Merge pull request vmware-tanzu#40 from ridaz/topic/ridaz/stig

STIG support for photon 1.25 and onwards
DimpleRajaVamsi · Jun 14, 2023 · bb06cbd · bb06cbd
2 parents 9bf40ac + a3dd4cc
commit bb06cbd
Show file tree

Hide file tree

Showing 7 changed files with 49 additions and 6 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -25,6 +25,9 @@ RUN mv /tmp/packer /usr/local/bin/
 # Install Ansible
 RUN pip3 install ansible-core==$ANSIBLE_VERSION
 
+# Install Semver
+RUN pip3 install semver
+
 # Install ovftool
 # TODO: this URL might change or expire so need to look at better way to install it on the container.
 RUN wget https://vdc-download.vmware.com/vmwb-repository/dcr-public/2ee5a010-babf-450b-ab53-fb2fa4de79af/2a136212-2f83-4f5d-a419-232f34dc08cf/VMware-ovftool-4.4.3-18663434-lin.x86_64.zip

diff --git a/ansible/tasks/photon.yml b/ansible/tasks/photon.yml
@@ -13,6 +13,7 @@
     state: absent
 
 - import_tasks: va_hardening.yml
+  when: photon3_stig_compliance != "true"
 
 - name: Enable Apparmor service
   systemd:

diff --git a/build-ova.sh b/build-ova.sh
@@ -13,6 +13,7 @@ tkr_metadata_folder=${image_builder_root}/tkr-metadata/
 custom_ovf_properties_file=${image_builder_root}/custom_ovf_properties.json
 artifacts_output_folder=${image_builder_root}/artifacts
 ova_destination_folder=${artifacts_output_folder}/ovas
+photon3_stig_compliance="false"
 
 function checkout_image_builder_branch() {
     # Check out image builder with specific commit for the
@@ -65,6 +66,32 @@ function generate_custom_ovf_properties() {
     --outfile ${custom_ovf_properties_file}
 }
 
+function check_photon3_stig_compliance() {
+    readarray -d + -t kubernetes_series_arr <<< "$KUBERNETES_VERSION"
+    kubernetes_series=$(echo "${kubernetes_series_arr[0]//v}")
+    printf -v versions '%s\n%s' "1.25.0" "$kubernetes_series"
+    if [[ $versions = "$(sort -V <<< "$versions")" ]]
+    then
+      photon3_stig_compliance="true"
+    fi
+}
+
+function download_photon3_stig_files() {
+    check_photon3_stig_compliance
+    if [ ${OS_TARGET} == "photon-3" ] && [ ${photon3_stig_compliance} == "true" ]
+    then
+      tanzu_compliance_dir="${image_builder_root}/image/ansible/tanzu-compliance"
+      if [ -d "$tanzu_compliance_dir" ]
+      then
+        rm -rf ${tanzu_compliance_dir}
+      fi
+      wget -q http://${ARTIFACTS_CONTAINER_IP}:${ARTIFACTS_CONTAINER_PORT}/artifacts/photon-3-stig-hardening.tar.gz
+      tar -xvf photon-3-stig-hardening.tar.gz -C ${image_builder_root}/image/ansible/
+      mv ${image_builder_root}/image/ansible/photon-3-stig-hardening-* ${tanzu_compliance_dir}
+      rm -rf photon-3-stig-hardening.tar.gz
+    fi
+}
+
 # Enable packer debug logging to the log file
 function packer_logging() {
     mkdir /image-builder/packer_cache
@@ -99,6 +126,7 @@ function main() {
     download_configuration_files
     generate_packager_configuration
     generate_custom_ovf_properties
+    download_photon3_stig_files
     packer_logging
     trigger_image_builder
     copy_ova

diff --git a/goss/goss-vars.yaml b/goss/goss-vars.yaml
@@ -182,9 +182,6 @@ tkg:
       wget:
     command:
     service:
-      sshd.service:
-        enabled: true
-        running: true
       sshd-keygen.service:
         enabled: true
         running: false

diff --git a/hack/make-helpers/build-node-image.sh b/hack/make-helpers/build-node-image.sh
@@ -33,7 +33,7 @@ function build_node_image() {
 	-v $IMAGE_ARTIFACTS_PATH:/image-builder/images/capi/artifacts \
 	-w /image-builder/images/capi/ \
 	-e ARTIFACTS_CONTAINER_IP=$ARTIFACTS_CONTAINER_IP -e ARTIFACTS_CONTAINER_PORT=$ARTIFACTS_CONTAINER_PORT -e OS_TARGET=$OS_TARGET \
-	-e TKR_SUFFIX=$TKR_SUFFIX -e IMAGE_BUILDER_COMMIT_ID=$IMAGE_BUILDER_COMMIT_ID \
+	-e TKR_SUFFIX=$TKR_SUFFIX -e IMAGE_BUILDER_COMMIT_ID=$IMAGE_BUILDER_COMMIT_ID -e KUBERNETES_VERSION=$KUBERNETES_VERSION \
 	$BYOI_IMAGE_NAME
 }
 

diff --git a/packer-variables/default-args.j2 b/packer-variables/default-args.j2
@@ -7,9 +7,12 @@
     "additional_url_images": "true",
     {# docker registry image for local registry to host container images  #}
     "additional_url_images_list": "http://{{ artifacts_container_ip }}:{{ artifacts_container_port }}/artifacts/{{ kubernetes_version }}/bin/linux/amd64/docker_distribution_container_image.tar",
+    {# additional variables passed to the ansible role, if stig is enabled #}
+    {% set photon3_stig_compliance_data = "run_sysctl_net_ipv6_conf_all_mc_forwarding=false run_sysctl_net_ipv6_conf_default_mc_forwarding=false run_sysctl_net_ipv6_conf_eth0_mc_forwarding=false run_sshd_banner=false" %}
+    {% set photon3_stig_custom_role = "/image-builder/images/capi/image/ansible/tanzu-compliance/roles/photon3" %}
     {# variables passed to the ansible role, if required a new custom
     role requires new variable append to this list at the end #}
-    "ansible_user_vars": "artifacts_container_url=http://{{ artifacts_container_ip }}:{{ artifacts_container_port }} dockerVersion={{ docker_distribution }} imageVersion={{ image_version|replace('-', '.') }} ansible_python_interpreter=/usr/bin/python3 addon_image_list=http://{{ artifacts_container_ip }}:{{ artifacts_container_port }}/artifacts/{{ kubernetes_version }}/packages/calico.tar,http://{{ artifacts_container_ip }}:{{ artifacts_container_port }}/artifacts/{{ kubernetes_version }}/packages/metrics-server.tar,http://{{ artifacts_container_ip }}:{{ artifacts_container_port }}/artifacts/{{ kubernetes_version }}/packages/capabilities.tar,http://{{ artifacts_container_ip }}:{{ artifacts_container_port }}/artifacts/{{ kubernetes_version }}/packages/guest-cluster-auth-service.tar,http://{{ artifacts_container_ip }}:{{ artifacts_container_port }}/artifacts/{{ kubernetes_version }}/packages/pinniped.tar,http://{{ artifacts_container_ip }}:{{ artifacts_container_port }}/artifacts/{{ kubernetes_version }}/packages/antrea.tar,http://{{ artifacts_container_ip }}:{{ artifacts_container_port }}/artifacts/{{ kubernetes_version }}/packages/vsphere-cpi.tar,http://{{ artifacts_container_ip }}:{{ artifacts_container_port }}/artifacts/{{ kubernetes_version }}/packages/vsphere-pv-csi.tar,http://{{ artifacts_container_ip }}:{{ artifacts_container_port }}/artifacts/{{ kubernetes_version }}/packages/secretgen-controller.tar,http://{{ artifacts_container_ip }}:{{ artifacts_container_port }}/artifacts/{{ kubernetes_version }}/packages/kapp-controller.tar localhost_addon_image_list={{ calico_package_localhost_path }},{{ metrics_server_package_localhost_path }},{{ capabilities_package_localhost_path }},{{ guest_cluster_auth_service_package_localhost_path }},{{ pinniped_package_localhost_path }},{{ antrea_package_localhost_path }},{{ vsphere_cpi_package_localhost_path }},{{ vsphere_pv_csi_package_localhost_path }},{{ secretgen_controller_package_localhost_path }},{{ kapp_controller_localhost_path }} networkd_dispatcher_download_url=http://{{ artifacts_container_ip }}:{{ artifacts_container_port }}/artifacts/networkd-dispatcher-2.1.tar.bz2 ",
+    "ansible_user_vars": "artifacts_container_url=http://{{ artifacts_container_ip }}:{{ artifacts_container_port }} dockerVersion={{ docker_distribution }} imageVersion={{ image_version|replace('-', '.') }} ansible_python_interpreter=/usr/bin/python3 addon_image_list=http://{{ artifacts_container_ip }}:{{ artifacts_container_port }}/artifacts/{{ kubernetes_version }}/packages/calico.tar,http://{{ artifacts_container_ip }}:{{ artifacts_container_port }}/artifacts/{{ kubernetes_version }}/packages/metrics-server.tar,http://{{ artifacts_container_ip }}:{{ artifacts_container_port }}/artifacts/{{ kubernetes_version }}/packages/capabilities.tar,http://{{ artifacts_container_ip }}:{{ artifacts_container_port }}/artifacts/{{ kubernetes_version }}/packages/guest-cluster-auth-service.tar,http://{{ artifacts_container_ip }}:{{ artifacts_container_port }}/artifacts/{{ kubernetes_version }}/packages/pinniped.tar,http://{{ artifacts_container_ip }}:{{ artifacts_container_port }}/artifacts/{{ kubernetes_version }}/packages/antrea.tar,http://{{ artifacts_container_ip }}:{{ artifacts_container_port }}/artifacts/{{ kubernetes_version }}/packages/vsphere-cpi.tar,http://{{ artifacts_container_ip }}:{{ artifacts_container_port }}/artifacts/{{ kubernetes_version }}/packages/vsphere-pv-csi.tar,http://{{ artifacts_container_ip }}:{{ artifacts_container_port }}/artifacts/{{ kubernetes_version }}/packages/secretgen-controller.tar,http://{{ artifacts_container_ip }}:{{ artifacts_container_port }}/artifacts/{{ kubernetes_version }}/packages/kapp-controller.tar localhost_addon_image_list={{ calico_package_localhost_path }},{{ metrics_server_package_localhost_path }},{{ capabilities_package_localhost_path }},{{ guest_cluster_auth_service_package_localhost_path }},{{ pinniped_package_localhost_path }},{{ antrea_package_localhost_path }},{{ vsphere_cpi_package_localhost_path }},{{ vsphere_pv_csi_package_localhost_path }},{{ secretgen_controller_package_localhost_path }},{{ kapp_controller_localhost_path }} networkd_dispatcher_download_url=http://{{ artifacts_container_ip }}:{{ artifacts_container_port }}/artifacts/networkd-dispatcher-2.1.tar.bz2 {% if photon3_stig_compliance == "true" %}{{ photon3_stig_compliance_data }}{% endif %} photon3_stig_compliance={{ photon3_stig_compliance }}",
     "kubernetes_typed_version": "{{ image_version }}",
     "vmx_version": "17",
     "cpu": "16",
@@ -40,7 +43,7 @@
     "custom_role": "true",
     {# If a custom role is create in a different location append that
     location after mounting that Path using docker #}
-    "custom_role_names": "/image-builder/images/capi/image/ansible",
+    "custom_role_names": "/image-builder/images/capi/image/ansible {% if photon3_stig_compliance == "true" %}{{ photon3_stig_custom_role }}{% endif %}",
     {# Update the required packer based on the OS consumption #}
     {% if os_type == "photon-3" %}
     "distro_version": "3.0",
@@ -49,4 +52,5 @@
     "extra_debs": "unzip iptables-persistent nfs-common",
     "boot_disable_ipv6": "1"
     {% endif %}
+
 }
diff --git a/scripts/tkg_byoi.py b/scripts/tkg_byoi.py
@@ -5,6 +5,7 @@
 import json
 import os
 import shutil
+import semver
 
 import yaml
 from jinja2 import Environment, BaseLoader
@@ -101,6 +102,11 @@ def populate_jinja_args(args):
     jinja_args_map["kubernetes_version"] = jinja_args_map["kubernetes"]
     jinja_args_map["kubernetes_series"] = jinja_args_map["kubernetes"].split('+')[0]
 
+    # Set STIG compliant value
+    jinja_args_map["photon3_stig_compliance"] = "false"
+    if args.os_type == "photon-3":
+        check_photon3_stig_compliance()
+
     images_local_host_paths = get_images_local_host_path(args)
     jinja_args_map.update(images_local_host_paths)
     print("Jinja Args:", jinja_args_map)
@@ -346,6 +352,10 @@ def render_folder_and_append(folder):
 def render_default_config(args):
     packer_vars.update(render_folder_and_append(args.default_config_folder))
 
+def check_photon3_stig_compliance():
+    current_kubernetes_version = jinja_args_map["kubernetes_series"].replace('v', "")
+    if semver.compare(current_kubernetes_version, "1.25.0") >= 0:
+        jinja_args_map["photon3_stig_compliance"] = "true"
 
 if __name__ == "__main__":
     main()