feat: DISA Ubuntu 20.04 STIG compliance (#83)

Javier Darsie 2023-02-21 14:24:43 -08:00 коммит произвёл GitHub
Родитель 923f174142
Коммит 83f4d9b27a
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
31 изменённых файлов: 871 добавлений и 130 удалений


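--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE.md
@@ -0,0 +1,58 @@
+# DISA Ubuntu 20.04 LTS STIG
+AKS Engine is able to create cluster nodes that comply with the [DISA Ubuntu 20.04 LTS Security Technical Implementation Guide](https://public.cyber.mil/announcement/stig-update-disa-has-released-the-canonical-ubuntu-20-04-lts-stig/). A STIG describes how to minimize network-based attacks and prevent system access when the attacker is interfacing with the system, either physically at the machine or over a network.
+By default, AKS Engine-based clusters address most, but not all, the items required by the STIG. The remaining configuration items required by the STIG will be applied if the API Model sets the `enforceUbuntu2004DisaStig` feature flag:
+```json
+{
+"properties": {
+"masterProfile": {
+"auditDEnabled": true
+},
+"agentPoolProfiles": [
+{
+"osType": "Linux",
+"auditDEnabled": true
+}
+],
+"featureFlags": {
+"enforceUbuntu2004DisaStig": true
+}
+}
+}
+```
+The list of items required by the STIG can be found [here](https://www.stigviewer.com/stig/canonical_ubuntu_20.04_lts/).
+The following script shows how to validate if a cluster node remain compliant:
+```bash
+# the zip file name can be different
+STIG_URL="https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_20-04_LTS_V1R7_STIG_Ansible.zip"
+OUT_FILE="U_CAN_Ubuntu_20-04_LTS_STIG_Ansible.zip"
+curl -fsSL $STIG_URL -o $OUT_FILE
+# ensure zip is installed
+unzip $OUT_FILE || exit 99
+unzip ubuntu2004STIG-ansible.zip || exit 99
+# adjust ansible files to naming insistencies
+echo 'ubuntu2004STIG_stigrule_238213_ClientAliveInterval_Line: ClientAliveInterval 120' > vars.yml
+echo 'ubuntu2004STIG_stigrule_238214__etc_issue_net_Dest: /etc/issue-stig.net' >> vars.yml
+echo " vars_files:" >> site.yml
+echo " - vars.yml" >> site.yml
+sed -i 's|/01-vendor-Ubuntu$|/01-vendor-ubuntu|g' roles/ubuntu2004STIG/tasks/main.yml
+sed -i 's|/stig.rules$|/aks-engine.rules|g' roles/ubuntu2004STIG/tasks/main.yml
+sed -i 's|auid!=-1|auid!=4294967295|g' roles/ubuntu2004STIG/defaults/main.yml
+sed -i 's|/etc/sysctl.conf|/etc/sysctl.d/11-aks-engine.conf|g' roles/ubuntu2004STIG/tasks/main.yml
+# dry-run
+export XML_PATH
+XML_PATH=$(pwd)/results.xml
+# ensure ansible is installed
+ansible-playbook -v -b -i /dev/null --check site.yml
+# check for findings
+grep -B 1 fail $XML_PATH | grep -o -E 'V-[[:digit:]]{6}'
+```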


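--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE.json
@@ -0,0 +1,33 @@
+{
+"apiVersion": "vlabs",
+"properties": {
+"masterProfile": {
+"count": 3,
+"dnsPrefix": "",
+"auditDEnabled": true,
+"vmSize": "Standard_D2_v3"
+},
+"agentPoolProfiles": [
+{
+"name": "poollinux",
+"count": 1,
+"vmSize": "Standard_D2_v3",
+"auditDEnabled": true,
+"availabilityProfile": "AvailabilitySet"
+}
+],
+"linuxProfile": {
+"adminUsername": "azureuser",
+"ssh": {
+"publicKeys": [
+{
+"keyData": ""
+}
+]
+}
+},
+"featureFlags": {
+"enforceUbuntu2004DisaStig": true
+}
+}
+}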


@ -9,11 +9,11 @@
-w /etc/localtime -p wa -k time-change
# 4.1.5 Ensure events that modify user/group information are collected
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /etc/group -p wa -k usergroup_modification
-w /etc/passwd -p wa -k usergroup_modification
-w /etc/gshadow -p wa -k usergroup_modification
-w /etc/shadow -p wa -k usergroup_modification
-w /etc/security/opasswd -p wa -k usergroup_modification
# 4.1.6 Ensure events that modify the system's network environment are collected
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
@ -33,64 +33,78 @@
-w /var/log/tallylog -p wa -k logins
# 4.1.9 Ensure session initiation information is collected
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/run/utmp -p wa -k logins
-w /var/log/wtmp -p wa -k logins
-w /var/log/btmp -p wa -k logins
-w /var/run/wtmp -p wa -k logins
# 4.1.10 Ensure discretionary access control permission modification events are collected
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
# 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access
# 4.1.12 Ensure use of privileged commands is collected
-a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/lib/eject/dmcrypt-get-device -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/expiry -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chfn
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/screen -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
-a always,exit -F path=/usr/bin/mlocate -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd
-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/bsd-write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam_timestamp_check
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod
-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/ntfs-3g -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/ping6 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/ping -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/fusermount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/sbin/pam_extrausers_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/mount.nfs -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update
# 4.1.13 Ensure successful file system mounts are collected
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
# 4.1.14 Ensure file deletion events by users are collected
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete
# 4.1.15 Ensure changes to system administration scope (sudoers) is collected
-w /etc/sudoers -p wa -k scope
@ -100,10 +114,25 @@
-w /var/log/sudo.log -p wa -k actions
# 4.1.17 Ensure kernel module loading and unloading is collected
-w /bin/kmod -p x -k modules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng
-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng
-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=4294967295 -k module_chng
-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=4294967295 -k module_chng
# Prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions.
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv
# Generate audit records when successful/unsuccessful attempts to use the fdisk command.
-w /sbin/fdisk -p x -k fdisk
# 4.1.18 Ensure the audit configuration is immutable
-e 2
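Review bot: The kernel-module rules in the last hunk narrow syscall coverage compared with the line they appear to replace: `-a always,exit -F arch=b64 -S init_module -S delete_module -k modules` carried no auid filter, while the new module_chng rules all add `-F auid>=1000 -F auid!=4294967295`, so init_module/finit_module/delete_module calls made by system services with an unset login uid (boot-time module loading, daemons) are no longer syscall-audited and only the `-w /sbin/modprobe -p x` style watches remain for them. If the unfiltered line was indeed removed (this rendered page has lost the +/- markers), consider keeping one unfiltered syscall rule next to the STIG ones, e.g. `-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules`, and its b32 twin. Because the file ends with `-e 2`, the loaded rule set is immutable and any later correction only takes effect after a reboot, so it is worth settling this before the rules ship.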


@ -48,6 +48,8 @@ installDeps() {
packages+=" cgroup-lite ceph-common glusterfs-client"
disableTimeSyncd
packages+=" ntp ntpstat chrony"
{{/* STIG SV-238200r653775_rule, SV-238231r653868_rule, SV-238230r653865_rule */}}
packages+=" vlock opensc-pkcs11 libpam-pkcs11"
elif [[ $OS == $DEBIAN_OS_NAME ]]; then
packages+=" gpg cgroup-bin"
fi
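Review bot: The new `packages+=" vlock opensc-pkcs11 libpam-pkcs11"` line is not gated on the feature flag, so every Ubuntu node now pulls in the smart-card PAM stack even when `enforceUbuntu2004DisaStig` is off, whereas the STIG script invocation and the sysctl change elsewhere in this commit are only applied when the flag is set. Unless the unconditional install is intended, wrap the two lines in the same `{{- if ShouldEnforceUbuntu2004DisaStig}} … {{- end}}` guard so non-STIG clusters keep their current package set. If it is intended, the template comment above the line should say so rather than only listing the rule ids. installDeps begins outside the hunk.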


@ -287,6 +287,10 @@ apt_get_update && unattended_upgrade
{{- end}}
{{- end}}
{{- if ShouldEnforceUbuntu2004DisaStig}}
{{GetUbuntu2004DisaStigScriptFilepath}}
{{- end}}
if [ -f /var/run/reboot-required ]; then
trace_info "RebootRequired" "reboot=true"
/bin/bash -c "shutdown -r 1 &"
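Review bot: `{{GetUbuntu2004DisaStigScriptFilepath}}` is invoked as a bare command, so its exit status is discarded; the STIG script exits 115 whenever one of its `sed` edits fails, but nothing here turns that into a provisioning failure, and the node proceeds to the reboot check as if fully hardened. If a failed hardening step should fail CSE like the other provisioning steps, append a guard consistent with the script's own convention, e.g. `{{GetUbuntu2004DisaStigScriptFilepath}} || exit 115`. It is also worth confirming the file is written with an executable mode, since it is run by path rather than through `bash`. The enclosing function begins outside the hunk.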


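--- /dev/null
+++ b/parts/k8s/cloud-init/artifacts/cse_stig_ubuntu2004.sh
@@ -0,0 +1,85 @@
+#!/bin/bash
+setLoginDefs() {
+local f=/etc/login.defs
+sed -i '/^PASS_MAX_DAYS/d' ${f} || exit 115
+sed -i '$aPASS_MAX_DAYS 60' ${f} || exit 115
+sed -i '/^PASS_MIN_DAYS/d' ${f} || exit 115
+sed -i '$aPASS_MIN_DAYS 1' ${f} || exit 115
+sed -i '/^UMASK/d' ${f} || exit 115
+sed -i '$aUMASK 077' ${f} || exit 115
+}
+setPwqualityConf() {
+local f=/etc/security/pwquality.conf
+sed -i '/^difok/d' ${f} || exit 115
+sed -i '$adifok=8' ${f} || exit 115
+sed -i '/^dictcheck/d' ${f} || exit 115
+sed -i '$adictcheck=1' ${f} || exit 115
+sed -i '/^minlen/d' ${f} || exit 115
+sed -i '$aminlen=15' ${f} || exit 115
+sed -i '/^lcredit/d' ${f} || exit 115
+sed -i '$alcredit=-1' ${f} || exit 115
+}
+setTerminalTimeout() {
+local f=/etc/profile.d/99-terminal_tmout.sh
+{{/* STIG SV-238207r653796_rule */}}
+if [[ -f ${f} ]]; then
+sed -i '/^TMOUT/d' ${f} || exit 115
+sed -i '$aTMOUT=600' ${f} || exit 115
+else
+echo "TMOUT=600" > ${f}
+truncate -s -1 ${f}
+fi
+}
+setSSHDConfig() {
+local f=/etc/ssh/sshd_config
+{{/* STIG SV-238212r653811_rule */}}
+sed -i '/^ClientAliveCountMax/d' ${f} || exit 115
+sed -i '$aClientAliveCountMax 1' ${f} || exit 115
+{{/* STIG SV-238216r654316_rule */}}
+sed -i '/^MACs/d' ${f} || exit 115
+sed -i '$aMACs hmac-sha2-512,hmac-sha2-256' ${f} || exit 115
+{{/* STIG SV-238217r653826_rule */}}
+sed -i '/^Ciphers/d' ${f} || exit 115
+sed -i '$aCiphers aes256-ctr,aes192-ctr,aes128-ctr' ${f} || exit 115
+{{/* STIG SV-238220r653835_rule */}}
+sed -i '/^X11UseLocalhost/d' ${f} || exit 115
+sed -i '$aX11UseLocalhost yes' ${f} || exit 115
+{{/* STIG SV-238214r653817_rule */}}
+if [[ -f /etc/issue-stig.net ]]; then
+sed -i '/^Banner/d' ${f} || exit 115
+sed -i '$aBanner /etc/issue-stig.net' ${f} || exit 115
+fi
+}
+setAuditd() {
+local f=/etc/audit/auditd.conf
+{{/* STIG SV-238244r653907_rule */}}
+sed -i '/^disk_full_action/d' ${f} || exit 115
+sed -i '$adisk_full_action = HALT' ${f} || exit 115
+}
+setLimitsConf() {
+local f=/etc/security/limits.conf
+{{/* STIG SV-238323r654144_rule */}}
+sed -i '1s|^|* hard maxlogins 10\n|' ${f}
+}
+setAPTConfig() {
+local f=/etc/apt/apt.conf.d/01-vendor-ubuntu
+{{/* STIG SV-219155r610963_rule */}}
+sed -i '/^APT::Get::AllowUnauthenticated/d' ${f} || exit 115
+sed -i '$aAPT::Get::AllowUnauthenticated "false";' ${f} || exit 115
+local g=/etc/apt/apt.conf.d/50unattended-upgrades
+{{/* STIG SV-219156r610963_rule */}}
+sed -i '/^Unattended-Upgrade::Remove-Unused-Dependencies/d' ${g} || exit 115
+sed -i '$aUnattended-Upgrade::Remove-Unused-Dependencies "true";' ${g} || exit 115
+{{/* STIG SV-219156r610963_rule */}}
+sed -i '/^Unattended-Upgrade::Remove-Unused-Kernel-Packages/d' ${g} || exit 115
+sed -i '$aUnattended-Upgrade::Remove-Unused-Kernel-Packages "true";' ${g} || exit 115
+}
+setLoginDefs
+setPwqualityConf
+setTerminalTimeout
+setSSHDConfig
+setAuditd
+setLimitsConf
+setAPTConfig
+#EOF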
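Review bot: setSSHDConfig rewrites sshd_config with no validation step: every directive is appended with `sed '$a…'`, so if the file already carries a `Match` block (an operator-customised image, for example) the appended `Ciphers` and `MACs` land inside that block, where OpenSSH does not accept them, and sshd refuses its configuration after the reboot scheduled later in cse_main.sh — a lockout rather than a hardening. Finish the function with `sshd -t || exit 115` so a broken configuration fails provisioning before the reboot rather than after it. setLimitsConf is also the one function without the `|| exit 115` guard, and its `sed -i '1s|^|* hard maxlogins 10\n|'` prepends on every run, so re-executing the script stacks duplicate entries; `grep -q '^\* hard maxlogins' ${f} || sed -i '1s|^|* hard maxlogins 10\n|' ${f} || exit 115` keeps it idempotent and checked. Finally, `truncate -s -1 ${f}` in setTerminalTimeout strips the trailing newline for a reason that is not stated; a one-line comment such as `# drop trailing newline: <reason>` would save the next reader from reverting it.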


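--- /dev/null
+++ b/parts/k8s/cloud-init/artifacts/etc-issue-stig.net
@@ -0,0 +1,13 @@
+You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+-At any time, the USG may inspect and seize data stored on this IS.
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.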


@ -38,14 +38,6 @@ write_files:
{{CloudInitData "provisionCIS"}}
{{end}}
{{- if .MasterProfile.IsAuditDEnabled}}
- path: /etc/audit/rules.d/CIS.rules
permissions: "0744"
encoding: gzip
owner: root
content: !!binary |
{{CloudInitData "auditdRules"}}
{{end}}
{{- if not .MasterProfile.IsUbuntu1604}}
{{- if not .MasterProfile.IsVHDDistro}}


@ -46,15 +46,6 @@ write_files:
{{CloudInitData "provisionCIS"}}
{{end}}
{{- if .IsAuditDEnabled}}
- path: /etc/audit/rules.d/CIS.rules
permissions: "0744"
encoding: gzip
owner: root
content: !!binary |
{{CloudInitData "auditdRules"}}
{{end}}
{{- if not .IsUbuntu1604}}
{{- if not .IsVHDDistro}}
- path: /var/run/reboot-required


@ -664,6 +664,7 @@ func convertFeatureFlagsToVLabs(api *FeatureFlags, vlabs *vlabs.FeatureFlags) {
vlabs.EnableTelemetry = api.EnableTelemetry
vlabs.EnableIPv6Only = api.EnableIPv6Only
vlabs.EnableWinDSR = api.EnableWinDSR
vlabs.EnforceUbuntu2004DisaStig = api.EnforceUbuntu2004DisaStig
}
func convertCloudProfileToVLabs(api *CustomCloudProfile, vlabsccp *vlabs.CustomCloudProfile) {


@ -414,9 +414,10 @@ func getDefaultContainerService() *ContainerService {
EtcdServerPrivateKey: "SampleEtcdServerPrivateKey",
},
FeatureFlags: &FeatureFlags{
EnableCSERunInBackground: true,
BlockOutboundInternet: false,
EnableTelemetry: false,
EnableCSERunInBackground: true,
BlockOutboundInternet: false,
EnableTelemetry: false,
EnforceUbuntu2004DisaStig: false,
},
AADProfile: &AADProfile{
ClientAppID: "SampleClientAppID",


@ -120,6 +120,7 @@ func convertVLabsFeatureFlags(vlabs *vlabs.FeatureFlags, api *FeatureFlags) {
api.EnableTelemetry = vlabs.EnableTelemetry
api.EnableIPv6Only = vlabs.EnableIPv6Only
api.EnableWinDSR = vlabs.EnableWinDSR
api.EnforceUbuntu2004DisaStig = vlabs.EnforceUbuntu2004DisaStig
}
func convertVLabsExtensionProfile(vlabs *vlabs.ExtensionProfile, api *ExtensionProfile) {


@ -499,10 +499,11 @@ func TestConvertVLabsContainerService(t *testing.T) {
EtcdServerPrivateKey: "SampleEtcdServerPrivateKey",
},
FeatureFlags: &vlabs.FeatureFlags{
EnableCSERunInBackground: true,
BlockOutboundInternet: false,
EnableTelemetry: false,
EnableWinDSR: true,
EnableCSERunInBackground: true,
BlockOutboundInternet: false,
EnableTelemetry: false,
EnableWinDSR: true,
EnforceUbuntu2004DisaStig: false,
},
AADProfile: &vlabs.AADProfile{
ClientAppID: "SampleClientAppID",
@ -707,9 +708,10 @@ func TestTelemetryEnabled(t *testing.T) {
EtcdServerPrivateKey: "SampleEtcdServerPrivateKey",
},
FeatureFlags: &vlabs.FeatureFlags{
EnableCSERunInBackground: true,
BlockOutboundInternet: false,
EnableTelemetry: true,
EnableCSERunInBackground: true,
BlockOutboundInternet: false,
EnableTelemetry: true,
EnforceUbuntu2004DisaStig: false,
},
AADProfile: &vlabs.AADProfile{
ClientAppID: "SampleClientAppID",


@ -21,6 +21,10 @@ func (cs *ContainerService) setSysctlDConfig() {
defaultSysctlDConfig["net.ipv4.ip_forward"] = "1"
}
if cs.Properties.FeatureFlags != nil && cs.Properties.FeatureFlags.EnforceUbuntu2004DisaStig {
defaultSysctlDConfig["net.ipv4.tcp_syncookies"] = "1"
}
// Master-specific kubelet config changes go here
if cs.Properties.MasterProfile != nil {
if cs.Properties.MasterProfile.SysctlDConfig == nil {


@ -111,6 +111,61 @@ func TestSetSysctlDConfig(t *testing.T) {
},
},
},
{
name: "defaults w/ stig",
cs: &ContainerService{
Properties: &Properties{
MasterProfile: &MasterProfile{},
AgentPoolProfiles: []*AgentPoolProfile{
{
Name: "foo",
OSType: Linux,
},
},
OrchestratorProfile: &OrchestratorProfile{
OrchestratorType: Kubernetes,
OrchestratorVersion: "1.15.0",
KubernetesConfig: &KubernetesConfig{
ContainerRuntime: Containerd,
},
},
FeatureFlags: &FeatureFlags{
EnforceUbuntu2004DisaStig: true,
},
},
},
expectedMaster: &MasterProfile{
SysctlDConfig: map[string]string{
"net.ipv4.tcp_retries2": "8",
"net.core.somaxconn": "16384",
"net.ipv4.tcp_max_syn_backlog": "16384",
"net.core.message_cost": "40",
"net.core.message_burst": "80",
"net.ipv4.neigh.default.gc_thresh1": "4096",
"net.ipv4.neigh.default.gc_thresh2": "8192",
"net.ipv4.neigh.default.gc_thresh3": "16384",
"net.ipv4.ip_forward": "1",
"net.ipv4.tcp_syncookies": "1",
},
},
expectedPools: []*AgentPoolProfile{
{
Name: "foo",
SysctlDConfig: map[string]string{
"net.ipv4.tcp_retries2": "8",
"net.core.somaxconn": "16384",
"net.ipv4.tcp_max_syn_backlog": "16384",
"net.core.message_cost": "40",
"net.core.message_burst": "80",
"net.ipv4.neigh.default.gc_thresh1": "4096",
"net.ipv4.neigh.default.gc_thresh2": "8192",
"net.ipv4.neigh.default.gc_thresh3": "16384",
"net.ipv4.ip_forward": "1",
"net.ipv4.tcp_syncookies": "1",
},
},
},
},
{
name: "user-configured",
cs: &ContainerService{


@ -71,12 +71,13 @@ type Properties struct {
// FeatureFlags defines feature-flag restricted functionality
type FeatureFlags struct {
EnableCSERunInBackground bool `json:"enableCSERunInBackground,omitempty"`
BlockOutboundInternet bool `json:"blockOutboundInternet,omitempty"`
EnableIPv6DualStack bool `json:"enableIPv6DualStack,omitempty"`
EnableTelemetry bool `json:"enableTelemetry,omitempty"`
EnableIPv6Only bool `json:"enableIPv6Only,omitempty"`
EnableWinDSR bool `json:"enableWinDSR,omitempty"`
EnableCSERunInBackground bool `json:"enableCSERunInBackground,omitempty"`
BlockOutboundInternet bool `json:"blockOutboundInternet,omitempty"`
EnableIPv6DualStack bool `json:"enableIPv6DualStack,omitempty"`
EnableTelemetry bool `json:"enableTelemetry,omitempty"`
EnableIPv6Only bool `json:"enableIPv6Only,omitempty"`
EnableWinDSR bool `json:"enableWinDSR,omitempty"`
EnforceUbuntu2004DisaStig bool `json:"enforceUbuntu2004DisaStig,omitempty"`
}
// ServicePrincipalProfile contains the client and secret used by the cluster for Azure Resource CRUD
@ -2199,6 +2200,8 @@ func (f *FeatureFlags) IsFeatureEnabled(feature string) bool {
return f.EnableIPv6Only
case "EnableWinDSR":
return f.EnableWinDSR
case "EnforceUbuntu2004DisaStig":
return f.EnforceUbuntu2004DisaStig
default:
return false
}


@ -54,12 +54,13 @@ type Properties struct {
// FeatureFlags defines feature-flag restricted functionality
type FeatureFlags struct {
EnableCSERunInBackground bool `json:"enableCSERunInBackground,omitempty"`
BlockOutboundInternet bool `json:"blockOutboundInternet,omitempty"`
EnableIPv6DualStack bool `json:"enableIPv6DualStack,omitempty"`
EnableTelemetry bool `json:"enableTelemetry,omitempty"`
EnableIPv6Only bool `json:"enableIPv6Only,omitempty"`
EnableWinDSR bool `json:"enableWinDSR,omitempty"`
EnableCSERunInBackground bool `json:"enableCSERunInBackground,omitempty"`
BlockOutboundInternet bool `json:"blockOutboundInternet,omitempty"`
EnableIPv6DualStack bool `json:"enableIPv6DualStack,omitempty"`
EnableTelemetry bool `json:"enableTelemetry,omitempty"`
EnableIPv6Only bool `json:"enableIPv6Only,omitempty"`
EnableWinDSR bool `json:"enableWinDSR,omitempty"`
EnforceUbuntu2004DisaStig bool `json:"enforceUbuntu2004DisaStig,omitempty"`
}
// ServicePrincipalProfile contains the client and secret used by the cluster for Azure Resource CRUD
@ -1027,3 +1028,8 @@ func (f *FeatureFlags) IsIPv6OnlyEnabled() bool {
func (f *FeatureFlags) IsWinDSREnabled() bool {
return f != nil && f.EnableWinDSR
}
// IsEnforceUbuntu2004DisaStigEnabled checks if EnforceUbuntu2004DisaStig feature is enabled
func (f *FeatureFlags) IsEnforceUbuntu2004DisaStigEnabled() bool {
return f != nil && f.EnforceUbuntu2004DisaStig
}


@ -418,6 +418,10 @@ func (a *Properties) validateMasterProfile(isUpdate bool) error {
if m.Distro != "" && !m.IsUbuntu() {
return errors.Errorf("auditd was enabled for master vms, but an Ubuntu-based distro was not selected")
}
} else {
if a.FeatureFlags.IsEnforceUbuntu2004DisaStigEnabled() && m.Distro != "" && m.IsUbuntu() {
return errors.New("AuditD should be enabled in all Ubuntu-based pools if feature flag 'EnforceUbuntu2004DisaStig' is set")
}
}
var validOSDiskCachingType bool
@ -484,6 +488,10 @@ func (a *Properties) validateAgentPoolProfiles(isUpdate bool) error {
if agentPoolProfile.Distro != "" && !agentPoolProfile.IsUbuntu() {
return errors.Errorf("You have enabled auditd in agent pool %s, but you did not specify an Ubuntu-based distro", agentPoolProfile.Name)
}
} else {
if a.FeatureFlags.IsEnforceUbuntu2004DisaStigEnabled() && agentPoolProfile.IsUbuntu() {
return errors.New("AuditD should be enabled in all Ubuntu-based pools if feature flag 'EnforceUbuntu2004DisaStig' is set")
}
}
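Review bot: The two new checks disagree on when an Ubuntu profile falls under the rule: the master branch requires `m.Distro != "" && m.IsUbuntu()`, while the agent-pool branch only requires `agentPoolProfile.IsUbuntu()`, so a masterProfile that leaves distro unset (and presumably receives the default Ubuntu distro later) is not required to enable auditd, whereas an agent pool with the same unset distro is. Unless an empty master distro deliberately means "not Ubuntu" here, drop the `m.Distro != ""` clause so both branches apply the same test. The master branch also reuses the message "AuditD should be enabled in all Ubuntu-based pools …", which sends the user to the agent pools; `errors.New("AuditD should be enabled for the master profile if feature flag 'EnforceUbuntu2004DisaStig' is set")` names the right field. Both enclosing functions begin outside the hunk.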
if to.Bool(agentPoolProfile.EnableVMSSNodePublicIP) {


@ -4451,6 +4451,24 @@ func TestAgentPoolProfile_ValidateAuditDEnabled(t *testing.T) {
}
}
})
t.Run("Should enabled auditd for Ubuntu distro if DISA STIG enforced", func(t *testing.T) {
t.Parallel()
for _, distro := range DistroValues {
cs := getK8sDefaultContainerService(false)
agentPoolProfiles := cs.Properties.AgentPoolProfiles
agentPoolProfiles[0].Distro = distro
agentPoolProfiles[0].AuditDEnabled = to.BoolPtr(false)
cs.Properties.FeatureFlags = &FeatureFlags{EnforceUbuntu2004DisaStig: true}
switch distro {
case Ubuntu, Ubuntu1804, Ubuntu1804Gen2, AKSUbuntu1604, AKSUbuntu1804, ACC1604:
expectedMsg := "AuditD should be enabled in all Ubuntu-based pools if feature flag 'EnforceUbuntu2004DisaStig' is set"
if err := cs.Properties.validateAgentPoolProfiles(false); err == nil || err.Error() != expectedMsg {
t.Errorf("expected error with message : %s, but got %s", expectedMsg, err.Error())
}
}
}
})
}
func TestMasterProfile_ValidateAuditDEnabled(t *testing.T) {
@ -4474,6 +4492,24 @@ func TestMasterProfile_ValidateAuditDEnabled(t *testing.T) {
}
}
})
t.Run("Should enabled auditd for Ubuntu distro if DISA STIG enforced", func(t *testing.T) {
t.Parallel()
for _, distro := range DistroValues {
cs := getK8sDefaultContainerService(false)
masterProfile := cs.Properties.MasterProfile
masterProfile.Distro = distro
masterProfile.AuditDEnabled = to.BoolPtr(false)
cs.Properties.FeatureFlags = &FeatureFlags{EnforceUbuntu2004DisaStig: true}
switch distro {
case Ubuntu, Ubuntu1804, Ubuntu1804Gen2, AKSUbuntu1604, AKSUbuntu1804, ACC1604:
expectedMsg := "AuditD should be enabled in all Ubuntu-based pools if feature flag 'EnforceUbuntu2004DisaStig' is set"
if err := cs.Properties.validateMasterProfile(false); err == nil || err.Error() != expectedMsg {
t.Errorf("expected error with message : %s, but got %s", expectedMsg, err.Error())
}
}
}
})
}
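Review bot: In both new subtests the failure branch calls `err.Error()` unconditionally, yet the condition also fires when `err == nil`, so a missing error surfaces as a nil-pointer panic inside t.Errorf instead of a readable test failure; the same line appears in the TestMasterProfile_ValidateAuditDEnabled subtest below. Change both to `t.Errorf("expected error with message : %s, but got %v", expectedMsg, err)` so a nil error prints as `<nil>`. The switch also only asserts for the listed Ubuntu distros and silently skips every other value of DistroValues; a `default:` arm asserting that validation returns no error would pin the other half of the behaviour. The subtest names read "Should enabled auditd"; "Should require auditd for Ubuntu distro if DISA STIG enforced" states the expectation.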
func TestValidateCustomCloudProfile(t *testing.T) {


@ -121,6 +121,7 @@ const (
cseHelpersScriptFilepath = "/opt/azure/containers/provision_source.sh"
cseInstallScriptFilepath = "/opt/azure/containers/provision_installs.sh"
cseConfigScriptFilepath = "/opt/azure/containers/provision_configs.sh"
cseUbuntu2004StigScriptFilepath = "/opt/azure/containers/provision_stig_ubuntu2004.sh"
customSearchDomainsCSEScriptFilepath = "/opt/azure/containers/setup-custom-search-domains.sh"
dhcpV6ServiceCSEScriptFilepath = "/etc/systemd/system/dhcpv6.service"
dhcpV6ConfigCSEScriptFilepath = "/opt/azure/containers/enable-dhcpv6.sh"


@ -724,6 +724,9 @@ version = 2
"GetCSEConfigScriptFilepath": func() string {
return cseConfigScriptFilepath
},
"GetUbuntu2004DisaStigScriptFilepath": func() string {
return cseUbuntu2004StigScriptFilepath
},
"GetCustomSearchDomainsCSEScriptFilepath": func() string {
return customSearchDomainsCSEScriptFilepath
},
@ -748,6 +751,9 @@ version = 2
"HasTelemetryEnabled": func() bool {
return cs.Properties.FeatureFlags != nil && cs.Properties.FeatureFlags.EnableTelemetry
},
"ShouldEnforceUbuntu2004DisaStig": func() bool {
return cs.Properties.FeatureFlags.IsFeatureEnabled("EnforceUbuntu2004DisaStig")
},
"HasBlockOutboundInternet": func() bool {
return cs.Properties.FeatureFlags != nil && cs.Properties.FeatureFlags.BlockOutboundInternet
},
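Review bot: `ShouldEnforceUbuntu2004DisaStig` calls `cs.Properties.FeatureFlags.IsFeatureEnabled("EnforceUbuntu2004DisaStig")` without the `cs.Properties.FeatureFlags != nil` guard that the neighbouring HasTelemetryEnabled and HasBlockOutboundInternet closures use; unless IsFeatureEnabled tolerates a nil receiver (its opening lines are outside this commit's hunks, and the switch body shown elsewhere in the commit reads `f.EnforceUbuntu2004DisaStig` directly), rendering a template for an API model with no featureFlags block will panic. Either mirror the neighbours with `return cs.Properties.FeatureFlags != nil && cs.Properties.FeatureFlags.EnforceUbuntu2004DisaStig`, or add the nil check at the top of IsFeatureEnabled. The two new TestTemplateGenerator_FunctionMap cases both install a non-nil FeatureFlags, so a nil-flags case would be worth adding there.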


@ -1283,6 +1283,11 @@ func TestGetContainerServiceFuncMap(t *testing.T) {
if ret[0].Interface() != cseConfigScriptFilepath {
t.Errorf("expected funcMap invocation of GetCSEConfigScriptFilepath to return %s, instead got %s", cseConfigScriptFilepath, ret[0].Interface())
}
v = reflect.ValueOf(funcMap["GetUbuntu2004DisaStigScriptFilepath"])
ret = v.Call(make([]reflect.Value, 0))
if ret[0].Interface() != cseUbuntu2004StigScriptFilepath {
t.Errorf("expected funcMap invocation of GetUbuntu2004DisaStigScriptFilepath to return %s, instead got %s", cseUbuntu2004StigScriptFilepath, ret[0].Interface())
}
v = reflect.ValueOf(funcMap["GetCustomSearchDomainsCSEScriptFilepath"])
ret = v.Call(make([]reflect.Value, 0))
if ret[0].Interface() != customSearchDomainsCSEScriptFilepath {
@ -1532,6 +1537,26 @@ func TestTemplateGenerator_FunctionMap(t *testing.T) {
},
ExpectedResult: true,
},
{
Name: "ShouldEnforceUbuntu2004DisaStigDisabled",
FuncName: "ShouldEnforceUbuntu2004DisaStig",
MutateFunc: func(cs api.ContainerService) api.ContainerService {
cs.Properties.FeatureFlags = &api.FeatureFlags{}
return cs
},
ExpectedResult: false,
},
{
Name: "ShouldEnforceUbuntu2004DisaStigEnabled",
FuncName: "ShouldEnforceUbuntu2004DisaStig",
MutateFunc: func(cs api.ContainerService) api.ContainerService {
cs.Properties.FeatureFlags = &api.FeatureFlags{
EnforceUbuntu2004DisaStig: true,
}
return cs
},
ExpectedResult: true,
},
{
Name: "GetKubeProxyFeatureGatesPsh - Windows DSR",
FuncName: "GetKubeProxyFeatureGatesPsh",


@ -40,15 +40,18 @@
// ../../parts/k8s/cloud-init/artifacts/cis.sh
// ../../parts/k8s/cloud-init/artifacts/cse_config.sh
// ../../parts/k8s/cloud-init/artifacts/cse_customcloud.sh
// ../../parts/k8s/cloud-init/artifacts/cse_customcloud_cni.sh
// ../../parts/k8s/cloud-init/artifacts/cse_helpers.sh
// ../../parts/k8s/cloud-init/artifacts/cse_install.sh
// ../../parts/k8s/cloud-init/artifacts/cse_main.sh
// ../../parts/k8s/cloud-init/artifacts/cse_stig_ubuntu2004.sh
// ../../parts/k8s/cloud-init/artifacts/default-grub
// ../../parts/k8s/cloud-init/artifacts/dhcpv6.service
// ../../parts/k8s/cloud-init/artifacts/docker-monitor.service
// ../../parts/k8s/cloud-init/artifacts/docker_clear_mount_propagation_flags.conf
// ../../parts/k8s/cloud-init/artifacts/enable-dhcpv6.sh
// ../../parts/k8s/cloud-init/artifacts/etc-issue
// ../../parts/k8s/cloud-init/artifacts/etc-issue-stig.net
// ../../parts/k8s/cloud-init/artifacts/etc-issue.net
// ../../parts/k8s/cloud-init/artifacts/etcd-monitor.service
// ../../parts/k8s/cloud-init/artifacts/etcd.service
@ -15968,11 +15971,11 @@ var _k8sCloudInitArtifactsAuditdRules = []byte(`# increase kernel audit buffers
-w /etc/localtime -p wa -k time-change
# 4.1.5 Ensure events that modify user/group information are collected
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /etc/group -p wa -k usergroup_modification
-w /etc/passwd -p wa -k usergroup_modification
-w /etc/gshadow -p wa -k usergroup_modification
-w /etc/shadow -p wa -k usergroup_modification
-w /etc/security/opasswd -p wa -k usergroup_modification
# 4.1.6 Ensure events that modify the system's network environment are collected
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
@ -15992,64 +15995,78 @@ var _k8sCloudInitArtifactsAuditdRules = []byte(`# increase kernel audit buffers
-w /var/log/tallylog -p wa -k logins
# 4.1.9 Ensure session initiation information is collected
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/run/utmp -p wa -k logins
-w /var/log/wtmp -p wa -k logins
-w /var/log/btmp -p wa -k logins
-w /var/run/wtmp -p wa -k logins
# 4.1.10 Ensure discretionary access control permission modification events are collected
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
# 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access
# 4.1.12 Ensure use of privileged commands is collected
-a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/lib/eject/dmcrypt-get-device -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/expiry -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chfn
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/screen -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd
-a always,exit -F path=/usr/bin/mlocate -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd
-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/bsd-write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam_timestamp_check
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod
-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/ntfs-3g -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/ping6 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/ping -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/fusermount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/sbin/pam_extrausers_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/mount.nfs -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update
# 4.1.13 Ensure successful file system mounts are collected
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
# 4.1.14 Ensure file deletion events by users are collected
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete
# 4.1.15 Ensure changes to system administration scope (sudoers) is collected
-w /etc/sudoers -p wa -k scope
@ -16059,11 +16076,26 @@ var _k8sCloudInitArtifactsAuditdRules = []byte(`# increase kernel audit buffers
-w /var/log/sudo.log -p wa -k actions
# 4.1.17 Ensure kernel module loading and unloading is collected
-w /bin/kmod -p x -k modules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng
-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng
-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=4294967295 -k module_chng
-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=4294967295 -k module_chng
# Prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions.
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv
# Generate audit records when successful/unsuccessful attempts to use the fdisk command.
-w /sbin/fdisk -p x -k fdisk
# 4.1.18 Ensure the audit configuration is immutable
-e 2
`)
@ -17057,6 +17089,101 @@ func k8sCloudInitArtifactsCse_customcloudSh() (*asset, error) {
return a, nil
}
var _k8sCloudInitArtifactsCse_customcloud_cniSh = []byte(`#!/bin/bash
configureAzureStackInterfaces() {
NETWORK_INTERFACES_FILE="/etc/kubernetes/network_interfaces.json"
AZURE_CNI_CONFIG_FILE="/etc/kubernetes/interfaces.json"
AZURESTACK_ENVIRONMENT_JSON_PATH="/etc/kubernetes/azurestackcloud.json"
SERVICE_MANAGEMENT_ENDPOINT=$(jq -r '.serviceManagementEndpoint' ${AZURESTACK_ENVIRONMENT_JSON_PATH})
ACTIVE_DIRECTORY_ENDPOINT=$(jq -r '.activeDirectoryEndpoint' ${AZURESTACK_ENVIRONMENT_JSON_PATH})
RESOURCE_MANAGER_ENDPOINT=$(jq -r '.resourceManagerEndpoint' ${AZURESTACK_ENVIRONMENT_JSON_PATH})
TOKEN_URL="${ACTIVE_DIRECTORY_ENDPOINT}${TENANT_ID}/oauth2/token"
if [[ ${IDENTITY_SYSTEM,,} == "adfs" ]]; then
TOKEN_URL="${ACTIVE_DIRECTORY_ENDPOINT}adfs/oauth2/token"
fi
set +x
TOKEN=$(curl -s --retry 5 --retry-delay 10 --max-time 60 -f -X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-d "client_id=$SERVICE_PRINCIPAL_CLIENT_ID" \
--data-urlencode "client_secret=$SERVICE_PRINCIPAL_CLIENT_SECRET" \
--data-urlencode "resource=$SERVICE_MANAGEMENT_ENDPOINT" \
${TOKEN_URL} | jq '.access_token' | xargs)
if [[ -z $TOKEN ]]; then
echo "Error generating token for Azure Resource Manager"
exit 120
fi
curl -s --retry 5 --retry-delay 10 --max-time 60 -f -X GET \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
"${RESOURCE_MANAGER_ENDPOINT}subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Network/networkInterfaces?api-version=$NETWORK_API_VERSION" >${NETWORK_INTERFACES_FILE}
if [[ ! -s ${NETWORK_INTERFACES_FILE} ]]; then
echo "Error fetching network interface configuration for node"
exit 121
fi
echo "Generating Azure CNI interface file"
mapfile -t local_interfaces < <(cat /sys/class/net/*/address | tr -d : | sed 's/.*/\U&/g')
SDN_INTERFACES=$(jq ".value | map(select(.properties != null) | select(.properties.macAddress != null) | select(.properties.macAddress | inside(\"${local_interfaces[*]}\"))) | map(select((.properties.ipConfigurations | length) > 0))" ${NETWORK_INTERFACES_FILE})
if [[ -z $SDN_INTERFACES ]]; then
echo "Error extracting the SDN interfaces from the network interfaces file"
exit 123
fi
AZURE_CNI_CONFIG=$(echo ${SDN_INTERFACES} | jq "{Interfaces: [.[] | {MacAddress: .properties.macAddress, IsPrimary: .properties.primary, IPSubnets: [{Prefix: .properties.ipConfigurations[0].properties.subnet.id, IPAddresses: .properties.ipConfigurations | [.[] | {Address: .properties.privateIPAddress, IsPrimary: .properties.primary}]}]}]}")
mapfile -t SUBNET_IDS < <(echo ${SDN_INTERFACES} | jq '[.[].properties.ipConfigurations[0].properties.subnet.id] | unique | .[]' -r)
for SUBNET_ID in "${SUBNET_IDS[@]}"; do
SUBNET_PREFIX=$(curl -s --retry 5 --retry-delay 10 --max-time 60 -f -X GET \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
"${RESOURCE_MANAGER_ENDPOINT}${SUBNET_ID:1}?api-version=$NETWORK_API_VERSION" |
jq '.properties.addressPrefix' -r)
if [[ -z $SUBNET_PREFIX ]]; then
echo "Error fetching the subnet address prefix for a subnet ID"
exit 122
fi
# shellcheck disable=SC2001
AZURE_CNI_CONFIG=$(echo ${AZURE_CNI_CONFIG} | sed "s|$SUBNET_ID|$SUBNET_PREFIX|g")
done
echo ${AZURE_CNI_CONFIG} >${AZURE_CNI_CONFIG_FILE}
chmod 0444 ${AZURE_CNI_CONFIG_FILE}
set -x
}
#EOF
`)
func k8sCloudInitArtifactsCse_customcloud_cniShBytes() ([]byte, error) {
return _k8sCloudInitArtifactsCse_customcloud_cniSh, nil
}
func k8sCloudInitArtifactsCse_customcloud_cniSh() (*asset, error) {
bytes, err := k8sCloudInitArtifactsCse_customcloud_cniShBytes()
if err != nil {
return nil, err
}
info := bindataFileInfo{name: "k8s/cloud-init/artifacts/cse_customcloud_cni.sh", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
var _k8sCloudInitArtifactsCse_helpersSh = []byte(`#!/bin/bash
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
@ -17401,6 +17528,8 @@ installDeps() {
packages+=" cgroup-lite ceph-common glusterfs-client"
disableTimeSyncd
packages+=" ntp ntpstat chrony"
{{/* STIG SV-238200r653775_rule, SV-238231r653868_rule, SV-238230r653865_rule */}}
packages+=" vlock opensc-pkcs11 libpam-pkcs11"
elif [[ $OS == $DEBIAN_OS_NAME ]]; then
packages+=" gpg cgroup-bin"
fi
@ -17911,6 +18040,10 @@ apt_get_update && unattended_upgrade
{{- end}}
{{- end}}
{{- if ShouldEnforceUbuntu2004DisaStig}}
{{GetUbuntu2004DisaStigScriptFilepath}}
{{- end}}
if [ -f /var/run/reboot-required ]; then
trace_info "RebootRequired" "reboot=true"
/bin/bash -c "shutdown -r 1 &"
@ -17955,6 +18088,108 @@ func k8sCloudInitArtifactsCse_mainSh() (*asset, error) {
return a, nil
}
var _k8sCloudInitArtifactsCse_stig_ubuntu2004Sh = []byte(`#!/bin/bash
setLoginDefs() {
local f=/etc/login.defs
sed -i '/^PASS_MAX_DAYS/d' ${f} || exit 115
sed -i '$aPASS_MAX_DAYS 60' ${f} || exit 115
sed -i '/^PASS_MIN_DAYS/d' ${f} || exit 115
sed -i '$aPASS_MIN_DAYS 1' ${f} || exit 115
sed -i '/^UMASK/d' ${f} || exit 115
sed -i '$aUMASK 077' ${f} || exit 115
}
setPwqualityConf() {
local f=/etc/security/pwquality.conf
sed -i '/^difok/d' ${f} || exit 115
sed -i '$adifok=8' ${f} || exit 115
sed -i '/^dictcheck/d' ${f} || exit 115
sed -i '$adictcheck=1' ${f} || exit 115
sed -i '/^minlen/d' ${f} || exit 115
sed -i '$aminlen=15' ${f} || exit 115
sed -i '/^lcredit/d' ${f} || exit 115
sed -i '$alcredit=-1' ${f} || exit 115
}
setTerminalTimeout() {
local f=/etc/profile.d/99-terminal_tmout.sh
{{/* STIG SV-238207r653796_rule */}}
if [[ -f ${f} ]]; then
sed -i '/^TMOUT/d' ${f} || exit 115
sed -i '$aTMOUT=600' ${f} || exit 115
else
echo "TMOUT=600" > ${f}
truncate -s -1 ${f}
fi
}
setSSHDConfig() {
local f=/etc/ssh/sshd_config
{{/* STIG SV-238212r653811_rule */}}
sed -i '/^ClientAliveCountMax/d' ${f} || exit 115
sed -i '$aClientAliveCountMax 1' ${f} || exit 115
{{/* STIG SV-238216r654316_rule */}}
sed -i '/^MACs/d' ${f} || exit 115
sed -i '$aMACs hmac-sha2-512,hmac-sha2-256' ${f} || exit 115
{{/* STIG SV-238217r653826_rule */}}
sed -i '/^Ciphers/d' ${f} || exit 115
sed -i '$aCiphers aes256-ctr,aes192-ctr,aes128-ctr' ${f} || exit 115
{{/* STIG SV-238220r653835_rule */}}
sed -i '/^X11UseLocalhost/d' ${f} || exit 115
sed -i '$aX11UseLocalhost yes' ${f} || exit 115
{{/* STIG SV-238214r653817_rule */}}
if [[ -f /etc/issue-stig.net ]]; then
sed -i '/^Banner/d' ${f} || exit 115
sed -i '$aBanner /etc/issue-stig.net' ${f} || exit 115
fi
}
setAuditd() {
local f=/etc/audit/auditd.conf
{{/* STIG SV-238244r653907_rule */}}
sed -i '/^disk_full_action/d' ${f} || exit 115
sed -i '$adisk_full_action = HALT' ${f} || exit 115
}
setLimitsConf() {
local f=/etc/security/limits.conf
{{/* STIG SV-238323r654144_rule */}}
sed -i '1s|^|* hard maxlogins 10\n|' ${f}
}
setAPTConfig() {
local f=/etc/apt/apt.conf.d/01-vendor-ubuntu
{{/* STIG SV-219155r610963_rule */}}
sed -i '/^APT::Get::AllowUnauthenticated/d' ${f} || exit 115
sed -i '$aAPT::Get::AllowUnauthenticated "false";' ${f} || exit 115
local g=/etc/apt/apt.conf.d/50unattended-upgrades
{{/* STIG SV-219156r610963_rule */}}
sed -i '/^Unattended-Upgrade::Remove-Unused-Dependencies/d' ${g} || exit 115
sed -i '$aUnattended-Upgrade::Remove-Unused-Dependencies "true";' ${g} || exit 115
{{/* STIG SV-219156r610963_rule */}}
sed -i '/^Unattended-Upgrade::Remove-Unused-Kernel-Packages/d' ${g} || exit 115
sed -i '$aUnattended-Upgrade::Remove-Unused-Kernel-Packages "true";' ${g} || exit 115
}
setLoginDefs
setPwqualityConf
setTerminalTimeout
setSSHDConfig
setAuditd
setLimitsConf
setAPTConfig
#EOF
`)
func k8sCloudInitArtifactsCse_stig_ubuntu2004ShBytes() ([]byte, error) {
return _k8sCloudInitArtifactsCse_stig_ubuntu2004Sh, nil
}
func k8sCloudInitArtifactsCse_stig_ubuntu2004Sh() (*asset, error) {
bytes, err := k8sCloudInitArtifactsCse_stig_ubuntu2004ShBytes()
if err != nil {
return nil, err
}
info := bindataFileInfo{name: "k8s/cloud-init/artifacts/cse_stig_ubuntu2004.sh", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
var _k8sCloudInitArtifactsDefaultGrub = []byte(`# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
@ -18121,6 +18356,36 @@ func k8sCloudInitArtifactsEtcIssue() (*asset, error) {
return a, nil
}
var _k8sCloudInitArtifactsEtcIssueStigNet = []byte(`You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
`)
func k8sCloudInitArtifactsEtcIssueStigNetBytes() ([]byte, error) {
return _k8sCloudInitArtifactsEtcIssueStigNet, nil
}
func k8sCloudInitArtifactsEtcIssueStigNet() (*asset, error) {
bytes, err := k8sCloudInitArtifactsEtcIssueStigNetBytes()
if err != nil {
return nil, err
}
info := bindataFileInfo{name: "k8s/cloud-init/artifacts/etc-issue-stig.net", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
var _k8sCloudInitArtifactsEtcIssueNet = []byte(`
Authorized uses only. All activity may be monitored and reported.
`)
@ -19507,14 +19772,6 @@ write_files:
{{CloudInitData "provisionCIS"}}
{{end}}
{{- if .MasterProfile.IsAuditDEnabled}}
- path: /etc/audit/rules.d/CIS.rules
permissions: "0744"
encoding: gzip
owner: root
content: !!binary |
{{CloudInitData "auditdRules"}}
{{end}}
{{- if not .MasterProfile.IsUbuntu1604}}
{{- if not .MasterProfile.IsVHDDistro}}
@ -20126,15 +20383,6 @@ write_files:
{{CloudInitData "provisionCIS"}}
{{end}}
{{- if .IsAuditDEnabled}}
- path: /etc/audit/rules.d/CIS.rules
permissions: "0744"
encoding: gzip
owner: root
content: !!binary |
{{CloudInitData "auditdRules"}}
{{end}}
{{- if not .IsUbuntu1604}}
{{- if not .IsVHDDistro}}
- path: /var/run/reboot-required
@ -24649,15 +24897,18 @@ var _bindata = map[string]func() (*asset, error){
"k8s/cloud-init/artifacts/cis.sh": k8sCloudInitArtifactsCisSh,
"k8s/cloud-init/artifacts/cse_config.sh": k8sCloudInitArtifactsCse_configSh,
"k8s/cloud-init/artifacts/cse_customcloud.sh": k8sCloudInitArtifactsCse_customcloudSh,
"k8s/cloud-init/artifacts/cse_customcloud_cni.sh": k8sCloudInitArtifactsCse_customcloud_cniSh,
"k8s/cloud-init/artifacts/cse_helpers.sh": k8sCloudInitArtifactsCse_helpersSh,
"k8s/cloud-init/artifacts/cse_install.sh": k8sCloudInitArtifactsCse_installSh,
"k8s/cloud-init/artifacts/cse_main.sh": k8sCloudInitArtifactsCse_mainSh,
"k8s/cloud-init/artifacts/cse_stig_ubuntu2004.sh": k8sCloudInitArtifactsCse_stig_ubuntu2004Sh,
"k8s/cloud-init/artifacts/default-grub": k8sCloudInitArtifactsDefaultGrub,
"k8s/cloud-init/artifacts/dhcpv6.service": k8sCloudInitArtifactsDhcpv6Service,
"k8s/cloud-init/artifacts/docker-monitor.service": k8sCloudInitArtifactsDockerMonitorService,
"k8s/cloud-init/artifacts/docker_clear_mount_propagation_flags.conf": k8sCloudInitArtifactsDocker_clear_mount_propagation_flagsConf,
"k8s/cloud-init/artifacts/enable-dhcpv6.sh": k8sCloudInitArtifactsEnableDhcpv6Sh,
"k8s/cloud-init/artifacts/etc-issue": k8sCloudInitArtifactsEtcIssue,
"k8s/cloud-init/artifacts/etc-issue-stig.net": k8sCloudInitArtifactsEtcIssueStigNet,
"k8s/cloud-init/artifacts/etc-issue.net": k8sCloudInitArtifactsEtcIssueNet,
"k8s/cloud-init/artifacts/etcd-monitor.service": k8sCloudInitArtifactsEtcdMonitorService,
"k8s/cloud-init/artifacts/etcd.service": k8sCloudInitArtifactsEtcdService,
@ -24800,15 +25051,18 @@ var _bintree = &bintree{nil, map[string]*bintree{
"cis.sh": {k8sCloudInitArtifactsCisSh, map[string]*bintree{}},
"cse_config.sh": {k8sCloudInitArtifactsCse_configSh, map[string]*bintree{}},
"cse_customcloud.sh": {k8sCloudInitArtifactsCse_customcloudSh, map[string]*bintree{}},
"cse_customcloud_cni.sh": {k8sCloudInitArtifactsCse_customcloud_cniSh, map[string]*bintree{}},
"cse_helpers.sh": {k8sCloudInitArtifactsCse_helpersSh, map[string]*bintree{}},
"cse_install.sh": {k8sCloudInitArtifactsCse_installSh, map[string]*bintree{}},
"cse_main.sh": {k8sCloudInitArtifactsCse_mainSh, map[string]*bintree{}},
"cse_stig_ubuntu2004.sh": {k8sCloudInitArtifactsCse_stig_ubuntu2004Sh, map[string]*bintree{}},
"default-grub": {k8sCloudInitArtifactsDefaultGrub, map[string]*bintree{}},
"dhcpv6.service": {k8sCloudInitArtifactsDhcpv6Service, map[string]*bintree{}},
"docker-monitor.service": {k8sCloudInitArtifactsDockerMonitorService, map[string]*bintree{}},
"docker_clear_mount_propagation_flags.conf": {k8sCloudInitArtifactsDocker_clear_mount_propagation_flagsConf, map[string]*bintree{}},
"enable-dhcpv6.sh": {k8sCloudInitArtifactsEnableDhcpv6Sh, map[string]*bintree{}},
"etc-issue": {k8sCloudInitArtifactsEtcIssue, map[string]*bintree{}},
"etc-issue-stig.net": {k8sCloudInitArtifactsEtcIssueStigNet, map[string]*bintree{}},
"etc-issue.net": {k8sCloudInitArtifactsEtcIssueNet, map[string]*bintree{}},
"etcd-monitor.service": {k8sCloudInitArtifactsEtcdMonitorService, map[string]*bintree{}},
"etcd.service": {k8sCloudInitArtifactsEtcdService, map[string]*bintree{}},
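Review bot: In the embedded cse_stig_ubuntu2004.sh, setSSHDConfig rewrites /etc/ssh/sshd_config with delete-then-append `sed` calls but never validates the result, so a value the installed OpenSSH rejects only surfaces when sshd next restarts, which on a remote node means losing administrative access; add `sshd -t || exit 115` as the last statement of setSSHDConfig. Note also that `$a` appends after any `Match` block the file may contain, where a directive applies only to that block, so if the shipped sshd_config has Match blocks the lines should be inserted before the first one instead. setLimitsConf's `sed -i '1s|^|* hard maxlogins 10\n|' ${f}` lacks the `|| exit 115` every sibling uses and prepends a fresh line on every run, so a CSE re-run duplicates it; guard it with `grep -q '^\* hard maxlogins 10$' ${f} || sed -i '1s|^|* hard maxlogins 10\n|' ${f} || exit 115`. In the auditd rules hunk, `-w /var/run/wtmp -p wa -k logins` appears to be a stray copy of the `/var/log/wtmp` watch two lines above (the path the STIG names for wtmp); confirm it is intended or drop it. This file is go-bindata output, so the fixes belong in parts/k8s/cloud-init/artifacts/cse_stig_ubuntu2004.sh and the auditd rules artifact, followed by a regeneration.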


@ -548,6 +548,32 @@ var _ = Describe("Azure Container Cluster using the Kubernetes Orchestrator", fu
}
})
It("should validate DISA Ubuntu 20.04 STIG", func() {
if cfg.BlockSSHPort {
Skip("SSH port is blocked")
} else if eng.ExpandedDefinition.Properties.FeatureFlags.EnforceUbuntu2004DisaStig {
nodes, err := node.GetReadyWithRetry(1*time.Second, cfg.Timeout)
Expect(err).NotTo(HaveOccurred())
STIGFilesValidateScript := "stig-validate.sh"
err = sshConn.CopyTo(STIGFilesValidateScript)
Expect(err).NotTo(HaveOccurred())
STIGValidationCommand := fmt.Sprintf("/tmp/%s", STIGFilesValidateScript)
err = sshConn.Execute(STIGValidationCommand, false)
Expect(err).NotTo(HaveOccurred())
for _, n := range nodes {
if n.IsUbuntu() {
err := sshConn.CopyToRemoteWithRetry(n.Metadata.Name, "/tmp/"+STIGFilesValidateScript, sleepBetweenRetriesRemoteSSHCommand, cfg.Timeout)
Expect(err).NotTo(HaveOccurred())
err = sshConn.ExecuteRemoteWithRetry(n.Metadata.Name, STIGValidationCommand, false, sleepBetweenRetriesRemoteSSHCommand, cfg.Timeout)
Expect(err).NotTo(HaveOccurred())
fmt.Println(err)
}
}
} else {
Skip("Skip as feature flag EnforceUbuntu2004DisaStig is not set")
}
})
It("should validate kernel module configuration", func() {
if cfg.BlockSSHPort {
Skip("SSH port is blocked")
@ -605,6 +631,8 @@ var _ = Describe("Azure Container Cluster using the Kubernetes Orchestrator", fu
It("should validate that every linux node has the right sshd config", func() {
if cfg.BlockSSHPort {
Skip("SSH port is blocked")
} else if eng.ExpandedDefinition.Properties.FeatureFlags.EnforceUbuntu2004DisaStig {
Skip("Skip as feature flag EnforceUbuntu2004DisaStig is set")
} else if !eng.ExpandedDefinition.Properties.HasNonRegularPriorityScaleset() {
if eng.ExpandedDefinition.Properties.IsVHDDistroForAllNodes() {
nodes, err := node.GetReadyWithRetry(1*time.Second, cfg.Timeout)
@ -632,6 +660,7 @@ var _ = Describe("Azure Container Cluster using the Kubernetes Orchestrator", fu
})
It("should validate password enforcement configuration", func() {
args := fmt.Sprintf("STIG=%t", eng.ExpandedDefinition.Properties.FeatureFlags.EnforceUbuntu2004DisaStig)
if cfg.BlockSSHPort {
Skip("SSH port is blocked")
} else if !eng.ExpandedDefinition.Properties.HasNonRegularPriorityScaleset() {
@ -641,7 +670,7 @@ var _ = Describe("Azure Container Cluster using the Kubernetes Orchestrator", fu
pwQualityValidateScript := "pwquality-validate.sh"
err = sshConn.CopyTo(pwQualityValidateScript)
Expect(err).NotTo(HaveOccurred())
pwQualityValidationCommand := fmt.Sprintf("\"/tmp/%s\"", pwQualityValidateScript)
pwQualityValidationCommand := fmt.Sprintf("%s /tmp/%s", args, pwQualityValidateScript)
err = sshConn.Execute(pwQualityValidationCommand, false)
Expect(err).NotTo(HaveOccurred())
for _, n := range nodes {
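Review bot: `fmt.Println(err)` in the new "should validate DISA Ubuntu 20.04 STIG" spec runs immediately after `Expect(err).NotTo(HaveOccurred())`, so it can only ever print `<nil>`; it reads as leftover debugging and should be removed. The same spec reads `eng.ExpandedDefinition.Properties.FeatureFlags.EnforceUbuntu2004DisaStig` with no nil check, as does the new `args :=` line in the password-enforcement spec; that is fine only if ExpandedDefinition always populates FeatureFlags, which is not visible here — otherwise guard with `FeatureFlags != nil &&` or go through the `IsFeatureEnabled` helper. Since the sshd-config spec is now skipped whenever the STIG flag is set, stig-validate.sh becomes the only sshd coverage in STIG mode; a comment at that Skip saying so, e.g. `// sshd_config is covered by stig-validate.sh when the STIG flag is set`, would stop a later reader from treating the skip as a gap.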


@ -3,7 +3,11 @@
set -x
# an invalid password should fail
echo "tooshort1@" | sudo pwscore && exit 1
if [[ ${STIG} == true ]]; then
echo "tooshort12@" | sudo pwscore && exit 1
else
echo "tooshort1@" | sudo pwscore && exit 1
fi
echo "password123456@J" | sudo pwscore && exit 1
echo "passSDWword@@@@J" | sudo pwscore && exit 1
echo "passSDWword1111J" | sudo pwscore && exit 1
@ -14,6 +18,12 @@ echo "UPPERRR12CASE@" | sudo pwscore && exit 1
echo "passSDWword1232rdw#@" | sudo pwscore || exit 1
# validate password age settings
grep 'PASS_MAX_DAYS 90' /etc/login.defs || exit 1
grep 'PASS_MIN_DAYS 7' /etc/login.defs || exit 1
if [[ ${STIG} == true ]]; then
grep -E '^PASS_MAX_DAYS 60$' /etc/login.defs || exit 1
grep -E '^PASS_MIN_DAYS 1$' /etc/login.defs || exit 1
grep -E '^UMASK 077$' /etc/login.defs || exit 1
else
grep 'PASS_MAX_DAYS 90' /etc/login.defs || exit 1
grep 'PASS_MIN_DAYS 7' /etc/login.defs || exit 1
fi
grep 'INACTIVE=30' /etc/default/useradd || exit 1
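Review bot: The STIG branch's negative case `echo "tooshort12@" | sudo pwscore && exit 1` is rejected for its length and possibly other rules at once, so it does not demonstrate that minlen=15 specifically is in effect; an 11-character password would also fail under the non-STIG configuration. A 14-character candidate that satisfies the other configured checks, for example the constructed value `echo "Xq7#mZp2!rLw9k" | sudo pwscore && exit 1`, would pin the length rule on its own. The positive case shared by both branches is long enough for either profile, so it needs no change.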


@ -0,0 +1,51 @@
#!/bin/bash
sudo grep "* hard maxlogins 10" /etc/security/limits.conf || exit 1
sudo grep "disk_full_action = HALT" /etc/audit/auditd.conf || exit 1
sudo grep "TMOUT=600" /etc/profile.d/99-terminal_tmout.sh || exit 1
sudo grep "difok=8" /etc/security/pwquality.conf || exit 1
sudo grep "dictcheck=1" /etc/security/pwquality.conf || exit 1
sudo grep "minlen=15" /etc/security/pwquality.conf || exit 1
sudo grep "lcredit=-1" /etc/security/pwquality.conf || exit 1
sudo grep 'APT::Get::AllowUnauthenticated "false"' /etc/apt/apt.conf.d/01-vendor-ubuntu || exit 1
sudo grep 'Unattended-Upgrade::Remove-Unused-Dependencies "true"' /etc/apt/apt.conf.d/50unattended-upgrades || exit 1
sudo grep 'Unattended-Upgrade::Remove-Unused-Kernel-Packages "true"' /etc/apt/apt.conf.d/50unattended-upgrades || exit 1
set -x
CONFIGS=("ClientAliveInterval 120"
"ClientAliveCountMax 1"
"MACs hmac-sha2-512,hmac-sha2-256"
"KexAlgorithms curve25519-sha256@libssh.org"
"Ciphers aes256-ctr,aes192-ctr,aes128-ctr"
"HostKey /etc/ssh/ssh_host_rsa_key"
"HostKey /etc/ssh/ssh_host_dsa_key"
"HostKey /etc/ssh/ssh_host_ecdsa_key"
"HostKey /etc/ssh/ssh_host_ed25519_key"
"SyslogFacility AUTH"
"LogLevel INFO"
"LoginGraceTime 60"
"PermitRootLogin no"
"PermitUserEnvironment no"
"StrictModes yes"
"PubkeyAuthentication yes"
"IgnoreRhosts yes"
"HostbasedAuthentication no"
"X11Forwarding no"
"X11UseLocalhost yes"
"MaxAuthTries 4"
"AcceptEnv LANG LC_*"
"Subsystem sftp /usr/lib/openssh/sftp-server"
"UsePAM yes"
"UseDNS no"
"Banner /etc/issue-stig.net"
"GSSAPIAuthentication no")
for ((i = 0; i < ${#CONFIGS[@]}; i++))
do
grep -i "${CONFIGS[$i]}" /etc/ssh/sshd_config || exit 1
done
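Review bot: The sshd_config loop uses an unanchored, case-insensitive `grep -i "${CONFIGS[$i]}"`, so a directive that is present only as a commented default (a stock Ubuntu sshd_config ships lines like `#PubkeyAuthentication yes`, `#LogLevel INFO`, `#StrictModes yes`) satisfies the check without being in effect. Anchoring at the start of the line, `grep -i "^${CONFIGS[$i]}" /etc/ssh/sshd_config || exit 1`, rejects commented entries while keeping the existing pattern semantics, including the `LC_*` entry. The same applies to the unanchored greps at the top of the file, e.g. `disk_full_action = HALT` and the pwquality values, which would also match commented lines. If the image's sshd_config includes `sshd_config.d/*.conf`, an earlier include can take precedence over these directives and this grep would not notice; `sshd -T` output would be the authoritative source, but I cannot tell from the hunk whether that is a concern here. The `HostKey /etc/ssh/ssh_host_dsa_key` entry is surprising given that OpenSSH no longer enables ssh-dss by default; worth confirming it matches the STIG rule it implements rather than being carried over from the Ansible defaults.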


@ -28,32 +28,46 @@ fi
ENSURE_INSTALLED="
apt-transport-https
auditd
blobfuse
ca-certificates
chrony
cifs-utils
conntrack
cracklib-runtime
dkms
dbus
ebtables
ethtool
fuse
gcc
git
htop
iftop
init-system-helpers
iotop
iproute2
ipset
iptables
jq
libpam-pkcs11
libpam-pwquality
libpwquality-tools
make
mount
net-tools
nfs-common
ntp
ntpstat
opensc-pkcs11
pigz
socat
sysstat
traceroute
util-linux
vlock
xz-utils
zip
htop
iotop
iftop
sysstat
"
for PACKAGE in ${ENSURE_INSTALLED}; do
apt list --installed | grep -E "^${PACKAGE}" || exit 1
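Review bot: The new entries are verified by the context line `grep -E "^${PACKAGE}"`, which is a prefix match, so `ntp` is satisfied by `ntpstat` alone and the presence of a short-named package is never actually proven. Since `apt list --installed` prints `name/suite,... [installed]`, matching up to the slash, `apt list --installed | grep -E "^${PACKAGE}/" || exit 1`, checks the exact package name; please confirm the output format on the image before relying on it. The loop body continues past the end of the hunk.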


@ -23,6 +23,7 @@ apt packages:
- ca-certificates
- ceph-common
- cgroup-lite
- chrony
- cifs-utils
- conntrack
- cracklib-runtime
@ -42,22 +43,24 @@ apt packages:
- ipset
- iptables
- jq
- libpam-pkcs11
- libpam-pwquality
- libpwquality-tools
- make
- mount
- net-tools
- nfs-common
- ntp
- ntpstat
- opensc-pkcs11
- pigz
- socat
- sysstat
- traceroute
- util-linux
- vlock
- xz-utils
- zip
- ntp
- ntpstat
- chrony
EOF
chmod a-x /etc/update-motd.d/??-{motd-news,release-upgrade}


@ -9,6 +9,8 @@ copyPackerFiles() {
ETC_ISSUE_CONFIG_DEST=/etc/issue
ETC_ISSUE_NET_CONFIG_SRC=/home/packer/etc-issue.net
ETC_ISSUE_NET_CONFIG_DEST=/etc/issue.net
ETC_ISSUE_STIG_NET_CONFIG_SRC=/home/packer/etc-issue-stig.net
ETC_ISSUE_STIG_NET_CONFIG_DEST=/etc/issue-stig.net
SSHD_CONFIG_SRC=/home/packer/sshd_config
SSHD_CONFIG_DEST=/etc/ssh/sshd_config
MODPROBE_CIS_SRC=/home/packer/modprobe-CIS.conf
@ -39,6 +41,10 @@ copyPackerFiles() {
NOTICE_DEST=/NOTICE.txt
PROVISION_AZURESTACK_CNI_SRC=/home/packer/provision_azurestack_cni.sh
PROVISION_AZURESTACK_CNI_DEST=/opt/azure/containers/provision_azurestack_cni.sh
UBUNTU_STIG_SRC=/home/packer/provision_stig_ubuntu2004.sh
UBUNTU_STIG_DEST=/opt/azure/containers/provision_stig_ubuntu2004.sh
AUDITD_RULES_SRC=/home/packer/auditd-rules
AUDITD_RULES_DEST=/etc/audit/rules.d/aks-engine.rules
if [[ ${UBUNTU_RELEASE} == "16.04" ]]; then
SSHD_CONFIG_SRC=/home/packer/sshd_config_1604
fi
@ -46,6 +52,7 @@ copyPackerFiles() {
cpAndMode $RSYSLOG_CONFIG_SRC $RSYSLOG_CONFIG_DEST 644
cpAndMode $ETC_ISSUE_CONFIG_SRC $ETC_ISSUE_CONFIG_DEST 644
cpAndMode $ETC_ISSUE_NET_CONFIG_SRC $ETC_ISSUE_NET_CONFIG_DEST 644
cpAndMode $ETC_ISSUE_STIG_NET_CONFIG_SRC $ETC_ISSUE_STIG_NET_CONFIG_DEST 644
cpAndMode $SSHD_CONFIG_SRC $SSHD_CONFIG_DEST 644
cpAndMode $MODPROBE_CIS_SRC $MODPROBE_CIS_DEST 644
cpAndMode $PWQUALITY_CONF_SRC $PWQUALITY_CONF_DEST 600
@ -61,6 +68,8 @@ copyPackerFiles() {
cpAndMode $COLLECT_LOGS_SRC $COLLECT_LOGS_DEST 744
cpAndMode $NOTICE_SRC $NOTICE_DEST 444
cpAndMode $PROVISION_AZURESTACK_CNI_SRC $PROVISION_AZURESTACK_CNI_DEST 744
cpAndMode $UBUNTU_STIG_SRC $UBUNTU_STIG_DEST 744
cpAndMode $AUDITD_RULES_SRC $AUDITD_RULES_DEST 744
}
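Review bot: The new `cpAndMode $AUDITD_RULES_SRC $AUDITD_RULES_DEST 744` installs `/etc/audit/rules.d/aks-engine.rules` world-readable and executable, but a rules file is data consumed by augenrules, not a script, and as I understand the STIG's audit-configuration-file permission rule it expects 0640 or stricter on files under `/etc/audit/`. Changing the last added line to `cpAndMode $AUDITD_RULES_SRC $AUDITD_RULES_DEST 640` matches the mode already used for `$PWQUALITY_CONF_DEST` in this function. The 744 on `provision_stig_ubuntu2004.sh` is consistent with the other provisioning scripts next to it. `copyPackerFiles` begins before the first hunk shown here.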
cpAndMode() {


@ -65,6 +65,11 @@
"source": "parts/k8s/cloud-init/artifacts/cse_helpers.sh",
"destination": "/home/packer/provision_source.sh"
},
{
"type": "file",
"source": "parts/k8s/cloud-init/artifacts/cse_stig_ubuntu2004.sh",
"destination": "/home/packer/provision_stig_ubuntu2004.sh"
},
{
"type": "file",
"source": "parts/k8s/cloud-init/artifacts/cis.sh",
@ -105,6 +110,11 @@
"source": "parts/k8s/cloud-init/artifacts/etc-issue.net",
"destination": "/home/packer/etc-issue.net"
},
{
"type": "file",
"source": "parts/k8s/cloud-init/artifacts/etc-issue-stig.net",
"destination": "/home/packer/etc-issue-stig.net"
},
{
"type": "file",
"source": "parts/k8s/cloud-init/artifacts/modprobe-CIS.conf",
@ -177,9 +187,14 @@
},
{
"type": "file",
"source": "scripts/cse_customcloud_cni.sh",
"source": "parts/k8s/cloud-init/artifacts/cse_customcloud_cni.sh",
"destination": "/home/packer/provision_azurestack_cni.sh"
},
{
"type": "file",
"source": "parts/k8s/cloud-init/artifacts/auditd-rules",
"destination": "/home/packer/auditd-rules"
},
{
"type": "shell",
"inline": [