Merge pull request #82 from k-dimple/main

Add Google how-to: Enable Pro features (includes CIS hardening)

.wordlist.txt

@@ -176,3 +176,5 @@ datastores
 UI
 backoff
 URI
+NIST
+CVEs

google/google-how-to/create-different-instance-types.rst

@@ -3,8 +3,8 @@ Create different instance types on GCP
 
 The procedure for creating different instance types on GCP basically boils down to choosing the correct options on your google console. Some specific examples are given below.
 
-Create and Ubuntu Pro 22.04 instance
-------------------------------------
+Create an Ubuntu Pro instance
+-----------------------------
 
 On your Google Cloud console, while creating a new instance from :guilabel:`Compute Engine` > :guilabel:`VM instances`> :guilabel:`CREATE INSTANCE`:
 
@@ -19,6 +19,27 @@ Once the instance is up, ssh into it and run
 to check that ``livepatch``, ``esm-apps`` and ``esm-infra`` are enabled.
 
 
+Create an Ubuntu Pro FIPS instance
+----------------------------------
+
+On your Google Cloud console, while creating a new instance from :guilabel:`Compute Engine` > :guilabel:`VM instances`> :guilabel:`CREATE INSTANCE`:
+
+* select ``Ubuntu Pro`` and ``Ubuntu 20.04 Pro FIPS Server`` in :guilabel:`Boot disk` > :guilabel:`CHANGE` > :guilabel:`Operating system` and :guilabel:`Version`
+
+Once the instance is up, ssh into it and run
+
+.. code::
+
+   uname -r
+
+The kernel version will include ``fips`` in the name. To check the FIPS packages, run:
+
+.. code::
+
+   dpkg-query -l | grep fips
+
+It should show you a long list of packages with ``fips`` in the name or version.
+
 
 Create an ARM-based instance
 ----------------------------

google/google-how-to/enable-pro-features.rst

@@ -0,0 +1,118 @@
+Enable Ubuntu Pro features
+==========================
+
+Not all Pro features are automatically enabled when you create your Ubuntu Pro VM. They can be enabled individually as per your requirements.
+
+.. Note::
+
+    If you don't have an Ubuntu Pro VM already, you can either create a new instance (refer: :doc:`create-different-instance-types`) or do an in-place upgrade of your LTS VM to Pro (refer: :doc:`upgrade-in-place-from-lts-to-pro`).
+
+
+To check the current status of different Pro services on your VM, SSH into it and run:
+
+.. code::
+
+    ua status
+
+Use the appropriate section below to enable the service that you need.
+
+
+ESM
+---
+
+Extended Security Maintenance (ESM) guarantees a security coverage of 10 years for your Pro VM. So e.g. Ubuntu 22.04 will get security updates till 2032. This feature is automatically enabled with Pro and on running ``ua status``, you should see something like:
+
+.. code::
+
+    SERVICE	    ENTITLED	STATUS	    DESCRIPTION
+    [...]
+    esm-apps	yes	        enabled	    UA Apps: Extended Security Maintenance (ESM)
+    esm-infra	yes	        enabled	    UA Infra: Extended Security Maintenance (ESM)
+
+``esm-infra`` guarantees 10-year security coverage for packages in the "main" repository, which includes Canonical-supported free and open-source software.
+
+``esm-apps`` further extends this coverage to the "universe" repository, which includes community-maintained free and open-source software.
+
+
+
+CIS hardening
+-------------
+
+`CIS Benchmarks`_ are best practices for the secure configuration of a system. Ubuntu Pro includes CIS tooling packages and your Pro VM can be made CIS compliant by enabling the CIS service and then hardening the instance. Enable CIS using:
+
+.. code::
+
+    sudo ua enable cis
+
+With the tooling packages now installed, you can for instance, harden your Ubuntu 16.04 Pro system with CIS level 1 server profile, by running:
+
+.. code::
+
+    sudo /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_16.04_CIS_v1.1.0-harden.sh level1_server
+
+In a few minutes, the hardening process will complete to give you a CIS level 1 compliant environment. To audit the system, run:
+
+.. code::
+
+    sudo cis-audit level1_server
+
+The output should be similar to:
+
+.. code::
+
+    Title   Ensure mounting of cramfs filesystems is disabled
+    Rule    xccdf_com.ubuntu.xenial.cis_rule_CIS-1.1.1.1
+    Result  pass
+    […]
+    CIS audit scan completed. The scan results are available in /usr/share/ubuntu-scap-security-guides/cis-16.04-report.html report.
+
+The HTML report mentioned above will show you your CIS score. For comprehensive CIS hardening instructions, refer to the `Ubuntu CIS Compliance documentation`_.
+
+
+FIPS compliance
+---------------
+
+`Federal Information Processing Standards (FIPS)`_ are standards and guidelines for federal computer systems developed by National Institute of Standards and Technology (NIST).
+
+.. note::
+
+    If your Pro VM was created using the basic Pro version of the OS instead of the FIPS one (i.e say using ``Ubuntu 22.04 Pro Server`` rather than ``Ubuntu 22.04 Pro FIPS Server``), then it will not include the FIPS related packages. You can check this by running ``ua status`` which will show the status of ``fips`` and ``fips-update`` services as ``n/a`` instead of ``disabled`` 
+
+To enable FIPS on your Pro FIPS VM, run:
+
+.. code::
+
+    sudo ua enable fips
+
+The output will be similar to:
+
+.. code::
+
+    One moment, checking your subscription first
+    This will install the FIPS core packages.
+    Are you sure? (y/N) y
+    Updating package lists
+    Installing FIPS packages
+    FIPS enabled
+    A reboot is required to complete install.
+
+Reboot the instance by running ``sudo reboot`` or through the Google Cloud console. Once the machine restarts, you can SSH into it again and run ``ua status`` to verify that the ``fips`` service is enabled.
+
+
+Livepatch
+---------
+
+With livepatch enabled, high and critical CVEs are patched in place on a running kernel, without the need for a reboot. This means that you don't have to worry about kernel related security vulnerabilities. You can avoid unexpected downtime and delay your reboot until the next scheduled maintenance window.
+
+To enable livepatch, run:
+
+.. code::
+
+    sudo ua enable livepatch
+
+Run ``ua status`` to verify that the ``livepatch`` service is enabled.
+
+
+.. _`CIS Benchmarks`: https://www.cisecurity.org/cis-benchmarks
+.. _`Ubuntu CIS Compliance documentation`: https://ubuntu.com/security/certifications/docs/usg/cis#manual-installation
+.. _`Federal Information Processing Standards (FIPS)`: https://www.nist.gov/standardsgov/compliance-faqs-federal-information-processing-standards-fips

google/google-how-to/index.rst

@@ -10,7 +10,7 @@ Linked below are step-by-step guides for some key operations such as: finding Ub
    find-ubuntu-images
    create-different-instance-types
    upgrade-in-place-from-lts-to-pro
-   cis-harden-your-ubuntu-pro
+   enable-pro-features
    deploy-kubernetes-with-ubuntu-pro
    upgrade-from-focal-to-jammy
 

google/google-how-to/upgrade-in-place-from-lts-to-pro.rst

@@ -13,11 +13,11 @@ If your production environment is based on Ubuntu LTS and you need the premium s
 
 .. code::
 
-    gcloud beta compute disks update $INSTANCE_NAME --zone=$ZONE --update-user-licenses=”LICENSE_URI”
+    gcloud beta compute disks update $BOOT_DISK_NAME --zone=$ZONE --update-user-licenses=”LICENSE_URI”
 
 where,
 
-* INSTANCE_NAME: is the name of the boot disk to append the license to
+* BOOT_DISK_NAME: is the name of the boot disk to append the license to
 * ZONE: is the zone containing the boot disk 
 * LICENSE_URI: is the license URI for the Pro version that you are upgrading to. If your VM runs Ubuntu 16.04 LTS, you need to upgrade to Ubuntu Pro 16.04 LTS. Choose the appropriate URI from: