update tas jammy compliance release (#240)

tas/jammy-compliance-release/README.md

@@ -1,36 +1,28 @@
-# jammy-stig-compliance-release
+# jammy-compliance-release
  <a name="warning">:warning:  The `jammy-compliance-release` is not compatible with `auditd` job in [os-conf-release](https://github.com/cloudfoundry/os-conf-release)</a>
 
-## STIG
-The `stig` is intended to be used to change the stemcell configurations to pass Bionic STIG rules, since a Jammy STIG has not been published yet
+## CIS
+The `cis` job is intended to be used to change stemcell configutation to pass the Jammy CIS rules. Below is a list of variables that can be set in the [runtime-config](./runtime-config-cis.yml) for configurations based on your deployment compliance requirements.
+|variable| description|default|
+|--|---|--|
+|`set_password_max_days`| set `PASS_MAX_DAYS` in `/etc/login.defs`| `false`|
+|`password_max_days`|Applicable if `set_password_max_days` is set to `true`. If set, passwords will expire once they reach max days.| `30`|
+|`set_useradd_inactive`| set `INACTIVE` value for `useradd`|`false`|
+|`useradd_inactive`| Applicable if `set_useradd_inactive` is set to `true`. If set, user accounts that have been inactive for over a given period of time can be automatically disabled.| `30` |
+|`set_user_shell_timeout`| set default user shell timeout| `false`|
+|`user_shell_timeout`| Applicable if `set_useradd_inactive` is set to `true`. User shell timeout in seconds| `900`|
+|`restirct_su`| If set to `true`,  `group` key for `pam_wheel.so` statement in `/etc/pam.d/su` will be set to a group with no users. This group is intentionally empty to reinforce the use of `sudo` instead of `su` for privileged access.| `false`|
+|`make_audit_rules_immutable`| If set to `true`, this job will make audit rules immutable. Any change to auditd rules will require a reboot. Also see :warning: [warning](#warning) above. `auditd` job in `os-conf-release` also sets audit rules to be immutable. | `false`|
 
-### fixes
-| VID | Title|
-|---|---|
-| V-238309| The Ubuntu operating system must generate audit records for privileged activities, nonlocal maintenance, diagnostic sessions and other system-level access. |
-| V-238216| The Ubuntu operating system must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission. |
-| V-238217| The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission. |
-| V-255912| The Ubuntu operating system SSH server must be configured to use only FIPS-validated key exchange algorithms. |
-
-### false positives
-- V-238258
-  The audit rules exits. To verify run:
-  1. `# grep setxattr /etc/audit/audit.rules | grep fsetxattr | grep lsetxattr | grep removexattr | grep fremovexattr | grep lremovexattr`
-
-      and verify the output contains
-
-      ```
-      -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-      -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-      ``` 
-  2. `# auditctl -l  | grep setxattr | grep fsetxattr |grep lsetxattr | grep removexattr | grep fremovexattr | grep lremovexattr`
+### usage
+- `bosh cr && bosh ur`
+- Edit the release version and variables in the [runtime-config-cis](runtime-config-cis.yml)
+- `bosh urc --name cis-compliance runtime-config-cis.yml`
+- `Apply Changes`
 
-      and verify the output contains
+## STIG
+The `stig` is intended to be used to change the stemcell configurations to pass Bionic STIG rules, since a Jammy STIG has not been published yet
 
-      ```
-      -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-      -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-      ``` 
 ### usage
 - `bosh cr && bosh ur`
 - Edit the release versionin the [runtime-config-stig](runtime-config-stig.yml)

tas/jammy-compliance-release/jobs/cis/spec

@@ -0,0 +1,45 @@
+---
+name: cis
+
+templates:
+  pre-start.sh.erb: bin/pre-start
+  post-start.sh: bin/post-start
+
+packages: []
+
+properties:
+  set_password_max_days:
+    default: false
+    description: set `PASS_MAX_DAYS` in `/etc/login.defs`
+  password_max_days:
+    default: 30
+    description: |
+      Applicable if `set_password_max_days` is set to `true`
+      If set, passwords to expire once they reach max days.
+  set_useradd_inactive:
+    default: false
+    description: set `INACTIVE` value for `useradd`
+  useradd_inactive:
+    default: 30
+    description: |
+      Applicable if `set_useradd_inactive` is set to `true`
+      If set, user accounts that have been inactive for over a given period of time can be automatically disabled.
+  set_user_shell_timeout:
+    default: false
+    description: set default user shell timeout
+  user_shell_timeout:
+    default: 900
+    description: |
+      Applicable if `set_useradd_inactive` is set to `true`
+      User shell timeout in seconds
+  restirct_su:
+    default: false
+    description: |
+      If set to `true`, `group` key for `pam_wheel.so` statement in `/etc/pam.d/su` will be set to a group with no users. 
+      This group is intentionally empty to reinforce the use of `sudo` instead of `su` for privileged access.
+  make_audit_rules_immutable:
+    default: false
+    description: |
+      If set to `true`, this job will make audot rules immutable. Any change to auditd rules will require a reboot. 
+
+

tas/jammy-compliance-release/jobs/cis/templates/post-start.sh

@@ -0,0 +1,7 @@
+#!/bin/bash -e
+
+mv /etc/audit/audit.rules "/etc/audit/audit.rules.backup.$(date +%s)"
+augenrules --load
+
+service sshd restart
+service auditd restart

tas/jammy-compliance-release/jobs/cis/templates/pre-start.sh.erb

@@ -0,0 +1,150 @@
+#! /bin/bash 
+set -euo pipefail
+
+[[ -z "${DEBUG:-}" ]] || set -x
+
+# CIS 1.4.2
+chmod 0400 /boot/grub/grub.cfg
+
+# CIS 3.2.2
+if grep "^net\.ipv6\.conf\.all\.forwarding" /etc/sysctl.d/60-bosh-sysctl.conf; then
+  sed -i "s/^net\.ipv6\.conf\.all\.forwarding.*/net.ipv6.conf.all.forwarding=0/" /etc/sysctl.d/60-bosh-sysctl.conf
+else
+  echo "net.ipv6.conf.all.forwarding=0" >> /etc/sysctl.d/60-bosh-sysctl.conf
+fi
+
+# CIS 3.3.1
+if grep "^net\.ipv6\.conf\.all\.accept_source_route" /etc/sysctl.d/60-bosh-sysctl.conf; then
+  sed -i "s/^net\.ipv6\.conf\.all\.accept_source_route.*/net.ipv6.conf.all.accept_source_route=0/" /etc/sysctl.d/60-bosh-sysctl.conf
+else
+  echo "net.ipv6.conf.all.accept_source_route=0" >> /etc/sysctl.d/60-bosh-sysctl.conf
+fi
+
+# CIS 3.3.1
+if grep "^net\.ipv6\.conf\.default\.accept_source_route" /etc/sysctl.d/60-bosh-sysctl.conf; then
+  sed -i "s/^net\.ipv6\.conf\.default\.accept_source_route.*/net.ipv6.conf.default.accept_source_route=0/" /etc/sysctl.d/60-bosh-sysctl.conf
+else
+  echo "net.ipv6.conf.default.accept_source_route=0" >> /etc/sysctl.d/60-bosh-sysctl.conf
+fi
+
+# CIS 4.2.1.3
+if grep "^#Compress=yes" /etc/systemd/journald.conf; then
+  sed -i "s/#Compress.*/Compress=yes/" /etc/systemd/journald.conf
+fi
+
+# CIS 4.2.2.3
+if grep "^#ForwardToSyslog=yes" /etc/systemd/journald.conf; then
+  sed -i "s/#ForwardToSyslog.*/ForwardToSyslog=yes/" /etc/systemd/journald.conf
+fi
+
+# CIS 5.2.5
+if grep "^#LogLevel" /etc/ssh/sshd_config; then
+  sed -i "s/#LogLevel.*/LogLevel INFO/" /etc/ssh/sshd_config
+fi
+
+# CIS 5.2.16 (FIPS Algorithms)
+grep -q -- '^KexAlgorithms' /etc/ssh/sshd_config \
+  && sed -i 's/.*KexAlgorithms.*/KexAlgorithms diffie-hellman-group-exchange-sha256/' /etc/ssh/sshd_config \
+  || echo 'KexAlgorithms diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
+
+# CIS 5.2.19
+grep -q -- '^MaxStartups' /etc/ssh/sshd_config \
+  && sed -i 's/.*MaxStartups.*/MaxStartups 10:30:60/' /etc/ssh/sshd_config \
+  || echo 'MaxStartups 10:30:60' >> /etc/ssh/sshd_config
+
+# CIS 5.2.22
+grep -q '^ClientAliveInterval' /etc/ssh/sshd_config \
+  && sed -i 's/.*ClientAliveInterval.*/ClientAliveInterval 15/' /etc/ssh/sshd_config \
+  || echo 'ClientAliveInterval 15' >> /etc/ssh/sshd_config
+
+# CIS 5.2.22
+grep -q '^ClientAliveCountMax' /etc/ssh/sshd_config \
+  && sed -i 's/.*ClientAliveCountMax.*/ClientAliveCountMax 3/' /etc/ssh/sshd_config \
+  || echo 'ClientAliveCountMax 3' >> /etc/ssh/sshd_config
+
+# CIS 5.4.4
+grep -v ^# /etc/pam.d/common-password  | grep -E "(yescrypt|md5|bigcrypt|sha256|sha512|blowfish)"   \
+  && sed -i 's/\(yescrypt\|md5\|bigcrypt\|sha256\|sha512\|blowfish\)//' /etc/pam.d/common-password
+
+# CIS 5.5.1.2
+<% if p("set_password_max_days") %>
+grep -q ^PASS_MAX_DAYS /etc/login.defs \
+  && sed -i 's/.*PASS_MAX_DAYS.*/PASS_MAX_DAYS <%= p("password_max_days") %> /' /etc/login.defs
+<% end %>
+
+# CIS 5.5.1.4
+<% if p("set_useradd_inactive") %>
+useradd -D -f <%= p("useradd_inactive") %>
+<% end %>
+
+# CIS 5.5.5
+<% if p("set_user_shell_timeout") %>
+  echo "readonly TMOUT=<%= p("user_shell_timeout") %> ; export TMOUT" > /etc/profile.d/cis-timeout.sh
+<% end %>
+
+# CIS 4.1.1.2
+systemctl --now enable auditd
+
+# CIS 5.3.2
+echo "Defaults use_pty" > /etc/sudoers.d/use_pty
+
+# CIS 5.3.3
+echo "Defaults logfile=/var/log/sudo.log" > /etc/sudoers.d/log_file
+
+# CIS 5.3.7
+<% if p("restirct_su") %>
+if ! getent group sugroup; then
+  groupadd sugroup
+fi
+
+if ! grep -E "^auth required pam_wheel.so" /etc/pam.d/su | grep "group=sugroup"; then
+  sed -i "s/^auth required pam_wheel.so\(.*\)$/auth required pam_wheel.so\1 group=sugroup/" /etc/pam.d/su
+fi
+<% end %>
+
+# CIS 5.2.16
+grep -q '^AllowTcpForwarding' /etc/ssh/sshd_config \
+  && sed -i 's/.*AllowTcpForwarding.*/AllowTcpForwarding no/' /etc/ssh/sshd_config \
+  || echo 'AllowTcpForwarding no' >> /etc/ssh/sshd_config
+
+# audit rules
+
+rm -fr /etc/audit/rules.d/cis.rules && touch /etc/audit/rules.d/cis.rules
+
+# CIS 4.1.3.4
+grep -q --  "-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change" /etc/audit/rules.d/* \
+  || echo "-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change" >> /etc/audit/rules.d/cis.rules
+
+grep -q --  "-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change" /etc/audit/rules.d/* \
+  || echo "-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change" >> /etc/audit/rules.d/cis.rules
+
+# CIS 4.1.3.2
+grep -q --  "-a always,exit -F arch=b32 -S execve -C uid!=euid -F auid!=-1 -k user_emulation" /etc/audit/rules.d/* \
+  || echo "-a always,exit -F arch=b32 -S execve -C uid!=euid -F auid!=-1 -k user_emulation" >> /etc/audit/rules.d/cis.rules
+
+grep -q --  "-a always,exit -F arch=b64 -S execve -C uid!=euid -F auid!=-1 -k user_emulation" /etc/audit/rules.d/* \
+  || echo "-a always,exit -F arch=b64 -S execve -C uid!=euid -F auid!=-1 -k user_emulation" >> /etc/audit/rules.d/cis.rules
+
+# CIS 4.1.3.19
+grep -q --  "-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=500 -F auid!=unset -k kernel_modules" /etc/audit/rules.d/* \
+  || echo "-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=500 -F auid!=unset -k kernel_modules" >> /etc/audit/rules.d/cis.rules
+
+# CIS 4.1.3.17
+grep -q --  "-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=500 -F auid!=unset -k perm_chng" /etc/audit/rules.d/* \
+  || echo "-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=500 -F auid!=unset -k perm_chng" >> /etc/audit/rules.d/cis.rules
+
+# CIS 4.1.3.19
+grep -q --  "-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=500 -F auid!=unset -k kernel_modules" /etc/audit/rules.d/* \
+  || echo "-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=500 -F auid!=unset -k kernel_modules" >> /etc/audit/rules.d/cis.rules
+
+# CIS 4.1.3.3
+grep -q --  "-w /var/log/sudo.log -p wa -k sudo_log_file" /etc/audit/rules.d/* \
+  || echo "-w /var/log/sudo.log -p wa -k sudo_log_file" >> /etc/audit/rules.d/cis.rules
+
+<% if p("make_audit_rules_immutable") %>
+rm -fr /etc/audit/rules.d/99_finalize.rules
+grep   -- "^-e 2"  /etc/audit/rules.d/* \
+  || echo "-e 2" > /etc/audit/rules.d/99_finalize.rules
+<% end %>
+
+chmod 640 /etc/audit/rules.d/*.rules

tas/jammy-compliance-release/jobs/stig/templates/pre-start.sh.erb

@@ -8,13 +8,80 @@ grep -q '^-w /var/log/sudo.log -p wa' /etc/audit/rules.d/audit.rules \
   && sed -i "s@.*\/var\/log\/sudo.log.*@-w /var/log/sudo.log -p wa -k sudo_log_file@" /etc/audit/rules.d/audit.rules \
   || echo '-w /var/log/sudo.log -p wa -k sudo_log_file' >> /etc/audit/rules.d/audit.rules
 
-# V-238216
-sed -i "s@MACs.*@MACs hmac-sha2-512,hmac-sha2-256@" /etc/ssh/sshd_config 
+# V-260532
+sed -i "s/MACs.*/MACs hmac-sha2-512,hmac-sha2-[email protected],hmac-sha2-256,[email protected]/" /etc/ssh/sshd_config 
 
-# V-238217
-sed -i "s@Ciphers.*@Ciphers aes256-ctr,aes192-ctr,aes128-ctr@" /etc/ssh/sshd_config 
+# V-260531
+sed -i "s/Ciphers.*/Ciphers aes256-ctr,[email protected],aes192-ctr,aes128-ctr,[email protected]/" /etc/ssh/sshd_config 
 
-# V-255912
+# V-260533
 grep -q '^KexAlgorithms' /etc/ssh/sshd_config  \
-  && sed -i "s@^KexAlgorithms.*@KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256@" /etc/ssh/sshd_config \
-  || echo "KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" >> /etc/ssh/sshd_config
+  && sed -i "s/^KexAlgorithms.*/KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256/" /etc/ssh/sshd_config \
+  || echo "KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" >> /etc/ssh/sshd_config
+
+# V-260530
+grep -q '^X11UseLocalhost' /etc/ssh/sshd_config  \
+  && sed -i "s@^X11UseLocalhost.*@X11UseLocalhost yes@" /etc/ssh/sshd_config \
+  || echo "X11UseLocalhost yes" >> /etc/ssh/sshd_config
+
+# V-260512
+chmod 740 /usr/bin/journalctl
+
+# V-260542
+passwd -l root
+
+# V-260554
+if ! grep "TMOUT=900" /etc/profile.d/*; then
+  echo TMOUT=900 > /etc/profile.d/99-terminal_tmout.sh
+fi
+
+# V-260540
+if ! grep "^blacklist usb-storage" /etc/modprobe.d/stig.conf; then 
+  echo "blacklist usb-storage" > /etc/modprobe.d/stig.conf
+fi
+sed -i "s@install usb-storage .*@install usb-storage /bin/false@" /etc/modprobe.d/blacklist.conf
+
+# V-260476, V-260477
+cat <<EOF > /etc/apt/apt.conf.d/99_stig_hardening
+APT::Get::AllowUnauthenticated "false";
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+EOF
+
+# V-260549
+sed -i "s@[# ]*deny .*@deny = 3@;s@[# ]*unlock_time .*@unlock_time = 0@;s@[# ]*audit@audit@;s@[# ]*silent@silent@;s@[# ]*fail_interval .*@fail_interval = 900@" \
+/etc/security/faillock.conf
+
+# V-260552
+grep -qe "[# ]*\*[ ]*hard[ ]*maxlogins" /etc/security/limits.conf \
+  && sed -i "s@[# ]*\*[ ]*hard[ ]*maxlogins .*@               hard    maxlogins            10@" /etc/security/limits.conf \
+  || echo "*               hard    maxlogins            10" >> /etc/security/limits.conf
+
+# V-260547
+sed -i "s@[# ]*INACTIVE[ ]*=.*@INACTIVE=35@;" /etc/default/useradd
+
+# V-260611
+if ! auditctl -l | grep fdisk | grep -- "-w /usr/sbin/fdisk -p x -k"; then
+  echo "-w /usr/sbin/fdisk -p x -k fdisk" >> /etc/audit/rules.d/stig.rules
+fi
+
+# V-260636
+if ! auditctl -l | grep _module | grep -- "-a always,exit -F arch=b32 -S init_module,delete_module,finit_module -F key="; then
+  echo "-a always,exit -F arch=b32 -S init_module,delete_module,finit_module -F key=modules" >> /etc/audit/rules.d/stig.rules
+fi
+# V-260640
+if ! auditctl -l | grep journal | grep -- "-w /var/log/journal -p wa -k"; then
+  echo "-w /var/log/journal -p wa -k systemd_journal" >> /etc/audit/rules.d/stig.rules
+fi
+
+if [ -f /etc/audit/rules.d/stig.rules ]; then
+  chmod 640 /etc/audit/rules.d/stig.rules
+fi
+
+# V-260490
+find /run/log/journal /var/log/journal -type d ! -perm 2640 -exec chmod 2640 {} \;   2>/dev/null || true
+sed -i "s@z /var/log/journal 2755 root systemd-journal - -@z /var/log/journal 2640 root systemd-journal - -@" /usr/lib/tmpfiles.d/systemd.conf
+sed -i "s@z /var/log/journal/%m 2755 root systemd-journal - -@z /var/log/journal/%m 27640 root systemd-journal - -@" /usr/lib/tmpfiles.d/systemd.conf
+sed -i "s@z /run/log/journal 2755 root systemd-journal - -@z /run/log/journal 2640 root systemd-journal - -@" /usr/lib/tmpfiles.d/systemd.conf
+sed -i "s@Z /run/log/journal/%m ~2750 root systemd-journal - -@Z /run/log/journal/%m ~2640 root systemd-journal - -@" /usr/lib/tmpfiles.d/systemd.conf
+#sed -i "s@z /var/log/journal/%m/system.journal 0640 root systemd-journal - -@z /var/log/journal/%m/system.journal 0640 root systemd-journal - -@" /usr/lib/tmpfiles.d/systemd.conf

tas/jammy-compliance-release/runtime-config-cis.yml

@@ -0,0 +1,17 @@
+addons:
+- name: cis
+  include:
+    stemcell:
+    - os: ubuntu-jammy
+  jobs:
+  - name: cis
+    release: jammy-compliance
+    properties:
+      set_useradd_inactive: true
+      set_password_max_days: true
+      set_user_shell_timeout: true
+      restirct_su: true
+      make_audit_rules_immutable: true
+releases:
+- name: jammy-compliance
+  version: 0+dev.32

tas/jammy-compliance-release/runtime-config-stig.yml

@@ -1,5 +1,5 @@
 addons:
-- name: jammy-stig
+- name: stig
   include:
     stemcell:
     - os: ubuntu-jammy
@@ -8,4 +8,4 @@ addons:
     release: jammy-compliance
 releases:
 - name: jammy-compliance
-  version: 0+dev.17
+  version: 0+dev.28