From dbe541f63c15863a8d1f71f321e46a2adc95144b Mon Sep 17 00:00:00 2001
From: bpluta
Date: Thu, 24 Jun 2021 16:26:25 +0000
Subject: [PATCH] IA findings
---
 Dockerfile | 4 ++--
 hardening_manifest.yaml | 6 +++---
 scripts/install.sh | 6 +++++-
 3 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index fcbaf8d..de478ae 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -33,7 +33,7 @@ COPY apache-2.0.txt /licenses/apache-2.0.txt
 COPY EULA_Red_Hat_Universal_Base_Image_English_20190422.pdf /licenses/EULA_Red_Hat_Universal_Base_Image_English_20190422.pdf
 COPY requests-2.25.1.tar.gz requests-2.25.1.tar.gz
 COPY Jinja2-3.0.0.tar.gz Jinja2-3.0.0.tar.gz
-COPY urllib3-1.26.4.tar.gz urllib3-1.26.4.tar.gz
+COPY urllib3-1.26.5.tar.gz urllib3-1.26.5.tar.gz
 COPY chardet-4.0.0.tar.gz chardet-4.0.0.tar.gz
 COPY certifi-2020.12.5.tar.gz certifi-2020.12.5.tar.gz
 COPY idna-3.1.tar.gz idna-3.1.tar.gz
@@ -118,7 +118,7 @@ EXPOSE 8000/tcp 8089/tcp
 FROM minimal as bare
 COPY --from=package --chown=splunk:splunk /extras /opt
 #remove unneeded packages that were vulnerable
-RUN rm -fdr /opt/splunk/etc/apps/splunk_archiver /opt/splunk/bin/jars/thirdparty/hive /opt/splunk/bin/jars/thirdparty/hive_1_2 /opt/splunk/bin/jars/thirdparty/hive_3_1 /opt/splunk/bin/jars/vendors/spark /opt/splunk/bin/jars/thirdparty/common/commons-io-2.4.jar /opt/splunk/bin/jars/thirdparty/aws/commons-codec-1.7.jar
+RUN rm -fdr /opt/splunk/etc/apps/splunk_archiver /opt/splunk/bin/jars/thirdparty/hive /opt/splunk/bin/jars/thirdparty/hive_2_2 /opt/splunk/bin/jars/thirdparty/hive_3_1 /opt/splunk/bin/jars/vendors/spark /opt/splunk/bin/jars/thirdparty/common/commons-io-2.4.jar /opt/splunk/bin/jars/thirdparty/aws/commons-codec-1.7.jar /opt/splunk/bin/jars/vendors/libs/json-smart-2.3.jar
 COPY scripts/delete_jquery.py /delete_jquery.py
 RUN python /delete_jquery.py
 EXPOSE 8000 8065 8088 8089 8191 9887 9997
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 4bd2cce..2c13359 100644
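Review bot: In the `bare` stage's `RUN rm -fdr` line of the Dockerfile, `hive_1_2` is replaced by `hive_2_2` instead of being kept alongside it, and because `-f` ignores paths that do not exist the build gives no signal about which of the two names the Splunk package really ships. If `thirdparty/hive_1_2` is still present in this release, a directory the comment above describes as vulnerable would now stay in the image. I would keep both paths in the list and follow the `rm` with a check that fails the build when a listed artefact survives, for example `RUN test ! -e /opt/splunk/bin/jars/vendors/libs/json-smart-2.3.jar`. The removal also runs in a layer after `COPY --from=package`, so the deleted files presumably remain in that earlier layer of the image; deleting them under `/extras` in the `package` stage (not visible in this hunk) would keep them out of every layer.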
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -98,11 +98,11 @@ resources:
 validation:
 type: sha256
 value: c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1
-- url: https://files.pythonhosted.org/packages/cb/cf/871177f1fc795c6c10787bc0e1f27bb6cf7b81dbde399fd35860472cecbc/urllib3-1.26.4.tar.gz
- filename: urllib3-1.26.4.tar.gz
+- url: https://files.pythonhosted.org/packages/94/40/c396b5b212533716949a4d295f91a4c100d51ba95ea9e2d96b6b0517e5a5/urllib3-1.26.5.tar.gz
+ filename: urllib3-1.26.5.tar.gz
 validation:
 type: sha256
- value: e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937
+ value: a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098
 - url: https://files.pythonhosted.org/packages/ee/2d/9cdc2b527e127b4c9db64b86647d567985940ac3698eeabc7ffaccb4ea61/chardet-4.0.0.tar.gz
 filename: chardet-4.0.0.tar.gz
 validation:
diff --git a/scripts/install.sh b/scripts/install.sh
index 0c5e769..a2a44c7 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -49,7 +49,7 @@ cd /
 pip --no-cache-dir install --no-deps --no-index cffi-1.14.5.tar.gz six-1.16.0.tar.gz wheel-0.36.2.tar.gz \
 requests-2.25.1.tar.gz cryptography-3.4.7-cp36-abi3-manylinux2014_x86_64.whl \
 jmespath-0.10.0.tar.gz Jinja2-3.0.0.tar.gz MarkupSafe-2.0.1.tar.gz PyYAML-5.4.1-cp37-cp37m-manylinux1_x86_64.whl \
- pycparser-2.20.tar.gz urllib3-1.26.4.tar.gz chardet-4.0.0.tar.gz certifi-2020.12.5.tar.gz \
+ pycparser-2.20.tar.gz urllib3-1.26.5.tar.gz chardet-4.0.0.tar.gz certifi-2020.12.5.tar.gz \
 idna-3.1.tar.gz pyparsing-2.4.7.tar.gz packaging-20.9-py2.py3-none-any.whl resolvelib-0.5.4-py2.py3-none-any.whl ansible-core-2.11.1.tar.gz \
 ansible-4.0.0.tar.gz --upgrade
 # Remove tests packaged in python libs
@@ -63,6 +63,10 @@ microdnf remove -y make gcc openssl-devel bzip2-devel libffi-devel findutils cpp libsepol-devel libverto-devel libxcrypt-devel pcre2-devel zlib-devel microdnf clean all +#additional STIG steps for OS +systemctl mask ctrl-alt-del.target +sed -i 's/ nullok//g' /etc/pam.d/* + cd /bin chmod u+s /usr/sbin/ping groupadd sudo -- GitLab
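Review bot: The added `sed -i 's/ nullok//g' /etc/pam.d/*` has no check that the hardening took effect, and its pattern and in-place mode miss two cases: a `nullok` preceded by a tab is left in place, and GNU `sed -i` replaces any PAM file that is a symlink with a regular copy unless `--follow-symlinks` is given. I would change it to `sed -i --follow-symlinks -E 's/[[:space:]]+nullok\b//g' /etc/pam.d/*` and follow it with `if grep -rq nullok /etc/pam.d; then exit 1; fi` so the build fails when an empty-password allowance survives. `systemctl mask ctrl-alt-del.target` also depends on `systemctl` being present in the image at this step; whether the script runs under `set -e` is outside the hunk, so a failure there may pass unnoticed. A short comment naming the STIG rule each command satisfies would help the next audit.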