ubuntu ubuntu  220 Aug 31  2015 .bash_logout
    amazon-ebs: -rw-r--r-- 1 ubuntu ubuntu 3771 Aug 31  2015 .bashrc
    amazon-ebs: drwx------ 2 ubuntu ubuntu 4096 Jul  5 11:34 .cache
    amazon-ebs: -rw-r--r-- 1 ubuntu ubuntu  655 May  9 20:20 .profile
    amazon-ebs: drwx------ 2 ubuntu ubuntu 4096 Jul  5 11:34 .ssh
==> amazon-ebs: Running mondoo vulnerability scan...
==> amazon-ebs: Executing Mondoo: [mondoo scan]
    amazon-ebs: Start vulnerability scan:
  →  detected automated runtime environment: Unknown CI
    amazon-ebs: 1:34PM INF ssh uses scp (beta) instead of sftp for file transfer transport=ssh
  →  verify platform access to ssh://chartmann@127.0.0.1:55661
  →  gather platform details................................
  →  detected ubuntu 16.04
  →  gather platform packages for vulnerability scan
  →  found 453 packages
    amazon-ebs:   →  analyse packages for vulnerabilities
    amazon-ebs: Advisory Report:
    amazon-ebs:   ■         PACKAGE                     INSTALLED               VULNERABLE (<)  ADVISORY
    amazon-ebs:   ■    9.8  linux-image-4.4.0-1087-aws  4.4.0-1087.98                           https://mondoo.app/advisories/
    amazon-ebs:   ├─  9.8  linux-image-4.4.0-1087-aws  4.4.0-1087.98                           https://mondoo.app/advisories/
    amazon-ebs:   ├─  8.8  linux-image-4.4.0-1087-aws  4.4.0-1087.98                           https://mondoo.app/advisories/
    amazon-ebs:   ├─  8.1  linux-image-4.4.0-1087-aws  4.4.0-1087.98                           https://mondoo.app/advisories/
    amazon-ebs:   ├─  7.8  linux-image-4.4.0-1087-aws  4.4.0-1087.98                           https://mondoo.app/advisories/
    amazon-ebs:   ├─  7.8  linux-image-4.4.0-1087-aws  4.4.0-1087.98                           https://mondoo.app/advisories/
    amazon-ebs:   ├─  7.8  linux-image-4.4.0-1087-aws  4.4.0-1087.98                           https://mondoo.app/advisories/
    amazon-ebs:   ├─  7.8  linux-image-4.4.0-1087-aws  4.4.0-1087.98                           https://mondoo.app/advisories/
    amazon-ebs:   ├─  7.8  linux-image-4.4.0-1087-aws  4.4.0-1087.98                           https://mondoo.app/advisories/
    amazon-ebs:   ├─  7.8  linux-image-4.4.0-1087-aws  4.4.0-1087.98                           https://mondoo.app/advisories/
...
  →  ■  found 70 advisories: 2 critical, 14 high, 26 medium, 3 low, 25 none, 0 unknown
  →  report is available at https://mondoo.app/v/serene-dhawan-599345/focused-darwin-833545/reports/1NakGz6ysD1MzEGT8hRJ6wow6ZQ
==> amazon-ebs: Stopping the source instance...
    amazon-ebs: Stopping instance
==> amazon-ebs: Waiting for the instance to stop...
==> amazon-ebs: Creating AMI mondoo-example 1562326441 from instance i-077464c074ab682fe
    amazon-ebs: AMI: ami-0cb9729eaa3f53209
==> amazon-ebs: Waiting for AMI to become ready...

The scan reported 70 advisories, 2 of them critical, yet the build went on to create the AMI: that is the effect of "on_failure": "continue" in the template. Remove that setting if a vulnerable image should fail the build instead of merely being reported. Note also that Packer opened port 22 to 0.0.0.0/0 on the temporary security group for the build instance; the amazon-ebs builder's temporary_security_group_source_cidrs option restricts that to the addresses Packer actually connects from.

Uninstall

You can uninstall the provisioner by removing the binary. On Windows, delete packer-provisioner-mondoo.exe from the directory that holds packer.exe.

# linux & mac
rm ~/.packer.d/plugins/packer-provisioner-mondoo
