This repository has been archived by the owner on Oct 24, 2023. It is now read-only.

chore(CIS): enforce CIS modprobe recommendations #1061

Merged
merged 1 commit into from Apr 16, 2019

Conversation

jackfrancis
Member

Reason for Change:

Adds modprobe configuration enforcement, following CIS recommendations.

Issue Fixed:

Fixes #986

Requirements:

Notes:

@acs-bot acs-bot added the size/M label Apr 15, 2019
@jackfrancis
Member Author

Verified w/ "ubuntu" distro cluster:

  should validate kernel module configuration
  /Users/jackfrancis/work/src/github.com/Azure/aks-engine/test/e2e/kubernetes/kubernetes_test.go:239

$ k config view -o json

$ k get nodes -o json

$ scp -i /Users/jackfrancis/work/src/github.com/Azure/aks-engine/_output/kubernetes-westus2-75857-ssh -o StrictHostKeyChecking=no scripts/modprobe-config-validate.sh azureuser@kubernetes-westus2-75857.westus2.cloudapp.azure.com:/tmp/modprobe-config-validate.sh
2019/04/15 16:19:30 

$ ssh -A -i /Users/jackfrancis/work/src/github.com/Azure/aks-engine/_output/kubernetes-westus2-75857-ssh -o ConnectTimeout=30 -o StrictHostKeyChecking=no azureuser@kubernetes-westus2-75857.westus2.cloudapp.azure.com -p 22 scp -o StrictHostKeyChecking=no /tmp/modprobe-config-validate.sh k8s-agentpool1-26652949-vmss000000:/tmp/modprobe-config-validate.sh

$ ssh -A -i /Users/jackfrancis/work/src/github.com/Azure/aks-engine/_output/kubernetes-westus2-75857-ssh -p 22 -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR azureuser@kubernetes-westus2-75857.westus2.cloudapp.azure.com ssh -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR k8s-agentpool1-26652949-vmss000000 "/tmp/modprobe-config-validate.sh"
2019/04/15 16:19:32 install /bin/true 
+ modprobe -n -v tipc
+ egrep 'install /bin/true'
++ lsmod
++ grep tipc
+ '[' -s ']'
+ modprobe -n -v dccp
install /bin/true 
install /bin/true 
install /bin/true 
+ egrep 'install /bin/true'
++ lsmod
++ grep dccp
+ '[' -s ']'
+ modprobe -n -v sctp
+ egrep 'install /bin/true'
++ lsmod
++ grep sctp
+ '[' -s ']'
+ modprobe -n -v rds
+ egrep 'install /bin/true'
++ lsmod
++ grep rds
+ '[' -s ']'


$ ssh -A -i /Users/jackfrancis/work/src/github.com/Azure/aks-engine/_output/kubernetes-westus2-75857-ssh -o ConnectTimeout=30 -o StrictHostKeyChecking=no azureuser@kubernetes-westus2-75857.westus2.cloudapp.azure.com -p 22 scp -o StrictHostKeyChecking=no /tmp/modprobe-config-validate.sh k8s-agentpool1-26652949-vmss000001:/tmp/modprobe-config-validate.sh

$ ssh -A -i /Users/jackfrancis/work/src/github.com/Azure/aks-engine/_output/kubernetes-westus2-75857-ssh -p 22 -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR azureuser@kubernetes-westus2-75857.westus2.cloudapp.azure.com ssh -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR k8s-agentpool1-26652949-vmss000001 "/tmp/modprobe-config-validate.sh"
2019/04/15 16:19:34 + modprobe -n -v tipc
+ egrep 'install /bin/true'
install /bin/true 
++ lsmod
++ grep tipc
+ '[' -s ']'
+ modprobe -n -v dccp
+ egrep 'install /bin/true'
install /bin/true 
++ lsmod
++ grep dccp
+ '[' -s ']'
+ modprobe -n -v sctp
+ egrep 'install /bin/true'
install /bin/true 
++ lsmod
++ grep sctp
+ '[' -s ']'
+ modprobe -n -v rds
+ egrep 'install /bin/true'
install /bin/true 
++ lsmod
++ grep rds
+ '[' -s ']'


$ ssh -A -i /Users/jackfrancis/work/src/github.com/Azure/aks-engine/_output/kubernetes-westus2-75857-ssh -o ConnectTimeout=30 -o StrictHostKeyChecking=no azureuser@kubernetes-westus2-75857.westus2.cloudapp.azure.com -p 22 scp -o StrictHostKeyChecking=no /tmp/modprobe-config-validate.sh k8s-master-26652949-0:/tmp/modprobe-config-validate.sh

$ ssh -A -i /Users/jackfrancis/work/src/github.com/Azure/aks-engine/_output/kubernetes-westus2-75857-ssh -p 22 -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR azureuser@kubernetes-westus2-75857.westus2.cloudapp.azure.com ssh -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR k8s-master-26652949-0 "/tmp/modprobe-config-validate.sh"
2019/04/15 16:19:35 install /bin/true 
+ modprobe -n -v tipc
+ egrep 'install /bin/true'
++ lsmod
++ grep tipc
+ '[' -s ']'
+ modprobe -n -v dccp
+ egrep 'install /bin/true'
install /bin/true 
++ lsmod
++ grep dccp
+ '[' -s ']'
+ modprobe -n -v sctp
+ egrep 'install /bin/true'
install /bin/true 
++ lsmod
++ grep sctp
+ '[' -s ']'
+ modprobe -n -v rds
+ egrep 'install /bin/true'
install /bin/true 
++ lsmod
++ grep rds
+ '[' -s ']'
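
As an added illustration of what the validation trace above is checking (this is not the PR's own modprobe-config-validate.sh, which the page shows only through its xtrace output), here is a small POSIX sh script that renders the CIS-style deny-list for the four modules the PR validates and decides, from the captured output of `modprobe -n -v` and `lsmod`, whether each module is effectively disabled. The module list and the `install <module> /bin/true` form follow the CIS benchmark recommendations the PR cites; the destination path `/etc/modprobe.d/CIS.conf` is an assumption, and the decision logic is factored into a function over captured output so it can be exercised without root or a kernel.

```shell
#!/bin/sh
# Added example (not the aks-engine script): render the CIS modprobe
# deny-list for the protocols the PR validates and check a node's state.
# The module list and the "install <mod> /bin/true" form follow the CIS
# Ubuntu benchmark; the destination path is an assumption.

CIS_MODULES="dccp sctp rds tipc"
MODPROBE_CIS_CONF="/etc/modprobe.d/CIS.conf"   # assumed destination path

# Print the modprobe.d content that disables each module by mapping its
# "install" action to /bin/true, so "modprobe <mod>" becomes a no-op.
render_modprobe_conf() {
    for mod in $CIS_MODULES; do
        printf 'install %s /bin/true\n' "$mod"
    done
}

# Decide whether one module is effectively disabled, given the dry-run
# output of "modprobe -n -v <mod>" and the output of "lsmod".
# Returns 0 when the install override is in effect AND the module is not
# currently loaded; 1 otherwise. Pure function: no root, no kernel.
module_disabled() {
    mod="$1"; modprobe_out="$2"; lsmod_out="$3"
    # modprobe -n -v prints the command it would run; with the override
    # in place that line is "install /bin/true".
    printf '%s\n' "$modprobe_out" | grep -q 'install /bin/true' || return 1
    # An install override only blocks future loads; a module that was
    # already resident when the config landed stays loaded until it is
    # removed or the host reboots, so lsmod must not list it either.
    printf '%s\n' "$lsmod_out" | awk '{print $1}' | grep -qx "$mod" && return 1
    return 0
}

# Live check of the running host: run the real modprobe/lsmod for each
# module and report every failure. Exit status 0 means compliant.
check_host() {
    rc=0
    for mod in $CIS_MODULES; do
        if module_disabled "$mod" "$(modprobe -n -v "$mod" 2>&1)" "$(lsmod)"; then
            echo "ok   $mod"
        else
            echo "FAIL $mod (not overridden, or currently loaded)"
            rc=1
        fi
    done
    return $rc
}

# Only touch the host when invoked directly with a subcommand.
case "${1:-}" in
    render) render_modprobe_conf ;;
    check)  check_host ;;
esac
```

Run `sh cis-modprobe.sh check` on a node to audit it, or `sh cis-modprobe.sh render > /etc/modprobe.d/CIS.conf` as root to produce the config. The `lsmod` half of the check is what the `lsmod | grep <module>` step in the trace above is looking for: the override alone does not unload a module that was loaded before the config was written.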


@jackfrancis jackfrancis added this to In progress in CIS spike - Spring 2019 Apr 15, 2019
@codecov

codecov bot commented Apr 15, 2019

Codecov Report

Merging #1061 into master will increase coverage by <.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #1061      +/-   ##
==========================================
+ Coverage   74.33%   74.33%   +<.01%     
==========================================
  Files         131      131              
  Lines       18258    18259       +1     
==========================================
+ Hits        13572    13573       +1     
  Misses       3905     3905              
  Partials      781      781

@@ -18,6 +20,7 @@ cp $SYSCTL_CONFIG_SRC $SYSCTL_CONFIG_DEST
sysctl_reload 20 5 10
cp $ETC_ISSUE_CONFIG_SRC $ETC_ISSUE_CONFIG_DEST
cp $ETC_ISSUE_NET_CONFIG_SRC $ETC_ISSUE_NET_CONFIG_DEST
cp $MODPROBE_CIS_SRC $MODPROBE_CIS_DEST
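Review bot: the new `cp $MODPROBE_CIS_SRC $MODPROBE_CIS_DEST` at the end of this hunk, like the three copies before it, is neither quoted nor checked, so a missing source file or a failed copy leaves the node without the module deny-list while provisioning carries on as if the control were in place. Since this copy is the control the PR exists to enforce, make it fatal, e.g. `cp "$MODPROBE_CIS_SRC" "$MODPROBE_CIS_DEST" || exit 1`, following whatever error-code convention the script already uses. On the ordering question raised below: if `$MODPROBE_CIS_DEST` is under /etc/modprobe.d, the file is read by modprobe at load time and not by sysctl, so placing it after `sysctl_reload` is fine; what the copy cannot do is unload a module that is already resident, which is why the validation script checks `lsmod` as well.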
Contributor


should this be before the reload?

Member Author


As far as my testing uncovered, sysctl --system was not necessary to pull in updated kernel module config.

Member Author


Honestly I think there's a problem here: the sysctl_reload call doesn't really need to be called via VHD CI (it'll be applied when it boots up), but if we are calling it we should at least error out if it fails as a kind of basic validation.

@mboersma mboersma added this to Under Review in backlog Apr 16, 2019
Contributor

@CecileRobertMichon CecileRobertMichon left a comment


/lgtm

@acs-bot acs-bot added the lgtm label Apr 16, 2019
@acs-bot acs-bot merged commit 44f0d43 into Azure:master Apr 16, 2019
backlog automation moved this from Under Review to Done Apr 16, 2019
CIS spike - Spring 2019 automation moved this from In progress to Done Apr 16, 2019
@acs-bot

acs-bot commented Apr 16, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CecileRobertMichon, jackfrancis

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [CecileRobertMichon,jackfrancis]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@mbearup
Contributor

mbearup commented Apr 16, 2019

Additional findings from Nessus scan

1.3.2  Ensure filesystem integrity is regularly checked
Requirement is to put this into root’s crontab.
0 5 * * * /usr/bin/aide --check

1.4.1 Ensure permissions on bootloader config are configured
This should already be set, but is getting reverted to 444. Will have to determine if something is changing this during deprovision or provisioning.
chown root:root /boot/grub/grub.cfg
chmod og-rwx /boot/grub/grub.cfg

1.5.1 Ensure core dumps are restricted
This audit has 2 parts…
"* hard core 0" is already set in /etc/security/limits.d/CIS.conf. This part of the Nessus scan seems broken – it does not expect the '*' at the beginning of the line.
"fs.suid_dumpable = 0" needs to be present in /etc/sysctl.conf or /etc/sysctl.d/*; Could add to /etc/sysctl.d/60-CIS.conf to keep all changes in one place.

2.3.4 Ensure telnet client is not installed
This is installed as a 'recommends' of ubuntu-standard. Easy to remove.
apt remove -y telnet

5.1.8 Ensure at/cron is restricted to authorized users - '/etc/at.deny'
Need to delete /etc/at.deny. 

6.2.8  Ensure users' home directories permissions are 0750 or more restrictive
Must chmod the following folders to 0750.
/var/lib/chrony
/var/lib/misc
/home/jpeacock
/var/lib/lxd/
/home/mbearup
/var/run/dbus
/var/cache/pollinate
/var/spool/postfix
/var/run/sshd
/run/systemd
/run/systemd/netif
/run/systemd
/run/uuidd
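
To make the findings above concrete (an added example, not part of the PR or of aks-engine), here are POSIX sh audit helpers for the three findings that reduce to inspecting a file's content or a directory's mode: both halves of 1.5.1 and the 0750 rule of 6.2.8. They work on content and mode strings passed in as arguments, with a thin wrapper for the live host, so the parsing rules (including accepting the `*` domain that the Nessus check stumbles over) can be tested without root. The `stat -c %a` wrapper assumes GNU coreutils as on the Ubuntu nodes discussed; the fixture text in the usage below is constructed.

```shell
#!/bin/sh
# Added example (not part of the PR or aks-engine): audit helpers for the
# 1.5.1 and 6.2.8 findings, written as pure functions over file contents
# and mode strings so they can be exercised without root.

# 1.5.1 part 1: a "hard core 0" limit in limits.conf or limits.d.
# Accepts "* hard core 0" (what CIS.conf already sets) as well as an
# explicit domain in place of "*", and ignores comment lines; this is the
# case the Nessus check reportedly misses.
limits_hard_core_zero() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        $2 == "hard" && $3 == "core" && $4 == "0" { found = 1 }
        END { exit !found }'
}

# Look up one key in sysctl.conf-style content. Tolerates "key=value" and
# "key = value" spacing, skips # and ; comments, and lets a later line win,
# as sysctl --system does. Prints the value; exits 1 if the key is absent.
sysctl_value() {
    printf '%s\n' "$2" | awk -v key="$1" -F'=' '
        /^[ \t]*[#;]/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v) }
        k == key { val = v; found = 1 }
        END { if (found) print val; exit !found }'
}

# 1.5.1 part 2: fs.suid_dumpable must resolve to 0.
suid_dumpable_restricted() {
    [ "$(sysctl_value fs.suid_dumpable "$1")" = "0" ]
}

# 6.2.8: a home directory mode is 0750 or more restrictive, i.e. no group
# write bit and no bits at all for other. Takes the octal mode as printed
# by "stat -c %a" (e.g. 755 or 0750); a leading setuid/sticky digit is
# ignored because only the permission digits matter here.
mode_at_most_0750() {
    perms=$(printf '%s' "$1" | sed 's/^.*\(...\)$/\1/')
    group=${perms%?}; group=${group#?}   # middle digit
    other=${perms#??}                    # last digit
    case "$group" in 0|1|4|5) ;; *) return 1 ;; esac   # 2,3,6,7 carry write
    [ "$other" = "0" ]
}

# Live audit of one directory on this host (GNU stat assumed).
dir_mode_ok() {
    mode_at_most_0750 "$(stat -c %a "$1")"
}

# Usage on the live host, e.g. for the directories listed in the finding:
#   for d in /var/lib/chrony /var/lib/misc /var/run/sshd; do
#       dir_mode_ok "$d" || echo "FAIL 6.2.8 $d"
#   done
#   suid_dumpable_restricted "$(cat /etc/sysctl.conf /etc/sysctl.d/*.conf)" \
#       || echo "FAIL 1.5.1 fs.suid_dumpable"
```

Feeding the concatenated contents of `/etc/sysctl.conf` and `/etc/sysctl.d/*.conf` to `suid_dumpable_restricted` mirrors what `sysctl --system` loads, so adding `fs.suid_dumpable = 0` to `/etc/sysctl.d/60-CIS.conf`, as suggested above, is picked up by the same check.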

Successfully merging this pull request may close these issues.

CIS modprobe configurations