From 2b86fc2ebb2f0e1269432ef12e6a78ecbfcd75d9 Mon Sep 17 00:00:00 2001 From: Dimple Kuriakose Date: Tue, 26 Sep 2023 00:27:11 +0530 Subject: [PATCH 1/2] Add Google how-to: CIS harden your Ubuntu Pro --- .../cis-harden-your-ubuntu-pro.rst | 47 +++++++++++++++++++ .../create-different-instance-types.rst | 2 +- google/google-how-to/index.rst | 4 +- 3 files changed, 51 insertions(+), 2 deletions(-) create mode 100644 google/google-how-to/cis-harden-your-ubuntu-pro.rst diff --git a/google/google-how-to/cis-harden-your-ubuntu-pro.rst b/google/google-how-to/cis-harden-your-ubuntu-pro.rst new file mode 100644 index 00000000..49d06115 --- /dev/null +++ b/google/google-how-to/cis-harden-your-ubuntu-pro.rst @@ -0,0 +1,47 @@ +CIS harden your Ubuntu Pro +========================== + +`CIS Benchmarks`_ are best practices for the secure configuration of a system. Ubuntu Pro is packaged with CIS toolings and can be made CIS compliant. + +If you don't have an Ubuntu Pro VM, you can either create a new instance with Ubuntu Pro on it (as described in :doc:`create-different-instance-types`) or you can do an in-place upgrade of your Ubuntu LTS VM to Ubuntu Pro (as explained in :doc:`upgrade in-place-from-lts-to-pro`). + +SSH into your Ubuntu Pro VM and run: + +.. code:: + + ua status + +You'll see that the CIS service is disabled. To enable it, run: + +.. code:: + + sudo ua enable cis + +Once the command is completed, if you run ``ua status`` again, you'll see that CIS service is enabled. + +Now with the tooling packages installed, you can harden your Ubuntu 16.04 Pro system with CIS level 1 server profile, by running: + +.. code:: + + sudo /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_16.04_CIS_v1.1.0-harden.sh level1_server + +In a few minutes, the hardening process will complete to give you a CIS level 1 compliant environment. To audit the system, run: + +.. code:: + + sudo cis-audit level1_server + +The output should be similar to: + +.. code:: + + Title Ensure mounting of cramfs filesystems is disabled + Rule xccdf_com.ubuntu.xenial.cis_rule_CIS-1.1.1.1 + Result pass + […] + CIS audit scan completed. The scan results are available in /usr/share/ubuntu-scap-security-guides/cis-16.04-report.html report. + +The HTML report mentioned above will show you your CIS score. For comprehensive CIS hardening instructions, refer to the `Ubuntu CIS Compliance documentation`_. + +.. _`CIS Benchmarks`: https://www.cisecurity.org/cis-benchmarks +.. _`Ubuntu CIS Compliance documentation`: https://ubuntu.com/security/certifications/docs/usg/cis#manual-installation diff --git a/google/google-how-to/create-different-instance-types.rst b/google/google-how-to/create-different-instance-types.rst index 3d9806d0..7e23028a 100644 --- a/google/google-how-to/create-different-instance-types.rst +++ b/google/google-how-to/create-different-instance-types.rst @@ -3,7 +3,7 @@ Create different instance types on GCP The procedure for creating different instance types on GCP basically boils down to choosing the correct options on your google console. Some specific examples are given below. - +.. _create_Ubuntu_Pro: Create and Ubuntu Pro 22.04 instance ------------------------------------ diff --git a/google/google-how-to/index.rst b/google/google-how-to/index.rst index eaeff519..9b973d5d 100644 --- a/google/google-how-to/index.rst +++ b/google/google-how-to/index.rst @@ -10,4 +10,6 @@ Linked below are step-by-step guides for some key operations such as: creating i find-ubuntu-images create-different-instance-types deploy-kubernetes-with-ubuntu-pro - upgrade-from-focal-to-jammy \ No newline at end of file + cis-harden-your-ubuntu-pro + upgrade-from-focal-to-jammy + \ No newline at end of file From 39e7c1cc59ca702e82a4e0afb01d3eb1da4cfaf1 Mon Sep 17 00:00:00 2001 From: Dimple Kuriakose Date: Tue, 26 Sep 2023 15:08:51 +0530 Subject: [PATCH 2/2] Add Google how-to: Upgrade in-place from LTS to Pro --- .wordlist.txt | 2 +- .../cis-harden-your-ubuntu-pro.rst | 4 +- .../create-different-instance-types.rst | 1 - google/google-how-to/index.rst | 5 +- .../upgrade-in-place-from-lts-to-pro.rst | 72 +++++++++++++++++++ 5 files changed, 78 insertions(+), 6 deletions(-) create mode 100644 google/google-how-to/upgrade-in-place-from-lts-to-pro.rst diff --git a/.wordlist.txt b/.wordlist.txt index f015badd..2d780c3b 100644 --- a/.wordlist.txt +++ b/.wordlist.txt @@ -175,4 +175,4 @@ checkpointing datastores UI backoff - +URI diff --git a/google/google-how-to/cis-harden-your-ubuntu-pro.rst b/google/google-how-to/cis-harden-your-ubuntu-pro.rst index 49d06115..08717192 100644 --- a/google/google-how-to/cis-harden-your-ubuntu-pro.rst +++ b/google/google-how-to/cis-harden-your-ubuntu-pro.rst @@ -1,9 +1,9 @@ CIS harden your Ubuntu Pro ========================== -`CIS Benchmarks`_ are best practices for the secure configuration of a system. Ubuntu Pro is packaged with CIS toolings and can be made CIS compliant. +`CIS Benchmarks`_ are best practices for the secure configuration of a system. Ubuntu Pro includes CIS tooling packages and can be made CIS compliant. -If you don't have an Ubuntu Pro VM, you can either create a new instance with Ubuntu Pro on it (as described in :doc:`create-different-instance-types`) or you can do an in-place upgrade of your Ubuntu LTS VM to Ubuntu Pro (as explained in :doc:`upgrade in-place-from-lts-to-pro`). +If you don't have an Ubuntu Pro VM, you can either create a new instance with Ubuntu Pro on it (as described in :doc:`create-different-instance-types`) or you can do an in-place upgrade of your Ubuntu LTS VM to Ubuntu Pro (as explained in :doc:`upgrade-in-place-from-lts-to-pro`). SSH into your Ubuntu Pro VM and run: diff --git a/google/google-how-to/create-different-instance-types.rst b/google/google-how-to/create-different-instance-types.rst index 7e23028a..4da61bee 100644 --- a/google/google-how-to/create-different-instance-types.rst +++ b/google/google-how-to/create-different-instance-types.rst @@ -3,7 +3,6 @@ Create different instance types on GCP The procedure for creating different instance types on GCP basically boils down to choosing the correct options on your google console. Some specific examples are given below. -.. _create_Ubuntu_Pro: Create and Ubuntu Pro 22.04 instance ------------------------------------ diff --git a/google/google-how-to/index.rst b/google/google-how-to/index.rst index 9b973d5d..4c114496 100644 --- a/google/google-how-to/index.rst +++ b/google/google-how-to/index.rst @@ -1,7 +1,7 @@ How-to guides ============= -Linked below are step-by-step guides for some key operations such as: creating instances of different types on GCP, deploying Kubernetes on Ubuntu Pro and upgrading from Ubuntu 20.04 to 22.04. +Linked below are step-by-step guides for some key operations such as: finding Ubuntu images, creating instances of different types, upgrading in-place from LTS to Pro, CIS hardening your instance, deploying Kubernetes on Pro and upgrading from Ubuntu 20.04 to 22.04. .. toctree:: @@ -9,7 +9,8 @@ Linked below are step-by-step guides for some key operations such as: creating i find-ubuntu-images create-different-instance-types - deploy-kubernetes-with-ubuntu-pro + upgrade-in-place-from-lts-to-pro cis-harden-your-ubuntu-pro + deploy-kubernetes-with-ubuntu-pro upgrade-from-focal-to-jammy \ No newline at end of file diff --git a/google/google-how-to/upgrade-in-place-from-lts-to-pro.rst b/google/google-how-to/upgrade-in-place-from-lts-to-pro.rst new file mode 100644 index 00000000..dc1aaf01 --- /dev/null +++ b/google/google-how-to/upgrade-in-place-from-lts-to-pro.rst @@ -0,0 +1,72 @@ +Upgrade in-place from LTS to Pro +================================ + +If your production environment is based on Ubuntu LTS and you need the premium security, support or compliance features of Ubuntu Pro, then you don't have to migrate your applications to new Ubuntu Pro VMs. You can just perform an in-place upgrade of your existing machines in three simple steps: + +1. Stop your machine: + +.. code:: + + gcloud compute instances stop $INSTANCE_NAME + +2. Append an Ubuntu Pro license to the disk: + +.. code:: + + gcloud beta compute disks update $INSTANCE_NAME --zone=$ZONE --update-user-licenses=”LICENSE_URI” + +where, + +* INSTANCE_NAME: is the name of the boot disk to append the license to +* ZONE: is the zone containing the boot disk +* LICENSE_URI: is the license URI for the Pro version that you are upgrading to. If your VM runs Ubuntu 16.04 LTS, you need to upgrade to Ubuntu Pro 16.04 LTS. Choose the appropriate URI from: + +.. list-table:: + :header-rows: 1 + :widths: 20 50 + + * - **Version** + - **License URI** + * - Ubuntu Pro 16.04 LTS + - ``https://www.googleapis.com/compute/v1/projects/ubuntu-os-pro-cloud/global/licenses/ubuntu-pro-1604-lts`` + * - Ubuntu Pro 18.04 LTS + - ``https://www.googleapis.com/compute/v1/projects/ubuntu-os-pro-cloud/global/licenses/ubuntu-pro-1804-lts`` + * - Ubuntu Pro 20.04 LTS + - ``https://www.googleapis.com/compute/v1/projects/ubuntu-os-pro-cloud/global/licenses/ubuntu-pro-2004-lts`` + + + +3. Start the machine + +.. code:: + + gcloud compute instances start $INSTANCE_NAME + +You can verify your upgrade by running: + +.. code:: + + ua status + +The output should show the different services available and their current status. Something like: + +.. code:: + + SERVICE ENTITLED STATUS DESCRIPTION + cis yes disabled Center for Internet Security Audit Tools + esm-apps yes enabled UA Apps: Extended Security Maintenance (ESM) + esm-infra yes enabled UA Infra: Extended Security Maintenance (ESM) + fips yes n/a NIST-certified core packages + fips-updates yes n/a NIST-certified core packages with priority security updates + livepatch yes n/a Canonical Livepatch service + +For comprehensive instructions, please refer to the official Google Cloud documentation for `upgrading to Pro`_. + +.. _`upgrading to Pro`: https://cloud.google.com/compute/docs/images/premium/ubuntu-pro/upgrade-from-ubuntu + + + + + + +