PE-8058 Ubuntu 24.04 STIG image changes

Earthfile

@@ -708,8 +708,15 @@ base-image:
 
         LET APT_UPGRADE_FLAGS="-y"
         IF [ "$UPDATE_KERNEL" = "false" ]
-            RUN if dpkg -l "linux-image-generic-hwe-$OS_VERSION" > /dev/null; then apt-mark hold "linux-image-generic-hwe-$OS_VERSION" "linux-headers-generic-hwe-$OS_VERSION" "linux-generic-hwe-$OS_VERSION" ; fi && \
-                if dpkg -l linux-image-generic > /dev/null; then apt-mark hold linux-image-generic linux-headers-generic linux-generic; fi
+            RUN apt-get update && \
+                if dpkg -l "linux-image-generic-hwe-$OS_VERSION" > /dev/null 2>&1; then apt-mark hold "linux-image-generic-hwe-$OS_VERSION" "linux-headers-generic-hwe-$OS_VERSION" "linux-generic-hwe-$OS_VERSION"; fi && \
+                if dpkg -l linux-image-generic > /dev/null 2>&1; then \
+                    apt-mark hold linux-image-generic linux-headers-generic linux-generic; \
+                    latest_kernel=$(printf '%s\n' /lib/modules/* | xargs -n1 basename | sort -V | tail -1 | awk -F '-' '{print $1"-"$2}'); \
+                    for pkg in linux-image-${latest_kernel}-generic linux-modules-${latest_kernel}-generic linux-modules-extra-${latest_kernel}-generic; do \
+                        if dpkg -l "$pkg" > /dev/null 2>&1; then apt-mark hold "$pkg"; fi; \
+                    done; \
+                fi
         ELSE
             SET APT_UPGRADE_FLAGS="-y --with-new-pkgs"
             RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
@@ -733,8 +740,13 @@ base-image:
                     dosfstools \ # Utilities for creating and checking FAT file systems.
                     rsync \ # Used for efficient file synchronization and transfer.
                     cryptsetup-bin \ # Provides tools for setting up encrypted disks.
-                    udev && \ # Device manager for the Linux kernel, required for managing device nodes.
+                    udev \ # Device manager for the Linux kernel, required for managing device nodes.
+                    dracut \ # Required for initramfs (custom base images like ubuntu24.04-byoi-stig need this after purge).
+                    dracut-live && \ # Required for live/squashfs boot; apt autoremove may remove it otherwise.
                 latest_kernel=$(printf '%s\n' /lib/modules/* | xargs -n1 basename | sort -V | tail -1 | awk -F '-' '{print $1"-"$2}') && \
+                apt-mark manual linux-image-${latest_kernel}-generic linux-modules-${latest_kernel}-generic linux-modules-extra-${latest_kernel}-generic 2>/dev/null || true && \
+                apt-mark unhold linux-image-generic linux-headers-generic linux-generic 2>/dev/null || true && \
+                (apt-get purge -y --allow-change-held-packages linux-image-generic linux-headers-generic linux-generic || true) && \
                 if [ "$FIPS_ENABLED" = "true" ]; then \
                     # When FIPS is enabled, we need to remove any non-FIPS kernel packages (e.g., 5.15 HWE) to avoid conflicts.
                     # However, some kernel packages may be held (apt-mark hold), which causes `apt-get purge` to fail with:
@@ -745,9 +757,9 @@ base-image:
                         | grep -v "$latest_kernel" | grep -v fips); do \
                         apt-mark unhold "$pkg" || true; \
                     done && \
-                    apt-get purge -y $(dpkg -l | awk '/^.i\s+linux-(image|headers|modules)/ {print $2}' | grep -v "${latest_kernel}" | grep -v fips); \
+                    apt-get purge -y $(dpkg -l | awk '/^.i\s+linux-(image|headers|modules)/ {print $2}' | grep -E 'linux-(image|headers|modules)-[0-9]' | grep -v "${latest_kernel}" | grep -v fips); \
                 else \
-                    apt-get purge -y $(dpkg -l | awk '/^ii\s+linux-(image|headers|modules)/ {print $2}' | grep -v "${latest_kernel}"); \
+                    apt-get purge -y $(dpkg -l | awk '/^ii\s+linux-(image|headers|modules)/ {print $2}' | grep -E 'linux-(image|headers|modules)-[0-9]' | grep -v "${latest_kernel}"); \
                 fi && \
                 apt-get autoremove -y && \
                 rm -rf /var/lib/apt/lists/*

ubuntu-stig/Dockerfile.ubuntu24.04

@@ -0,0 +1,191 @@
+FROM quay.io/kairos/kairos-init:v0.5.28 AS kairos-init
+FROM ubuntu:24.04
+
+ARG KAIROS_VERSION=v3.5.9
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN --mount=type=bind,from=kairos-init,src=/kairos-init,dst=/kairos-init /kairos-init -l debug --version "${KAIROS_VERSION}" -m "generic" -t "false"
+
+# Enable universe repository for scap-security-guide
+RUN apt-get update && apt-get install -y --no-install-recommends software-properties-common && \
+    add-apt-repository universe && \
+    apt-get update
+
+# Configure dracut to skip problematic modules before installation
+# This prevents errors with livenet/network module dependencies during install
+RUN mkdir -p /etc/dracut.conf.d && \
+    echo 'omit_dracutmodules+=" livenet network network-legacy systemd-networkd "' > /etc/dracut.conf.d/99-skip-livenet.conf && \
+    echo 'hostonly="no"' >> /etc/dracut.conf.d/99-skip-livenet.conf
+
+# Install packages, allowing dracut post-install failures
+# Dracut post-install scripts will fail due to livenet/network dependencies,
+# but packages will be installed. We regenerate initramfs manually later anyway.
+RUN set +e && \
+    apt-get install -y --no-install-recommends \
+      squashfs-tools \
+      dracut-live \
+      efibootmgr \
+      dhcpcd5 \
+      auditd \
+      sudo \
+      systemd \
+      parted \
+      dracut \
+      e2fsprogs \
+      dosfstools \
+      coreutils \
+      dmsetup \
+      grub2-common \
+      grub-pc-bin \
+      grub-efi-amd64-bin \
+      grub-efi-amd64-signed \
+      which \
+      nano \
+      gawk \
+      haveged \
+      policykit-1 \
+      ncurses-base \
+      tar \
+      kbd \
+      lvm2 \
+      zstd \
+      openssh-server \
+      openssh-client \
+      shim-signed \
+      open-vm-tools \
+      open-iscsi \
+      iptables ethtool socat iproute2 conntrack \
+      linux-image-generic \
+      cloud-guest-utils \
+      rsync jq \
+      ssg-base ssg-debderived \
+      openscap-scanner \
+      ufw; \
+    INSTALL_EXIT=$?; \
+    if [ $INSTALL_EXIT -ne 0 ]; then \
+      echo "Package installation had errors (likely dracut post-install), attempting to fix..."; \
+      dpkg --configure -a || true; \
+      apt-get install -f -y || true; \
+    fi; \
+    set -e
+
+# Ensure kernel packages and their dependencies are properly installed
+# This is critical for the Earthfile kernel cleanup step
+RUN apt-get update && \
+    echo "Checking for held packages..." && \
+    HELD_PKGS=$(apt-mark showhold | grep -E "linux-image|linux-modules" || true) && \
+    if [ -n "$HELD_PKGS" ]; then \
+        echo "Found held kernel packages, unholding them:"; \
+        echo "$HELD_PKGS"; \
+        echo "$HELD_PKGS" | xargs -r apt-mark unhold || true; \
+    fi && \
+    apt-get install -y --no-install-recommends --fix-broken && \
+    apt-get install -y --no-install-recommends -f && \
+    echo "Verifying linux-image-generic installation..." && \
+    if dpkg -l | grep -q "^ii.*linux-image-generic"; then \
+        echo "linux-image-generic is installed"; \
+        echo "Checking its dependencies..."; \
+        apt-cache depends linux-image-generic | grep "Depends:" | head -10 || true; \
+        echo "Installed kernel packages:"; \
+        dpkg -l | grep -E "^ii.*linux-(image|modules)" | head -10 || true; \
+        echo "Ensuring kernel dependencies are installed..."; \
+        apt-get install -y --no-install-recommends linux-image-generic || true; \
+    else \
+        echo "WARNING: linux-image-generic is not installed!"; \
+    fi && \
+    apt-get clean && rm -rf /var/lib/apt/lists/*
+
+RUN sed -i 's/\bsource\b/./g' /system/oem/00_rootfs.yaml
+RUN sed -i 's/\bsource\b/./g' /system/oem/09_openrc_services.yaml
+RUN sed -i 's/\bsource\b/./g' /system/oem/50_recovery.yaml
+
+RUN mkdir -p /run/lock
+RUN touch /usr/libexec/.keep
+
+# Configure systemd services
+RUN systemctl enable systemd-networkd
+RUN systemctl enable systemd-resolved
+RUN systemctl enable ssh
+RUN systemctl enable systemd-udevd
+RUN systemctl enable systemd-logind.service
+# Disable dhcpcd - it conflicts with systemd-networkd; both request DHCP and cause dual IPs
+RUN systemctl disable dhcpcd 2>/dev/null || true
+
+COPY overlay/ubuntu24.04/ /
+
+# OpenSCAP workaround: create dummy rpmrc so CPE/platform detection doesn't error on Ubuntu
+# (OpenSCAP expects RPM files; Debian/Ubuntu has none - causes "Unknown IO error" in scans)
+RUN mkdir -p /usr/lib/rpm && echo '# Dummy for OpenSCAP CPE on Debian/Ubuntu' > /usr/lib/rpm/rpmrc
+
+RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && \
+  ln -sf "${kernel#/boot/}" /boot/vmlinuz
+# Create dummy dracut modules to satisfy dependencies
+# This prevents dracut from failing when dracut-live requires network modules
+RUN mkdir -p /usr/lib/dracut/modules.d/35systemd-networkd && \
+    echo '#!/bin/bash' > /usr/lib/dracut/modules.d/35systemd-networkd/module-setup.sh && \
+    echo '# Dummy module to satisfy dracut-live dependencies' >> /usr/lib/dracut/modules.d/35systemd-networkd/module-setup.sh && \
+    echo 'check() { return 0; }' >> /usr/lib/dracut/modules.d/35systemd-networkd/module-setup.sh && \
+    echo 'install() { return 0; }' >> /usr/lib/dracut/modules.d/35systemd-networkd/module-setup.sh && \
+    chmod +x /usr/lib/dracut/modules.d/35systemd-networkd/module-setup.sh && \
+    mkdir -p /usr/lib/dracut/modules.d/45network-legacy && \
+    echo '#!/bin/bash' > /usr/lib/dracut/modules.d/45network-legacy/module-setup.sh && \
+    echo '# Dummy module to satisfy dracut-live dependencies' >> /usr/lib/dracut/modules.d/45network-legacy/module-setup.sh && \
+    echo 'check() { return 0; }' >> /usr/lib/dracut/modules.d/45network-legacy/module-setup.sh && \
+    echo 'install() { return 0; }' >> /usr/lib/dracut/modules.d/45network-legacy/module-setup.sh && \
+    chmod +x /usr/lib/dracut/modules.d/45network-legacy/module-setup.sh
+# Regenerate initramfs with dracut
+RUN kernel=$(ls /lib/modules | head -n1) && \
+  dracut -v -N --no-hostonly -f "/boot/initrd-${kernel}" "${kernel}" && \
+  ln -sf "initrd-${kernel}" /boot/initrd && depmod -a "${kernel}"
+RUN rm -rf /boot/initramfs-*
+
+# Ensure kernel packages are properly installed and dependencies are satisfied
+# This prevents issues when the Earthfile tries to purge old kernels
+RUN echo "Verifying kernel package installation..." && \
+    KERNEL_PKG=$(dpkg -l | grep "^ii.*linux-image-generic" | awk '{print $2}' || echo "") && \
+    if [ -n "$KERNEL_PKG" ]; then \
+        echo "Found kernel package: $KERNEL_PKG"; \
+        echo "Checking dependencies..."; \
+        apt-get update && \
+        apt-get install -y --no-install-recommends --fix-broken && \
+        apt-get install -y --no-install-recommends -f && \
+        echo "Kernel packages:" && \
+        dpkg -l | grep -E "linux-image|linux-modules" | head -10 || true; \
+    fi && \
+    apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Verify STIG content is available, install full scap-security-guide if needed
+RUN echo "Checking for STIG XCCDF files..." && \
+    echo "Installed SSG packages:" && \
+    dpkg -l | grep -E "ssg|scap" || echo "No SSG packages found" && \
+    echo "Files provided by ssg-base:" && \
+    dpkg -L ssg-base 2>/dev/null | grep -E "\.xml$|ds\.xml" | head -10 || echo "ssg-base not installed or no XML files" && \
+    echo "Files provided by ssg-debderived:" && \
+    dpkg -L ssg-debderived 2>/dev/null | grep -E "\.xml$|ds\.xml" | head -10 || echo "ssg-debderived not installed or no XML files" && \
+    if [ ! -f "/usr/share/xml/scap/ssg/content/ssg-ubuntu2404-ds.xml" ] && \
+       [ ! -f "/usr/share/scap-security-guide/ssg-ubuntu2404-ds.xml" ] && \
+       [ ! -f "/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml" ]; then \
+        echo "STIG files not found, attempting to install full scap-security-guide package..."; \
+        apt-get update && \
+        apt-get install -y --no-install-recommends scap-security-guide || \
+        (echo "scap-security-guide not available, listing all STIG files:" && \
+         find /usr/share -name "*ubuntu*ds.xml" -type f 2>/dev/null | head -20 || echo "No Ubuntu STIG files found" && \
+         echo "All SSG XML files:" && \
+         find /usr/share -name "*ssg*.xml" -type f 2>/dev/null | head -20 || echo "No SSG XML files found"); \
+        apt-get clean && rm -rf /var/lib/apt/lists/*; \
+    else \
+        echo "STIG XCCDF file found!"; \
+    fi
+
+# Note: Some remediation rules may fail (e.g., download-dependent rules) - this is expected
+# Static STIG content (optional): for reproducible releases, run scripts/update-stig-content.sh
+# Without static content: build uses system scap-security-guide (latest STIG for customers who want current content)
+COPY static/ /tmp/stig-static/
+COPY stig-remediate.sh /tmp/stig-remediate.sh
+RUN chmod +x /tmp/stig-remediate.sh && \
+    /tmp/stig-remediate.sh 2>&1 && \
+    rm -f /tmp/stig-remediate.sh
+
+RUN mkdir -p /etc/luet/repos.conf.d
+## Clear cache
+RUN rm -rf /var/cache/* && journalctl --vacuum-size=1K && rm -f /etc/machine-id