canonical/cpe-deployments
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity
cpe-deployments/config/juju-model-default-cis-bionic.yaml
Arif Ali d7dc81cd18 Update configs 
* Added local repos for everything
* Add focal related stuff to start migrating
* Add/fix CIS related stuff
* Update/fix juju model defaults
* Add model defaults just before the juju deploy
* Add new script to initialise vault
* Update vault keys to current mode
2021-12-01 16:24:41 +00:00

90 lines
3.0 KiB
YAML
Raw Blame History

cloudinit-userdata: |
packages:
- squashfuse
- libopenscap8
write_files:
- owner: root:root
path: /root/99-post-juju.yaml
permissions: '0644'
content: |
network:
version: 2
ethernets:
ens3:
link-local: []
ens4:
link-local: []
ens5:
link-local: []
ens6:
link-local: []
ens7:
link-local: []
ens8:
link-local: []
ens9:
link-local: []
- owner: root:root
path: /tmp/cis-hardening.conf
permissions: '0644'
content: |
# Hash created by grub-mkpasswd-pbkdf2 to set grub password. If empty, grub password
# is not set.
# (CIS rule 1.4.2)
grub_hash=
# Grub user set for authentication
grub_user=root
# Time synchronization service selected (ntp or chrony - if empty, none will be installed)
# (CIS rule 2.2.1.1-2.2.1.3)
time_sync_svc=
time_sync_addr=
# Audit log storage size, before log is automatically rotated
# (CIS rule 4.1.1.1)
max_log_file=8
# Remote log host address (CIS rule 4.2.2.4)
# Use the format loghost.example.com:554, to define the port
remote_log_server=
# SSH access limitation parameters at /etc/ssh/sshd_config (CIS rule 5.2.14)
AllowUsers=ubuntu
AllowGroups=
DenyUsers=
DenyGroups=
# PAM password quality parameters at /etc/security/pwquality.conf (CIS rule 5.3.1)
minlen=14
dcredit=-1
ucredit=-1
ocredit=-1
lcredit=-1
# sudo group members, aside from root (CIS rule 5.6)
sudo_member=
# Unowned files will be changed to this user (CIS rule 6.1.11)
unowned_user=root
# Ungrouped files will be changed to this user (CIS rule 6.1.12)
unowned_group=root
# Delete files in the home directory which violate CIS rules (CIS rules 6.2.11, 6.2.12, 6.2.14)
delete_user_files=true
preruncmd:
- locale-gen en_GB.UTF-8; update-locale
- sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys A166877412DAC26E73CEBF3FF6C280178D13028C
- sudo add-apt-repository "deb http://192.168.1.12/private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu bionic main"
- sudo apt update
- sudo DEBIAN_FRONTEND=noninteractive apt install -y -q usg-cisbenchmark
- cd /usr/share/ubuntu-scap-security-guides/cis-hardening; sudo ./Canonical_Ubuntu_18.04_CIS-harden.sh -f /tmp/cis-hardening.conf lvl2_server
# remove auditd as added by Hardening script but is not supported on containers
- "systemd-detect-virt --container && apt purge -y auditd"
- "systemd-detect-virt --container && rm -rf /root/99-post-juju.yaml"
- "! systemd-detect-virt --container && mv /root/99-post-juju.yaml /etc/netplan/99-post-juju.yaml"
- "! systemd-detect-virt --container && sudo lxc profile set default security.nesting true"
- sudo netplan apply
default-series: "bionic"
apt-mirror: http://192.168.1.12/archive.ubuntu.com/ubuntu
Reference in New Issue View Git Blame Copy Permalink