Issue while building a hardened docker base os on top amazon linux:2 #12537

Open
kiran0432 opened this issue Oct 24, 2024 · 6 comments
kiran0432 commented Oct 24, 2024

Hello Team,

As per our security governance programme, we need to build a hardened Docker base OS using amazon linux:2. While I could not find any tool or software for this, I found this ComplianceAsCode project, but while using it I am getting the below error.

Error: ERROR [5/9] RUN cd /opt/scap-security-guide && make -j$(nproc) build-amazon-linux-2 && make -j$(nproc) amazon-linux-2/guides/ssg-amazon-linux-2-cis.xml

Note: This is for a container base OS, not for a standalone server (EC2 OS).

Code I am using:

# Use Amazon Linux 2 as the base image
FROM amazonlinux:2 AS build-amazon-linux-2


# Update the package manager
RUN yum update -y

# Install required packages for CIS hardening
RUN yum install -y \
    audit \
    make \
    aide \
    dconf \
    selinux-policy-targeted \
    policycoreutils-python-utils \
    iptables \
    firewalld \
    openscap-scanner \
    openscap-utils \
    libselinux-utils \
    git \
    https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

# Clone the SCAP Security Guide repository
RUN git clone https://github.com/ComplianceAsCode/content.git /opt/scap-security-guide

# Build the SCAP Security Guide content for Amazon Linux 2
RUN cd /opt/scap-security-guide && \
    make -j$(nproc) build-amazon-linux-2 && \
    make -j$(nproc) amazon-linux-2/guides/ssg-amazon-linux-2-cis.xml

# Apply the CIS hardening policies
RUN /usr/bin/oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --results-arf /opt/cis-results.xml /opt/scap-security-guide/build/amazon-linux-2/guides/ssg-amazon-linux-2-cis.xml

# Verify the CIS hardening policies
RUN /usr/bin/oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis /opt/scap-security-guide/build/amazon-linux-2/guides/ssg-amazon-linux-2-cis.xml

# Clean up the package manager
RUN yum clean all

# Set the working directory
@kiran0432 (Author)

Can you guys help me to build a hardened container base operating system, or suggest to me if there is any solution for the above issues.


Mab879 commented Oct 24, 2024

Thanks for reaching out, this repo doesn't contain any support for Amazon Linux 2. Amazon adds this content during their build process. My suggestion would be to use the content from the scap-security-guide package in Amazon Linux 2.

I will note that we do have content for Amazon Linux 2023 in this repo.

@kiran0432 (Author)

Hi, I am a little bit confused... when you say "My suggestion would be to use the content from the scap-security-guide package in Amazon Linux 2.", can you elaborate more? I am setting this up newly, so I am not sure about that part.

@kiran0432 (Author)

Also, is there any possibility that, though we are using AL2 as the base image in the Dockerfile, we can use RHEL9 content to scan CIS benchmarks for AL2, since it is mostly a RHEL/CentOS flavour?


Mab879 commented Oct 25, 2024

The scap-security-guide package installed with yum places the data stream XML files in /usr/share/xml/scap/ssg/content/. There should be a data stream for Amazon Linux 2 there.

You can't use RHEL content for Amazon Linux 2 since all data streams check if they are on the correct operating system. If they are not, all checks will result in "Not Applicable". I will note that AL2 is more like RHEL7 than RHEL9.
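The approach Mab879 describes, as an added example that is not part of the issue or of the ComplianceAsCode project: install the distribution's own scap-security-guide package, pick the data stream in /usr/share/xml/scap/ssg/content/ that matches the OS from /etc/os-release, and run the CIS profile against it. The package names and the data-stream filename ssg-amzn2-ds.xml are assumptions derived from the os-release ID and major version, not values stated in the thread.

```shell
# Added example (not from the issue or the ComplianceAsCode project): locate the
# scap-security-guide data stream shipped by the distro's own package and
# evaluate its CIS profile, as Mab879 suggests above.
#
# Assumptions (labelled): `yum install -y scap-security-guide openscap-scanner`
# puts the files under /usr/share/xml/scap/ssg/content/, and the Amazon Linux 2
# data stream is named ssg-amzn2-ds.xml (ID + major VERSION_ID from os-release).
set -u

# Build the expected data-stream basename from an os-release file:
# ID=amzn VERSION_ID=2 -> ssg-amzn2-ds.xml, ID=rhel VERSION_ID=7.9 -> ssg-rhel7-ds.xml
ds_name_for_os_release() {
    local os_release="$1" id version
    id=$(sed -n 's/^ID=//p' "$os_release" | tr -d '"')
    version=$(sed -n 's/^VERSION_ID=//p' "$os_release" | tr -d '"' | cut -d. -f1)
    printf 'ssg-%s%s-ds.xml\n' "$id" "$version"
}

# Print the path of the data stream matching the running OS, or list what the
# directory actually holds and return 1 (the situation in this issue).
find_data_stream() {
    local content_dir="$1" os_release="$2" candidate
    candidate="$content_dir/$(ds_name_for_os_release "$os_release")"
    if [ -f "$candidate" ]; then
        printf '%s\n' "$candidate"
        return 0
    fi
    echo "no data stream for this OS in $content_dir; available:" >&2
    ls "$content_dir"/ssg-*-ds.xml >&2 2>/dev/null || echo "  (none)" >&2
    return 1
}

# Scan the host with its own content. Content built for another distribution
# fails the CPE platform check, so every rule would come back "Not Applicable".
scan_cis() {
    local ds
    ds=$(find_data_stream /usr/share/xml/scap/ssg/content /etc/os-release) || return 1
    oscap info "$ds"    # lists the profile IDs the stream offers
    oscap xccdf eval \
        --profile xccdf_org.ssgproject.content_profile_cis \
        --results-arf /opt/cis-results.xml \
        --report /opt/cis-report.html \
        "$ds"
}
```

In a Dockerfile this replaces the upstream `git clone` and `make` steps: install the package, then `RUN scan_cis` with `--remediate` left off, since a container image is hardened at build time rather than at scan time and the report shows which rules still apply inside a container.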

@kiran0432 (Author)

Can you help me with how to check this "/usr/share/xml/scap/ssg/content/", as I cannot find it?
