Resolve LVM partitioning via Packer and on HVM

[konklone]

Just noting that this is outstanding before we're good for production use.

[NoahKunin]

From @arowla:

Resizing the available space on the attached EBS is not a straightforward task.... We need to add instructions to this effect:

1. Use fdisk to delete /dev/xvdk4 and recreate using the full space.
2. Use lvextend on the same.
3. Run resize2fs on the mountpoint.

Until this is fully scripted, we should include this in the documentation somewhere in hardening.md

[seanherron]

Suggest we attempt to descope this. I don't see a real security value given the cost and complexity.

[NoahKunin]

Concur overall on cost-complexity vs security, but we can't de-scope it from the control list until I get concurrence from InfoSec. For nosuid and nodev in virtual IaaS I would concur immediately, but I'm not sure I have sufficient documentation (yet) to argue against noexec, especially in Moderate level production systems.

When @avriette returns (or any enterprising member of the public!), I'd love to get a proposal written up to formally de-scope.

I'm removing the backlog label now, because we don't know how long it will take to de-scope the control, and having this scripted out isn't too much work, and saves people time/pain in the interim. Doesn't mean we will complete it in this sprint or if it will flip to the next one, but de-scoping will not occur in Dec or in early Jan.

cc @ozzyjohnson for visibility.

[seanherron]

🆗

[ozzyjohnson]

Finally got around to this. See #28. There's a test AMI generated with these changes available internally.