cpe-deployments/config/juju-model-default-cis-focal.yaml

cloudinit-userdata: |
  apt:
    primary:
      - arches: [amd64]
        uri: http://192.168.1.12/archive.ubuntu.com/ubuntu
  packages:
    - squashfuse
    - libopenscap8
  write_files:
  - owner: root:root
    path: /root/99-post-juju.yaml
    permissions: '0644'
    content: |
      network:
        version: 2
        ethernets:
          ens3:
            link-local: []
          ens4:
            link-local: []
          ens5:
            link-local: []
          ens6:
            link-local: []
          ens7:
            link-local: []
          ens8:
            link-local: []
          ens9:
            link-local: []
  - owner: root:root
    path: /tmp/cis-hardening-bionic.conf
    permissions: '0644'
    content: |
      # Hash created by grub-mkpasswd-pbkdf2 to set grub password. If empty, grub password
      # is not set.
      # (CIS rule 1.4.2)
      grub_hash=
      # Grub user set for authentication
      grub_user=root

      # Time synchronization service selected (ntp or chrony - if empty, none will be installed)
      # (CIS rule 2.2.1.1-2.2.1.3)
      time_sync_svc=
      time_sync_addr=

      # Audit log storage size, before log is automatically rotated
      # (CIS rule 4.1.1.1)
      max_log_file=8

      # Remote log host address (CIS rule 4.2.2.4)
      # Use the format loghost.example.com:554, to define the port
      remote_log_server=

      # SSH access limitation parameters at /etc/ssh/sshd_config (CIS rule 5.2.14)
      AllowUsers=ubuntu nova
      AllowGroups=
      DenyUsers=
      DenyGroups=

      # PAM password quality parameters at /etc/security/pwquality.conf (CIS rule 5.3.1)
      minlen=14
      dcredit=-1
      ucredit=-1
      ocredit=-1
      lcredit=-1

      # sudo group members, aside from root (CIS rule 5.6)
      sudo_member=

      # Unowned files will be changed to this user (CIS rule 6.1.11)
      unowned_user=root
      # Ungrouped files will be changed to this user (CIS rule 6.1.12)
      unowned_group=root

      # Delete files in the home directory which violate CIS rules (CIS rules 6.2.11, 6.2.12, 6.2.14)
      delete_user_files=true
  - owner: root:root
    path: /tmp/cis-hardening-focal.conf
    permissions: '0644'
    content: |
      # Hash created by grub-mkpasswd-pbkdf2 to set grub password. If empty, grub password
      # is not set.
      # (CIS rule 1.4.2)
      grub_hash=grub.pbkdf2.sha512.10000.548903E12706838EBE33BF0C992AAC553408E45A75FD6A56AA6E15B77164C96C29BC2A896FBDC24550B20D26B531078B73107FE97A8C75BE4A2AEB39F241A58D.1708FD2D488E043C170838CBD5FFBEB2F418023B1251BD5DCF3E724038D2E6F3F51F3EE1615A52BCADD8736B4A0C34AC820D4F7EE1E0F1FD96AC0761B6A6E6A2
      # Grub user set for authentication
      grub_user=ubuntu

      # Time synchronization service selected (ntp or chrony - if empty, none will be installed)
      # (CIS rule 2.2.1.1-2.2.1.3)
      time_sync_svc=
      time_sync_addr=

      # Audit log storage size, before log is automatically rotated
      # (CIS rule 4.1.1.1)
      max_log_file=8

      # Remote log host address (CIS rule 4.2.2.4)
      # Use the format loghost.example.com:554, to define the port
      remote_log_server=

      # SSH access limitation parameters at /etc/ssh/sshd_config (CIS rule 5.2.14)
      AllowUsers=ubuntu nova
      AllowGroups=
      DenyUsers=
      DenyGroups=

      # PAM password quality parameters at /etc/security/pwquality.conf (CIS rule 5.3.1)
      minlen=14
      dcredit=-1
      ucredit=-1
      ocredit=-1
      lcredit=-1

      # sudo group members, aside from root (CIS rule 5.6)
      sudo_member=

      # Unowned files will be changed to this user (CIS rule 6.1.11)
      unowned_user=root
      # Ungrouped files will be changed to this user (CIS rule 6.1.12)
      unowned_group=root

      # Delete files in the home directory which violate CIS rules (CIS rules 6.2.11, 6.2.12, 6.2.14)
      delete_user_files=true

      # Exclude rsync rules on Focal
      ruleset1="1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4 1.1.1.5 1.1.1.6 1.1.2 1.1.3 1.1.4 1.1.5 1.1.6 1.1.7 1.1.8 1.1.9 1.1.12 1.1.13 1.1.14 1.1.18 1.1.19 1.1.20 1.1.21 1.1.22 1.1.23 1.1.24 1.2.1 1.2.2 1.3.1 1.3.2 1.3.3 1.4.1 1.4.2 1.5.1 1.5.2 1.5.3 1.6.1 1.6.2 1.6.3 1.6.4 1.7.1.1 1.7.1.2 1.7.1.3 1.8.1.1 1.8.1.2 1.8.1.3 1.8.1.4 1.8.1.5 1.8.1.6 1.9 1.10"
      ruleset2="2.1.1 2.1.2 2.2.1.1 2.2.1.2 2.2.1.3 2.2.1.4 2.2.2 2.2.3 2.2.4 2.2.5 2.2.6 2.2.7 2.2.8 2.2.9 2.2.10 2.2.11 2.2.12 2.2.13 2.2.14 2.2.15 2.2.17 2.3.1 2.3.2 2.3.3 2.3.4 2.3.5 2.3.6 2.4"
      ruleset3="3.1.2 3.2.1 3.2.2 3.3.1 3.3.2 3.3.3 3.3.4 3.3.5 3.3.6 3.3.7 3.3.8 3.3.9 3.5.1.1 3.5.1.2 3.5.1.3 3.5.1.4 3.5.1.5 3.5.1.6 3.5.1.7 3.5.2.1 3.5.2.2 3.5.2.3 3.5.2.4 3.5.2.5 3.5.2.6 3.5.2.7 3.5.2.8 3.5.2.9 3.5.2.10 3.5.3.1.1 3.5.3.1.2 3.5.3.2.1 3.5.3.2.2 3.5.3.2.3 3.5.3.2.4 3.5.3.3.1 3.5.3.3.2 3.5.3.3.3 3.5.3.3.4"
      ruleset4="4.2.1.1 4.2.1.2 4.2.1.3 4.2.1.4 4.2.1.5 4.2.1.6 4.2.2.1 4.2.2.2 4.2.2.3 4.2.3 4.3 4.4"
      ruleset5="5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.1.8 5.1.9 5.2.1 5.2.2 5.2.3 5.2.4 5.2.6 5.2.7 5.2.8 5.2.9 5.2.10 5.2.11 5.2.12 5.2.13 5.2.14 5.2.15 5.2.16 5.2.17 5.2.18 5.2.19 5.2.21 5.2.22 5.3.1 5.3.2 5.3.3 5.3.4 5.4.1.1 5.4.1.2 5.4.1.3 5.4.1.4 5.4.1.5 5.4.2 5.4.3 5.4.4 5.4.5 5.5 5.6"
      ruleset6="6.1.2 6.1.3 6.1.4 6.1.5 6.1.6 6.1.7 6.1.8 6.1.9 6.1.10 6.1.11 6.1.12 6.1.13 6.1.14 6.2.1 6.2.2 6.2.3 6.2.4 6.2.5 6.2.6 6.2.7 6.2.8 6.2.9 6.2.10 6.2.11 6.2.12 6.2.13 6.2.14 6.2.15 6.2.16 6.2.17"
  preruncmd:
    - locale-gen en_GB.UTF-8; update-locale
    - sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys A166877412DAC26E73CEBF3FF6C280178D13028C
    - if hostnamectl | grep 18.04; then add-apt-repository "deb https://192.168.1.12/private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu/ bionic main"; fi
    - if hostnamectl | grep 20.04; then add-apt-repository "deb https://192.168.1.12/private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu/ focal main"; fi
    - sudo apt update
    - sudo DEBIAN_FRONTEND=noninteractive apt install -y -q usg-cisbenchmark
    - if hostnamectl | grep 18.04; then cd /usr/share/ubuntu-scap-security-guides/cis-hardening; ./Canonical_Ubuntu_18.04_CIS-harden.sh -f /tmp/cis-hardening-bionic.conf lvl2_server; fi
    - if hostnamectl | grep 20.04; then cd /usr/share/ubuntu-scap-security-guides/cis-hardening; ./Canonical_Ubuntu_20.04_CIS-harden.sh -f /tmp/cis-hardening-focal.conf custom; fi
    # remove auditd as added by Hardening script but is not supported on containers
    - "systemd-detect-virt --container && apt purge -y auditd"
    - "systemd-detect-virt --container && rm -rf /root/99-post-juju.yaml"
    - "! systemd-detect-virt --container && mv /root/99-post-juju.yaml /etc/netplan/99-post-juju.yaml"
    - "! systemd-detect-virt --container && sudo lxc profile set default security.nesting true"
    - sudo netplan apply
  snap:
    commands:
      "00": systemctl restart snapd

default-series: "focal"
#apt-mirror: http://192.168.1.12/archive.ubuntu.com/ubuntu
lxd-snap-channel: "4.19/stable"
Update configs * Added local repos for everything * Add focal related stuff to start migrating * Add/fix CIS related stuff * Update/fix juju model defaults * Add model defaults just before the juju deploy * Add new script to initialise vault * Update vault keys to current mode 2021-12-01 16:23:28 +00:00			`cloudinit-userdata: \|`
Update model-defaults Add stuff for both bionic and focal deployments for CIS 2021-12-02 13:38:47 +00:00			`apt:`
			`primary:`
			`- arches: [amd64]`
			`uri: http://192.168.1.12/archive.ubuntu.com/ubuntu`
Update configs * Added local repos for everything * Add focal related stuff to start migrating * Add/fix CIS related stuff * Update/fix juju model defaults * Add model defaults just before the juju deploy * Add new script to initialise vault * Update vault keys to current mode 2021-12-01 16:23:28 +00:00			`packages:`
			`- squashfuse`
			`- libopenscap8`
			`write_files:`
			`- owner: root:root`
			`path: /root/99-post-juju.yaml`
			`permissions: '0644'`
			`content: \|`
			`network:`
			`version: 2`
			`ethernets:`
			`ens3:`
			`link-local: []`
			`ens4:`
			`link-local: []`
			`ens5:`
			`link-local: []`
			`ens6:`
			`link-local: []`
			`ens7:`
			`link-local: []`
			`ens8:`
			`link-local: []`
			`ens9:`
			`link-local: []`
			`- owner: root:root`
Update model-defaults Add stuff for both bionic and focal deployments for CIS 2021-12-02 13:38:47 +00:00			`path: /tmp/cis-hardening-bionic.conf`
			`permissions: '0644'`
			`content: \|`
			`# Hash created by grub-mkpasswd-pbkdf2 to set grub password. If empty, grub password`
			`# is not set.`
			`# (CIS rule 1.4.2)`
			`grub_hash=`
			`# Grub user set for authentication`
			`grub_user=root`

			`# Time synchronization service selected (ntp or chrony - if empty, none will be installed)`
			`# (CIS rule 2.2.1.1-2.2.1.3)`
			`time_sync_svc=`
			`time_sync_addr=`

			`# Audit log storage size, before log is automatically rotated`
			`# (CIS rule 4.1.1.1)`
			`max_log_file=8`

			`# Remote log host address (CIS rule 4.2.2.4)`
			`# Use the format loghost.example.com:554, to define the port`
			`remote_log_server=`

			`# SSH access limitation parameters at /etc/ssh/sshd_config (CIS rule 5.2.14)`
			`AllowUsers=ubuntu nova`
			`AllowGroups=`
			`DenyUsers=`
			`DenyGroups=`

			`# PAM password quality parameters at /etc/security/pwquality.conf (CIS rule 5.3.1)`
			`minlen=14`
			`dcredit=-1`
			`ucredit=-1`
			`ocredit=-1`
			`lcredit=-1`

			`# sudo group members, aside from root (CIS rule 5.6)`
			`sudo_member=`

			`# Unowned files will be changed to this user (CIS rule 6.1.11)`
			`unowned_user=root`
			`# Ungrouped files will be changed to this user (CIS rule 6.1.12)`
			`unowned_group=root`

			`# Delete files in the home directory which violate CIS rules (CIS rules 6.2.11, 6.2.12, 6.2.14)`
			`delete_user_files=true`
			`- owner: root:root`
			`path: /tmp/cis-hardening-focal.conf`
Update configs * Added local repos for everything * Add focal related stuff to start migrating * Add/fix CIS related stuff * Update/fix juju model defaults * Add model defaults just before the juju deploy * Add new script to initialise vault * Update vault keys to current mode 2021-12-01 16:23:28 +00:00			`permissions: '0644'`
			`content: \|`
			`# Hash created by grub-mkpasswd-pbkdf2 to set grub password. If empty, grub password`
			`# is not set.`
			`# (CIS rule 1.4.2)`
			`grub_hash=grub.pbkdf2.sha512.10000.548903E12706838EBE33BF0C992AAC553408E45A75FD6A56AA6E15B77164C96C29BC2A896FBDC24550B20D26B531078B73107FE97A8C75BE4A2AEB39F241A58D.1708FD2D488E043C170838CBD5FFBEB2F418023B1251BD5DCF3E724038D2E6F3F51F3EE1615A52BCADD8736B4A0C34AC820D4F7EE1E0F1FD96AC0761B6A6E6A2`
			`# Grub user set for authentication`
			`grub_user=ubuntu`

			`# Time synchronization service selected (ntp or chrony - if empty, none will be installed)`
			`# (CIS rule 2.2.1.1-2.2.1.3)`
			`time_sync_svc=`
			`time_sync_addr=`

			`# Audit log storage size, before log is automatically rotated`
			`# (CIS rule 4.1.1.1)`
			`max_log_file=8`

			`# Remote log host address (CIS rule 4.2.2.4)`
			`# Use the format loghost.example.com:554, to define the port`
			`remote_log_server=`

			`# SSH access limitation parameters at /etc/ssh/sshd_config (CIS rule 5.2.14)`
Update bundles/overlays and model default * Update constraints to make sure that units go to the right machine * Fix source for mysql-router apps * http for install_source for telegraf * Update some snap lxd stuff to ensure that works * Some bionic changes 2021-12-02 10:16:35 +00:00			`AllowUsers=ubuntu nova`
Update configs * Added local repos for everything * Add focal related stuff to start migrating * Add/fix CIS related stuff * Update/fix juju model defaults * Add model defaults just before the juju deploy * Add new script to initialise vault * Update vault keys to current mode 2021-12-01 16:23:28 +00:00			`AllowGroups=`
			`DenyUsers=`
			`DenyGroups=`

			`# PAM password quality parameters at /etc/security/pwquality.conf (CIS rule 5.3.1)`
			`minlen=14`
			`dcredit=-1`
			`ucredit=-1`
			`ocredit=-1`
			`lcredit=-1`

			`# sudo group members, aside from root (CIS rule 5.6)`
			`sudo_member=`

			`# Unowned files will be changed to this user (CIS rule 6.1.11)`
			`unowned_user=root`
			`# Ungrouped files will be changed to this user (CIS rule 6.1.12)`
			`unowned_group=root`

			`# Delete files in the home directory which violate CIS rules (CIS rules 6.2.11, 6.2.12, 6.2.14)`
			`delete_user_files=true`

			`# Exclude rsync rules on Focal`
			`ruleset1="1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4 1.1.1.5 1.1.1.6 1.1.2 1.1.3 1.1.4 1.1.5 1.1.6 1.1.7 1.1.8 1.1.9 1.1.12 1.1.13 1.1.14 1.1.18 1.1.19 1.1.20 1.1.21 1.1.22 1.1.23 1.1.24 1.2.1 1.2.2 1.3.1 1.3.2 1.3.3 1.4.1 1.4.2 1.5.1 1.5.2 1.5.3 1.6.1 1.6.2 1.6.3 1.6.4 1.7.1.1 1.7.1.2 1.7.1.3 1.8.1.1 1.8.1.2 1.8.1.3 1.8.1.4 1.8.1.5 1.8.1.6 1.9 1.10"`
			`ruleset2="2.1.1 2.1.2 2.2.1.1 2.2.1.2 2.2.1.3 2.2.1.4 2.2.2 2.2.3 2.2.4 2.2.5 2.2.6 2.2.7 2.2.8 2.2.9 2.2.10 2.2.11 2.2.12 2.2.13 2.2.14 2.2.15 2.2.17 2.3.1 2.3.2 2.3.3 2.3.4 2.3.5 2.3.6 2.4"`
			`ruleset3="3.1.2 3.2.1 3.2.2 3.3.1 3.3.2 3.3.3 3.3.4 3.3.5 3.3.6 3.3.7 3.3.8 3.3.9 3.5.1.1 3.5.1.2 3.5.1.3 3.5.1.4 3.5.1.5 3.5.1.6 3.5.1.7 3.5.2.1 3.5.2.2 3.5.2.3 3.5.2.4 3.5.2.5 3.5.2.6 3.5.2.7 3.5.2.8 3.5.2.9 3.5.2.10 3.5.3.1.1 3.5.3.1.2 3.5.3.2.1 3.5.3.2.2 3.5.3.2.3 3.5.3.2.4 3.5.3.3.1 3.5.3.3.2 3.5.3.3.3 3.5.3.3.4"`
			`ruleset4="4.2.1.1 4.2.1.2 4.2.1.3 4.2.1.4 4.2.1.5 4.2.1.6 4.2.2.1 4.2.2.2 4.2.2.3 4.2.3 4.3 4.4"`
			`ruleset5="5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.1.8 5.1.9 5.2.1 5.2.2 5.2.3 5.2.4 5.2.6 5.2.7 5.2.8 5.2.9 5.2.10 5.2.11 5.2.12 5.2.13 5.2.14 5.2.15 5.2.16 5.2.17 5.2.18 5.2.19 5.2.21 5.2.22 5.3.1 5.3.2 5.3.3 5.3.4 5.4.1.1 5.4.1.2 5.4.1.3 5.4.1.4 5.4.1.5 5.4.2 5.4.3 5.4.4 5.4.5 5.5 5.6"`
			`ruleset6="6.1.2 6.1.3 6.1.4 6.1.5 6.1.6 6.1.7 6.1.8 6.1.9 6.1.10 6.1.11 6.1.12 6.1.13 6.1.14 6.2.1 6.2.2 6.2.3 6.2.4 6.2.5 6.2.6 6.2.7 6.2.8 6.2.9 6.2.10 6.2.11 6.2.12 6.2.13 6.2.14 6.2.15 6.2.16 6.2.17"`
			`preruncmd:`
			`- locale-gen en_GB.UTF-8; update-locale`
			`- sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys A166877412DAC26E73CEBF3FF6C280178D13028C`
Update model-defaults Add stuff for both bionic and focal deployments for CIS 2021-12-02 13:38:47 +00:00			`- if hostnamectl \| grep 18.04; then add-apt-repository "deb https://192.168.1.12/private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu/ bionic main"; fi`
			`- if hostnamectl \| grep 20.04; then add-apt-repository "deb https://192.168.1.12/private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu/ focal main"; fi`
Update configs * Added local repos for everything * Add focal related stuff to start migrating * Add/fix CIS related stuff * Update/fix juju model defaults * Add model defaults just before the juju deploy * Add new script to initialise vault * Update vault keys to current mode 2021-12-01 16:23:28 +00:00			`- sudo apt update`
			`- sudo DEBIAN_FRONTEND=noninteractive apt install -y -q usg-cisbenchmark`
Update model-defaults Add stuff for both bionic and focal deployments for CIS 2021-12-02 13:38:47 +00:00			`- if hostnamectl \| grep 18.04; then cd /usr/share/ubuntu-scap-security-guides/cis-hardening; ./Canonical_Ubuntu_18.04_CIS-harden.sh -f /tmp/cis-hardening-bionic.conf lvl2_server; fi`
			`- if hostnamectl \| grep 20.04; then cd /usr/share/ubuntu-scap-security-guides/cis-hardening; ./Canonical_Ubuntu_20.04_CIS-harden.sh -f /tmp/cis-hardening-focal.conf custom; fi`
Update configs * Added local repos for everything * Add focal related stuff to start migrating * Add/fix CIS related stuff * Update/fix juju model defaults * Add model defaults just before the juju deploy * Add new script to initialise vault * Update vault keys to current mode 2021-12-01 16:23:28 +00:00			`# remove auditd as added by Hardening script but is not supported on containers`
			`- "systemd-detect-virt --container && apt purge -y auditd"`
			`- "systemd-detect-virt --container && rm -rf /root/99-post-juju.yaml"`
			`- "! systemd-detect-virt --container && mv /root/99-post-juju.yaml /etc/netplan/99-post-juju.yaml"`
			`- "! systemd-detect-virt --container && sudo lxc profile set default security.nesting true"`
			`- sudo netplan apply`
Update bundles/overlays and model default * Update constraints to make sure that units go to the right machine * Fix source for mysql-router apps * http for install_source for telegraf * Update some snap lxd stuff to ensure that works * Some bionic changes 2021-12-02 10:16:35 +00:00			`snap:`
			`commands:`
			`"00": systemctl restart snapd`
Update configs * Added local repos for everything * Add focal related stuff to start migrating * Add/fix CIS related stuff * Update/fix juju model defaults * Add model defaults just before the juju deploy * Add new script to initialise vault * Update vault keys to current mode 2021-12-01 16:23:28 +00:00
			`default-series: "focal"`
Update model-defaults Add stuff for both bionic and focal deployments for CIS 2021-12-02 13:38:47 +00:00			`#apt-mirror: http://192.168.1.12/archive.ubuntu.com/ubuntu`
			`lxd-snap-channel: "4.19/stable"`