diff --git a/.pipelines/.vsts-vhd-builder-release.yaml b/.pipelines/.vsts-vhd-builder-release.yaml
index d903a37ff92..2d7a9d3f2f7 100644
--- a/.pipelines/.vsts-vhd-builder-release.yaml
+++ b/.pipelines/.vsts-vhd-builder-release.yaml
@@ -98,6 +98,14 @@ parameters:
 displayName: Build 2004 FIPS Gen2 containerd
 type: boolean
 default: true
+- name: build2204fipscontainerd
+ displayName: Build 2204 FIPS containerd
+ type: boolean
+ default: false
+- name: build2204fipsgen2containerd
+ displayName: Build 2204 FIPS Gen2 containerd
+ type: boolean
+ default: false
 - name: build2204arm64gen2containerd
 displayName: Build 2204 ARM64 Gen2 containerd
 type: boolean
@@ -779,6 +787,60 @@ stages:
 - template: ./templates/.builder-release-template.yaml
 parameters:
 artifactName: 2004-fips-gen2-containerd
+ - stage: build_vhd_2204_fips_containerd
+ dependsOn: []
+ condition: eq('${{ parameters.build2204fipscontainerd }}', true)
+ jobs:
+ - job: build
+ timeoutInMinutes: 180
+ steps:
+ - bash: |
+ echo '##vso[task.setvariable variable=DRY_RUN]${{parameters.dryrun}}'
+ echo '##vso[task.setvariable variable=OS_SKU]Ubuntu'
+ echo '##vso[task.setvariable variable=OS_VERSION]22.04'
+ echo '##vso[task.setvariable variable=IMG_PUBLISHER]Canonical'
+ echo '##vso[task.setvariable variable=IMG_OFFER]0001-com-ubuntu-server-jammy'
+ echo '##vso[task.setvariable variable=IMG_SKU]22_04-lts'
+ echo '##vso[task.setvariable variable=HYPERV_GENERATION]V1'
+ echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_DS2_v2'
+ echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
+ echo '##vso[task.setvariable variable=CONTAINER_RUNTIME]containerd'
+ echo '##vso[task.setvariable variable=ARCHITECTURE]X86_64'
+ echo '##vso[task.setvariable variable=ENABLE_FIPS]True'
+ echo '##vso[task.setvariable variable=ENABLE_TRUSTED_LAUNCH]False'
+ echo '##vso[task.setvariable variable=SGX_INSTALL]False'
+ echo '##vso[task.setvariable variable=IMG_VERSION]latest'
+ displayName: Setup Build Variables
+ - template: ./templates/.builder-release-template.yaml
+ parameters:
+ artifactName: 2204-fips-containerd
+ - stage: build_vhd_2204_fips_gen2_containerd
+ dependsOn: []
+ condition: eq('${{ parameters.build2204fipsgen2containerd }}', true)
+ jobs:
+ - job: build
+ timeoutInMinutes: 180
+ steps:
+ - bash: |
+ echo '##vso[task.setvariable variable=DRY_RUN]${{parameters.dryrun}}'
+ echo '##vso[task.setvariable variable=OS_SKU]Ubuntu'
+ echo '##vso[task.setvariable variable=OS_VERSION]22.04'
+ echo '##vso[task.setvariable variable=IMG_PUBLISHER]Canonical'
+ echo '##vso[task.setvariable variable=IMG_OFFER]0001-com-ubuntu-server-jammy'
+ echo '##vso[task.setvariable variable=IMG_SKU]22_04-lts-gen2'
+ echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
+ echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_DS2_v2'
+ echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
+ echo '##vso[task.setvariable variable=CONTAINER_RUNTIME]containerd'
+ echo '##vso[task.setvariable variable=ARCHITECTURE]X86_64'
+ echo '##vso[task.setvariable variable=ENABLE_FIPS]True'
+ echo '##vso[task.setvariable variable=ENABLE_TRUSTED_LAUNCH]False'
+ echo '##vso[task.setvariable variable=SGX_INSTALL]False'
+ echo '##vso[task.setvariable variable=IMG_VERSION]latest'
+ displayName: Setup Build Variables
+ - template: ./templates/.builder-release-template.yaml
+ parameters:
+ artifactName: 2204-fips-gen2-containerd
 - stage: build_vhd_2204_arm64_gen2_containerd
 dependsOn: []
 condition: eq('${{ parameters.build2204arm64gen2containerd }}', true)
diff --git a/.pipelines/templates/.builder-release-template.yaml b/.pipelines/templates/.builder-release-template.yaml
index dbbc9d785f1..4019a99ecc3 100644
--- a/.pipelines/templates/.builder-release-template.yaml
+++ b/.pipelines/templates/.builder-release-template.yaml
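Review bot: Both new stages set `IMG_VERSION` to `latest` while enabling `ENABLE_FIPS`, so the marketplace base image a FIPS VHD is built from is not recoverable from the pipeline definition; the `sshd_config_2204_fips` added in this same commit says it was relaxed for one specific kernel (`5.15.0-1059-azure-fips`), which suggests this SKU is more sensitive to base-image drift than the others. Consider resolving `latest` to a concrete version at the start of the job and recording it with the artifact, or pinning it here (the existing 2004 FIPS stages presumably do the same, so the point applies to them too). The two stages differ only in `IMG_SKU`, `HYPERV_GENERATION` and `artifactName`, which matches the file's per-SKU pattern; a comment on the second `- stage:` line such as `# Gen2 FIPS: only IMG_SKU and HYPERV_GENERATION differ from build_vhd_2204_fips_containerd` would make that explicit. The `stages:` list continues outside the hunk.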
@@ -56,8 +56,7 @@ steps:
 if [[ ${OS_VERSION} == "V2" && ${ARCHITECTURE,,} == "arm64" ]]; then SKU_NAME="${SKU_NAME}arm64"; fi && \
 if [[ ${OS_VERSION} == "18.04" && ${ARCHITECTURE,,} == "arm64" ]]; then SKU_NAME="${SKU_NAME}arm64"; fi && \
 if [[ ${OS_VERSION} == "22.04" && ${ARCHITECTURE,,} == "arm64" ]]; then SKU_NAME="${SKU_NAME}arm64"; fi && \
- if [[ ${OS_VERSION} == "18.04" && ${ENABLE_FIPS,,} == "true" ]]; then SKU_NAME="${SKU_NAME}fips"; fi && \
- if [[ ${OS_VERSION} == "20.04" && ${ENABLE_FIPS,,} == "true" ]]; then SKU_NAME="${SKU_NAME}fips"; fi && \
+ if [[ (${OS_VERSION} == "18.04" || ${OS_VERSION} == "20.04" || ${OS_VERSION} == "22.04") && ${ENABLE_FIPS,,} == "true" ]]; then SKU_NAME="${SKU_NAME}fips"; fi && \
 if [[ ${OS_VERSION} == "V2" && ${ENABLE_FIPS,,} == "true" ]]; then SKU_NAME="${SKU_NAME}fips"; fi && \
 if [[ "$(FEATURE_FLAGS)" == *"fullgpu"* ]]; then SKU_NAME="${SKU_NAME}gpu"; fi && \
 if [[ "${IMG_SKU}" == "20_04-lts-cvm" ]]; then SKU_NAME="${SKU_NAME}CVM"; fi && \
diff --git a/parts/linux/cloud-init/artifacts/sshd_config_2204_fips b/parts/linux/cloud-init/artifacts/sshd_config_2204_fips
new file mode 100644
index 00000000000..1b92a7d430f
--- /dev/null
+++ b/parts/linux/cloud-init/artifacts/sshd_config_2204_fips
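Review bot: The merged condition is an allow-list of `OS_VERSION` values, so a build with `ENABLE_FIPS` true on any release not named here silently gets no `fips` suffix and is published under the same `SKU_NAME` as the non-FIPS image; the pre-existing `V2` line below has the same shape. Because the suffix is what distinguishes the artifact, the unmatched case should fail the step rather than fall through, e.g. directly after the `V2` line: `if [[ ${ENABLE_FIPS,,} == "true" && ${SKU_NAME} != *fips* ]]; then echo "ENABLE_FIPS is set but OS_VERSION ${OS_VERSION} has no fips SKU mapping"; exit 1; fi && \`. The `bash` step this `&&` chain belongs to starts and ends outside the hunk.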
@@ -0,0 +1,92 @@
+# This file is a copy of the default sshd_config file, but relaxes used encryption
+# for sshd to work with 5.15.0-1059-azure-fips
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+
+# 5.2.11 Ensure only approved MAC algorithms are used
+# Disabled for FIPS
+# MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+# KexAlgorithms curve25519-sha256@libssh.org
+# Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+
+# 5.2.12 Ensure SSH Idle Timeout Interval is configured
+ClientAliveInterval 120
+ClientAliveCountMax 3
+
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 60
+
+# 5.2.8 Ensure SSH root login is disabled
+PermitRootLogin no
+# 5.2.10 Ensure SSH PermitUserEnvironment is disabled
+PermitUserEnvironment no
+
+StrictModes yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# similar for protocol version 2
+HostbasedAuthentication no
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# 5.2.4 Ensure SSH X11 forwarding is disabled
+X11Forwarding no
+
+# 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less
+MaxAuthTries 4
+
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+UseDNS no
+GSSAPIAuthentication no
+
+# Mariner AKS CIS Benchmark: Ensure SSH access is limited
+DenyUsers root omsagent nxautomation
diff --git a/pkg/templates/templates_generated.go b/pkg/templates/templates_generated.go
index 7e8274a903c..5dc58e9dd51 100644
--- a/pkg/templates/templates_generated.go
+++ b/pkg/templates/templates_generated.go
@@ -86,6 +86,7 @@
 // linux/cloud-init/artifacts/sshd_config
 // linux/cloud-init/artifacts/sshd_config_1604
 // linux/cloud-init/artifacts/sshd_config_1804_fips
+// linux/cloud-init/artifacts/sshd_config_2204_fips
 // linux/cloud-init/artifacts/sync-container-logs.service
 // linux/cloud-init/artifacts/sync-container-logs.sh
 // linux/cloud-init/artifacts/sysctl-d-60-CIS.conf
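Review bot: `HostKey /etc/ssh/ssh_host_dsa_key` is carried over from the 18.04 FIPS variant; DSA is not a FIPS-approved signature algorithm and OpenSSH has shipped with ssh-dss disabled by default since 7.0, so on 22.04 this line at best yields a "Could not load host key" warning at startup and should be dropped. The `MACs`/`KexAlgorithms`/`Ciphers` lines are commented out under `# Disabled for FIPS`, which removes the CIS 5.2.11 control entirely and leaves algorithm negotiation to the library defaults; if the original list was rejected by the FIPS build, the likely culprits are only the non-approved entries (`chacha20-poly1305@openssh.com`, the `umac-128*` MACs and `curve25519-sha256@libssh.org`), so keeping the AES-GCM/AES-CTR ciphers, the `hmac-sha2-*` MACs and an approved KEX explicitly would preserve the benchmark's intent — worth confirming against the 22.04 FIPS OpenSSH build. `Protocol 2` and `#UseLogin no` are no-ops on this OpenSSH version, and the header comment pinning `5.15.0-1059-azure-fips` will go stale at the first kernel update; a comment that states which algorithms were removed and why is more durable than the kernel version.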
@@ -6860,6 +6861,115 @@ func linuxCloudInitArtifactsSshd_config_1804_fips() (*asset, error) {
 return a, nil
 }
 
+var _linuxCloudInitArtifactsSshd_config_2204_fips = []byte(`# This file is a copy of the default sshd_config file, but relaxes used encryption
+# for sshd to work with 5.15.0-1059-azure-fips
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+
+# 5.2.11 Ensure only approved MAC algorithms are used
+# Disabled for FIPS
+# MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+# KexAlgorithms curve25519-sha256@libssh.org
+# Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+
+# 5.2.12 Ensure SSH Idle Timeout Interval is configured
+ClientAliveInterval 120
+ClientAliveCountMax 3
+
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 60
+
+# 5.2.8 Ensure SSH root login is disabled
+PermitRootLogin no
+# 5.2.10 Ensure SSH PermitUserEnvironment is disabled
+PermitUserEnvironment no
+
+StrictModes yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# similar for protocol version 2
+HostbasedAuthentication no
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# 5.2.4 Ensure SSH X11 forwarding is disabled
+X11Forwarding no
+
+# 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less
+MaxAuthTries 4
+
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+UseDNS no
+GSSAPIAuthentication no
+
+# Mariner AKS CIS Benchmark: Ensure SSH access is limited
+DenyUsers root omsagent nxautomation
+`)
+
+func linuxCloudInitArtifactsSshd_config_2204_fipsBytes() ([]byte, error) {
+ return _linuxCloudInitArtifactsSshd_config_2204_fips, nil
+}
+
+func linuxCloudInitArtifactsSshd_config_2204_fips() (*asset, error) {
+ bytes, err := linuxCloudInitArtifactsSshd_config_2204_fipsBytes()
+ if err != nil {
+ return nil, err
+ }
+
+ info := bindataFileInfo{name: "linux/cloud-init/artifacts/sshd_config_2204_fips", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
+ a := &asset{bytes: bytes, info: info}
+ return a, nil
+}
+
 var _linuxCloudInitArtifactsSyncContainerLogsService = []byte(`[Unit]
 Description=Syncs AKS pod log symlinks so that WALinuxAgent can include kube-system pod logs in the hourly upload.
 After=containerd.service
@@ -9414,6 +9524,7 @@ var _bindata = map[string]func() (*asset, error){
 "linux/cloud-init/artifacts/sshd_config": linuxCloudInitArtifactsSshd_config,
 "linux/cloud-init/artifacts/sshd_config_1604": linuxCloudInitArtifactsSshd_config_1604,
 "linux/cloud-init/artifacts/sshd_config_1804_fips": linuxCloudInitArtifactsSshd_config_1804_fips,
+ "linux/cloud-init/artifacts/sshd_config_2204_fips": linuxCloudInitArtifactsSshd_config_2204_fips,
 "linux/cloud-init/artifacts/sync-container-logs.service": linuxCloudInitArtifactsSyncContainerLogsService,
 "linux/cloud-init/artifacts/sync-container-logs.sh": linuxCloudInitArtifactsSyncContainerLogsSh,
 "linux/cloud-init/artifacts/sysctl-d-60-CIS.conf": linuxCloudInitArtifactsSysctlD60CisConf,
@@ -9565,6 +9676,7 @@ var _bintree = &bintree{nil, map[string]*bintree{
 "sshd_config": &bintree{linuxCloudInitArtifactsSshd_config, map[string]*bintree{}},
 "sshd_config_1604": &bintree{linuxCloudInitArtifactsSshd_config_1604, map[string]*bintree{}},
 "sshd_config_1804_fips": &bintree{linuxCloudInitArtifactsSshd_config_1804_fips, map[string]*bintree{}},
+ "sshd_config_2204_fips": &bintree{linuxCloudInitArtifactsSshd_config_2204_fips, map[string]*bintree{}},
 "sync-container-logs.service": &bintree{linuxCloudInitArtifactsSyncContainerLogsService, map[string]*bintree{}},
 "sync-container-logs.sh": &bintree{linuxCloudInitArtifactsSyncContainerLogsSh, map[string]*bintree{}},
 "sysctl-d-60-CIS.conf": &bintree{linuxCloudInitArtifactsSysctlD60CisConf, map[string]*bintree{}},
diff --git a/vhdbuilder/packer/packer_source.sh b/vhdbuilder/packer/packer_source.sh
index 5600b38a742..9e1e0f17aff 100644
--- a/vhdbuilder/packer/packer_source.sh
+++ b/vhdbuilder/packer/packer_source.sh
@@ -247,6 +247,8 @@ copyPackerFiles() {
 SSHD_CONFIG_SRC=/home/packer/sshd_config_1604
 elif [[ ${UBUNTU_RELEASE} == "18.04" && ${ENABLE_FIPS,,} == "true" ]]; then
 SSHD_CONFIG_SRC=/home/packer/sshd_config_1804_fips
+ elif [[ ${UBUNTU_RELEASE} == "22.04" && ${ENABLE_FIPS,,} == "true" ]]; then
+ SSHD_CONFIG_SRC=/home/packer/sshd_config_2204_fips
 fi
 
 # Install AKS log collector
diff --git a/vhdbuilder/packer/pre-install-dependencies.sh b/vhdbuilder/packer/pre-install-dependencies.sh
index df9b0a7dbbb..26f72ab00d8 100644
--- a/vhdbuilder/packer/pre-install-dependencies.sh
+++ b/vhdbuilder/packer/pre-install-dependencies.sh
@@ -120,7 +120,7 @@ if [[ ${OS} == ${MARINER_OS_NAME} ]] && [[ "${ENABLE_CGROUPV2,,}" == "true" ]];
 enableCgroupV2forAzureLinux
 fi
 
-if [[ "${UBUNTU_RELEASE}" == "22.04" ]]; then
+if [[ "${UBUNTU_RELEASE}" == "22.04" && "${ENABLE_FIPS,,}" != "true" ]]; then
 echo "Logging the currently running kernel: $(uname -r)"
 echo "Before purging kernel, here is a list of kernels/headers installed:"; dpkg -l 'linux-*azure*'
diff --git a/vhdbuilder/packer/test/linux-vhd-content-test.sh b/vhdbuilder/packer/test/linux-vhd-content-test.sh
index d7b14dd8fc6..7ad5eb2bf79 100644
--- a/vhdbuilder/packer/test/linux-vhd-content-test.sh
+++ b/vhdbuilder/packer/test/linux-vhd-content-test.sh
@@ -271,7 +271,7 @@ testFips() {
 os_version=$1
 enable_fips=$2
 
- if [[ (${os_version} == "18.04" || ${os_version} == "20.04" || ${os_version} == "V2") && ${enable_fips,,} == "true" ]]; then
+ if [[ (${os_version} == "18.04" || ${os_version} == "20.04" || ${os_version} == "22.04" || ${os_version} == "V2") && ${enable_fips,,} == "true" ]]; then
 kernel=$(uname -r)
 if [[ -f /proc/sys/crypto/fips_enabled ]]; then
 fips_enabled=$(cat /proc/sys/crypto/fips_enabled)
diff --git a/vhdbuilder/packer/vhd-image-builder-arm64-gen2.json b/vhdbuilder/packer/vhd-image-builder-arm64-gen2.json
index f3e0ab680f1..ab7f19cb78f 100644
--- a/vhdbuilder/packer/vhd-image-builder-arm64-gen2.json
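Review bot: In `pre-install-dependencies.sh` the added `&& "${ENABLE_FIPS,,}" != "true"` skips the whole 22.04 kernel block (its body continues outside the hunk, but the visible log lines say it purges `linux-*azure*` kernels), so a FIPS VHD presumably keeps whatever stock kernels the base image shipped alongside the FIPS one and the bootloader's default entry then decides which kernel actually runs. `testFips` in `linux-vhd-content-test.sh` now covers 22.04 and already captures `kernel=$(uname -r)`, but everything after the visible `fips_enabled` read is outside the hunk; please make sure the 22.04 path asserts the running kernel is the FIPS build, e.g. `[[ ${kernel} == *fips* ]] || err "expected fips kernel, got ${kernel}"`, rather than only checking `/proc/sys/crypto/fips_enabled`. A comment on the new guard, `# FIPS images keep the kernel set from the base image; the fips kernel is installed separately`, would record why the purge is skipped (adjust if that inference is wrong). The 20.04 FIPS case in `copyPackerFiles` still falls through to the chain's default, which may be intended but is now the only FIPS release without its own sshd config.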
+++ b/vhdbuilder/packer/vhd-image-builder-arm64-gen2.json
@@ -313,11 +313,6 @@
 "source": "parts/linux/cloud-init/artifacts/sshd_config_1604",
 "destination": "/home/packer/sshd_config_1604"
 },
- {
- "type": "file",
- "source": "parts/linux/cloud-init/artifacts/sshd_config_1804_fips",
- "destination": "/home/packer/sshd_config_1804_fips"
- },
 {
 "type": "file",
 "source": "parts/linux/cloud-init/artifacts/rsyslog-d-60-CIS.conf",
diff --git a/vhdbuilder/packer/vhd-image-builder-base.json b/vhdbuilder/packer/vhd-image-builder-base.json
index 762213911db..74cd5466106 100644
--- a/vhdbuilder/packer/vhd-image-builder-base.json
+++ b/vhdbuilder/packer/vhd-image-builder-base.json
@@ -328,6 +328,11 @@
 "source": "parts/linux/cloud-init/artifacts/sshd_config_1804_fips",
 "destination": "/home/packer/sshd_config_1804_fips"
 },
+ {
+ "type": "file",
+ "source": "parts/linux/cloud-init/artifacts/sshd_config_2204_fips",
+ "destination": "/home/packer/sshd_config_2204_fips"
+ },
 {
 "type": "file",
 "source": "parts/linux/cloud-init/artifacts/rsyslog-d-60-CIS.conf",
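Review bot: The arm64 gen2 template drops the `sshd_config_1804_fips` provisioner while `copyPackerFiles` in `packer_source.sh` (this commit's hunk there) still selects `/home/packer/sshd_config_1804_fips` for 18.04 FIPS, and the new `sshd_config_2204_fips` entry is added only to `vhd-image-builder-base.json`, so on an arm64 build with `ENABLE_FIPS` set `SSHD_CONFIG_SRC` would name a file that was never uploaded. That is probably harmless today if arm64 FIPS is not a supported combination (the pipeline's arm64 stage is 22.04 and the SKU-name template only appends `arm64` for it), but a JSON provisioner list and a shell `elif` chain in another file are now coupled with nothing enforcing agreement. Either add the 2204 entry to the arm64 template as well for symmetry, or have `copyPackerFiles` fail fast right after its `fi`: `[[ -f "${SSHD_CONFIG_SRC}" ]] || { echo "sshd config ${SSHD_CONFIG_SRC} was not provisioned"; exit 1; }`.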