bpluta · bpluta · Jeffrey Weatherford · 34d1ece1 · 34d1ece1
Hide whitespace changes
Inline Side-by-side

Showing with 39 additions and 8 deletions

Dockerfile Dockerfile +29 -3

hardening_manifest.yaml hardening_manifest.yaml +10 -5

No files found.
--- a/Dockerfile
+++ b/Dockerfile
@@ -61,8 +61,8 @@ RUN tar -zxf /usr/bin/scloud.tar.gz -C /usr/bin/ && rm /usr/bin/scloud.tar.gz
 #end base setup
 ARG SPLUNK_PRODUCT=splunk
-ARG SPLUNK_VERSION=8.2.1
+ARG SPLUNK_VERSION=8.2.2
-ARG SPLUNK_BUILD=ddff1c41e5cf
+ARG SPLUNK_BUILD=87344edfcdb4
 ARG SPLUNK_ARCH=x86_64
 ARG SPLUNK_LINUX_FILENAME=splunk-${SPLUNK_VERSION}-${SPLUNK_BUILD}-Linux-${SPLUNK_ARCH}.tgz
@@ -72,7 +72,7 @@ FROM base as package
 COPY scripts/make-minimal-exclude.py /tmp
 ENV SPLUNK_BUILD_URL=https://download.splunk.com/products/${SPLUNK_PRODUCT}/releases/${SPLUNK_VERSION}/linux/${SPLUNK_LINUX_FILENAME}
 RUN python /tmp/make-minimal-exclude.py $SPLUNK_BUILD_URL > /tmp/splunk-minimal-exclude.list
-COPY splunk-8.2.1-ddff1c41e5cf-Linux-x86_64.tgz /tmp/splunk.tgz
+COPY splunk-8.2.2-87344edfcdb4-Linux-x86_64.tgz /tmp/splunk.tgz
 RUN mkdir -p /minimal/splunk/var /extras/splunk/var
 RUN tar -C /minimal/splunk --strip 1 --exclude-from=/tmp/splunk-minimal-exclude.list -zxf /tmp/splunk.tgz
 RUN tar -C /extras/splunk --strip 1 --wildcards --files-from=/tmp/splunk-minimal-exclude.list -zxf /tmp/splunk.tgz
@@ -159,6 +159,32 @@ RUN echo 'Create the ansible user/group' \
    && chmod 775 ${SPLUNK_ANSIBLE_HOME} \
    && chmod 664 ${SPLUNK_ANSIBLE_HOME}/ansible.cfg \
    && chmod 755 /sbin/entrypoint.sh /sbin/createdefaults.py /sbin/checkstate.sh
+RUN microdnf remove -y shadow-utils
+#STIG the instance
+COPY ubi8-development.tar.gz /ubi8-development.tar.gz
+RUN tar -zxvf /ubi8-development.tar.gz
+RUN ubi8-development/scripts/xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction.sh && \
+    ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions.sh && \
+    ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat.sh && \
+    ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit.sh && \
+    ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit.sh && \
+    ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit.sh && \
+    ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat.sh && \
+    ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit.sh && \
+    ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen.sh && \
+    ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_password_pam_difok.sh && \
+    ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time.sh && \
+    ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember.sh && \
+    ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny.sh && \
+    ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval.sh && \
+    ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local.sh && \
+    ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root.sh && \
+    ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_local.sh && \
+    ubi8-development/scripts/xccdf_org.ssgproject.content_rule_disable_users_coredumps.sh && \
+    ubi8-development/scripts/xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs.sh && \
+    ubi8-development/scripts/xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration.sh
+RUN rm -fdr ubi8-development
 USER ${SPLUNK_USER}
 HEALTHCHECK --interval=30s --timeout=30s --start-period=3m --retries=5 CMD /sbin/checkstate.sh || exit 1

--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -4,7 +4,7 @@ apiVersion: v1
 name: "splunk/splunk/splunk"
 tags:
- "8.2.0"
+- "8.2.2"
 - "latest"
 args:
@@ -17,7 +17,7 @@ labels:
  org.opencontainers.image.licenses: "Commercial"
  org.opencontainers.image.url: "https://www.splunk.com/en_us/legal/splunk-terms-overview.html"
  org.opencontainers.image.vendor: "Splunk"
-  org.opencontainers.image.version: "8.2.0"
+  org.opencontainers.image.version: "8.2.2"
  mil.dso.ironbank.image.keywords: "security,data,itops"
  mil.dso.ironbank.image.type: "commercial"
  mil.dso.ironbank.product.name: "Splunk Enterprise"
@@ -28,11 +28,11 @@ resources:
  validation:
    type: sha256
    value: 2b749382aab23a2590792245d9e8b79c4ab285049b90b06efded254de419a264              
- url: https://download.splunk.com/products/splunk/releases/8.2.1/linux/splunk-8.2.1-ddff1c41e5cf-Linux-x86_64.tgz
+- url: https://d7wz6hmoaavd0.cloudfront.net/products/splunk/releases/8.2.2/linux/splunk-8.2.2-87344edfcdb4-Linux-x86_64.tgz
-  filename: splunk-8.2.1-ddff1c41e5cf-Linux-x86_64.tgz
+  filename: splunk-8.2.2-87344edfcdb4-Linux-x86_64.tgz
  validation:
    type: sha256
-    value: 665485ddf65d115f0787f8b0df70ba7fc6fb325b7fa58cdbd3149e2dc7572c04          
+    value: 0f48c1f93dafe269bfd0e295f84859aa90298cd75ff56a32353ece2e2ead51b2          
 - url: https://github.com/splunk/splunk-cloud-sdk-go/releases/download/v1.11.1/scloud_v7.1.0_linux_amd64.tar.gz
  filename: scloud_v7.1.0_linux_amd64.tar.gz
  validation:
@@ -138,6 +138,11 @@ resources:
  validation:
    type: sha256
    value: 2d475327684562c3a96cc71adf7dc8c4f0565175cf86b6d7a404ff4c771f15f0
+- url: https://repo1.dso.mil/dsop/redhat/ubi/ubi8/-/archive/development/ubi8-development.tar.gz
+  filename: ubi8-development.tar.gz
+  validation:
+    type: sha256
+    value: 9158b944a8d3539caedd771e1d1021798ae4e36735ce933f82305619c6b84838
 maintainers:
 - name: "Bryan Pluta"