From 5519abd4aff487409fb6a6347964298b3b0c1de7 Mon Sep 17 00:00:00 2001 From: fred-vogt-dod Date: Tue, 16 May 2023 15:06:24 -0700 Subject: [PATCH 1/4] Allow for configurable MOTD --- amazon-eks-al2.pkr.hcl | 4 ++++ scripts/cis-benchmark.sh | 37 +++++-------------------------------- variables.pkr.hcl | 15 +++++++++++++++ 3 files changed, 24 insertions(+), 32 deletions(-) diff --git a/amazon-eks-al2.pkr.hcl b/amazon-eks-al2.pkr.hcl index 0d9b4f8..a29868c 100644 --- a/amazon-eks-al2.pkr.hcl +++ b/amazon-eks-al2.pkr.hcl @@ -142,6 +142,10 @@ build { provisioner "shell" { execute_command = "echo 'packer' | {{ .Vars }} sudo -S -E bash -eux '{{ .Path }}'" + env = { + MOTD_CONTENT = var.motd_content + } + scripts = [ "scripts/cis-benchmark.sh", "scripts/cis-docker.sh", diff --git a/scripts/cis-benchmark.sh b/scripts/cis-benchmark.sh index 62071eb..8e62bce 100755 --- a/scripts/cis-benchmark.sh +++ b/scripts/cis-benchmark.sh @@ -200,43 +200,16 @@ sed -i 's/SELINUX=disabled/SELINUX=enforcing/g' /etc/selinux/config echo "1.7.1.1 - ensure message of the day is configured properly" rm -f /etc/cron.d/update-motd -cat > /etc/update-motd.d/30-banner <<"OUTEREOF" +cat > /etc/update-motd.d/30-banner < /etc/issue < /etc/issue <<< "$MOTD_CONTENT" echo "1.7.1.3 - ensure remote login warning banner is configured properly" -cat > /etc/issue.net < /etc/issue.net <<< "$MOTD_CONTENT" echo "1.7.1.4 - ensure permissions on /etc/motd are configured" chown root:root /etc/motd @@ -593,7 +566,7 @@ AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE AcceptEnv XMODIFIERS -Subsystem sftp /usr/libexec/openssh/sftp-server +Subsystem sftp /usr/libexec/openssh/sftp-server AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f AuthorizedKeysCommandUser ec2-instance-connect diff --git a/variables.pkr.hcl b/variables.pkr.hcl index abdf1db..8f72354 100644 
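Review bot: The MOTD hunk in scripts/cis-benchmark.sh now feeds `$MOTD_CONTENT` into `/etc/update-motd.d/30-banner`, a script that update-motd runs as root at login, and the outer heredoc changes from the quoted `<<"OUTEREOF"` to a delimiter this rendering does not preserve; if that delimiter is unquoted, the banner is interpolated at build time into that script, so a `$`, backtick or quote in the configured banner becomes shell code rather than display text. The here-string writes `cat > /etc/issue <<< "$MOTD_CONTENT"` and `cat > /etc/issue.net <<< "$MOTD_CONTENT"` are safe because the variable is only data there; the banner script should take the same route, e.g. keep the quoted `<<"OUTEREOF"` and have the generated script print the already-written file with `cat /etc/issue` instead of embedding the variable. The heredoc body itself is not legible in this rendering, so the delimiter quoting is the thing to confirm on the full diff. The same variable is also traced into the build log by the provisioner's `bash -eux`, which is fine for a banner but worth a note in the variable description if the content is ever expected to be sensitive.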
--- a/variables.pkr.hcl +++ b/variables.pkr.hcl @@ -172,3 +172,18 @@ variable "snapshot_users" { type = list(string) default = [] } + +variable "motd_content" { + description = "Message Of The Day (MOTD) banner content." + type = string + default = < Date: Tue, 16 May 2023 15:06:39 -0700 Subject: [PATCH 2/4] /etc/docker/daemon.json - updates --- scripts/cis-docker.sh | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/scripts/cis-docker.sh b/scripts/cis-docker.sh index f0a2a10..0dcbcee 100755 --- a/scripts/cis-docker.sh +++ b/scripts/cis-docker.sh @@ -49,11 +49,10 @@ echo "2.1 - 2.17 - ensure the docker configuration is secure" cat > /etc/docker/daemon.json < /etc/docker/daemon.json < Date: Tue, 16 May 2023 15:07:00 -0700 Subject: [PATCH 3/4] /etc/kubernetes/kubelet/kubelet-config.json - updates --- scripts/cis-eks.sh | 31 ++++++++++++++++++++++++++----- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/scripts/cis-eks.sh b/scripts/cis-eks.sh index 766301a..fd49fd9 100755 --- a/scripts/cis-eks.sh +++ b/scripts/cis-eks.sh @@ -58,10 +58,31 @@ cat > /etc/kubernetes/kubelet/kubelet-config.json < 1.20 +KUBERNETES_VERSION=$(/usr/bin/kubelet --version | sed -E -e 's!^Kubernetes v([0-9]\.[0-9]+).[0-9]+-.*$!\1!') + +# Inject CSIServiceAccountToken feature gate to kubelet config if kubernetes version starts with 1.20. +# This is only injected for 1.20 since CSIServiceAccountToken will be moved to beta starting 1.21. +if [[ $KUBERNETES_VERSION == "1.20" ]]; then + KUBELET_CONFIG_WITH_CSI_SERVICE_ACCOUNT_TOKEN_ENABLED=$(cat "/etc/kubernetes/kubelet/kubelet-config.json" | jq '.featureGates += {CSIServiceAccountToken: true}') + echo $KUBELET_CONFIG_WITH_CSI_SERVICE_ACCOUNT_TOKEN_ENABLED > "/etc/kubernetes/kubelet/kubelet-config.json" +fi From 988ee5f17446c8d53c62a2655df334158812bf43 Mon Sep 17 00:00:00 2001 
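Review bot: In the scripts/cis-eks.sh hunk, `echo $KUBELET_CONFIG_WITH_CSI_SERVICE_ACCOUNT_TOKEN_ENABLED > "/etc/kubernetes/kubelet/kubelet-config.json"` writes the kubelet config back unquoted, so the JSON is word-split and glob-expanded before it lands in a file the CIS kubelet checks depend on; use `printf '%s\n' "$KUBELET_CONFIG_WITH_CSI_SERVICE_ACCOUNT_TOKEN_ENABLED" > "/etc/kubernetes/kubelet/kubelet-config.json"` and read the file with `jq '.featureGates += {CSIServiceAccountToken: true}' "/etc/kubernetes/kubelet/kubelet-config.json"` rather than `cat ... | jq`. The sed pattern `s!^Kubernetes v([0-9]\.[0-9]+).[0-9]+-.*$!\1!` leaves the `.` before the patch number unescaped, so it matches any character; `\.` is what the comment describes. If this script runs under the same `bash -eux` provisioner as scripts/cis-benchmark.sh (the script list is cut off in the first hunk), a missing `jq` makes the command substitution fail and aborts the build, which is the right outcome here and deserves a one-line comment so nobody wraps it in `|| true`. The `cat > /etc/kubernetes/kubelet/kubelet-config.json` heredoc that opens this hunk starts above the visible lines and its body is not legible in this rendering.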
From: fred-vogt-dod
Date: Tue, 16 May 2023 15:07:29 -0700
Subject: [PATCH 4/4] sysctl updates
---
 scripts/cis-benchmark.sh | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/scripts/cis-benchmark.sh b/scripts/cis-benchmark.sh
index 8e62bce..0fdfabd 100755
--- a/scripts/cis-benchmark.sh
+++ b/scripts/cis-benchmark.sh
@@ -300,8 +300,10 @@ echo "2.2.4 - ensure LDAP client is not installed"
 yum_remove openldap-clients
 echo "3.1.1 - ensure IP forwarding is disabled"
-sysctl_entry "net.ipv4.ip_forward = 0"
-sysctl_entry "net.ipv6.conf.all.forwarding = 0"
+# Required for working container networking
+# sysctl_entry "net.ipv4.ip_forward = 0"
+# sysctl_entry "net.ipv4.conf.all.forwarding = 0"
+# sysctl_entry "net.ipv6.conf.all.forwarding = 0"
 echo "3.1.2 - ensure packet redirect sending is disabled"
 sysctl_entry "net.ipv4.conf.all.send_redirects = 0"
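Review bot: The context line `echo "3.1.1 - ensure IP forwarding is disabled"` still reports the control as applied while the `sysctl_entry` calls under it are now commented out, so the build log will claim a hardening step that this commit intentionally skips. Change the message to record the exception, e.g. `echo "3.1.1 - IP forwarding left enabled (required for container networking; CIS exception)"`, and extend the `# Required for working container networking` comment with the reason the node needs forwarding so a later reviewer does not simply re-enable the entries. The commented `# sysctl_entry "net.ipv4.conf.all.forwarding = 0"` line was never present in the old code, so commenting it out documents nothing; either drop it or say it is listed for completeness.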