diff --git a/Dockerfile b/Dockerfile
index fcbaf8d7cbce1dae76b79c16e236877d63df8279..de478aed1468c74d2b0c5de94edf1e17e9806fc2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -33,7 +33,7 @@ COPY apache-2.0.txt /licenses/apache-2.0.txt
 COPY EULA_Red_Hat_Universal_Base_Image_English_20190422.pdf /licenses/EULA_Red_Hat_Universal_Base_Image_English_20190422.pdf
 COPY requests-2.25.1.tar.gz requests-2.25.1.tar.gz
 COPY Jinja2-3.0.0.tar.gz Jinja2-3.0.0.tar.gz
-COPY urllib3-1.26.4.tar.gz urllib3-1.26.4.tar.gz
+COPY urllib3-1.26.5.tar.gz urllib3-1.26.5.tar.gz
 COPY chardet-4.0.0.tar.gz chardet-4.0.0.tar.gz
 COPY certifi-2020.12.5.tar.gz certifi-2020.12.5.tar.gz
 COPY idna-3.1.tar.gz idna-3.1.tar.gz
@@ -118,7 +118,7 @@ EXPOSE 8000/tcp 8089/tcp
 FROM minimal as bare
 COPY --from=package --chown=splunk:splunk /extras /opt
 #remove unneeded packages that were vulnerable
-RUN rm -fdr /opt/splunk/etc/apps/splunk_archiver /opt/splunk/bin/jars/thirdparty/hive /opt/splunk/bin/jars/thirdparty/hive_1_2 /opt/splunk/bin/jars/thirdparty/hive_3_1 /opt/splunk/bin/jars/vendors/spark /opt/splunk/bin/jars/thirdparty/common/commons-io-2.4.jar /opt/splunk/bin/jars/thirdparty/aws/commons-codec-1.7.jar
+RUN rm -fdr /opt/splunk/etc/apps/splunk_archiver /opt/splunk/bin/jars/thirdparty/hive /opt/splunk/bin/jars/thirdparty/hive_2_2 /opt/splunk/bin/jars/thirdparty/hive_3_1 /opt/splunk/bin/jars/vendors/spark /opt/splunk/bin/jars/thirdparty/common/commons-io-2.4.jar /opt/splunk/bin/jars/thirdparty/aws/commons-codec-1.7.jar /opt/splunk/bin/jars/vendors/libs/json-smart-2.3.jar
 COPY scripts/delete_jquery.py /delete_jquery.py
 RUN python /delete_jquery.py
 EXPOSE 8000 8065 8088 8089 8191 9887 9997
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 4bd2cce62610947e3f19fd8a05bc431f4f546b1a..2c1335906f4065dbc0dc03b959026fdf265d2e68 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
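Review bot: In the Dockerfile's `bare` stage, the edited `RUN rm -fdr …` line cannot fail: `-f` turns a missing or misspelled path into a silent no-op, so nothing confirms that `hive_2_2` and `json-smart-2.3.jar` exist at those paths, or that the `hive_1_2` directory this change stops deleting is really absent from the package. A follow-up assertion would make the cleanup auditable, e.g. `RUN for p in /opt/splunk/bin/jars/thirdparty/hive* /opt/splunk/bin/jars/vendors/libs/json-smart-*; do [ ! -e "$p" ] || exit 1; done`. The delete also runs in a layer after `COPY --from=package`, so the jars presumably stay readable in that earlier layer unless the image is squashed; pruning them in the `package` stage would avoid that. That stage and the rest of `bare` are outside this hunk.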
@@ -98,11 +98,11 @@ resources:
 validation:
 type: sha256
 value: c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1
-- url: https://files.pythonhosted.org/packages/cb/cf/871177f1fc795c6c10787bc0e1f27bb6cf7b81dbde399fd35860472cecbc/urllib3-1.26.4.tar.gz
- filename: urllib3-1.26.4.tar.gz
+- url: https://files.pythonhosted.org/packages/94/40/c396b5b212533716949a4d295f91a4c100d51ba95ea9e2d96b6b0517e5a5/urllib3-1.26.5.tar.gz
+ filename: urllib3-1.26.5.tar.gz
 validation:
 type: sha256
- value: e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937
+ value: a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098
 - url: https://files.pythonhosted.org/packages/ee/2d/9cdc2b527e127b4c9db64b86647d567985940ac3698eeabc7ffaccb4ea61/chardet-4.0.0.tar.gz
 filename: chardet-4.0.0.tar.gz
 validation:
diff --git a/scripts/install.sh b/scripts/install.sh
index 0c5e76963b68bb2a89b217849d788e8705aac93a..a2a44c712a7cc79732a009d35174af5e8e1feffa 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -49,7 +49,7 @@ cd /
 pip --no-cache-dir install --no-deps --no-index cffi-1.14.5.tar.gz six-1.16.0.tar.gz wheel-0.36.2.tar.gz \
 requests-2.25.1.tar.gz cryptography-3.4.7-cp36-abi3-manylinux2014_x86_64.whl \
 jmespath-0.10.0.tar.gz Jinja2-3.0.0.tar.gz MarkupSafe-2.0.1.tar.gz PyYAML-5.4.1-cp37-cp37m-manylinux1_x86_64.whl \
- pycparser-2.20.tar.gz urllib3-1.26.4.tar.gz chardet-4.0.0.tar.gz certifi-2020.12.5.tar.gz \
+ pycparser-2.20.tar.gz urllib3-1.26.5.tar.gz chardet-4.0.0.tar.gz certifi-2020.12.5.tar.gz \
 idna-3.1.tar.gz pyparsing-2.4.7.tar.gz packaging-20.9-py2.py3-none-any.whl resolvelib-0.5.4-py2.py3-none-any.whl ansible-core-2.11.1.tar.gz \
 ansible-4.0.0.tar.gz --upgrade
 # Remove tests packaged in python libs
@@ -63,6 +63,10 @@ microdnf remove -y make gcc openssl-devel bzip2-devel libffi-devel findutils cpp libsepol-devel libverto-devel libxcrypt-devel pcre2-devel zlib-devel microdnf clean all +#additional STIG steps for OS +systemctl mask ctrl-alt-del.target +sed -i 's/ nullok//g' /etc/pam.d/* + cd /bin chmod u+s /usr/sbin/ping groupadd sudo
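Review bot: The added `sed -i 's/ nullok//g' /etc/pam.d/*` only matches `nullok` after a single literal space and its result is never checked, so a tab-separated option would survive this STIG step unnoticed; GNU `sed -i` also replaces a symlinked PAM file with a regular copy unless `--follow-symlinks` is given. Consider `sed -i --follow-symlinks -E 's/[[:space:]]+nullok//g' /etc/pam.d/*` followed by `if grep -rq nullok /etc/pam.d; then exit 1; fi`. Whether install.sh runs under `set -e` is not visible in this hunk, so a failing `systemctl mask ctrl-alt-del.target` (for example if systemctl is missing from the build image) may also pass silently.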