diff --git a/config/juju-model-default-cis-focal.yaml b/config/juju-model-default-cis-focal.yaml index 887a494..87914f4 100644 --- a/config/juju-model-default-cis-focal.yaml +++ b/config/juju-model-default-cis-focal.yaml @@ -1,4 +1,8 @@ cloudinit-userdata: | + apt: + primary: + - arches: [amd64] + uri: http://192.168.1.12/archive.ubuntu.com/ubuntu packages: - squashfuse - libopenscap8 
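Review bot: The new `apt.primary` entry restricts the mirror to `arches: [amd64]`, so any non-amd64 machine in the model silently falls back to cloud-init's default archive.ubuntu.com, which is presumably unreachable if this mirror exists because egress is restricted; `- arches: [default]` applies the mirror to every architecture. The mirror is addressed as `http://192.168.1.12/...` while the same host is reached over `https://` in the preruncmd hunk below — APT still verifies the signed InRelease, so package integrity holds either way, but using `https://` here too would be consistent if that listener presents a certificate the machines trust for a bare IP. A short comment on the `apt:` key would save the next reader from re-adding the model-level setting, e.g. `# primary mirror for cloud-init-provisioned machines; replaces the model-level apt-mirror`.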
@@ -25,7 +29,54 @@ cloudinit-userdata: | ens9: link-local: [] - owner: root:root - path: /tmp/cis-hardening.conf + path: /tmp/cis-hardening-bionic.conf + permissions: '0644' + content: | + # Hash created by grub-mkpasswd-pbkdf2 to set grub password. If empty, grub password + # is not set. + # (CIS rule 1.4.2) + grub_hash= + # Grub user set for authentication + grub_user=root + + # Time synchronization service selected (ntp or chrony - if empty, none will be installed) + # (CIS rule 2.2.1.1-2.2.1.3) + time_sync_svc= + time_sync_addr= + + # Audit log storage size, before log is automatically rotated + # (CIS rule 4.1.1.1) + max_log_file=8 + + # Remote log host address (CIS rule 4.2.2.4) + # Use the format loghost.example.com:554, to define the port + remote_log_server= + + # SSH access limitation parameters at /etc/ssh/sshd_config (CIS rule 5.2.14) + AllowUsers=ubuntu nova + AllowGroups= + DenyUsers= + DenyGroups= + + # PAM password quality parameters at /etc/security/pwquality.conf (CIS rule 5.3.1) + minlen=14 + dcredit=-1 + ucredit=-1 + ocredit=-1 + lcredit=-1 + + # sudo group members, aside from root (CIS rule 5.6) + sudo_member= + + # Unowned files will be changed to this user (CIS rule 6.1.11) + unowned_user=root + # Ungrouped files will be changed to this user (CIS rule 6.1.12) + unowned_group=root + + # Delete files in the home directory which violate CIS rules (CIS rules 6.2.11, 6.2.12, 6.2.14) + delete_user_files=true + - owner: root:root + path: /tmp/cis-hardening-focal.conf permissions: '0644' content: | # Hash created by grub-mkpasswd-pbkdf2 to set grub password. If empty, grub password 
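Review bot: `/tmp/cis-hardening-bionic.conf` is written world-readable (`permissions: '0644'`) into `/tmp` and nothing in this commit deletes it after the harden script has consumed it; the file is designed to carry `grub_hash`, so once an operator fills that in, the PBKDF2 hash is readable by every local account for the life of the instance. Change it to `permissions: '0600'` and add a cleanup step after the harden scripts in preruncmd, `- rm -f /tmp/cis-hardening-*.conf`. As shipped, `grub_hash=`, `time_sync_svc=` and `remote_log_server=` are all empty, so CIS 1.4.2, 2.2.1.x and 4.2.2.4 are knowingly not enforced; a one-line comment at the top of `content:` saying these are intentionally left for the operator to fill in would stop a reader from assuming the profile is complete. `AllowUsers=ubuntu nova` also hard-codes the permitted SSH logins for every machine in the model, which only holds if `ubuntu` is the Juju-managed account everywhere. The enclosing `write_files` list starts before this hunk (the `ens9` network entry is context) and the focal entry's `content:` continues past it.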
@@ -82,10 +133,12 @@ cloudinit-userdata: | preruncmd: - locale-gen en_GB.UTF-8; update-locale - sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys A166877412DAC26E73CEBF3FF6C280178D13028C - - sudo add-apt-repository "deb http://192.168.1.12/private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu focal main" + - if hostnamectl | grep 18.04; then add-apt-repository "deb https://192.168.1.12/private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu/ bionic main"; fi + - if hostnamectl | grep 20.04; then add-apt-repository "deb https://192.168.1.12/private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu/ focal main"; fi - sudo apt update - sudo DEBIAN_FRONTEND=noninteractive apt install -y -q usg-cisbenchmark - - cd /usr/share/ubuntu-scap-security-guides/cis-hardening; ./Canonical_Ubuntu_20.04_CIS-harden.sh -f /tmp/cis-hardening.conf custom + - if hostnamectl | grep 18.04; then cd /usr/share/ubuntu-scap-security-guides/cis-hardening; ./Canonical_Ubuntu_18.04_CIS-harden.sh -f /tmp/cis-hardening-bionic.conf lvl2_server; fi + - if hostnamectl | grep 20.04; then cd /usr/share/ubuntu-scap-security-guides/cis-hardening; ./Canonical_Ubuntu_20.04_CIS-harden.sh -f /tmp/cis-hardening-focal.conf custom; fi # remove auditd as added by Hardening script but is not supported on containers - "systemd-detect-virt --container && apt purge -y auditd" - "systemd-detect-virt --container && rm -rf /root/99-post-juju.yaml" @@ -97,5 +150,5 @@ cloudinit-userdata: | "00": systemctl restart snapd default-series: "focal" -apt-mirror: http://192.168.1.12/archive.ubuntu.com/ubuntu -lxd-snap-channel: 4.19/stable +#apt-mirror: http://192.168.1.12/archive.ubuntu.com/ubuntu +lxd-snap-channel: "4.19/stable"
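Review bot: `apt-key adv --recv-keys` (the context line just above the two new `add-apt-repository` calls) puts the security-benchmarks PPA key into the global trusted keyring, so packages signed with it are accepted from every source, including the archive mirror served from the same host; scoping the key with `signed-by=` limits it to the PPA. The new `if hostnamectl | grep 18.04` / `grep 20.04` lines pick the suite by grepping human-readable output, which `/etc/os-release` exposes directly as `VERSION_ID`/`VERSION_CODENAME` and which also collapses the two repository lines into one. The key is still fetched from the public `keyserver.ubuntu.com` over `hkp://:80` — the full fingerprint protects against key substitution, but if the mirror exists because outbound access is restricted, that fetch fails, `apt install usg-cisbenchmark` then fails, and as far as I can tell cloud-init's runcmd carries on, leaving the machine provisioned without hardening; shipping the armored key via `write_files` would remove that external dependency. Bionic is hardened with `lvl2_server` while focal uses `custom`; a comment such as `# bionic: full level-2 server profile; focal: rules tailored via custom` explaining why they differ would help whoever tunes `cis-hardening-bionic.conf` next. The `preruncmd` list may continue past this hunk.

```yaml
  - mkdir -p /etc/apt/keyrings
  - gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys A166877412DAC26E73CEBF3FF6C280178D13028C
  - gpg --export A166877412DAC26E73CEBF3FF6C280178D13028C > /etc/apt/keyrings/usg-cisbenchmark.gpg
  - . /etc/os-release; echo "deb [signed-by=/etc/apt/keyrings/usg-cisbenchmark.gpg] https://192.168.1.12/private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu/ $VERSION_CODENAME main" > /etc/apt/sources.list.d/usg-cisbenchmark.list
  # … unchanged: apt update / apt install usg-cisbenchmark …
  - . /etc/os-release; if [ "$VERSION_ID" = "18.04" ]; then cd /usr/share/ubuntu-scap-security-guides/cis-hardening; ./Canonical_Ubuntu_18.04_CIS-harden.sh -f /tmp/cis-hardening-bionic.conf lvl2_server; fi
  - . /etc/os-release; if [ "$VERSION_ID" = "20.04" ]; then cd /usr/share/ubuntu-scap-security-guides/cis-hardening; ./Canonical_Ubuntu_20.04_CIS-harden.sh -f /tmp/cis-hardening-focal.conf custom; fi
```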