IA findings

dbe541f6 · bpluta · 07bb5de2 · dbe541f6 · dbe541f6 · dbe541f6
Commit dbe541f6 authored Jun 24, 2021 by bpluta
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 6 deletions

Dockerfile Dockerfile +2 -2

hardening_manifest.yaml hardening_manifest.yaml +3 -3

scripts/install.sh scripts/install.sh +5 -1

No files found.
--- a/Dockerfile
+++ b/Dockerfile
@@ -33,7 +33,7 @@ COPY apache-2.0.txt /licenses/apache-2.0.txt
 COPY EULA_Red_Hat_Universal_Base_Image_English_20190422.pdf /licenses/EULA_Red_Hat_Universal_Base_Image_English_20190422.pdf
 COPY requests-2.25.1.tar.gz requests-2.25.1.tar.gz
 COPY Jinja2-3.0.0.tar.gz Jinja2-3.0.0.tar.gz
-COPY urllib3-1.26.4.tar.gz urllib3-1.26.4.tar.gz
+COPY urllib3-1.26.5.tar.gz urllib3-1.26.5.tar.gz
 COPY chardet-4.0.0.tar.gz chardet-4.0.0.tar.gz
 COPY certifi-2020.12.5.tar.gz certifi-2020.12.5.tar.gz
 COPY idna-3.1.tar.gz idna-3.1.tar.gz
@@ -118,7 +118,7 @@ EXPOSE 8000/tcp 8089/tcp
 FROM minimal as bare
 COPY --from=package --chown=splunk:splunk /extras /opt
 #remove unneeded packages that were vulnerable
-RUN rm -fdr /opt/splunk/etc/apps/splunk_archiver /opt/splunk/bin/jars/thirdparty/hive /opt/splunk/bin/jars/thirdparty/hive_1_2 /opt/splunk/bin/jars/thirdparty/hive_3_1 /opt/splunk/bin/jars/vendors/spark /opt/splunk/bin/jars/thirdparty/common/commons-io-2.4.jar /opt/splunk/bin/jars/thirdparty/aws/commons-codec-1.7.jar
+RUN rm -fdr /opt/splunk/etc/apps/splunk_archiver /opt/splunk/bin/jars/thirdparty/hive /opt/splunk/bin/jars/thirdparty/hive_2_2 /opt/splunk/bin/jars/thirdparty/hive_3_1 /opt/splunk/bin/jars/vendors/spark /opt/splunk/bin/jars/thirdparty/common/commons-io-2.4.jar /opt/splunk/bin/jars/thirdparty/aws/commons-codec-1.7.jar /opt/splunk/bin/jars/vendors/libs/json-smart-2.3.jar
 COPY scripts/delete_jquery.py /delete_jquery.py
 RUN python /delete_jquery.py
 EXPOSE 8000 8065 8088 8089 8191 9887 9997

--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -98,11 +98,11 @@ resources:
  validation:
    type: sha256
    value: c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1          
- url: https://files.pythonhosted.org/packages/cb/cf/871177f1fc795c6c10787bc0e1f27bb6cf7b81dbde399fd35860472cecbc/urllib3-1.26.4.tar.gz
-  filename: urllib3-1.26.4.tar.gz
+- url: https://files.pythonhosted.org/packages/94/40/c396b5b212533716949a4d295f91a4c100d51ba95ea9e2d96b6b0517e5a5/urllib3-1.26.5.tar.gz
+  filename: urllib3-1.26.5.tar.gz
  validation:
    type: sha256
-    value: e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937        
+    value: a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098        
 - url: https://files.pythonhosted.org/packages/ee/2d/9cdc2b527e127b4c9db64b86647d567985940ac3698eeabc7ffaccb4ea61/chardet-4.0.0.tar.gz
  filename: chardet-4.0.0.tar.gz
  validation:

--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -49,7 +49,7 @@ cd /
 pip --no-cache-dir install --no-deps --no-index cffi-1.14.5.tar.gz six-1.16.0.tar.gz wheel-0.36.2.tar.gz \
 	requests-2.25.1.tar.gz cryptography-3.4.7-cp36-abi3-manylinux2014_x86_64.whl \
 	jmespath-0.10.0.tar.gz Jinja2-3.0.0.tar.gz MarkupSafe-2.0.1.tar.gz PyYAML-5.4.1-cp37-cp37m-manylinux1_x86_64.whl \
-       	pycparser-2.20.tar.gz urllib3-1.26.4.tar.gz chardet-4.0.0.tar.gz certifi-2020.12.5.tar.gz \
+       	pycparser-2.20.tar.gz urllib3-1.26.5.tar.gz chardet-4.0.0.tar.gz certifi-2020.12.5.tar.gz \
 	idna-3.1.tar.gz pyparsing-2.4.7.tar.gz packaging-20.9-py2.py3-none-any.whl resolvelib-0.5.4-py2.py3-none-any.whl ansible-core-2.11.1.tar.gz \
        ansible-4.0.0.tar.gz --upgrade
 # Remove tests packaged in python libs
@@ -63,6 +63,10 @@ microdnf remove -y make gcc openssl-devel bzip2-devel libffi-devel findutils cpp
                   libsepol-devel libverto-devel libxcrypt-devel pcre2-devel zlib-devel
 microdnf clean all

+#additional STIG steps for OS
+systemctl mask ctrl-alt-del.target
+sed -i 's/ nullok//g' /etc/pam.d/*
+
 cd /bin
 chmod u+s /usr/sbin/ping
 groupadd sudo