161 lines
7.0 KiB
YAML
161 lines
7.0 KiB
YAML
cloudinit-userdata: |
|
|
apt:
|
|
primary:
|
|
- arches: [amd64]
|
|
uri: http://192.168.1.12/archive.ubuntu.com/ubuntu
|
|
packages:
|
|
- squashfuse
|
|
- libopenscap8
|
|
write_files:
|
|
- owner: root:root
|
|
path: /root/99-post-juju.yaml
|
|
permissions: '0644'
|
|
content: |
|
|
network:
|
|
version: 2
|
|
ethernets:
|
|
ens3:
|
|
link-local: []
|
|
ens4:
|
|
link-local: []
|
|
ens5:
|
|
link-local: []
|
|
ens6:
|
|
link-local: []
|
|
ens7:
|
|
link-local: []
|
|
ens8:
|
|
link-local: []
|
|
ens9:
|
|
link-local: []
|
|
- owner: root:root
|
|
path: /tmp/cis-hardening-bionic.conf
|
|
permissions: '0644'
|
|
content: |
|
|
# Hash created by grub-mkpasswd-pbkdf2 to set grub password. If empty, grub password
|
|
# is not set.
|
|
# (CIS rule 1.4.2)
|
|
grub_hash=
|
|
# Grub user set for authentication
|
|
grub_user=root
|
|
|
|
# Time synchronization service selected (ntp or chrony - if empty, none will be installed)
|
|
# (CIS rule 2.2.1.1-2.2.1.3)
|
|
time_sync_svc=
|
|
time_sync_addr=
|
|
|
|
# Audit log storage size, before log is automatically rotated
|
|
# (CIS rule 4.1.1.1)
|
|
max_log_file=8
|
|
|
|
# Remote log host address (CIS rule 4.2.2.4)
|
|
# Use the format loghost.example.com:554, to define the port
|
|
remote_log_server=
|
|
|
|
# SSH access limitation parameters at /etc/ssh/sshd_config (CIS rule 5.2.14)
|
|
AllowUsers=ubuntu nova
|
|
AllowGroups=
|
|
DenyUsers=
|
|
DenyGroups=
|
|
|
|
# PAM password quality parameters at /etc/security/pwquality.conf (CIS rule 5.3.1)
|
|
minlen=14
|
|
dcredit=-1
|
|
ucredit=-1
|
|
ocredit=-1
|
|
lcredit=-1
|
|
|
|
# sudo group members, aside from root (CIS rule 5.6)
|
|
sudo_member=
|
|
|
|
# Unowned files will be changed to this user (CIS rule 6.1.11)
|
|
unowned_user=root
|
|
# Ungrouped files will be changed to this user (CIS rule 6.1.12)
|
|
unowned_group=root
|
|
|
|
# Delete files in the home directory which violate CIS rules (CIS rules 6.2.11, 6.2.12, 6.2.14)
|
|
delete_user_files=true
|
|
- owner: root:root
|
|
path: /tmp/cis-hardening-focal.conf
|
|
permissions: '0644'
|
|
content: |
|
|
# Hash created by grub-mkpasswd-pbkdf2 to set grub password. If empty, grub password
|
|
# is not set.
|
|
# (CIS rule 1.4.2)
|
|
grub_hash=grub.pbkdf2.sha512.10000.548903E12706838EBE33BF0C992AAC553408E45A75FD6A56AA6E15B77164C96C29BC2A896FBDC24550B20D26B531078B73107FE97A8C75BE4A2AEB39F241A58D.1708FD2D488E043C170838CBD5FFBEB2F418023B1251BD5DCF3E724038D2E6F3F51F3EE1615A52BCADD8736B4A0C34AC820D4F7EE1E0F1FD96AC0761B6A6E6A2
|
|
# Grub user set for authentication
|
|
grub_user=ubuntu
|
|
|
|
# Time synchronization service selected (ntp or chrony - if empty, none will be installed)
|
|
# (CIS rule 2.2.1.1-2.2.1.3)
|
|
time_sync_svc=
|
|
time_sync_addr=
|
|
|
|
# Audit log storage size, before log is automatically rotated
|
|
# (CIS rule 4.1.1.1)
|
|
max_log_file=8
|
|
|
|
# Remote log host address (CIS rule 4.2.2.4)
|
|
# Use the format loghost.example.com:554, to define the port
|
|
remote_log_server=
|
|
|
|
# SSH access limitation parameters at /etc/ssh/sshd_config (CIS rule 5.2.14)
|
|
AllowUsers=ubuntu nova
|
|
AllowGroups=
|
|
DenyUsers=
|
|
DenyGroups=
|
|
|
|
# PAM password quality parameters at /etc/security/pwquality.conf (CIS rule 5.3.1)
|
|
minlen=14
|
|
dcredit=-1
|
|
ucredit=-1
|
|
ocredit=-1
|
|
lcredit=-1
|
|
|
|
# sudo group members, aside from root (CIS rule 5.6)
|
|
sudo_member=
|
|
|
|
# Unowned files will be changed to this user (CIS rule 6.1.11)
|
|
unowned_user=root
|
|
# Ungrouped files will be changed to this user (CIS rule 6.1.12)
|
|
unowned_group=root
|
|
|
|
# Delete files in the home directory which violate CIS rules (CIS rules 6.2.11, 6.2.12, 6.2.14)
|
|
delete_user_files=true
|
|
|
|
# Exclude rsync rules on Focal
|
|
ruleset1="1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4 1.1.1.5 1.1.1.6 1.1.2 1.1.3 1.1.4 1.1.5 1.1.6 1.1.7 1.1.8 1.1.9 1.1.12 1.1.13 1.1.14 1.1.18 1.1.19 1.1.20 1.1.21 1.1.22 1.1.23 1.1.24 1.2.1 1.2.2 1.3.1 1.3.2 1.3.3 1.4.1 1.4.2 1.5.1 1.5.2 1.5.3 1.6.1 1.6.2 1.6.3 1.6.4 1.7.1.1 1.7.1.2 1.7.1.3 1.8.1.1 1.8.1.2 1.8.1.3 1.8.1.4 1.8.1.5 1.8.1.6 1.9 1.10"
|
|
ruleset2="2.1.1 2.1.2 2.2.1.1 2.2.1.2 2.2.1.3 2.2.1.4 2.2.2 2.2.3 2.2.4 2.2.5 2.2.6 2.2.7 2.2.8 2.2.9 2.2.10 2.2.11 2.2.12 2.2.13 2.2.14 2.2.15 2.2.17 2.3.1 2.3.2 2.3.3 2.3.4 2.3.5 2.3.6 2.4"
|
|
ruleset3="3.1.2 3.2.1 3.2.2 3.3.1 3.3.2 3.3.3 3.3.4 3.3.5 3.3.6 3.3.7 3.3.8 3.3.9 3.5.1.1 3.5.1.2 3.5.1.3 3.5.1.4 3.5.1.5 3.5.1.6 3.5.1.7 3.5.2.1 3.5.2.2 3.5.2.3 3.5.2.4 3.5.2.5 3.5.2.6 3.5.2.7 3.5.2.8 3.5.2.9 3.5.2.10 3.5.3.1.1 3.5.3.1.2 3.5.3.2.1 3.5.3.2.2 3.5.3.2.3 3.5.3.2.4 3.5.3.3.1 3.5.3.3.2 3.5.3.3.3 3.5.3.3.4"
|
|
ruleset4="4.2.1.1 4.2.1.2 4.2.1.3 4.2.1.4 4.2.1.5 4.2.1.6 4.2.2.1 4.2.2.2 4.2.2.3 4.2.3 4.3 4.4"
|
|
ruleset5="5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.1.8 5.1.9 5.2.1 5.2.2 5.2.3 5.2.4 5.2.6 5.2.7 5.2.8 5.2.9 5.2.10 5.2.11 5.2.12 5.2.13 5.2.14 5.2.15 5.2.16 5.2.17 5.2.18 5.2.19 5.2.21 5.2.22 5.3.1 5.3.2 5.3.3 5.3.4 5.4.1.1 5.4.1.2 5.4.1.3 5.4.1.4 5.4.1.5 5.4.2 5.4.3 5.4.4 5.4.5 5.5 5.6"
|
|
ruleset6="6.1.2 6.1.3 6.1.4 6.1.5 6.1.6 6.1.7 6.1.8 6.1.9 6.1.10 6.1.11 6.1.12 6.1.13 6.1.14 6.2.1 6.2.2 6.2.3 6.2.4 6.2.5 6.2.6 6.2.7 6.2.8 6.2.9 6.2.10 6.2.11 6.2.12 6.2.13 6.2.14 6.2.15 6.2.16 6.2.17"
|
|
preruncmd:
|
|
- locale-gen en_GB.UTF-8; update-locale
|
|
- wget -qO - http://192.168.1.12/keys/security-benchmarks.asc | sudo apt-key add -
|
|
- if hostnamectl | grep 18.04; then add-apt-repository "deb http://192.168.1.12/private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu/ bionic main"; fi
|
|
- if hostnamectl | grep 20.04; then add-apt-repository "deb http://192.168.1.12/private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu/ focal main"; fi
|
|
- sudo apt update
|
|
- sudo DEBIAN_FRONTEND=noninteractive apt install -y -q usg-cisbenchmark
|
|
- if hostnamectl | grep 18.04; then cd /usr/share/ubuntu-scap-security-guides/cis-hardening; ./Canonical_Ubuntu_18.04_CIS-harden.sh -f /tmp/cis-hardening-bionic.conf lvl2_server; fi
|
|
- if hostnamectl | grep 20.04; then cd /usr/share/ubuntu-scap-security-guides/cis-hardening; ./Canonical_Ubuntu_20.04_CIS-harden.sh -f /tmp/cis-hardening-focal.conf custom; fi
|
|
# remove auditd as added by Hardening script but is not supported on containers
|
|
- "systemd-detect-virt --container && apt purge -y auditd"
|
|
- "systemd-detect-virt --container && rm -rf /root/99-post-juju.yaml"
|
|
- "systemd-detect-virt --container && sudo snap remove --purge lxd"
|
|
- "! systemd-detect-virt --container && mv /root/99-post-juju.yaml /etc/netplan/99-post-juju.yaml"
|
|
- "! systemd-detect-virt --container && sudo lxc profile set default security.nesting true"
|
|
- sudo netplan apply
|
|
snap:
|
|
commands:
|
|
"00": systemctl restart snapd
|
|
|
|
apt-mirror: http://192.168.1.12/archive.ubuntu.com/ubuntu
|
|
lxd-snap-channel: "4.19/stable"
|
|
|
|
container-image-metadata-url: http://192.168.1.12/lxd/
|
|
container-image-stream: released
|
|
|
|
agent-metadata-url: http://192.168.1.12/juju/tools/
|
|
agent-stream: released
|