From a816a323992f270b3ea49ec1c6b33858075b3321 Mon Sep 17 00:00:00 2001 From: Dimple Kuriakose Date: Thu, 28 Sep 2023 16:55:59 +0530 Subject: [PATCH] Add Google how-to: Enable Pro features (includes CIS hardening) --- .wordlist.txt | 2 + .../cis-harden-your-ubuntu-pro.rst | 47 ------- .../create-different-instance-types.rst | 25 +++- google/google-how-to/enable-pro-features.rst | 118 ++++++++++++++++++ google/google-how-to/index.rst | 2 +- .../upgrade-in-place-from-lts-to-pro.rst | 4 +- 6 files changed, 146 insertions(+), 52 deletions(-) delete mode 100644 google/google-how-to/cis-harden-your-ubuntu-pro.rst create mode 100644 google/google-how-to/enable-pro-features.rst diff --git a/.wordlist.txt b/.wordlist.txt index 2d780c3b..d939e052 100644 --- a/.wordlist.txt +++ b/.wordlist.txt @@ -176,3 +176,5 @@ datastores UI backoff URI +NIST +CVEs \ No newline at end of file diff --git a/google/google-how-to/cis-harden-your-ubuntu-pro.rst b/google/google-how-to/cis-harden-your-ubuntu-pro.rst deleted file mode 100644 index 08717192..00000000 --- a/google/google-how-to/cis-harden-your-ubuntu-pro.rst +++ /dev/null 
@@ -1,47 +0,0 @@ -CIS harden your Ubuntu Pro -========================== - -`CIS Benchmarks`_ are best practices for the secure configuration of a system. Ubuntu Pro includes CIS tooling packages and can be made CIS compliant. - -If you don't have an Ubuntu Pro VM, you can either create a new instance with Ubuntu Pro on it (as described in :doc:`create-different-instance-types`) or you can do an in-place upgrade of your Ubuntu LTS VM to Ubuntu Pro (as explained in :doc:`upgrade-in-place-from-lts-to-pro`). - -SSH into your Ubuntu Pro VM and run: - -.. code:: - - ua status - -You'll see that the CIS service is disabled. To enable it, run: - -.. code:: - - sudo ua enable cis - -Once the command is completed, if you run ``ua status`` again, you'll see that CIS service is enabled. - -Now with the tooling packages installed, you can harden your Ubuntu 16.04 Pro system with CIS level 1 server profile, by running: - -.. code:: - - sudo /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_16.04_CIS_v1.1.0-harden.sh level1_server - -In a few minutes, the hardening process will complete to give you a CIS level 1 compliant environment. To audit the system, run: - -.. code:: - - sudo cis-audit level1_server - -The output should be similar to: - -.. code:: - - Title Ensure mounting of cramfs filesystems is disabled - Rule xccdf_com.ubuntu.xenial.cis_rule_CIS-1.1.1.1 - Result pass - […] - CIS audit scan completed. The scan results are available in /usr/share/ubuntu-scap-security-guides/cis-16.04-report.html report. - -The HTML report mentioned above will show you your CIS score. For comprehensive CIS hardening instructions, refer to the `Ubuntu CIS Compliance documentation`_. - -.. _`CIS Benchmarks`: https://www.cisecurity.org/cis-benchmarks -.. _`Ubuntu CIS Compliance documentation`: https://ubuntu.com/security/certifications/docs/usg/cis#manual-installation 
diff --git a/google/google-how-to/create-different-instance-types.rst b/google/google-how-to/create-different-instance-types.rst index 4da61bee..3f07c9b4 100644 --- a/google/google-how-to/create-different-instance-types.rst +++ b/google/google-how-to/create-different-instance-types.rst @@ -3,8 +3,8 @@ Create different instance types on GCP The procedure for creating different instance types on GCP basically boils down to choosing the correct options on your google console. Some specific examples are given below. -Create and Ubuntu Pro 22.04 instance ------------------------------------- +Create an Ubuntu Pro instance +----------------------------- On your Google Cloud console, while creating a new instance from :guilabel:`Compute Engine` > :guilabel:`VM instances`> :guilabel:`CREATE INSTANCE`: @@ -19,6 +19,27 @@ Once the instance is up, ssh into it and run to check that ``livepatch``, ``esm-apps`` and ``esm-infra`` are enabled. +Create an Ubuntu Pro FIPS instance +---------------------------------- + +On your Google Cloud console, while creating a new instance from :guilabel:`Compute Engine` > :guilabel:`VM instances`> :guilabel:`CREATE INSTANCE`: + +* select ``Ubuntu Pro`` and ``Ubuntu 20.04 Pro FIPS Server`` in :guilabel:`Boot disk` > :guilabel:`CHANGE` > :guilabel:`Operating system` and :guilabel:`Version` + +Once the instance is up, ssh into it and run + +.. code:: + + uname -r + +The kernel version will include ``fips`` in the name. To check the FIPS packages, run: + +.. code:: + + dpkg-query -l | grep fips + +It should show you a long list of packages with ``fips`` in the name or version. + Create an ARM-based instance ---------------------------- diff --git a/google/google-how-to/enable-pro-features.rst b/google/google-how-to/enable-pro-features.rst new file mode 100644 index 00000000..6722c270 --- /dev/null +++ b/google/google-how-to/enable-pro-features.rst 
@@ -0,0 +1,118 @@ +Enable Ubuntu Pro features +========================== + +Not all Pro features are automatically enabled when you create your Ubuntu Pro VM. They can be enabled individually as per your requirements. + +.. Note:: + + If you don't have an Ubuntu Pro VM already, you can either create a new instance (refer: :doc:`create-different-instance-types`) or do an in-place upgrade of your LTS VM to Pro (refer: :doc:`upgrade-in-place-from-lts-to-pro`). + + +To check the current status of different Pro services on your VM, SSH into it and run: + +.. code:: + + ua status + +Use the appropriate section below to enable the service that you need. + + +ESM +--- + +Extended Security Maintenance (ESM) guarantees a security coverage of 10 years for your Pro VM. So e.g. Ubuntu 22.04 will get security updates till 2032. This feature is automatically enabled with Pro and on running ``ua status``, you should see something like: + +.. code:: + + SERVICE ENTITLED STATUS DESCRIPTION + [...] + esm-apps yes enabled UA Apps: Extended Security Maintenance (ESM) + esm-infra yes enabled UA Infra: Extended Security Maintenance (ESM) + +``esm-infra`` guarantees 10-year security coverage for packages in the "main" repository, which includes Canonical-supported free and open-source software. + +``esm-apps`` further extends this coverage to the "universe" repository, which includes community-maintained free and open-source software. + + + +CIS hardening +------------- + +`CIS Benchmarks`_ are best practices for the secure configuration of a system. Ubuntu Pro includes CIS tooling packages and your Pro VM can be made CIS compliant by enabling the CIS service and then hardening the instance. Enable CIS using: + +.. code:: + + sudo ua enable cis + +With the tooling packages now installed, you can for instance, harden your Ubuntu 16.04 Pro system with CIS level 1 server profile, by running: + +.. 
code:: + + sudo /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_16.04_CIS_v1.1.0-harden.sh level1_server + +In a few minutes, the hardening process will complete to give you a CIS level 1 compliant environment. To audit the system, run: + +.. code:: + + sudo cis-audit level1_server + +The output should be similar to: + +.. code:: + + Title Ensure mounting of cramfs filesystems is disabled + Rule xccdf_com.ubuntu.xenial.cis_rule_CIS-1.1.1.1 + Result pass + […] + CIS audit scan completed. The scan results are available in /usr/share/ubuntu-scap-security-guides/cis-16.04-report.html report. + +The HTML report mentioned above will show you your CIS score. For comprehensive CIS hardening instructions, refer to the `Ubuntu CIS Compliance documentation`_. + + +FIPS compliance +--------------- + +`Federal Information Processing Standards (FIPS)`_ are standards and guidelines for federal computer systems developed by National Institute of Standards and Technology (NIST). + +.. note:: + + If your Pro VM was created using the basic Pro version of the OS instead of the FIPS one (i.e say using ``Ubuntu 22.04 Pro Server`` rather than ``Ubuntu 22.04 Pro FIPS Server``), then it will not include the FIPS related packages. You can check this by running ``ua status`` which will show the status of ``fips`` and ``fips-update`` services as ``n/a`` instead of ``disabled`` + +To enable FIPS on your Pro FIPS VM, run: + +.. code:: + + sudo ua enable fips + +The output will be similar to: + +.. code:: + + One moment, checking your subscription first + This will install the FIPS core packages. + Are you sure? (y/N) y + Updating package lists + Installing FIPS packages + FIPS enabled + A reboot is required to complete install. + +Reboot the instance by running ``sudo reboot`` or through the Google Cloud console. Once the machine restarts, you can SSH into it again and run ``ua status`` to verify that the ``fips`` service is enabled. 
+ + +Livepatch +--------- + +With livepatch enabled, high and critical CVEs are patched in place on a running kernel, without the need for a reboot. This means that you don't have to worry about kernel related security vulnerabilities. You can avoid unexpected downtime and delay your reboot until the next scheduled maintenance window. + +To enable livepatch, run: + +.. code:: + + sudo ua enable livepatch + +Run ``ua status`` to verify that the ``livepatch`` service is enabled. + + +.. _`CIS Benchmarks`: https://www.cisecurity.org/cis-benchmarks +.. _`Ubuntu CIS Compliance documentation`: https://ubuntu.com/security/certifications/docs/usg/cis#manual-installation +.. _`Federal Information Processing Standards (FIPS)`: https://www.nist.gov/standardsgov/compliance-faqs-federal-information-processing-standards-fips \ No newline at end of file diff --git a/google/google-how-to/index.rst b/google/google-how-to/index.rst index 4c114496..bdb87676 100644 --- a/google/google-how-to/index.rst +++ b/google/google-how-to/index.rst @@ -10,7 +10,7 @@ Linked below are step-by-step guides for some key operations such as: finding Ub find-ubuntu-images create-different-instance-types upgrade-in-place-from-lts-to-pro - cis-harden-your-ubuntu-pro + enable-pro-features deploy-kubernetes-with-ubuntu-pro upgrade-from-focal-to-jammy \ No newline at end of file diff --git a/google/google-how-to/upgrade-in-place-from-lts-to-pro.rst b/google/google-how-to/upgrade-in-place-from-lts-to-pro.rst index dc1aaf01..61419dde 100644 --- a/google/google-how-to/upgrade-in-place-from-lts-to-pro.rst +++ b/google/google-how-to/upgrade-in-place-from-lts-to-pro.rst 
@@ -13,11 +13,11 @@ If your production environment is based on Ubuntu LTS and you need the premium s .. code:: - gcloud beta compute disks update $INSTANCE_NAME --zone=$ZONE --update-user-licenses=”LICENSE_URI” + gcloud beta compute disks update $BOOT_DISK_NAME --zone=$ZONE --update-user-licenses=”LICENSE_URI” where, -* INSTANCE_NAME: is the name of the boot disk to append the license to +* BOOT_DISK_NAME: is the name of the boot disk to append the license to * ZONE: is the zone containing the boot disk * LICENSE_URI: is the license URI for the Pro version that you are upgrading to. If your VM runs Ubuntu 16.04 LTS, you need to upgrade to Ubuntu Pro 16.04 LTS. Choose the appropriate URI from:
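Review bot: in the `.wordlist.txt` hunk, `+CVEs` is appended without a terminating newline (the `\ No newline at end of file` marker follows it), so the next word added to the list will churn this line again; end the file with a newline while it is being touched.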
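Review bot: deleting `cis-harden-your-ubuntu-pro.rst` outright removes a URL that other pages or reader bookmarks may point at by path; since its content is carried over verbatim into the CIS section of `enable-pro-features.rst`, add a redirect from the old path if the docs build supports one, and grep the tree for any remaining `:doc:` references to `cis-harden-your-ubuntu-pro` before merging (this hunk only updates the one in `index.rst`).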
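Review bot: the new "Create an Ubuntu Pro FIPS instance" section is inconsistent with the rest of the patch: it selects `Ubuntu 20.04 Pro FIPS Server`, while the FIPS note in `enable-pro-features.rst` uses `Ubuntu 22.04 Pro FIPS Server` as its example, and "ssh into it and run" lacks the trailing colon and the capitalised "SSH" used in the other file. Also, `dpkg-query -l | grep fips` only shows that FIPS packages are present on the image, not that the FIPS service is enabled; suggest adding `ua status` as the authoritative check, matching the `enable-pro-features.rst` section that verifies the `fips` service after `sudo ua enable fips`.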
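Review bot: the Livepatch paragraph in `enable-pro-features.rst` overclaims: "you don't have to worry about kernel related security vulnerabilities" contradicts the preceding sentence, which scopes livepatch to high and critical CVEs; reword to something like "This shortens the window in which a high or critical kernel CVE stays unpatched until your next scheduled reboot". Further points in the same file: (1) the CIS example runs the 16.04-specific `Canonical_Ubuntu_16.04_CIS_v1.1.0-harden.sh` and reports to `cis-16.04-report.html`, while the rest of the patch targets 20.04 and 22.04 instances, so state that script name, profile and report path are release-specific and send readers on other releases to the linked Ubuntu CIS Compliance documentation; (2) the harden script rewrites system configuration with no rollback shown, so a sentence recommending a boot-disk snapshot before running it would help; (3) `.. Note::` and `.. note::` directive capitalisation is inconsistent; (4) the FIPS note sentence ends without a period, and the service name `fips-update` should be checked against real `ua status` output, since the ESM section quotes service names verbatim and this one does not; (5) "till 2032" should be "until 2032" and "kernel related" should be "kernel-related"; (6) the new file is added without a trailing newline.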
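Review bot: the rename from `INSTANCE_NAME` to `BOOT_DISK_NAME` is right (the command is `gcloud beta compute disks update`, and the bullet already describes the value as the boot disk), but the `+` line keeps the typographic quotes `”LICENSE_URI”` from the old line; pasted into a shell those characters are passed literally to gcloud instead of acting as quoting, so replace them with straight double quotes: `--update-user-licenses="LICENSE_URI"`.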