diff --git a/Dockerfile b/Dockerfile
index 21556785032146716815cf368a5274ae1cd3ea51..9dfbdd29e36d119251283173de0544d9e800d6c6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -61,8 +61,8 @@ RUN tar -zxf /usr/bin/scloud.tar.gz -C /usr/bin/ && rm /usr/bin/scloud.tar.gz
 #end base setup
 ARG SPLUNK_PRODUCT=splunk
-ARG SPLUNK_VERSION=8.2.1
-ARG SPLUNK_BUILD=ddff1c41e5cf
+ARG SPLUNK_VERSION=8.2.2
+ARG SPLUNK_BUILD=87344edfcdb4
 ARG SPLUNK_ARCH=x86_64
 ARG SPLUNK_LINUX_FILENAME=splunk-${SPLUNK_VERSION}-${SPLUNK_BUILD}-Linux-${SPLUNK_ARCH}.tgz
@@ -72,7 +72,7 @@ FROM base as package
 COPY scripts/make-minimal-exclude.py /tmp
 ENV SPLUNK_BUILD_URL=https://download.splunk.com/products/${SPLUNK_PRODUCT}/releases/${SPLUNK_VERSION}/linux/${SPLUNK_LINUX_FILENAME}
 RUN python /tmp/make-minimal-exclude.py $SPLUNK_BUILD_URL > /tmp/splunk-minimal-exclude.list
-COPY splunk-8.2.1-ddff1c41e5cf-Linux-x86_64.tgz /tmp/splunk.tgz
+COPY splunk-8.2.2-87344edfcdb4-Linux-x86_64.tgz /tmp/splunk.tgz
 RUN mkdir -p /minimal/splunk/var /extras/splunk/var
 RUN tar -C /minimal/splunk --strip 1 --exclude-from=/tmp/splunk-minimal-exclude.list -zxf /tmp/splunk.tgz
 RUN tar -C /extras/splunk --strip 1 --wildcards --files-from=/tmp/splunk-minimal-exclude.list -zxf /tmp/splunk.tgz
@@ -159,6 +159,32 @@ RUN echo 'Create the ansible user/group' \
 && chmod 775 ${SPLUNK_ANSIBLE_HOME} \
 && chmod 664 ${SPLUNK_ANSIBLE_HOME}/ansible.cfg \
 && chmod 755 /sbin/entrypoint.sh /sbin/createdefaults.py /sbin/checkstate.sh
+RUN microdnf remove -y shadow-utils
+
+#STIG the instance
+COPY ubi8-development.tar.gz /ubi8-development.tar.gz
+RUN tar -zxvf /ubi8-development.tar.gz
+RUN ubi8-development/scripts/xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction.sh && \
+ ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions.sh && \
+ ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat.sh && \
+ ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit.sh && \
+ ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit.sh && \
+ ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit.sh && \
+ ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat.sh && \
+ ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit.sh && \
+ ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen.sh && \
+ ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_password_pam_difok.sh && \
+ ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time.sh && \
+ ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember.sh && \
+ ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny.sh && \
+ ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval.sh && \
+ ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local.sh && \
+ ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root.sh && \
+ ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_local.sh && \
+ ubi8-development/scripts/xccdf_org.ssgproject.content_rule_disable_users_coredumps.sh && \
+ ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs.sh && \
+ ubi8-development/scripts/xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration.sh
+RUN rm -fdr ubi8-development
 USER ${SPLUNK_USER}
 HEALTHCHECK --interval=30s --timeout=30s --start-period=3m --retries=5 CMD /sbin/checkstate.sh || exit 1
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 3400adf49ef51197a92863d8cc21eb39050a3a23..f0c14d9f27e3e023a6f25c4f3f4df4fb2bf3e2f4 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -4,7 +4,7 @@ apiVersion: v1
 name: "splunk/splunk/splunk"
 tags:
-- "8.2.0"
+- "8.2.2"
 - "latest"
 args:
@@ -17,7 +17,7 @@ labels:
 org.opencontainers.image.licenses: "Commercial"
 org.opencontainers.image.url: "https://www.splunk.com/en_us/legal/splunk-terms-overview.html"
 org.opencontainers.image.vendor: "Splunk"
- org.opencontainers.image.version: "8.2.0"
+ org.opencontainers.image.version: "8.2.2"
 mil.dso.ironbank.image.keywords: "security,data,itops"
 mil.dso.ironbank.image.type: "commercial"
 mil.dso.ironbank.product.name: "Splunk Enterprise"
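Review bot: `RUN tar -zxvf /ubi8-development.tar.gz`, the chained `RUN ubi8-development/scripts/…` step and `RUN rm -fdr ubi8-development` are three separate layers, so the extracted STIG scripts stay in the image underneath the `rm` layer and the archive copied to `/ubi8-development.tar.gz` is never removed at all; extraction, the rule scripts and the cleanup belong in one RUN (a `--mount=type=bind` on the archive would also keep it out of its own COPY layer, if the builder supports BuildKit). The extraction also lands in whatever `WORKDIR` is current, which the hunk does not show, so the relative `ubi8-development/…` paths only work while that directory is unchanged; an explicit `-C /tmp` with absolute paths removes the dependency, and dropping `-v` keeps the build log readable. Separately, `RUN microdnf remove -y shadow-utils` runs before the `accounts_password_minlen_login_defs` and `account_disable_post_pw_expiration` rules, which presumably edit `/etc/login.defs` and `/etc/default/useradd` — files that package owns on UBI — so either those scripts fail or they recreate the files holding only their own setting; confirm the intended order, or move the removal after the STIG block as sketched below.
```dockerfile
#STIG the instance
COPY ubi8-development.tar.gz /tmp/ubi8-development.tar.gz
RUN tar -zxf /tmp/ubi8-development.tar.gz -C /tmp && \
    /tmp/ubi8-development/scripts/xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction.sh && \
    # … unchanged: the remaining xccdf_org.ssgproject.content_rule_* scripts, each prefixed with /tmp/ and chained with && \ …
    /tmp/ubi8-development/scripts/xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration.sh && \
    rm -rf /tmp/ubi8-development /tmp/ubi8-development.tar.gz
RUN microdnf remove -y shadow-utils
```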
@@ -28,11 +28,11 @@ resources:
 validation:
 type: sha256
 value: 2b749382aab23a2590792245d9e8b79c4ab285049b90b06efded254de419a264
-- url: https://download.splunk.com/products/splunk/releases/8.2.1/linux/splunk-8.2.1-ddff1c41e5cf-Linux-x86_64.tgz
- filename: splunk-8.2.1-ddff1c41e5cf-Linux-x86_64.tgz
+- url: https://d7wz6hmoaavd0.cloudfront.net/products/splunk/releases/8.2.2/linux/splunk-8.2.2-87344edfcdb4-Linux-x86_64.tgz
+ filename: splunk-8.2.2-87344edfcdb4-Linux-x86_64.tgz
 validation:
 type: sha256
- value: 665485ddf65d115f0787f8b0df70ba7fc6fb325b7fa58cdbd3149e2dc7572c04
+ value: 0f48c1f93dafe269bfd0e295f84859aa90298cd75ff56a32353ece2e2ead51b2
 - url: https://github.com/splunk/splunk-cloud-sdk-go/releases/download/v1.11.1/scloud_v7.1.0_linux_amd64.tar.gz
 filename: scloud_v7.1.0_linux_amd64.tar.gz
 validation:
@@ -138,6 +138,11 @@ resources:
 validation:
 type: sha256
 value: 2d475327684562c3a96cc71adf7dc8c4f0565175cf86b6d7a404ff4c771f15f0
+- url: https://repo1.dso.mil/dsop/redhat/ubi/ubi8/-/archive/development/ubi8-development.tar.gz
+ filename: ubi8-development.tar.gz
+ validation:
+ type: sha256
+ value: 9158b944a8d3539caedd771e1d1021798ae4e36735ce933f82305619c6b84838
 maintainers:
 - name: "Bryan Pluta"
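Review bot: The new `url:` for the Splunk tarball points at `d7wz6hmoaavd0.cloudfront.net` instead of the vendor's `download.splunk.com` host that the removed entry used and that the Dockerfile's `SPLUNK_BUILD_URL` still uses for the same 8.2.2 file, so the manifest now records a CDN origin for an artifact the build elsewhere attributes to the canonical host. The sha256 `value` pins the bytes, but a reviewer auditing provenance has no way to tell from the manifest why the origin changed or that the hash was compared with Splunk's published checksum for build 87344edfcdb4. Prefer the `download.splunk.com` path for the 8.2.2 artifact, or add a comment above the entry stating the reason for the CDN origin and the source the checksum was verified against.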
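Review bot: The added `url:` fetches `…/-/archive/development/ubi8-development.tar.gz`, a branch archive rather than a tagged or commit-addressed one, so the pinned `value:` will stop matching as soon as the `development` branch moves, and the likely "fix" of bumping the hash would pull unreviewed changes into scripts that run as root at build time. Pin the archive to an immutable ref, e.g. `url: https://repo1.dso.mil/dsop/redhat/ubi/ubi8/-/archive/<COMMIT_SHA>/ubi8-<COMMIT_SHA>.tar.gz` (placeholder — substitute the reviewed commit), and keep the sha256 of that exact archive. Note that the archive's top-level directory name follows the ref, so the `ubi8-development/scripts/…` paths in the Dockerfile must be updated to match whatever ref is pinned.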