diff --git a/README.md b/README.md
index d6e14cf..03ff8ba 100644
--- a/README.md
+++ b/README.md
@@ -9,8 +9,8 @@ There are templates available for creating a
 - [Azure virtual machine image](https://learn.microsoft.com/en-us/azure/virtual-machines/linux/build-image-with-packer)
 - [Vagrant](https://www.vagrantup.com/) server base box
-[20.04 LTS (Focal Fossa)](https://releases.ubuntu.com/focal/) and
-[22.04 LTS (Jammy Jellyfish)](https://releases.ubuntu.com/jammy/) are supported.
+[22.04 LTS (Jammy Jellyfish)](https://releases.ubuntu.com/jammy/)
+[24.04 (Noble Numbat)](https://releases.ubuntu.com/noble/) are supported.
 The Ansible role used to make the server a bit more secure is available in the
 [konstruktoid/ansible-role-hardening](https://github.com/konstruktoid/ansible-role-hardening)
@@ -36,7 +36,7 @@ validating the configuration and building the Amazon Machine Image.
 {
 "aws_region": "eu-west-3",
 "instance_type": "t3.medium",
- "release": "22.04"
+ "release": "24.04"
 }
 ```
@@ -105,7 +105,7 @@ Vagrant.configure("2") do |config|
 config.vm.define "noble" do |noble|
 noble.vm.hostname = "hardened-noble"
- noble.vm.box = "ubuntu-noble/20.04"
+ noble.vm.box = "ubuntu-noble/24.04"
 noble.vm.box_url = "file://output/ubuntu-24.04-x86_64.bento-hardened.box"
 end
 end
diff --git a/Vagrantfile b/Vagrantfile
index 27348cb..87ae473 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -8,7 +8,7 @@ Vagrant.configure("2") do |config|
 config.vm.define "noble" do |noble|
 noble.vm.hostname = "hardened-noble"
- noble.vm.box = "ubuntu-noble/20.04"
+ noble.vm.box = "ubuntu-noble/24.04"
 noble.vm.box_url = "file://output/ubuntu-24.04-x86_64.bento-hardened.box"
 end
 end
diff --git a/build_box.sh b/build_box.sh
index 86c42de..d059efe 100644
--- a/build_box.sh
+++ b/build_box.sh
@@ -5,6 +5,7 @@ shellcheck -x -s bash -f gcc scripts/*
 BASE_DIR="$(pwd)"
 GIT_CLONE_DIR="$(mktemp --directory -p /var/tmp bento.XXXXXX)"
+BUILD_ISOS="virtualbox-iso.vm" # "virtualbox-iso.vm,vmware-iso.vm"
 mkdir -p "${BASE_DIR}/output"
@@ -20,9 +21,9 @@ git apply ./packer_templates/config/bento.diff
 packer init -upgrade ./packer_templates
 find . -name 'ubuntu-2[4-8].04-x86_64.pkrvars.hcl' | while read -r template; do
- packer build -only=virtualbox-iso.vm,vmware-iso.vm -var-file="${template}" ./packer_templates
+ packer build -only="${BUILD_ISOS}" -var-file="${template}" ./packer_templates
 box_name="$(basename "${template}" | awk -F '-' '{print $2}')"
- find . -name "ubuntu-${box_name}-*" | while read -r box; do
+ find . -name "ubuntu-${box_name}-*.box" | while read -r box; do
 mod_name="$(basename "$box" | sed 's/virtualbox/bento-hardened/g')"
 mv -v "${box}" "${BASE_DIR}/output/${mod_name}"
 done
diff --git a/config/local.yml b/config/local.yml
index b5c51df..b586700 100644
--- a/config/local.yml
+++ b/config/local.yml
@@ -18,7 +18,7 @@ ansible.builtin.git:
 repo: https://github.com/konstruktoid/ansible-role-hardening
 dest: /etc/ansible/roles/konstruktoid.hardening
- version: v2.0.4
+ version: v2.1.1
 - name: Remove git
 ansible.builtin.package:
diff --git a/scripts/cleanup.sh b/scripts/cleanup.sh
index 0a84777..e4d6346 100755
--- a/scripts/cleanup.sh
+++ b/scripts/cleanup.sh
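Review bot: `BUILD_ISOS="virtualbox-iso.vm"` in the first hunk is a hard-coded constant with the alternative only in a trailing comment, so switching builders means editing the script; `BUILD_ISOS="${BUILD_ISOS:-virtualbox-iso.vm}" # e.g. "virtualbox-iso.vm,vmware-iso.vm"` keeps the same default and lets a caller override it from the environment. Related, in the second hunk the rename `sed 's/virtualbox/bento-hardened/g'` only rewrites the VirtualBox box name, so a VMware box produced with the commented-out value would presumably land in output/ under its original name and not match the `bento-hardened` box_url this same commit puts in the Vagrantfile; a per-builder rename (or a second substitution) would close that gap. The `find ... | while read -r` loops start and end inside the hunk; the rest of the script is outside it.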
@@ -13,10 +13,9 @@ rm -rvf /etc/ansible/*
 rm -rvf /etc/apt/sources.list.d/*
-dpkg --list | awk '{ print $2 }' | grep 'linux-headers' | xargs apt-get --assume-yes purge;
+dpkg --list | awk '{ print $2 }' | grep 'linux-headers' | grep -v "$(uname -r)" | xargs apt-get --assume-yes purge;
 dpkg --list | awk '{ print $2 }' | grep 'linux-image-.*-generic' | grep -v "$(uname -r)" | xargs apt-get --assume-yes purge;
 dpkg --list | awk '{ print $2 }' | grep 'linux-modules-.*-generic' | grep -v "$(uname -r)" | xargs apt-get --assume-yes purge;
-dpkg --list | awk '{ print $2 }' | grep -- '-dev\(:[a-z0-9]\+\)\?$' | xargs apt-get --assume-yes purge;
 dpkg --list | awk '{ print $2 }' | grep linux-source | xargs apt-get --assume-yes purge;
 dpkg --list | awk '{ print $2 }' | grep -- '-doc$' | xargs apt-get --assume-yes purge;
diff --git a/scripts/hardening.sh b/scripts/hardening.sh
index 47ff5f5..008b7fd 100755
--- a/scripts/hardening.sh
+++ b/scripts/hardening.sh
@@ -9,7 +9,7 @@ export HISTFILESIZE=0
 export PATH=$PATH:$HOME/.local/bin
 apt-get update
-apt-get --assume-yes --no-install-recommends install pipx
+apt-get --assume-yes --no-install-recommends install git pipx
 pipx install ansible-core
 pipx ensurepath
@@ -34,4 +34,6 @@ pipx uninstall-all
 unset PATH
 export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+apt-get --assume-yes purge git
+
 reboot
diff --git a/ubuntu-aws-vars.json b/ubuntu-aws-vars.json
index 766f465..d7aff2a 100644
--- a/ubuntu-aws-vars.json
+++ b/ubuntu-aws-vars.json
@@ -1,5 +1,5 @@
 {
 "aws_region": "eu-west-3",
 "instance_type": "t3.medium",
- "release": "22.04"
+ "release": "24.04"
 }
diff --git a/ubuntu-hardened-aws.pkr.hcl b/ubuntu-hardened-aws.pkr.hcl
index a779c43..fc4cfff 100644
--- a/ubuntu-hardened-aws.pkr.hcl
+++ b/ubuntu-hardened-aws.pkr.hcl
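Review bot: `grep -v "$(uname -r)"` on the linux-headers line presumably aims to keep the running kernel's headers, but the flavoured package `linux-headers-<ver>-generic` depends on the unflavoured `linux-headers-<ver>`, whose name lacks the `-generic` suffix that `uname -r` reports, so that package still matches and `apt-get purge` takes the flavoured headers with it; excluding `"$(uname -r | sed 's/-generic$//')"` (adjusted for whatever flavour the image runs) would cover both. The dropped `-dev` purge line means `*-dev` packages now stay in the image; if that is deliberate, a comment such as `# -dev packages are kept on purpose: <reason>` would stop the next reader from re-adding it. Every purge line also pipes into `xargs apt-get --assume-yes purge` without `--no-run-if-empty`, so an empty match list still spawns an apt-get run with no package argument. The cleanup script continues outside this hunk.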
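Review bot: `apt-get --assume-yes purge git` in the second hardening.sh hunk removes only the git package itself; the dependencies that the first hunk's `install git pipx` pulled in (git-man and the like) stay behind unless it is followed by `apt-get --assume-yes autoremove --purge`. Note also that config/local.yml in this same commit already carries a `Remove git` task, so one of the two removals is redundant — acceptable as belt and braces, but worth a one-line comment, e.g. `# git is only needed to fetch the role; local.yml also removes it`. If git was already present on the base image before this script ran, the unconditional purge removes it as well, which may or may not be intended. Both hunks sit in the flat script body; whatever runs between them is outside the diff.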
@@ -32,7 +32,7 @@ source "amazon-ebs" "hardened" {
 region = var.aws_region
 source_ami_filter {
 filters = {
- name = "ubuntu/images/hvm-ssd/*ubuntu-*${var.release}-amd64-server*"
+ name = "ubuntu/images/hvm-ssd-gp3/*ubuntu-*${var.release}-amd64-server*"
 root-device-type = "ebs"
 virtualization-type = "hvm"
 }
@@ -44,6 +44,7 @@ source "amazon-ebs" "hardened" {
 ssh_pty = "true"
 ssh_timeout = "10m"
 ssh_username = "ubuntu"
+ temporary_key_pair_type = "ed25519"
 }
 build {
diff --git a/ubuntu-hardened-azure.pkr.hcl b/ubuntu-hardened-azure.pkr.hcl
index 82631fc..6f8b53f 100644
--- a/ubuntu-hardened-azure.pkr.hcl
+++ b/ubuntu-hardened-azure.pkr.hcl
@@ -72,6 +72,7 @@ source "azure-arm" "hardened" {
 ssh_pty = "true"
 ssh_timeout = "10m"
 ssh_username = "ubuntu"
+ temporary_key_pair_type = "ed25519"
 client_id = var.client_id
 client_secret = var.client_secret
 subscription_id = var.subscription_id
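Review bot: The `name` filter moved to the `hvm-ssd-gp3/` path still selects an AMI by name pattern alone, so unless `owners` is set in the part of `source_ami_filter` that lies outside this hunk, any public AMI whose name matches `*ubuntu-*24.04-amd64-server*` could be chosen; pinning `owners = ["099720109477"]` (Canonical's publishing account) alongside `most_recent = true` restricts the lookup to the publisher. The `source_ami_filter` block opens before and closes after this hunk, so this may already be handled there. The `temporary_key_pair_type = "ed25519"` addition in the second hunk, and its Azure twin, need no change.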