___ _ _ , __
/ (_)| | | | | /|/ \o
\__ | | __| _ ,_ | | _ ,_ ,_ |___/
/ |/ / | |/ / | |/ \_|/ / | / | | | | |
\___/|__/\_/|_/|__/ |_/\_/ |__/ |_/ |_/ \_/|/| |_/
/|
\|
A secure-by-default, self-healing, small business server for the RaspberryPi.
Security is difficult, transient, time-consuming, and expensive.
ElderberryPi enables small businesses and hobbyists alike to have enterprise-level system hardening and security controls on affordable hardware. Select the roles you want to use and feel confident they are configured securely, by default.
Have assurance that the secure state of the system is kept over time. ElderberryPi uses Ansible scripts to apply its configuration with idempotence, so the system remains unchanged unless its configuration has deviated from the acceptable state. Because the configuration is continuously reapplied every 30 minutes, this makes ElderberryPi self-healing.
Presently, the following roles are supported (but more are coming soon!):
- NTP (with support for Windows client SNTP)
- DNS (with support for AD DNS dynamic updates)
- Active Directory Domain Controller (administer with Windows AD tools)
- PXE Server (work-in-progress)
- DHCP (only for BOOTP/PXE support presently)
- Certificate Authority (via Hashicorp Vault)
- With auto-deployment of AD Group Policy for CA Root trust
- Web Server (coming soon)
- Zymbit Zymkey Hardware Security Module
- Real Time Clock support with NTP sync
- Vault auto-unseal
- Root filesystem encryption coming soon
At present, ElderberryPi has only been tested on the Raspberry Pi 4 Model B Rev 1.2 with 4 GB of RAM. A minimum of 4 GB microSD card is required. The faster the better.
It's also highly recommended that you obtain the Zymbit Zymkey 4i security module if you would like these features:
- Real Time Clock (essential for NTP and AD; you could use other hardware too)
- Root filesystem encryption at-rest
- Secure storage of CA Vault auto-unseal key
- Optional physical perimeter security
You will need both Vagrant and Ansible installed locally. Ansible is needed locally to securely provision passwords from the host during the image build steps. There unfortunately is no Ansible client for Windows, so you'll need to use Linux or macOS, which you could do in a virtual machine. Vagrant is like docker but it doesn't share the host's kernel; every Vagrant "box" is a dedicated virtual machine. Vagrant will provision a dedicated VM with all the tools and prerequisites needed for building ElderberryPi.
$ ./build.sh
Answer all the questions and select the roles you wish to enable. That's it. :)
If you need to reconfigure later, just pass the option:
$ ./build.sh --reset-config
- Vagrant will provision a Ubuntu VM and will download all the build tools including QEMU and Packer.
- Packer will download the Ubuntu 18.04 Bionic 64-bit ARM image for the Raspberry Pi 4. (We don't support 20.04 Focal because Zymbit doesn't yet support it.)
- packer-builder-arm will extract
the image, mount the filesystems, and use qemu to execute shell scripts defined in
vagrant/elderberrypi.json
in Packer provisioners. It also copies all the ansible scripts, keys, and configuration files into the image. - Packer outputs the image, ready to be flashed.
$ sudo dd if=vagrant/elderberrypi.img of=/dev/disk2 bs=4096
Be sure to change /dev/disk2
to point to your SD card.
If you have the Zymbit Zymkey 4i security module, be sure to install that per the instructions along with a CR1025 battery before powering on the Rasperry Pi unit.
Afterward, install the SD card and power on the device. Within 30 seconds you should be able to SSH into it. The IP address is what you configured. Don't forget to use the appropriate SSH key. If you generated a key, the command might look similar to this:
$ ssh -i ~/.ssh/elderberrypi.key ubuntu@192.168.2.2
Note that the default user account is ubuntu
.
To monitor ansible progress:
$ sudo tail -n 50 -f /srv/elderberrypi/elderberrypi.log
The ansible scripts will run automatically on every boot and every 30 minutes. However, you can force them to run if you'd like:
$ sudo systemctl start elderberrypi &
If systemctl sees that the service is already running, it won't try to start it again. The 30 minute timer starts at the completion of the previous script run.
It's probably easiest to just build a new image with the updated configuration. However, if you can't you can modify configuration by editing the env.yml file on the host:
$ sudo vim /srv/elderberrypi/env.yml
To add or remove roles, modify the ansible playbook file. Note that roles have dependencies so if you remove a role that is depended upon by anothe role it will remain installed anyway. Also note that removing a role just stops enforcement of its configuration. Related roles may update accordingly (ie removing the active directory role will cause the ntp role to remove the mssntp configuration) but the software and its own configuration will remain.
$ sudo vim /srv/elderberrypi/playbook.yml
Vagrant will keep the VM running on your host until you shut it down.
$ vagrant halt
If you want to completely wipe out the build environment (perhaps to rebuild from scratch or just because you don't need it anymore), run:
$ vagrant destroy
Security and compliance go hand-in-hand. In the near future we intend to migrate the CentOS security policy content to Ubuntu, leveraging OpenSCAP and other related Compliance-as-Code tools to enable ElderberryPi users to comply with DISA STIG, PCI DSS, HIPAA, and other security and privacy frameworks and regulations.
Alternatively, or perhaps in addition to the above, if RedHat releases a supported arm64 image for the Raspberry Pi and Zymbit supports it, we may migrate away from Ubuntu or offer both distributions and supported options.