feat: organize into ami build and deployed

Author: samrose

ansible/files/cis_baseline_check.sh

@@ -8,7 +8,7 @@
 
 set -euo pipefail
 
-BASELINES_DIR="${1:-/tmp/ansible-playbook/audit-specs/baselines}"
+BASELINES_DIR="${1:-/tmp/ansible-playbook/audit-specs/baselines/ami-build}"
 
 echo "============================================================"
 echo "Baseline Validation"

ansible/playbook.yml

@@ -223,7 +223,7 @@
     - name: Run CIS baseline validation
       become: yes
       shell: |
-        /bin/bash /tmp/ansible-playbook/ansible/files/cis_baseline_check.sh /tmp/ansible-playbook/audit-specs/baselines
+        /bin/bash /tmp/ansible-playbook/ansible/files/cis_baseline_check.sh /tmp/ansible-playbook/audit-specs/baselines/ami-build
       when: stage2_nix
 
     - name: Remove supascan after validation

audit-specs/baselines/ami-build/group.yml

@@ -0,0 +1,89 @@
+# Group baseline for AMI build
+# Checks that critical system and application groups exist
+# GIDs may vary between builds - only checking existence
+group:
+  # System groups
+  root:
+    exists: true
+  sudo:
+    exists: true
+  adm:
+    exists: true
+  admin:
+    exists: true
+  users:
+    exists: true
+  nogroup:
+    exists: true
+  ubuntu:
+    exists: true
+
+  # PostgreSQL ecosystem
+  postgres:
+    exists: true
+  pgbouncer:
+    exists: true
+  wal-g:
+    exists: true
+  ssl-cert:
+    exists: true
+
+  # Supabase services
+  gotrue:
+    exists: true
+  postgrest:
+    exists: true
+  adminapi:
+    exists: true
+  kong:
+    exists: true
+  envoy:
+    exists: true
+  nginx:
+    exists: true
+  vector:
+    exists: true
+  supabase-admin-agent:
+    exists: true
+
+  # System service groups
+  messagebus:
+    exists: true
+  systemd-network:
+    exists: true
+  systemd-resolve:
+    exists: true
+  systemd-timesync:
+    exists: true
+  systemd-journal:
+    exists: true
+  polkitd:
+    exists: true
+  tcpdump:
+    exists: true
+  _ssh:
+    exists: true
+  salt:
+    exists: true
+
+  # Nix
+  nixbld:
+    exists: true
+
+  # Other system groups
+  disk:
+    exists: true
+  tty:
+    exists: true
+  audio:
+    exists: true
+  video:
+    exists: true
+  plugdev:
+    exists: true
+  netdev:
+    exists: true
+  lxd:
+    exists: true
+  crontab:
+    exists: true

audit-specs/baselines/ami-build/mount.yml

@@ -0,0 +1,34 @@
+# Mount baseline for AMI build
+# Only checks that critical mounts exist with correct filesystem type
+# Mount options vary by kernel version and environment - not checked
+mount:
+  /:
+    exists: true
+    filesystem: ext4
+  /boot/efi:
+    exists: true
+    filesystem: vfat
+  /data:
+    exists: true
+    filesystem: ext4
+  /dev:
+    exists: true
+    filesystem: devtmpfs
+  /dev/pts:
+    exists: true
+    filesystem: devpts
+  /dev/shm:
+    exists: true
+    filesystem: tmpfs
+  /proc:
+    exists: true
+    filesystem: proc
+  /run:
+    exists: true
+    filesystem: tmpfs
+  /sys:
+    exists: true
+    filesystem: sysfs
+  /sys/fs/cgroup:
+    exists: true
+    filesystem: cgroup2

audit-specs/baselines/ami-build/package.yml

@@ -0,0 +1,111 @@
+# Package baseline for AMI build
+# Only checks that critical packages are installed - no version checks
+# Version drift is expected between builds
+package:
+  # Core system
+  bash:
+    installed: true
+  coreutils:
+    installed: true
+  systemd:
+    installed: true
+  systemd-sysv:
+    installed: true
+  apt:
+    installed: true
+  dpkg:
+    installed: true
+
+  # Security
+  apparmor:
+    installed: true
+  apparmor-utils:
+    installed: true
+  auditd:
+    installed: true
+  fail2ban:
+    installed: true
+  ufw:
+    installed: true
+  nftables:
+    installed: true
+  ca-certificates:
+    installed: true
+  openssl:
+    installed: true
+
+  # Networking
+  openssh-server:
+    installed: true
+  curl:
+    installed: true
+  wget:
+    installed: true
+  iproute2:
+    installed: true
+
+  # Cloud
+  cloud-init:
+    installed: true
+  cloud-guest-utils:
+    installed: true
+  ec2-instance-connect:
+    installed: true
+  amazon-ec2-utils:
+    installed: true
+
+  # PostgreSQL ecosystem (installed via nix, but system deps needed)
+  libpq5:
+    installed: true
+
+  # Supabase components
+  vector:
+    installed: true
+
+  # Build/runtime dependencies
+  locales:
+    installed: true
+  acl:
+    installed: true
+  sudo:
+    installed: true
+  logrotate:
+    installed: true
+  sysstat:
+    installed: true
+  acpid:
+    installed: true
+  at:
+    installed: true
+  cron:
+    installed: true
+
+  # Grub/boot
+  grub-common:
+    installed: true
+  grub-efi-arm64:
+    installed: true
+  efibootmgr:
+    installed: true
+  initramfs-tools:
+    installed: true
+
+  # Filesystem
+  e2fsprogs:
+    installed: true
+  gdisk:
+    installed: true
+
+  # Python (needed for ansible and scripts)
+  python3:
+    installed: true
+
+  # Compression
+  gzip:
+    installed: true
+  bzip2:
+    installed: true
+  xz-utils:
+    installed: true
+  zstd:
+    installed: true

audit-specs/baselines/ami-build/service.yml

@@ -0,0 +1,136 @@
+# Service baseline for AMI build
+# Only checks that critical services exist - not their enabled/running state during build
+# Services are configured but many are stopped during AMI build process
+service:
+  # Core system services (should be running during build)
+  cron:
+    enabled: true
+    running: true
+  cloud-config:
+    enabled: true
+    running: true
+  cloud-final:
+    enabled: true
+    running: true
+  cloud-init:
+    enabled: true
+    running: true
+  cloud-init-local:
+    enabled: true
+    running: true
+  systemd-resolved:
+    enabled: true
+    running: true
+  systemd-timesyncd:
+    enabled: true
+    running: true
+  ufw:
+    enabled: true
+    running: true
+  unattended-upgrades:
+    enabled: true
+    running: true
+  sysstat:
+    enabled: true
+    running: true
+  nix-daemon:
+    enabled: false
+    running: true
+  nftables:
+    enabled: false
+    running: true
+  ssh:
+    enabled: false
+    running: true
+  atd:
+    enabled: true
+    running: true
+  getty@tty1:
+    enabled: true
+    running: true
+  grub-common:
+    enabled: true
+    running: false
+  grub-initrd-fallback:
+    enabled: true
+    running: false
+  hibinit-agent:
+    enabled: true
+    running: false
+  ec2-instance-connect-harvest-hostkeys:
+    enabled: true
+    running: false
+  networkd-dispatcher:
+    enabled: true
+    running: false
+  systemd-pstore:
+    enabled: true
+    running: false
+  e2scrub_reap:
+    enabled: true
+    running: false
+
+  # Supabase services - these are STOPPED during AMI build but should exist
+  # We check enabled: false because they're disabled during build
+  postgresql:
+    enabled: false
+    running: false
+  pgbouncer:
+    enabled: false
+    running: false
+  postgrest:
+    enabled: false
+    running: false
+  gotrue:
+    enabled: false
+    running: false
+  adminapi:
+    enabled: false
+    running: false
+  envoy:
+    enabled: false
+    running: false
+  vector:
+    enabled: false
+    running: false
+  postgres_exporter:
+    enabled: false
+    running: false
+  pg_egress_collect:
+    enabled: false
+    running: false
+  fail2ban:
+    enabled: false
+    running: false
+  auditd:
+    enabled: false
+    running: false
+  apparmor:
+    enabled: false
+    running: false
+
+  # Services that should not be running
+  kong:
+    enabled: false
+    running: false
+  supabase-admin-agent_salt:
+    enabled: false
+    running: false
+  database-optimizations:
+    enabled: false
+    running: false
+  postgrest-optimizations:
+    enabled: false
+    running: false
+  NetworkManager:
+    enabled: false
+    running: false
+  firewalld:
+    enabled: false
+    running: false
+  iptables:
+    enabled: false
+    running: false
+  display-manager:
+    enabled: false
+    running: false