diff --git a/.pipelines/.vsts-vhd-builder-release.yaml b/.pipelines/.vsts-vhd-builder-release.yaml
index f3ca713ae6e..eb4f4e3a442 100644
--- a/.pipelines/.vsts-vhd-builder-release.yaml
+++ b/.pipelines/.vsts-vhd-builder-release.yaml
@@ -760,9 +760,9 @@ stages: - template: ./templates/.builder-release-template.yaml parameters: artifactName: 2004-fips-containerd - - stage: build_vhd_2204_fips_containerd + - stage: build_vhd_2004_fips_gen2_containerd dependsOn: [] - condition: eq('${{ parameters.build2204fipscontainerd }}', true) + condition: eq('${{ parameters.build2004fipsgen2containerd }}', true) jobs: - job: build timeoutInMinutes: 180 
@@ -770,25 +770,26 @@ stages: - bash: | echo '##vso[task.setvariable variable=DRY_RUN]${{parameters.dryrun}}' echo '##vso[task.setvariable variable=OS_SKU]Ubuntu' - echo '##vso[task.setvariable variable=OS_VERSION]22.04' + echo '##vso[task.setvariable variable=OS_VERSION]20.04' echo '##vso[task.setvariable variable=IMG_PUBLISHER]Canonical' - echo '##vso[task.setvariable variable=IMG_OFFER]0001-com-ubuntu-server-jammy' - echo '##vso[task.setvariable variable=IMG_SKU]22_04-lts' - echo '##vso[task.setvariable variable=HYPERV_GENERATION]V1' - echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_DS2_v2' + echo '##vso[task.setvariable variable=IMG_OFFER]0001-com-ubuntu-server-focal' + echo '##vso[task.setvariable variable=IMG_SKU]20_04-lts-gen2' + echo '##vso[task.setvariable variable=IMG_VERSION]latest' + echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2' + echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16ds_v5' echo '##vso[task.setvariable variable=FEATURE_FLAGS]None' echo '##vso[task.setvariable variable=CONTAINER_RUNTIME]containerd' echo '##vso[task.setvariable variable=ARCHITECTURE]X86_64' echo '##vso[task.setvariable variable=ENABLE_FIPS]True' echo '##vso[task.setvariable variable=ENABLE_TRUSTED_LAUNCH]False' - echo '##vso[task.setvariable variable=SGX_INSTALL]False' + echo '##vso[task.setvariable variable=SGX_INSTALL]True' displayName: Setup Build Variables - template: ./templates/.builder-release-template.yaml parameters: - artifactName: 2204-fips-containerd - - stage: build_vhd_2204_fips_gen2_containerd + artifactName: 2004-fips-gen2-containerd + - stage: build_vhd_2204_fips_containerd dependsOn: [] - condition: eq('${{ parameters.build2204fipsgen2containerd }}', true) + condition: eq('${{ parameters.build2204fipscontainerd }}', true) jobs: - job: build timeoutInMinutes: 180 
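Review bot: The `echo '##vso[task.setvariable variable=IMG_VERSION]latest'` line in the build_vhd_2004_fips_gen2_containerd stage selects whatever marketplace image version is current at build time, so two runs of this release pipeline can start from different upstream base images and the resulting FIPS VHD is not reproducible from the pipeline definition alone. The sibling 2204 FIPS stages in this hunk set no IMG_VERSION at all, so their base-image selection depends on a template default that is not visible here and may differ from this stage's behaviour. Consider pinning an explicit version, e.g. `echo '##vso[task.setvariable variable=IMG_VERSION]<pinned-image-version>'` (placeholder), or at least having the build record the resolved image version alongside the artifact so a given VHD can be traced back to its input. The stage definitions are moved rather than changed by the hunks at @@ -760, @@ -799, @@ -811 and @@ -822, so this applies wherever the 2004 gen2 stage ends up.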
@@ -799,8 +800,8 @@ stages: echo '##vso[task.setvariable variable=OS_VERSION]22.04' echo '##vso[task.setvariable variable=IMG_PUBLISHER]Canonical' echo '##vso[task.setvariable variable=IMG_OFFER]0001-com-ubuntu-server-jammy' - echo '##vso[task.setvariable variable=IMG_SKU]22_04-lts-gen2' - echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2' + echo '##vso[task.setvariable variable=IMG_SKU]22_04-lts' + echo '##vso[task.setvariable variable=HYPERV_GENERATION]V1' echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_DS2_v2' echo '##vso[task.setvariable variable=FEATURE_FLAGS]None' echo '##vso[task.setvariable variable=CONTAINER_RUNTIME]containerd' @@ -811,10 +812,10 @@ stages: displayName: Setup Build Variables - template: ./templates/.builder-release-template.yaml parameters: - artifactName: 2204-fips-gen2-containerd - - stage: build_vhd_2004_fips_gen2_containerd + artifactName: 2204-fips-containerd + - stage: build_vhd_2204_fips_gen2_containerd dependsOn: [] - condition: eq('${{ parameters.build2004fipsgen2containerd }}', true) + condition: eq('${{ parameters.build2204fipsgen2containerd }}', true) jobs: - job: build timeoutInMinutes: 180 
@@ -822,23 +823,22 @@ stages: - bash: | echo '##vso[task.setvariable variable=DRY_RUN]${{parameters.dryrun}}' echo '##vso[task.setvariable variable=OS_SKU]Ubuntu' - echo '##vso[task.setvariable variable=OS_VERSION]20.04' + echo '##vso[task.setvariable variable=OS_VERSION]22.04' echo '##vso[task.setvariable variable=IMG_PUBLISHER]Canonical' - echo '##vso[task.setvariable variable=IMG_OFFER]0001-com-ubuntu-server-focal' - echo '##vso[task.setvariable variable=IMG_SKU]20_04-lts-gen2' - echo '##vso[task.setvariable variable=IMG_VERSION]latest' + echo '##vso[task.setvariable variable=IMG_OFFER]0001-com-ubuntu-server-jammy' + echo '##vso[task.setvariable variable=IMG_SKU]22_04-lts-gen2' echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2' - echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16ds_v5' + echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_DS2_v2' echo '##vso[task.setvariable variable=FEATURE_FLAGS]None' echo '##vso[task.setvariable variable=CONTAINER_RUNTIME]containerd' echo '##vso[task.setvariable variable=ARCHITECTURE]X86_64' echo '##vso[task.setvariable variable=ENABLE_FIPS]True' echo '##vso[task.setvariable variable=ENABLE_TRUSTED_LAUNCH]False' - echo '##vso[task.setvariable variable=SGX_INSTALL]True' + echo '##vso[task.setvariable variable=SGX_INSTALL]False' displayName: Setup Build Variables - template: ./templates/.builder-release-template.yaml parameters: - artifactName: 2004-fips-gen2-containerd + artifactName: 2204-fips-gen2-containerd - stage: build_vhd_2204_arm64_gen2_containerd dependsOn: [] condition: eq('${{ parameters.build2204arm64gen2containerd }}', true)
diff --git a/parts/linux/cloud-init/artifacts/sshd_config_2204_fips b/parts/linux/cloud-init/artifacts/sshd_config_2204_fips
index 6c01016b69d..1b92a7d430f 100644
--- a/parts/linux/cloud-init/artifacts/sshd_config_2204_fips
+++ b/parts/linux/cloud-init/artifacts/sshd_config_2204_fips
@@ -1,4 +1,4 @@ -# This file is a copy of the default sshd_config file, but relaxes used encryption +# This file is a copy of the default sshd_config file, but relaxes used encryption # for sshd to work with 5.15.0-1059-azure-fips # What ports, IPs and protocols we listen for
diff --git a/pkg/templates/templates_generated.go b/pkg/templates/templates_generated.go
index 7af9cca95c3..0d5caef4bed 100644
--- a/pkg/templates/templates_generated.go
+++ b/pkg/templates/templates_generated.go
@@ -6861,128 +6861,98 @@ func linuxCloudInitArtifactsSshd_config_1804_fips() (*asset, error) { return a, nil } -var _linuxCloudInitArtifactsSshd_config_2204_fips = []byte(` -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options override the -# default value. - -Include /etc/ssh/sshd_config.d/*.conf +var _linuxCloudInitArtifactsSshd_config_2204_fips = []byte(`# This file is a copy of the default sshd_config file, but relaxes used encryption +# for sshd to work with 5.15.0-1059-azure-fips -#Port 22 -#AddressFamily any -#ListenAddress 0.0.0.0 +# What ports, IPs and protocols we listen for +Port 22 +# Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: +#ListenAddress 0.0.0.0 +Protocol 2 -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_ecdsa_key -#HostKey /etc/ssh/ssh_host_ed25519_key +# 5.2.11 Ensure only approved MAC algorithms are used +# Disabled for FIPS +# MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com +# KexAlgorithms curve25519-sha256@libssh.org +# Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr -# Ciphers and keying -#RekeyLimit default none +# 5.2.12 Ensure SSH Idle Timeout Interval is configured +ClientAliveInterval 120 +ClientAliveCountMax 3 + +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_ed25519_key # Logging -#SyslogFacility AUTH -#LogLevel INFO +SyslogFacility AUTH 
+LogLevel INFO # Authentication: +LoginGraceTime 60 -#LoginGraceTime 2m -#PermitRootLogin prohibit-password -#StrictModes yes -#MaxAuthTries 6 -#MaxSessions 10 - -#PubkeyAuthentication yes - -# Expect .ssh/authorized_keys2 to be disregarded by default in future. -#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 - -#AuthorizedPrincipalsFile none +# 5.2.8 Ensure SSH root login is disabled +PermitRootLogin no +# 5.2.10 Ensure SSH PermitUserEnvironment is disabled +PermitUserEnvironment no -#AuthorizedKeysCommand none -#AuthorizedKeysCommandUser nobody +StrictModes yes +PubkeyAuthentication yes +#AuthorizedKeysFile %h/.ssh/authorized_keys -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# HostbasedAuthentication -#IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes +IgnoreRhosts yes +# similar for protocol version 2 +HostbasedAuthentication no -# To disable tunneled clear text passwords, change to no here! -#PasswordAuthentication yes -#PermitEmptyPasswords no +# To enable empty passwords, change to yes (NOT RECOMMENDED) +PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) -KbdInteractiveAuthentication no +ChallengeResponseAuthentication no -# Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no +# Change to no to disable tunnelled clear text passwords +PasswordAuthentication no -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes -#GSSAPIStrictAcceptorCheck yes -#GSSAPIKeyExchange no +# 5.2.4 Ensure SSH X11 forwarding is disabled +X11Forwarding no -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. 
If this is enabled, PAM authentication will -# be allowed through the KbdInteractiveAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via KbdInteractiveAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and KbdInteractiveAuthentication to 'no'. -UsePAM yes +# 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less +MaxAuthTries 4 -#AllowAgentForwarding yes -#AllowTcpForwarding yes -#GatewayPorts no -X11Forwarding yes -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PermitTTY yes +X11DisplayOffset 10 PrintMotd no -#PrintLastLog yes -#TCPKeepAlive yes -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#UseDNS no -#PidFile /run/sshd.pid -#MaxStartups 10:30:100 -#PermitTunnel no -#ChrootDirectory none -#VersionAddendum none +PrintLastLog yes +TCPKeepAlive yes +#UseLogin no -# no default banner path -#Banner none +#MaxStartups 10:30:60 +Banner /etc/issue.net # Allow client to pass locale environment variables AcceptEnv LANG LC_* -# override default of no subsystems -Subsystem sftp /usr/lib/openssh/sftp-server +Subsystem sftp /usr/lib/openssh/sftp-server -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# PermitTTY no -# ForceCommand cvs server +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". 
+# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes +UseDNS no +GSSAPIAuthentication no + +# Mariner AKS CIS Benchmark: Ensure SSH access is limited +DenyUsers root omsagent nxautomation `) func linuxCloudInitArtifactsSshd_config_2204_fipsBytes() ([]byte, error) {
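Review bot: The regenerated `_linuxCloudInitArtifactsSshd_config_2204_fips` blob adds `HostKey /etc/ssh/ssh_host_dsa_key`, but ssh-dss (1024-bit DSA with SHA-1) has been disabled by default in OpenSSH since 7.0 and is not acceptable under FIPS, and Ubuntu 22.04's openssh-server most likely does not generate that key at all, so the line would only produce a "Could not load host key" error in the sshd log on every start and should be dropped. The new content also reintroduces keywords the removed 22.04 default had already moved away from: `Protocol 2` is accepted but ignored by current OpenSSH, and `ChallengeResponseAuthentication no` is the deprecated alias of the `KbdInteractiveAuthentication no` the removed lines used. It further drops `Include /etc/ssh/sshd_config.d/*.conf`, so drop-ins that tooling writes on 22.04 (cloud-init's PasswordAuthentication snippet, for example) are silently ignored; if that is intended, the header comment should state it, and the trailing `# Mariner AKS CIS Benchmark` comment reads oddly in an Ubuntu artifact. Since this file is generated, the fixes belong in parts/linux/cloud-init/artifacts/sshd_config_2204_fips, whose content change is not part of this diff beyond the whitespace hunk, followed by a regeneration of this file.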