
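# Juju model defaults: CIS-harden every new machine at provisioning time.
# `cloudinit-userdata` is a YAML document embedded in a block scalar; Juju
# passes it to cloud-init, so the inner keys (packages, write_files,
# preruncmd) follow cloud-init/Juju userdata semantics, not model-key ones.
cloudinit-userdata: |
  packages:
    - squashfuse
    - libopenscap8
  write_files:
    # apt credentials for the private PPA that ships usg-cisbenchmark.
    # NOTE(review): the committed version of this file carried a live-looking
    # password here. Treat that credential as exposed (rotate it) and inject the
    # replacement from a secret store at deploy time rather than from VCS.
    - owner: root:root
      path: /etc/apt/auth.conf.d/cis-harden.conf
      permissions: '0600'
      content: |
        # Credentials to allow the connecion for the CIS benchmarks private PPA
        machine private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu
        login arif-ali
        # placeholder: substitute the real value from a secret store at deploy time
        password <PRIVATE_PPA_PASSWORD>
    # Answer file for the hardening script. The file is consumed as root (the
    # script runs under sudo), so 0600 costs nothing and keeps grub_hash private
    # should it ever be populated; /tmp is world-readable otherwise.
    - owner: root:root
      path: /tmp/cis-hardening.conf
      permissions: '0600'
      content: |
        # Hash created by grub-mkpasswd-pbkdf2 to set grub password. If empty, grub password
        # is not set.
        # (CIS rule 1.4.2)
        grub_hash=
        # Grub user set for authentication
        grub_user=root
        # Time synchronization service selected (ntp or chrony - if empty, none will be installed)
        # (CIS rule 2.2.1.1-2.2.1.3)
        time_sync_svc=
        time_sync_addr=
        # Audit log storage size, before log is automatically rotated
        # (CIS rule 4.1.1.1)
        max_log_file=8
        # Remote log host address (CIS rule 4.2.2.4)
        # Use the format loghost.example.com:554, to define the port
        remote_log_server=
        # SSH access limitation parameters at /etc/ssh/sshd_config (CIS rule 5.2.14)
        AllowUsers=ubuntu
        AllowGroups=
        DenyUsers=
        DenyGroups=
        # PAM password quality parameters at /etc/security/pwquality.conf (CIS rule 5.3.1)
        minlen=14
        dcredit=-1
        ucredit=-1
        ocredit=-1
        lcredit=-1
        # sudo group members, aside from root (CIS rule 5.6)
        sudo_member=
        # Unowned files will be changed to this user (CIS rule 6.1.11)
        unowned_user=root
        # Ungrouped files will be changed to this user (CIS rule 6.1.12)
        unowned_group=root
        # Delete files in the home directory which violate CIS rules (CIS rules 6.2.11, 6.2.12, 6.2.14)
        delete_user_files=true
  preruncmd:
    - locale-gen en_GB.UTF-8; update-locale
    # apt-key is deprecated, and hkp on port 80 is an unauthenticated transport;
    # the integrity of the fetched key rests on the full fingerprint pinned below.
    - sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys A166877412DAC26E73CEBF3FF6C280178D13028C
    - sudo add-apt-repository "deb https://private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu bionic main"
    - sudo apt update
    - sudo DEBIAN_FRONTEND=noninteractive apt install -y -q usg-cisbenchmark
    # '&&' rather than ';' so a failed cd never resolves ./Canonical_... against
    # whatever cwd cloud-init happens to run from. The script name is 18.04
    # specific and must stay in step with default-series below.
    - cd /usr/share/ubuntu-scap-security-guides/cis-hardening && sudo ./Canonical_Ubuntu_18.04_CIS-harden.sh -f /tmp/cis-hardening.conf lvl2_server
    # remove auditd as added by Hardening script but is not supported on containers
    - "systemd-detect-virt --container && apt purge -y auditd"
# The 18.04 hardening script and the "bionic" PPA line above assume this series.
default-series: "bionic"
# Plain http to the mirror is acceptable only because apt verifies package
# signatures; the address is a private-network host.
apt-mirror: http://192.168.1.12/ubuntu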