Merge pull request #111 from konstruktoid/conf

update Ubuntu release
konstruktoid · Oct 10, 2023 · 3f8f3e2 · 3f8f3e2
2 parents 2d6308a + fb0c5b6
commit 3f8f3e2
Show file tree

Hide file tree

Showing 8 changed files with 44 additions and 55 deletions.
diff --git a/README.md b/README.md
@@ -69,8 +69,6 @@ Verification of the built local files can be done using
 
 ## Using the box in a Vagrantfile
 
-### Local box
-
 ```ruby
 Vagrant.configure("2") do |config|
   config.vbguest.installer_options = { allow_kernel_upgrade: true }
@@ -94,44 +92,25 @@ Vagrant.configure("2") do |config|
 end
 ```
 
-### Remote box
-
-```ruby
-Vagrant.configure("2") do |config|
-  config.vbguest.installer_options = { allow_kernel_upgrade: true }
-  config.vm.provider "virtualbox" do |vb|
-    vb.memory = 2048
-    vb.customize ["modifyvm", :id, "--uart1", "0x3F8", "4"]
-    vb.customize ["modifyvm", :id, "--uartmode1", "file", File::NULL]
-  end
-
-  config.vm.define "focal_remote" do |focal_remote|
-    focal_remote.vm.box = "konstruktoid/focal-hardened"
-    focal_remote.vm.hostname = "focalremote"
-  end
-end
-```
-
 ## Repository structure
 
 ```sh
 .
-├── LICENSE
-├── README.md
-├── Vagrantfile
 ├── build_box.sh
 ├── config
 │   ├── ansible.cfg
 │   └── local.yml
 ├── http
 │   ├── meta-data
 │   └── user-data
+├── LICENSE
 ├── output
-│   ├── ubuntu-20.04.4-hardened-server.box
-│   ├── ubuntu-20.04.4-hardened-server.ova
-│   ├── ubuntu-22.04-hardened-server.box
-│   ├── ubuntu-22.04-hardened-server.ova
+│   ├── ubuntu-20.04.6-hardened-server.box
+│   ├── ubuntu-20.04.6-hardened-server.ova
+│   ├── ubuntu-22.04.3-hardened-server.box
+│   ├── ubuntu-22.04.3-hardened-server.ova
 │   └── ubuntu-hardened-server.sha256
+├── README.md
 ├── renovate.json
 ├── scripts
 │   ├── aws.sh
@@ -140,13 +119,15 @@ end
 │   ├── minimize.sh
 │   ├── postproc.sh
 │   └── vagrant.sh
+├── SECURITY.md
 ├── ubuntu-20.04-vars.json
 ├── ubuntu-22.04-vars.json
 ├── ubuntu-aws-vars.json
 ├── ubuntu-hardened-aws.pkr.hcl
-└── ubuntu-hardened-box.pkr.hcl
+├── ubuntu-hardened-box.pkr.hcl
+└── Vagrantfile
 
-4 directories, 25 files
+4 directories, 26 files
 ```
 
 ## Contributing

diff --git a/Vagrantfile b/Vagrantfile
@@ -9,12 +9,12 @@ Vagrant.configure("2") do |config|
   config.vm.define "focal" do |focal|
     focal.vm.hostname = "hardened-focal"
     focal.vm.box = "ubuntu-focal/20.04"
-    focal.vm.box_url = "file://output/ubuntu-20.04.4-hardened-server.box"
+    focal.vm.box_url = "file://output/ubuntu-20.04.6-hardened-server.box"
   end
 
   config.vm.define "jammy" do |jammy|
     jammy.vm.hostname = "hardened-jammy"
     jammy.vm.box = "ubuntu-jammy/22.04"
-    jammy.vm.box_url = "file://output/ubuntu-22.04-hardened-server.box"
+    jammy.vm.box_url = "file://output/ubuntu-22.04.3-hardened-server.box"
   end
 end
diff --git a/config/local.yml b/config/local.yml
@@ -26,7 +26,8 @@
       ansible.builtin.include_role:
         name: konstruktoid.hardening
       vars:
-        block_blacklisted: true
+        auditd_apply_audit_rules: false
+        block_blacklisted: false
         install_aide: false
         sshd_admin_net: "0.0.0.0/0"
         sshd_allow_groups: "ubuntu vagrant"

diff --git a/http/user-data b/http/user-data
@@ -3,9 +3,6 @@ package_upgrade: true
 autoinstall:
   version: 1
   locale: en_US
-  keyboard:
-    layout: en
-    variant: us
   network:
     network:
       version: 2

diff --git a/scripts/hardening.sh b/scripts/hardening.sh
@@ -13,11 +13,13 @@ cd /tmp || exit 1
 ansible-playbook -i '127.0.0.1,' -c local ./local.yml
 
 ufw disable;
+
 systemctl restart sshd
 
 find /etc -name '*.bak' -exec rm -f {} \;
 
 if id vagrant; then
+  sed -i 's/AllowUsers.*/AllowUsers vagrant/g' /etc/ssh/sshd_config.d/01-hardening.conf
   chage --maxdays 365 vagrant
   chage --mindays 1 vagrant
 fi
diff --git a/ubuntu-22.04-vars.json b/ubuntu-22.04-vars.json
@@ -1,4 +1,4 @@
 {
-  "release": "22.04.2",
-  "iso_checksum": "5e38b55d57d94ff029719342357325ed3bda38fa80054f9330dc789cd2d43931"
+  "release": "22.04.3",
+  "iso_checksum": "a4acfda10b18da50e2ec50ccaf860d7f20b389df8765611142305c0e911d16fd"
 }
diff --git a/ubuntu-hardened-aws.pkr.hcl b/ubuntu-hardened-aws.pkr.hcl
@@ -13,7 +13,9 @@ variable "release" {
   type        = string
 }
 
-locals { timestamp = regex_replace(timestamp(), "[- TZ:]", "") }
+locals {
+  timestamp = regex_replace(timestamp(), "[- TZ:]", "")
+}
 
 packer {
   required_plugins {

diff --git a/ubuntu-hardened-box.pkr.hcl b/ubuntu-hardened-box.pkr.hcl
@@ -10,6 +10,7 @@ variable "iso_checksum" {
 
 locals {
   basename = "ubuntu-${var.release}"
+  major    = substr("${var.release}", 0, 5)
 }
 
 packer {
@@ -18,6 +19,10 @@ packer {
       version = ">= 1.0.2"
       source  = "github.com/hashicorp/vagrant"
     }
+    virtualbox = {
+      version = "~> 1"
+      source  = "github.com/hashicorp/virtualbox"
+    }
   }
 }
 
@@ -38,24 +43,25 @@ source "virtualbox-iso" "ubuntu-hardened-server" {
     "--vsys", "0",
     "--description", "${local.basename} hardened server"
   ]
-  format                 = "ova"
-  guest_additions_mode   = "disable"
-  guest_os_type          = "Ubuntu_64"
-  hard_drive_interface   = "sata"
-  http_directory         = "http"
-  iso_checksum           = "sha256:${var.iso_checksum}"
-  iso_urls               = ["https://releases.ubuntu.com/${var.release}/${local.basename}-live-server-amd64.iso"]
-  memory                 = 2048
-  output_directory       = "build"
-  output_filename        = "${local.basename}-hardened-server"
-  shutdown_command       = "echo 'vagrant' | sudo -S shutdown -P now"
+  cpus                      = 2
+  format                    = "ova"
+  guest_additions_mode      = "disable"
+  guest_os_type             = "Ubuntu_64"
+  hard_drive_interface      = "sata"
+  http_directory            = "http"
+  iso_checksum              = "sha256:${var.iso_checksum}"
+  iso_urls                  = ["https://releases.ubuntu.com/${local.major}/${local.basename}-live-server-amd64.iso"]
+  memory                    = 2048
+  output_directory          = "build"
+  output_filename           = "${local.basename}-hardened-server"
+  shutdown_command          = "echo 'vagrant' | sudo -S shutdown -P now"
   ssh_clear_authorized_keys = "true"
-  ssh_handshake_attempts = "300"
-  ssh_password           = "vagrant"
-  ssh_pty                = true
-  ssh_timeout            = "1800s"
-  ssh_username           = "vagrant"
-  vboxmanage             = [["modifyvm", "{{.Name}}", "--firmware", "EFI"], ["modifyvm", "{{ .Name }}", "--uart1", "off"]]
+  ssh_handshake_attempts    = "300"
+  ssh_password              = "vagrant"
+  ssh_pty                   = true
+  ssh_timeout               = "1800s"
+  ssh_username              = "vagrant"
+  vboxmanage                = [["modifyvm", "{{.Name}}", "--firmware", "EFI"], ["modifyvm", "{{ .Name }}", "--uart1", "off"]]
 }
 
 build {