Skip to content

ENT-13766: Fixes / improvements / security hardning#2131

Open
larsewi wants to merge 5 commits intocfengine:masterfrom
larsewi:provision
Open

ENT-13766: Fixes / improvements / security hardning#2131
larsewi wants to merge 5 commits intocfengine:masterfrom
larsewi:provision

Conversation

@larsewi
Copy link
Contributor

@larsewi larsewi commented Mar 5, 2026
edited
Loading

  • Suppress cleanup() errors for missing files
  • Export NO_CONFIGURE so it propagates to autogen.sh subprocesses
  • Harden SSH on build hosts: disable root login and password auth
  • Install epel-release on all RHEL/CentOS versions
  • Install and configure fail2ban on all build hosts

@larsewi larsewi changed the title Suppress cleanup() errors for missing files More fixes / improvements to buildscripts and build machine provisioning Mar 5, 2026
@larsewi larsewi changed the title More fixes / improvements to buildscripts and build machine provisioning More fixes / improvements to buildscripts and buildmachine provisioning Mar 5, 2026
@larsewi larsewi changed the title More fixes / improvements to buildscripts and buildmachine provisioning ENT-13766: Fixes / improvements / security hardning Mar 5, 2026
larsewi and others added 5 commits March 5, 2026 16:38
@larsewi @claude
Suppress cleanup() errors for missing files
18e3b4d 
The mv commands in cleanup() print confusing "cannot stat" errors when
files don't exist, which is expected on first provisioning runs.

Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@larsewi @claude
Export NO_CONFIGURE so it propagates to autogen.sh subprocesses
395180d 
Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@larsewi @claude
Harden SSH on build hosts: disable root login and password auth
e02399e 
Disable PermitRootLogin, PasswordAuthentication, and
KbdInteractiveAuthentication in sshd_config to enforce key-only SSH
access. This prevents brute force attacks on VMs exposed via autossh
tunnels through the SSH bridge.

Ticket: ENT-13766
Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@larsewi @claude
Install epel-release on all RHEL/CentOS versions
7d592b8 
Broaden epel-release from redhat_7/centos_7 only to all redhat/centos
platforms. This is needed to install fail2ban (and potentially other
EPEL packages) on RHEL 8/9/10.

Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@larsewi @claude
Install and configure fail2ban on all build hosts
797e416 
Install fail2ban on Debian/Ubuntu and RHEL/CentOS platforms to ban IPs
with repeated failed SSH auth attempts. Configures sshd jail with
5 max retries, 1 hour ban time, and 10 minute find window.

Ticket: ENT-13766
Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@craigcomstock craigcomstock Awaiting requested review from craigcomstock

@olehermanse olehermanse Awaiting requested review from olehermanse

@nickanderson nickanderson Awaiting requested review from nickanderson

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@larsewi