We are now going to create a VM from the Shared Image Gallery. As we created the image with plan information, we also need to specify that information when launching the instance.
If you already have an SSH key that you want to use, then use the following to launch the VM:
SSHPublicKeyPath=<path to your id_rsa.pub>
az vm create \
--resource-group $sigResourceGroup \
--subscription $subscriptionID \
--name myAibGalleryVM \
--admin-username aibuser \
--location $location \
--image "/subscriptions/$subscriptionID/resourceGroups/$sigResourceGroup/providers/Microsoft.Compute/galleries/$sigName/images/$imageDefName/versions/latest" \
--ssh-key-values $SSHPublicKeyPath \
--plan-name $ProPlanSku \
--plan-product $ProPlanOffer \
--public-ip-sku Standard \
--plan-publisher $ProPlanPublisher
Alternatively, if you do not yet have SSH keys, you can use the following and replace the --ssh-key-values $SSHPublicKeyPath
with --generate-ssh-keys
(note that this may overwrite the ssh keypair “id_rsa” and “id_rsa.pub” under .ssh in your home directory):
az vm create \
--resource-group $sigResourceGroup \
--subscription $subscriptionID \
--name myAibGalleryVM \
--admin-username aibuser \
--location $location \
--image "/subscriptions/$subscriptionID/resourceGroups/$sigResourceGroup/providers/Microsoft.Compute/galleries/$sigName/images/$imageDefName/versions/latest" \
--generate-ssh-keys \
--plan-name $ProPlanSku \
--plan-product $ProPlanOffer \
--public-ip-sku Standard \
--plan-publisher $ProPlanPublisher
When this completes, you should see something like the following:
{
"fqdns": "",
"id": "/subscriptions/[your subscription]/resourceGroups/ibUbuntuProGalleryRG/providers/Microsoft.Compute/virtualMachines/myAibGalleryVM",
"location": "northeurope",
"macAddress": "00-0D-3A-B9-32-27",
"powerState": "VM running",
"privateIpAddress": "10.0.0.4",
"publicIpAddress": "20.67.164.125",
"resourceGroup": "ibUbuntuProGalleryRG",
"zones": ""
}
Note the publicIpAddress
, which in my case is 20.67.164.125
. This is what you will use to ssh into the machine in the next step.
ssh aibuser@[the IP address from above]
In my case, this is:
ssh [email protected]
It will likely say:
The authenticity of host '20.67.164.125 (20.67.164.125)' can't be established.
ECDSA key fingerprint is SHA256:hvDCR6zYnEYDhnQSdOhKZzrFQ017nH5FqPL2hty1WE0.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
To which you can respond yes
.
Once you are in the VM, you can type sudo ua status --wait
and check the output:
$ sudo ua status --wait
SERVICE ENTITLED STATUS DESCRIPTION
cis yes disabled Center for Internet Security Audit Tools
esm-apps yes enabled UA Apps: Extended Security Maintenance (ESM)
esm-infra yes enabled UA Infra: Extended Security Maintenance (ESM)
fips yes disabled NIST-certified core packages
fips-updates yes disabled NIST-certified core packages with priority security updates
livepatch yes n/a Canonical Livepatch service
Enable services with: ua enable <service>
Account: <redacted>
Subscription: <redacted>
Valid until: 9999-12-31 00:00:00+00:00
Technical support level: essential
We can see that this VM is attached to an Ubuntu Pro subscription and that we have great features like esm-apps and esm-infra enabled.
(If you are using a Private Offer that includes support, your Technical support level
will read advanced
instead of essential
.)
And we can confirm that the CIS hardening is in place:
$ cat /etc/issue.net
Authorized uses only. All activity may be monitored and reported.
We can even run a CIS audit:
$ sudo ua enable cis
One moment, checking your subscription first
CIS Audit is already enabled.
See: sudo ua status
$ sudo cis-audit level1_server
Title Ensure mounting of cramfs filesystems is disabled
Rule xccdf_com.ubuntu.bionic.cis_rule_CIS-1.1.1.1
Result pass
Title Ensure mounting of freevxfs filesystems is disabled
Rule xccdf_com.ubuntu.bionic.cis_rule_CIS-1.1.1.2
Result pass
Title Ensure mounting of jffs2 filesystems is disabled
Rule xccdf_com.ubuntu.bionic.cis_rule_CIS-1.1.1.3
Result pass
Title Ensure mounting of hfs filesystems is disabled
Rule xccdf_com.ubuntu.bionic.cis_rule_CIS-1.1.1.4
Result pass
[...]
CIS audit scan completed. The scan results are available in /usr/share/ubuntu-scap-security-guides/cis-18.04-report.html report.
You can bring this onto your local machine by first changing the permissions within your ssh session:
sudo chown aibuser /usr/share/ubuntu-scap-security-guides/cis-18.04-report.html
and then using a separate terminal window to download it with scp:
$ scp [email protected]:/usr/share/ubuntu-scap-security-guides/cis-18.04-report.html .
Authorized uses only. All activity may be monitored and reported.
cis-18.04-report.html 100% 579KB 3.1MB/s 00:00
For comparison, on an unhardened Ubuntu 18.04 VM, there are 80 CIS failures:
In our image, even without filing in the ruleset-params.conf or taking the manual CIS hardening steps set out in the documentation, the CIS audit should only show 13 failed rules:
We could add further customisations to our deployment template to improve this even further.