Update model-defaults

Add stuff for both bionic and focal deployments for CIS

config/juju-model-default-cis-focal.yaml

@@ -1,4 +1,8 @@
 cloudinit-userdata: |
+  apt:
+    primary:
+      - arches: [amd64]
+        uri: http://192.168.1.12/archive.ubuntu.com/ubuntu
   packages:
     - squashfuse
     - libopenscap8
@@ -25,7 +29,54 @@ cloudinit-userdata: |
           ens9:
             link-local: []
   - owner: root:root
-    path: /tmp/cis-hardening.conf
+    path: /tmp/cis-hardening-bionic.conf
+    permissions: '0644'
+    content: |
+      # Hash created by grub-mkpasswd-pbkdf2 to set grub password. If empty, grub password
+      # is not set.
+      # (CIS rule 1.4.2)
+      grub_hash=
+      # Grub user set for authentication
+      grub_user=root
+
+      # Time synchronization service selected (ntp or chrony - if empty, none will be installed)
+      # (CIS rule 2.2.1.1-2.2.1.3)
+      time_sync_svc=
+      time_sync_addr=
+
+      # Audit log storage size, before log is automatically rotated
+      # (CIS rule 4.1.1.1)
+      max_log_file=8
+
+      # Remote log host address (CIS rule 4.2.2.4)
+      # Use the format loghost.example.com:554, to define the port
+      remote_log_server=
+
+      # SSH access limitation parameters at /etc/ssh/sshd_config (CIS rule 5.2.14)
+      AllowUsers=ubuntu nova
+      AllowGroups=
+      DenyUsers=
+      DenyGroups=
+
+      # PAM password quality parameters at /etc/security/pwquality.conf (CIS rule 5.3.1)
+      minlen=14
+      dcredit=-1
+      ucredit=-1
+      ocredit=-1
+      lcredit=-1
+
+      # sudo group members, aside from root (CIS rule 5.6)
+      sudo_member=
+
+      # Unowned files will be changed to this user (CIS rule 6.1.11)
+      unowned_user=root
+      # Ungrouped files will be changed to this user (CIS rule 6.1.12)
+      unowned_group=root
+
+      # Delete files in the home directory which violate CIS rules (CIS rules 6.2.11, 6.2.12, 6.2.14)
+      delete_user_files=true
+  - owner: root:root
+    path: /tmp/cis-hardening-focal.conf
     permissions: '0644'
     content: |
       # Hash created by grub-mkpasswd-pbkdf2 to set grub password. If empty, grub password
@@ -82,10 +133,12 @@ cloudinit-userdata: |
   preruncmd:
     - locale-gen en_GB.UTF-8; update-locale
     - sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys A166877412DAC26E73CEBF3FF6C280178D13028C
-    - sudo add-apt-repository "deb http://192.168.1.12/private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu focal main"
+    - if hostnamectl | grep 18.04; then add-apt-repository "deb https://192.168.1.12/private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu/ bionic main"; fi
+    - if hostnamectl | grep 20.04; then add-apt-repository "deb https://192.168.1.12/private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu/ focal main"; fi
     - sudo apt update
     - sudo DEBIAN_FRONTEND=noninteractive apt install -y -q usg-cisbenchmark
-    - cd /usr/share/ubuntu-scap-security-guides/cis-hardening; ./Canonical_Ubuntu_20.04_CIS-harden.sh -f /tmp/cis-hardening.conf custom
+    - if hostnamectl | grep 18.04; then cd /usr/share/ubuntu-scap-security-guides/cis-hardening; ./Canonical_Ubuntu_18.04_CIS-harden.sh -f /tmp/cis-hardening-bionic.conf lvl2_server; fi
+    - if hostnamectl | grep 20.04; then cd /usr/share/ubuntu-scap-security-guides/cis-hardening; ./Canonical_Ubuntu_20.04_CIS-harden.sh -f /tmp/cis-hardening-focal.conf custom; fi
     # remove auditd as added by Hardening script but is not supported on containers
     - "systemd-detect-virt --container && apt purge -y auditd"
     - "systemd-detect-virt --container && rm -rf /root/99-post-juju.yaml"
@@ -97,5 +150,5 @@ cloudinit-userdata: |
       "00": systemctl restart snapd
 
 default-series: "focal"
-apt-mirror: http://192.168.1.12/archive.ubuntu.com/ubuntu
-lxd-snap-channel: 4.19/stable
+#apt-mirror: http://192.168.1.12/archive.ubuntu.com/ubuntu
+lxd-snap-channel: "4.19/stable"