Vulnerability management CI flow:
This is an automation of the work provided © Microsoft Security-baseline-FINAL-for-Windows-10-v1809-and-Windows-Server
How is this run? See the .drone.yml job section
- A Bash shell Script: https://github.com/gjyoung1974/hardened-windows-server/blob/master/windows-packer/build.sh
- The Packer script: https://github.com/gjyoung1974/hardened-windows-server/blob/master/windows-packer/gcp_hardened_windows_server.json
- Windows Automation scripting Which applies Windows "Security Hardening" GPOS to the instance: https://github.com/gjyoung1974/hardened-windows-server/blob/master/windows-packer/builder/benchmark-gpos/Local_Script/BaselineLocalInstall.ps1
The basic flow is:
- The CI pipeline ".drone.yml" calls ./windows-packer/build.sh << in this case we are using Drone.io << (Is portable to whatever Docker based CICD tooling you require)
build.sh
(a) sets environment variables, (b) performs some utility functionsbuild.sh
then runs "$ packer build ./windows-packer/gcp_hardened_windows_server.json"- The packer "script" (json config) pushes & executes several Windows automation scripts (powershell & others)
- The windows automation scripts are located in ./builder/setup-scripts
- Sysprep: The final thing packer executes is Windows Sysprep, not one we provide, but the sysprep configuuration that is "baked" into the GCP source image.
For the sake of giving a simplified example, a QEMU packer builder script is included.
- See ./windows-packer/gcp_hardened_windows_server.json
- The qemu builder script allows you to run the packer locally on a *nix machine (Mac/Linux) with QEMU installed
- Building locally allows you to observe the workflow without the complexity of CICD and the cloud provider
- Save time and debugging effort by testing things locally
ENV ADMIN_PWD_CIPHERTEXT
ENV ARTIFACT_BUCKET
ENV GCLOUD_SERVICE_KEY
ENV GOOGLE_APPLICATION_CREDENTIALS
Provide the path the the aformentioned service account JSON file within the docker container for your build system.
ENV GOOGLE_COMPUTE_ZONE
ENV GOOGLE_PROJECT_ID
ENV GCP_NETWORK_ID
ENV GCP_SUBNET_ID
ENV SECRETS_KEYRING
ENV SECRETS_KEY