Merge pull request #80 from k-dimple/main

Add two how-to guides: In-place upgrade to Pro and CIS hardening

.wordlist.txt

@@ -175,4 +175,4 @@ checkpointing
 datastores
 UI
 backoff
-
+URI

google/google-how-to/cis-harden-your-ubuntu-pro.rst

@@ -0,0 +1,47 @@
+CIS harden your Ubuntu Pro
+==========================
+
+`CIS Benchmarks`_ are best practices for the secure configuration of a system. Ubuntu Pro includes CIS tooling packages and can be made CIS compliant.
+
+If you don't have an Ubuntu Pro VM, you can either create a new instance with Ubuntu Pro on it (as described in :doc:`create-different-instance-types`) or you can do an in-place upgrade of your Ubuntu LTS VM to Ubuntu Pro (as explained in :doc:`upgrade-in-place-from-lts-to-pro`).
+
+SSH into your Ubuntu Pro VM and run:
+
+.. code::
+
+    ua status
+
+You'll see that the CIS service is disabled. To enable it, run:
+
+.. code::
+
+    sudo ua enable cis
+
+Once the command is completed, if you run ``ua status`` again, you'll see that CIS service is enabled.
+
+Now with the tooling packages installed, you can harden your Ubuntu 16.04 Pro system with CIS level 1 server profile, by running:
+
+.. code::
+
+    sudo /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_16.04_CIS_v1.1.0-harden.sh level1_server
+
+In a few minutes, the hardening process will complete to give you a CIS level 1 compliant environment. To audit the system, run:
+
+.. code::
+
+    sudo cis-audit level1_server
+
+The output should be similar to:
+
+.. code::
+
+    Title   Ensure mounting of cramfs filesystems is disabled
+    Rule    xccdf_com.ubuntu.xenial.cis_rule_CIS-1.1.1.1
+    Result  pass
+    […]
+    CIS audit scan completed. The scan results are available in /usr/share/ubuntu-scap-security-guides/cis-16.04-report.html report.
+
+The HTML report mentioned above will show you your CIS score. For comprehensive CIS hardening instructions, refer to the `Ubuntu CIS Compliance documentation`_.
+
+.. _`CIS Benchmarks`: https://www.cisecurity.org/cis-benchmarks
+.. _`Ubuntu CIS Compliance documentation`: https://ubuntu.com/security/certifications/docs/usg/cis#manual-installation

google/google-how-to/create-different-instance-types.rst

@@ -3,7 +3,6 @@ Create different instance types on GCP
 
 The procedure for creating different instance types on GCP basically boils down to choosing the correct options on your google console. Some specific examples are given below.
 
-
 Create and Ubuntu Pro 22.04 instance
 ------------------------------------
 

google/google-how-to/index.rst

@@ -1,13 +1,16 @@
 How-to guides
 =============
 
-Linked below are step-by-step guides for some key operations such as: creating instances of different types on GCP, deploying Kubernetes on Ubuntu Pro and upgrading from Ubuntu 20.04 to 22.04.
+Linked below are step-by-step guides for some key operations such as: finding Ubuntu images, creating instances of different types, upgrading in-place from LTS to Pro, CIS hardening your instance, deploying Kubernetes on Pro and upgrading from Ubuntu 20.04 to 22.04.
 
 
 .. toctree::
    :maxdepth: 1
 
    find-ubuntu-images
    create-different-instance-types
+   upgrade-in-place-from-lts-to-pro
+   cis-harden-your-ubuntu-pro
    deploy-kubernetes-with-ubuntu-pro
-   upgrade-from-focal-to-jammy
+   upgrade-from-focal-to-jammy
+

google/google-how-to/upgrade-in-place-from-lts-to-pro.rst

@@ -0,0 +1,72 @@
+Upgrade in-place from LTS to Pro
+================================
+
+If your production environment is based on Ubuntu LTS and you need the premium security, support or compliance features of Ubuntu Pro, then you don't have to migrate your applications to new Ubuntu Pro VMs. You can just perform an in-place upgrade of your existing machines in three simple steps:
+
+1. Stop your machine:
+
+.. code::
+
+    gcloud compute instances stop $INSTANCE_NAME
+
+2. Append an Ubuntu Pro license to the disk:
+
+.. code::
+
+    gcloud beta compute disks update $INSTANCE_NAME --zone=$ZONE --update-user-licenses=”LICENSE_URI”
+
+where,
+
+* INSTANCE_NAME: is the name of the boot disk to append the license to
+* ZONE: is the zone containing the boot disk 
+* LICENSE_URI: is the license URI for the Pro version that you are upgrading to. If your VM runs Ubuntu 16.04 LTS, you need to upgrade to Ubuntu Pro 16.04 LTS. Choose the appropriate URI from: 
+
+.. list-table::
+   :header-rows: 1
+   :widths: 20 50
+
+   * - **Version**
+     - **License URI**
+   * - Ubuntu Pro 16.04 LTS
+     - ``https://www.googleapis.com/compute/v1/projects/ubuntu-os-pro-cloud/global/licenses/ubuntu-pro-1604-lts``
+   * - Ubuntu Pro 18.04 LTS
+     - ``https://www.googleapis.com/compute/v1/projects/ubuntu-os-pro-cloud/global/licenses/ubuntu-pro-1804-lts``
+   * - Ubuntu Pro 20.04 LTS
+     - ``https://www.googleapis.com/compute/v1/projects/ubuntu-os-pro-cloud/global/licenses/ubuntu-pro-2004-lts``
+
+
+
+3. Start the machine
+
+.. code::
+
+    gcloud compute instances start $INSTANCE_NAME
+
+You can verify your upgrade by running:
+
+.. code::
+
+    ua status
+
+The output should show the different services available and their current status. Something like:
+
+.. code::
+
+    SERVICE       ENTITLED  STATUS    DESCRIPTION
+    cis           yes       disabled  Center for Internet Security Audit Tools
+    esm-apps      yes       enabled   UA Apps: Extended Security Maintenance (ESM)
+    esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
+    fips          yes       n/a       NIST-certified core packages
+    fips-updates  yes       n/a       NIST-certified core packages with priority security updates
+    livepatch     yes       n/a       Canonical Livepatch service
+
+For comprehensive instructions, please refer to the official Google Cloud documentation for `upgrading to Pro`_.
+
+.. _`upgrading to Pro`: https://cloud.google.com/compute/docs/images/premium/ubuntu-pro/upgrade-from-ubuntu
+
+
+
+
+
+
+