chore(CIS): grub configuration changes to accommodate CIS #1111

jackfrancis · 2019-04-22T16:44:05Z

Reason for Change:

Enables auditing via grub, see https://secscan.acron.pl/centos7/4/1/3

Issue Fixed:

Fixes #1009

Requirements:

uses conventional commit messages
includes documentation
adds unit tests
tested upgrade from previous version

Notes:

acs-bot · 2019-04-22T16:45:12Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jackfrancis

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [jackfrancis]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

jackfrancis · 2019-04-22T17:26:52Z

Validated w/ "ubuntu" distro:

  should validate all cloud-init-paved files
  /Users/jackfrancis/work/src/github.com/Azure/aks-engine/test/e2e/kubernetes/kubernetes_test.go:237

$ k config view -o json

$ k get nodes -o json

$ scp -i /Users/jackfrancis/work/src/github.com/Azure/aks-engine/_output/kubernetes-westus2-28812-ssh -o StrictHostKeyChecking=no scripts/cloud-init-files-validate.sh azureuser@kubernetes-westus2-28812.westus2.cloudapp.azure.com:/tmp/cloud-init-files-validate.sh
2019/04/22 10:06:42 Authorized uses only. All activity may be monitored and reported.


$ ssh -A -i /Users/jackfrancis/work/src/github.com/Azure/aks-engine/_output/kubernetes-westus2-28812-ssh -o ConnectTimeout=30 -o StrictHostKeyChecking=no azureuser@kubernetes-westus2-28812.westus2.cloudapp.azure.com -p 22 scp -o StrictHostKeyChecking=no /tmp/cloud-init-files-validate.sh k8s-agentpool1-12763148-vmss000000:/tmp/cloud-init-files-validate.sh

$ ssh -A -i /Users/jackfrancis/work/src/github.com/Azure/aks-engine/_output/kubernetes-westus2-28812-ssh -p 22 -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR azureuser@kubernetes-westus2-28812.westus2.cloudapp.azure.com ssh -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR k8s-agentpool1-12763148-vmss000000 "/tmp/cloud-init-files-validate.sh"

$ ssh -A -i /Users/jackfrancis/work/src/github.com/Azure/aks-engine/_output/kubernetes-westus2-28812-ssh -o ConnectTimeout=30 -o StrictHostKeyChecking=no azureuser@kubernetes-westus2-28812.westus2.cloudapp.azure.com -p 22 scp -o StrictHostKeyChecking=no /tmp/cloud-init-files-validate.sh k8s-agentpool1-12763148-vmss000001:/tmp/cloud-init-files-validate.sh

$ ssh -A -i /Users/jackfrancis/work/src/github.com/Azure/aks-engine/_output/kubernetes-westus2-28812-ssh -p 22 -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR azureuser@kubernetes-westus2-28812.westus2.cloudapp.azure.com ssh -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR k8s-agentpool1-12763148-vmss000001 "/tmp/cloud-init-files-validate.sh"

$ ssh -A -i /Users/jackfrancis/work/src/github.com/Azure/aks-engine/_output/kubernetes-westus2-28812-ssh -o ConnectTimeout=30 -o StrictHostKeyChecking=no azureuser@kubernetes-westus2-28812.westus2.cloudapp.azure.com -p 22 scp -o StrictHostKeyChecking=no /tmp/cloud-init-files-validate.sh k8s-master-12763148-0:/tmp/cloud-init-files-validate.sh

$ ssh -A -i /Users/jackfrancis/work/src/github.com/Azure/aks-engine/_output/kubernetes-westus2-28812-ssh -p 22 -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR azureuser@kubernetes-westus2-28812.westus2.cloudapp.azure.com ssh -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR k8s-master-12763148-0 "/tmp/cloud-init-files-validate.sh"
•

codecov · 2019-04-22T17:28:46Z

Codecov Report

Merging #1111 into master will increase coverage by <.01%.
The diff coverage is 100%.

@@            Coverage Diff            @@
##           master   #1111      +/-   ##
=========================================
+ Coverage    74.4%   74.4%   +<.01%     
=========================================
  Files         131     131              
  Lines       18283   18284       +1     
=========================================
+ Hits        13603   13604       +1     
  Misses       3901    3901              
  Partials      779     779

CecileRobertMichon · 2019-04-22T17:52:51Z

parts/k8s/cloud-init/artifacts/default-grub

@@ -0,0 +1,35 @@
+# If you change this file, run 'update-grub' afterwards to update


Can we make this file "lighter" by removing a lot of the commented out lines?

mboersma

lgtm

mboersma · 2019-04-22T17:52:51Z

test/e2e/kubernetes/scripts/cloud-init-files-validate.sh

+stat /boot/grub/grub.cfg | grep 'Access: (0400' || exit 1
+# validate grub configuration
+sudo grep "^\s*linux" /boot/grub/grub.cfg | grep 'audit=1' || exit 1


Should we also grep for ipv6.disable=1 or is that not part of the CIS recommendation?

Yeah, in fact this grep is carried over specifically from here:

https://secscan.acron.pl/centos7/4/1/3

acs-bot added the size/M label Apr 22, 2019

acs-bot added the approved label Apr 22, 2019

jackfrancis added this to In progress in CIS spike - Spring 2019 Apr 22, 2019

CecileRobertMichon reviewed Apr 22, 2019

View reviewed changes

mboersma approved these changes Apr 22, 2019

View reviewed changes

jackfrancis added 3 commits April 22, 2019 12:33

chore(CIS): grub configuration changes to accommodate CIS

eb185e0

test: validation needs sudo

d8f14b1

chore: need to apply modified grub config

a18b773

jackfrancis force-pushed the cis-grub-configuration branch from 2ffe464 to a18b773 Compare April 22, 2019 19:33

jackfrancis merged commit 21561b2 into Azure:master Apr 22, 2019

CIS spike - Spring 2019 automation moved this from In progress to Done Apr 22, 2019

jackfrancis deleted the cis-grub-configuration branch April 22, 2019 23:19

jackfrancis mentioned this pull request Apr 23, 2019

fix: /etc/default/grub VHD enforcement #1131

Merged

4 tasks

jackfrancis mentioned this pull request May 6, 2019

revert: /etc/default/grub changes aren't reconcilable over time #1237

Merged

4 tasks

CecileRobertMichon moved this from Done to Won't do in CIS spike - Spring 2019 Aug 23, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(CIS): grub configuration changes to accommodate CIS #1111

chore(CIS): grub configuration changes to accommodate CIS #1111

jackfrancis commented Apr 22, 2019

acs-bot commented Apr 22, 2019

jackfrancis commented Apr 22, 2019

codecov bot commented Apr 22, 2019 •

edited

CecileRobertMichon Apr 22, 2019

mboersma left a comment

mboersma Apr 22, 2019

jackfrancis Apr 22, 2019

		@@ -0,0 +1,35 @@
		# If you change this file, run 'update-grub' afterwards to update

chore(CIS): grub configuration changes to accommodate CIS #1111

chore(CIS): grub configuration changes to accommodate CIS #1111

Conversation

jackfrancis commented Apr 22, 2019

acs-bot commented Apr 22, 2019

jackfrancis commented Apr 22, 2019

codecov bot commented Apr 22, 2019 • edited

Codecov Report

CecileRobertMichon Apr 22, 2019

Choose a reason for hiding this comment

mboersma left a comment

Choose a reason for hiding this comment

mboersma Apr 22, 2019

Choose a reason for hiding this comment

jackfrancis Apr 22, 2019

Choose a reason for hiding this comment

codecov bot commented Apr 22, 2019 •

edited