Update README.md
@@ -554,6 +554,32 @@ If you ran `remediate.sh` (which uses UFW) and then `nist-800-53-harden-v2.sh` (
├── nist-800-53-harden-v2.sh # Step 2: OS hardening (iptables, CIS/Wazuh aligned)
└── remediate.sh # Step 3: Post-scan targeted fixes
```
---
## Post-Clone Identity Reset
When cloning from the template, each new VM must have a unique machine ID and SSH host keys. The `firstboot-harden.service` handles SSH key regeneration automatically, and cloud-init regenerates the machine ID — but if cloud-init is not configured or the firstboot service didn't run, perform these steps manually after the first boot of each clone.
**Regenerate the machine ID:**
```bash
sudo rm -f /etc/machine-id
sudo systemd-machine-id-setup
sudo rm -f /var/lib/dbus/machine-id
sudo ln -s /etc/machine-id /var/lib/dbus/machine-id
```
**Regenerate SSH host keys:**
```bash
sudo rm -f /etc/ssh/ssh_host_*
sudo ssh-keygen -A
sudo systemctl restart ssh
```
Without these steps, cloned VMs will share the same machine ID (which breaks DHCP leases, logging, and systemd journal identification) and the same SSH host keys (which triggers host key mismatch warnings on your admin workstation and would allow impersonation between clones).
---
## License
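Review bot: the manual "Post-Clone Identity Reset" procedure stops at `sudo systemctl restart ssh` with no verification step and no cleanup on the admin side. Since the prose says a host key mismatch warning is the symptom of an impersonation risk between clones, the reader should be told to confirm the reset worked (compare `cat /etc/machine-id` and `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` against the template's values) and to remove the template's stale entry from the workstation's known_hosts with `ssh-keygen -R <host>` instead of accepting the warning blindly. Two smaller points: `systemctl restart ssh` assumes the Debian/Ubuntu unit name (RHEL-family installs use `sshd`), so either state the target distribution or show both; and `ssh-keygen -A` creates a host key for every type the installed OpenSSH build supports, so if `nist-800-53-harden-v2.sh` restricts the `HostKey` directives in sshd_config, the README should say which generated key files to keep or delete afterwards.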