AKS CIS compliance for Ubuntu 22.04 and 24.04 (#7061)

Author: Jeremi Piotrowski

.pipelines/templates/.builder-release-template.yaml

@@ -222,7 +222,7 @@ steps:
       TargetFolder: '$(Build.ArtifactStagingDirectory)'
 
   - task: CopyFiles@2
-    condition: and(eq(variables.OS_SKU, 'Ubuntu'), in(variables.OS_VERSION, '22.04', '24.04'), eq(variables.FEATURE_FLAGS, 'None'))
+    condition: and(eq(variables.OS_SKU, 'Ubuntu'), in(variables.OS_VERSION, '22.04', '24.04'), in(variables.FEATURE_FLAGS, 'None', 'cvm'))
     displayName: Copy CIS Reports
     inputs:
       SourceFolder: '$(System.DefaultWorkingDirectory)'

parts/linux/cloud-init/artifacts/cis.sh

@@ -18,6 +18,8 @@ assignRootPW() {
         echo 'root:'$HASH | /usr/sbin/chpasswd -e || exit $ERR_CIS_ASSIGN_ROOT_PW
     fi
     set -x
+    chage --maxdays 90 root
+    chage --inactive 30 root
 }
 
 assignFilePermissions() {
@@ -209,6 +211,100 @@ function addFailLockDir() {
     fi
 }
 
+configureGrub() {
+    if ! grep -q apparmor /etc/default/grub.d/99-aks-cis.cfg; then
+        # shellcheck disable=SC2016
+        echo 'GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX apparmor=1 security=apparmor"' >>/etc/default/grub.d/99-aks-cis.cfg
+    fi
+    cat <<"EOF" >/etc/grub.d/09_unrestricted
+#!/bin/sh
+exec tail -n +3 $0
+# This file provides an easy way to add custom menu entries.  Simply type the
+# menu entries you want to add after this comment.  Be careful not to change
+# the 'exec tail' line above.
+
+menuentry_id_option="--unrestricted $menuentry_id_option"
+EOF
+    chmod +x /etc/grub.d/09_unrestricted
+    if ! grep -q superusers /etc/grub.d/40_custom; then
+        set +x
+        password=$(openssl rand -hex 64)
+        hash=$(echo -e "${password}\n${password}" | grub-mkpasswd-pbkdf2 | tail -n1 | sed -e 's/.*grub.pbkdf2/grub.pbkdf2/')
+        set -x
+        cat <<EOF >>/etc/grub.d/40_custom
+set superusers="root"
+password_pbkdf2 root ${hash}
+EOF
+    fi
+    update-grub2 || exit 1
+    chmod 0600 /boot/grub/grub.cfg
+}
+
+prepareTmp() {
+    local changed=0
+    if ! grep -q /tmp /etc/fstab; then
+        #echo 'tmpfs /tmp tmpfs nodev,nosuid,noexec,size=50%,mode=1777' >>/etc/fstab
+        #changed=1
+	:
+    fi
+    if ! grep -q /dev/shm /etc/fstab; then
+        echo 'tmpfs /dev/shm tmpfs nodev,nosuid,noexec' >>/etc/fstab
+        changed=1
+    fi
+
+    if [ "${changed}" = 1 ]; then
+        systemctl daemon-reload
+        mount -o remount /dev/shm
+        # A noexec /tmp interferes with packer operations
+    fi
+}
+
+configureSsh() {
+    mkdir -p /etc/ssh/sshd_config.d
+    cat <<EOF >/etc/ssh/sshd_config.d/99-aks-cis.conf
+ClientAliveInterval 120
+ClientAliveCountMax 3
+EOF
+    chmod 0600 -R /etc/ssh/sshd_config.d/
+    chmod 0755    /etc/ssh/sshd_config.d
+    chmod 0600    /etc/ssh/sshd_config
+    systemctl restart ssh
+}
+
+configureSudo() {
+    cat <<EOF >/etc/sudoers.d/99-cis
+Defaults logfile="/var/log/sudo.log"
+EOF
+    chmod 0440 /etc/sudoers.d/99-cis
+    cat <<EOF >/etc/logrotate.d/sudo
+/var/log/sudo.log {
+  rotate 5
+  daily
+  maxsize 50M
+  missingok
+  notifempty
+  compress
+  delaycompress
+  sharedscripts
+}
+EOF
+}
+
+configureRootPath() {
+    sed -i -e 's|:/snap/bin||' /etc/sudoers /etc/environment
+}
+
+configureLimits() {
+    mkdir -p /etc/security/limits.d/
+    cat <<EOF >/etc/security/limits.d/99-aks-cis.conf
+* hard core 0
+EOF
+}
+
+configureAzureAgent() {
+    sed -i -e 's/\(Provisioning.DeleteRootPassword\).*/\1=n/' /etc/waagent.conf
+}
+
 applyCIS() {
     setPWExpiration
     assignRootPW
@@ -217,6 +313,19 @@ applyCIS() {
     fixUmaskSettings
     maskNfsServer
     addFailLockDir
+    if isMarinerOrAzureLinux "$OS" || isAzureLinuxOSGuard "$OS" "$OS_VARIANT" || isFlatcar "$OS" ; then
+        echo "Further functions only work for Ubuntu"
+        return
+    fi
+    configureGrub
+    prepareTmp
+    configureSsh
+    configureSudo
+    configureRootPath
+    configureLimits
+    configureAzureAgent
+    # Apply system configuration to running system
+    sysctl --write --system
 }
 
 applyCIS

parts/linux/cloud-init/artifacts/faillock-CIS.conf

@@ -0,0 +1,3 @@
+deny=5
+unlock_time=900
+even_deny_root

parts/linux/cloud-init/artifacts/modprobe-CIS.conf

@@ -12,9 +12,16 @@ install cramfs /bin/true
 blacklist cramfs
 # 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled
 install freevxfs /bin/true
+blacklist freevxfs
 # 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled
 install jffs2 /bin/true
+blacklist jffs2
 # 1.1.1.4 Ensure mounting of hfs filesystems is disabled
 install hfs /bin/true
+blacklist hfs
 # 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled
 install hfsplus /bin/true
+blacklist hfsplus
+# 1.1.1.9 Ensure usb-storage kernel module is not available
+install usb-storage /bin/true
+blacklist usb-storage

parts/linux/cloud-init/artifacts/pam-d-common-account

@@ -0,0 +1,28 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system.  The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
+# here's the fallback if no module succeeds
+account requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
+
+# CIS
+account required                        pam_faillock.so

parts/linux/cloud-init/artifacts/pam-d-common-auth-2204

@@ -26,3 +26,4 @@ auth	required			pam_permit.so
 
 # 5.3.2 Ensure lockout for failed password attempts is configured
 auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900
+auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900

parts/linux/cloud-init/artifacts/pam-d-common-password

@@ -23,6 +23,9 @@
 
 # here are the per-package modules (the "Primary" block)
 password	requisite			pam_pwquality.so retry=3
+password  	required      			pam_pwhistory.so use_authtok remember=24 enforce_for_root
+# 5.3.3 Ensure password reuse is limited
+# 5.3.4 Ensure password hashing algorithm is SHA-512
 password	[success=1 default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512
 # here's the fallback if no module succeeds
 password	requisite			pam_deny.so
@@ -32,7 +35,3 @@ password	requisite			pam_deny.so
 password	required			pam_permit.so
 # and here are more per-package modules (the "Additional" block)
 # end of pam-auth-update config
-
-# 5.3.3 Ensure password reuse is limited
-# 5.3.4 Ensure password hashing algorithm is SHA-512
-password	[success=1 default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512 remember=5

parts/linux/cloud-init/artifacts/pam-d-su

@@ -14,7 +14,7 @@ auth       sufficient pam_rootok.so
 # (Replaces the `SU_WHEEL_ONLY' option from login.defs)
 
 # 5.6 Ensure access to the su command is restricted
-auth required pam_wheel.so use_uid
+auth required pam_wheel.so use_uid group=admin
 
 # Uncomment this if you want wheel members to be able to
 # su without a password.

parts/linux/cloud-init/artifacts/profile-d-cis.sh

@@ -2,3 +2,6 @@
 
 # 5.4.4 Ensure default user umask is 027 or more restrictive
 umask 027
+
+# 5.4.3.2 Ensure default user shell timeout is configured
+readonly TMOUT=900 ; export TMOUT

parts/linux/cloud-init/artifacts/pwquality-CIS.conf

@@ -1,7 +1,11 @@
 # 5.3.1 Ensure password creation requirements are configured (Scored)
 
+difok=2
 minlen=14
 dcredit=-1
 ucredit=-1
 ocredit=-1
-lcredit=-1
+lcredit=-1
+maxrepeat=3
+maxsequence=3
+enforce_for_root