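# Juju model-config for an offline environment served from 192.168.1.12:
# cloud-init user data (mirror, CIS hardening run, LXD/netplan fix-ups) plus
# the mirror/stream settings Juju itself uses.
#
# The `cloudinit-userdata` string is parsed again as YAML by cloud-init on every
# machine, so `#` lines directly under it are cloud-init comments; `#` lines
# inside a `content: |` block are part of the file that gets written.
cloudinit-userdata: |
  apt:
    primary:
      - arches: [amd64]
        # Plain-HTTP mirror. Acceptable for package downloads because apt
        # verifies the Release signatures itself -- but the trust anchor for
        # the hardening PPA is bootstrapped below, see preruncmd.
        uri: http://192.168.1.12/archive.ubuntu.com/ubuntu
  packages:
    - squashfuse
    - libopenscap8
  write_files:
    # Netplan drop-in disabling link-local addressing on ens3..ens9. It is
    # staged under /root and only moved into /etc/netplan on machines that are
    # not containers (see the systemd-detect-virt steps in preruncmd).
    - owner: root:root
      path: /root/99-post-juju.yaml
      permissions: '0644'
      content: |
        network:
          version: 2
          ethernets:
            ens3:
              link-local: []
            ens4:
              link-local: []
            ens5:
              link-local: []
            ens6:
              link-local: []
            ens7:
              link-local: []
            ens8:
              link-local: []
            ens9:
              link-local: []
    # Input for the 18.04 CIS hardening script (run with the lvl2_server
    # profile in preruncmd).
    # NOTE(review): grub_hash is empty here, so the bootloader password
    # (CIS 1.4.2) is not set on bionic although it is on focal -- confirm that
    # difference is intended. time_sync_svc and remote_log_server are also
    # empty, so the script installs no ntp/chrony and logs stay on the node;
    # Ubuntu images usually ship systemd-timesyncd, but verify that is enough
    # for the benchmark you are reporting against.
    # Permissions tightened from 0644 to 0600: only the root-run hardening
    # script reads this file, so it has no reason to be world-readable in /tmp.
    - owner: root:root
      path: /tmp/cis-hardening-bionic.conf
      permissions: '0600'
      content: |
        # Hash created by grub-mkpasswd-pbkdf2 to set grub password. If empty, grub password
        # is not set.
        # (CIS rule 1.4.2)
        grub_hash=
        # Grub user set for authentication
        grub_user=root
        # Time synchronization service selected (ntp or chrony - if empty, none will be installed)
        # (CIS rule 2.2.1.1-2.2.1.3)
        time_sync_svc=
        time_sync_addr=
        # Audit log storage size, before log is automatically rotated
        # (CIS rule 4.1.1.1)
        max_log_file=8
        # Remote log host address (CIS rule 4.2.2.4)
        # Use the format loghost.example.com:554, to define the port
        remote_log_server=
        # SSH access limitation parameters at /etc/ssh/sshd_config (CIS rule 5.2.14)
        AllowUsers=ubuntu nova
        AllowGroups=
        DenyUsers=
        DenyGroups=
        # PAM password quality parameters at /etc/security/pwquality.conf (CIS rule 5.3.1)
        minlen=14
        dcredit=-1
        ucredit=-1
        ocredit=-1
        lcredit=-1
        # sudo group members, aside from root (CIS rule 5.6)
        sudo_member=
        # Unowned files will be changed to this user (CIS rule 6.1.11)
        unowned_user=root
        # Ungrouped files will be changed to this user (CIS rule 6.1.12)
        unowned_group=root
        # Delete files in the home directory which violate CIS rules (CIS rules 6.2.11, 6.2.12, 6.2.14)
        delete_user_files=true
    # Input for the 20.04 CIS hardening script. preruncmd runs it with the
    # `custom` profile, so only the rules listed in ruleset1..ruleset6 are
    # applied.
    # NOTE(review): grub_hash below is a PBKDF2-SHA512 hash of the GRUB
    # password. It is not plaintext, but it is offline-crackable, so treat this
    # model config as sensitive: keep it out of shared VCS or inject the hash
    # at deploy time. Permissions are 0600 for the same reason as the bionic
    # file; the file also stays in /tmp after the run unless removed.
    # NOTE(review): the rulesets drop more than the rsync rule the comment
    # mentions: no 4.1.* rule at all (the section the comments above tie to
    # auditd), and 1.1.10, 1.1.11, 1.1.15-1.1.17, 3.1.1, 5.2.5, 5.2.20 and
    # 6.1.1 are absent. Review those gaps against the 20.04 benchmark before
    # presenting this as a complete CIS run.
    - owner: root:root
      path: /tmp/cis-hardening-focal.conf
      permissions: '0600'
      content: |
        # Hash created by grub-mkpasswd-pbkdf2 to set grub password. If empty, grub password
        # is not set.
        # (CIS rule 1.4.2)
        grub_hash=grub.pbkdf2.sha512.10000.548903E12706838EBE33BF0C992AAC553408E45A75FD6A56AA6E15B77164C96C29BC2A896FBDC24550B20D26B531078B73107FE97A8C75BE4A2AEB39F241A58D.1708FD2D488E043C170838CBD5FFBEB2F418023B1251BD5DCF3E724038D2E6F3F51F3EE1615A52BCADD8736B4A0C34AC820D4F7EE1E0F1FD96AC0761B6A6E6A2
        # Grub user set for authentication
        grub_user=ubuntu
        # Time synchronization service selected (ntp or chrony - if empty, none will be installed)
        # (CIS rule 2.2.1.1-2.2.1.3)
        time_sync_svc=
        time_sync_addr=
        # Audit log storage size, before log is automatically rotated
        # (CIS rule 4.1.1.1)
        max_log_file=8
        # Remote log host address (CIS rule 4.2.2.4)
        # Use the format loghost.example.com:554, to define the port
        remote_log_server=
        # SSH access limitation parameters at /etc/ssh/sshd_config (CIS rule 5.2.14)
        AllowUsers=ubuntu nova
        AllowGroups=
        DenyUsers=
        DenyGroups=
        # PAM password quality parameters at /etc/security/pwquality.conf (CIS rule 5.3.1)
        minlen=14
        dcredit=-1
        ucredit=-1
        ocredit=-1
        lcredit=-1
        # sudo group members, aside from root (CIS rule 5.6)
        sudo_member=
        # Unowned files will be changed to this user (CIS rule 6.1.11)
        unowned_user=root
        # Ungrouped files will be changed to this user (CIS rule 6.1.12)
        unowned_group=root
        # Delete files in the home directory which violate CIS rules (CIS rules 6.2.11, 6.2.12, 6.2.14)
        delete_user_files=true
        # Exclude rsync rules on Focal
        ruleset1="1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4 1.1.1.5 1.1.1.6 1.1.2 1.1.3 1.1.4 1.1.5 1.1.6 1.1.7 1.1.8 1.1.9 1.1.12 1.1.13 1.1.14 1.1.18 1.1.19 1.1.20 1.1.21 1.1.22 1.1.23 1.1.24 1.2.1 1.2.2 1.3.1 1.3.2 1.3.3 1.4.1 1.4.2 1.5.1 1.5.2 1.5.3 1.6.1 1.6.2 1.6.3 1.6.4 1.7.1.1 1.7.1.2 1.7.1.3 1.8.1.1 1.8.1.2 1.8.1.3 1.8.1.4 1.8.1.5 1.8.1.6 1.9 1.10"
        ruleset2="2.1.1 2.1.2 2.2.1.1 2.2.1.2 2.2.1.3 2.2.1.4 2.2.2 2.2.3 2.2.4 2.2.5 2.2.6 2.2.7 2.2.8 2.2.9 2.2.10 2.2.11 2.2.12 2.2.13 2.2.14 2.2.15 2.2.17 2.3.1 2.3.2 2.3.3 2.3.4 2.3.5 2.3.6 2.4"
        ruleset3="3.1.2 3.2.1 3.2.2 3.3.1 3.3.2 3.3.3 3.3.4 3.3.5 3.3.6 3.3.7 3.3.8 3.3.9 3.5.1.1 3.5.1.2 3.5.1.3 3.5.1.4 3.5.1.5 3.5.1.6 3.5.1.7 3.5.2.1 3.5.2.2 3.5.2.3 3.5.2.4 3.5.2.5 3.5.2.6 3.5.2.7 3.5.2.8 3.5.2.9 3.5.2.10 3.5.3.1.1 3.5.3.1.2 3.5.3.2.1 3.5.3.2.2 3.5.3.2.3 3.5.3.2.4 3.5.3.3.1 3.5.3.3.2 3.5.3.3.3 3.5.3.3.4"
        ruleset4="4.2.1.1 4.2.1.2 4.2.1.3 4.2.1.4 4.2.1.5 4.2.1.6 4.2.2.1 4.2.2.2 4.2.2.3 4.2.3 4.3 4.4"
        ruleset5="5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.1.8 5.1.9 5.2.1 5.2.2 5.2.3 5.2.4 5.2.6 5.2.7 5.2.8 5.2.9 5.2.10 5.2.11 5.2.12 5.2.13 5.2.14 5.2.15 5.2.16 5.2.17 5.2.18 5.2.19 5.2.21 5.2.22 5.3.1 5.3.2 5.3.3 5.3.4 5.4.1.1 5.4.1.2 5.4.1.3 5.4.1.4 5.4.1.5 5.4.2 5.4.3 5.4.4 5.4.5 5.5 5.6"
        ruleset6="6.1.2 6.1.3 6.1.4 6.1.5 6.1.6 6.1.7 6.1.8 6.1.9 6.1.10 6.1.11 6.1.12 6.1.13 6.1.14 6.2.1 6.2.2 6.2.3 6.2.4 6.2.5 6.2.6 6.2.7 6.2.8 6.2.9 6.2.10 6.2.11 6.2.12 6.2.13 6.2.14 6.2.15 6.2.16 6.2.17"
  # Juju runs these before its own cloud-init commands, as root.
  preruncmd:
    - locale-gen en_GB.UTF-8; update-locale
    # NOTE(review): trust-on-first-use over cleartext HTTP. The signing key for
    # the security-benchmarks PPA is fetched unauthenticated and added to the
    # global apt keyring with the deprecated `apt-key add`; whoever can answer
    # for 192.168.1.12 on this network can supply their own key and then a
    # malicious usg-cisbenchmark package, which is installed and executed as
    # root a few lines below. Prefer baking the key into the image (or a
    # keyring under /etc/apt/keyrings referenced with [signed-by=...]) and
    # checking its fingerprint before trusting it.
    - wget -qO - http://192.168.1.12/keys/security-benchmarks.asc | sudo apt-key add -
    # Release detection greps hostnamectl output; sourcing /etc/os-release and
    # testing $VERSION_ID would be the more robust check.
    - if hostnamectl | grep 18.04; then add-apt-repository "deb http://192.168.1.12/private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu/ bionic main"; fi
    - if hostnamectl | grep 20.04; then add-apt-repository "deb http://192.168.1.12/private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu/ focal main"; fi
    - sudo apt update
    - sudo DEBIAN_FRONTEND=noninteractive apt install -y -q usg-cisbenchmark
    # Bionic gets the stock lvl2_server profile; focal gets `custom`, i.e. only
    # the ruleset* lists from its conf file.
    - if hostnamectl | grep 18.04; then cd /usr/share/ubuntu-scap-security-guides/cis-hardening; ./Canonical_Ubuntu_18.04_CIS-harden.sh -f /tmp/cis-hardening-bionic.conf lvl2_server; fi
    - if hostnamectl | grep 20.04; then cd /usr/share/ubuntu-scap-security-guides/cis-hardening; ./Canonical_Ubuntu_20.04_CIS-harden.sh -f /tmp/cis-hardening-focal.conf custom; fi
    # Container-only cleanup: auditd is added by the hardening script but is
    # not supported in containers, so it is purged there together with the
    # staged netplan drop-in and the nested lxd snap. Audit coverage for
    # containers therefore has to come from the host.
    - "systemd-detect-virt --container && apt purge -y auditd"
    - "systemd-detect-virt --container && rm -rf /root/99-post-juju.yaml"
    - "systemd-detect-virt --container && sudo snap remove --purge lxd"
    # Host/VM-only: activate the netplan drop-in and allow nested containers.
    # NOTE(review): security.nesting=true on the *default* LXD profile grants
    # nesting to every container on the machine, not only the ones Juju
    # creates; scope it to a dedicated profile if other workloads share the
    # host.
    - "! systemd-detect-virt --container && mv /root/99-post-juju.yaml /etc/netplan/99-post-juju.yaml"
    - "! systemd-detect-virt --container && sudo lxc profile set default security.nesting true"
    - sudo netplan apply
  snap:
    commands:
      "00": systemctl restart snapd
# Mirrors and streams for the offline environment, all over plain HTTP.
# NOTE(review): agent binaries and LXD images are pulled from this host; a
# tampered agent runs as root on every machine, so confirm the simplestreams
# metadata served here is signed or that the mirror is otherwise trusted.
apt-mirror: http://192.168.1.12/archive.ubuntu.com/ubuntu
lxd-snap-channel: "4.19/stable"
container-image-metadata-url: http://192.168.1.12/lxd/
container-image-stream: released
agent-metadata-url: http://192.168.1.12/juju/tools/
agent-stream: released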