chore: Merge branch 'main' into 2-node

.gitignore

@@ -11,6 +11,7 @@ content-*/*
 .DS_Store
 
 hack/*.img
+hack/eks-hybrid
 test/.env
 two-node-create.json
 two-node-update.json

README.md

@@ -346,3 +346,56 @@ EDGE_CUSTOM_CONFIG=/path/to/.edge.custom-config.yaml
 ```shell
 earthly --push +build-all-images
 ```
+
+
+### Audit Logs User Customisation
+
+#### Configuration
+rsyslog config file: `overlay/files/etc/rsyslog.d/49-stylus.conf` copied to `/etc/rsyslog.d/49-stylus.conf`  
+logrotate config file: `overlay/files/etc/logrotate.d/stylus.conf` copied to `/etc/logrotate.d/stylus.conf`
+
+#### Send stylus audit events to user file
+Users can log stylus audit events to additional files, in addition to `/var/log/stylus-audit.log`. To log stylus audit events to custom files, create a configuration file in the `overlay/files/etc/rsyslog.d` directory named `<filename>.conf` (must be before `49-stylus.conf` lexicographically).
+
+Example: `48-audit.conf`
+
+Users can use the following configuration as a base for their filtering logic. replace `<log file name>` with the desired file name
+```
+$PrivDropToUser root
+$PrivDropToGroup root
+if ($syslogfacility-text == 'local7' and $syslogseverity-text == 'notice' and $syslogtag contains 'stylus-audit') then {
+    action(
+        type="omfile" 
+        file="<log file name>" 
+    )
+}
+```
+
+#### Send user application audit events to stylus audit file
+To include user application audit events in the `/var/log/stylus-audit.log` file, add the following to the same configuration file (e.g. `48-audit.conf`) or create a new config file before `49-stylus.conf`:
+
+`<user app name>` : user application name or tag
+```
+$PrivDropToUser root
+$PrivDropToGroup root
+$Umask 0000
+$template ForwardFormat,"<%pri%>1 %timestamp:::date-rfc3339% %HOSTNAME% %syslogtag% %procid% - - %msg%\n"
+if ($syslogfacility-text == 'local7' and $syslogseverity-text == 'notice' and $syslogtag contains '<user app name>') then {
+    action(
+        type="omfile" 
+        file="/var/log/stylus-audit.log" 
+        FileCreateMode="0600"
+        fileowner="root"
+        template="ForwardFormat"
+    )
+}
+```
+
+To display user audit entries on the Local UI dashboard, audit entries must be logged in RFC 5424 format with the message (`msg`) part in JSON format. This JSON message must include the following keys: `edgeHostId`, `contentMsg`, `action`, `actor`, `actorType`, `resourceId`, `resourceName`, `resourceKind`
+
+Example syslog entry
+```
+<189>1 2024-07-23T15:35:32.644461+00:00 edge-ce0a38422e4662887313fb673bbfb2a2 stylus-audit[2911]: 2911 - - {"edgeHostId":"edge-ce0a38422e4662887313fb6 73bbfb2a2","contentMsg":"kairos password reset failed","action":"activity","actor":"kairos","actorType":"user","resourceId":"kairos","resourceName":"kairos","resourceKi nd":"user"}
+```
+
+Entries without these keys in the MSG part of RFC 5424 will still be logged to the stylus-audit.log file but will not be displayed on LocalUI.

cis-harden/harden.sh

@@ -174,8 +174,11 @@ harden_sysctl() {
 
 	update_config_files 'net.ipv4.icmp_echo_ignore_broadcasts' 'net.ipv4.icmp_echo_ignore_broadcasts=1' ${config_file}
 	update_config_files 'net.ipv4.icmp_ignore_bogus_error_responses' 'net.ipv4.icmp_ignore_bogus_error_responses=1' ${config_file}
-	update_config_files 'net.ipv4.conf.all.rp_filter' 'net.ipv4.conf.all.rp_filter=1' ${config_file}
-	update_config_files 'net.ipv4.conf.default.rp_filter' 'net.ipv4.conf.default.rp_filter=1' ${config_file}
+
+        # CIS hardening requires "net.ipv4.conf.all.rp_filter=1" but this is incompatible with CNIs, hence we set this to 0 instead
+        update_config_files 'net.ipv4.conf.all.rp_filter' 'net.ipv4.conf.all.rp_filter=0' ${config_file}
+
+        update_config_files 'net.ipv4.conf.default.rp_filter' 'net.ipv4.conf.default.rp_filter=1' ${config_file}
 	update_config_files 'net.ipv4.tcp_syncookies' 'net.ipv4.tcp_syncookies=1' ${config_file}
 	update_config_files 'kernel.randomize_va_space' 'kernel.randomize_va_space=2' ${config_file}
 	update_config_files 'fs.suid_dumpable' 'fs.suid_dumpable=0' ${config_file}
@@ -930,4 +933,4 @@ cleanup_cache
 
 mv /etc/os-release.bak /etc/os-release
 
-exit 0
+exit 0

earthly.sh

@@ -24,12 +24,44 @@ function build_without_proxy() {
     docker run --privileged -v ~/.docker/config.json:/root/.docker/config.json -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -e GLOBAL_CONFIG="$global_config" -v "$(pwd)":/workspace $SPECTRO_PUB_REPO/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@"
 }
 
+function print_os_pack() {
+    # Print the output for use in Palette Profile.
+    echo -e '##########################################################################################################'
+    echo -e '\nPASTE THE CONTENT BELOW INTO YOUR CLUSTER PROFILE IN PALETTE REPLACING ALL THE CONTENTS IN THE PROFILE\n'
+    echo -e '##########################################################################################################'
+    echo -e '\n'
+    echo -e 'pack:'
+    echo -e '  content:'
+    echo -e '    images:'
+    echo -e '      - image: "{{.spectro.pack.edge-native-byoi.options.system.uri}}"'
+    echo -e '  # Below config is default value, please uncomment if you want to modify default values'
+    echo -e '  #drain:'
+    echo -e '    #cordon: true'
+    echo -e '    #timeout: 60 # The length of time to wait before giving up, zero means infinite'
+    echo -e '    #gracePeriod: 60 # Period of time in seconds given to each pod to terminate gracefully. If negative, the default value specified in the pod will be used'
+    echo -e '    #ignoreDaemonSets: true'
+    echo -e '    #deleteLocalData: true # Continue even if there are pods using emptyDir (local data that will be deleted when the node is drained)'
+    echo -e '    #force: true # Continue even if there are pods that do not declare a controller'
+    echo -e '    #disableEviction: false # Force drain to use delete, even if eviction is supported. This will bypass checking PodDisruptionBudgets, use with caution'
+    echo -e '    #skipWaitForDeleteTimeout: 60 # If pod DeletionTimestamp older than N seconds, skip waiting for the pod. Seconds must be greater than 0 to skip.'
+    echo -e 'options:'
+    echo -e '  system.uri: "{{ .spectro.pack.edge-native-byoi.options.system.registry }}/{{ .spectro.pack.edge-native-byoi.options.system.repo }}:{{ .spectro.pack.edge-native-byoi.options.system.k8sDistribution }}-{{ .spectro.system.kubernetes.version }}-{{ .spectro.pack.edge-native-byoi.options.system.peVersion }}-{{ .spectro.pack.edge-native-byoi.options.system.customTag }}"'
+    echo -e '\n'
+    echo -e "  system.registry: $IMAGE_REGISTRY"
+    echo -e "  system.repo: $IMAGE_REPO"
+    echo -e "  system.k8sDistribution: $K8S_DISTRIBUTION"
+    echo -e "  system.osName: $OS_DISTRIBUTION"
+    echo -e "  system.peVersion: $PE_VERSION"
+    echo -e "  system.customTag: $CUSTOM_TAG"
+    echo -e "  system.osVersion: $OS_VERSION"
+}
+
 global_config="{disable_analytics: true}"
 PE_VERSION=$(git describe --abbrev=0 --tags)
 SPECTRO_PUB_REPO=gcr.io/spectro-images-public
 EARTHLY_VERSION=v0.8.5
 source .arg
-
+ALPINE_IMG=$SPECTRO_PUB_REPO/canvos/alpine:3.20
 ### Verify Depencies
 # Check if Docker is installed
 if command -v docker >/dev/null 2>&1; then
@@ -38,7 +70,7 @@ else
     echo "Docker not found.  Please use the guide for your platform located https://docs.docker.com/engine/install/ to install Docker."
 fi
 # Check if the current user has permission to run privileged containers
-if ! docker run --rm --privileged alpine sh -c 'echo "Privileged container test"' &>/dev/null; then
+if ! docker run --rm --privileged $ALPINE_IMG sh -c 'echo "Privileged container test"' &>/dev/null; then
     echo "Privileged containers are not allowed for the current user."
     exit 1
 fi
@@ -59,40 +91,16 @@ if [ "$(docker container inspect -f '{{.State.Running}}' earthly-buildkitd)" = "
     docker stop earthly-buildkitd
 fi
 docker rmi $SPECTRO_PUB_REPO/earthly/buildkitd:$EARTHLY_VERSION 2>/dev/null
-docker rmi alpine:latest
+docker rmi $ALPINE_IMG
 
 if [[ "$1" == "+uki-genkey" ]]; then
     ./keys.sh secure-boot/
 fi
 
-if [[ "$1" == "+build-provider-images" ]] || [[ "$1" == "+build-provider-images-fips" ]] ; then
-    # Print the output for use in Palette Profile.
-    echo -e '##########################################################################################################'
-    echo -e '\nPASTE THE CONTENT BELOW INTO YOUR CLUSTER PROFILE IN PALETTE REPLACING ALL THE CONTENTS IN THE PROFILE\n'
-    echo -e '##########################################################################################################'
-    echo -e '\n'
-    echo -e 'pack:'
-    echo -e '  content:'
-    echo -e '    images:'
-    echo -e '      - image: "{{.spectro.pack.edge-native-byoi.options.system.uri}}"'
-    echo -e '  # Below config is default value, please uncomment if you want to modify default values'
-    echo -e '  #drain:'
-    echo -e '    #cordon: true'
-    echo -e '    #timeout: 60 # The length of time to wait before giving up, zero means infinite'
-    echo -e '    #gracePeriod: 60 # Period of time in seconds given to each pod to terminate gracefully. If negative, the default value specified in the pod will be used'
-    echo -e '    #ignoreDaemonSets: true'
-    echo -e '    #deleteLocalData: true # Continue even if there are pods using emptyDir (local data that will be deleted when the node is drained)'
-    echo -e '    #force: true # Continue even if there are pods that do not declare a controller'
-    echo -e '    #disableEviction: false # Force drain to use delete, even if eviction is supported. This will bypass checking PodDisruptionBudgets, use with caution'
-    echo -e '    #skipWaitForDeleteTimeout: 60 # If pod DeletionTimestamp older than N seconds, skip waiting for the pod. Seconds must be greater than 0 to skip.'
-    echo -e 'options:'
-    echo -e '  system.uri: "{{ .spectro.pack.edge-native-byoi.options.system.registry }}/{{ .spectro.pack.edge-native-byoi.options.system.repo }}:{{ .spectro.pack.edge-native-byoi.options.system.k8sDistribution }}-{{ .spectro.system.kubernetes.version }}-{{ .spectro.pack.edge-native-byoi.options.system.peVersion }}-{{ .spectro.pack.edge-native-byoi.options.system.customTag }}"'
-    echo -e '\n'
-    echo -e "  system.registry: $IMAGE_REGISTRY"
-    echo -e "  system.repo: $IMAGE_REPO"
-    echo -e "  system.k8sDistribution: $K8S_DISTRIBUTION"
-    echo -e "  system.osName: $OS_DISTRIBUTION"
-    echo -e "  system.peVersion: $PE_VERSION"
-    echo -e "  system.customTag: $CUSTOM_TAG"
-    echo -e "  system.osVersion: $OS_VERSION"
-fi
+# if $1 is in oen of the following values, print the output for use in Palette Profile.
+targets=("+build-provider-images" "+build-provider-images-fips" "+build-all-images")
+for arg in "${targets[@]}"; do
+    if [[ "$1" == "$arg" ]]; then
+        print_os_pack
+    fi
+done

k8s_version.json

@@ -0,0 +1,106 @@
+{
+  "k3s": [
+    "1.24.6",
+    "1.25.2",
+    "1.26.4",
+    "1.26.12",
+    "1.26.14",
+    "1.27.2",
+    "1.27.9",
+    "1.27.11",
+    "1.27.15",
+    "1.28.5",
+    "1.28.7",
+    "1.28.11",
+    "1.28.13",
+    "1.29.0",
+    "1.29.2",
+    "1.29.6",
+    "1.29.8",
+    "1.30.4"
+  ],
+  "kubeadm": [
+    "1.24.6",
+    "1.25.2",
+    "1.25.13",
+    "1.25.15",
+    "1.26.4",
+    "1.26.8",
+    "1.26.10",
+    "1.26.12",
+    "1.26.15",
+    "1.27.2",
+    "1.27.5",
+    "1.27.7",
+    "1.27.9",
+    "1.27.11",
+    "1.27.15",
+    "1.27.16",
+    "1.28.2",
+    "1.28.5",
+    "1.28.9",
+    "1.28.11",
+    "1.28.12",
+    "1.28.13",
+    "1.29.0",
+    "1.29.6",
+    "1.29.7",
+    "1.29.8",
+    "1.30.4"
+  ],
+  "rke2": [
+    "1.24.6",
+    "1.25.2",
+    "1.25.13",
+    "1.26.4",
+    "1.26.8",
+    "1.26.10",
+    "1.26.12",
+    "1.26.14",
+    "1.26.15",
+    "1.27.2",
+    "1.27.5",
+    "1.27.7",
+    "1.27.9",
+    "1.27.11",
+    "1.27.13",
+    "1.27.14",
+    "1.27.15",
+    "1.28.2",
+    "1.28.5",
+    "1.28.7",
+    "1.28.9",
+    "1.28.10",
+    "1.28.11",
+    "1.28.12",
+    "1.29.3",
+    "1.29.4",
+    "1.29.5",
+    "1.29.6",
+    "1.29.7",
+    "1.30.3"
+  ],
+  "kubeadm-fips": [
+    "1.24.13",
+    "1.25.9",
+    "1.26.4",
+    "1.26.12",
+    "1.26.15",
+    "1.27.2",
+    "1.27.9",
+    "1.27.14",
+    "1.27.15",
+    "1.27.16",
+    "1.28.5",
+    "1.28.10",
+    "1.28.11",
+    "1.28.12",
+    "1.28.13",
+    "1.29.0",
+    "1.29.5",
+    "1.29.6",
+    "1.29.7",
+    "1.29.8",
+    "1.30.4"
+  ]
+}

os_version.json

@@ -0,0 +1,4 @@
+{
+  "ubuntu": ["22.04", "20.04"],
+  "opensuse-leap": ["15.5"]
+}

overlay/files/etc/logrotate.d/stylus.conf

@@ -0,0 +1,18 @@
+/var/log/stylus-audit.log {
+    yearly
+    rotate 2
+    missingok
+    notifempty
+    compress
+    dateext
+    dateformat -%d-%m-%Y
+    extension .log
+    maxsize 100M
+    create 600 root root
+    # to avoid 'writable by group or others' error
+    su root root
+    # reload or restart to point file handle to new log file
+    postrotate
+        systemctl try-reload-or-restart rsyslog 2>&1 || true
+    endscript
+}

overlay/files/etc/rsyslog.d/49-stylus.conf

@@ -0,0 +1,19 @@
+# Running rsyslog as root.
+$PrivDropToUser root
+$PrivDropToGroup root
+# default config has $Umask 0022 set. That breaks any config related to masks and modes.
+$Umask 0000
+
+# Mesage format as per rfc5424.
+$template ForwardFormat,"<%pri%>1 %timestamp:::date-rfc3339% %HOSTNAME% %syslogtag% %procid% - - %msg%\n"
+
+# route messages with facility local7 and severity notice to /var/log/stylus-audit.log
+if ($syslogfacility-text == 'local7' and $syslogseverity-text == 'notice' and $syslogtag contains 'stylus-audit') then{
+    action(
+        type="omfile" 
+        file="/var/log/stylus-audit.log" 
+        FileCreateMode="0600"
+        fileowner="root"
+        template="ForwardFormat"
+	) & stop
+}