CIS Benchmark via Juju

Access to the CIS hardening tool is currently provided through the UA client. The repository installed with the UA client can be mirrored for fully offline deployments; in that type of deployment, the keyserver and the key used to validate the contents of the CIS repository mirror may need to be updated if the mirror is re-signed. This process is explained in more detail in the main CIS tool’s documentation.

Hardening is applied to all machines in a model by providing cloud-init userdata as part of the model configuration. It is completed as early as possible by using the preruncmd directive: this script runs before the Juju agents and charms are installed. See the cis-harden.yaml model configuration file below as an example.
The “repository-key” in the cis-harden.conf file in this script comes from the respective section of /etc/apt/auth.conf.d/90ubuntu-advantage on an ESM-attached and CIS-enabled system.

cloudinit-userdata: |
  preruncmd:
    - apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 9332399C20CC94E700E604DC81CF06E53F2C513A
    - add-apt-repository "deb https://esm.ubuntu.com/cis/ubuntu bionic main"
    - apt install -y usg-cisbenchmark
    - cd /usr/share/ubuntu-scap-security-guides/cis-hardening; ./Canonical_Ubuntu_18.04_CIS_v1.0.0-harden.sh lvl2_server
    - "systemd-detect-virt --container && apt purge -y auditd"
  write_files:
    - owner: root:root
      path: /etc/apt/auth.conf.d/cis-harden.conf
      permissions: '0600'
      content: |
        # Credentials to allow the connection for the CIS benchmarks ESM mirror
        machine esm.ubuntu.com/cis/
        login bearer
        password <repository-key>

To apply this to the model:

juju model-config ./cis-harden.yaml

Any machines added to the model will be automatically hardened as part of the first boot process for the machine.

Using the configuration file via cloud-init
By default, CIS rules 1.4.2 and 5.2.14 have no configuration entries, so that part of the hardening does not occur and would require manual intervention. Below is an updated cis-harden.yaml, which allows us to make some modifications and pass the configuration on to the hardening script. For reference, two attributes in the configuration below differ from the defaults; as an example, with these set the script will now apply rules 1.4.2 and 5.2.14 correctly.

  1. grub_hash: this is the hash that goes into /boot/grub/grub.cfg once it has been updated via update-grub. The grub password for the config below is NBy4LiyN8iUvucs5.
  2. AllowUsers: we changed this here because the default user for Juju is ubuntu. This satisfies rule 5.2.14 while still allowing the ubuntu user to log in to any of the systems deployed by the Juju model.

Note: the following excerpt needs the relevant username and password that were used earlier in this article. The details of all the values are also listed in this article.

cloudinit-userdata: |
  preruncmd:
    - apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 9332399C20CC94E700E604DC81CF06E53F2C513A
    - add-apt-repository "deb https://esm.ubuntu.com/cis/ubuntu bionic main"
    - apt install -y usg-cisbenchmark
    - cd /usr/share/ubuntu-scap-security-guides/cis-hardening; ./Canonical_Ubuntu_18.04_CIS_v1.0.0-harden.sh -f /tmp/cis-hardening.conf lvl2_server
    - "systemd-detect-virt --container && apt purge -y auditd"
  write_files:
    - owner: root:root
      path: /etc/apt/auth.conf.d/cis-harden.conf
      permissions: '0600'
      content: |
        # Credentials to allow the connection for the CIS benchmarks ESM mirror
        machine esm.ubuntu.com/cis/
        login bearer
        password <repository-key>
    - owner: root:root
      path: /tmp/cis-hardening.conf
      permissions: '0644'
      content: |
        # Hash created by grub-mkpasswd-pbkdf2 to set grub password. If empty, grub password
        # is not set.
        # (CIS rule 1.4.2)
        grub_hash=grub.pbkdf2.sha512.10000.7FF04961010DEBBC74A64430D77FA4520642DC9DFCCFABA88A49F2DDF2FE5BC407EC42EE08E032E3785779D7C4728DE70CCED3057EDAEDA64AA742CAF40601A3.28B9DE2ACCFCDA7E042BA9D71839F2CF22FA645124251341171230AA1598456020190D0DD1CB4190CD10121B4756115ECE9BEE796F05AA693B5B70B14A2A2155
        # Grub user set for authentication
        grub_user=ubuntu

        # Time synchronization service selected (ntp or chrony - if empty, none will be installed)
        # (CIS rule 2.2.1.1-2.2.1.3)
        time_sync_svc=chrony
        time_sync_addr=pool.ntp.org

        # Audit log storage size, before log is automatically rotated
        # (CIS rule 4.1.1.1)
        max_log_file=8

        # Remote log host address (CIS rule 4.2.2.4)
        # Use the format loghost.example.com:554, to define the port
        remote_log_server=loghost.example.com

        # SSH access limitation parameters at /etc/ssh/sshd_config (CIS rule 5.2.14)
        AllowUsers=ubuntu
        AllowGroups=
        DenyUsers=
        DenyGroups=

        # PAM password quality parameters at /etc/security/pwquality.conf (CIS rule 5.3.1)
        minlen=14
        dcredit=-1
        ucredit=-1
        ocredit=-1
        lcredit=-1

        # sudo group members, aside from root (CIS rule 5.6)
        sudo_member=

        # Unowned files will be changed to this user (CIS rule 6.1.11)
        unowned_user=root
        # Ungrouped files will be changed to this user (CIS rule 6.1.12)
        unowned_group=root

        # Delete files in the home directory which violate CIS rules (CIS rules 6.2.11, 6.2.12, 6.2.14)
        delete_user_files=true

Again, once the file has been updated, you can update the juju model with the same command as before (also shown below).

juju model-config ./cis-harden.yaml

All the new machines that are deployed in this particular model will apply the grub password as well as the correct AllowUsers.
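A pre-flight check for the cis-harden.yaml built in the two sections above, added here as an example and not code from the original post or from the CIS tool: it greps the file (no YAML parser needed) and reports whether the repository-key placeholder was replaced and whether grub_hash (rule 1.4.2) and AllowUsers (rule 5.2.14) are actually filled in, the two values the article notes are empty by default. The function name and the checks themselves are assumptions of this example; run it before juju model-config.

```shell
#!/bin/sh
# Pre-flight lint for a Juju cis-harden.yaml (added example, not part of the
# original post or the CIS hardening tool).
#
# Usage: check_cis_harden_yaml ./cis-harden.yaml
# Returns 0 when every check passes; otherwise prints one line per finding
# and returns the number of failed checks.
check_cis_harden_yaml() {
    file=$1
    fails=0

    # 1. The <repository-key> placeholder in cis-harden.conf must have been
    #    replaced with the token from /etc/apt/auth.conf.d/90ubuntu-advantage,
    #    otherwise apt cannot fetch usg-cisbenchmark and nothing is hardened.
    if grep -q 'password <repository-key>' "$file"; then
        echo "FAIL: repository-key placeholder still present in cis-harden.conf"
        fails=$((fails + 1))
    fi

    # 2. grub_hash must be a grub-mkpasswd-pbkdf2 hash
    #    (grub.pbkdf2.sha512.<rounds>.<salt>.<hash>); when it is empty the
    #    hardening script leaves rule 1.4.2 unapplied.
    if ! grep -Eq '^[[:space:]]*grub_hash=grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+[[:space:]]*$' "$file"; then
        echo "FAIL: grub_hash is empty or not a grub.pbkdf2.sha512 hash (CIS 1.4.2)"
        fails=$((fails + 1))
    fi

    # 3. AllowUsers must name at least one account (Juju's default is ubuntu);
    #    an empty value means rule 5.2.14 is skipped.
    if ! grep -Eq '^[[:space:]]*AllowUsers=[^[:space:]]+' "$file"; then
        echo "FAIL: AllowUsers is empty (CIS 5.2.14); Juju needs at least 'ubuntu'"
        fails=$((fails + 1))
    fi

    return "$fails"
}
```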

apt-key will be removed some day; in the meantime, it’s a pretty poor experience. Better is to wget or curl a file containing the key and then store it into /etc/apt/trusted.gpg.d/ – or best still, store the key in a package (ubuntu-keyring would be better), and copy it into place.

Thanks