From 6a99a8002dd4e7a8b7ecac2b67711ae90d5e0c85 Mon Sep 17 00:00:00 2001
From: rajeshfrontline <95583348+rajeshfrontline@users.noreply.github.com>
Date: Thu, 12 Dec 2024 19:14:17 +0530
Subject: [PATCH 1/2] PE-5714
---
 cis-harden/harden.sh | 52 +++++++++++++++++++++-------------------
 earthly.sh | 56 +++++++++++++++++++-------------------
 hack/launch-qemu.sh | 4 ++--
 rhel-fips/build.sh | 4 ++--
 ubuntu-fips/build.sh | 4 ++--
 5 files changed, 58 insertions(+), 62 deletions(-)
diff --git a/cis-harden/harden.sh b/cis-harden/harden.sh
index 52d575f..2a825c3 100755
--- a/cis-harden/harden.sh
+++ b/cis-harden/harden.sh
@@ -6,8 +6,8 @@ #
-root_dir="$( cd "$( dirname $0 )" && pwd )"
-echo Root dir $root_dir
+root_dir="$( cd "$( dirname "$0" )" && pwd )"
+echo Root dir "$root_dir"
 ##########################################################################
@@ -21,7 +21,7 @@ check_error()
 if [[ ${status} -ne 0 ]]; then
 echo -e "\033[31m - ${msg} \033[0m"
- exit ${exit_status}
+ exit "${exit_status}"
 fi
 return 0
@@ -40,10 +40,10 @@ update_config_files() {
 check_error 1 "File ${config_file} not found"
 fi
- sed -i "s/^\($search_str.*\)$/#\1/" ${config_file}
+ sed -i "s/^\($search_str.*\)$/#\1/" "${config_file}"
 check_error $? "Failed commenting config value $search_str." 1
- echo "$append_str" >> ${config_file}
+ echo "$append_str" >> "${config_file}"
 check_error $? "Failed appending config value $append_str" 1
 return 0
@@ -109,7 +109,7 @@ upgrade_packages() {
 apt-get -y upgrade
 check_error $? "Failed upgrading packages" 1
 apt-get install -y auditd apparmor-utils libpam-pwquality
- if [[ $? -ne 0 ]]; then
+ if $? -ne 0 ; then
 echo 'deb http://archive.ubuntu.com/ubuntu focal main restricted' > /etc/apt/sources.list.d/repotmp.list
 apt-get update
 apt-get install -y auditd apparmor-utils libpam-pwquality
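Review bot: The new `if $? -ne 0 ; then` in upgrade_packages() no longer tests the apt-get exit status: bash expands `$?` and runs the resulting number as a command name, which fails with "command not found", so the condition is always false and the fallback-repository install branch below it has become dead code. The same rewrite is applied in this commit to the empty-password check and the cron-permission loop in harden.sh and to the post-build check in earthly.sh, so each of those checks is silently disabled. Restore the test form, `if [[ $? -ne 0 ]]; then`, or better test the command itself: `if ! apt-get install -y auditd apparmor-utils libpam-pwquality; then`. upgrade_packages() continues past the end of the hunk.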
@@ -516,8 +516,8 @@ harden_system() {
 echo "Error out if there are users with empty password"
 cat /etc/shadow |awk -F : '($2 == "" ){ exit 1}'
- if [[ $? -ne 0 ]]; then
- echo "Users present with empty password. Remove the user or set password for the users"
+ if $? -ne 0 ; then
+ echo "Users present with empty password. Remove the user or set pasword for the users"
 exit 1
 fi
@@ -529,18 +529,18 @@ harden_system() {
 fi
 echo "Fix permission of all cron files"
- for each in `echo /etc/cron.daily /etc/cron.hourly /etc/cron.d /etc/cron.monthly /etc/cron.weekly /etc/crontab`
+ for each in echo /etc/cron.daily /etc/cron.hourly /etc/cron.d /etc/cron.monthly /etc/cron.weekly /etc/crontab
 do
 if [[ -e ${each} ]]; then
- stat -L -c "%a %u %g" ${each} | egrep ".00 0 0"
- if [[ $? -ne 0 ]]; then
- chown root:root ${each}
- chmod og-rwx ${each}
+ stat -L -c "%a %u %g" "${each}" | grep -E".00 0 0"
+ if $? -ne 0 ; then
+ chown root:root "${each}"
+ chmod og-rwx "${each}"
 fi
 fi
 done
- echo "Remove cron and at deny files and have allow files in place"
+ echo "Remove cron and at deny files anf have allow files in place"
 rm -f /etc/cron.deny
 rm -f /etc/at.deny
 touch /etc/cron.allow
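Review bot: The empty-password guard is disabled by the new `if $? -ne 0 ; then`: awk's exit status is expanded and executed as a command, which always fails, so the `exit 1` meant to abort hardening when /etc/shadow contains an account with an empty password field can never run. Because this same commit goes on to write `pam_unix.so nullok` into common-auth, such an account would stay password-less on a host that otherwise reports itself as hardened. Test the pipeline directly, `if ! awk -F : '($2 == "" ){ exit 1}' /etc/shadow; then`, and revert the typo introduced into the user-facing message (`pasword`). harden_system() starts before and continues after this hunk.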
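Review bot: Dropping the backticks left `echo` in the word list, so `for each in echo /etc/cron.daily ...` now iterates over the literal word `echo` first (a no-op unless a file named echo exists in the working directory); the list should read `for each in /etc/cron.daily /etc/cron.hourly /etc/cron.d /etc/cron.monthly /etc/cron.weekly /etc/crontab`. Inside the loop `grep -E".00 0 0"` lacks the space before the pattern and `if $? -ne 0 ; then` executes the exit status as a command, so the chown/chmod repair never runs on a mis-owned cron file; `if ! stat -L -c "%a %u %g" "${each}" | grep -qE ".00 0 0"; then` keeps the original intent and `-q` also stops stat output from leaking into the log. The message string was changed to `anf have`, which looks like an accidental typo rather than an intended change.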
@@ -821,12 +821,14 @@ harden_auth() {
 # Backup the original file
 cp /etc/pam.d/common-auth /etc/pam.d/common-auth.bak
- echo "auth required pam_faillock.so preauth audit silent deny=4 fail_interval=900 unlock_time=600" > /etc/pam.d/common-auth
- echo "auth [success=1 default=ignore] pam_unix.so nullok" >> /etc/pam.d/common-auth
- echo "auth [default=die] pam_faillock.so authfail audit deny=4 fail_interval=900 unlock_time=600" >> /etc/pam.d/common-auth
- echo "auth sufficient pam_faillock.so authsucc audit deny=4 fail_interval=900 unlock_time=600" >> /etc/pam.d/common-auth
- echo "auth requisite pam_deny.so" >> /etc/pam.d/common-auth
- echo "auth required pam_permit.so" >> /etc/pam.d/common-auth
+ {
+ echo "auth required pam_faillock.so preauth audit silent deny=4 fail_interval=900 unlock_time=600"
+ echo "auth [success=1;default=ignore] pam_unix.so nullok"
+ echo "auth [default=die] pam_faillock.so authfail audit deny=4 fail_interval=900 unlock_time=600"
+ echo "auth sufficient pam_faillock.so authsucc audit deny=4 fail_interval=900 unlock_time=600"
+ echo "auth requisite pam_deny.so"
+ echo "auth required pam_permit.so"
+ } > /etc/pam.d/common-auth
 # Backup the original file
 cp /etc/pam.d/common-account /etc/pam.d/common-account.bak
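Review bot: The pam_unix line was changed from `[success=1 default=ignore]` to `[success=1;default=ignore]`, which is not Linux-PAM control syntax: the value=action pairs inside the brackets are separated by whitespace, not semicolons, so libpam will not read this as "skip one module on success". How libpam handles the malformed field is not something I would guess at from here — it may log a syntax error and fail the whole auth stack, or lose the skip so that the faillock `authfail` line runs even after a correct password — but either outcome changes login behaviour on every hardened host, and the common-password hunk in this same commit keeps the space-separated form. Restore `echo "auth [success=1 default=ignore] pam_unix.so nullok"` and verify an interactive login before shipping the PAM rewrite. harden_auth() starts before this hunk.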
@@ -838,10 +840,12 @@ harden_auth() {
 # Backup the original file
 cp /etc/pam.d/common-password /etc/pam.d/common-password.bak
- echo "password requisite pam_pwquality.so retry=3" > /etc/pam.d/common-password
- echo "password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass remember=5" >> /etc/pam.d/common-password
- echo "password requisite pam_deny.so" >> /etc/pam.d/common-password
- echo "password required pam_permit.so" >> /etc/pam.d/common-password
+ {
+ echo "password requisite pam_pwquality.so retry=3"
+ echo "password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass remember=5"
+ echo "password requisite pam_deny.so"
+ echo "password required pam_permit.so"
+ } > /etc/pam.d/common-password
 #####################Password expiry policy#################
diff --git a/earthly.sh b/earthly.sh
index abcb8b6..12cdf45 100755
--- a/earthly.sh
+++ b/earthly.sh
@@ -18,17 +18,17 @@ function build_with_proxy() {
 --rm -t \
 -e GLOBAL_CONFIG="$global_config" \
 -e BUILDKIT_TCP_TRANSPORT_ENABLED=true \
- -e http_proxy=$HTTP_PROXY \
- -e https_proxy=$HTTPS_PROXY \
- -e HTTPS_PROXY=$HTTPS_PROXY \
- -e HTTP_PROXY=$HTTP_PROXY \
- -e NO_PROXY=$NO_PROXY \
- -e no_proxy=$NO_PROXY \
- -e EARTHLY_GIT_CONFIG=$gitconfig \
- -v "$(pwd)/certs:/usr/local/share/ca-certificates:ro" \
+ -e http_proxy="$HTTP_PROXY" \
+ -e https_proxy="$HTTPS_PROXY" \
+ -e HTTPS_PROXY="$HTTPS_PROXY" \
+ -e HTTP_PROXY="$HTTP_PROXY" \
+ -e NO_PROXY="$NO_PROXY" \
+ -e no_proxy="$NO_PROXY" \
+ -e EARTHLY_GIT_CONFIG="$gitconfig" \
+ -v "$PROXY_CERT_PATH:/usr/local/share/ca-certificates/sc.crt:ro" \
 -v earthly-tmp:/tmp/earthly:rw \
 -p 8372:8372 \
- $SPECTRO_PUB_REPO/third-party/edge/earthly/buildkitd:$EARTHLY_VERSION
+ "$SPECTRO_PUB_REPO"/third-party/edge/earthly/buildkitd:$EARTHLY_VERSION
 # Update the CA certificates in the container
 docker exec -it earthly-buildkitd update-ca-certificates
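Review bot: The buildkitd container now bind-mounts `$PROXY_CERT_PATH` directly, but nothing in the script validates the variable any more — the shim that checked and copied it is deleted in this same commit — so an unset value produces the volume spec `:/usr/local/share/ca-certificates/sc.crt:ro`, which docker rejects, and a bare filename with no slash is treated by docker as a named volume rather than a bind mount, silently mounting nothing. Add a guard before the `docker run`, e.g. `[[ -f "$PROXY_CERT_PATH" ]] || { echo "PROXY_CERT_PATH must point to a CA certificate file" >&2; exit 1; }` followed by `PROXY_CERT_PATH=$(readlink -f -- "$PROXY_CERT_PATH")`. `$EARTHLY_VERSION` in the image reference is also left unquoted while `$SPECTRO_PUB_REPO` next to it is quoted; quoting the whole reference keeps it one word. build_with_proxy() starts before and continues after this hunk.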
@@ -40,21 +40,21 @@ function build_with_proxy() {
 -e GLOBAL_CONFIG="$global_config" \
 -e EARTHLY_BUILDKIT_HOST=tcp://0.0.0.0:8372 \
 -e BUILDKIT_TLS_ENABLED=false \
- -e http_proxy=$HTTP_PROXY \
- -e https_proxy=$HTTPS_PROXY \
- -e HTTPS_PROXY=$HTTPS_PROXY \
- -e HTTP_PROXY=$HTTP_PROXY \
- -e NO_PROXY=$NO_PROXY \
- -e no_proxy=$NO_PROXY \
+ -e http_proxy="$HTTP_PROXY" \
+ -e https_proxy="$HTTPS_PROXY" \
+ -e HTTPS_PROXY="$HTTPS_PROXY" \
+ -e HTTP_PROXY="$HTTP_PROXY" \
+ -e NO_PROXY="$NO_PROXY" \
+ -e no_proxy="$NO_PROXY" \
 -v "$(pwd)":/workspace \
- -v "$(pwd)/certs:/usr/local/share/ca-certificates:ro" \
+ -v "$PROXY_CERT_PATH:/workspace/sc.crt:ro" \
 --entrypoint /workspace/earthly-entrypoint.sh \
- $SPECTRO_PUB_REPO/third-party/edge/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@"
+ "$SPECTRO_PUB_REPO"/third-party/edge/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@"
 }
 function build_without_proxy() {
 # Run Earthly in Docker to create artifacts Variables are passed from the .arg file
- docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -v "$(pwd)":/workspace $SPECTRO_PUB_REPO/third-party/edge/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@"
+ docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -v "$(pwd)":/workspace "$SPECTRO_PUB_REPO"/third-party/edge/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@"
 }
 function print_os_pack() {
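Review bot: The mount `-v "$PROXY_CERT_PATH:/workspace/sc.crt:ro"` replaces a directory of certificates with a single file at a fixed path that `/workspace/earthly-entrypoint.sh` (not in this diff) presumably consumes, and that contract is not stated anywhere in the script; a comment above the line such as `# earthly-entrypoint.sh installs /workspace/sc.crt as the proxy CA; exactly one PEM file is supported` would document it. Users who previously dropped several CA files into certs/ (for example a root plus an issuing CA) now have to concatenate them into one bundle, which is a behaviour change the commit message does not mention. The same unset/relative-path failure as on the buildkitd mount applies here, so a single `[[ -f "$PROXY_CERT_PATH" ]]` guard placed once before both `docker run` calls would cover both.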
@@ -94,14 +94,6 @@ PE_VERSION=$(git describe --abbrev=0 --tags)
 SPECTRO_PUB_REPO=us-docker.pkg.dev/palette-images
 EARTHLY_VERSION=v0.8.15
 source .arg
-
-# Workaround to support deprecated field PROXY_CERT_PATH
-if [ -n "$PROXY_CERT_PATH" ]; then
- echo "PROXY_CERT_PATH is deprecated. Please place your certificates in the certs directory."
- echo "Copying the certificates from $PROXY_CERT_PATH to certs/"
- cp $PROXY_CERT_PATH certs/
-fi
-
 ALPINE_IMG=$SPECTRO_PUB_REPO/edge/canvos/alpine:3.20
 ### Verify Dependencies
 # Check if Docker is installed
@@ -111,28 +103,28 @@ else
 echo "Docker not found. Please use the guide for your platform located https://docs.docker.com/engine/install/ to install Docker."
 fi
 # Check if the current user has permission to run privileged containers
-if ! docker run --rm --privileged $ALPINE_IMG sh -c 'echo "Privileged container test"' &>/dev/null; then
+if ! docker run --rm --privileged "$ALPINE_IMG" sh -c 'echo "Privileged container test"' &>/dev/null; then
 echo "Privileged containers are not allowed for the current user."
 exit 1
 fi
-if [ -z "$HTTP_PROXY" ] && [ -z "$HTTPS_PROXY" ] && [ -z "$(find certs -type f ! -name '.*' -print -quit)" ]; then
+if [ -z "$HTTP_PROXY" ] && [ -z "$HTTPS_PROXY"]; then
 build_without_proxy "$@"
 else
 build_with_proxy "$@"
 fi
 # Verify the command was successful
-if [ $? -ne 0 ]; then
+if $? -ne 0 ; then
 echo "An error occurred while running the command."
 exit 1
 fi
 # Cleanup builder helper images.
-docker rmi $SPECTRO_PUB_REPO/third-party/edge/earthly/earthly:$EARTHLY_VERSION
+docker rmi "$SPECTRO_PUB_REPO"/third-party/edge/earthly/earthly:$EARTHLY_VERSION
 if [ "$(docker container inspect -f '{{.State.Running}}' earthly-buildkitd)" = "true" ]; then
 docker stop earthly-buildkitd
 fi
-docker rmi $SPECTRO_PUB_REPO/third-party/edge/earthly/buildkitd:$EARTHLY_VERSION 2>/dev/null
-docker rmi $ALPINE_IMG
+docker rmi "$SPECTRO_PUB_REPO"/third-party/edge/earthly/buildkitd:$EARTHLY_VERSION 2>/dev/null
+docker rmi "$ALPINE_IMG"
 if [[ "$1" == "+uki-genkey" ]]; then
 ./keys.sh secure-boot/
diff --git a/hack/launch-qemu.sh b/hack/launch-qemu.sh
index 9aaba67..186d3db 100755
--- a/hack/launch-qemu.sh
+++ b/hack/launch-qemu.sh
@@ -13,8 +13,8 @@ qemu-system-x86_64 \
 -cpu "${CPU:=host}" \
 -nographic \
 -spice port=9000,addr=127.0.0.1,disable-ticketing=yes \
- -m ${MEMORY:=10096} \
- -smp ${CORES:=5} \
+ -m "${MEMORY:=10096}" \
+ -smp "${CORES:=5}" \
 -monitor unix:/tmp/qemu-monitor.sock,server=on,wait=off \
 -serial mon:stdio \
 -rtc base=utc,clock=rt \
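Review bot: `[ -z "$HTTPS_PROXY"]` is missing the space before `]`, so `[` reports a syntax error and returns 2; the `&&` chain is then false whenever HTTP_PROXY is empty and the script falls into build_with_proxy even when no proxy is configured, where the now-unguarded `$PROXY_CERT_PATH` mount makes `docker run` fail. That failure is then masked, because `if $? -ne 0 ; then` executes the exit status as a command instead of comparing it, so the "An error occurred" branch is unreachable and the script carries on to image cleanup and the `./keys.sh` step as if the build had succeeded. Fix both lines — `if [ -z "$HTTP_PROXY" ] && [ -z "$HTTPS_PROXY" ]; then` and `if [ $? -ne 0 ]; then` — or, more robustly, capture the status explicitly with `build_with_proxy "$@"; rc=$?` in each branch and test `rc`, since `$?` after `fi` depends on which command ran last.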
diff --git a/rhel-fips/build.sh b/rhel-fips/build.sh
index f24fae4..d3f1909 100644
--- a/rhel-fips/build.sh
+++ b/rhel-fips/build.sh
@@ -6,12 +6,12 @@ PASSWORD=$2
 BASE_IMAGE="${3:-rhel-byoi-fips}"
 # Build the container image
-docker build --build-arg USERNAME=$USERNAME --build-arg PASSWORD=$PASSWORD -t $BASE_IMAGE .
+docker build --build-arg USERNAME="$USERNAME" --build-arg PASSWORD="$PASSWORD" -t "$BASE_IMAGE" .
 docker run -v "$PWD"/build:/tmp/auroraboot \
 -v /var/run/docker.sock:/var/run/docker.sock \
 --rm quay.io/kairos/auroraboot \
- --set container_image=docker://$BASE_IMAGE \
+ --set container_image=docker://"$BASE_IMAGE" \
 --set "disable_http_server=true" \
 --set "disable_netboot=true" \
 --set "state_dir=/tmp/auroraboot"
diff --git a/ubuntu-fips/build.sh b/ubuntu-fips/build.sh
index a7a48c0..3e533fc 100644
--- a/ubuntu-fips/build.sh
+++ b/ubuntu-fips/build.sh
@@ -1,4 +1,4 @@
 BASE_IMAGE="${1:-ubuntu-focal-fips}"
-DOCKER_BUILDKIT=1 docker build . --secret id=pro-attach-config,src=pro-attach-config.yaml -t $BASE_IMAGE
-docker run -v "$PWD"/build:/tmp/auroraboot -v /var/run/docker.sock:/var/run/docker.sock --rm quay.io/kairos/auroraboot --set container_image=docker://$BASE_IMAGE --set "disable_http_server=true" --set "disable_netboot=true" --set "state_dir=/tmp/auroraboot"
+DOCKER_BUILDKIT=1 docker build . --secret id=pro-attach-config,src=pro-attach-config.yaml -t "BASE_IMAGE"
+docker run -v "$PWD"/build:/tmp/auroraboot -v /var/run/docker.sock:/var/run/docker.sock --rm quay.io/kairos/auroraboot --set container_image=docker://"BASE_IMAGE" --set "disable_http_server=true" --set "disable_netboot=true" --set "state_dir=/tmp/auroraboot"
From f775f47553319442d0b2ffd4cbdacc0b83835843 Mon Sep 17 00:00:00 2001
From: rajeshfrontline <95583348+rajeshfrontline@users.noreply.github.com>
Date: Wed, 18 Dec 2024 23:16:15 +0530
Subject: [PATCH 2/2] PE-5714
---
 cis-harden/harden.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
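Review bot: `--build-arg PASSWORD="$PASSWORD"` is now quoted, but it still passes the subscription password through a build argument, which is visible on the host command line while the build runs and, assuming the Dockerfile consumes the ARG in a RUN step, is recorded in the image's layer history where `docker history` shows it. The ubuntu-fips/build.sh hunk in this same commit already uses the safer pattern, `DOCKER_BUILDKIT=1 docker build --secret id=...,src=...`; the RHEL build should do the same, e.g. `--secret id=rhel-password,src=<file>` paired with `RUN --mount=type=secret,id=rhel-password` in its Dockerfile, so the credential never lands in the image. If the Dockerfile cannot change in this PR, at least add a comment on this line warning that the resulting image carries the password in its history and must not be pushed to a shared registry.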
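Review bot: Both new lines dropped the `$`: `-t "BASE_IMAGE"` tags the image with the literal string BASE_IMAGE and `container_image=docker://"BASE_IMAGE"` hands that same literal to auroraboot, so the `${1:-ubuntu-focal-fips}` default and any name passed as `$1` are ignored and the two steps only line up because they share the typo. They should read `-t "$BASE_IMAGE"` and `--set container_image=docker://"$BASE_IMAGE"`, matching the correct form in the rhel-fips hunk above.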
diff --git a/cis-harden/harden.sh b/cis-harden/harden.sh
index 2a825c3..f748a88 100755
--- a/cis-harden/harden.sh
+++ b/cis-harden/harden.sh
@@ -532,7 +532,7 @@ harden_system() {
 for each in echo /etc/cron.daily /etc/cron.hourly /etc/cron.d /etc/cron.monthly /etc/cron.weekly /etc/crontab
 do
 if [[ -e ${each} ]]; then
- stat -L -c "%a %u %g" "${each}" | grep -E".00 0 0"
+ stat -L -c "%a %u %g" "${each}" | grep -E ".00 0 0"
 if $? -ne 0 ; then
 chown root:root "${each}"
 chmod og-rwx "${each}"
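Review bot: Restoring the space in `grep -E ".00 0 0"` fixes the grep invocation, but its exit status is still consumed by the context line `if $? -ne 0 ; then`, which runs the number as a command and is therefore always false, so the chown/chmod repair below never executes; the loop also still iterates over the literal word `echo` left in the `for` list on the context line above. Collapse the check into the pipeline, `if ! stat -L -c "%a %u %g" "${each}" | grep -qE ".00 0 0"; then`, and remove `echo` from the word list; `-q` additionally keeps stat output out of the hardening log. harden_system() and the loop body continue past the end of this hunk.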