AKS CIS compliance for Ubuntu 22.04 and 24.04#7061
| - task: CopyFiles@2 | ||
| condition: and(eq(variables.OS_SKU, 'Ubuntu'), in(variables.OS_VERSION, '22.04', '24.04'), eq(variables.FEATURE_FLAGS, 'None')) | ||
| condition: and(eq(variables.OS_SKU, 'Ubuntu'), in(variables.OS_VERSION, '22.04', '24.04'), in(variables.FEATURE_FLAGS, 'None', 'cvm')) |
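Review bot: the new condition copies the CIS report only when FEATURE_FLAGS is None or cvm; for any other flag value the CopyFiles task is still skipped, so a build that is scanned under another flag (the thread notes CVMs were already scanned before without the report being kept) would again scan without its result reaching artifacts. A short comment next to the condition naming the flag values expected to carry a CIS report would make that intent explicit and stop the list from drifting.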
why is CVM being disabled?
Previously we scanned CVMs too but didn't capture the report from them; the change to this line stores the scan result from CVMs in artifacts.
it doesn't disable CVMs but enables them.
ah sorry, misread, sounds good
| apt_get_update || exit $ERR_APT_UPDATE_TIMEOUT | ||
| pkg_list=(bind9-dnsutils ca-certificates ceph-common cgroup-lite cifs-utils conntrack cracklib-runtime ebtables ethtool glusterfs-client htop init-system-helpers inotify-tools iotop iproute2 ipset iptables nftables jq libpam-pwquality libpwquality-tools mount nfs-common pigz socat sysfsutils sysstat util-linux xz-utils netcat-openbsd zip rng-tools kmod gcc make dkms initramfs-tools linux-headers-$(uname -r) linux-modules-extra-$(uname -r)) | ||
| pkg_list=(apparmor-utils bind9-dnsutils ca-certificates ceph-common cgroup-lite cifs-utils conntrack cracklib-runtime ebtables ethtool glusterfs-client htop init-system-helpers inotify-tools iotop iproute2 ipset iptables nftables jq libpam-pwquality libpwquality-tools mount nfs-common pigz socat sysfsutils sysstat util-linux xz-utils netcat-openbsd zip rng-tools kmod gcc make dkms initramfs-tools linux-headers-$(uname -r) linux-modules-extra-$(uname -r)) |
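Review bot: nothing in the list records why apparmor-utils is now required. The thread below says the CIS rule only checks that the AppArmor utilities are present and that this change switches no profile to enforce or complain; a one-line comment above pkg_list stating that (for example `# CIS: apparmor-utils must be installed; no profiles are changed here`) keeps the package from being dropped later as unused and tells the next reader not to expect behavioural changes from it.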
have you tested that this doesn't cause any unexpected regression?
I'll paste evidence tomorrow, but AppArmor was already enabled before and no new profiles are added/enabled by this change. CIS expects this package to be installed.
AB E2Es pass; do you have an idea for further testing for regressions?
here's output from master:
$ cat /sys/kernel/security/lsm
lockdown,capability,bpf,landlock,yama,apparmor
$ cat /sys/module/apparmor/parameters/enabled
Y
$ sudo aa-status
apparmor module is loaded.
118 profiles are loaded.
23 profiles are in enforce mode.
/usr/bin/man
/usr/sbin/chronyd
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
plasmashell
plasmashell//QtWebEngineProcess
rsyslogd
tcpdump
ubuntu_pro_apt_news
ubuntu_pro_esm_cache
ubuntu_pro_esm_cache//apt_methods
ubuntu_pro_esm_cache//apt_methods_gpgv
ubuntu_pro_esm_cache//cloud_id
ubuntu_pro_esm_cache//dpkg
ubuntu_pro_esm_cache//ps
ubuntu_pro_esm_cache//ubuntu_distro_info
ubuntu_pro_esm_cache_systemctl
ubuntu_pro_esm_cache_systemd_detect_virt
unix-chkpwd
unprivileged_userns
4 profiles are in complain mode.
transmission-cli
transmission-daemon
transmission-gtk
transmission-qt
0 profiles are in prompt mode.
0 profiles are in kill mode.
91 profiles are in unconfined mode.
1password
Discord
MongoDB Compass
QtWebEngineProcess
balena-etcher
brave
buildah
busybox
cam
ch-checkns
ch-run
chrome
crun
devhelp
element-desktop
epiphany
evolution
firefox
flatpak
foliate
geary
github-desktop
goldendict
ipa_verify
kchmviewer
keybase
lc-compliance
libcamerify
linux-sandbox
loupe
lxc-attach
lxc-create
lxc-destroy
lxc-execute
lxc-stop
lxc-unshare
lxc-usernsexec
mmdebstrap
msedge
nautilus
notepadqq
obsidian
opam
opera
pageedit
podman
polypane
privacybrowser
qcam
qmapshack
qutebrowser
rootlesskit
rpm
rssguard
runc
sbuild
sbuild-abort
sbuild-adduser
sbuild-apt
sbuild-checkpackages
sbuild-clean
sbuild-createchroot
sbuild-destroychroot
sbuild-distupgrade
sbuild-hold
sbuild-shell
sbuild-unhold
sbuild-update
sbuild-upgrade
scide
signal-desktop
slack
slirp4netns
steam
stress-ng
surfshark
systemd-coredump
thunderbird
toybox
trinity
tup
tuxedo-control-center
userbindmount
uwsgi-core
vdens
virtiofsd
vivaldi-bin
vpnns
vscode
wike
wpcom
3 processes have profiles defined.
3 processes are in enforce mode.
/usr/sbin/chronyd (915)
/usr/sbin/chronyd (926)
/usr/sbin/rsyslogd (980) rsyslogd
0 processes are in complain mode.
0 processes are in prompt mode.
0 processes are in kill mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
The output afterwards is the same. The rule only cares about the availability of the utils. I didn't try to enable additional profiles (e.g. for runc), which is suggested by a different rule.
if AB E2Es pass we're probably fine, though you could also throw this through our daily VHD build to get full E2E coverage
| apt_get_purge 20 30 120 apache2-utils || exit 1 | ||
| # CIS: Ensure telnet (/ftp) client is not installed | ||
| # CIS: Ufw is not used but interferes with log_martians rule | ||
| apt_get_purge 20 30 120 telnet ftp ufw tnftp inetutils-telnet || exit 1 |
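Review bot: `apt-get purge` exits with an error ("Unable to locate package") when any name on the command line is unknown to the package index, while a known but not-installed package is simply reported as not removed. With all five names in one call and `|| exit 1` behind it, the whole VHD build aborts if tnftp or inetutils-telnet ever disappears from or is renamed in the configured repositories for one of the two Ubuntu releases. Purging only the names `dpkg -l` reports as installed, or purging each name in its own call so one unknown name cannot take the others down, would make this line robust.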
we should also make sure this isn't causing any regressions
how would you suggest we test this for regressions?
ufw was unconfigured in AKS, and this removes the telnet/ftp clients from the host, which are not used by Kubernetes in any way. Azure Linux also never shipped these utilities on the host.
if E2Es are passing we're probably okay
We remove snap so /snap/bin shouldn't be in PATH.
This addresses "Ensure password failed attempts lockout includes root account".
WALAgent does it in a way that is incompatible with the CIS scanner: it forces the password to '*LOCK*', resetting all other fields. The Agent does this on provisioning and deprovisioning. We clear the password ourselves, so we disable the agent's behavior.
This is needed for CIS compliance.
These are only present during scanning but they show up as false positives in the CIS scan results.
This log file is owned by an unprivileged user but will not be used. Clean it up for CIS compliance.
@copilot can you review this PR
Pull request overview
This PR implements CIS Level 1 compliance for Ubuntu 22.04 and 24.04 images, achieving approximately 89% compliance. It introduces a baseline comparison mechanism to detect CIS compliance regressions and applies numerous security hardening measures across various system components.
Changes:
- Added CIS baseline comparison testing to detect regressions against established baselines
- Implemented comprehensive security hardening including PAM configuration, SSH hardening, GRUB password protection, and kernel security parameters
- Updated package dependencies to include apparmor-utils and removed insecure packages (telnet, ftp, ufw)
Reviewed changes
Copilot reviewed 106 out of 106 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| vhdbuilder/packer/vhd-scanning.sh | Added regression testing function to compare CIS scan results against baseline |
| vhdbuilder/packer/cis/baselines/ubuntu/*.txt | New baseline files defining expected CIS compliance for Ubuntu 22.04 and 24.04 |
| parts/linux/cloud-init/artifacts/cis.sh | Added functions for GRUB password, SSH hardening, sudo logging, and waagent configuration |
| parts/linux/cloud-init/artifacts/pam-d-* | Updated PAM configuration files for password policy and account lockout |
| parts/linux/cloud-init/artifacts/faillock-CIS.conf | New faillock configuration for account lockout policy |
| parts/linux/cloud-init/artifacts/sshd_config | Updated SSH configuration with stricter MACs, removed DSA key, added MaxStartups |
| parts/linux/cloud-init/artifacts/sysctl-d-60-CIS.conf | Added ASLR and core dump restrictions |
| parts/linux/cloud-init/artifacts/modprobe-CIS.conf | Added blacklist directives and usb-storage blocking |
| parts/linux/cloud-init/artifacts/pwquality-CIS.conf | Enhanced password quality requirements |
| parts/linux/cloud-init/artifacts/profile-d-cis.sh | Added TMOUT for shell timeout |
| parts/linux/cloud-init/artifacts/ubuntu/cse_install_ubuntu.sh | Added apparmor-utils to package list |
| vhdbuilder/packer/install-dependencies.sh | Removed telnet, ftp, ufw packages; added tar extraction with --no-same-owner |
| vhdbuilder/packer/trivy-scan.sh | Added --no-same-owner flag to tar extraction |
| vhdbuilder/packer/cleanup-vhd.sh | Removed stunnel4 log artifacts |
| vhdbuilder/packer/packer_source.sh | Added faillock and pam-d-common-account file copying |
| pkg/agent/testdata/*/CustomData | Updated binary blobs for all test scenarios |
| .pipelines/templates/.builder-release-template.yaml | Extended CIS report copying to include CVM feature flag |
| chmod 0600 -R /etc/ssh/sshd_config.d/ | ||
| chmod 0755 /etc/ssh/sshd_config.d |
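Review bot: these two lines fix the mode but not the ownership of the drop-in directory and its files, and the CIS check for sshd_config and its include files looks at owner and group (root:root) as well as the mode. Unless ownership is enforced elsewhere in the build, add `chown -R root:root /etc/ssh/sshd_config.d` alongside the chmod so a file dropped in by a non-root provisioning step does not fail the scan. Setting the directory to 0755 first and then `find /etc/ssh/sshd_config.d -type f -exec chmod 0600 {} \;` also avoids the recursive chmod touching the directory entry at all.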
The chmod 0600 -R command on line 268 applies permissions recursively, but immediately after on line 269, the directory itself is set to 0755. This creates a race condition where between the recursive command and the directory permission fix, the directory has 0600 permissions, making it inaccessible to non-root users. Consider setting the directory permissions first, then applying recursive permissions to files only, or use find to set file permissions separately.
| chmod 0600 -R /etc/ssh/sshd_config.d/ | |
| chmod 0755 /etc/ssh/sshd_config.d | |
| chmod 0755 /etc/ssh/sshd_config.d | |
| find /etc/ssh/sshd_config.d -type f -exec chmod 0600 {} \; |
| } | ||
| configureRootPath() { | ||
| sed -i -e 's|:/snap/bin||' /etc/sudoers /etc/environment |
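Review bot: the pattern `:/snap/bin` only strips the entry when it follows another PATH element; a PATH or secure_path that starts with `/snap/bin:` or consists of `/snap/bin` alone is left untouched, so the root PATH check would still see a directory that no longer exists once snap is removed. A pattern that handles both positions (for example dropping `:/snap/bin` and, separately, a leading `/snap/bin:`) closes that gap, and a comment stating which CIS rule this serves (the commit message says the directory must not be in PATH because snap is removed) would help the next reader. Editing /etc/sudoers without a `visudo -c` check is a separate concern already raised in this thread.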
The sed command here modifies /etc/sudoers which is risky. If the pattern doesn't match exactly or if there are multiple occurrences, it could fail silently or produce unexpected results. Additionally, directly editing /etc/sudoers with sed bypasses sudoers validation. Consider using visudo or a more robust approach that validates the syntax before applying changes.
| sed -i -e 's|:/snap/bin||' /etc/sudoers /etc/environment | |
| # Safely update /etc/sudoers by using a temporary file and validating with visudo | |
| local tmp_sudoers | |
| tmp_sudoers=$(mktemp /tmp/sudoers.XXXXXX) | |
| cp /etc/sudoers "$tmp_sudoers" | |
| sed -i -e 's|:/snap/bin||' "$tmp_sudoers" | |
| if visudo -c -f "$tmp_sudoers"; then | |
| cp "$tmp_sudoers" /etc/sudoers | |
| else | |
| echo "visudo validation failed; /etc/sudoers not updated" >&2 | |
| fi | |
| rm -f "$tmp_sudoers" | |
| # Update /etc/environment separately | |
| sed -i -e 's|:/snap/bin||' /etc/environment |
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR brings AKS Ubuntu 22.04 and 24.04 images into compliance with CIS L1 as much as possible (~89% pass). Deviations will be explained in our docs. We now also have a test for regressions compared to compliance baseline.
Some of the implemented changes:
Which issue(s) this PR fixes:
Fixes #
Requirements:
Special notes for your reviewer:
Release note:
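The PR description mentions a test for regressions against the compliance baseline. As an added illustration (not the PR's own vhd-scanning.sh or baseline format), the script below compares a baseline file with a new scan result, treating a rule that fails in both as an accepted deviation and only a PASS-to-FAIL change as a regression; the line format `<rule-id> <PASS|FAIL>` and the rule ids are constructed for the example.

```shell
#!/bin/sh
# Added example, not the PR's vhd-scanning.sh. Assumes a constructed line format
# "<rule-id> <PASS|FAIL>" for both the baseline file and the new scan result file.
set -eu

# Compare a baseline (file 1) with a new scan result (file 2) and print the rule
# ids selected by MODE: regressed (PASS -> FAIL), improved (FAIL -> PASS) or
# unknown (a FAIL on a rule the baseline does not list, e.g. a newer benchmark).
cis_compare() {
  awk -v mode="$1" '
    FILENAME == ARGV[1] { base[$1] = $2; next }
    mode == "unknown"   && !($1 in base) && $2 == "FAIL"                      { print $1 }
    mode == "regressed" && ($1 in base) && base[$1] == "PASS" && $2 == "FAIL" { print $1 }
    mode == "improved"  && ($1 in base) && base[$1] == "FAIL" && $2 == "PASS" { print $1 }
  ' "$2" "$3"
}

# Gate for the end of a scan: fail only on regressions. A rule that fails in both
# files is an accepted, documented deviation, not a regression; improvements and
# unknown failures are reported so the baseline can be tightened or extended.
check_cis_baseline() {
  baseline="$1"; result="$2"
  cis_compare improved "$baseline" "$result" | sed 's/^/improved, tighten baseline: /'
  cis_compare unknown "$baseline" "$result"  | sed 's/^/failing, not in baseline: /'
  regressed=$(cis_compare regressed "$baseline" "$result")
  if [ -n "$regressed" ]; then
    printf 'CIS regression versus baseline: %s\n' $regressed >&2
    return 1
  fi
  return 0
}

# Constructed sample data (rule ids are placeholders, not a benchmark mapping):
# 2.1 regresses, 1.1 improves, 3.1 is an accepted deviation, 4.1 is new to the scanner.
BASELINE=$(mktemp); RESULT=$(mktemp)
trap 'rm -f "$BASELINE" "$RESULT"' EXIT
printf '%s\n' '1.1 FAIL' '2.1 PASS' '3.1 FAIL' '5.1 PASS' >"$BASELINE"
printf '%s\n' '1.1 PASS' '2.1 FAIL' '3.1 FAIL' '5.1 PASS' '4.1 FAIL' >"$RESULT"

if check_cis_baseline "$BASELINE" "$RESULT"; then
  echo "no CIS regressions"
else
  echo "CIS regression check failed"   # outcome for the sample data above
fi
```

A rule present in the baseline but missing from the new result is not flagged here; a scanner that silently drops checks would need that case added to the regressed mode.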