From: Ricardo Noriega Date: Thu, 21 Jan 2021 11:22:41 +0000 (+0100) Subject: Add fixes for Akraino Security checks: X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F58%2F4058%2F1;p=kni%2Finstaller.git Add fixes for Akraino Security checks: It includes Lynis and Kube-Hunter fixes Signed-off-by: Ricardo Noriega Change-Id: Ib08a41c03f3124ca6c5921081a3f32590de090cf
---
diff --git a/utils/akraino-kubehunter.yaml b/utils/akraino-kubehunter.yaml
new file mode 100644
index 0000000..98681b2
--- /dev/null
+++ b/utils/akraino-kubehunter.yaml
@@ -0,0 +1,41 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:public-info-viewer
+rules:
+- nonResourceURLs: # /version has been removed
+ - /healthz
+ - /livez
+ - /readyz
+ verbs:
+ - get
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: default
+ namespace: default
+automountServiceAccountToken: false
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+ labels:
+ machineconfiguration.openshift.io/role: worker
+ name: 50-disable-secret-automount
+spec:
+ config:
+ ignition:
+ version: 2.2.0
+ storage:
+ files:
+ - contents:
+ source: data:text/plain;charset=utf-8;base64,Cg==
+ filesystem: root
+ mode: 0644
+ path: /etc/containers/mounts.conf
diff --git a/utils/akraino-lynis-fixes.sh b/utils/akraino-lynis-fixes.sh
new file mode 100644
index 0000000..ebde0d4
--- /dev/null
+++ b/utils/akraino-lynis-fixes.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+sudo sysctl -w kernel.dmesg_restrict=1
+sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
+sudo sed -i '/^PASS_MAX_DAYS/c\PASS_MAX_DAYS 998' /etc/login.defs
+sudo echo "AllowUsers core" >> /etc/ssh/sshd_config
+sudo echo "AllowGroups core" >> /etc/ssh/sshd_config
+sudo sed -i 's/^ umask.*/ umask 027/g' /etc/profile
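Review bot: Dropping `/version` from `system:public-info-viewer` will not survive an API-server restart, because the role keeps `rbac.authorization.kubernetes.io/autoupdate: "true"`, which tells the RBAC bootstrap reconciler to restore the default rule set on every startup. To make the removal stick, set `rbac.authorization.kubernetes.io/autoupdate: "false"` on this ClusterRole (accepting that it will then no longer receive upstream rule updates on upgrades). Note also that `automountServiceAccountToken: false` is applied only to the `default` ServiceAccount in the `default` namespace, so the default SA in every other namespace still automounts tokens and the kube-hunter finding will most likely persist there. The `mounts.conf` MachineConfig is labelled for the `worker` pool only, so masters keep the default container secret mounts; confirm that is intended.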
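Review bot: `sudo echo "AllowUsers core" >> /etc/ssh/sshd_config` does not do what it appears to: the `>>` redirection is performed by the calling shell before `sudo` runs, so as a non-root user the append fails with permission denied, and as root `sudo` is a no-op. Use `echo "AllowUsers core" | sudo tee -a /etc/ssh/sshd_config` (same for `AllowGroups`) and guard each append with `grep -qx 'AllowUsers core' /etc/ssh/sshd_config ||` so a re-run does not keep adding duplicate directives. The script never reloads `sshd`, so the new `AllowUsers`/`AllowGroups` restriction only takes effect after a restart, and `sysctl -w` is runtime-only, so the two sysctls are lost on reboot unless they are also written to `/etc/sysctl.d/` (or the script is re-run on every boot, as the MachineConfig units in this change do). A one-line header comment naming the Lynis findings these six lines address would also help the next reader.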
diff --git a/utils/akraino-machineconfig-master.yaml b/utils/akraino-machineconfig-master.yaml
new file mode 100644
index 0000000..f988002
--- /dev/null
+++ b/utils/akraino-machineconfig-master.yaml
@@ -0,0 +1,34 @@
+kind: MachineConfig
+apiVersion: machineconfiguration.openshift.io/v1
+metadata:
+ name: 99-akraino-sec-master
+ creationTimestamp:
+ labels:
+ machineconfiguration.openshift.io/role: master
+spec:
+ config:
+ ignition:
+ version: 2.2.0
+ storage:
+ files:
+ - filesystem: root
+ path: "/root/akrainosec.sh"
+ contents:
+ source: data:text/plain;charset=utf-8;base64,IyEvYmluL2Jhc2gKc3VkbyBzeXNjdGwgLXcga2VybmVsLmRtZXNnX3Jlc3RyaWN0PTEKc3VkbyBzeXNjdGwgLXcgbmV0LmlwdjQuY29uZi5kZWZhdWx0LmFjY2VwdF9zb3VyY2Vfcm91dGU9MApzdWRvIHNlZCAtaSAnL15QQVNTX01BWF9EQVlTL2NcUEFTU19NQVhfREFZUyAgIDk5OCcgL2V0Yy9sb2dpbi5kZWZzCnN1ZG8gZWNobyAiQWxsb3dVc2VycyBjb3JlIiA+PiAvZXRjL3NzaC9zc2hkX2NvbmZpZwpzdWRvIGVjaG8gIkFsbG93R3JvdXBzIGNvcmUiID4+IC9ldGMvc3NoL3NzaGRfY29uZmlnCnN1ZG8gc2VkIC1pICdzL14gICAgdW1hc2suKi8gICAgdW1hc2sgMDI3L2cnIC9ldGMvcHJvZmlsZQ==
+ verification: {}
+ mode: 0755
+ systemd:
+ units:
+ - contents: |
+ [Unit]
+ Description=Akraino Security
+ DefaultDependencies=no
+ [Service]
+ Type=oneshot
+ ExecStart=/bin/bash /root/akrainosec.sh
+ Restart=on-failure
+ RestartSec=30
+ [Install]
+ WantedBy=multi-user.target
+ name: akrainosec.service
+ enabled: true
diff --git a/utils/akraino-machineconfig-worker.yaml b/utils/akraino-machineconfig-worker.yaml
new file mode 100644
index 0000000..7837537
--- /dev/null
+++ b/utils/akraino-machineconfig-worker.yaml
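Review bot: `akrainosec.service` is `enabled: true` and the embedded script appends `AllowUsers core` and `AllowGroups core` with `>>` unconditionally, so every boot adds two more lines to `/etc/ssh/sshd_config`; the script needs an idempotency guard, or better, these settings should be shipped as ordinary MachineConfig `storage.files` (e.g. `/etc/sysctl.d/90-akraino.conf` and a full `/etc/login.defs`) rather than a boot-time script that edits files in place. The unit sets `DefaultDependencies=no` with no `After=`/`Before=`, so nothing guarantees it runs after `/etc` is writable or before `sshd.service` reads its config; either drop `DefaultDependencies=no` or add `After=local-fs.target` and `Before=sshd.service`. `Restart=on-failure` combined with `Type=oneshot` is refused by older systemd releases (RHEL 8's 239 logs "isn't allowed for Type=oneshot services" and skips the unit), so verify this against the systemd on the target RHCOS image. `creationTimestamp:` is a bare null and can be removed.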
@@ -0,0 +1,34 @@
+kind: MachineConfig
+apiVersion: machineconfiguration.openshift.io/v1
+metadata:
+ name: 99-akraino-sec-worker
+ creationTimestamp:
+ labels:
+ machineconfiguration.openshift.io/role: worker
+spec:
+ config:
+ ignition:
+ version: 2.2.0
+ storage:
+ files:
+ - filesystem: root
+ path: "/root/akrainosec.sh"
+ contents:
+ source: data:text/plain;charset=utf-8;base64,IyEvYmluL2Jhc2gKc3VkbyBzeXNjdGwgLXcga2VybmVsLmRtZXNnX3Jlc3RyaWN0PTEKc3VkbyBzeXNjdGwgLXcgbmV0LmlwdjQuY29uZi5kZWZhdWx0LmFjY2VwdF9zb3VyY2Vfcm91dGU9MApzdWRvIHNlZCAtaSAnL15QQVNTX01BWF9EQVlTL2NcUEFTU19NQVhfREFZUyAgIDk5OCcgL2V0Yy9sb2dpbi5kZWZzCnN1ZG8gZWNobyAiQWxsb3dVc2VycyBjb3JlIiA+PiAvZXRjL3NzaC9zc2hkX2NvbmZpZwpzdWRvIGVjaG8gIkFsbG93R3JvdXBzIGNvcmUiID4+IC9ldGMvc3NoL3NzaGRfY29uZmlnCnN1ZG8gc2VkIC1pICdzL14gICAgdW1hc2suKi8gICAgdW1hc2sgMDI3L2cnIC9ldGMvcHJvZmlsZQ==
+ verification: {}
+ mode: 0755
+ systemd:
+ units:
+ - contents: |
+ [Unit]
+ Description=Akraino Security
+ DefaultDependencies=no
+ [Service]
+ Type=oneshot
+ ExecStart=/bin/bash /root/akrainosec.sh
+ Restart=on-failure
+ RestartSec=30
+ [Install]
+ WantedBy=multi-user.target
+ name: akrainosec.service
+ enabled: true
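Review bot: The embedded worker script (decoded from the `source:` data URL) sets only `net.ipv4.conf.default.accept_source_route=0`, which applies to interfaces created after the sysctl runs; interfaces already up when the unit fires keep their current value, so `sudo sysctl -w net.ipv4.conf.all.accept_source_route=0` is needed alongside it, and the same gap exists in the master variant. This file carries a byte-identical base64 copy of the script that also lives in `akraino-machineconfig-master.yaml` and, in plain form, in `utils/akraino-lynis-fixes.sh`; any later fix must be made in three places, so generating both MachineConfigs from the `.sh` (e.g. `base64 -w0 utils/akraino-lynis-fixes.sh`) in a build step would prevent drift. `PASS_MAX_DAYS 998` clears the Lynis finding but reads as arbitrary; a comment in the script such as `# PASS_MAX_DAYS: any value below 999 satisfies the Lynis check; core has no password login` would record the intent. `mode: 0755` is parsed as octal 493 here, which is what Ignition expects, but quoting is not an option for this integer field, so leave as is.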