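# Complete Enhancement Template
# Copy these sections into each VM YAML file (cloud-init user-data).
#
# Ordering note: cloud-init applies `write_files` in an earlier stage than
# `runcmd`, so the 20auto-upgrades file from section 5 exists before the
# shell steps in section 4 run; `final_message` is printed last.

# 1. Add to packages list (after lsb-release):
#    (indent to match the existing `packages:` entries)
  - chrony
  - unattended-upgrades
  - apt-listchanges

# 2. Add NTP configuration (after package_upgrade: true):
# Time synchronization (NTP)
ntp:
  enabled: true
  ntp_client: chrony
  servers:
    - 0.pool.ntp.org
    - 1.pool.ntp.org
    - 2.pool.ntp.org
    - 3.pool.ntp.org

# 3. Update package verification (replace the for loop):
for pkg in qemu-guest-agent curl wget net-tools chrony unattended-upgrades; do

# 4. Add before final_message (after guest agent verification).
#    These are `runcmd:`-style list items; each `- |` block is one shell
#    step. They are written to be POSIX-sh compatible since the shell that
#    cloud-init runs them under is not specified here.

  # Configure automatic security updates
  - |
    echo "Configuring automatic security updates..."
    # Quoted heredoc on purpose: ${distro_id}/${distro_codename} are apt
    # configuration macros and must reach the file unexpanded.
    cat > /etc/apt/apt.conf.d/50unattended-upgrades <<'EOF'
    Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
    };
    Unattended-Upgrade::AutoFixInterruptedDpkg "true";
    Unattended-Upgrade::MinimalSteps "true";
    Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
    Unattended-Upgrade::Remove-Unused-Dependencies "true";
    Unattended-Upgrade::Automatic-Reboot "false";
    Unattended-Upgrade::Automatic-Reboot-Time "02:00";
    EOF
    # A syntax error in any apt.conf.d file breaks every later apt call,
    # so parse the whole apt configuration once before moving on.
    if ! apt-config dump >/dev/null; then
      echo "WARNING: apt configuration failed to parse after writing 50unattended-upgrades" >&2
    fi
    systemctl enable --now unattended-upgrades
    echo "Automatic security updates configured"

  # Configure NTP (Chrony)
  - |
    echo "Configuring NTP (Chrony)..."
    systemctl enable chrony
    systemctl restart chrony
    # Give chronyd a moment to come up before checking its state.
    sleep 3
    if systemctl is-active --quiet chrony; then
      echo "NTP (Chrony) is running"
      # Informational only; chronyc may fail before the first sync.
      chronyc tracking | head -n 1 || true
    else
      echo "WARNING: NTP (Chrony) may not be running"
    fi

  # SSH hardening
  - |
    echo "Hardening SSH configuration..."
    SSHD_CONFIG=/etc/ssh/sshd_config
    DROPIN_DIR=/etc/ssh/sshd_config.d

    # set_sshd_option KEY VALUE
    # Force a top-level keyword in sshd_config to VALUE: rewrite an
    # existing (commented or active) line whatever its current value, or
    # insert the line at the top of the file when the keyword is absent.
    # Inserting at the top rather than appending keeps the line out of any
    # trailing `Match` block and ahead of any `Include` directive (sshd
    # keeps the first value it reads for a keyword).
    set_sshd_option() {
      key=$1
      value=$2
      if grep -Eq "^#?${key}[[:space:]]" "$SSHD_CONFIG"; then
        sed -i -E "s/^#?${key}[[:space:]].*/${key} ${value}/" "$SSHD_CONFIG"
      else
        sed -i "1i ${key} ${value}" "$SSHD_CONFIG"
      fi
    }

    set_sshd_option PermitRootLogin no
    set_sshd_option PasswordAuthentication no
    set_sshd_option PubkeyAuthentication yes

    # On systems whose sshd_config includes sshd_config.d/*.conf, drop-ins
    # (e.g. one written by cloud-init) are read before the rest of the main
    # file, so also install a drop-in that sorts first.
    if [ -d "$DROPIN_DIR" ] && grep -q "^Include ${DROPIN_DIR}/" "$SSHD_CONFIG"; then
      printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' 'PubkeyAuthentication yes' \
        > "${DROPIN_DIR}/00-hardening.conf"
      chmod 0644 "${DROPIN_DIR}/00-hardening.conf"
    fi

    # Validate before restarting: restarting with a broken config would
    # leave the VM unreachable. On failure the running sshd keeps its old
    # config and the step reports the problem instead of aborting runcmd.
    if sshd -t; then
      systemctl restart sshd
      echo "SSH hardening completed"
    else
      echo "WARNING: sshd configuration failed validation; sshd was NOT restarted" >&2
    fi

  # Post-boot status summary.
  # This is a shell step because `final_message` does not perform $(...)
  # command substitution; it only expands cloud-init's own keys (such as
  # $timestamp and $uptime), so dynamic values must be printed from here.
  - |
    echo "Post-boot status summary:"
    for svc in qemu-guest-agent chrony unattended-upgrades; do
      echo "  - ${svc}: $(systemctl is-active "$svc")"
    done
    echo "  - Hostname: $(hostname)"
    echo "  - IP Address: $(hostname -I | awk '{print $1}')"
    echo "  - Time: $(date)"

# 5. Write files for security configuration
write_files:
  # Enables the periodic apt timers that actually trigger unattended-upgrade.
  - path: /etc/apt/apt.conf.d/20auto-upgrades
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Download-Upgradeable-Packages "1";
      APT::Periodic::AutocleanInterval "7";
      APT::Periodic::Unattended-Upgrade "1";
    permissions: '0644'
    owner: root:root

# 6. Final message
# Only cloud-init's own keys ($timestamp, $uptime, $version, $datasource)
# are substituted here; shell command substitution is not performed, so
# live values are emitted by the "Post-boot status summary" runcmd step.
final_message: |
  ==========================================
  System Boot Completed Successfully!
  ==========================================
  Finished at: $timestamp (uptime: $uptime s)

  Service status and host details are printed by the
  "Post-boot status summary" step in /var/log/cloud-init-output.log.

  Packages Installed:
  - qemu-guest-agent, curl, wget, net-tools
  - chrony (NTP), unattended-upgrades (Security)

  Security Configuration:
  - SSH: Root login disabled, Password auth disabled
  - Automatic security updates: Enabled
  - NTP synchronization: Enabled

  Next Steps:
  1. Verify all services are running
  2. Check cloud-init logs: /var/log/cloud-init-output.log
  3. Test SSH access
  ==========================================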