diff --git a/.DS_Store b/.DS_Store index 18b55040..65b247f9 100644 Binary files a/.DS_Store and b/.DS_Store differ diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst index a5c4e034..76c3a8a4 100644 --- a/CONTRIBUTING.rst +++ b/CONTRIBUTING.rst @@ -5,9 +5,12 @@ Rules ----- 1) All commits must be GPG signed (details in Signing section) 2) All commits must have Signed-off-by (Signed-off-by: Joan Doe ) in the commit message (details in Signing section) -3) All work is done in your own branch +3) All work is done in your own branch or own fork +4) Pull requests + a) From within the repo: All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing + b) From a forked repo: All pull requests will go into a staging branch within the repo. There are automated checks for signed commits, signoff in commit message, and functional testing when going from staging to devel 4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing) -5) Be open and nice to eachother +5) Be open and nice to each other Workflow -------- diff --git a/README.md b/README.md index d96fb7ba..793eca37 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ Ubuntu 20 CIS ![Release](https://img.shields.io/github/v/release/ansible-lockdown/UBUNTU20-CIS?style=plastic) -Configure Ubuntu 20 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant. There are some intrusive tasks that have a toggle in defaults main.yml to disable to automated fix +Configure Ubuntu 20 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) v1.1.0 compliant. There are some intrusive tasks that have a toggle in defaults main.yml to disable to automated fix Caution(s) ------- diff --git a/defaults/main.yml b/defaults/main.yml index e0164f13..2925d6d9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -47,8 +47,8 @@ ubtu20cis_system_is_container: false system_is_ec2: false # Section 1 Fixes -# Section 1 is Iniitial setup (FileSystem Configuration, Configure Software Updates, Configure sudo, Filesystem Integrity Checking, Secure Boot Settings, -# Additional Process Hardening, Mandatory Access Control, and Warning Banners) +# Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings, +# Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager) ubtu20cis_rule_1_1_1_1: true ubtu20cis_rule_1_1_1_2: true ubtu20cis_rule_1_1_1_3: true 
@@ -83,63 +83,62 @@ ubtu20cis_rule_1_2_1: true ubtu20cis_rule_1_2_2: true ubtu20cis_rule_1_3_1: true ubtu20cis_rule_1_3_2: true -ubtu20cis_rule_1_3_3: true ubtu20cis_rule_1_4_1: true ubtu20cis_rule_1_4_2: true +ubtu20cis_rule_1_4_3: true +ubtu20cis_rule_1_4_4: true ubtu20cis_rule_1_5_1: true ubtu20cis_rule_1_5_2: true ubtu20cis_rule_1_5_3: true -ubtu20cis_rule_1_6_1: true -ubtu20cis_rule_1_6_2: true -ubtu20cis_rule_1_6_3: true -ubtu20cis_rule_1_6_4: true -ubtu20cis_rule_1_7_1_1: true -ubtu20cis_rule_1_7_1_2: true -ubtu20cis_rule_1_7_1_3: true -ubtu20cis_rule_1_7_1_4: true -ubtu20cis_rule_1_8_1_1: true -ubtu20cis_rule_1_8_1_2: true -ubtu20cis_rule_1_8_1_3: true -ubtu20cis_rule_1_8_1_4: true -ubtu20cis_rule_1_8_1_5: true -ubtu20cis_rule_1_8_1_6: true +ubtu20cis_rule_1_5_4: true +ubtu20cis_rule_1_6_1_1: true +ubtu20cis_rule_1_6_1_2: true +ubtu20cis_rule_1_6_1_3: true +ubtu20cis_rule_1_6_1_4: true +ubtu20cis_rule_1_7_1: true +ubtu20cis_rule_1_7_2: true +ubtu20cis_rule_1_7_3: true +ubtu20cis_rule_1_7_4: true +ubtu20cis_rule_1_7_5: true +ubtu20cis_rule_1_7_6: true +ubtu20cis_rule_1_8_1: true +ubtu20cis_rule_1_8_2: true +ubtu20cis_rule_1_8_3: true +ubtu20cis_rule_1_8_4: true ubtu20cis_rule_1_9: true -ubtu20cis_rule_1_10: true # Section 2 Fixes -# Section 2 is Services (inetd, special purpose, and service clients) -ubtu20cis_rule_2_1_1: true +# Section 2 is Services (Special Purpose Services, and service clients) +ubtu20cis_rule_2_1_1_1: true +ubtu20cis_rule_2_1_1_2: true +ubtu20cis_rule_2_1_1_3: true +ubtu20cis_rule_2_1_1_4: true ubtu20cis_rule_2_1_2: true -ubtu20cis_rule_2_2_1_1: true -ubtu20cis_rule_2_2_1_2: true -ubtu20cis_rule_2_2_1_3: true -ubtu20cis_rule_2_2_1_4: true +ubtu20cis_rule_2_1_3: true +ubtu20cis_rule_2_1_4: true +ubtu20cis_rule_2_1_5: true +ubtu20cis_rule_2_1_6: true +ubtu20cis_rule_2_1_7: true +ubtu20cis_rule_2_1_8: true +ubtu20cis_rule_2_1_9: true +ubtu20cis_rule_2_1_10: true +ubtu20cis_rule_2_1_11: true +ubtu20cis_rule_2_1_12: true 
+ubtu20cis_rule_2_1_13: true +ubtu20cis_rule_2_1_14: true +ubtu20cis_rule_2_1_15: true +ubtu20cis_rule_2_1_16: true +ubtu20cis_rule_2_1_17: true +ubtu20cis_rule_2_2_1: true ubtu20cis_rule_2_2_2: true ubtu20cis_rule_2_2_3: true ubtu20cis_rule_2_2_4: true ubtu20cis_rule_2_2_5: true ubtu20cis_rule_2_2_6: true -ubtu20cis_rule_2_2_7: true -ubtu20cis_rule_2_2_8: true -ubtu20cis_rule_2_2_9: true -ubtu20cis_rule_2_2_10: true -ubtu20cis_rule_2_2_11: true -ubtu20cis_rule_2_2_12: true -ubtu20cis_rule_2_2_13: true -ubtu20cis_rule_2_2_14: true -ubtu20cis_rule_2_2_15: true -ubtu20cis_rule_2_2_16: true -ubtu20cis_rule_2_2_17: true -ubtu20cis_rule_2_3_1: true -ubtu20cis_rule_2_3_2: true -ubtu20cis_rule_2_3_3: true -ubtu20cis_rule_2_3_4: true -ubtu20cis_rule_2_3_5: true -ubtu20cis_rule_2_3_6: true -ubtu20cis_rule_2_4: true +ubtu20cis_rule_2_3: true # Section 3 Fixes -# Section 3 is Network Configuration (disable unused networks, network parameters (host and router), uncommon network protocols, and firewall configuration) +# Section 3 is Network Configuration (Disable Unused Networks, Network Parameters (Host Only), Network Parameters (Host and Router), Uncommon Network Protocols, and Firewall Configuration) ubtu20cis_rule_3_1_1: true ubtu20cis_rule_3_1_2: true ubtu20cis_rule_3_2_1: true @@ -187,7 +186,7 @@ ubtu20cis_rule_3_5_3_3_3: true ubtu20cis_rule_3_5_3_3_4: true # Section 4 Fixes -# Section 4 is Logging and Auditing (configure system accounting (auditd) and configure logging) +# Section 4 is Logging and Auditing (Configure System Accounting (auditd), Configure Data Retention, and Configure Logging) ubtu20cis_rule_4_1_1_1: true ubtu20cis_rule_4_1_1_2: true ubtu20cis_rule_4_1_1_3: true 
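Review bot: Renaming the per-rule toggles in this hunk (old `ubtu20cis_rule_1_3_3`, `_1_6_*`, `_1_7_1_*`, `_1_8_1_*`, `_1_10` and the whole `_2_2_*`/`_2_3_*` block disappear, and `_2_1_*` now means something different) silently invalidates every inventory or group_vars override written against the old names, and each renamed rule comes back as `true`, so an operator who deliberately disabled an intrusive control gets it re-enabled on the next run with no warning. Consider a guard task that fails when any legacy name is still defined, e.g. an `assert` with `that: vars | select('match', '^ubtu20cis_rule_(1_6|1_7_1|1_8_1|2_2|2_3)_') | list | length == 0`, plus an old-to-new variable mapping in the changelog. The README line that now says v1.1.0 should also state that the rule numbering, and therefore the variable names, changed with the benchmark version.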
@@ -224,8 +223,8 @@ ubtu20cis_rule_4_3: true ubtu20cis_rule_4_4: true # Section 5 Fixes -# Section 5 is Access, Authentication, and Authorization (configure cron, configure ssh server, configure PAM -# and user accounts and environment) +# Section 5 is Access, Authentication, and Authorization (Configure time-based job schedulers, Configure sudo, Configure SSH Server, Configure PAM +# and User Accounts and Environment) ubtu20cis_rule_5_1_1: true ubtu20cis_rule_5_1_2: true ubtu20cis_rule_5_1_3: true 
@@ -238,43 +237,46 @@ ubtu20cis_rule_5_1_9: true ubtu20cis_rule_5_2_1: true ubtu20cis_rule_5_2_2: true ubtu20cis_rule_5_2_3: true -ubtu20cis_rule_5_2_4: true -ubtu20cis_rule_5_2_5: true -ubtu20cis_rule_5_2_6: true -ubtu20cis_rule_5_2_7: true -ubtu20cis_rule_5_2_8: true -ubtu20cis_rule_5_2_9: true -ubtu20cis_rule_5_2_10: true -ubtu20cis_rule_5_2_11: true -ubtu20cis_rule_5_2_12: true -ubtu20cis_rule_5_2_13: true -ubtu20cis_rule_5_2_14: true -ubtu20cis_rule_5_2_15: true -ubtu20cis_rule_5_2_16: true -ubtu20cis_rule_5_2_17: true -ubtu20cis_rule_5_2_18: true -ubtu20cis_rule_5_2_19: true -ubtu20cis_rule_5_2_20: true -ubtu20cis_rule_5_2_21: true -ubtu20cis_rule_5_2_22: true ubtu20cis_rule_5_3_1: true ubtu20cis_rule_5_3_2: true ubtu20cis_rule_5_3_3: true ubtu20cis_rule_5_3_4: true -ubtu20cis_rule_5_4_1_1: true -ubtu20cis_rule_5_4_1_2: true -ubtu20cis_rule_5_4_1_3: true -ubtu20cis_rule_5_4_1_4: true -ubtu20cis_rule_5_4_1_5: true +ubtu20cis_rule_5_3_5: true +ubtu20cis_rule_5_3_6: true +ubtu20cis_rule_5_3_7: true +ubtu20cis_rule_5_3_8: true +ubtu20cis_rule_5_3_9: true +ubtu20cis_rule_5_3_10: true +ubtu20cis_rule_5_3_11: true +ubtu20cis_rule_5_3_12: true +ubtu20cis_rule_5_3_13: true +ubtu20cis_rule_5_3_14: true +ubtu20cis_rule_5_3_15: true +ubtu20cis_rule_5_3_16: true +ubtu20cis_rule_5_3_17: true +ubtu20cis_rule_5_3_18: true +ubtu20cis_rule_5_3_19: true +ubtu20cis_rule_5_3_20: true +ubtu20cis_rule_5_3_21: true +ubtu20cis_rule_5_3_22: true +ubtu20cis_rule_5_4_1: true ubtu20cis_rule_5_4_2: true ubtu20cis_rule_5_4_3: true ubtu20cis_rule_5_4_4: true -ubtu20cis_rule_5_4_5: true -ubtu20cis_rule_5_5: true +ubtu20cis_rule_5_5_1_1: true +ubtu20cis_rule_5_5_1_2: true +ubtu20cis_rule_5_5_1_3: true +ubtu20cis_rule_5_5_1_4: true +ubtu20cis_rule_5_5_1_5: true +ubtu20cis_rule_5_5_2: true +ubtu20cis_rule_5_5_3: true +ubtu20cis_rule_5_5_4: true +ubtu20cis_rule_5_5_5: true ubtu20cis_rule_5_6: true +ubtu20cis_rule_5_7: true # Section 6 Fixes -# Section is Systme Maintenance (system file 
permissions and user and group settings) +# Section is Systme Maintenance (System File Permissions and User and Group Settings) ubtu20cis_rule_6_1_1: true ubtu20cis_rule_6_1_2: true ubtu20cis_rule_6_1_3: true @@ -341,9 +343,9 @@ ubtu20cis_ipv4_required: true ubtu20cis_ipv6_required: false # Other system wide variables -# ubtu20cis_xwindows_required is the toggle for requiring x windows. True means you use X Windoes (not recommented for servers) -# false means you do not require X Windows enabled -ubtu20cis_xwindows_required: false +# ubtu20cis_desktop_required is the toggle for requiring desktop environments. True means you use a desktop and will not disable/remove needed items to run a desktop (not recommented for servers) +# false means you do not require a desktop +ubtu20cis_desktop_required: false # Section 1 Control Variables # Control 1.1.2/1.1.3/1.1.4/1.1.5 @@ -373,16 +375,7 @@ ubtu20cis_vartmp: opts: "defaults,nodev,nosuid,noexec,bind" enabled: false -# Control 1.3.1 -# ubtu20cis_sudo_package is the name of the sudo package to install -# The possible values are "sudo" or "sudo-ldap" -ubtu20cis_sudo_package: "sudo" - -# Control 1.3.3 -# ubtu20cis_sudo_logfile is the path and file name of the sudo log file -ubtu20cis_sudo_logfile: "/var/log/sudo.log" - -# Control 1.4.2 +# Control 1.3.2 # These are the crontab settings for file system integrity enforcement ubtu20cis_aide_cron: cron_user: root 
@@ -394,31 +387,31 @@ ubtu20cis_aide_cron: aide_month: '*' aide_weekday: '*' -# Control 1.5.3 -# THIS VARAIBLE SHOULD BE CHANGED AND INCORPROATED INTO VAULT +# Control 1.4.4 +# THIS VARAIBLE SHOULD BE CHANGED AND INCORPORATED INTO VAULT # THIS VALUE IS WHAT THE ROOT PW WILL BECOME!!!!!!!! # HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!! ubtu20cis_root_pw: "Password1" -# Control 1.8.1.1 +# Control 1.8.2 # This will be the motd banner must not contain the below items in order to be compliant with Ubuntu 20 CIS # \m, \r, \s, \v or references to the OS platform ubtu20cis_warning_banner: | Authorized uses only. All activity may be monitored and reported. # Section 2 Control Variables -# Control 2.2.1.1 +# Control 2.1.1.1 # ubtu20cis_time_sync_tool is the tool in which to synchronize time # The two options are chrony, ntp, or systemd-timesyncd ubtu20cis_time_sync_tool: "ntp" -# Control 2.2.1.2 +# Control 2.1.1.2 # ubtu20cis_ntp_server_list is the list ntp servers # ubtu20cis_ntp_fallback_server_list is the list of fallback NTP servers ubtu20cis_ntp_server_list: "0.debian.pool.ntp.org 1.debian.pool.ntp.org" ubtu20cis_ntp_fallback_server_list: "2.debian.pool.ntp.org 3.debian.pool.ntp.org" -# Control 2.2.1.3/2.2.1.4 +# Control 2.1.1.3/2.1.1.4 # ubtu20cis_chrony_server_options is the server options for chrony ubtu20cis_chrony_server_options: "minpoll 8" # ubtu20cis_time_synchronization_servers are the synchronization servers @@ -432,7 +425,7 @@ ubtu20cis_chrony_user: "_chrony" # ubtu20cis_ntp_server_options is the server options for ntp ubtu20cis_ntp_server_options: "iburst" -# Control 2.2.15 +# Control 2.1.15 # ubtu20_cis_mail_transfer_agent is the mail transfer agent in use # The options are exim4, postfix or other ubtu20_cis_mail_transfer_agent: "other" 
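Review bot: `ubtu20cis_root_pw: "Password1"` is still shipped as a live default on the new side, now filed under Control 1.4.4, and since `ubtu20cis_rule_1_4_4` defaults to `true` a run without an override sets the root password to a guessable value; the surrounding comment shouts that it must be changed but nothing enforces it. Prefer an empty default, `ubtu20cis_root_pw: ""`, and have the 1.4.4 task `assert` before touching the account, e.g. `that: ubtu20cis_root_pw | length > 0 and ubtu20cis_root_pw != 'Password1'`, with `no_log: true` on the task that applies the hash. The comment for `ubtu20cis_time_sync_tool` says "The two options" and then lists three; `The options are chrony, ntp, or systemd-timesyncd` would be accurate.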
@@ -510,31 +503,43 @@ ubtu20cis_logrotate: "daily" ubtu20cis_logrotate_create_settings: "0640 root utmp" # Section 5 Control Variables +# Control 5.2.1 +# ubtu20cis_sudo_package is the name of the sudo package to install +# The possible values are "sudo" or "sudo-ldap" +ubtu20cis_sudo_package: "sudo" + +# Control 5.2.3 +# ubtu20cis_sudo_logfile is the path and file name of the sudo log file +ubtu20cis_sudo_logfile: "/var/log/sudo.log" + # ubtu20cis_sshd will contain all sshd variables. The task association and variable descriptions for each section are listed below -# Control 5.2.4 +# Control 5.3.4 +# allow_users, allow_groups, deny_users, and deny_groups. These are lists of users and groups to allow or deny ssh access to +# These are lists that are just space delimited, for example allow_users: "vagrant ubuntu" for the vagrant and ubuntu users +# Control 5.3.5 # log_level is the log level variable. This needs to be set to VERBOSE or INFO to conform to CIS standards -# Control 5.2.6 +# Control 5.3.7 # max_auth_tries is the max number of authentication attampts per connection. # This value should be 4 or less to conform to CIS standards -# Control 5.2.12 +# Control 5.3.13 # ciphers is a comma seperated list of site approved ciphers # ONLY USE STRONG CIPHERS. Weak ciphers are listed below # DO NOT USE: 3des-cbc, aes128-cbc, aes192-cbc, and aes256-cbc -# Control 5.2.13 +# Control 5.3.14 # MACs is the comma seperated list of site approved MAC algorithms that SSH can use during communication # ONLY USE STRONG ALGORITHMS. 
Weak algorithms are listed below # DO NOT USE: hmac-md5, hmac-md5-96, hmac-ripemd160, hmac-sha1, hmac-sha1-96, umac-64@openssh.com, umac-128@openssh.com, hmac-md5-etm@openssh.com, # hmac-md5-96-etm@openssh.com, hmac-ripemd160-etm@openssh.com, hmac-sha1-etm@openssh.com, hmac-sha1-96-etm@openssh.com, umac-64-etm@openssh.com, umac-128-etm@openssh.com -# Control 5.2.14 +# Control 5.3.15 # kex_algorithms is comma seperated list of the algorithms for key exchange methods # ONLY USE STRONG ALGORITHMS. Weak algorithms are listed below # DO NOT USE: diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1 -# Control 5.2.15 +# Control 5.3.16 # client_alive_interval is the amount of time idle before ssh session terminated. Set to 300 or less to conform to CIS standards # client_alive_count_max will send client alive messages at the configured interval. Set to 3 or less to conform to CIS standards -# Control 5.2.16 +# Control 5.3.17 # login_grace_time is the time allowed for successful authentication to the SSH server. This needs to be set to 60 seconds or less to conform to CIS standards -# Control 5.2.22 +# Control 5.3.22 # max_sessions is the max number of open sessions permitted. Set the value to 4 or less to conform to CIS standards ubtu20cis_sshd: log_level: "INFO" 
@@ -552,19 +557,19 @@ ubtu20cis_sshd: # deny_users: # deny_groups: -# Control 5.3.3 +# Control 5.4.3 # ubtu20cis_pamd_pwhistory_remember is number of password chnage cycles a user can re-use a password # This needs to be 5 or more to conform to CIS standards ubtu20cis_pamd_pwhistory_remember: 5 # ubtu20cis_pass will be password based variables -# # Control 5.4.1.1 -# max_days forces passwords to expire in configured number of days. Set to 365 or less to conform to CIS standards -# Control 5.4.1.2 +# Control 5.5.1.1 # pass_min_days is the min number of days allowed between changing passwords. Set to 1 or more to conform to CIS standards -# Control 5.4.1.3 +# Control 5.5.1.2 +# max_days forces passwords to expire in configured number of days. Set to 365 or less to conform to CIS standards +# Control 5.5.1.3 # warn_age is how many days before pw expiry the user will be warned. Set to 7 or more to conform to CIS standards -# Control 5.4.1.4 +# Control 5.5.1.4 # inactive the number of days of inactivity before the account will lock. Set to 30 day sor less to conform to CIS standards ubtu20cis_pass: max_days: 365 @@ -572,14 +577,14 @@ ubtu20cis_pass: warn_age: 7 inactive: 30 -# Control 5.4.5 +# Control 5.5.5 # Session timeout setting file (TMOUT setting can be set in multiple files) # Timeout value is in seconds. Set value to 900 seconds or less ubtu20cis_shell_session_timeout: file: /etc/profile.d/tmout.sh timeout: 900 -# Control 5.6 +# Control 5.7 # ubtu20cis_su_group is the su group to use with pam_wheel ubtu20cis_su_group: "wheel" 
@@ -607,6 +612,6 @@ ubtu20cis_no_group_adjust: true # Set to true this role will remove that bit, set to false we will just warn about the files ubtu20cis_suid_adjust: false -# Control 6.2.6 Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable +# Control 6.2.5 Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable # ubtu20cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}" ubtu20cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}" \ No newline at end of file diff --git a/handlers/main.yml b/handlers/main.yml index ac85ee64..846e700b 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -53,3 +53,6 @@ service: name: sshd state: restarted + +- name: reload gdm + command: dpkg-reconfigure gdm3 \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index cc0d47a8..2fd5cebf 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,8 +1,12 @@ --- # - debug: var=ansible_facts - name: Gather distribution info + # we need: + # - hardware for ansible_mounts + # - platform for ansible_architecture (ansible internal) + # - virtual for ansible_virtualization_type setup: - gather_subset: distribution,!all,!min + gather_subset: distribution,hardware,platform,virtual,!all,!min when: - ansible_distribution is not defined tags: 
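Review bot: The new `reload gdm` handler runs `dpkg-reconfigure gdm3` without forcing a non-interactive debconf frontend, so under Ansible (no tty) it can stall on, or fail at, the display-manager selection prompt; use `command: dpkg-reconfigure -f noninteractive gdm3` or set `environment: { DEBIAN_FRONTEND: noninteractive }` on the handler. It also reports `changed` on every fire and will error on hosts where gdm3 is not installed, so unless the notifying tasks are already gated, a `when: ubtu20cis_desktop_required` on the handler would keep headless servers from failing. The file also loses its trailing newline.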
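Review bot: The widened `gather_subset` only runs when `ansible_distribution is not defined`, yet the comment just added says the extra subsets exist to supply `ansible_mounts` and `ansible_virtualization_type`; a play that gathered facts with a `min`-style subset already has `ansible_distribution`, skips this task, and the role later dereferences facts that were never collected. Gate the task on the facts it actually needs, e.g. `when: ansible_distribution is not defined or ansible_mounts is not defined or ansible_virtualization_type is not defined`. The task's `tags:` list continues outside the hunk.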
@@ -34,37 +38,37 @@ ubtu20cis_section6_patch - name: Include section 1 patches - import_tasks: section1.yml + import_tasks: section_1/main.yml when: ubtu20cis_section1_patch tags: - section1 - name: Include section 2 patches - import_tasks: section2.yml + import_tasks: section_2/main.yml when: ubtu20cis_section2_patch tags: - section2 - name: Include section 3 patches - import_tasks: section3.yml + import_tasks: section_3/main.yml when: ubtu20cis_section3_patch tags: - section3 - name: Include section 4 patches - import_tasks: section4.yml + import_tasks: section_4/main.yml when: ubtu20cis_section4_patch tags: - section4 - name: Include section 5 patches - import_tasks: section5.yml + import_tasks: section_5/main.yml when: ubtu20cis_section5_patch tags: - section5 - name: Include section 6 patches - import_tasks: section6.yml + import_tasks: section_6/main.yml when: ubtu20cis_section6_patch tags: - section6 diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 76d6f6bf..fc625242 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -3,7 +3,7 @@ apt: update_cache: yes when: - - ubtu20cis_rule_1_4_1 + - ubtu20cis_rule_1_3_1 - name: "PRELIM | Check for autofs service" shell: "systemctl show autofs | grep LoadState | cut -d = -f 2" @@ -21,7 +21,7 @@ changed_when: false check_mode: false when: - - ubtu20cis_rule_2_2_3 + - ubtu20cis_rule_2_1_3 tags: - skip_ansible_lint @@ -38,15 +38,15 @@ name: acl state: present when: - - ubtu20cis_rule_6_2_5 + - ubtu20cis_rule_6_2_6 - ubtu20cis_install_network_manager - name: "PRELIM | List users accounts" command: "awk -F: '{print $1}' /etc/passwd" changed_when: false + check_mode: false register: ubtu20cis_users when: - ubtu20cis_rule_6_2_8 or ubtu20cis_rule_6_2_9 or - ubtu20cis_rule_6_2_10 or - ubtu20cis_rule_6_2_11 + ubtu20cis_rule_6_2_10 diff --git a/tasks/section1.yml b/tasks/section1.yml deleted file mode 100644 index 4cc31c84..00000000 --- a/tasks/section1.yml +++ /dev/null 
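Review bot: In the first prelim hunk `apt: update_cache: yes` is now gated solely on `ubtu20cis_rule_1_3_1` (apparently the AIDE install rule under v1.1.0), but other rules in the role install packages as well — the sudo package for 5.2.1 and `acl` later in this same file at least — so disabling 1.3.1 leaves those installs running against a possibly stale or empty apt cache and failing on a fresh image. Either drop the `when` and use `cache_valid_time: 3600` to keep the refresh cheap, or gate it on the union of every install-capable rule. The added `check_mode: false` on `PRELIM | List users accounts` is the right fix for a registered result used later; any other prelim task whose `register` is consumed by a patch task needs the same treatment.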
@@ -1,974 +0,0 @@ ---- -- name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled" - block: - - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config" - lineinfile: - dest: /etc/modprobe.d/cramfs.conf - regexp: "^(#)?install cramfs(\\s|$)" - line: install cramfs /bin/true - create: yes - - - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs" - modprobe: - name: cramfs - state: absent - when: ansible_connection != 'docker' - when: - - ubtu20cis_rule_1_1_1_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.1.1.1 - - cramfs - -- name: "1.1.1.2 | PATCH | Ensure mounting of freevxfs filesystems is disabled" - block: - - name: "SCORED | 1.1.1.2 | PATCH | Ensure mounting of freevxfs filesystems is disabled | Edit modprobe config" - lineinfile: - dest: /etc/modprobe.d/freevxfs.conf - regexp: "^(#)?install freevxfs(\\s|$)" - line: install freevxfs /bin/true - create: yes - - - name: "1.1.1.2 | PATCH | Ensure mounting of freevxfs filesystems is disabled | Disable freevxfs" - modprobe: - name: freevxfs - state: absent - when: ansible_connection != 'docker' - when: - - ubtu20cis_rule_1_1_1_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.1.1.2 - - freevxfs - -- name: "1.1.1.3 | PATCH | Ensure mounting of jffs2 filesystems is disabled" - block: - - name: "1.1.1.3 | PATCH | Ensure mounting of jffs2 filesystems is disabled | Edit modprobe config" - lineinfile: - dest: /etc/modprobe.d/jffs2.conf - regexp: "^(#)?install jffs2(\\s|$)" - line: install jffs2 /bin/true - create: yes - - - name: "1.1.1.3 | PATCH | Ensure mounting of jffs2 filesystems is disabled | Disable jffs2" - modprobe: - name: jffs2 - state: absent - when: ansible_connection != 'docker' - when: - - ubtu20cis_rule_1_1_1_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.1.1.3 - - jffs2 - -- name: "1.1.1.4 | PATCH | Ensure mounting of hfs filesystems 
is disabled" - block: - - name: "1.1.1.4 | PATCH | Ensure mounting of hfs filesystems is disabled | Edit modprobe config" - lineinfile: - dest: /etc/modprobe.d/hfs.conf - regexp: "^(#)?install hfs(\\s|$)" - line: install hfs /bin/true - create: yes - - - name: "1.1.1.4 | PATCH | Ensure mounting of hfs filesystems is disabled | Disable hfs" - modprobe: - name: hfs - state: absent - when: ansible_connection != 'docker' - when: - - ubtu20cis_rule_1_1_1_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.1.1.4 - - hfs - -- name: "1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled" - block: - - name: "1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled | Edit modprobe config" - lineinfile: - dest: /etc/modprobe.d/hfsplus.conf - regexp: "^(#)?install hfsplus(\\s|$)" - line: install hfsplus /bin/true - create: yes - - - name: "1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled | Disable hfsplus" - modprobe: - name: hfsplus - state: absent - when: ansible_connection != 'docker' - when: - - ubtu20cis_rule_1_1_1_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.1.1.5 - - hfsplus - -- name: "1.1.1.6 | PATCH | Ensure mounting of udf filesystems is disabled" - block: - - name: "1.1.1.6 | PATCH | Ensure mounting of udf filesystems is disabled | Edit modprobe config" - lineinfile: - dest: /etc/modprobe.d/udf.conf - regexp: "^(#)?install udf(\\s|$)" - line: install udf /bin/true - create: yes - - - name: "1.1.1.6 | PATCH | Ensure mounting of udf filesystems is disabled | Disable udf" - modprobe: - name: udf - state: absent - when: ansible_connection != 'docker' - when: - - ubtu20cis_rule_1_1_1_6 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.1.1.6 - - udf - -# ----------- -# ----------- -# Flagged as disruptive due to UEFI systems for EFI boot partitions being FAT. 
Also flash drives are also generally formatted in FAT -# ----------- -# ----------- -- name: "1.1.1.7 | PATCH | Ensure mounting of FAT filesystems is limited" - block: - - name: "1.1.1.7 | PATCH | Ensure mounting of FAT filesystems is limited | Edit modprobe config" - lineinfile: - dest: /etc/modprobe.d/vfat.conf - regexp: "^(#)?install vfat(\\s|$)" - line: install vfat /bin/true - create: yes - - - name: "1.1.1.7 | PATCH | Ensure mounting of FAT filesystems is limited | Disable FAT" - modprobe: - name: vfat - state: absent - when: ansible_connection != 'docker' - when: - - ubtu20cis_rule_1_1_1_7 - - ubtu20cis_disruption_high - tags: - - level2-server - - level2-workstation - - manual - - patch - - rule_1.1.1.7 - - vfat - -- name: "1.1.2 | PATCH | Ensure /tmp is configured" - mount: - path: /tmp - src: /tmp - state: mounted - fstype: tmpfs - opts: "{{ ubtu20cis_tmp_fstab_options }}" - when: - - ubtu20cis_rule_1_1_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.1.2 - - tmp - -- name: | - "1.1.3 | PATCH | Ensure nodev option set on /tmp partition" - "1.1.4 | PATCH | Ensure nosuid option set on /tmp partition" - "1.1.5 | PATCH | Ensure noexec option set on /tmp partition" - mount: - name: /tmp - src: /tmp - state: remounted - fstype: tmpfs - opts: "{{ ubtu20cis_tmp_fstab_options }}" - when: - - ubtu20cis_rule_1_1_3 or - ubtu20cis_rule_1_1_4 or - ubtu20cis_rule_1_1_5 - # - ubtu20cis_vartmp['enabled'] - tags: - - level1-server - - level1-workstation - - patch - - rule_1.1.3 - - rule_1.1.4 - - rule_1.1.5 - - tmp - -- name: "1.1.6 | PATCH | Ensure /dev/shm is configured" - mount: - name: /dev/shm - src: /dev/shm - state: mounted - fstype: tmpfs - opts: "{{ ubtu20cis_dev_shm_fstab_options }}" - when: - - ubtu20cis_rule_1_1_6 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.1.6 - - dev_shm - -- name: | - "1.1.7 | PATCH | Ensure nodev option set on /dev/shm partition" - "1.1.8 | PATCH | Ensure nosuid option set on /dev/shm 
partition" - "1.1.9 | PATCH | Ensure noexec option set on /dev/shm partition" - mount: - name: /dev/shm - src: /dev/shm - state: remounted - fstype: tmpfs - opts: "{{ ubtu20cis_dev_shm_fstab_options }}" - when: - - ubtu20cis_rule_1_1_7 or - ubtu20cis_rule_1_1_8 or - ubtu20cis_rule_1_1_9 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.1.7 - - rule_1.1.8 - - rule_1.1.9 - - dev_shm - -- name: "1.1.10 | AUDIT | Ensure separate partition exists for /var" - block: - - name: "1.1.10 | AUDIT | Ensure separate partition exists for /var | Gather /var partition" - shell: mount | grep "on /var " - changed_when: false - failed_when: false - args: - warn: false - register: ubtu20cis_1_1_10_var_mounted - - - name: "| 1.1.10 | AUDIT | Ensure separate partition exists for /var | Alert if /var partition does not exist" - debug: - msg: - - "ALERT!!!! There is no separate partition for /var" - - "Please create a separate partition for /var" - when: ubtu20cis_1_1_10_var_mounted.stdout == "" - when: - - ubtu20cis_rule_1_1_10 - tags: - - level2-server - - level2-workstation - - audit - - rule_1.1.10 - - var - -- name: "1.1.11 | AUDIT | Ensure separate partition exists for /var/tmp" - block: - - name: "1.1.11 | AUDIT | Ensure separate partition exists for /var/tmp | Gather /var/tmp partition" - shell: mount | grep "on /var/tmp " - changed_when: false - failed_when: false - args: - warn: false - register: ubtu20cis_1_1_11_var_tmp_mounted - - - name: "1.1.11 | AUDIT | Ensure separate partition exists for /var/tmp | Alert if /var/tmp partition does not exist" - debug: - msg: - - "ALERT!!!! 
There is no separate partition for /var/tmp" - - "Please create a separate partition for /var/tmp" - when: ubtu20cis_1_1_11_var_tmp_mounted.stdout == "" - when: - - ubtu20cis_rule_1_1_11 - tags: - - level2-server - - level2-workstation - - audit - - rule_1.1.11 - - var/tmp - -- name: | - "1.1.12 | PATCH | Ensure nodev option set on /var/tmp partition" - "1.1.13 | PATCH | Ensure nosuid option set on /var/tmp partition" - "1.1.14 | PATCH | Ensure noexec option set on /var/tmp partition" - mount: - name: /var/tmp - src: "{{ ubtu20cis_vartmp['source'] }}" - state: present - fstype: "{{ ubtu20cis_vartmp['fstype'] }}" - opts: "{{ ubtu20cis_vartmp['opts'] }}" - when: - - ubtu20cis_rule_1_1_12 or - ubtu20cis_rule_1_1_13 or - ubtu20cis_rule_1_1_14 - - ubtu20cis_vartmp['enabled'] - tags: - - level1-server - - level1-workstation - - patch - - rule_1.1.12 - - rule_1.1.13 - - rule_1.1.14 - - var/tmp - -- name: "1.1.15 | AUDIT | Ensure separate partition exists for /var/log" - block: - - name: "1.1.15 | AUDIT | Ensure separate partition exists for /var/log | Gather /var/log partition" - shell: mount | grep "on /var/log " - changed_when: false - failed_when: false - register: ubtu20cis_1_1_15_var_log_mounted - args: - warn: false - - - name: "1.1.15 | AUDIT | Ensure separate partition exists for /var/log | Alert if /var/log partition does not exist" - debug: - msg: - - "ALERT!!!! 
There is no separate partition for /var/log" - - "Please create a separate partition for /var/log" - when: ubtu20cis_1_1_15_var_log_mounted.stdout == "" - when: - - ubtu20cis_rule_1_1_15 - tags: - - level2-server - - level2-workstation - - audit - - rule_1.1.15 - - var/log - -- name: "1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit" - block: - - name: "1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit | Gather /var/log/audit" - shell: mount | grep "on /var/log/audit " - changed_when: false - failed_when: false - register: ubtu20cis_1_1_16_var_log_audit_mounted - args: - warn: false - - - name: "1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit | Alert if /var/log/audit partition does not exist" - debug: - msg: - - "ALERT!!!! There is no separate partition for /var/log/audit" - - "Please create a separate partition for /var/log/audit" - when: ubtu20cis_1_1_16_var_log_audit_mounted.stdout == "" - when: - - ubtu20cis_rule_1_1_16 - tags: - - level2-server - - level2-workstation - - audit - - var/log/audit - -- name: "1.1.17 | AUDIT | Ensure separate partition exists for /home" - block: - - name: "1.1.17 | AUDIT | Ensure separate partition exists for /home | Gather /home" - shell: mount | grep "on /home" - changed_when: false - failed_when: false - register: ubtu20cis_1_1_17_home_mounted - args: - warn: false - - - name: "1.1.17 | AUDIT | Ensure separate partition exists for /home | Alert if /home partition does not exist" - debug: - msg: - - "ALERT!!!! 
There is no separate partition for /home" - - "Please create a separate partition for /home" - when: ubtu20cis_1_1_17_home_mounted.stdout == "" - when: - - ubtu20cis_rule_1_1_17 - tags: - - level2-server - - level2-workstation - - audit - - /home - -- name: "1.1.18 | PATCH | Ensure nodev option set on /home partition" - mount: - name: "/home" - src: "{{ item.device }}" - state: mounted - fstype: "{{ item.fstype }}" - opts: "nodev" - with_items: "{{ ansible_mounts }}" - when: - - ubtu20cis_rule_1_1_18 - - item.mount == "/home" - tags: - - level1-server - - level1-workstation - - patch - - rule_1.1.18 - - /home - -- name: "1.1.19 | AUDIT | Ensure nodev option set on removable media partitions" - debug: - msg: "Warning!!!! Not relevent control" - when: - - ubtu20cis_rule_1_1_19 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_1.1.19 - - removable_media - -- name: "1.1.20 | AUDIT | Ensure nosuid option set on removable media partitions" - debug: - msg: "Warning!!!! Not relevent control" - when: - - ubtu20cis_rule_1_1_20 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_1.1.20 - - removable_media - -- name: "1.1.21 | AUDIT | Ensure noexec option set on removable media partitions" - debug: - msg: "Warning!!!! Not relevent control" - when: - - ubtu20cis_rule_1_1_21 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_1.1.21 - - removable_media - -- name: "1.1.22 | PATCH | Ensure sticky bit is set on all world-writable directories" - shell: df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! 
-perm -1000 \) 2>/dev/null | xargs -I '{}' chmod a+t '{}' - failed_when: ubtu20cis_1_1_22_status.rc>0 - register: ubtu20cis_1_1_22_status - when: - - ubtu20cis_rule_1_1_22 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.1.22 - - sticky_bit - -- name: "1.1.23 | PATCH | Disable Automounting" - service: - name: autofs - state: stopped - enabled: no - when: - - ubtu20cis_rule_1_1_23 - - ubtu20cis_autofs_service_status.stdout == "loaded" - - not ubtu20cis_allow_autofs - tags: - - level1-server - - level2-workstation - - patch - - rule_1.1.23 - - automounting - -- name: "1.1.24 | PATCH | Disable USB Storage" - block: - - name: "1.1.24 | PATCH | Disable USB Storage | Set modprobe config" - lineinfile: - path: /etc/modprobe.d/usb_storage.conf - regexp: '^install usb-storage' - line: 'install usb-storage /bin/true' - create: yes - - - name: "1.1.24 | PATCH | Disable USB Storage | Remove usb-storage module" - modprobe: - name: usb-storage - state: absent - when: ansible_connection != 'docker' - when: - - ubtu20cis_rule_1_1_24 - - not ubtu20cis_allow_usb_storage - tags: - - level1-server - - level2-workstation - - patch - - rule_1.1.24 - - usb_storage - -- name: "1.2.1 | AUDIT | Ensure package manager repositories are configured" - block: - - name: "1.2.1 | AUDIT | Ensure package manager repositories are configured | Get repositories" - command: apt-cache policy - changed_when: false - failed_when: false - register: ubtu20cis_1_2_1_apt_policy - - - name: "1.2.1 | AUDIT | Ensure package manager repositories are configured | Message out repository configs" - debug: - msg: - - "Alert!!!! 
Below are the apt package repositories" - - "Please review to make sure they conform to your sites policies" - - "{{ ubtu20cis_1_2_1_apt_policy.stdout_lines }}" - when: - - ubtu20cis_rule_1_2_1 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_1.2.1 - - apt - -- name: "1.2.2 | AUDIT | Ensure GPG keys are configured" - block: - - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Get apt gpg keys" - command: apt-key list - changed_when: false - failed_when: false - register: ubtu20cis_1_2_2_apt_gpgkeys - - - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Message out apt gpg keys" - debug: - msg: - - "Alert!!!! Below are the apt gpg kyes configured" - - "Please review to make sure they are configured" - - "in accordance with site policy" - - "{{ ubtu20cis_1_2_2_apt_gpgkeys.stdout_lines }}" - when: - - ubtu20cis_rule_1_2_2 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_1.2.2 - - gpg - - keys - -- name: "1.3.1 | PATCH | Ensure sudo is installed" - apt: - name: "{{ ubtu20cis_sudo_package }}" - state: present - when: - - ubtu20cis_rule_1_3_1 - tags: - - level1-server - - level1-workstation - - scored - - patch - - rule_1.3.1 - - sudo - -- name: "1.3.2 | PATCH | Ensure sudo commands use pty" - lineinfile: - path: /etc/sudoers - regexp: '^Defaults use_' - line: 'Defaults use_pty' - insertafter: '^Defaults' - when: - - ubtu20cis_rule_1_3_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.3.2 - - sudo - -- name: "1.3.3 | PATCH | Ensure sudo log file exists" - lineinfile: - path: /etc/sudoers - regexp: '^Defaults logfile' - line: 'Defaults logfile="{{ ubtu20cis_sudo_logfile }}"' - insertafter: '^Defaults' - when: - - ubtu20cis_rule_1_3_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.3.3 - - sudo - -- name: "1.4.1 | PATCH | Ensure AIDE is installed" - apt: - name: ['aide', 'aide-common'] - state: present - when: - - ubtu20cis_rule_1_4_1 - tags: - - 
level1-server - - level1-workstation - - patch - - rule_1.4.1 - - aide - -- name: "1.4.2 | PATCH | Ensure filesystem integrity is regularly checked" - cron: - name: Run AIDE integrity check - cron_file: "{{ ubtu20cis_aide_cron['cron_file'] }}" - user: "{{ ubtu20cis_aide_cron['cron_user'] }}" - minute: "{{ ubtu20cis_aide_cron['aide_minute'] | default('0') }}" - hour: "{{ ubtu20cis_aide_cron['aide_hour'] | default('5') }}" - day: "{{ ubtu20cis_aide_cron['aide_day'] | default('*') }}" - month: "{{ ubtu20cis_aide_cron['aide_month'] | default('*') }}" - weekday: "{{ ubtu20cis_aide_cron['aide_weekday'] | default('*') }}" - job: "{{ ubtu20cis_aide_cron['aide_job'] }}" - when: - - ubtu20cis_rule_1_4_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.4.2 - - cron - -# --------------- -# --------------- -# The RHEL7 based control uses a custom module, grub_crypt -# I need to research best way to set grub pw for Ubuntu using the -# grub-mkpasswd-pbkdf2 command and passing the data at the same time. 
-# --------------- -# --------------- -- name: "1.5.1 | PATCH | Ensure bootloader password is set" - command: /bin/true - changed_when: false - failed_when: false - when: - - ubtu20cis_rule_1_5_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.5.1 - - grub - - notimplemented - -- name: "1.5.2 | PATCH | Ensure permissions on bootloader config are configured" - block: - - name: "1.5.2 | AUDIT | Ensure permissions on bootloader config are configured | Check for Grub file" - stat: - path: /boot/grub/grub.cfg - register: ubtu20cis_1_5_2_grub_cfg_status - - - name: "1.5.2 | PATCH | Ensure permissions on bootloader config are configured | Set permissions" - file: - path: /boot/grub/grub.cfg - owner: root - group: root - mode: 0600 - when: - - ubtu20cis_1_5_2_grub_cfg_status.stat.exists - when: - - ubtu20cis_rule_1_5_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.5.2 - - grub - -- name: "1.5.3 | PATCH | Ensure authentication required for single user mode" - user: - name: root - password: "{{ ubtu20cis_root_pw }}" - when: - - ubtu20cis_rule_1_5_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.5.3 - - passwd - -- name: "1.6.1 | AUDIT | Ensure XD/NX support is enabled" - block: - - name: "1.6.1 | AUDIT | Ensure XD/NX support is enabled | Find status of XD/NX" - shell: "journalctl | grep 'protection: active'" - changed_when: false - failed_when: false - register: ubtu20cis_1_6_1_xdnx_status - - - name: "1.6.1 | AUDIT | Ensure XD/NX support is enabled | Alert if XD/NX is not enabled" - debug: - msg: - - "ALERT!!!!You do not have XD/NX (Execute Disable/No Execute) enabled" - - "To conform to CIS standards this needs to be enabled" - when: "'active'not in ubtu20cis_1_6_1_xdnx_status.stdout" - when: - - ubtu20cis_rule_1_6_1 - tags: - - level1-server - - level1-workstation - - audit - - rule_1.6.1 - - xd/nx - -- name: "1.6.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - block: - - name: 
"1.6.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set ASLR settings" - lineinfile: - path: /etc/sysctl.conf - regexp: '^kernel.randomize_va_space' - line: 'kernel.randomize_va_space = 2' - - - name: "1.6.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter" - sysctl: - name: kernel.randomize_va_space - value: '2' - when: - - ubtu20cis_rule_1_6_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.6.2 - - aslr - -- name: "1.6.3 | PATCH | Ensure prelink is disabled" - block: - - name: "1.6.3 | PATCH | Ensure prelink is disabled | Restore binaries to normal" - command: prelink -ua - changed_when: false - failed_when: false - - - name: "1.6.3 | PATCH | Ensure prelink is disabled | Remove prelink package" - apt: - name: prelink - state: absent - when: - - ubtu20cis_rule_1_6_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.6.3 - - prelink - -- name: "1.6.4 | PATCH | Ensure core dumps are restricted" - sysctl: - name: fs.suid_dumpable - value: '0' - state: present - reload: yes - sysctl_set: yes - ignoreerrors: yes - when: - - ubtu20cis_rule_1_6_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.6.4 - - coredump - -- name: "1.7.1.1 | PATCH | Ensure AppArmor is installed" - apt: - name: ['apparmor', 'apparmor-utils'] - state: present - when: - - ubtu20cis_rule_1_7_1_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.7.1.1 - - apparmor - -- name: "1.7.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration" - block: - - name: "1.7.1.2 | AUDIT | Ensure AppArmor is enabled in the bootloader configuration | Get current settings" - shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' - changed_when: false - failed_when: false - register: ubtu20cis_1_7_1_2_cmdline_settings - - - name: "1.7.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if 
none exist" - lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX' - line: 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ ubtu20cis_1_7_1_2_cmdline_settings.stdout }}"' - insertafter: '^GRUB_' - when: - - "'apparmor' not in ubtu20cis_1_7_1_2_cmdline_settings.stdout" - - "'security' not in ubtu20cis_1_7_1_2_cmdline_settings.stdout" - notify: grub update - - - name: "1.7.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist | Replace apparmor settings when exists" - replace: - path: /etc/default/grub - regexp: "{{ item.regexp }}" - replace: "{{ item.replace }}" - with_items: - - { regexp: 'apparmor=\S+', replace: 'apparmor=1' } - - { regexp: 'security=\S+', replace: 'security=apparmor' } - when: - - "'apparmor' in ubtu20cis_1_7_1_2_cmdline_settings.stdout" - - "'security' in ubtu20cis_1_7_1_2_cmdline_settings.stdout" - notify: grub update - when: - - ubtu20cis_rule_1_7_1_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.7.1.2 - - apparmor - -- name: "1.7.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode" - command: aa-enforce /etc/apparmor.d/* - failed_when: false - when: - - ubtu20cis_rule_1_7_1_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.7.1.3 - - apparmor - -- name: "1.7.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing" - command: aa-enforce /etc/apparmor.d/* - failed_when: false - when: - - ubtu20cis_rule_1_7_1_4 - tags: - - level2-server - - level2-workstation - - scored - - patch - - rule_1.7.1.4 - - apparmor - - -- name: "1.8.1.1 | PATCH | Ensure message of the day is configured properly" - template: - src: etc/motd.j2 - dest: /etc/motd - when: - - ubtu20cis_rule_1_8_1_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.8.1.1 - - motd - -- name: "1.8.1.2 | PATCH | Ensure local login warning banner is configured properly" - template: - src: etc/issue.j2 - dest: /etc/issue - when: - 
- ubtu20cis_rule_1_8_1_2 - tags: - - level1-server - - level1-workstation - - patch - - banner - -- name: "1.8.1.3 | PATCH | Ensure remote login warning banner is configured properly" - template: - src: etc/issue.net.j2 - dest: /etc/issue.net - when: - - ubtu20cis_rule_1_8_1_3 - tags: - - level1-server - - level1-workstation - - patch - - banner - -- name: "1.8.1.4 | PATCH | Ensure permissions on /etc/motd are configured" - file: - path: /etc/motd - owner: root - group: root - mode: 0644 - when: - - ubtu20cis_rule_1_8_1_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.8.1.4 - - permissions - - motd - -- name: "1.8.1.5 | PATCH | Ensure permissions on /etc/issue are configured" - file: - path: /etc/issue - owner: root - group: root - mode: 0644 - when: - - ubtu20cis_rule_1_8_1_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.8.1.5 - - permissions - - banner - -- name: "1.8.1.6 | PATCH | Ensure permissions on /etc/issue.net are configured" - file: - path: /etc/issue.net - owner: root - group: root - mode: 0644 - when: - - ubtu20cis_rule_1_8_1_6 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.8.1.6 - - permissions - - banner - -- name: "1.9 | PATCH | Ensure updates, patches, and additional security software are installed" - apt: - name: "*" - state: latest - when: - - ubtu20cis_rule_1_9 - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_1.9 - - patching - -- name: "1.10 | PATCH | Ensure GDM is removed or login is configured" - block: - - name: "1.10 | PATCH | Ensure GDM is removed or login is configured" - lineinfile: - path: /etc/gdm3/greeter.dconf-defaults - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - create: yes - owner: root - group: root - mode: 0644 - with_items: - - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF } - - { regexp: 'banner-message-enable', line: 
'banner-message-enable=true', insertafter: '\[org\/gnome\/login-screen\]'} - - { regexp: 'banner-message-text', line: 'banner-message-text={{ ubtu20cis_warning_banner }}', insertafter: 'banner-message-enable' } - - when: - - ubtu20cis_rule_1_10 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.10 - - gdm diff --git a/tasks/section4.yml b/tasks/section4.yml deleted file mode 100644 index 4184b32a..00000000 --- a/tasks/section4.yml +++ /dev/null 
@@ -1,656 +0,0 @@ ---- -- name: "4.1.1.1 | PATCH | Ensure auditd is installed" - apt: - name: ['auditd', 'audispd-plugins'] - state: present - when: - - ubtu20cis_rule_4_1_1_1 - tags: - - level2-server - - level2-workstation - - patch - - rule_4.1.1.1 - - auditd - -- name: "4.1.1.2 | PATCH | Ensure auditd service is enabled" - service: - name: auditd - state: started - enabled: yes - when: - - ubtu20cis_rule_4_1_1_2 - tags: - - level2-server - - level2-workstation - - patch - - rule_4.1.1.2 - - auditd - -- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" - block: - - name: "4.1.1.3 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" - shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' - changed_when: false - failed_when: false - register: ubtu20cis_4_1_1_3_cmdline_settings - - - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add setting if doesn't exist" - lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ ubtu20cis_4_1_1_3_cmdline_settings.stdout }} audit=1"' - when: "'audit=' not in ubtu20cis_4_1_1_3_cmdline_settings.stdout" - notify: grub update - - - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Update setting if exists" - replace: - dest: /etc/default/grub - regexp: 'audit=([0-9]+)' - replace: 'audot=1' - after: '^GRUB_CMDLINE_LINUX="' - before: '"' - notify: grub update - when: "'audit=' in ubtu20cis_4_1_1_3_cmdline_settings.stdout" - when: - - ubtu20cis_rule_4_1_1_3 - tags: - - level2-server - - level2-workstation - - patch - - rule_4_1_1_3 - - auditd - -- name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient" - block: - - name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Get current GRUB_CMDLINE_LINUX" - shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 
-d'"' - changed_when: false - failed_when: false - register: ubtu20cis_4_1_1_4_cmdline_settings - - - name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add setting if doesn't exist" - lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ ubtu20cis_4_1_1_4_cmdline_settings.stdout }} audit_backlog_limit={{ ubtu20cis_audit_back_log_limit }}"' - notify: grub update - when: "'audit_backlog_limit=' not in ubtu20cis_4_1_1_4_cmdline_settings.stdout" - - - name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Update setting if exists" - replace: - dest: /etc/default/grub - regexp: 'audit_backlog_limit=([0-9]+)' - replace: 'audit_backlog_limit={{ ubtu20cis_audit_back_log_limit }}' - after: '^GRUB_CMDLINE_LINUX="' - before: '"' - notify: grub update - when: - - ubtu20cis_rule_4_1_1_4 - tags: - - level2-server - - level2-workstation - - patch - - rule_4.1.1.4 - - auditd - -- name: "4.1.2.1 | PATCH | Ensure audit log storage size is configured" - lineinfile: - dest: /etc/audit/auditd.conf - regexp: "^max_log_file( |=)" - line: "max_log_file = {{ ubtu20cis_max_log_file_size }}" - state: present - notify: restart auditd - when: - - ubtu20cis_rule_4_1_2_1 - tags: - - level2-server - - level2-workstation - - patch - - rule_4.1.2.1 - - auditd - -- name: "4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted" - lineinfile: - path: /etc/audit/auditd.conf - regexp: '^max_log_file_action' - line: "max_log_file_action = {{ ubtu20cis_auditd['max_log_file_action'] }}" - notify: restart auditd - when: - - ubtu20cis_rule_4_1_2_2 - tags: - - level2-server - - level2-workstation - - patch - - rule_4.1.2.2 - - auditd - -- name: "4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full" - lineinfile: - path: /etc/audit/auditd.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^space_left_action', line: 'space_left_action = email' } - - { regexp: 
'^action_mail_acct', line: 'action_mail_acct = root' } - - { regexp: '^admin_space_left_action = halt', line: 'admin_space_left_action = halt' } - notify: restart auditd - when: - - ubtu20cis_rule_4_1_2_3 - tags: - - level2-server - - level2-workstation - - patch - - rule_4.1.2.3 - - auditd - -- name: "4.1.3 | PATCH | Ensure events that modify date and time information are collected" - template: - src: audit/ubtu20cis_4_1_3_timechange.rules.j2 - dest: /etc/audit/rules.d/time-change.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_3 - tags: - - level2-server - - level2-workstation - - patch - - rule_4.1.3 - - auditd - -- name: "4.1.4 | PATCH | Ensure events that modify user/group information are collected" - template: - src: audit/ubtu20cis_4_1_4_identity.rules.j2 - dest: /etc/audit/rules.d/identity.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_4 - tags: - - level2-server - - level2-workstation - - patch - - rule_4.1.4 - - auditd - -- name: "4.1.5 | PATCH | Ensure events that modify the system's network environment are collected" - template: - src: audit/ubtu20cis_4_1_5_systemlocale.rules.j2 - dest: /etc/audit/rules.d/system-locale.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_5 - tags: - - level2-server - - level2-workstation - - patch - - rule_4.1.5 - - auditd - -- name: "4.1.6 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" - template: - src: audit/ubtu20cis_4_1_6_macpolicy.rules.j2 - dest: /etc/audit/rules.d/MAC-policy.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_6 - tags: - - level2-server - - level2-workstation - - patch - - rule_4.1.6 - - auditd - -- name: "4.1.7 | PATCH | Ensure login and logout events are collected" - template: - src: audit/ubtu20cis_4_1_7_logins.rules.j2 - dest: 
/etc/audit/rules.d/logins.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_7 - tags: - - level2-server - - level2-workstation - - patch - - rule_4.1.7 - - auditd - -- name: "4.1.8 | PATCH | Ensure session initiation information is collected" - template: - src: audit/ubtu20cis_4_1_8_session.rules.j2 - dest: /etc/audit/rules.d/session.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_8 - tags: - - level2-server - - level2-workstation - - patch - - rule_4.1.8 - - auditd - -- name: "4.1.9 | PATCH | Ensure discretionary access control permission modification events are collected" - template: - src: audit/ubtu20cis_4_1_9_permmod.rules.j2 - dest: /etc/audit/rules.d/perm_mod.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_9 - tags: - - level2-server - - level2-workstation - - patch - - rule_4.1.9 - - auditd - -- name: "4.1.10 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" - template: - src: audit/ubtu20cis_4_1_10_access.rules.j2 - dest: /etc/audit/rules.d/access.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_10 - tags: - - level2-server - - level2-workstation - - patch - - rule_4.1.10 - - auditd - -- name: "4.1.11 | PATCH | Ensure use of privileged commands is collected" - block: - - name: "4.1.11 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs" - shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done - register: priv_procs - changed_when: no - check_mode: no - - - name: "4.1.11 | PATCH | Ensure use of privileged commands is collected | Set privileged rules" - template: - src: audit/ubtu20cis_4_1_11_privileged.rules.j2 - dest: /etc/audit/rules.d/privileged.rules - owner: root - group: root - mode: 0600 - 
notify: restart auditd - when: - - ubtu20cis_rule_4_1_11 - tags: - - level2-server - - level2-workstation - - patch - - rule_4.1.11 - - auditd - -- name: "4.1.12 | PATCH | Ensure successful file system mounts are collected" - template: - src: audit/ubtu20cis_4_1_12_audit.rules.j2 - dest: /etc/audit/rules.d/audit.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - ubtu20cis_rule_4_1_12 - tags: - - level2-server - - level2-workstation - - patch - - rule_4.1.12 - - auditd - -- name: "4.1.13 | PATCH | Ensure file deletion events by users are collected" - template: - src: audit/ubtu20cis_4_1_13_delete.rules.j2 - dest: /etc/audit/rules.d/delete.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_13 - tags: - - level2-server - - level2-workstation - - patch - - rule_4.1.13 - - auditd - -- name: "4.1.14 | PATCH | Ensure changes to system administration scope (sudoers) is collected" - template: - src: audit/ubtu20cis_4_1_14_scope.rules.j2 - dest: /etc/audit/rules.d/scope.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_13 - tags: - - level2-server - - level2-workstation - - patch - - rule_4.1.14 - - auditd - -- name: "4.1.15 | PATCH | Ensure system administrator actions (sudolog) are collected" - template: - src: audit/ubtu20cis_4_1_15_actions.rules.j2 - dest: /etc/audit/rules.d/actions.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_15 - tags: - - level2-server - - level2-workstation - - patch - - rule_4.1.15 - - auditd - -- name: "4.1.16 | PATCH | Ensure kernel module loading and unloading is collected" - template: - src: audit/ubtu20cis_4_1_16_modules.rules.j2 - dest: /etc/audit/rules.d/modules.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_16 - tags: - - level2-server - - level2-workstation - - patch - - rule_4.1.16 - - auditd - 
-- name: "4.1.17 | PATCH | Ensure the audit configuration is immutable" - template: - src: audit/ubtu20cis_4_1_17_99finalize.rules.j2 - dest: /etc/audit/rules.d/99-finalize.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_17 - tags: - - level2-server - - level2-workstation - - scored - - patch - - rule_4.1.17 - - auditd - -- name: "4.2.1.1 | PATCH | Ensure rsyslog is installed" - apt: - name: rsyslog - state: present - when: - - ubtu20cis_rule_4_2_1_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_4.2.1.1 - - rsyslog - - apt - -- name: "4.2.1.2 | PATCH | Ensure rsyslog Service is enabled" - service: - name: rsyslog - enabled: yes - when: - - ubtu20cis_rule_4_2_1_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_4.2.1.2 - - rsyslog - -- name: "4.2.1.3 | PATCH | Ensure logging is configured" - block: - - name: "4.2.1.3 | AUDIT | Ensure logging is configured | Find configuration file" - shell: grep -r "*.emerg" /etc/* | cut -f1 -d":" - changed_when: false - failed_when: false - register: ubtu20cis_4_2_1_3_rsyslog_config_path - - - name: "4.2.1.3 | AUDIT | Ensure logging is configured | Gather rsyslog current config" - command: "cat {{ ubtu20cis_4_2_1_3_rsyslog_config_path.stdout }}" - changed_when: false - failed_when: false - register: ubtu20cis_4_2_1_3_rsyslog_config - - - name: "4.2.1.3 | AUDIT | Ensure logging is configured | Message out config" - debug: - msg: - - "Alert!!!Below is the current logging configurations for rsyslog, please review" - - "{{ ubtu20cis_4_2_1_3_rsyslog_config.stdout_lines }}" - when: not ubtu20cis_rsyslog_ansible_managed - - - name: "4.2.1.3 | PATCH | Ensure logging is configured | Automated rsyslog configuration" - lineinfile: - path: "{{ ubtu20cis_4_2_1_3_rsyslog_config_path.stdout }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - with_items: - - { regexp: '^\*.emerg', line: '*.emerg 
:omusrmsg:*', insertafter: '^# Emergencies are sent to everybody logged in' } - - { regexp: '^auth,authpriv.\*', line: 'auth,authpriv.* /var/log/auth.log', insertafter: '^# First some standard log files. Log by facility' } - - { regexp: '^mail.\*|^#mail.\*', line: 'mail.* -/var/log/mail', insertafter: '^# First some standard log files' } - - { regexp: '^mail.info|^#mail.info', line: 'mail.info -/var/log/mail.info', insertafter: '^# Logging for the mail system' } - - { regexp: '^mail.warn|^#mail.warn', line: 'mail.warn -/var/log/mail.warn', insertafter: '^# Logging for the mail system.' } - - { regexp: '^mail.err|^#mail.err', line: 'mail.err /var/log/mail.err', insertafter: '^# Logging for the mail system.' } - - { regexp: '^news.crit|^#news.crit', line: 'news.crit -/var/log/news/news.crit', insertafter: '^# First some standard log files'} - - { regexp: '^news.err|^#news.err', line: 'news.err -/var/log/news/news.err', insertafter: '^# First some standard log files' } - - { regexp: '^news.notice|^#news.notice', line: 'news.notice -/var/log/news/news.notice', insertafter: '^# First some standard log files' } - - { regexp: '^\*.=warning;\*.=err|^#\*.=warning;\*.=err', line: '*.=warning;*.=err -/var/log/warn', insertafter: '^# First some standard log files' } - - { regexp: '^\*.crit|^#\*.crit', line: '*.crit /var/log/warn', insertafter: '^# First some standard log files' } - - { regexp: '^\*.\*;mail.none;news.none|^#\*.\*;mail.none;news.none', line: '*.*;mail.none;news.none -/var/log/messages', insertafter: '^# First some standard log files' } - - { regexp: '^local0,local1.\*|^#local0,local1.\*', line: 'local0,local1.* -/var/log/localmessages', insertafter: '^# First some standard log files' } - - { regexp: '^local2,local3.\*|^#local2,local3.\*', line: 'local2,local3.* -/var/log/localmessages', insertafter: '^# First some standard log files' } - - { regexp: '^local4,local5.\*|^#local4,local5.\*', line: 'local4,local5.* -/var/log/localmessages', insertafter: '^# First 
some standard log files' } - - { regexp: '^local6,local7.\*|^#local6,local7.\*', line: 'local6,local7.* -/var/log/localmessages', insertafter: '^# First some standard log files' } - notify: restart rsyslog - when: ubtu20cis_rsyslog_ansible_managed - when: - - ubtu20cis_rule_4_2_1_3 - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_4.2.1.3 - - rsyslog - -- name: "4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured" - lineinfile: - path: /etc/rsyslog.conf - regexp: '^\$FileCreateMode|^#\$FileCreateMode' - line: '$FileCreateMode 0640' - notify: restart rsyslog - when: - - ubtu20cis_rule_4_2_1_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_4.2.1.4 - - rsyslog - -- name: "4.2.1.5 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" - blockinfile: - path: /etc/rsyslog.conf - block: | - ##Enable sending of logs over TCP add the following line: - *.* @@{{ ubtu20cis_remote_log_server }} - insertafter: EOF - when: - - ubtu20cis_rule_4_2_1_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_4.2.1.5 - - rsyslog - -- name: "4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts" - block: - - name: "4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts | When not a log host" - replace: - path: /etc/rsyslog.conf - regexp: '({{ item }})' - replace: '#\1' - with_items: - - '^(\$ModLoad)' - - '^(\$InputTCPServerRun)' - notify: restart rsyslog - when: not ubtu20cis_system_is_log_server - - - name: "4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts | When a log server" - lineinfile: - path: /etc/rsyslog.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^\$ModLoad|^#\$ModLoad', line: '$ModLoad imtc' } - - { regexp: '^\$InputTCPServerRun|^#\$InputTCPServerRun', line: '$InputTCPServerRun 514' } - notify: restart rsyslog - when: 
ubtu20cis_system_is_log_server - when: - - ubtu20cis_rule_4_2_1_6 - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_4.2.1.6 - - rsyslog - -- name: "4.2.2.1 | PATCH | Ensure journald is configured to send logs to rsyslog" - lineinfile: - path: /etc/systemd/journald.conf - regexp: '^ForwardToSyslog|^#ForwardToSyslog' - line: 'ForwardToSyslog=yes' - insertafter: '\[Journal\]' - when: - - ubtu20cis_rule_4_2_2_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_4.2.2.1 - - rsyslog - - journald - -- name: "4.2.2.2 | PATCH | Ensure journald is configured to compress large log files" - lineinfile: - path: /etc/systemd/journald.conf - regexp: '^Compress|^#Compress' - line: 'Compress=yes' - insertafter: '\[Journal\]' - when: - - ubtu20cis_rule_4_2_2_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_4.2.2.2 - - rsyslog - - journald - -- name: "4.2.2.3 | PATCH | Ensure journald is configured to write logfiles to persistent disk" - lineinfile: - path: /etc/systemd/journald.conf - regexp: '^Storage|^#Storage' - line: 'Storage=persistent' - insertafter: '\[Journal\]' - when: - - ubtu20cis_rule_4_2_2_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_4.2.2.3 - - rsyslog - - journald - -- name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured" - command: find /var/log -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-w,o-rwx "{}" + - changed_when: ubtu20cis_4_2_3_logfile_perms_status.rc == 0 - register: ubtu20cis_4_2_3_logfile_perms_status - when: - - ubtu20cis_rule_4_2_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_4.2.3 - - logfiles - - permissions - -- name: "4.3 | PATCH | Ensure logrotate is configured" - block: - - name: "4.3 | PATCH | Ensure logrotate is configured | Get logrotate files" - find: - paths: /etc/logrotate.d/ - register: ubtu20cis_4_3_logrotate_files - - - name: "4.3 | PATCH | Ensure logrotate is configured | Set rotation 
configurations" - replace: - path: "{{ item.path }}" - regexp: '^(\s*)(daily|weekly|monthly|yearly)$' - replace: "\\1{{ ubtu20cis_logrotate }}" - with_items: - - "{{ ubtu20cis_4_3_logrotate_files.files }}" - - { path: "/etc/logrotate.conf" } - when: - - ubtu20cis_rule_4_3 - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_4.3 - - logrotate - -- name: "4.4 | PATCH | Ensure logrotate assigns appropriate permissions" - lineinfile: - path: /etc/logrotate.conf - regexp: '^create' - line: ' create {{ ubtu20cis_logrotate_create_settings }}' - when: - - ubtu20cis_rule_4_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_4.3 - - logrotate diff --git a/tasks/section5.yml b/tasks/section5.yml deleted file mode 100644 index 4900c7ac..00000000 --- a/tasks/section5.yml +++ /dev/null 
@@ -1,1039 +0,0 @@ ---- -- name: "5.1.1 | PATCH | Ensure cron daemon is enabled and running" - service: - name: cron - state: started - enabled: yes - when: - - ubtu20cis_rule_5_1_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.1.1 - - cron - -- name: "5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" - file: - path: /etc/crontab - owner: root - group: root - mode: 0600 - when: - - ubtu20cis_rule_5_1_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.1.2 - - cron - -- name: "5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" - file: - path: /etc/cron.hourly - owner: root - group: root - mode: 0700 - when: - - ubtu20cis_rule_5_1_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.1.3 - - cron - -- name: "5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" - file: - path: /etc/cron.daily - owner: root - group: root - mode: 0700 - when: - - ubtu20cis_rule_5_1_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.1.4 - - cron - -- name: "5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" - file: - path: /etc/cron.weekly - owner: root - group: root - mode: 0700 - when: - - ubtu20cis_rule_5_1_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.1.5 - - cron - -- name: "5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" - file: - path: /etc/cron.monthly - owner: root - group: root - mode: 0700 - when: - - ubtu20cis_rule_5_1_6 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.1.6 - - cron - -- name: "5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" - file: - path: /etc/cron.d - owner: root - group: root - mode: 0700 - when: - - ubtu20cis_rule_5_1_7 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.1.7 - - cron - -- name: "5.1.8 | PATCH | Ensure at/cron is restricted to authorized users" - block: - - name: "5.1.8 | PATCH | 
Ensure at/cron is restricted to authorized users | Remove cron.deny" - file: - path: /etc/cron.deny - state: absent - - - name: "5.1.8 | PATCH | Ensure at/cron is restricted to authorized users | Create cron.allow" - file: - path: /etc/cron.allow - owner: root - group: root - mode: 0640 - state: touch - when: - - ubtu20cis_rule_5_1_8 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.1.8 - - cron - -- name: "5.1.9 | PATCH | Ensure at is restricted to authorized users" - block: - - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny" - file: - path: /etc/at.deny - state: absent - - - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Create at.allow" - file: - path: /etc/at.allow - owner: root - group: root - mode: 0640 - state: touch - when: - - ubtu20cis_rule_5_1_9 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.1.9 - - cron - -- name: "5.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" - file: - path: /etc/ssh/sshd_config - owner: root - group: root - mode: 0600 - when: - - ubtu20cis_rule_5_2_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.1 - - ssh - -- name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured" - block: - - name: "5.2.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find ssh_host private keys" - find: - paths: /etc/ssh - patterns: 'ssh_host_*_key' - register: ubtu20cis_5_2_2_ssh_host_priv_keys - - - name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions" - file: - path: "{{ item.path }}" - owner: root - group: root - mode: 0600 - with_items: - - "{{ ubtu20cis_5_2_2_ssh_host_priv_keys.files }}" - when: - - ubtu20cis_rule_5_2_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.2 - - ssh - -- name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured" - 
block: - - name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured | Find ssh_host public keys" - find: - paths: /etc/ssh - patterns: 'ssh_host_*_key.pub' - register: ubtu20cis_5_2_3_ssh_host_pub_keys - - - name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions" - file: - path: "{{ item.path }}" - owner: root - group: root - mode: 0644 - with_items: - - "{{ ubtu20cis_5_2_3_ssh_host_pub_keys.files }}" - when: - - ubtu20cis_rule_5_2_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.3 - - ssh - -- name: "5.2.4 | PATCH | Ensure SSH LogLevel is appropriate" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^LogLevel|^#LogLevel' - line: 'LogLevel {{ ubtu20cis_sshd.log_level }}' - insertafter: '^# Logging' - notify: restart sshd - when: - - ubtu20cis_rule_5_2_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.4 - - ssh - -- name: "5.2.5 | PATCH | Ensure SSH X11 forwarding is disabled" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^X11Forwarding|^#X11Forwarding' - line: 'X11Forwarding no' - notify: restart sshd - when: - - ubtu20cis_rule_5_2_5 - tags: - - level2-server - - level1-workstation - - patch - - rule_5.2.5 - - ssh - -- name: "5.2.6 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^MaxAuthTries|^#MaxAuthTries' - line: 'MaxAuthTries {{ ubtu20cis_sshd.max_auth_tries }}' - insertafter: '^# Authentication' - notify: restart sshd - when: - - ubtu20cis_rule_5_2_6 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.6 - - ssh - -- name: "5.2.7 | PATCH | Ensure SSH IgnoreRhosts is enabled" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^IgnoreRhosts|^#IgnoreRhosts' - line: 'IgnoreRhosts yes' - notify: restart sshd - when: - - ubtu20cis_rule_5_2_7 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.7 - - ssh - -- name: "5.2.8 | PATCH 
| Ensure SSH HostbasedAuthentication is disabled" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^HostbasedAuthentication|^#HostbasedAuthentication' - line: 'HostbasedAuthentication no' - notify: restart sshd - when: - - ubtu20cis_rule_5_2_8 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.8 - - ssh - -- name: "5.2.9 | PATCH | Ensure SSH root login is disabled" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^PermitRootLogin|^#PermitRootLogin' - line: 'PermitRootLogin no' - notify: restart sshd - when: - - ubtu20cis_rule_5_2_9 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.9 - - ssh - -- name: "5.2.10 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^PermitEmptyPasswords|^#PermitEmptyPasswords' - line: 'PermitEmptyPasswords no' - insertafter: '# To disable tunneled clear text passwords' - notify: restart sshd - when: - - ubtu20cis_rule_5_2_10 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.10 - - ssh - -- name: "5.2.11 | PATCH | Ensure SSH PermitUserEnvironment is disabled" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^PermitUserEnvironment|^#PermitUserEnvironment' - line: 'PermitUserEnvironment no' - notify: restart sshd - when: - - ubtu20cis_rule_5_2_11 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.11 - - ssh - -- name: "5.2.12 | PATCH | Ensure only strong Ciphers are used" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^Ciphers|^#Ciphers' - line: 'Ciphers {{ ubtu20cis_sshd.ciphers }}' - insertafter: '^# Ciphers and keying' - notify: restart sshd - when: - - ubtu20cis_rule_5_2_12 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.12 - - ssh - -- name: "5.2.13 | PATCH | Ensure only strong MAC algorithms are used" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^MACs|^#MACs' - line: 'MACs {{ ubtu20cis_sshd.macs }}' - insertafter: '^# Ciphers and keying' - 
notify: restart sshd - when: - - ubtu20cis_rule_5_2_13 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.13 - - ssh - -- name: "5.2.14 | PATCH | Ensure only strong Key Exchange algorithms are used" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^KexAlgorithms|^#KexAlgorithms' - line: 'KexAlgorithms {{ ubtu20cis_sshd.kex_algorithms }}' - insertafter: '^# Ciphers and keying' - notify: restart sshd - when: - - ubtu20cis_rule_5_2_14 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.14 - - ssh - -- name: "5.2.15 | PATCH | Ensure SSH Idle Timeout Interval is configured" - lineinfile: - path: /etc/ssh/sshd_config - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^ClientAliveInterval|^#ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu20cis_sshd.client_alive_interval }}' } - - { regexp: '^ClientAliveCountMax|^#ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu20cis_sshd.client_alive_count_max }}' } - notify: restart sshd - when: - - ubtu20cis_rule_5_2_15 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.15 - - sshd - -- name: "5.2.16 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^LoginGraceTime|^#LoginGraceTime' - line: 'LoginGraceTime {{ ubtu20cis_sshd.login_grace_time }}' - insertafter: '^# Authentication' - notify: restart sshd - when: - - ubtu20cis_rule_5_2_16 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.16 - - ssh - -- name: "5.2.17 | PATCH | Ensure SSH access is limited" - block: - - name: "5.2.17 | PATCH | Ensure SSH access is limited | Add allowed users" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^AllowUsers|^#AllowUsers' - line: 'AllowUsers {{ ubtu20cis_sshd.allow_users }}' - notify: restart sshd - when: "ubtu20cis_sshd['allow_users']|default('') != ''" - - - name: "5.2.17 | PATCH | Ensure SSH access is limited | Add allowed groups" - 
lineinfile: - path: /etc/ssh/sshd_config - regexp: '^AllowGroups|^#AllowGroups' - line: 'AllowGroups {{ ubtu20cis_sshd.allow_groups }}' - notify: restart sshd - when: "ubtu20cis_sshd['allow_groups']|default('') != ''" - - - name: "5.2.17 | PATCH | Ensure SSH access is limited | Add deny users" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^DenyUsers|^#DenyUsers' - line: 'DenyUsers {{ ubtu20cis_sshd.deny_users }}' - notify: restart sshd - when: "ubtu20cis_sshd['deny_users']|default('') != ''" - - - name: "5.2.17 | PATCH | Ensure SSH access is limited | Add deny groups" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^DenyGroups|^#DenyGroups' - line: 'DenyGroups {{ ubtu20cis_sshd.deny_groups }}' - notify: restart sshd - when: "ubtu20cis_sshd['deny_groups']|default('') != ''" - when: - - ubtu20cis_rule_5_2_17 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.18 - - ssh - -- name: "5.2.18 | PATCH | Ensure SSH warning banner is configured" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^Banner|^#Banner' - line: Banner /etc/issue.net - insertafter: '^# no default banner path' - notify: restart sshd - when: - - ubtu20cis_rule_5_2_18 - tags: - - level1-server - - level1-workstation - - scored - - patch - - rule_5.2.18 - - ssh - -- name: "5.2.19 | PATCH | Ensure SSH PAM is enabled" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^UsePAM|^#UsePAM' - line: 'UsePAM yes' - insertafter: '^# and ChallengeResponseAuthentication' - notify: restart sshd - when: - - ubtu20cis_rule_5_2_10 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.19 - - ssh - - pam - -- name: "5.2.20 | PATCH | Ensure SSH AllowTcpForwarding is disabled" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^AllowTcpForwarding|^#AllowTcpForwarding' - line: 'AllowTcpForwarding no' - notify: restart sshd - when: - - ubtu20cis_rule_5_2_20 - tags: - - level2-server - - level2-workstation - - patch - - rule_5.2.20 - - ssh - -- name: "5.2.21 | 
PATCH | Ensure SSH MaxStartups is configured" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^MaxStartups|^#MaxStartups' - line: 'MaxStartups 10:30:60' - notify: restart sshd - when: - - ubtu20cis_rule_5_2_21 - tags: - - level1-server - - level1-workstation - - scored - - patch - - rule_5.2.21 - - ssh - -- name: "5.2.22 | PATCH | Ensure SSH MaxSessions is set to 4 or less" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^MaxSessions|^#MaxSessions' - line: 'MaxSessions {{ ubtu20cis_sshd.max_sessions }}' - insertafter: '^# Authentication' - notify: restart sshd - when: - - ubtu20cis_rule_5_2_22 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.22 - - ssh - -- name: "5.3.1 | PATCH | Ensure password creation requirements are configured" - block: - - name: "SCORED | 5.3.1 | PATCH | Ensure password creation requirements are configured | Install pam_pwquality module" - apt: - name: libpam-pwquality - state: present - - - name: "5.3.1 | PATCH | Ensure password creation requirements are configured | Add minlen" - lineinfile: - path: /etc/security/pwquality.conf - regexp: '^minlen|^# minlen' - line: minlen = 14 - - - name: "5.3.1 | PATCH | Ensure password creation requirements are configured | Add minclass" - lineinfile: - path: /etc/security/pwquality.conf - regexp: '^minclass|^# minclass' - line: 'minclass = 4' - - - name: "5.3.1 | AUDIT | Ensure password creation requirements are configured | Confirm pwquality module in common-password" - command: grep 'password.*requisite.*pam_pwquality.so' /etc/pam.d/common-password - changed_when: false - failed_when: false - register: ubtu20cis_5_3_1_pam_pwquality_state - - - name: "5.3.1 | PATCH | Ensure password creation requirements are configured | Set retry to 3 if pwquality exists" - pamd: - name: common-password - type: password - control: requisite - module_path: pam_pwquality.so - module_arguments: 'retry=3' - state: args_present - when: ubtu20cis_5_3_1_pam_pwquality_state.stdout != "" - - - 
name: "5.3.1 | PATCH | Ensure password creation requirements are configured | Set retry to 3 if pwquality does not exist" - pamd: - name: common-password - type: password - control: required - module_path: pam_permit.so - new_type: password - new_control: requisite - new_module_path: pam_pwquality.so - module_arguments: 'retry=3' - state: after - when: ubtu20cis_5_3_1_pam_pwquality_state.stdout == "" - when: - - ubtu20cis_rule_5_3_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.3.1 - - pam - -# ------------- -# ------------- -# There is a bug in pam_tally2.so where the use of the audit keyword may log credentials in the case of user error during authentication. -# To work around this bug the CIS documentation has you setting pam_tally2 to the account section. -# Once bug is fixed please set pam_tally2 to the auth sections. We have those commented out in the task -# ------------- -# ------------- - -# ------------- -# ------------- -# figure out why pam_deny kills vagrant user. 
Below is everything working but the pam_deny.so in the last task with_items -# ------------- -# ------------- -- name: "5.3.2 | PATCH | Ensure lockout for failed password attempts is configured" - command: /bin/true - changed_when: false - failed_when: false - # block: - # - name: "5.3.2 | AUDIT | Ensure lockout for failed password attempts is configured | Confirm pam_tally2.so module in common-auth" - # # command: grep 'auth.*required.*pam_tally2.so' /etc/pam.d/common-auth - # command: grep 'auth.*required.*pam_tally2.so' /etc/pam.d/common-account - # changed_when: false - # failed_when: false - # register: ubtu20cis_5_3_2_pam_tally2_state - - # - name: "SCORED | 5.3.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_tally2.so settings if exists" - # pamd: - # # name: common-auth - # name: common-account - # # type: auth - # type: account - # control: required - # module_path: pam_tally2.so - # module_arguments: 'onerr=fail - # audit - # silent - # deny=5 - # unlock_time=900' - # when: ubtu20cis_5_3_2_pam_tally2_state.stdout != "" - - # - name: "5.3.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_tally2.so settings if does not exist" - # lineinfile: - # # path: /etc/pam.d/common-auth - # path: /etc/pam.d/common-account - # # line: 'auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900' - # line: 'account required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900' - # insertafter: '^# end of pam-auth-update config' - # when: ubtu20cis_5_3_2_pam_tally2_state == "" - - # - name: "5.3.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_deny.so and pam_tally.so" - # lineinfile: - # path: /etc/pam.d/common-account - # regexp: "{{ item.regexp }}" - # line: "{{ item.line }}" - # insertafter: '^# end of pam-auth-update config' - # with_items: - # # - { regexp: '^accout.*requisite.*pam_deny.so', line: 'account requisite pam_george.so' } - # - { regexp: 
'^account.*required.*pam_tally.so', line: 'account required pam_tally.so' } - when: - - ubtu20cis_rule_5_3_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.3.2 - - pamd - - notimplemented - -- name: "5.3.3 | PATCH | Ensure password reuse is limited" - block: - - name: "5.3.3 | PATCH | Ensure password reuse is limited | Confirm pam_pwhistory.so in common-password" - command: grep 'password.*required.*pam_pwhistory.so' /etc/pam.d/common-password - changed_when: false - failed_when: false - register: ubtu20cis_5_3_3_pam_pwhistory_state - - - name: "5.3.3 | PATCH | Ensure password reuse is limited | Set remember value if pam_pwhistory exists" - pamd: - name: common-password - type: password - control: required - module_path: pam_pwhistory.so - module_arguments: 'remember={{ ubtu20cis_pamd_pwhistory_remember }}' - state: args_present - when: ubtu20cis_5_3_3_pam_pwhistory_state.stdout != "" - - - name: "5.3.3 | PATCH | Ensure password reuse is limited | Set remember value if pam_pwhistory does no exist" - lineinfile: - path: /etc/pam.d/common-password - line: 'password required pam_pwhistory.so remember={{ ubtu20cis_pamd_pwhistory_remember }}' - insertafter: '^# end of pam-auth-update config' - when: ubtu20cis_5_3_3_pam_pwhistory_state.stdout == "" - when: - - ubtu20cis_rule_5_3_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.3.3 - - pamd - -- name: "5.3.4 | PATCH | Ensure password hashing algorithm is SHA-512" - block: - - name: "5.3.4 | PATCH | Ensure password hashing algorithm is SHA-512 | Confirm pam_unix.so" - shell: grep -E '^\s*password\s+(\S+\s+)+pam_unix\.so\s+(\S+\s+)*sha512\s*(\S+\s*)*(\s+#.*)?$' /etc/pam.d/common-password - changed_when: false - failed_when: false - register: ubtu20cis_5_3_4_pam_unix_state - - - name: "5.3.4 | PATCH | Ensure password hashing algorithm is SHA-512 | Set hashing if pam_unix.so exists" - pamd: - name: common-password - type: password - control: '[success=1 default=ignore]' - 
module_path: pam_unix.so - module_arguments: sha512 - state: args_present - when: ubtu20cis_5_3_4_pam_unix_state.stdout != "" - - - name: "5.3.4 | PATCH | Ensure password hashing algorithm is SHA-512 | Set hashing if pam_unix.so does not exist" - lineinfile: - path: /etc/pam.d/common-password - line: 'password [success=1 default=ignore] pam_unix.so sha512' - insertafter: '^# end of pam-auth-update config' - when: ubtu20cis_5_3_4_pam_unix_state.stdout == "" - when: - - ubtu20cis_rule_5_3_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.3.4 - - pamd - -- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less" - block: - - name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less | Set /etc/login.defs PASS_MAX_DAYS" - lineinfile: - path: /etc/login.defs - regexp: '^PASS_MAX_DAYS|^#PASS_MAX_DAYS' - line: 'PASS_MAX_DAYS {{ ubtu20cis_pass.max_days }}' - insertafter: '# Password aging controls' - - - name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS" - command: chage --maxdays {{ ubtu20cis_pass.max_days }} {{ item }} - failed_when: false - with_items: - - "{{ ubtu20cis_passwd| selectattr('uid', '>=', 1000) | map(attribute='id') | list }}" - when: ubtu20cis_disruption_high - when: - - ubtu20cis_rule_5_4_1_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.4.1.1 - - user - - login - -- name: "5.4.1.2 | PATCH | Ensure minimum days between password changes is configured" - block: - - name: "5.4.1.2 | PATCH | Ensure minimum days between password changes is configured | Set /etc/login.defs PASS_MIN_DAYS" - lineinfile: - path: /etc/login.defs - regexp: '^PASS_MIN_DAYS|^#PASS_MIN_DAYS' - line: 'PASS_MIN_DAYS {{ ubtu20cis_pass.min_days }}' - - - name: "5.4.1.2 | PATCH | Ensure minimum days between password changes is configured | Set existing users PASS_MIN_DAYS" - command: chage --mindays {{ ubtu20cis_pass.min_days }} {{ item }} - failed_when: false 
- with_items: - - "{{ ubtu20cis_passwd| selectattr('uid', '>=', 1000) | map(attribute='id') | list }}" - when: ubtu20cis_disruption_high - when: - - ubtu20cis_rule_5_4_1_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.4.1.1 - - user - - login - -- name: "5.4.1.3 | PATCH | Ensure password expiration warning days is 7 or more" - block: - - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set /etc/login.defs PASS_WARN_AGE" - lineinfile: - path: /etc/login.defs - regexp: '^PASS_WARN_AGE|^#PASS_WARN_AGE' - line: 'PASS_WARN_AGE {{ ubtu20cis_pass.warn_age }}' - - - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set existing users PASS_WARN_AGE" - command: chage --warndays {{ ubtu20cis_pass.warn_age }} {{ item }} - failed_when: false - with_items: - - "{{ ubtu20cis_passwd| selectattr('uid', '>=', 1000) | map(attribute='id') | list }}" - when: ubtu20cis_disruption_high - when: - - ubtu20cis_rule_5_4_1_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.4.1.3 - - user - - login - -- name: "5.4.1.4 | PATCH | Ensure inactive password lock is 30 days or less" - block: - - name: "5.4.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set inactive period for new users" - command: useradd -D -f {{ ubtu20cis_pass.inactive }} - failed_when: false - - - name: "5.4.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set inactive period for existing users" - command: chage --inactive {{ ubtu20cis_pass.inactive }} {{ item }} - failed_when: false - with_items: - - "{{ ubtu20cis_passwd| selectattr('uid', '>=', 1000) | map(attribute='id') | list }}" - when: ubtu20cis_disruption_high - when: - - ubtu20cis_rule_5_4_1_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.4.1.4 - - user - - login - -- name: "5.4.1.5 | PATCH | Ensure all users last password change date is in the past" - block: - - name: "5.4.1.5 | PATCH | Ensure all users last 
password change date is in the past | Get current date in Unix Time" - shell: echo $(($(date --utc --date "$1" +%s)/86400)) - changed_when: false - failed_when: false - register: ubtu20cis_5_4_1_5_current_time - - - name: "5.4.1.5 | PATCH | Ensure all users last password change date is in the past | Get list of users with last changed PW date in future" - shell: "cat /etc/shadow | awk -F: '{if($3>{{ ubtu20cis_5_4_1_5_current_time.stdout }})print$1}'" - changed_when: false - failed_when: false - register: ubtu20cis_5_4_1_5_user_list - - - name: "5.4.1.5 | PATCH | Ensure all users last password change date is in the past | Warn about users" - debug: - msg: - - "WARNING!!!!The following accounts have the last PW change date in the future" - - "{{ ubtu20cis_5_4_1_5_user_list.stdout_lines }}" - when: ubtu20cis_5_4_1_5_user_list.stdout != "" - - - name: "5.4.1.5 | PATCH | Ensure all users last password change date is in the past | Lock accounts with furtre PW changed dates" - command: passwd --expire {{ item }} - failed_when: false - with_items: - - "{{ ubtu20cis_5_4_1_5_user_list.stdout_lines }}" - when: - - ubtu20cis_disruption_high - - ubtu20cis_5_4_1_5_user_list.stdout != "" - when: - - ubtu20cis_rule_5_4_1_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.4.1.5 - - user - - login - -- name: "5.4.2 | PATCH | Ensure system accounts are secured" - block: - - name: "5.4.2 | PATCH | Ensure system accounts are secured | Set system accounts to login" - user: - name: "{{ item }}" - shell: /sbin/nologin - with_items: - - "{{ ubtu20cis_passwd | selectattr('uid', '<', 1000) | map(attribute='id') | list }}" - when: - - item != "root" - - item != "sync" - - item != "shutdown" - - item != "halt" - - - name: "5.4.2 | PATCH | Ensure system accounts are secured | Lock non-root system accounts" - user: - name: "{{ item }}" - password_lock: true - with_items: - - "{{ ubtu20cis_passwd| selectattr('uid', '<', 1000) | map(attribute='id') | list }}" - when: - - item 
!= "root" - when: - - ubtu20cis_rule_5_4_2 - - ubtu20cis_disruption_high - tags: - - level1-server - - level1-workstation - - patch - - rule_5.4.2 - - user - - system - -- name: "5.4.3 | PATCH | Ensure default group for the root account is GID 0" - block: - - name: "5.4.3 | PATCH | Ensure default group for the root account is GID 0 | Set root group to GUID 0" - group: - name: root - gid: 0 - - - name: "5.4.3 | PATCH | Ensure default group for the root account is GID 0 | Set root user to root group" - user: - name: root - group: root - when: - - ubtu20cis_rule_5_4_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.4.3 - - user - - system - -- name: "5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive" - block: - - name: "5.4.4 | AUDIT | Ensure default user umask is 027 or more restrictive" - shell: grep -E '^session.*optional.*pam_umask.so' /etc/pam.d/common-session - changed_when: false - failed_when: false - register: ubtu20cis_5_4_4_umask_pam_status - - - name: "5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive" - lineinfile: - path: /etc/pam.d/common-session - line: 'session optional pam_umask.so' - insertbefore: '^# end of pam-auth-update config' - when: ubtu20cis_5_4_4_umask_pam_status.stdout != "" - - - name: "5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive" - replace: - path: "{{ item }}" - regexp: '(^\s+umask) 002' - replace: '\1 027' - with_items: - - /etc/bash.bashrc - - /etc/profile - - /etc/login.defs - when: - - ubtu20cis_rule_5_4_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.4.4 - - user - -- name: "5.4.5 | PATCH | Ensure default user shell timeout is 900 seconds or less" - blockinfile: - create: yes - mode: 0644 - dest: "{{ item.dest }}" - state: "{{ item.state }}" - marker: "# {mark} ANSIBLE MANAGED" - block: | - # Set session timeout - CIS ID 5.4.5 - TMOUT={{ ubtu20cis_shell_session_timeout.timeout }} - readonly TMOUT - export TMOUT - with_items: 
- - { dest: "{{ ubtu20cis_shell_session_timeout.file }}", state: present } - - { dest: /etc/profile, state: "{{ (ubtu20cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" } - - { dest: /etc/bash.bashrc, state: present } - when: - - ubtu20cis_rule_5_4_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.4.5 - - user - -- name: "5.5 | AUDIT | Ensure root login is restricted to system console" - block: - - name: "5.5 | AUDIT | Ensure root login is restricted to system console | Get list of all terminals" - command: cat /etc/securetty - changed_when: false - failed_when: false - register: ubtu20cis_5_5_terminal_list - - - name: "5.5 | AUDIT | Ensure root login is restricted to system console | Message out list" - debug: - msg: - - "WARNING!!!!Below is the list of conoles with root login access" - - "Please review for any conoles that are not in a physically secure location" - - "{{ ubtu20cis_5_5_terminal_list.stdout_lines }}" - when: - - ubtu20cis_rule_5_5 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_5.5 - - user - -- name: "5.6 | PATCH | Ensure access to the su command is restricted" - block: - - name: "5.6 | PATCH | Ensure access to the su command is restricted | Check for pam_wheel.so module" - command: grep 'auth.*required.*pam_wheel' /etc/pam.d/su - changed_when: false - failed_when: false - register: ubtu20cis_5_6_pam_wheel_status - - - name: "5.6 | PATCH | Ensure access to the su command is restricted | Create empty sugroup" - group: - name: "{{ ubtu20cis_su_group }}" - - - name: "5.6 | PATCH | Ensure access to the su command is restricted | Set pam_wheel if exists" - pamd: - name: su - type: auth - control: required - module_path: pam_wheel.so - module_arguments: 'use_uid group={{ ubtu20cis_su_group }}' - when: ubtu20cis_5_6_pam_wheel_status.stdout != "" - - - name: "5.6 | PATCH | Ensure access to the su command is restricted | Set pam_wheel if does not exist" - lineinfile: - 
path: /etc/pam.d/su - line: 'auth required pam_wheel.so use_uid group={{ ubtu20cis_su_group }}' - create: yes - when: ubtu20cis_5_6_pam_wheel_status.stdout == "" - when: - - ubtu20cis_rule_5_6 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.6 - - user diff --git a/tasks/section6.yml b/tasks/section6.yml deleted file mode 100644 index f7b976da..00000000 --- a/tasks/section6.yml +++ /dev/null 
@@ -1,863 +0,0 @@ ---- -- name: "6.1.1 | AUDIT | Audit system file permissions" - block: - - name: "6.1.1 | AUDIT | Audit system file permissions | Register package list" - command: ls -a /bin/ - changed_when: false - failed_when: false - register: ubtu20cis_6_1_1_packages - - # - name: "NOTSCORED | 6.1.1 | AUDIT | Audit system file permissions | Audit the packages" - # command: dpkg --verify {{ item }} - # changed_when: false - # failed_when: false - # with_items: - # - "{{ ubtu18cis_6_1_1_packages.stdout_lines }}" - # register: ubtu18cis_6_1_1_packages_audited - - - name: "6.1.1 | AUDIT | Audit system file permissions | Message out packages results for review" - debug: - msg: - - "ALERT!!!! Below are the packages that need to be reviewed." - - "You can run dpkg --verify and if nothing is returned the package is installed correctly" - - "{{ ubtu20cis_6_1_1_packages.stdout_lines }}" - when: - - ubtu20cis_rule_6_1_1 - tags: - - level2-server - - level2-workstation - - manual - - audit - - rule_6.1.1 - - permissions - -- name: "6.1.2 | PATCH | Ensure permissions on /etc/passwd are configured" - file: - path: /etc/passwd - owner: root - group: root - mode: 0644 - when: - - ubtu20cis_rule_6_1_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.1.2 - - permissions - -- name: "6.1.3 | PATCH | Ensure permissions on /etc/gshadow- are configured" - file: - path: /etc/gshadow- - owner: root - group: shadow - mode: 0640 - when: - - ubtu20cis_rule_6_1_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.1.3 - - permissions - -- name: "6.1.4 | PATCH | Ensure permissions on /etc/shadow are configured" - file: - path: /etc/shadow - owner: root - group: shadow - mode: 0640 - when: - - ubtu20cis_rule_6_1_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.1.4 - - permissions - -- name: "6.1.5 | PATCH | Ensure permissions on /etc/group are configured" - file: - path: /etc/group - owner: root - group: root - mode: 0644 - 
when: - - ubtu20cis_rule_6_1_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.1.5 - - permissions - -- name: "6.1.6 | PATCH | Ensure permissions on /etc/passwd- are configured" - file: - path: /etc/passwd- - owner: root - group: root - mode: 0600 - when: - - ubtu20cis_rule_6_1_6 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.1.6 - - permissions - -- name: "6.1.7 | PATCH | Ensure permissions on /etc/shadow- are configured" - file: - path: /etc/shadow- - owner: root - group: shadow - mode: 0640 - when: - - ubtu20cis_rule_6_1_7 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.1.7 - - permissions - -- name: "6.1.8 | PATCH | Ensure permissions on /etc/group- are configured" - file: - path: /etc/group- - owner: root - group: root - mode: 0644 - when: - - ubtu20cis_rule_6_1_8 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.1.8 - - permissions - -- name: "6.1.9 | PATCH | Ensure permissions on /etc/gshadow are configured" - file: - path: /etc/gshadow - owner: root - group: shadow - mode: 0640 - when: - - ubtu20cis_rule_6_1_9 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.1.9 - - permissions - -- name: "6.1.10 | PATCH | Ensure no world writable files exist" - block: - - name: "6.1.10 | PATCH | Ensure no world writable files exist | Get list of world-writable files" - shell: find {{ item.mount }} -xdev -type f -perm -0002 - changed_when: false - failed_when: false - register: ubtu20cis_6_1_10_wwf - with_items: - - "{{ ansible_mounts }}" - - - name: "6.1.10 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist" - file: - path: "{{ item }}" - mode: o-w - with_items: - - "{{ ubtu20cis_6_1_10_wwf.results | map(attribute='stdout_lines') | flatten }}" - when: ubtu20cis_no_world_write_adjust - when: - - ubtu20cis_rule_6_1_10 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.1.10 - - permissions - -- name: "6.1.11 | 
PATCH | Ensure no unowned files or directories exist" - block: - - name: "6.1.11 | AUDIT | Ensure no unowned files or directories exist | Get unowned files or directories" - shell: find {{ item.mount }} -xdev -nouser - changed_when: false - failed_when: false - register: ubtu20cis_6_1_11_no_user_items - with_items: - - "{{ ansible_mounts }}" - - - name: "6.1.11 | PATCH | Ensure no unowned files or directories exist | Flatten no_user_items results for easier use" - set_fact: - ubtu20cis_6_1_11_no_user_items_flatten: "{{ ubtu20cis_6_1_11_no_user_items.results | map(attribute='stdout_lines') | flatten }}" - - - name: "6.1.11 | AUDIT | Ensure no unowned files or directories exist | Alert on unowned files and directories" - debug: - msg: - - "ALERT!!!You have unowned files and are configured to not auto-remediate for this task" - - "Please review the files/directories below and assign an owner" - - "{{ ubtu20cis_6_1_11_no_user_items_flatten }}" - when: - - not ubtu20cis_no_owner_adjust - - ubtu20cis_6_1_11_no_user_items_flatten != "" - - - name: "6.1.11 | PATCH | Ensure no unowned files or directories exist | Set unowned files/directories to configured owner" - file: - path: "{{ item }}" - owner: "{{ ubtu20cis_unowned_owner }}" - with_items: - - "{{ ubtu20cis_6_1_11_no_user_items_flatten }}" - when: - - ubtu20cis_no_owner_adjust - - ubtu20cis_6_1_11_no_user_items_flatten != "" - when: - - ubtu20cis_rule_6_1_11 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.1.11 - - permissions - -- name: "6.1.12 | PATCH | Ensure no ungrouped files or directories exist" - block: - - name: "6.1.12 | PATCH | Ensure no ungrouped files or directories exist | Get ungrouped fiels or directories" - shell: find {{ item.mount }} -xdev -nogroup - changed_when: false - failed_when: false - register: ubtu20cis_6_1_12_ungrouped_items - with_items: - - "{{ ansible_mounts }}" - - - name: "6.1.12 | PATCH | Ensure no ungrouped files or directories exist | Flatten ungrouped_items 
results for easier use" - set_fact: - ubtu20cis_6_1_12_ungrouped_items_flatten: "{{ ubtu20cis_6_1_12_ungrouped_items.results | map(attribute='stdout_lines') | flatten }}" - - - name: "6.1.12 | PATCH | Ensure no ungrouped files or directories exist | Alert on ungrouped files and directories" - debug: - msg: - - "ALERT!!!!You have ungrouped files/directories and are configured to not auto-remediate for this task" - - "Please review the files/directories below and assign a group" - - "{{ ubtu20cis_6_1_12_ungrouped_items_flatten }}" - when: - - not ubtu20cis_no_group_adjust - - ubtu20cis_6_1_12_ungrouped_items_flatten != "" - - - name: "6.1.12 | PATCH | Ensure no ungrouped files or directories exist | Set ungrouped files/directories to configured group" - file: - path: "{{ item }}" - group: "{{ ubtu20cis_ungrouped_group }}" - with_items: - - "{{ ubtu20cis_6_1_12_ungrouped_items_flatten }}" - when: - - ubtu20cis_no_group_adjust - - ubtu20cis_6_1_12_ungrouped_items_flatten != "" - when: - - ubtu20cis_rule_6_1_12 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.1.12 - - permissions - -- name: "6.1.13 | AUDIT | Audit SUID executables" - block: - - name: "6.1.13 | AUDIT | Audit SUID executables | Find SUID executables" - # shell: df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -4000 - shell: find {{ item.mount }} -xdev -type f -perm -4000 - changed_when: false - failed_when: false - register: ubtu20cis_6_1_13_suid_executables - with_items: - - "{{ ansible_mounts }}" - - - name: "6.1.13 | AUDIT | Audit SUID executables | Flatten suid_executables results for easier use" - set_fact: - ubtu20cis_6_1_13_suid_executables_flatten: "{{ ubtu20cis_6_1_13_suid_executables.results | map(attribute='stdout_lines') | flatten }}" - - - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" - debug: - msg: - - "ALERT!!!!You have SUID executables" - - "The files are listed below, please confirm the 
integrity of these binaries" - - "{{ ubtu20cis_6_1_13_suid_executables_flatten }}" - when: - - ubtu20cis_6_1_13_suid_executables_flatten != "" - - not ubtu20cis_suid_adjust - - - name: "6.1.13 | PATCH | Audit SUID executables | Remove SUID bit" - file: - path: "{{ item }}" - mode: 'u-s' - with_items: - - "{{ ubtu20cis_6_1_13_suid_executables_flatten }}" - when: - - ubtu20cis_suid_adjust - - ubtu20cis_6_1_13_suid_executables_flatten != "" - when: - - ubtu20cis_rule_6_1_13 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_6.1.13 - - permissions - -- name: "6.1.14 | AUDIT | Audit SGID executables" - block: - - name: "6.1.14 | PATCH | Audit SGID executables | Find SGID executables" - shell: find {{ item }} -xdev -type f -perm -2000 - changed_when: false - failed_when: false - register: ubtu20cis_6_1_14_sgid_executables - with_items: - - "{{ ansible_mounts }}" - - - name: "6.1.14 | AUDIT | Audit SGID executables | Flatten sgid_executables results for easier use" - set_fact: - ubtu20cis_6_1_14_sgid_executables_flatten: "{{ ubtu20cis_6_1_14_sgid_executables.results | map(attribute='stdout_lines') | flatten }}" - - - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" - debug: - msg: - - "ALERT!!!!You have SGID executables" - - "The files are listed below, please review the integrity of these binaries" - - "{{ ubtu20cis_6_1_14_sgid_executables_flatten }}" - when: ubtu20cis_6_1_14_sgid_executables_flatten != [] - when: - - ubtu20cis_rule_6_1_14 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_6.1.14 - - permissions - -- name: "6.2.1 | PATCH | Ensure password fields are not empty" - block: - - name: "6.2.1 | PATCH | Ensure password fields are not empty | Find users with no password" - shell: awk -F":" '($2 == "" ) { print $1 }' /etc/shadow - register: ubtu20cis_6_2_1_empty_password_acct - changed_when: no - check_mode: no - - - name: "6.2.1 | PATCH | Ensure password fields are not empty | 
Lock users with empty password" - user: - name: "{{ item }}" - password_lock: yes - with_items: - - "{{ ubtu20cis_6_2_1_empty_password_acct.stdout_lines }}" - when: ubtu20cis_6_2_1_empty_password_acct.stdout != "" - when: - - ubtu20cis_rule_6_2_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.1 - - user - - permissions - -- name: "6.2.2 | PATCH | Ensure root is the only UID 0 account" - block: - - name: "6.2.2 | AUDIT | Ensure root is the only UID 0 account | Get non-root users with UID of 0" - shell: awk -F":" '($3 == 0 && $1 != \"root\") {i++;print $1 }' /etc/passwd - changed_when: false - failed_when: false - register: ubtu20cis_6_2_2_uid_0_notroot - - - name: "6.2.2 | PATCH | Ensure root is the only UID 0 account | Lock UID 0 users" - user: - name: "{{ item }}" - password_lock: yes - with_items: - - "{{ ubtu20cis_6_2_2_uid_0_notroot.stdout_lines }}" - when: - - ubtu20cis_disruption_high - - ubtu20cis_6_2_2_uid_0_notroot.stdout != "" - - - name: "6.2.2 | AUDIT | Ensure root is the only UID 0 account | Alert about accounts disruption high" - debug: - msg: - - "ALERT!!!! You have non-root users with a UID of 0 and ubtu18cis_disruption_high enabled" - - "This means the following accounts were password locked and will need to have the UID's manually adjusted" - - "{{ ubtu20cis_6_2_2_uid_0_notroot.stdout_lines }}" - when: - - ubtu20cis_disruption_high - - ubtu20cis_6_2_2_uid_0_notroot.stdout != "" - - - name: "6.2.2 | AUDIT | Ensure root is the only UID 0 account | Alert about accounts disruption low" - debug: - msg: - - "ALERT!!!! 
You have non-root users with a UID of 0 and ubtu18cis_disruption_high disabled" - - "This means no action was taken, you will need to have the UID's of the users below manually adjusted" - - "{{ ubtu20cis_6_2_2_uid_0_notroot.stdout_lines }}" - when: - - not ubtu20cis_disruption_high - - ubtu20cis_6_2_2_uid_0_notroot.stdout != "" - when: - - ubtu20cis_rule_6_2_2 - tags: - - level1-server - - level1-workstation - - scored - - rule_6.2.2 - - user - - root - -- name: "6.2.3 | PATCH | Ensure root PATH Integrity" - command: /bin/true - changed_when: false - failed_when: false - # block: - # - name: "6.2.3 | PATCH | Ensure root PATH Integrity | Determine empty value" - # shell: 'echo $PATH | grep ::' - # changed_when: False - # failed_when: ubtu20cis_6_2_3_path_colon.rc == 0 - # register: ubtu20cis_6_2_3_path_colon - - # - name: "6.2.3 | PATCH | Ensure root PATH Integrity | Determine colon end" - # shell: 'echo $PATH | grep :$' - # changed_when: False - # failed_when: ubtu20cis_6_2_3_path_colon_end.rc == 0 - # register: ubtu20cis_6_2_3_path_colon_end - - # - name: "6.2.3 | PATCH | Ensure root PATH Integrity | Determine working dir" - # shell: echo "$PATH" - # changed_when: False - # failed_when: '"." 
in ubtu20cis_6_2_3_working_dir.stdout_lines' - # register: ubtu20cis_6_2_3_working_dir - # - debug: var=ubtu20cis_6_2_3_working_dir - - # - name: "6.2.3 | PATCH | Ensure root PATH Integrity | Check paths" - # stat: - # path: "{{ item }}" - # register: ubtu20cis_6_2_3_path_stat - # with_items: - # - "{{ ubtu20cis_6_2_3_working_dir.stdout.split(':') }}" - - # - debug: var=ubtu20cis_6_2_3_path_stat - - # - name: "6.2.3 | PATCH | Ensure root PATH Integrity | Alert on empty value, colon end, and no working dir" - # debug: - # msg: - # - "The following paths have no working directory: {{ ubtu20cis_6_2_3_path_stat.results | selectattr('stat.exists','equalto','false') | map(attribute='item') | list }}" - - # # - name: "6.2.3 | PATCH | Ensure root PATH Integrity | Set permissions" - # # file: - # # path: "{{ item }}" - # # owner: root - # # mode: 'o-w,g-w' - # # follow: yes - # # state: directory - # # with_items: - # # - "{{ ubtu18cis_6_2_7_path_stat | selectattr('exists','==','true') | map(attribute='path') }}" - when: - - ubtu20cis_rule_6_2_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.3 - - user - - root - - notimplemented - -- name: "6.2.4 | PATCH | Ensure all users' home directories exist" - block: - - name: capture audit task for missing homedirs - block: &u20s_homedir_audit - - name: "6.2.4 | PATCH | Ensure all users' home directories exist | Find users missing home directories" - shell: pwck -r | grep -P {{ ld_regex | quote }} - check_mode: no - register: ubtu20cis_users_missing_home - changed_when: ubtu20cis_6_2_4_audit | length > 0 - # failed_when: 0: success, 1: no grep match, 2: pwck found something - failed_when: ubtu20cis_users_missing_home.rc not in [0,1,2] - - ### NOTE: due to https://github.com/ansible/ansible/issues/24862 This is a shell command, and is quite frankly less than ideal. 
- - name: "6.2.4 | PATCH | Ensure all users' home directories exist| Creates home directories" - command: "mkhomedir_helper {{ item }}" - # check_mode: "{{ ubtu20cis_disruptive_check_mode }}" - with_items: "{{ ubtu20cis_6_2_4_audit | map(attribute='id') | list }}" - when: - - ubtu20cis_users_missing_home is changed - - ubtu20cis_disruption_high - - ### NOTE: Now we need to address that SELINUX will not let mkhomedir_helper create home directories for UUID < 500, so the ftp user will still show up in a pwck. Not sure this is needed, I need to confirm if that user is removed in an earlier task. - ### ^ Likely doesn't matter as 6.2.7 defines "local interactive users" as those w/ uid 1000-4999 - - name: replay audit task - block: *u20s_homedir_audit - - # CAUTION: debug loops don't show changed since 2.4: - # Fix: https://github.com/ansible/ansible/pull/59958 - - name: "6.2.4 | PATCH | Ensure all users' home directories exist | Alert about correcting owner and group" - debug: msg="You will need to mkdir -p {{ item }} and chown properly to the correct owner and group." 
- with_items: "{{ ubtu20cis_6_2_4_audit | map(attribute='dir') | list }}" - changed_when: ubtu20cis_audit_complex - when: - - ubtu20cis_users_missing_home is changed - vars: - ld_regex: >- - ^user '(?P.*)': directory '(?P.*)' does not exist$ - ld_users: "{{ ubtu20cis_users_missing_home.stdout_lines | map('regex_replace', ld_regex, '\\g') | list }}" - ubtu20cis_6_2_4_audit: "{{ ubtu20cis_passwd | selectattr('uid', '>=', 1000) | selectattr('id', 'in', ld_users) | list }}" - when: - - ubtu20cis_rule_6_2_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.4 - - user - -- name: "6.2.5 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" - block: - - name: "6.2.5 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive | Stat home directories" - stat: - path: "{{ item }}" - with_items: "{{ ubtu20cis_passwd | selectattr('uid', '>=', 1000) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" - register: ubtu20cis_6_2_5_audit - - - name: "6.2.5 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive | Find home directories more 750" - command: find -H {{ item.0 | quote }} -not -type l -perm /027 - register: ubtu20cis_6_2_4_patch_audit - changed_when: ubtu20cis_6_2_4_patch_audit.stdout != "" - when: - - item.1.exists - with_together: - - "{{ ubtu20cis_6_2_5_audit.results | map(attribute='item') | list }}" - - "{{ ubtu20cis_6_2_5_audit.results | map(attribute='stat') | list }}" - loop_control: - label: "{{ item.0 }}" - - - name: "6.2.5 | PATCH | Ensure users' home directories permissions are 750 or more restrictive | Set home perms" - file: - path: "{{ item.0 }}" - recurse: yes - mode: a-st,g-w,o-rwx - register: ubtu20cis_6_2_5_patch - when: - - ubtu20cis_disruption_high - - item.1.exists - with_together: - - "{{ ubtu20cis_6_2_5_audit.results | map(attribute='item') | list }}" - - "{{ ubtu20cis_6_2_5_audit.results | map(attribute='stat') | list }}" - loop_control: 
- label: "{{ item.0 }}" - - # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.5 | PATCH | Ensure users' home directories permissions are 750 or more restrictive | Set ACL's" - acl: - path: "{{ item.0 }}" - default: yes - state: present - recursive: yes - etype: "{{ item.1.etype }}" - permissions: "{{ item.1.mode }}" - when: not ubtu20cis_system_is_container - with_nested: - - "{{ (ansible_check_mode | ternary(ubtu20cis_6_2_5_patch_audit, ubtu20cis_6_2_5_patch)).results | - rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" - - - - etype: group - mode: rx - - etype: other - mode: '0' - when: - - ubtu20cis_rule_6_2_5 - - ubtu20cis_disruption_high - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.5 - - user - -- name: "6.2.6 | PATCH | Ensure users own their home directories" - file: - path: "{{ item.dir }}" - owner: "{{ item.id }}" - state: directory - with_items: - - "{{ ubtu20cis_passwd }}" - loop_control: - label: "{{ ubtu20cis_passwd_label }}" - when: - - ubtu20cis_rule_6_2_6 - - item.uid >= 1000 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.6 - - user - -- name: "6.2.7 | PATCH | Ensure users' dot files are not group or world writable" - block: - - name: "6.2.7 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files" - shell: find /home/ -name "\.*" -perm /g+w,o+w - changed_when: no - failed_when: no - register: ubtu20cis_6_2_7_audit - - - name: "6.2.7 | AUDIT | Ensure users' dot files are not group or world-writable | Alert on files found" - debug: - msg: "Good news! 
We have not found any group or world-writable dot files on your sytem" - failed_when: false - changed_when: false - when: - - ubtu20cis_6_2_7_audit.stdout == "" - - - name: "6.2.7 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured" - file: - path: '{{ item }}' - mode: go-w - with_items: "{{ ubtu20cis_6_2_7_audit.stdout_lines }}" - when: - - ubtu20cis_6_2_7_audit.stdout != "" - - ubtu20cis_dotperm_ansibleManaged - when: - - ubtu20cis_rule_6_2_7 - - ubtu20cis_disruption_high - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.7 - - user - -- name: "6.2.8 | PATCH | Ensure no users have .forward files" - file: - dest: "~{{ item }}/.forward" - state: absent - with_items: - - "{{ ubtu20cis_users.stdout_lines }}" - when: - - ubtu20cis_rule_6_2_8 - - ubtu20cis_disruption_high - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.8 - - user - -- name: "6.2.9 | PATCH | Ensure no users have .netrc files" - file: - dest: "~{{ item }}/.netrc" - state: absent - with_items: - - "{{ ubtu20cis_users.stdout_lines }}" - when: - - ubtu20cis_rule_6_2_9 - - ubtu20cis_disruption_high - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.9 - - user - -- name: "6.2.10 | PATCH | Ensure users' .netrc Files are not group or world accessible" - file: - dest: "~{{ item }}/.netrc" - mode: go-w - failed_when: false - with_items: - - "{{ ubtu20cis_users.stdout_lines }}" - when: - - ubtu20cis_rule_6_2_10 - - ubtu20cis_disruption_high - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.10 - - user - -- name: "6.2.11 | PATCH | Ensure no users have .rhosts files" - file: - dest: "~{{ item }}/.rhosts" - state: absent - with_items: - - "{{ ubtu20cis_users.stdout_lines }}" - when: - - ubtu20cis_rule_6_2_11 - - ubtu20cis_disruption_high - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.11 - - user - -- name: "6.2.12 | AUDIT | Ensure all groups in /etc/passwd exist 
in /etc/group" - block: - - name: "6.2.12 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" - shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' - changed_when: false - failed_when: false - register: ubtu20cis_6_2_12_passwd_gid_check - - - name: "6.2.12 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" - debug: - msg: "Good News! There are no users that have non-existent GUIDs (Groups)" - when: ubtu20cis_6_2_12_passwd_gid_check.stdout == "" - - - name: "6.2.12 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" - debug: - msg: "WARNING!!!! The following users have non-existent GIDs (Groups): {{ ubtu20cis_6_2_12_passwd_gid_check.stdout_lines | join (', ') }}" - when: ubtu20cis_6_2_12_passwd_gid_check.stdout != "" - when: - - ubtu20cis_rule_6_2_12 - tags: - - level1-server - - level1-workstation - - audit - - rule_6.2.12 - - groups - -- name: "6.2.13 | AUDIT | Ensure no duplicate UIDs exist" - block: - - name: "6.2.13 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" - shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" - changed_when: false - failed_when: false - register: ubtu20cis_6_2_13_user_uid_check - - - name: "6.2.13 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" - debug: - msg: "Good News! There are no duplicate UID's in the system" - when: ubtu20cis_6_2_13_user_uid_check.stdout == "" - - - name: "6.2.13 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" - debug: - msg: "Warning!!!! 
The following users have UIDs that are duplicates: {{ ubtu20cis_6_2_13_user_uid_check.stdout_lines }}" - when: ubtu20cis_6_2_13_user_uid_check.stdout != "" - when: - - ubtu20cis_rule_6_2_13 - tags: - - level1-server - - level1-workstation - - audit - - rule_6.2.13 - - user - -- name: "6.2.14 | AUDIT | Ensure no duplicate GIDs exist" - block: - - name: "6.2.14 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" - shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" - changed_when: no - failed_when: no - register: ubtu20cis_6_2_14_user_user_check - - - name: "6.2.14 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" - debug: - msg: "Good News! There are no duplicate GIDs in the system" - when: ubtu20cis_6_2_14_user_user_check.stdout == "" - - - name: "6.2.14 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" - debug: - msg: "Warning: The following groups have duplicate GIDs: {{ ubtu20cis_6_2_14_user_user_check.stdout_lines }}" - when: ubtu20cis_6_2_14_user_user_check.stdout != "" - when: - - ubtu20cis_rule_6_2_14 - tags: - - level1-server - - level1-workstation - - audit - - rule_6.2.14 - - groups - -- name: "6.2.15 | AUDIT | Ensure no duplicate user names exist" - block: - - name: "6.2.15 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" - shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" - changed_when: no - failed_when: no - register: ubtu20cis_6_2_15_user_username_check - - - name: "6.2.15 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist" - debug: - msg: "Good News! 
There are no duplicate user names in the system" - when: ubtu20cis_6_2_15_user_username_check.stdout == "" - - - name: "6.2.15 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" - debug: - msg: "Warning: The following user names are duplicates: {{ ubtu20cis_6_2_15_user_username_check.stdout_lines }}" - when: ubtu20cis_6_2_15_user_username_check.stdout != "" - when: - - ubtu20cis_rule_6_2_15 - tags: - - level1-server - - level1-workstation - - audit - - rule_6.2.15 - - user - -- name: "6.2.16 | AUDIT | Ensure no duplicate group names exist" - block: - - name: "6.2.16 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" - shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' - changed_when: false - failed_when: false - register: ubtu20cis_6_2_16_group_group_check - - - name: "6.2.16 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" - debug: - msg: "Good News! There are no duplicate group names in the system" - when: ubtu20cis_6_2_16_group_group_check.stdout == "" - - - name: "6.2.16 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" - debug: - msg: "Warning: The following group names are duplicates: {{ ubtu20cis_6_2_16_group_group_check.stdout_lines }}" - when: ubtu20cis_6_2_16_group_group_check.stdout != "" - when: - - ubtu20cis_rule_6_2_16 - tags: - - level1-server - - level1-workstation - - audit - - rule_6.2.16 - - groups - -- name: "6.2.17 | AUDIT | Ensure shadow group is empty" - block: - - name: "6.2.17 | AUDIT | Ensure shadow group is empty | Get Shadow GID" - shell: grep ^shadow /etc/group | cut -f3 -d":" - changed_when: false - failed_when: false - register: ubtu20cis_6_2_17_shadow_gid - - - name: "6.2.17 | AUDIT | Ensure shadow group is empty | List of users with Shadow GID" - shell: awk -F":" '($4 == "{{ ubtu20cis_6_2_17_shadow_gid.stdout }}") { print }' /etc/passwd | cut -f1 
-d":" - changed_when: false - failed_when: false - register: ubtu20cis_6_2_17_users_shadow_gid - - - name: "6.2.17 | AUDIT | Ensure shadow group is empty | Message on no users" - debug: - msg: "Good News! There are no users with the Shado GID on your system" - when: ubtu20cis_6_2_17_users_shadow_gid.stdout == "" - - - name: "6.2.17 | AUDIT | Ensure shadow group is empty | Message on users with Shadow GID" - debug: - msg: - - "WARNING!!!! There are users that are in the Shadow group" - - "To conform to CIS standards no users should be in this group" - - "Please move the users below into another group" - - "{{ ubtu20cis_6_2_17_users_shadow_gid.stdout_lines }}" - when: ubtu20cis_6_2_17_users_shadow_gid.stdout != "" - when: - - ubtu20cis_rule_6_2_17 - tags: - - level1-server - - level1-workstation - - audit - - rule_6.2.17 - - groups - - user
diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml
new file mode 100644
index 00000000..8d73c0df
--- /dev/null
+++ b/tasks/section_1/cis_1.1.x.yml
@@ -0,0 +1,524 @@ +--- +- name: "AUTOMATED | 1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled" + block: + - name: "AUTOMATED | 1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config" + lineinfile: + dest: /etc/modprobe.d/cramfs.conf + regexp: "^(#)?install cramfs(\\s|$)" + line: install cramfs /bin/true + create: yes + + - name: "AUTOMATED | 1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs" + modprobe: + name: cramfs + state: absent + when: ansible_connection != 'docker' + when: + - ubtu20cis_rule_1_1_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.1.1 + - cramfs + +- name: "AUTOMATED | 1.1.1.2 | PATCH | Ensure mounting of freevxfs filesystems is disabled" + block: + - name: "AUTOMATED | 1.1.1.2 | PATCH | Ensure mounting of freevxfs filesystems is disabled | Edit modprobe config" + lineinfile: + dest: /etc/modprobe.d/freevxfs.conf + regexp: "^(#)?install freevxfs(\\s|$)" + line: install freevxfs /bin/true + create: yes + + - name: "AUTOMATED | 1.1.1.2 | PATCH | Ensure mounting of freevxfs filesystems is disabled | Disable freevxfs" + modprobe: + name: freevxfs + state: absent + when: ansible_connection != 'docker' + when: + - ubtu20cis_rule_1_1_1_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.1.2 + - freevxfs + +- name: "AUTOMATED | 1.1.1.3 | PATCH | Ensure mounting of jffs2 filesystems is disabled" + block: + - name: "AUTOMATED | 1.1.1.3 | PATCH | Ensure mounting of jffs2 filesystems is disabled | Edit modprobe config" + lineinfile: + dest: /etc/modprobe.d/jffs2.conf + regexp: "^(#)?install jffs2(\\s|$)" + line: install jffs2 /bin/true + create: yes + + - name: "AUTOMATED | 1.1.1.3 | PATCH | Ensure mounting of jffs2 filesystems is disabled | Disable jffs2" + modprobe: + name: jffs2 + state: absent + when: ansible_connection != 'docker' + when: + - ubtu20cis_rule_1_1_1_3 + tags: + - 
level1-server + - level1-workstation + - automated + - patch + - rule_1.1.1.3 + - jffs2 + +- name: "AUTOMATED | 1.1.1.4 | PATCH | Ensure mounting of hfs filesystems is disabled" + block: + - name: "AUTOMATED | 1.1.1.4 | PATCH | Ensure mounting of hfs filesystems is disabled | Edit modprobe config" + lineinfile: + dest: /etc/modprobe.d/hfs.conf + regexp: "^(#)?install hfs(\\s|$)" + line: install hfs /bin/true + create: yes + + - name: "AUTOMATED | 1.1.1.4 | PATCH | Ensure mounting of hfs filesystems is disabled | Disable hfs" + modprobe: + name: hfs + state: absent + when: ansible_connection != 'docker' + when: + - ubtu20cis_rule_1_1_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.1.4 + - hfs + +- name: "AUTOMATED | 1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled" + block: + - name: "AUTOMATED | 1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled | Edit modprobe config" + lineinfile: + dest: /etc/modprobe.d/hfsplus.conf + regexp: "^(#)?install hfsplus(\\s|$)" + line: install hfsplus /bin/true + create: yes + + - name: "AUTOMATED | 1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled | Disable hfsplus" + modprobe: + name: hfsplus + state: absent + when: ansible_connection != 'docker' + when: + - ubtu20cis_rule_1_1_1_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.1.5 + - hfsplus + +- name: "MANUAL | 1.1.1.6 | PATCH | Ensure mounting of squashfs filesystems is disabled" + block: + - name: "MANUAL | 1.1.1.6 | PATCH | Ensure mounting of squashfs filesystems is disabled | Edit modprobe config" + lineinfile: + dest: /etc/modprobe.d/squashfs.conf + regexp: "^(#)?install squashfs(\\s|$)" + line: install squashfs /bin/true + create: yes + + - name: "MANUAL | 1.1.1.6 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" + modprobe: + name: squashfs + state: absent + when: ansible_connection != 'docker' + when: + - 
ubtu20cis_rule_1_1_1_6 + tags: + - level2-server + - level2-workstation + - manual + - patch + - rule_1.1.1.6 + - squashfs + +- name: "AUTOMATED | 1.1.1.7 | PATCH | Ensure mounting of udf filesystems is disabled" + block: + - name: "AUTOMATED | 1.1.1.7 | PATCH | Ensure mounting of udf filesystems is disabled | Edit modprobe config" + lineinfile: + dest: /etc/modprobe.d/udf.conf + regexp: "^(#)?install udf(\\s|$)" + line: install udf /bin/true + create: yes + + - name: "AUTOMATED | 1.1.1.7 | PATCH | Ensure mounting of udf filesystems is disabled | Disable udf" + modprobe: + name: udf + state: absent + when: ansible_connection != 'docker' + when: + - ubtu20cis_rule_1_1_1_7 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.1.7 + - udf + +- name: "AUTOMATED | 1.1.2 | PATCH | Ensure /tmp is configured" + mount: + path: /tmp + src: /tmp + state: mounted + fstype: tmpfs + opts: "{{ ubtu20cis_tmp_fstab_options }}" + when: + - ubtu20cis_rule_1_1_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.2 + - tmp + +- name: | + "AUTOMATED | 1.1.3 | PATCH | Ensure nodev option set on /tmp partition" + "AUTOMATED | 1.1.4 | PATCH | Ensure nosuid option set on /tmp partition" + "AUTOMATED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition" + mount: + name: /tmp + src: /tmp + state: remounted + fstype: tmpfs + opts: "{{ ubtu20cis_tmp_fstab_options }}" + when: + - ubtu20cis_rule_1_1_3 or + ubtu20cis_rule_1_1_4 or + ubtu20cis_rule_1_1_5 + # - ubtu20cis_vartmp['enabled'] + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.3 + - rule_1.1.4 + - rule_1.1.5 + - tmp + +- name: "AUTOMATED | 1.1.6 | PATCH | Ensure /dev/shm is configured" + mount: + name: /dev/shm + src: /dev/shm + state: mounted + fstype: tmpfs + opts: "{{ ubtu20cis_dev_shm_fstab_options }}" + when: + - ubtu20cis_rule_1_1_6 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.6 + - 
dev_shm + +- name: | + "AUTOMATED | 1.1.7 | PATCH | Ensure nodev option set on /dev/shm partition" + "AUTOMATED | 1.1.8 | PATCH | Ensure nosuid option set on /dev/shm partition" + "AUTOMATED | 1.1.9 | PATCH | Ensure noexec option set on /dev/shm partition" + mount: + name: /dev/shm + src: /dev/shm + state: remounted + fstype: tmpfs + opts: "{{ ubtu20cis_dev_shm_fstab_options }}" + when: + - ubtu20cis_rule_1_1_7 or + ubtu20cis_rule_1_1_8 or + ubtu20cis_rule_1_1_9 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.7 + - rule_1.1.8 + - rule_1.1.9 + - dev_shm + +- name: "AUTOMATED | 1.1.10 | AUDIT | Ensure separate partition exists for /var" + block: + - name: "AUTOMATED | 1.1.10 | AUDIT | Ensure separate partition exists for /var | Gather /var partition" + shell: mount | grep "on /var " + changed_when: false + failed_when: false + check_mode: false + args: + warn: false + register: ubtu20cis_1_1_10_var_mounted + + - name: "AUTOMATED | 1.1.10 | AUDIT | Ensure separate partition exists for /var | Alert if /var partition does not exist" + debug: + msg: + - "ALERT!!!! There is no separate partition for /var" + - "Please create a separate partition for /var" + when: ubtu20cis_1_1_10_var_mounted.stdout | length == 0 + when: + - ubtu20cis_rule_1_1_10 + tags: + - level2-server + - level2-workstation + - automated + - audit + - rule_1.1.10 + - var + +- name: "AUTOMATED | 1.1.11 | AUDIT | Ensure separate partition exists for /var/tmp" + block: + - name: "AUTOMATED | 1.1.11 | AUDIT | Ensure separate partition exists for /var/tmp | Gather /var/tmp partition" + shell: mount | grep "on /var/tmp " + changed_when: false + failed_when: false + check_mode: false + args: + warn: false + register: ubtu20cis_1_1_11_var_tmp_mounted + + - name: "AUTOMATED | 1.1.11 | AUDIT | Ensure separate partition exists for /var/tmp | Alert if /var/tmp partition does not exist" + debug: + msg: + - "ALERT!!!! 
There is no separate partition for /var/tmp" + - "Please create a separate partition for /var/tmp" + when: ubtu20cis_1_1_11_var_tmp_mounted.stdout | length == 0 + when: + - ubtu20cis_rule_1_1_11 + tags: + - level2-server + - level2-workstation + - automated + - audit + - rule_1.1.11 + - var/tmp + +- name: | + "AUTOMATED | 1.1.12 | PATCH | Ensure /var/tmp partition includes the nodev option" + "AUTOMATED | 1.1.13 | PATCH | Ensure /var/tmp partition includes the nosuid option" + "AUTOMATED | 1.1.14 | PATCH | Ensure /var/tmp partition includes the noexec option" + mount: + name: /var/tmp + src: "{{ ubtu20cis_vartmp['source'] }}" + state: present + fstype: "{{ ubtu20cis_vartmp['fstype'] }}" + opts: "{{ ubtu20cis_vartmp['opts'] }}" + when: + - ubtu20cis_rule_1_1_12 or + ubtu20cis_rule_1_1_13 or + ubtu20cis_rule_1_1_14 + - ubtu20cis_vartmp['enabled'] + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.12 + - rule_1.1.13 + - rule_1.1.14 + - var/tmp + +- name: "AUTOMATED | 1.1.15 | AUDIT | Ensure separate partition exists for /var/log" + block: + - name: "AUTOMATED | 1.1.15 | AUDIT | Ensure separate partition exists for /var/log | Gather /var/log partition" + shell: mount | grep "on /var/log " + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_1_1_15_var_log_mounted + args: + warn: false + + - name: "AUTOMATED | 1.1.15 | AUDIT | Ensure separate partition exists for /var/log | Alert if /var/log partition does not exist" + debug: + msg: + - "ALERT!!!! 
There is no separate partition for /var/log" + - "Please create a separate partition for /var/log" + when: ubtu20cis_1_1_15_var_log_mounted.stdout | length == 0 + when: + - ubtu20cis_rule_1_1_15 + tags: + - level2-server + - level2-workstation + - automated + - audit + - rule_1.1.15 + - var/log + +- name: "AUTOMATED | 1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit" + block: + - name: "AUTOMATED | 1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit | Gather /var/log/audit" + shell: mount | grep "on /var/log/audit " + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_1_1_16_var_log_audit_mounted + args: + warn: false + + - name: "AUTOMATED | 1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit | Alert if /var/log/audit partition does not exist" + debug: + msg: + - "ALERT!!!! There is no separate partition for /var/log/audit" + - "Please create a separate partition for /var/log/audit" + when: ubtu20cis_1_1_16_var_log_audit_mounted.stdout | length == 0 + when: + - ubtu20cis_rule_1_1_16 + tags: + - level2-server + - level2-workstation + - automated + - audit + - var/log/audit + +- name: "AUTOMATED | 1.1.17 | AUDIT | Ensure separate partition exists for /home" + block: + - name: "AUTOMATED | 1.1.17 | AUDIT | Ensure separate partition exists for /home | Gather /home" + shell: mount | grep "on /home" + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_1_1_17_home_mounted + args: + warn: false + + - name: "AUTOMATED | 1.1.17 | AUDIT | Ensure separate partition exists for /home | Alert if /home partition does not exist" + debug: + msg: + - "ALERT!!!! 
There is no separate partition for /home" + - "Please create a separate partition for /home" + when: ubtu20cis_1_1_17_home_mounted.stdout | length == 0 + when: + - ubtu20cis_rule_1_1_17 + tags: + - level2-server + - level2-workstation + - automated + - audit + - /home + +- name: "AUTOMATED | 1.1.18 | PATCH | Ensure /home partition includes the nodev option" + mount: + name: "/home" + src: "{{ item.device }}" + state: mounted + fstype: "{{ item.fstype }}" + opts: "nodev" + with_items: "{{ ansible_mounts }}" + when: + - ubtu20cis_rule_1_1_18 + - item.mount == "/home" + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.18 + - /home + +- name: "MANUAL | 1.1.19 | AUDIT | Ensure nodev option set on removable media partitions" + debug: + msg: "Warning!!!! Not relevant control" + when: + - ubtu20cis_rule_1_1_19 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_1.1.19 + - removable_media + +- name: "MANUAL | 1.1.20 | AUDIT | Ensure nosuid option set on removable media partitions" + debug: + msg: "Warning!!!! Not relevant control" + when: + - ubtu20cis_rule_1_1_20 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_1.1.20 + - removable_media + +- name: "MANUAL | 1.1.21 | AUDIT | Ensure noexec option set on removable media partitions" + debug: + msg: "Warning!!!! Not relevant control" + when: + - ubtu20cis_rule_1_1_21 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_1.1.21 + - removable_media + +- name: "AUTOMATED | 1.1.22 | PATCH | Ensure sticky bit is set on all world-writable directories" + shell: df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! 
-perm -1000 \) 2>/dev/null | xargs -I '{}' chmod a+t '{}' + failed_when: ubtu20cis_1_1_22_status.rc>0 + check_mode: false + register: ubtu20cis_1_1_22_status + when: + - ubtu20cis_rule_1_1_22 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.22 + - sticky_bit + +- name: "AUTOMATED | 1.1.23 | PATCH | Disable Automounting" + service: + name: autofs + state: stopped + enabled: no + when: + - ubtu20cis_rule_1_1_23 + - ubtu20cis_autofs_service_status.stdout == "loaded" + - not ubtu20cis_allow_autofs + tags: + - level1-server + - level2-workstation + - automated + - patch + - rule_1.1.23 + - automounting + +- name: "AUTOMATED | 1.1.24 | PATCH | Disable USB Storage" + block: + - name: "AUTOMATED | 1.1.24 | PATCH | Disable USB Storage | Set modprobe config" + lineinfile: + path: /etc/modprobe.d/usb_storage.conf + regexp: '^install usb-storage' + line: 'install usb-storage /bin/true' + create: yes + + - name: "AUTOMATED | 1.1.24 | PATCH | Disable USB Storage | Remove usb-storage module" + modprobe: + name: usb-storage + state: absent + when: ansible_connection != 'docker' + when: + - ubtu20cis_rule_1_1_24 + - not ubtu20cis_allow_usb_storage + tags: + - level1-server + - level2-workstation + - automated + - patch + - rule_1.1.24 + - usb_storage diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml new file mode 100644 index 00000000..6849ca9a --- /dev/null +++ b/tasks/section_1/cis_1.2.x.yml 
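Review bot: The 1.1.18 task writes `opts: "nodev"` as the complete option string for the `/home` fstab entry, so whatever options that line already carries (`defaults`, `nosuid`, `noexec`, `errors=…`) are silently dropped instead of extended, while the control only requires that `nodev` be present. Build the string from the discovered mount instead, e.g. `opts: "{{ item.options }}{{ '' if 'nodev' in item.options.split(',') else ',nodev' }}"`, so existing hardening flags survive. Separately, 1.1.22 runs `chmod a+t` through `shell` with `check_mode: false`, which makes a PATCH task modify the filesystem during a `--check` run; drop `check_mode: false` there or split the find from the chmod. The 1.1.17 grep `"on /home"` also matches `/home2` or `/homes`; add the trailing space the other partition checks use.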
@@ -0,0 +1,52 @@
+---
+- name: "MANUAL | 1.2.1 | AUDIT | Ensure package manager repositories are configured"
+ block:
+ - name: "MANUAL 1.2.1 | AUDIT | Ensure package manager repositories are configured | Get repositories"
+ command: apt-cache policy
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: ubtu20cis_1_2_1_apt_policy
+
+ - name: "MANUAL 1.2.1 | AUDIT | Ensure package manager repositories are configured | Message out repository configs"
+ debug:
+ msg:
+ - "Alert!!!! Below are the apt package repositories"
+ - "Please review to make sure they conform to your sites policies"
+ - "{{ ubtu20cis_1_2_1_apt_policy.stdout_lines }}"
+ when:
+ - ubtu20cis_rule_1_2_1
+ tags:
+ - level1-server
+ - level1-workstation
+ - manual
+ - audit
+ - rule_1.2.1
+ - apt
+
+- name: "MANUAL | 1.2.2 | AUDIT | Ensure GPG keys are configured"
+ block:
+ - name: "MANUAL | 1.2.2 | AUDIT | Ensure GPG keys are configured | Get apt gpg keys"
+ command: apt-key list
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: ubtu20cis_1_2_2_apt_gpgkeys
+
+ - name: "MANUAL | 1.2.2 | AUDIT | Ensure GPG keys are configured | Message out apt gpg keys"
+ debug:
+ msg:
+ - "Alert!!!! Below are the apt gpg kyes configured"
+ - "Please review to make sure they are configured"
+ - "in accordance with site policy"
+ - "{{ ubtu20cis_1_2_2_apt_gpgkeys.stdout_lines }}"
+ when:
+ - ubtu20cis_rule_1_2_2
+ tags:
+ - level1-server
+ - level1-workstation
+ - manual
+ - audit
+ - rule_1.2.2
+ - gpg
+ - keys
diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml
new file mode 100644
index 00000000..dafbaed3
--- /dev/null
+++ b/tasks/section_1/cis_1.3.x.yml
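Review bot: The 1.2.2 debug message has a typo, `kyes` → `keys`, and both tasks prefix every run's output with "Alert!!!!" although nothing has been evaluated yet; an "Info:" prefix keeps genuine alerts elsewhere in the role visible. More importantly, `apt-key list` only reports keys in the legacy `trusted.gpg`/`trusted.gpg.d` keyrings; a repository that pins its keyring with a `signed-by=` option in its sources entry will not show up here, so the listing under-reports what apt actually trusts. A comment on the task makes that visible to whoever reviews the output, e.g. `# apt-key only lists trusted.gpg(.d); signed-by keyrings referenced from sources.list(.d) are not shown`.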
@@ -0,0 +1,35 @@
+---
+- name: "AUTOMATED | 1.3.1 | PATCH | Ensure AIDE is installed"
+ apt:
+ name: ['aide', 'aide-common']
+ state: present
+ when:
+ - ubtu20cis_rule_1_3_1
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_1.3.1
+ - aide
+
+- name: "AUTOMATED | 1.3.2 | PATCH | Ensure filesystem integrity is regularly checked"
+ cron:
+ name: Run AIDE integrity check
+ cron_file: "{{ ubtu20cis_aide_cron['cron_file'] }}"
+ user: "{{ ubtu20cis_aide_cron['cron_user'] }}"
+ minute: "{{ ubtu20cis_aide_cron['aide_minute'] | default('0') }}"
+ hour: "{{ ubtu20cis_aide_cron['aide_hour'] | default('5') }}"
+ day: "{{ ubtu20cis_aide_cron['aide_day'] | default('*') }}"
+ month: "{{ ubtu20cis_aide_cron['aide_month'] | default('*') }}"
+ weekday: "{{ ubtu20cis_aide_cron['aide_weekday'] | default('*') }}"
+ job: "{{ ubtu20cis_aide_cron['aide_job'] }}"
+ when:
+ - ubtu20cis_rule_1_3_2
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_1.3.2
+ - cron
diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml
new file mode 100644
index 00000000..4c261f8f
--- /dev/null
+++ b/tasks/section_1/cis_1.4.x.yml
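Review bot: Nothing in this file initializes the AIDE database after 1.3.1 installs the packages, so unless that happens elsewhere in the role the cron job from 1.3.2 runs against a missing `/var/lib/aide/aide.db` and the integrity check never has a baseline to compare against. A guarded init is three lines after the apt task: `command: aideinit` with `args:` / `creates: /var/lib/aide/aide.db`, so the baseline is taken once and later runs do not silently re-baseline a host that may already have been tampered with. Note also that `aide-common` ships its own `/etc/cron.daily/aide`; if `ubtu20cis_aide_cron['aide_job']` points at the same check you get two daily runs, which deserves a comment or a `cron_file` that replaces the packaged one.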
@@ -0,0 +1,86 @@ +--- +- name: "AUTOMATED | 1.4.1 | PATCH | Ensure permissions on bootloader config are not overridden" + block: + - name: "AUTOMATED | 1.4.1 | PATCH | Ensure permissions on bootloader config are not overridden | Change chmod setting" + replace: + path: /usr/sbin/grub-mkconfig + regexp: 'chmod\s\d\d\d\s\${grub_cfg}.new' + replace: 'chmod 400 ${grub_cfg}.new' + + - name: "AUTOMATED | 1.4.1 | PATCH | Ensure permissions on bootloader config are not overridden | Remove check on password" + lineinfile: + path: /usr/sbin/grub-mkconfig + regexp: 'if \[ \"x\$\{grub_cfg\}\" != "x" \] && ! grep "\^password" \${grub_cfg}.new' + line: if [ "x${grub_cfg}" != "x" ]; then + when: + - ubtu20cis_rule_1_4_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.4.1 + - grub + +# --------------- +# --------------- +# The RHEL7 based control uses a custom module, grub_crypt +# I need to research best way to set grub pw for Ubuntu using the +# grub-mkpasswd-pbkdf2 command and passing the data at the same time. 
+# --------------- +# --------------- +- name: "AUTOMATED | 1.4.2 | PATCH | Ensure bootloader password is set" + command: /bin/true + changed_when: false + failed_when: false + check_mode: false + when: + - ubtu20cis_rule_1_4_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.4.2 + - grub + - notimplemented + +- name: "AUTOMATED | 1.4.3 | PATCH | Ensure permissions on bootloader config are configured" + block: + - name: "AUTOMATED | 1.4.3 | AUDIT | Ensure permissions on bootloader config are configured | Check for Grub file" + stat: + path: /boot/grub/grub.cfg + check_mode: false + register: ubtu20cis_1_4_3_grub_cfg_status + + - name: "AUTOMATED | 1.4.3 | PATCH | Ensure permissions on bootloader config are configured | Set permissions" + file: + path: /boot/grub/grub.cfg + owner: root + group: root + mode: 0400 + when: + - ubtu20cis_1_4_3_grub_cfg_status.stat.exists + when: + - ubtu20cis_rule_1_4_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.4.3 + - grub + +- name: "AUTOMATED | 1.4.4 | PATCH | Ensure authentication required for single user mode" + user: + name: root + password: "{{ ubtu20cis_root_pw }}" + when: + - ubtu20cis_rule_1_4_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.4.4 + - passwd diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml new file mode 100644 index 00000000..2731f3ea --- /dev/null +++ b/tasks/section_1/cis_1.5.x.yml 
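Review bot: The 1.4.4 task sets root's password on every run from `ubtu20cis_root_pw` with no `no_log`, so the hash — or a plaintext value, if the variable is not a crypt hash, since `user.password` writes the string verbatim into `/etc/shadow` — ends up in playbook output and log aggregation; add `no_log: true` and gate the task so it only fires when root's password is locked or empty, which is what the benchmark audit actually checks. 1.4.2 is a `/bin/true` placeholder tagged `automated`/`patch`, so a run filtered on those tags reports the bootloader-password control as handled when it is not; a `debug` warning, as 1.1.19–1.1.21 do, is the honest form until the grub-mkpasswd-pbkdf2 flow is implemented. 1.4.1 patches the package-owned `/usr/sbin/grub-mkconfig`, which the next grub-common upgrade will overwrite; that follows the benchmark remediation, but a comment such as `# edits a dpkg-owned script per CIS 1.4.1; package upgrades revert it, so this must re-run` spares the next reader a debsums surprise.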
@@ -0,0 +1,86 @@ +--- +- name: "MANUAL | 1.5.1 | AUDIT | Ensure XD/NX support is enabled" + block: + - name: "MANUAL | 1.5.1 | AUDIT | Ensure XD/NX support is enabled | Find status of XD/NX" + shell: "journalctl | grep 'protection: active'" + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_1_5_1_xdnx_status + + - name: "MANUAL | 1.5.1 | AUDIT | Ensure XD/NX support is enabled | Alert if XD/NX is not enabled" + debug: + msg: + - "ALERT!!!!You do not have XD/NX (Execute Disable/No Execute) enabled" + - "To conform to CIS standards this needs to be enabled" + when: "'active'not in ubtu20cis_1_5_1_xdnx_status.stdout" + when: + - ubtu20cis_rule_1_5_1 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_1.5.1 + - xd/nx + +- name: "AUTOMATED | 1.5.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled" + block: + - name: "AUTOMATED | 1.5.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set ASLR settings" + lineinfile: + path: /etc/sysctl.conf + regexp: '^kernel.randomize_va_space' + line: 'kernel.randomize_va_space = 2' + + - name: "AUTOMATED | 1.5.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter" + sysctl: + name: kernel.randomize_va_space + value: '2' + when: + - ubtu20cis_rule_1_5_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.5.2 + - aslr + +- name: "AUTOMATED | 1.5.3 | PATCH | Ensure prelink is not installed" + block: + - name: "AUTOMATED | 1.5.3 | PATCH | Ensure prelink is not installed | Restore binaries to normal" + command: prelink -ua + changed_when: false + failed_when: false + + - name: "AUTOMATED | 1.5.3 | PATCH | Ensure prelink is not installed| Remove prelink package" + apt: + name: prelink + state: absent + when: + - ubtu20cis_rule_1_5_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.5.3 + - prelink + +- name: "AUTOMATED | 1.5.4 
| PATCH | Ensure core dumps are restricted" + sysctl: + name: fs.suid_dumpable + value: '0' + state: present + reload: yes + sysctl_set: yes + ignoreerrors: yes + when: + - ubtu20cis_rule_1_5_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.5.4 + - coredump diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml new file mode 100644 index 00000000..376047fa --- /dev/null +++ b/tasks/section_1/cis_1.6.x.yml 
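Review bot: 1.5.4 only sets `fs.suid_dumpable=0`; the benchmark control also requires `* hard core 0` in `/etc/security/limits.conf` (or a `limits.d` drop-in) and, where `systemd-coredump` is installed, `Storage=none` and `ProcessSizeMax=0` in `/etc/systemd/coredump.conf`, none of which this hunk writes, so core dumps remain enabled for ordinary processes. The `ignoreerrors: yes` on that task hides a failed sysctl write (e.g. inside a container), turning a skipped control into a silent pass; prefer `failed_when` tied to `ubtu20cis_system_is_container`. The 1.5.1 condition `'active'not in …` is missing a space; it happens to tokenize, but `"'active' not in ubtu20cis_1_5_1_xdnx_status.stdout"` is what readers and lint expect. The `lineinfile` in 1.5.2 duplicates what the `sysctl` module already persists to `/etc/sysctl.conf`, so one of the two can go.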
@@ -0,0 +1,83 @@ +--- +- name: "AUTOMATED | 1.6.1.1 | PATCH | Ensure AppArmor is installed" + apt: + name: ['apparmor', 'apparmor-utils'] + state: present + when: + - ubtu20cis_rule_1_6_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.6.1.1 + - apparmor + +- name: "AUTOMATED | 1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration" + block: + - name: "AUTOMATED | 1.6.1.2 | AUDIT | Ensure AppArmor is enabled in the bootloader configuration | Get current settings" + shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_1_6_1_2_cmdline_settings + + - name: "AUTOMATED | 1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist" + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX' + line: 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ ubtu20cis_1_6_1_2_cmdline_settings.stdout }}"' + insertafter: '^GRUB_' + when: + - "'apparmor' not in ubtu20cis_1_6_1_2_cmdline_settings.stdout" + - "'security' not in ubtu20cis_1_6_1_2_cmdline_settings.stdout" + notify: grub update + + - name: "AUTOMATED | 1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist | Replace apparmor settings when exists" + replace: + path: /etc/default/grub + regexp: "{{ item.regexp }}" + replace: "{{ item.replace }}" + with_items: + - { regexp: 'apparmor=\S+', replace: 'apparmor=1' } + - { regexp: 'security=\S+', replace: 'security=apparmor' } + when: + - "'apparmor' in ubtu20cis_1_6_1_2_cmdline_settings.stdout" + - "'security' in ubtu20cis_1_6_1_2_cmdline_settings.stdout" + notify: grub update + when: + - ubtu20cis_rule_1_6_1_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.6.1.2 + - apparmor + +- name: "AUTOMATED | 1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in 
enforce or complain mode" + command: aa-enforce /etc/apparmor.d/* + failed_when: false + when: + - ubtu20cis_rule_1_6_1_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.6.1.3 + - apparmor + +- name: "AUTOMATED | 1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing" + command: aa-enforce /etc/apparmor.d/* + failed_when: false + when: + - ubtu20cis_rule_1_6_1_4 + tags: + - level2-server + - level2-workstation + - automated + - scored + - patch + - rule_1.6.1.4 + - apparmor diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml new file mode 100644 index 00000000..ddde1a40 --- /dev/null +++ b/tasks/section_1/cis_1.7.x.yml 
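Review bot: `command: aa-enforce /etc/apparmor.d/*` in 1.6.1.3 and 1.6.1.4 never expands the glob — the `command` module does not go through a shell, so aa-enforce receives the literal string `/etc/apparmor.d/*`, fails, and `failed_when: false` hides the failure, leaving profiles untouched while the play reports the control applied (and always "changed", since no `changed_when` is set). Use `shell: aa-enforce /etc/apparmor.d/*` or loop with `with_fileglob`, replace the blanket `failed_when: false` with `register` plus `changed_when`, and skip the abstractions/tunables/disable/local subdirectories, which are not profiles. In 1.6.1.2, `regexp: '^GRUB_CMDLINE_LINUX'` also matches `GRUB_CMDLINE_LINUX_DEFAULT`; `lineinfile` edits the last match, so which line is rewritten depends on file order — anchor it with `^GRUB_CMDLINE_LINUX=`. The `replace` path also only fires when both `apparmor` and `security` are already present, so a file carrying just `security=apparmor` receives neither fix.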
@@ -0,0 +1,93 @@ +--- +- name: "AUTOMATED | 1.7.1 | PATCH | Ensure message of the day is configured properly" + template: + src: etc/motd.j2 + dest: /etc/motd + when: + - ubtu20cis_rule_1_7_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.7.1 + - motd + +- name: "AUTOMATED | 1.7.2 | PATCH | Ensure local login warning banner is configured properly" + template: + src: etc/issue.j2 + dest: /etc/issue + when: + - ubtu20cis_rule_1_7_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.7.2 + - banner + +- name: "AUTOMATED | 1.7.3 | PATCH | Ensure remote login warning banner is configured properly" + template: + src: etc/issue.net.j2 + dest: /etc/issue.net + when: + - ubtu20cis_rule_1_7_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.7.3 + - banner + +- name: "AUTOMATED | 1.7.4 | PATCH | Ensure permissions on /etc/motd are configured" + file: + path: /etc/motd + owner: root + group: root + mode: 0644 + when: + - ubtu20cis_rule_1_7_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.7.4 + - permissions + - motd + +- name: "AUTOMATED | 1.7.5 | PATCH | Ensure permissions on /etc/issue are configured" + file: + path: /etc/issue + owner: root + group: root + mode: 0644 + when: + - ubtu20cis_rule_1_7_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.7.5 + - permissions + - banner + +- name: "AUTOMATED | 1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured" + file: + path: /etc/issue.net + owner: root + group: root + mode: 0644 + when: + - ubtu20cis_rule_1_7_6 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.7.6 + - permissions + - banner diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml new file mode 100644 index 00000000..b03ebc99 --- /dev/null +++ b/tasks/section_1/cis_1.8.x.yml 
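Review bot: The three `template` tasks in 1.7.1–1.7.3 set no `owner`/`group`/`mode`, so a banner file they create carries whatever the module defaults to until the separate 1.7.4–1.7.6 tasks run; a run limited to the `rule_1.7.1` tag, or a failure in between, leaves it that way. Add `owner: root`, `group: root`, `mode: '0644'` to each template task so every control is self-contained, and quote the mode — unquoted `0644` is a leading-zero octal that Ansible's parser accepts but yamllint flags. The templates themselves are outside this hunk; the benchmark additionally expects `/etc/issue` and `/etc/issue.net` to contain none of the `\m`, `\r`, `\s`, `\v` escapes or OS name/version strings, which is worth a comment on 1.7.2/1.7.3 since nothing here enforces it.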
@@ -0,0 +1,78 @@ +--- +- name: "MANUAL | 1.8.1 | PATCH | Ensure GNOME Display Manager is removed" + apt: + name: gdm3 + state: absent + when: + - ubtu20cis_rule_1_8_1 + - not ubtu20cis_desktop_required + - ubtu20cis_disruption_high + tags: + - level2-server + - manual + - patch + - rule_1.8.1 + - gnome + +- name: "AUTOMATED | 1.8.2 | PATCH | Ensure GDM login banner is configured" + lineinfile: + path: /etc/gdm3/greeter.dconf-defaults + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + create: yes + owner: root + group: root + mode: 0644 + notify: reload gdm + with_items: + - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF } + - { regexp: 'banner-message-enable', line: 'banner-message-enable=true', insertafter: '\[org\/gnome\/login-screen\]'} + - { regexp: 'banner-message-text', line: 'banner-message-text={{ ubtu20cis_warning_banner }}', insertafter: 'banner-message-enable' } + when: + - ubtu20cis_rule_1_8_2 + - ubtu20cis_desktop_required + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.8.2 + - gnome + +- name: "AUTOMATED | 1.8.3 | PATCH | Ensure disable-user-list is enabled" + lineinfile: + path: /etc/gdm3/greeter.dconf-defaul + regexp: '^disable-user-list=' + line: 'disable-user-list=true' + insertafter: 'banner-message-text=' + create: yes + owner: root + group: root + mode: 0644 + notify: reload gdm + when: + - ubtu20cis_rule_1_8_3 + - ubtu20cis_desktop_required + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.8.3 + - gdm3 + +- name: "AUTOMATED | 1.8.4 | PATCH | Ensure XDCMP is not enabled" + lineinfile: + path: /etc/gdm3/custom.conf + regexp: '^Enable.*=.*true' + state: absent + when: + - ubtu20cis_rule_1_8_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.8.4 + - xdcmp 
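Review bot: 1.8.3 writes to `/etc/gdm3/greeter.dconf-defaul` — the filename is missing `ts` — so with `create: yes` it silently creates a stray file and the real `/etc/gdm3/greeter.dconf-defaults` never receives `disable-user-list=true`; fix the path, and since 1.8.2 already edits that file, consider folding the line into its `with_items` list. In 1.8.2, `banner-message-text={{ ubtu20cis_warning_banner }}` is written unquoted, but dconf keyfiles expect a GVariant string literal, so the value must be wrapped in single quotes (`line: "banner-message-text='{{ ubtu20cis_warning_banner }}'"`) and a banner containing a newline or a single quote needs escaping. The 1.8.4 `state: absent` with `'^Enable.*=.*true'` removes any `Enable*=true` key anywhere in `custom.conf`, not only the `[xdmcp]` one — a `[debug]` `Enable=true` would be swallowed too — so tighten the regex to `^Enable\s*=\s*true` and scope it to the xdmcp section. The task title "XDCMP" should read "XDMCP".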
diff --git a/tasks/section_1/cis_1.9.yml b/tasks/section_1/cis_1.9.yml
new file mode 100644
index 00000000..5460d849
--- /dev/null
+++ b/tasks/section_1/cis_1.9.yml
@@ -0,0 +1,14 @@
+---
+- name: "MANUAL | 1.9 | PATCH | Ensure updates, patches, and additional security software are installed"
+ apt:
+ name: "*"
+ state: latest
+ when:
+ - ubtu20cis_rule_1_9
+ tags:
+ - level1-server
+ - level1-workstation
+ - manual
+ - patch
+ - rule_1.9
+ - patch
diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml
new file mode 100644
index 00000000..36ecb9d1
--- /dev/null
+++ b/tasks/section_1/main.yml
@@ -0,0 +1,27 @@
+---
+- name: "SECTION | 1.1 | Disable Unused Filesystems"
+ include: cis_1.1.x.yml
+
+- name: "SECTION | 1.2 | Cofnigure Software Updates"
+ include: cis_1.2.x.yml
+
+- name: "SECTION | 1.3. | Filesystem Integrity Checking"
+ include: cis_1.3.x.yml
+
+- name: "SECTION | 1.4 | Secure Boot Settings"
+ include: cis_1.4.x.yml
+
+- name: "SECTION | 1.5 | Additional Process Hardening"
+ include: cis_1.5.x.yml
+
+- name: "SECTION | 1.6 | Mandatory Access Control"
+ include: cis_1.6.x.yml
+
+- name: "SECTION | 1.7 | Command Line Warning Banners"
+ include: cis_1.7.x.yml
+
+- name: "SECTION | 1.8 | GNOME Display Manager"
+ include: cis_1.8.x.yml
+
+- name: "SECTION | 1.9 | Ensure updates, patches, and additional security software are installed"
+ include: cis_1.9.yml
\ No newline at end of file
diff --git a/tasks/section2.yml b/tasks/section_2/cis_2.1.x.yml
similarity index 51%
rename from tasks/section2.yml
rename to tasks/section_2/cis_2.1.x.yml
index 360144ca..5c752625 100644
--- a/tasks/section2.yml
+++ b/tasks/section_2/cis_2.1.x.yml
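Review bot: 1.9 runs `apt: name: "*" state: latest`, a full upgrade of every installed package, gated only on `ubtu20cis_rule_1_9` — unlike 1.8.1, which also requires `ubtu20cis_disruption_high`. Put the same disruption toggle on this task so an unattended run cannot roll kernels and services on a production host, and add `update_cache: true` (with a `cache_valid_time`) so the upgrade works from a fresh index rather than whatever cache happens to exist. The task is tagged `manual` because the benchmark control is manual; a `debug` listing of `apt list --upgradable` would be the non-disruptive default, with the upgrade itself behind the toggle.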
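Review bot: `include:` is the legacy task include, deprecated in favour of `include_tasks`/`import_tasks` since Ansible 2.4 and removed in newer ansible-core releases; `import_tasks` is the drop-in here and applies the per-rule `tags` inside the section files statically, which is what `--tags rule_1.1.22`-style runs rely on. The section names have a typo (`Cofnigure` → `Configure`) and a stray dot (`1.3.` → `1.3`), and the file ends without a trailing newline, which yamllint's `new-line-at-end-of-file` rule flags. Since these names are what appears in play output, consistent spelling matters for anyone grepping a log for a control.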
@@ -1,51 +1,26 @@ --- -- name: "2.1.1 | PATCH | Ensure xinetd is not installed" - apt: - name: xinetd - state: absent - when: - - ubtu20cis_rule_2_1_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_2.1.1 - - xinetd - -- name: "2.1.2 | PATCH | Ensure openbsd-inetd is not installed" - apt: - name: openbsd-inetd - state: absent - when: - - ubtu20cis_rule_2_1_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_2.1.2 - - openbsd-inetd - -- name: "2.2.1.1 | PATCH | Ensure time synchronization is in use" +- name: "AUTOMATED | 2.1.1.1 | PATCH | Ensure time synchronization is in use" apt: name: "{{ ubtu20cis_time_sync_tool }}" state: present when: - - ubtu20cis_rule_2_2_1_1 + - ubtu20cis_rule_2_1_1_1 tags: - level1-server - level1-workstation + - automated - patch - - rule_2.2.1.1 + - rule_2.1.1.1 - chrony -- name: "2.2.1.2 | PATCH | Ensure systemd-timesyncd is configured" +- name: "AUTOMATED | 2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured" block: - - name: "2.2.1.2 | PATCH | Ensure systemd-timesyncd is configured | Remove ntp and chrony" + - name: "AUTOMATED | 2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured | Remove ntp and chrony" apt: name: ['ntp', 'chrony'] state: absent - - name: "2.2.1.2 | PATCH | Ensure systemd-timesyncd is configured | Set configuration for systemd-timesyncd" + - name: "AUTOMATED | 2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured | Set configuration for systemd-timesyncd" lineinfile: path: /etc/systemd/timesyncd.conf regexp: "{{ item.regexp }}" 
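Review bot: 2.1.1.1 installs whatever `ubtu20cis_time_sync_tool` names and tags the task `chrony` regardless, but nothing in the hunk constrains the variable to `chrony`, `ntp` or `systemd-timesyncd`; a typo or unsupported value installs an arbitrary package and then none of 2.1.1.2–2.1.1.4 configure it, leaving the host without time sync while the rule reports success. Add a guard before the install, e.g. `- assert:` / `    that: ubtu20cis_time_sync_tool in ['chrony', 'ntp', 'systemd-timesyncd']` / `    fail_msg: "ubtu20cis_time_sync_tool must be chrony, ntp or systemd-timesyncd"`, and tag the task `time_sync` rather than `chrony`. The xinetd/openbsd-inetd tasks removed at the top of the hunk are not relocated within it; if they live elsewhere under the v1.1.0 numbering that is fine, otherwise the inetd controls are lost. The 2.1.1.2 block continues past the end of this hunk.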
@@ -57,47 +32,49 @@ - { regexp: '^#FallbackNTP|^FallbackNTP', line: 'FallbackNTP={{ ubtu20cis_ntp_fallback_server_list }}', insertafter: '\[Time\]' } - { regexp: '^#RootDistanceMaxSec|^RootDistanceMaxSec', line: 'RootDistanceMaxSec=1', insertafter: '\[Time\]'} - - name: "2.2.1.2 | PATCH | Ensure systemd-timesyncd is configured | Start and enable the systemd-timesyncd service" + - name: "AUTOMATED | 2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured | Start and enable the systemd-timesyncd service" systemd: name: systemd-timesyncd.service state: started enabled: yes masked: no - - name: "2.2.1.2 | PATCH | Ensure systemd-timesyncd is configured | Set timedatectl to ntp" + - name: "AUTOMATED | 2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured | Set timedatectl to ntp" command: timedatectl set-ntp true when: - - ubtu20cis_rule_2_2_1_2 + - ubtu20cis_rule_2_1_1_2 - ubtu20cis_time_sync_tool == "systemd-timesyncd" tags: - level1-server - level1-workstation + - automated - manual - patch - - rule_2.2.1.2 + - rule_2.1.1.2 - systemd-timesyncd -- name: "2.2.1.3 | PATCH | Ensure chrony is configured" +- name: "AUTOMATED | 2.1.1.3 | PATCH | Ensure chrony is configured" block: - - name: "2.2.1.3 | PATCH | Ensure chrony is configured | Remove ntp" + - name: "AUTOMATED | 2.1.1.3 | PATCH | Ensure chrony is configured | Remove ntp" apt: name: ntp state: absent - - name: "2.2.1.3 | PATCH | Ensure chrony is configured | Disable/Mask systemd-timesyncd" + - name: "AUTOMATED | 2.1.1.3 | PATCH | Ensure chrony is configured | Disable/Mask systemd-timesyncd" systemd: name: systemd-timesyncd state: stopped enabled: no masked: yes - - name: "2.2.1.3 | AUDIT | Ensure chrony is configured | Check for chrony user" + - name: "AUTOMATED | 2.1.1.3 | AUDIT | Ensure chrony is configured | Check for chrony user" shell: grep {{ ubtu20cis_chrony_user }} /etc/passwd changed_when: false failed_when: false - register: ubtu20cis_2_2_1_3_chrony_user_status + check_mode: false + register: 
ubtu20cis_2_1_1_3_chrony_user_status - - name: "2.2.1.3 | PATCH | Ensure chrony is configured | Set chrony.conf file" + - name: "AUTOMATED | 2.1.1.3 | PATCH | Ensure chrony is configured | Set chrony.conf file" template: src: chrony.conf.j2 dest: /etc/chrony/chrony.conf @@ -105,43 +82,44 @@ group: root mode: 0644 - - name: "2.2.1.3 | PATCH | Ensure chrony is configured | Create chrony user" + - name: "AUTOMATED | 2.1.1.3 | PATCH | Ensure chrony is configured | Create chrony user" user: name: "{{ ubtu20cis_chrony_user }}" shell: /usr/sbin/nologin system: true - when: ubtu20cis_2_2_1_3_chrony_user_status.stdout != "" + when: ubtu20cis_2_1_1_3_chrony_user_status.stdout | length > 0 - - name: "2.2.1.3 | PATCH | Ensure chrony is configured | Set option to use chrony user" + - name: "AUTOMATED | 2.2.1.3 | PATCH | Ensure chrony is configured | Set option to use chrony user" lineinfile: path: /etc/default/chrony regexp: '^DAEMON_OPTS' line: 'DAEMON_OPTS="-u _chrony"' when: - - ubtu20cis_rule_2_2_1_3 + - ubtu20cis_rule_2_1_1_3 - ubtu20cis_time_sync_tool == "chrony" tags: - level1-server - level1-workstation + - automated - patch - - rule_2.2.1.3 + - rule_2.1.1.3 - chrony -- name: "2.2.1.4 | PATCH | Ensure ntp is configured" +- name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured" block: - - name: "2.2.1.4 | PATCH | Ensure ntp is configured | Remove chrony" + - name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured | Remove chrony" apt: name: chrony state: absent - - name: "2.2.1.4 | PATCH | Ensure ntp is configured | Disable/Mask systemd-timesyncd" + - name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured | Disable/Mask systemd-timesyncd" systemd: name: systemd-timesyncd state: stopped enabled: no masked: yes - - name: "2.2.1.4 | PATCH | Ensure ntp is configured | Set ntp.conf settings" + - name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured | Set ntp.conf settings" template: src: ntp.conf.j2 dest: /etc/ntp.conf 
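Review bot: The tag list for 2.1.1.2 now carries both `- automated` and `- manual`; the added `automated` line should replace `manual` rather than sit next to it, otherwise a run with `--skip-tags manual` silently drops an automated control. In the 2.1.1.3 block the check `shell: grep {{ ubtu20cis_chrony_user }} /etc/passwd` is a substring match over the whole passwd line (a home directory or GECOS field containing the name also hits), so a non-empty stdout is not a reliable existence test; `getent passwd "{{ ubtu20cis_chrony_user }}"` with its return code is the precise check and also quotes the variable before it reaches the shell. The 2.1.1.3 block continues past this hunk.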
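Review bot: The rewritten condition `when: ubtu20cis_2_1_1_3_chrony_user_status.stdout | length > 0` on "Create chrony user" appears inverted: stdout is non-empty exactly when grep found the account, so the user is created only when it already exists and never when it is missing; the old `!= ""` had the same problem, and `| length == 0` looks like the intended guard. The sub-task `AUTOMATED | 2.2.1.3 | PATCH | Ensure chrony is configured | Set option to use chrony user` kept the old 2.2.1.3 number while its siblings moved to 2.1.1.3. That task also hard-codes `DAEMON_OPTS="-u _chrony"` although the account created above is `{{ ubtu20cis_chrony_user }}`; the two diverge as soon as the variable is overridden.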
@@ -149,7 +127,7 @@ group: root mode: 0644 - - name: "2.2.1.4 | PATCH | Ensure ntp is configured | Modify sysconfig/ntpd" + - name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured | Modify sysconfig/ntpd" lineinfile: path: /etc/sysconfig/ntpd regexp: "{{ item.regexp }}" 
@@ -159,235 +137,249 @@ - { regexp: '^OPTIONS', line: 'OPTIONS="-u ntp:ntp"'} - { regexp: '^NTPD_OPTIONS', line: 'NTPD_OPTIONS="-u ntp:ntp"' } - - name: "2.2.1.4 | PATCH | Ensure ntp is configured | Modify /etc/init.d/npt" + - name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured | Modify /etc/init.d/npt" lineinfile: path: /etc/init.d/ntp regexp: '^RUNAUSER' line: 'RUNAUSER=npt' when: - - ubtu20cis_rule_2_2_1_4 + - ubtu20cis_rule_2_1_1_4 - ubtu20cis_time_sync_tool == "ntp" tags: - level1-server - level1-workstation + - automated - patch - - rule_2.2.1.4 + - rule_2.1.1.4 - ntp -- name: "2.2.2 | PATCH | Ensure X Window System is not installed" +- name: "AUTOMATED | 2.1.2 | PATCH | Ensure X Window System is not installed" apt: name: xserver-xorg* state: absent when: - - ubtu20cis_rule_2_2_2 - - not ubtu20cis_xwindows_required + - ubtu20cis_rule_2_1_2 + - not ubtu20cis_desktop_required tags: - level1-server - + - automated - patch - - rule_2.2.2 + - rule_2.1.2 - xwindows -- name: "2.2.3 | PATCH | Ensure Avahi Server is not installed" +- name: "AUTOMATED | 2.1.3 | PATCH | Ensure Avahi Server is not installed" block: - - name: "2.2.3 | PATCH | Ensure Avahi Server is not installed | Stop/Disable avahi-daemon.service" + - name: "AUTOMATED | 2.1.3 | PATCH | Ensure Avahi Server is not installed | Stop/Disable avahi-daemon.service" service: name: avahi-daemon.service state: stopped enabled: no when: avahi_service_status.stdout == "loaded" - - name: "2.2.3 | PATCH | Ensure Avahi Server is not installed | Stop/Disable avahi-daemon.socket" + - name: "AUTOMATED | 2.1.3 | PATCH | Ensure Avahi Server is not installed | Stop/Disable avahi-daemon.socket" service: name: avahi-daemon.socket state: stopped enabled: no when: avahi_service_status.stdout == "loaded" - - name: "2.2.3 | PATCH | Ensure Avahi Server is not installed | Remove avahi-daemon" + - name: "AUTOMATED | 2.1.3 | PATCH | Ensure Avahi Server is not installed | Remove avahi-daemon" apt: name: avahi-daemon state: 
absent when: - - ubtu20cis_rule_2_2_3 + - ubtu20cis_rule_2_1_3 - not ubtu20cis_avahi_server + - ubtu20cis_disruption_high tags: - level1-server - level1-workstation + - automated - patch - - rule_2.2.3 + - rule_2.1.3 - avahi - services -- name: "2.2.4 | PATCH | Ensure CUPS is not installed" +- name: "AUTOMATED | 2.1.4 | PATCH | Ensure CUPS is not installed" apt: name: cups state: absent when: - - ubtu20cis_rule_2_2_4 + - ubtu20cis_rule_2_1_4 - not ubtu20cis_cups_server tags: - level1-server - level2-workstation + - automated - patch - - rule_2.2.4 + - rule_2.1.4 - cups - services -- name: "2.2.5 | PATCH | Ensure DHCP Server is not installed" +- name: "AUTOMATED | 2.1.5 | PATCH | Ensure DHCP Server is not installed" apt: name: isc-dhcp-server state: absent when: - - ubtu20cis_rule_2_2_5 + - ubtu20cis_rule_2_1_5 - not ubtu20cis_dhcp_server tags: - level1-server - level1-workstation + - automated - patch - - rule_2.2.5 + - rule_2.1.5 - dhcp - services -- name: "2.2.6 | PATCH | Ensure LDAP server is not installed" +- name: "AUTOMATED | 2.1.6 | PATCH | Ensure LDAP server is not installed" apt: name: slapd state: absent when: - - ubtu20cis_rule_2_2_6 + - ubtu20cis_rule_2_1_6 - not ubtu20cis_ldap_server tags: - level1-server - level1-workstation + - automated - patch - - rule_2.2.6 + - rule_2.1.6 - ldap - services -- name: "2.2.7 | PATCH | Ensure NFS is not installed" +- name: "AUTOMATED | 2.1.7 | PATCH | Ensure NFS is not installed" apt: - name: rpcbind + name: nfs-kernel-server state: absent when: - - ubtu20cis_rule_2_2_7 + - ubtu20cis_rule_2_1_7 - not ubtu20cis_nfs_server tags: - level1-server - level1-workstation + - automated - patch - - rule_2.2.7 + - rule_2.1.7 - nfs - rpc - services -- name: "2.2.8 | PATCH | Ensure DNS Server is not installed" +- name: "AUTOMATED | 2.1.8 | PATCH | Ensure DNS Server is not installed" apt: name: bind9 state: absent when: - - ubtu20cis_rule_2_2_8 + - ubtu20cis_rule_2_1_8 - not ubtu20cis_dns_server tags: - level1-server - 
level1-workstation + - automated - patch - - rule_2.2.8 + - rule_2.1.8 - dns - service -- name: "2.2.9 | PATCH | Ensure FTP Server is not installed" +- name: "AUTOMATED | 2.1.9 | PATCH | Ensure FTP Server is not installed" apt: name: vsftpd state: absent when: - - ubtu20cis_rule_2_2_9 + - ubtu20cis_rule_2_1_9 - not ubtu20cis_vsftpd_server tags: - level1-server - level1-workstation + - automated - patch - - rule_2.2.9 + - rule_2.1.9 - ftp - service -- name: "2.2.10 | PATCH | Ensure HTTP server is not installed" +- name: "AUTOMATED | 2.1.10 | PATCH | Ensure HTTP server is not installed" apt: name: apache2 state: absent when: - - ubtu20cis_rule_2_2_10 + - ubtu20cis_rule_2_1_10 - not ubtu20cis_httpd_server tags: - level1-server - level1-workstation + - automated - patch - - rule_2.2.10 + - rule_2.1.10 - httpd - service -- name: "2.2.11 | PATCH | Ensure IMAP and POP3 server are not installed" +- name: "AUTOMATED | 2.1.11 | PATCH | Ensure IMAP and POP3 server are not installed" apt: name: ['dovecot-imapd', 'dovecot-pop3d'] state: absent when: - - ubtu20cis_rule_2_2_11 + - ubtu20cis_rule_2_1_11 - not ubtu20cis_dovecot_server tags: - level1-server - level1-workstation + - automated - patch - - rule_2.2.11 + - rule_2.1.11 - dovecot - service -- name: "2.2.12 | PATCH | Ensure Samba is not installed" +- name: "AUTOMATED | 2.1.12 | PATCH | Ensure Samba is not installed" apt: name: samba state: absent when: - - ubtu20cis_rule_2_2_12 + - ubtu20cis_rule_2_1_12 - not ubtu20cis_smb_server tags: - level1-server - level1-workstation + - automated - patch - - rule_2.2.12 + - rule_2.1.12 - samba - service -- name: "2.2.13 | PATCH | Ensure HTTP Proxy Server is not installed" +- name: "AUTOMATED | 2.1.13 | PATCH | Ensure HTTP Proxy Server is not installed" apt: name: squid state: absent when: - - ubtu20cis_rule_2_2_13 + - ubtu20cis_rule_2_1_13 - not ubtu20cis_squid_server tags: - level1-server - level1-workstation + - automated - patch - - rule_2.2.13 + - rule_2.1.13 - http_proxy - 
service -- name: "2.2.14 | PATCH | Ensure SNMP Server is not installed" +- name: "AUTOMATED | 2.1.14 | PATCH | Ensure SNMP Server is not installed" apt: name: snmpd state: absent when: - - ubtu20cis_rule_2_2_14 + - ubtu20cis_rule_2_1_14 - not ubtu20cis_snmp_server tags: - level1-server - level1-workstation + - automated - patch - - rule_2.2.14 + - rule_2.1.14 - snmp - service -- name: "2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode" +- name: "AUTOMATED | 2.1.15 | PATCH | Ensure mail transfer agent is configured for local-only mode" block: - - name: "2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if exim4 installed" + - name: "AUTOMATED | 2.1.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if exim4 installed" lineinfile: path: /etc/exim4/update-exim4.conf.conf regexp: "{{ item.regexp }}" @@ -407,7 +399,7 @@ notify: restart exim4 when: ubtu20_cis_mail_transfer_agent == "exim4" - - name: "2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if postfix is installed" + - name: "AUTOMATED | 2.1.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if postfix is installed" lineinfile: path: /etc/postfix/main.cf regexp: '^(#)?inet_interfaces' 
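Review bot: 2.1.3 (Avahi) gains `- ubtu20cis_disruption_high` in its `when:` while no other removal in this hunk is gated on it, so on a run where that variable is unset or false the avahi daemon stays installed and running even though the rule is enabled; if the guard is deliberate it should be documented in defaults, otherwise drop it for consistency with the other 2.1.x tasks. 2.1.2 now tests `not ubtu20cis_desktop_required` instead of `ubtu20cis_xwindows_required`; make sure defaults/main.yml defines the new name, since an undefined variable fails the play. 2.1.7 switched its package from rpcbind to nfs-kernel-server but still carries the `- rpc` tag; rpcbind removal now lives under 2.2.6, so the tag belongs there. The 2.1.1.4 block this hunk opens with starts before the hunk.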
@@ -415,152 +407,49 @@ notify: restart postfix when: ubtu20_cis_mail_transfer_agent == "postfix" - - name: "2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Message out other main agents" + - name: "AUTOMATED | 2.1.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Message out other main agents" debug: msg: - "Warning!! You are not using either exim4 or postfix" - "Please review your vendors documentation to configure local-only mode" when: ubtu20_cis_mail_transfer_agent == "other" when: - - ubtu20cis_rule_2_2_15 + - ubtu20cis_rule_2_1_15 tags: - level1-server - level1-workstation + - automated - scored - patch - - rule_2.2.15 + - rule_2.1.15 - postfix -- name: "2.2.16 | PATCH | Ensure rsync service is not installed" +- name: "AUTOMATED | 2.1.16 | PATCH | Ensure rsync service is not installed" apt: name: rsync state: absent when: - - ubtu20cis_rule_2_2_16 + - ubtu20cis_rule_2_1_16 - not ubtu20cis_rsync_server tags: - level1-server - level1-workstation + - automated - patch - - rule_2.2.16 + - rule_2.1.16 - rsync -- name: "2.2.17 | PATCH | Ensure NIS Server is not installed" +- name: "AUTOMATED | 2.1.17 | PATCH | Ensure NIS Server is not installed" apt: name: nis state: absent when: - - ubtu20cis_rule_2_2_17 + - ubtu20cis_rule_2_1_17 - not ubtu20cis_nis_server tags: - level1-server - level1-workstation - - rule_2.2.17 + - automated + - rule_2.1.17 - nis - service - -- name: "2.3.1 | PATCH | Ensure NIS Client is not installed" - apt: - name: nis - state: absent - when: - - ubtu20cis_rule_2_3_1 - - not ubtu20cis_nis_required - tags: - - level1-server - - level1-workstation - - rule_2.3.1 - - nis - -- name: "2.3.2 | PATCH | Ensure rsh client is not installed" - apt: - name: rsh-client - state: absent - when: - - ubtu20cis_rule_2_3_2 - - not ubtu20cis_rsh_required - tags: - - level1-server - - level1-workstation - - patch - - rule_2.3.2 - - rsh - -- name: "2.3.3 | PATCH | Ensure talk client is not installed" - apt: 
- name: talk - state: absent - when: - - ubtu20cis_rule_2_3_3 - - not ubtu20cis_talk_required - tags: - - level1-server - - level1-workstation - - patch - - rule_2.3.3 - - talk - -- name: "2.3.4 | PATCH | Ensure telnet client is not installed" - apt: - name: telnet - state: absent - when: - - ubtu20cis_rule_2_3_4 - - not ubtu20cis_telnet_required - tags: - - level1-server - - level1-workstation - - patch - - rule_2.3.4 - - telnet - -- name: "2.3.5 | PATCH | Ensure LDAP client is not installed" - apt: - name: ldap-utils - state: absent - when: - - ubtu20cis_rule_2_3_5 - - not ubtu20cis_ldap_clients_required - tags: - - level1-server - - level1-workstation - - patch - - rule_2.3.5 - - ldap - -- name: "2.3.6 | PATCH | Ensure RPC is not installed" - apt: - name: rpcbind - state: absent - when: - - ubtu20cis_rule_2_3_6 - - not ubtu20cis_rpc_required - tags: - - level1-server - - level1-workstation - - patch - - rule_2.3.6 - - rpbc - -- name: "2.4 | AUDIT | Ensure nonessential services are removed or masked" - block: - - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Check for services" - shell: lsof -i -P -n | grep -v "(ESTABLISHED)" - changed_when: false - failed_when: false - register: ubtu20cis_2_4_services - - - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Message out running services" - debug: - msg: - - "Warning!! Below are the running services. Please review and remove as well as mask un-needed services" - - "{{ ubtu20cis_2_4_services.stdout_lines }}" - when: - - ubtu20cis_rule_2_4 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_2.4 - - services" diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml new file mode 100644 index 00000000..72851419 --- /dev/null +++ b/tasks/section_2/cis_2.2.x.yml 
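Review bot: 2.1.17 (NIS Server) is the only removal task in this file whose tags lack `- patch`; the commit rewrites that tag list (`- automated`, `- rule_2.1.17`) without adding it, so a run limited with `--tags patch` skips the control. Add `- patch` after `- automated`. 2.1.15 likewise keeps `- scored` next to the new `- automated`; the rest of the commit replaces the scored/not-scored vocabulary with automated/manual, so the old tag looks like a leftover.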
@@ -0,0 +1,88 @@ +--- +- name: "2.2.1 | PATCH | Ensure NIS Client is not installed" + apt: + name: nis + state: absent + when: + - ubtu20cis_rule_2_2_1 + - not ubtu20cis_nis_required + tags: + - level1-server + - level1-workstation + - rule_2.2.1 + - nis + +- name: "AUTOMATED | 2.2.2 | PATCH | Ensure rsh client is not installed" + apt: + name: rsh-client + state: absent + when: + - ubtu20cis_rule_2_2_2 + - not ubtu20cis_rsh_required + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.2.2 + - rsh + +- name: "AUTOMATED | 2.2.3 | PATCH | Ensure talk client is not installed" + apt: + name: talk + state: absent + when: + - ubtu20cis_rule_2_2_3 + - not ubtu20cis_talk_required + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.2.3 + - talk + +- name: "AUTOMATED | 2.2.4 | PATCH | Ensure telnet client is not installed" + apt: + name: telnet + state: absent + when: + - ubtu20cis_rule_2_2_4 + - not ubtu20cis_telnet_required + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.2.4 + - telnet + +- name: "AUTOMATED | 2.2.5 | PATCH | Ensure LDAP client is not installed" + apt: + name: ldap-utils + state: absent + when: + - ubtu20cis_rule_2_2_5 + - not ubtu20cis_ldap_clients_required + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.2.5 + - ldap + +- name: "AUTOMATED | 2.2.6 | PATCH | Ensure RPC is not installed" + apt: + name: rpcbind + state: absent + when: + - ubtu20cis_rule_2_2_6 + - not ubtu20cis_rpc_required + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.2.6 + - rpbc diff --git a/tasks/section_2/cis_2.3.yml b/tasks/section_2/cis_2.3.yml new file mode 100644 index 00000000..7a8d21d3 --- /dev/null +++ b/tasks/section_2/cis_2.3.yml 
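Review bot: 2.2.1 (NIS Client) is the odd one out in this new file: its name lacks the `AUTOMATED |` prefix and its tags have neither `- automated` nor `- patch`, unlike 2.2.2 through 2.2.6, so tag-filtered runs treat it differently from its siblings. 2.2.6 ends with the tag `- rpbc`, presumably a typo for `- rpc` (the tag used for RPC in cis_2.1.x.yml). Note also that 2.1.17 and 2.2.1 both remove the same `nis` package under different switches (`ubtu20cis_nis_server` vs `ubtu20cis_nis_required`); setting only `ubtu20cis_nis_required: true` will not keep the package, which is worth stating next to those variables in defaults.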
@@ -0,0 +1,24 @@ +--- +- name: "MANUAL | 2.3 | AUDIT | Ensure nonessential services are removed or masked" + block: + - name: "MANUAL | 2.3 | AUDIT | Ensure nonessential services are removed or masked | Check for services" + shell: lsof -i -P -n | grep -v "(ESTABLISHED)" + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_2_3_services + + - name: "MANUAL | 2.3 | AUDIT | Ensure nonessential services are removed or masked | Message out running services" + debug: + msg: + - "Warning!! Below are the running services. Please review and remove as well as mask un-needed services" + - "{{ ubtu20cis_2_3_services.stdout_lines }}" + when: + - ubtu20cis_rule_2_3 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_2.3 + - services diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml new file mode 100644 index 00000000..7dedfbe6 --- /dev/null +++ b/tasks/section_2/main.yml @@ -0,0 +1,9 @@ +--- +- name: "SECTION | 2.1 | Special Purpose Services" + include: cis_2.1.x.yml + +- name: "SECTION | 2.2 | Service Clients" + include: cis_2.2.x.yml + +- name: "SECTION | 2.3 | Ensure nonessential services are removed or masked" + include: cis_2.3.yml \ No newline at end of file diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml new file mode 100644 index 00000000..50697bd8 --- /dev/null +++ b/tasks/section_3/cis_3.1.x.yml 
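Review bot: The audit `shell: lsof -i -P -n | grep -v "(ESTABLISHED)"` depends on lsof, which is not guaranteed on a minimal Ubuntu install, and `failed_when: false` masks a missing binary, so the debug step would print an empty list and the host would look clean. The pipeline's return code is grep's, so `rc` cannot distinguish "no listeners" from "lsof not found"; either add `- "{{ ubtu20cis_2_3_services.stderr_lines }}"` to the debug message so the error surfaces, or use `ss -tulpn`, which ships with iproute2 on every Ubuntu image.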
@@ -0,0 +1,70 @@ +--- +- name: "MANUAL | 3.1.1 | PATCH | Disable IPv6" + block: + - name: "MANUAL | 3.1.1 | AUDIT | Disable IPv6 | Get current GRUB_CMDLINE_LINUX settings" + shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_3_1_1_grub_cmdline_linux_settings + + - name: "MANUAL | 3.1.1 | PATCH | Disable IPv6 | Add ipv6.disable if does not exist" + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX' + line: 'GRUB_CMDLINE_LINUX="{{ ubtu20cis_3_1_1_grub_cmdline_linux_settings.stdout }} ipv6.disable=1"' + when: "'ipv6.disable' not in ubtu20cis_3_1_1_grub_cmdline_linux_settings.stdout" + notify: grub update + + - name: "MANUAL | 3.1.1 | PATCH | Disable IPv6 | Set ipv6.disable to 1 if exists" + replace: + path: /etc/default/grub + regexp: 'ipv6\.disable=.' + replace: 'ipv6.disable=1' + when: "'ipv6.disable' in ubtu20cis_3_1_1_grub_cmdline_linux_settings.stdout" + notify: grub update + + - name: "MANUAL | 3.1.1 | PATCH | Disable IPv6 | Remove net.ipv6.conf.all.disable_ipv6" + lineinfile: + path: /etc/sysctl.conf + regexp: '^net.ipv6.conf.all.disable_ipv6.*' + state: absent + when: + - ubtu20cis_rule_3_1_1 + - not ubtu20cis_ipv6_required + tags: + - level2-server + - level2-workstation + - manual + - patch + - rule_3.1.1 + - ipv6 + +- name: "AUTOMATED | 3.1.2 | PATCH | Ensure wireless interfaces are disabled" + block: + - name: "AUTOMATED | 3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool" + shell: dpkg -l | grep network-manager + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_3_1_2_network_manager_status + + - name: "AUTOMATED | 3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed" + command: nmcli radio all off + changed_when: ubtu20cis_3_1_2_nmcli_radio_off.rc == 0 + register: ubtu20cis_3_1_2_nmcli_radio_off + when: 
ubtu20cis_3_1_2_network_manager_status.stdout | length > 0 + + - name: "AUTOMATED | 3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed" + debug: + msg: "ALERT!!!! You need to disable wireless interfaces manually since network-manager is not installed" + when: ubtu20cis_3_1_2_network_manager_status.stdout | length == 0 + when: + - ubtu20cis_rule_3_1_2 + tags: + - level1-server + - level2-workstation + - automated + - patch + - rule_3.1.2 + - wireless diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml new file mode 100644 index 00000000..90c2a20c --- /dev/null +++ b/tasks/section_3/cis_3.2.x.yml 
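Review bot: In 3.1.1 the lineinfile `regexp: '^GRUB_CMDLINE_LINUX'` also matches `GRUB_CMDLINE_LINUX_DEFAULT=`, and lineinfile rewrites the last matching line, so which line receives `ipv6.disable=1` depends on the order of the two keys in /etc/default/grub; anchor it as `regexp: '^GRUB_CMDLINE_LINUX='` to match the grep on the AUDIT step. 3.1.1 is labelled MANUAL and tagged `manual`, yet it rewrites grub and sysctl.conf whenever `ubtu20cis_rule_3_1_1` is true, so the label understates what the task does. In 3.1.2, `dpkg -l | grep network-manager` also matches packages in the `rc` (removed, config remaining) state, in which case `nmcli radio all off` runs without the binary and fails the play; `dpkg -s network-manager` with its return code is the narrower test.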
@@ -0,0 +1,60 @@ +--- +- name: "AUTOMATED | 3.2.1 | PATCH | Ensure packet redirect sending is disabled" + sysctl: + name: "{{ item }}" + value: '0' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_items: + - net.ipv4.conf.all.send_redirects + - net.ipv4.conf.default.send_redirects + notify: sysctl flush ipv4 route table + when: + - ubtu20cis_rule_3_2_1 + - not ubtu20cis_is_router + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_3.2.1 + - packet_redirect + - sysctl + +- name: "AUTOMATED | 3.2.2 | PATCH | Ensure IP forwarding is disabled" + block: + - name: "AUTOMATED | 3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv4 settings" + sysctl: + name: net.ipv4.ip_forward + value: '0' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + notify: + - sysctl flush ipv4 route table + + - name: "AUTOMATED | 3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv6 settings" + sysctl: + name: net.ipv6.conf.all.forwarding + value: '0' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + notify: + - sysctl flush ipv6 route table + when: ubtu20cis_ipv6_required + when: + - ubtu20cis_rule_3_2_2 + - not ubtu20cis_is_router + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_3.2.2 + - ip_forwarding + - sysctl diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml new file mode 100644 index 00000000..b4060c48 --- /dev/null +++ b/tasks/section_3/cis_3.3.x.yml 
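Review bot: The sysctl tasks write `sysctl_set: yes`, `reload: yes` and `ignoreerrors: yes`; the booleans should be `true`/`false` (yes/no is YAML 1.1-only and trips yamllint's truthy rule), and `ignoreerrors` in particular tells the module to ignore unknown-key errors, so a setting that never applied is indistinguishable from a success. Unless there is a known key that is absent on supported kernels, drop `ignoreerrors` and let the failure show. The same pattern is repeated in every task of tasks/section_3/cis_3.3.x.yml in this commit.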
@@ -0,0 +1,233 @@ +--- +- name: "AUTOMATED | 3.3.1 | PATCH | Ensure source routed packets are not accepted" + block: + - name: "AUTOMATED | 3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4 settings" + sysctl: + name: "{{ item }}" + value: '0' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_items: + - net.ipv4.conf.all.accept_source_route + - net.ipv4.conf.default.accept_source_route + notify: sysctl flush ipv4 route table + + - name: "AUTOMATED | 3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 settings" + sysctl: + name: "{{ item }}" + value: '0' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_items: + - net.ipv6.conf.all.accept_source_route + - net.ipv6.conf.default.accept_source_route + notify: sysctl flush ipv6 route table + when: ubtu20cis_ipv6_required + when: + - ubtu20cis_rule_3_3_1 + - not ubtu20cis_is_router + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_3.3.1 + - routed_packets + - sysctl + +- name: "AUTOMATED | 3.3.2 | PATCH | Ensure ICMP redirects are not accepted" + block: + - name: "AUTOMATED | 3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4 settings" + sysctl: + name: "{{ item }}" + value: '0' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_items: + - net.ipv4.conf.all.accept_redirects + - net.ipv4.conf.default.accept_redirects + notify: sysctl flush ipv4 route table + + - name: "AUTOMATED | 3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 settings" + sysctl: + name: "{{ item }}" + value: '0' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_items: + - net.ipv6.conf.all.accept_redirects + - net.ipv6.conf.default.accept_redirects + notify: sysctl flush ipv6 route table + when: ubtu20cis_ipv6_required + when: + - ubtu20cis_rule_3_3_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_3.3.2 + - icmp + - sysctl + 
+- name: "AUTOMATED | 3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" + sysctl: + name: "{{ item }}" + value: '0' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_items: + - net.ipv4.conf.all.secure_redirects + - net.ipv4.conf.default.secure_redirects + notify: sysctl flush ipv4 route table + when: + - ubtu20cis_rule_3_3_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_3.3.3 + - icmp + - sysctl + +- name: "AUTOMATED | 3.3.4 | PATCH | Ensure suspicious packets are logged" + sysctl: + name: "{{ item }}" + value: '1' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_items: + - net.ipv4.conf.all.log_martians + - net.ipv4.conf.default.log_martians + notify: sysctl flush ipv4 route table + when: + - ubtu20cis_rule_3_3_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_3.3.4 + - suspicious_packets + - sysctl + +- name: "AUTOMATED | 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" + sysctl: + name: net.ipv4.icmp_echo_ignore_broadcasts + value: '1' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + notify: sysctl flush ipv4 route table + when: + - ubtu20cis_rule_3_3_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_3.3.5 + - icmp + - sysctl + +- name: "AUTOMATED | 3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" + sysctl: + name: net.ipv4.icmp_ignore_bogus_error_responses + value: '1' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + notify: sysctl flush ipv4 route table + when: + - ubtu20cis_rule_3_3_6 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_3.3.6 + - icmp + - sysctl + +- name: "AUTOMATED | 3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" + sysctl: + name: "{{ item }}" + value: '1' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_items: + - net.ipv4.conf.all.rp_filter + 
- net.ipv4.conf.default.rp_filter + notify: sysctl flush ipv4 route table + when: + - ubtu20cis_rule_3_3_7 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_3.3.7 + - reverse_path_filtering + - sysctl + +- name: "AUTOMATED | 3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" + sysctl: + name: net.ipv4.tcp_syncookies + value: '1' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + notify: sysctl flush ipv4 route table + when: + - ubtu20cis_rule_3_3_8 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_3.3.8 + - tcp_syn_cookies + - sysctl + +- name: "AUTOMATED | 3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" + sysctl: + name: "{{ item }}" + value: '0' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_items: + - net.ipv6.conf.all.accept_ra + - net.ipv6.conf.default.accept_ra + notify: sysctl flush ipv6 route table + when: + - ubtu20cis_rule_3_3_9 + - ubtu20cis_ipv6_required + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_3.3.9 + - ipv6 + - router_advertisements + - sysctl diff --git a/tasks/section_3/cis_3.4.x.yml b/tasks/section_3/cis_3.4.x.yml new file mode 100644 index 00000000..042ee6e9 --- /dev/null +++ b/tasks/section_3/cis_3.4.x.yml 
@@ -0,0 +1,64 @@ +--- +- name: "AUTOMATED | 3.4.1 | PATCH | Ensure DCCP is disabled" + lineinfile: + path: /etc/modprobe.d/dccp.conf + regexp: '^(#)?install dccp(\\s|$)' + line: 'install dccp /bin/true' + create: yes + when: + - ubtu20cis_rule_3_4_1 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_3.4.1 + - dccp + +- name: "AUTOMATED | 3.4.2 | PATCH | Ensure SCTP is disabled" + lineinfile: + path: /etc/modprobe.d/sctp.conf + regexp: "^(#)?install sctp(\\s|$)" + line: 'install sctp /bin/true' + create: yes + when: + - ubtu20cis_rule_3_4_2 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_3.4.2 + - sctp + +- name: "AUTOMATED | 3.4.3 | PATCH | Ensure RDS is disabled" + lineinfile: + path: /etc/modprobe.d/rds.conf + regexp: '^(#)?install rds(\\s|$)' + line: 'install rds /bin/true' + create: yes + when: + - ubtu20cis_rule_3_4_3 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_3.4.3 + - rds + +- name: "AUTOMATED | 3.4.4 | PATCH | Ensure TIPC is disabled" + lineinfile: + path: /etc/modprobe.d/tipc.conf + regexp: '^(#)?install tipc(\\s|$)' + line: install tipc /bin/true + create: yes + when: + - ubtu20cis_rule_3_4_4 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_3.4.4 + - tipc diff --git a/tasks/section3.yml b/tasks/section_3/cis_3.5.x.yml similarity index 53% rename from tasks/section3.yml rename to tasks/section_3/cis_3.5.x.yml index 6f2c66ad..29938427 100644 --- a/tasks/section3.yml +++ b/tasks/section_3/cis_3.5.x.yml 
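Review bot: The regexps in 3.4.1, 3.4.3 and 3.4.4 are single-quoted, so `'^(#)?install dccp(\\s|$)'` reaches the regex engine with two backslashes, i.e. a literal backslash followed by `s`, whereas 3.4.2's double-quoted `"^(#)?install sctp(\\s|$)"` yields `\s`. Once `install dccp /bin/true` has been written the single-quoted pattern no longer matches that line (a space, not `\s`, follows the module name), so each run appends another copy and the task is not idempotent; write all four as `"^(#)?install dccp(\\s|$)"` or single-quoted with one backslash. `line: install tipc /bin/true` in 3.4.4 is the only unquoted `line:` value; quote it like the others.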
@@ -1,413 +1,5 @@ --- -- name: "3.1.1 | PATCH | Disable IPv6" - block: - - name: "3.1.1 | AUDIT | Disable IPv6 | Get currnet GRUB_CMDLINE_LINUX settings" - shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' - changed_when: false - failed_when: false - register: ubtu20cis_3_1_1_grub_cmdline_linux_settings - - - name: "3.1.1 | PATCH | Disable IPv6 | Add ipv6.disable if does not exist" - lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX' - line: 'GRUB_CMDLINE_LINUX="{{ ubtu20cis_3_1_1_grub_cmdline_linux_settings.stdout }} ipv6.disable=1"' - when: "'ipv6.disable' not in ubtu20cis_3_1_1_grub_cmdline_linux_settings.stdout" - notify: grub update - - - name: "3.1.1 | PATCH | Disable IPv6 | Set ipv6.disable to 1 if exists" - replace: - path: /etc/default/grub - regexp: 'ipv6\.disable=.' - replace: 'ipv6.disable=1' - when: "'ipv6.disable' in ubtu20cis_3_1_1_grub_cmdline_linux_settings.stdout" - notify: grub update - - - name: "3.1.1 | PATCH | Disable IPv6 | Remove net.ipv6.conf.all.disable_ipv6" - lineinfile: - path: /etc/sysctl.conf - regexp: '^net.ipv6.conf.all.disable_ipv6.*' - state: absent - when: - - ubtu20cis_rule_3_1_1 - - not ubtu20cis_ipv6_required - tags: - - level2-server - - level2-workstation - - patch - - rule_3.1.1 - - ipv6 - -- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" - block: - - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool" - shell: dpkg -l | grep network-manager - changed_when: false - failed_when: false - register: ubtu20cis_3_1_2_network_manager_status - - - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed" - command: nmcli radio all off - changed_when: ubtu20cis_3_1_2_nmcli_radio_off.rc == 0 - register: ubtu20cis_3_1_2_nmcli_radio_off - when: ubtu20cis_3_1_2_network_manager_status.stdout != "" - - - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless 
if network-manager not installed" - debug: - msg: "ALERT!!!! You need to disable wireless interfaces manually since network-manager is not installed" - when: ubtu20cis_3_1_2_network_manager_status.stdout == "" - when: - - ubtu20cis_rule_3_1_2 - tags: - - level1-server - - level2-workstation - - patch - - rule_3.1.2 - - wireless - -- name: "3.2.1 | PATCH | Ensure packet redirect sending is disabled" - sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - with_items: - - net.ipv4.conf.all.send_redirects - - net.ipv4.conf.default.send_redirects - notify: sysctl flush ipv4 route table - when: - - ubtu20cis_rule_3_2_1 - - not ubtu20cis_is_router - tags: - - level1-server - - level1-workstation - - patch - - rule_3.2.1 - - packet_redirect - - sysctl - -- name: "3.2.2 | PATCH | Ensure IP forwarding is disabled" - block: - - name: "3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv4 settings" - sysctl: - name: net.ipv4.ip_forward - value: '0' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - notify: - - sysctl flush ipv4 route table - - - name: "3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv6 settings" - sysctl: - name: net.ipv6.conf.all.forwarding - value: '0' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - notify: - - sysctl flush ipv6 route table - when: ubtu20cis_ipv6_required - when: - - ubtu20cis_rule_3_2_2 - - not ubtu20cis_is_router - tags: - - level1-server - - level1-workstation - - patch - - rule_3.2.2 - - ip_forwarding - - sysctl - -- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" - block: - - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4 settings" - sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - with_items: - - net.ipv4.conf.all.accept_source_route - - net.ipv4.conf.default.accept_source_route - notify: sysctl flush ipv4 route 
table - - - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 settings" - sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - with_items: - - net.ipv6.conf.all.accept_source_route - - net.ipv6.conf.default.accept_source_route - notify: sysctl flush ipv6 route table - when: ubtu20cis_ipv6_required - when: - - ubtu20cis_rule_3_3_1 - - not ubtu20cis_is_router - tags: - - level1-server - - level1-workstation - - patch - - rule_3.3.1 - - routed_packets - - sysctl - -- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" - block: - - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4 settings" - sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - with_items: - - net.ipv4.conf.all.accept_redirects - - net.ipv4.conf.default.accept_redirects - notify: sysctl flush ipv4 route table - - - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 settings" - sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - with_items: - - net.ipv6.conf.all.accept_redirects - - net.ipv6.conf.default.accept_redirects - notify: sysctl flush ipv6 route table - when: ubtu20cis_ipv6_required - when: - - ubtu20cis_rule_3_3_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.3.2 - - icmp - - sysctl - -- name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" - sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - with_items: - - net.ipv4.conf.all.secure_redirects - - net.ipv4.conf.default.secure_redirects - notify: sysctl flush ipv4 route table - when: - - ubtu20cis_rule_3_3_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.3.3 - - icmp - - sysctl - -- name: "3.3.4 | PATCH | Ensure suspicious packets are logged" - sysctl: - name: "{{ item }}" 
- value: '1' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - with_items: - - net.ipv4.conf.all.log_martians - - net.ipv4.conf.default.log_martians - notify: sysctl flush ipv4 route table - when: - - ubtu20cis_rule_3_3_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.3.4 - - suspicious_packets - - sysctl - -- name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" - sysctl: - name: net.ipv4.icmp_echo_ignore_broadcasts - value: '1' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - notify: sysctl flush ipv4 route table - when: - - ubtu20cis_rule_3_3_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.3.5 - - icmp - - sysctl - -- name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" - sysctl: - name: net.ipv4.icmp_ignore_bogus_error_responses - value: '1' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - notify: sysctl flush ipv4 route table - when: - - ubtu20cis_rule_3_3_6 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.3.6 - - icmp - - sysctl - -- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" - sysctl: - name: "{{ item }}" - value: '1' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - with_items: - - net.ipv4.conf.all.rp_filter - - net.ipv4.conf.default.rp_filter - notify: sysctl flush ipv4 route table - when: - - ubtu20cis_rule_3_3_7 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.3.7 - - reverse_path_filtering - - sysctl - -- name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" - sysctl: - name: net.ipv4.tcp_syncookies - value: '1' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - notify: sysctl flush ipv4 route table - when: - - ubtu20cis_rule_3_3_8 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.3.8 - - tcp_syn_cookies - - sysctl - -- name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not 
accepted" - sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - with_items: - - net.ipv6.conf.all.accept_ra - - net.ipv6.conf.default.accept_ra - notify: sysctl flush ipv6 route table - when: - - ubtu20cis_rule_3_3_9 - - ubtu20cis_ipv6_required - tags: - - level1-server - - level1-workstation - - patch - - rule_3.3.9 - - ipv6 - - router_advertisements - - sysctl - -- name: "3.4.1 | PATCH | Ensure DCCP is disabled" - lineinfile: - path: /etc/modprobe.d/dccp.conf - regexp: '^(#)?install dccp(\\s|$)' - line: 'install dccp /bin/true' - create: yes - when: - - ubtu20cis_rule_3_4_1 - tags: - - level2-server - - level2-workstation - - patch - - rule_3.4.1 - - DCCP - -- name: "3.4.2 | PATCH | Ensure SCTP is disabled" - lineinfile: - path: /etc/modprobe.d/sctp.conf - regexp: "^(#)?install sctp(\\s|$)" - line: 'install sctp /bin/true' - create: yes - when: - - ubtu20cis_rule_3_4_2 - tags: - - level2-server - - level2-workstation - - patch - - rule_3.4.2 - - sctp - -- name: "3.4.3 | PATCH | Ensure RDS is disabled" - lineinfile: - path: /etc/modprobe.d/rds.conf - regexp: '^(#)?install rds(\\s|$)' - line: 'install rds /bin/true' - create: yes - when: - - ubtu20cis_rule_3_4_3 - tags: - - level2-server - - level2-workstation - - patch - - rule_3.4.3 - - rds - -- name: "3.4.4 | PATCH | Ensure TIPC is disabled" - lineinfile: - path: /etc/modprobe.d/tipc.conf - regexp: '^(#)?install tipc(\\s|$)' - line: install tipc /bin/true - create: yes - when: - - ubtu20cis_rule_3_4_4 - tags: - - level2-server - - level2-workstation - - patch - - rule_3.4.4 - - tipc - -- name: "3.5.1.1 | PATCH | Ensure Uncomplicated Firewall is installed" +- name: "AUTOMATED | 3.5.1.1 | PATCH | Ensure ufw is installed" apt: name: ufw state: present 
@@ -417,12 +9,13 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.5.1.1 - apt - ufw -- name: "3.5.1.2 | PATCH | Ensure iptables-persistent is not installed" +- name: "AUTOMATED | 3.5.1.2 | PATCH | Ensure iptables-persistent is not installed with ufw" apt: name: iptables-persistent state: absent @@ -432,12 +25,13 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.5.1.2 - ufw # Adding the allow OpenSSH rule while enabling ufw to allow ansible to run after enabling -- name: "3.5.1.3 | PATCH | Ensure ufw service is enabled" +- name: "AUTOMATED | 3.5.1.3 | PATCH | Ensure ufw service is enabled" ufw: rule: allow name: OpenSSH @@ -448,34 +42,35 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.5.1.3 - ufw -- name: "3.5.1.4 | PATCH | Ensure loopback traffic is configured" +- name: "AUTOMATED | 3.5.1.4 | PATCH | Ensure loopback traffic is configured" block: - - name: "3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set allow in ufw rules" + - name: "AUTOMATED | 3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set allow in ufw rules" ufw: rule: allow direction: in interface: lo notify: reload ufw - - name: "3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set allow out ufw rules" + - name: "AUTOMATED | 3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set allow out ufw rules" ufw: rule: allow direction: out interface: lo notify: reload ufw - - name: "3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set deny ufw rules IPv4" + - name: "AUTOMATED | 3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set deny ufw rules IPv4" ufw: rule: deny direction: in from_ip: 127.0.0.0/8 notify: reload ufw - - name: "3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set deny ufw rules IPv6" + - name: "AUTOMATED | 3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set deny ufw rules IPv6" ufw: rule: deny direction: in 
@@ -488,13 +83,14 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.5.1.4 - ufw -- name: "3.5.1.5 | PATCH | Ensure outbound connections are configured" +- name: "MANUAL | 3.5.1.5 | PATCH | Ensure ufw outbound connections are configured" block: - - name: "3.5.1.5 | PATCH | Ensure outbound connections are configured | Custom ports" + - name: "MANUAL | 3.5.1.5 | PATCH | Ensure ufw outbound connections are configured | Custom ports" ufw: rule: allow direction: out @@ -504,7 +100,7 @@ notify: reload ufw when: ubtu20cis_ufw_allow_out_ports != "all" - - name: "3.5.1.5 | PATCH | Ensure outbound connections are configured | Allow all" + - name: "MANUAL | 3.5.1.5 | PATCH | Ensure ufw outbound connections are configured | Allow all" ufw: rule: allow direction: out @@ -522,21 +118,23 @@ - rule_3.5.1.5 - ufw -- name: "3.5.1.6 | AUDIT | Ensure firewall rules exist for all open ports" +- name: "MANUAL | 3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports" block: - - name: "3.5.1.6 | AUDIT | Ensure firewall rules exist for all open ports | Get list of open ports" + - name: "MANUAL | 3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of open ports" command: ss -4tuln changed_when: false failed_when: false + check_mode: false register: ubtu20cis_3_5_1_6_open_listen_ports - - name: "3.5.1.6 | AUDIT | Ensure firewall rules exist for all open ports | Get list of firewall rules" + - name: "MANUAL | 3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of firewall rules" command: ufw status changed_when: false failed_when: false + check_mode: false register: ubtu20cis_3_5_1_6_firewall_rules - - name: "3.5.1.6 | AUDIT | Ensure firewall rules exist for all open ports | Message out settings" + - name: "MANUAL | 3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Message out settings" debug: msg: - "ALERT!!!!Below are the listening ports and firewall rules" 
@@ -556,7 +154,7 @@ - rule_3.5.1.6 - ufw -- name: "3.5.1.7 | PATCH | Ensure default deny firewall policy" +- name: "AUTOMATED | 3.5.1.7 | PATCH | Ensure ufw default deny firewall policy" ufw: default: deny direction: "{{ item }}" @@ -571,6 +169,7 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.5.1.7 - ufw @@ -580,7 +179,7 @@ # NFTables is unsupported with this role. However I have the actions commented out as a guide # --------------- # --------------- -- name: "3.5.2.1 | AUDIT | Ensure nftables is installed" +- name: "AUTOMATED | 3.5.2.1 | AUDIT | Ensure nftables is installed" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" # apt: @@ -592,11 +191,12 @@ tags: - level1-server - level1-workstation + - automated - audit - rule_3.5.2.1 - nftables -- name: "3.5.2.2 | AUDIT | Ensure Uncomplicated Firewall is not installed or disabled" +- name: "AUTOMATED | 3.5.2.2 | AUDIT | Ensure ufw is uninstalled or disabled with nftables" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" # apt: @@ -608,11 +208,12 @@ tags: - level1-server - level1-workstation + - automated - audit - rule_3.5.2.2 - nftables -- name: "3.5.2.3 | AUDIT | Ensure iptables are flushed" +- name: "MANUAL | 3.5.2.3 | AUDIT | Ensure iptables are flushed with nftables" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" # iptables: 
@@ -628,12 +229,13 @@ - rule_3.5.2.3 - nftables -- name: "3.5.2.4 | AUDIT | Ensure a table exists" +- name: "AUTOMATED | 3.5.2.4 | AUDIT | Ensure a nftables table exists" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" # command: "nft create table {{ ubtu20cis_nftables_table_name }}" # changed_when: ubtu20cis_3_5_2_4_new_table.rc == 0 # failed_when: false + # check_mode: false # register: ubtu20cis_3_5_2_4_new_table when: - ubtu20cis_rule_3_5_2_4 
@@ -641,27 +243,28 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.5.2.4 - nftables -- name: "3.5.2.5 | AUDIT | Ensure base chains exist" +- name: "AUTOMATED | 3.5.2.5 | AUDIT | Ensure nftables base chains exist" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" # block: - # - name: "3.5.2.5 | PATCH | Ensure base chains exist | Input entry" + # - name: "AUTOMATED | 3.5.2.5 | PATCH | Ensure nftables base chains exist | Input entry" # shell: 'nft create chain {{ ubtu20cis_nftables_table_name }} input { type filter hook input priority 0 \; }' # changed_when: ubtu20cis_3_5_2_5_base_chains_input.rc == 0 # failed_when: false # register: ubtu20cis_3_5_2_5_base_chains_input - # - name: "3.5.2.5 | PATCH | Ensure base chains exist | Forward entry" + # - name: "AUTOMATED | 3.5.2.5 | PATCH | Ensure nftables base chains exist | Forward entry" # shell: 'nft create chain {{ ubtu20cis_nftables_table_name }} forward { type filter hook forward priority 0 \; }' # changed_when: ubtu20cis_3_5_2_5_base_chains_forward.rc == 0 # failed_when: false # register: ubtu20cis_3_5_2_5_base_chains_forward - # - name: "3.5.2.5 | PATCH | Ensure base chains exist | Output entry" + # - name: "AUTOMATED | 3.5.2.5 | PATCH | Ensure nftables base chains exist | Output entry" # shell: 'nft create chain {{ ubtu20cis_nftables_table_name }} output { type filter hook output priority 0 \; }' # changed_when: ubtu20cis_3_5_2_5_base_chains_output.rc == 0 # failed_when: false 
@@ -672,40 +275,44 @@ tags: - level1-server - level1-workstation + - automated - audit - rule_3.5.2.5 - nftables -- name: "3.5.2.6 | AUDIT | Ensure loopback traffic is configured" +- name: "AUTOMATED | 3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" # block: - # - name: "3.5.2.6 | AUDIT | Ensure loopback traffic is configured | Get input iif lo accept status" + # - name: "AUTOMATED | 3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Get input iif lo accept status" # shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' # changed_when: false # failed_when: false + # check_mode: false # register: ubtu20cis_3_5_2_6_loopback_iif_status - # - name: "3.5.2.6 | AUDIT | Ensure loopback traffic is configured | Get input iif lo accept status" + # - name: "AUTOMATED | 3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Get input iif lo accept status" # shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' # changed_when: false # failed_when: false + # check_mode: false # register: ubtu20cis_3_5_2_6_loopback_input_drop_status - # - name: "3.5.2.6 | AUDIT | Ensure loopback traffic is configured | Get input iif lo accept status" + # - name: "AUTOMATED | 3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Get input iif lo accept status" # shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' # changed_when: false # failed_when: false + # check_mode: false # register: ubtu20cis_3_5_2_6_loopback_ipv6_drop_status - # - name: "3.5.2.6 | PATCH | Ensure loopback traffic is configured | Loopback iif lo accept" + # - name: "AUTOMATED | 3.5.2.6 | PATCH | Ensure nftables loopback traffic is configured | Loopback iif lo accept" # command: 'nft add rule inet {{ ubtu20cis_nftables_table_name }} input iif lo accept' # changed_when: ubtu20cis_3_5_2_6_loopback_iif.rc == 
0 # failed_when: false # register: ubtu20cis_3_5_2_6_loopback_iif # when: "'iif \"lo\" accept' not in ubtu20cis_3_5_2_6_loopback_iif_status.stdout" - # - name: "3.5.2.6 | PATCH | Ensure loopback traffic is configured | Loopback input drop" + # - name: "AUTOMATED | 3.5.2.6 | PATCH | Ensure nftables loopback traffic is configured | Loopback input drop" # command: 'nft add rule inet {{ ubtu20cis_nftables_table_name }} input ip saddr 127\.0\.0\.0\/8 counter drop' # changed_when: ubtu20cis_3_5_2_6_loopback_input_drop.rc == 0 # failed_when: false @@ -714,7 +321,7 @@ # - "'ip saddr 127.0.0.0/8' not in ubtu18cis_3_5_3_4_loopback_input_drop_status.stdout" # - "'drop' not in ubtu20cis_3_5_2_6_loopback_input_drop_status.stdout" - # - name: "3.5.2.6 | PATCH | Ensure loopback traffic is configured | Loopback ipv6 drop" + # - name: "3AUTOMATED | .5.2.6 | PATCH | Ensure nftables loopback traffic is configured | Loopback ipv6 drop" # command: 'nft add rule inet {{ ubtu20cis_nftables_table_name }} input ip6 saddr ::1 counter drop' # changed_when: ubtu20cis_3_5_2_6_loopback_ipv6_drop.rc == 0 # failed_when: false @@ -728,11 +335,12 @@ tags: - level1-server - level1-workstation + - automated - audit - rule_3.5.2.6 - nftables -- name: "3.5.2.7 | AUDIT | Ensure outbound and established connections are configured" +- name: "MANUAL | 3.5.2.7 | AUDIT | Ensure nftables outbound and established connections are configured" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" when: @@ -746,7 +354,7 @@ - rule_3.5.2.7 - nftables -- name: "3.5.2.8 | AUDIT | Ensure default deny firewall policy" +- name: "AUTOMATED | 3.5.2.8 | AUDIT | Ensure nftables default deny firewall policy" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" when: 
@@ -755,11 +363,12 @@ tags: - level1-server - level1-workstation + - automated - audit - rule_3.5.2.8 - nftables -- name: "3.5.2.9 | AUDIT | Ensure nftables service is enabled" +- name: "AUTOMATED | 3.5.2.9 | AUDIT | Ensure nftables service is enabled" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" # service: @@ -772,11 +381,12 @@ tags: - level1-server - level1-workstation + - automated - audit - rule_3.5.2.9 - nftables -- name: "3.5.2.10 | AUDIT | Ensure nftables rules are permanent" +- name: "AUTOMATED | 3.5.2.10 | AUDIT | Ensure nftables rules are permanent" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" when: @@ -785,11 +395,12 @@ tags: - level1-server - level1-workstation + - automated - audit - rule_3.5.2.10 - nftables -- name: "3.5.3.1.1 | PATCH | Ensure iptables packages are installed" +- name: "AUTOMATED | 3.5.3.1.1 | PATCH | Ensure iptables packages are installed" apt: name: ['iptables', 'iptables-persistent'] state: present @@ -799,11 +410,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.5.3.1.1 - iptables -- name: "3.5.3.1.2 | PATCH | Ensure nftables is not installed" +- name: "AUTOMATED | 3.5.3.1.2 | PATCH | Ensure nftables is not installed with iptables" apt: name: nftables state: absent @@ -813,11 +425,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.5.3.1.2 - iptables -- name: "3.5.3.1.3 | PATCH | Ensure Uncomplicated Firewall is not installed or disabled" +- name: "AUTOMATED | 3.5.3.1.3 | PATCH | Ensure ufw is uninstalled or disabled with iptables" apt: name: ufw state: absent 
@@ -827,93 +440,46 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.5.3.1.3 - iptables -# --------- -# --------- -# Unsuer about the _v6 when being there, revisit and confirm if it's needed for all ipv4 iptables tasks -# --------- -# --------- -- name: "3.5.3.2.1 | PATCH | Ensure default deny firewall policy" +- name: "AUTOMATED | 3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured" block: - - name: "3.5.3.2.1 | PATCH | Ensure default deny firewall policy | Configure SSH to be allowed in" - iptables: - chain: INPUT - protocol: tcp - destination_port: 22 - jump: ACCEPT - ctstate: 'NEW,ESTABLISHED' - - - name: "3.5.3.2.1 | PATCH | Ensure default deny firewall policy | Configure SSH to be allowed out" - iptables: - chain: OUTPUT - protocol: tcp - source_port: 22 - jump: ACCEPT - ctstate: 'NEW,ESTABLISHED' - - - name: "3.5.3.2.1 | PATCH | Ensure default deny firewall policy | Enable apt traffic" - iptables: - chain: INPUT - ctstate: 'ESTABLISHED' - jump: ACCEPT - - - name: "3.5.3.2.1 | PATCH | Ensure default deny firewall policy | Set drop items" - iptables: - policy: DROP - chain: "{{ item }}" - with_items: - - INPUT - - FORWARD - - OUTPUT - when: - - ubtu20cis_rule_3_5_3_2_1 - - ubtu20cis_firewall_package == "iptables" - - ubtu20cis_ipv4_required - - not system_is_ec2 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.5.3.2.1 - - iptables - -- name: "3.5.3.2.2 | PATCH | Ensure loopback traffic is configured" - block: - - name: "3.5.3.2.2 | PATCH | Ensure loopback traffic is configured | INPUT loopback ACCEPT" + - name: "AUTOMATED | 3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT" iptables: action: append chain: INPUT in_interface: lo jump: ACCEPT - - name: "3.5.3.2.2 | PATCH | Ensure loopback traffic is configured | OUTPUT loopback ACCEPT" + - name: "AUTOMATED | 3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" iptables: 
action: append chain: OUTPUT out_interface: lo jump: ACCEPT - - name: "3.5.3.2.2 | PATCH | Ensure loopback traffic is configured | OUTPUT loopback ACCEPT" + - name: "AUTOMATED | 3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" iptables: action: append chain: INPUT source: 127.0.0.0/8 jump: DROP when: - - ubtu20cis_rule_3_5_3_2_2 + - ubtu20cis_rule_3_5_3_2_1 - ubtu20cis_firewall_package == "iptables" - ubtu20cis_ipv4_required tags: - level1-server - level1-workstation + - automated - patch - - rule_3.5.3.2.2 + - rule_3.5.3.2.1 - iptables -- name: "3.5.3.2.3 | PATCH | Ensure outbound and established connections are configured" +- name: "MANUAL | 3.5.3.2.2 | PATCH | Ensure iptables outbound and established connections are configured" iptables: action: append chain: '{{ item.chain }}' @@ -929,7 +495,7 @@ - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } when: - - ubtu20cis_rule_3_5_3_2_3 + - ubtu20cis_rule_3_5_3_2_2 - ubtu20cis_firewall_package == "iptables" - ubtu20cis_ipv4_required tags: 
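Review bot: The third sub-task of 3.5.3.2.1 is named `OUTPUT loopback ACCEPT` but what it appends is an INPUT rule that drops `127.0.0.0/8`; the name was copied from the sub-task above it. Rename it `| INPUT loopback DROP` so the log output reflects the rule being added, matching the ip6tables sibling which is already labelled `INPUT loopback drop`. Note also that all three sub-tasks use `action: append`, so the ordering CIS relies on (lo ACCEPT before the 127/8 DROP) only holds relative to each other, not to rules already present in INPUT; a comment stating that the chain is assumed to start empty would help operators running this on a host with existing rules.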
@@ -937,24 +503,72 @@ - level1-workstation - manual - patch + - rule_3.5.3.2.2 + - iptables + +- name: "AUTOMATED | 3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy" + block: + - name: "AUTOMATED | 3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed in" + iptables: + chain: INPUT + protocol: tcp + destination_port: 22 + jump: ACCEPT + ctstate: 'NEW,ESTABLISHED' + + - name: "AUTOMATED | 3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed out" + iptables: + chain: OUTPUT + protocol: tcp + source_port: 22 + jump: ACCEPT + ctstate: 'NEW,ESTABLISHED' + + - name: "AUTOMATED | 3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy | Enable apt traffic" + iptables: + chain: INPUT + ctstate: 'ESTABLISHED' + jump: ACCEPT + + - name: "AUTOMATED | 3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy | Set drop items" + iptables: + policy: DROP + chain: "{{ item }}" + with_items: + - INPUT + - FORWARD + - OUTPUT + when: + - ubtu20cis_rule_3_5_3_2_3 + - ubtu20cis_firewall_package == "iptables" + - ubtu20cis_ipv4_required + - not system_is_ec2 + tags: + - level1-server + - level1-workstation + - automated + - patch - rule_3.5.3.2.3 - iptables -- name: "3.5.3.2.4 | AUDIT | Ensure firewall rules exist for all open ports" + +- name: "AUTOMATED | 3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports" block: - - name: "3.5.3.2.4 | AUDIT | Ensure firewall rules exist for all open ports | Get list of open ports" + - name: "AUTOMATED | 3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports" command: ss -4tuln changed_when: false failed_when: false + check_mode: false register: ubtu20cis_3_5_3_2_4_open_ports - - name: "3.5.3.2.4 | AUDIT | Ensure firewall rules exist for all open ports | Get list of rules" + - name: "AUTOMATED | 3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open 
ports | Get list of rules" command: iptables -L INPUT -v -n changed_when: false failed_when: false + check_mode: false register: ubtu20cis_3_5_3_2_4_current_rules - - name: "3.5.3.2.4 | AUDIT | Ensure firewall rules exist for all open ports | Alert about settings" + - name: "AUTOMATED | 3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Alert about settings" debug: msg: - "ALERT!!!!Below is the list the open ports and current rules" @@ -970,6 +584,7 @@ tags: - level1-server - level1-workstation + - automated - audit - rule_3.5.3.2.4 - iptables 
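Review bot: The default-deny block in 3.5.3.2.3 hard-codes the SSH port (`destination_port: 22` in the INPUT accept, `source_port: 22` in the OUTPUT accept) immediately before the last sub-task sets all three chain policies to DROP; if sshd has been moved to another port the Ansible control session is the first thing cut off. Drive the port from a role variable with a default of 22 rather than the literal, and tighten the OUTPUT rule to `ctstate: 'ESTABLISHED'` since sshd never needs to originate NEW connections from its own listening port. Also note that with OUTPUT policy DROP the only outbound allowances come from 3.5.3.2.2, which is tagged `manual` and has its own toggle, so a host with that rule disabled loses DNS and apt even though the sub-task here is named "Enable apt traffic" (it only accepts inbound ESTABLISHED); a comment on the block recording that dependency would save someone a lockout.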
@@ -995,55 +610,15 @@ register: ubtu20cis_iptables_save when: - ubtu20cis_firewall_package == "iptables" - # - not ubtu18cis_iptables_v6 - ubtu20cis_save_iptables_cis_rules - ubtu20cis_rule_3_5_3_2_1 or ubtu20cis_rule_3_5_3_2_2 or ubtu20cis_rule_3_5_3_2_3 or ubtu20cis_rule_3_5_3_2_4 -- name: "3.5.3.3.1 | PATCH | Ensure IPv6 default deny firewall policy" - block: - - name: "3.5.3.3.1 | PATCH | Ensure IPv6 default deny firewall policy | Configure SSH to be allowed out" - iptables: - chain: OUTPUT - protocol: tcp - source_port: 22 - jump: ACCEPT - ctstate: 'NEW,ESTABLISHED' - ip_version: ipv6 - - - name: "3.5.3.3.1 | PATCH | Ensure IPv6 default deny firewall policy | Enable apt traffic" - iptables: - chain: INPUT - ctstate: 'ESTABLISHED' - jump: ACCEPT - ip_version: ipv6 - - - name: "3.5.3.3.1 | PATCH | Ensure IPv6 default deny firewall policy | Set drop items" - iptables: - policy: DROP - chain: "{{ item }}" - ip_version: ipv6 - with_items: - - INPUT - - FORWARD - - OUTPUT - when: - - ubtu20cis_rule_3_5_3_3_1 - - ubtu20cis_firewall_package == "iptables" - - ubtu20cis_ipv6_required - - not ubtu20cis_ipv4_required - tags: - - level1-server - - level1-workstation - - patch - - rule_3.5.3.3.1 - - ip6tables - -- name: "3.5.3.3.2 | PATCH | Ensure IPv6 loopback traffic is configured" +- name: "AUTOMATED | 3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured" block: - - name: "3.5.3.3.2 | PATCH | Ensure IPv6 loopback traffic is configured | INPUT loopback ACCEPT" + - name: "AUTOMATED | 3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback ACCEPT" iptables: action: append chain: INPUT @@ -1051,7 +626,7 @@ jump: ACCEPT ip_version: ipv6 - - name: "3.5.3.3.2 | PATCH | Ensure IPv6 loopback traffic is configured | OUTPUT loopback ACCEPT" + - name: "AUTOMATED | 3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT loopback ACCEPT" iptables: action: append chain: OUTPUT 
@@ -1059,7 +634,7 @@ jump: ACCEPT ip_version: ipv6 - - name: "3.5.3.3.2 | PATCH | Ensure IPv6 loopback traffic is configured | INPUT loopback drop" + - name: "AUTOMATED | 3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback drop" iptables: action: append chain: INPUT @@ -1067,18 +642,19 @@ jump: DROP ip_version: ipv6 when: - - ubtu20cis_rule_3_5_3_3_2 + - ubtu20cis_rule_3_5_3_3_1 - ubtu20cis_firewall_package == "iptables" - ubtu20cis_ipv6_required - not ubtu20cis_ipv4_required tags: - level1-server - level1-workstation + - automated - patch - - rule_3.5.3.3.2 + - rule_3.5.3.3.1 - ip6tables -- name: "3.5.3.3.3 | PATCH | Ensure IPv6 outbound and established connections are configured" +- name: "MANUAL | 3.5.3.3.2 | PATCH | Ensure ip6tables outbound and established connections are configured" iptables: action: append chain: '{{ item.chain }}' @@ -1095,7 +671,7 @@ - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } when: - - ubtu20cis_rule_3_5_3_3_3 + - ubtu20cis_rule_3_5_3_3_2 - ubtu20cis_firewall_package == "iptables" - ubtu20cis_ipv6_required - not ubtu20cis_ipv4_required 
@@ -1104,24 +680,66 @@ - level1-workstation - manual - patch + - rule_3.5.3.3.2 + - ip6tables + +- name: "AUTOMATED | 3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy" + block: + - name: "3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out" + iptables: + chain: OUTPUT + protocol: tcp + source_port: 22 + jump: ACCEPT + ctstate: 'NEW,ESTABLISHED' + ip_version: ipv6 + + - name: "AUTOMATED | 3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy | Enable apt traffic" + iptables: + chain: INPUT + ctstate: 'ESTABLISHED' + jump: ACCEPT + ip_version: ipv6 + + - name: "AUTOMATED | 3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" + iptables: + policy: DROP + chain: "{{ item }}" + ip_version: ipv6 + with_items: + - INPUT + - FORWARD + - OUTPUT + when: + - ubtu20cis_rule_3_5_3_3_3 + - ubtu20cis_firewall_package == "iptables" + - ubtu20cis_ipv6_required + - not ubtu20cis_ipv4_required + tags: + - level1-server + - level1-workstation + - automated + - patch - rule_3.5.3.3.3 - ip6tables -- name: "3.5.3.3.4 | AUDIT | Ensure IPv6 firewall rules exist for all open ports" +- name: "AUTOMATED | 3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports" block: - - name: "3.5.3.3.4 | AUDIT | Ensure IPv6 firewall rules exist for all open ports | Get list of open ports" + - name: "AUTOMATED | 3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports" command: ss -6tuln changed_when: false failed_when: false + check_mode: false register: ubtu20cis_3_5_3_3_4_open_ports - - name: "3.5.3.3.4 | AUDIT | Ensure IPv6 firewall rules exist for all open ports | Get list of rules" + - name: "AUTOMATED | 3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules" command: ip6tables -L INPUT -v -n changed_when: false failed_when: false + check_mode: false register: 
ubtu20cis_3_5_3_3_4_current_rules - - name: "3.5.3.3.4 | AUDIT | Ensure IPv6 firewall rules exist for all open ports | Alert about settings" + - name: "AUTOMATED | 3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Alert about settings" debug: msg: - "ALERT!!!!Below is the list the open ports and current rules" @@ -1138,9 +756,9 @@ tags: - level1-server - level1-workstation - - notscored + - automated - audit - - rule_3.5.4.2.3 + - rule_3.5.3.3.4 - ip6tables # --------------- diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml new file mode 100644 index 00000000..20a166d6 --- /dev/null +++ b/tasks/section_3/main.yml @@ -0,0 +1,15 @@ +--- +- name: "SECTION | 3.1 | Disable unused network protocols and devices" + include: cis_3.1.x.yml + +- name: "SECTION | 3.2 | Network Parameters Host Only" + include: cis_3.2.x.yml + +- name: "SECTION | 3.3 | Network Parameters Host and Router" + include: cis_3.3.x.yml + +- name: "SECTION | 3.4 | Uncommon Network Protocols" + include: cis_3.4.x.yml + +- name: "SECTION | 3.5 | Firewall Configuration" + include: cis_3.5.x.yml \ No newline at end of file diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml new file mode 100644 index 00000000..3e743ebc --- /dev/null +++ b/tasks/section_4/cis_4.1.1.x.yml 
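Review bot: The first sub-task of the new 3.5.3.3.3 block is named `"3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out"` without the `AUTOMATED |` prefix that the parent task and its two sibling sub-tasks carry; `- name: "AUTOMATED | 3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out"` keeps the naming uniform for tag and log filtering. Separately, once the "Set drop items" task sets the INPUT policy to DROP, inbound IPv6 traffic is only accepted as ESTABLISHED, so on a host where `ubtu20cis_ipv6_required` is true and IPv4 is not, a new SSH session to the node depends on an accept rule appended by some other task (3.5.3.3.4 only audits). A comment above the block naming which task is expected to open inbound port 22, or a pre-flight assert that such a rule exists, would make that dependency visible to operators.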
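Review bot: The new tasks/section_3/main.yml uses the `include` action, which Ansible has deprecated in favour of `import_tasks` (static) and `include_tasks` (dynamic); tasks/section_4/main.yml in this commit has the same pattern. Each entry can become `import_tasks: cis_3.1.x.yml`, which keeps the per-task tags usable with `--tags`/`--skip-tags` and removes the deprecation warning. The file is also written without a trailing newline.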
@@ -0,0 +1,100 @@ +--- +- name: "AUTOMATED | 4.1.1.1 | PATCH | Ensure auditd is installed" + apt: + name: ['auditd', 'audispd-plugins'] + state: present + when: + - ubtu20cis_rule_4_1_1_1 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.1.1 + - auditd + +- name: "AUTOMATED | 4.1.1.2 | PATCH | Ensure auditd service is enabled" + service: + name: auditd + state: started + enabled: yes + when: + - ubtu20cis_rule_4_1_1_2 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.1.2 + - auditd + +- name: "AUTOMATED | 4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" + block: + - name: "AUTOMATED | 4.1.1.3 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" + shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_4_1_1_3_cmdline_settings + + - name: "AUTOMATED | 4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add setting if doesn't exist" + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ ubtu20cis_4_1_1_3_cmdline_settings.stdout }} audit=1"' + when: "'audit=' not in ubtu20cis_4_1_1_3_cmdline_settings.stdout" + notify: grub update + + - name: "AUTOMATED | 4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Update setting if exists" + replace: + dest: /etc/default/grub + regexp: 'audit=([0-9]+)' + replace: 'audot=1' + after: '^GRUB_CMDLINE_LINUX="' + before: '"' + notify: grub update + when: "'audit=' in ubtu20cis_4_1_1_3_cmdline_settings.stdout" + when: + - ubtu20cis_rule_4_1_1_3 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4_1_1_3 + - auditd + +- name: "AUTOMATED | 4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient" + block: + - name: "AUTOMATED | 
4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Get current GRUB_CMDLINE_LINUX" + shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_4_1_1_4_cmdline_settings + + - name: "AUTOMATED | 4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add setting if doesn't exist" + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ ubtu20cis_4_1_1_4_cmdline_settings.stdout }} audit_backlog_limit={{ ubtu20cis_audit_back_log_limit }}"' + notify: grub update + when: "'audit_backlog_limit=' not in ubtu20cis_4_1_1_4_cmdline_settings.stdout" + + - name: "AUTOMATED | 4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Update setting if exists" + replace: + dest: /etc/default/grub + regexp: 'audit_backlog_limit=([0-9]+)' + replace: 'audit_backlog_limit={{ ubtu20cis_audit_back_log_limit }}' + after: '^GRUB_CMDLINE_LINUX="' + before: '"' + notify: grub update + when: + - ubtu20cis_rule_4_1_1_4 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.1.4 + - auditd diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml new file mode 100644 index 00000000..0a833db9 --- /dev/null +++ b/tasks/section_4/cis_4.1.2.x.yml 
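Review bot: The "Update setting if exists" task in 4.1.1.3 writes `replace: 'audot=1'`, so on any host that already has an `audit=` parameter in GRUB_CMDLINE_LINUX the control is never enforced and a meaningless `audot=1` kernel parameter is introduced instead; it should read `replace: 'audit=1'`. The same block tags itself `rule_4_1_1_3` while every other task in the file uses dotted tags (`rule_4.1.1.1`, `rule_4.1.1.4`), so `--tags rule_4.1.1.3` would silently select nothing. Minor: `enabled: yes` in 4.1.1.2 is a YAML 1.1 truthy spelling; `enabled: true` matches the `true`/`false` used in the `when:` lists.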
@@ -0,0 +1,53 @@ +--- +- name: "AUTOMATED | 4.1.2.1 | PATCH | Ensure audit log storage size is configured" + lineinfile: + dest: /etc/audit/auditd.conf + regexp: "^max_log_file( |=)" + line: "max_log_file = {{ ubtu20cis_max_log_file_size }}" + state: present + notify: restart auditd + when: + - ubtu20cis_rule_4_1_2_1 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.2.1 + - auditd + +- name: "AUTOMATED | 4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted" + lineinfile: + path: /etc/audit/auditd.conf + regexp: '^max_log_file_action' + line: "max_log_file_action = {{ ubtu20cis_auditd['max_log_file_action'] }}" + notify: restart auditd + when: + - ubtu20cis_rule_4_1_2_2 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.2.2 + - auditd + +- name: "AUTOMATED | 4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full" + lineinfile: + path: /etc/audit/auditd.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - { regexp: '^space_left_action', line: 'space_left_action = email' } + - { regexp: '^action_mail_acct', line: 'action_mail_acct = root' } + - { regexp: '^admin_space_left_action = halt', line: 'admin_space_left_action = halt' } + notify: restart auditd + when: + - ubtu20cis_rule_4_1_2_3 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.2.3 + - auditd diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml new file mode 100644 index 00000000..f6eb574a --- /dev/null +++ b/tasks/section_4/cis_4.1.x.yml 
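Review bot: In 4.1.2.3 the third loop item uses `regexp: '^admin_space_left_action = halt'`, which only matches when the desired value is already present; a host configured with any other value (the package default is `SUSPEND`) gets a second `admin_space_left_action` line appended instead of being corrected, and auditd then reads whichever it parses last. The item should match on the key alone, `- { regexp: '^admin_space_left_action', line: 'admin_space_left_action = halt' }`, as the two items above it do. Style: 4.1.2.1 uses `dest:` while the other two tasks use `path:` for the same module.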
@@ -0,0 +1,279 @@ +--- +- name: "AUTOMATED | 4.1.3 | PATCH | Ensure events that modify date and time information are collected" + template: + src: audit/ubtu20cis_4_1_3_timechange.rules.j2 + dest: /etc/audit/rules.d/time-change.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + - ubtu20cis_rule_4_1_3 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.3 + - auditd + +- name: "AUTOMATED | 4.1.4 | PATCH | Ensure events that modify user/group information are collected" + template: + src: audit/ubtu20cis_4_1_4_identity.rules.j2 + dest: /etc/audit/rules.d/identity.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + - ubtu20cis_rule_4_1_4 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.4 + - auditd + +- name: "AUTOMATED | 4.1.5 | PATCH | Ensure events that modify the system's network environment are collected" + template: + src: audit/ubtu20cis_4_1_5_systemlocale.rules.j2 + dest: /etc/audit/rules.d/system-locale.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + - ubtu20cis_rule_4_1_5 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.5 + - auditd + +- name: "AUTOMATED | 4.1.6 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" + template: + src: audit/ubtu20cis_4_1_6_macpolicy.rules.j2 + dest: /etc/audit/rules.d/MAC-policy.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + - ubtu20cis_rule_4_1_6 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.6 + - auditd + +- name: "AUTOMATED | 4.1.7 | PATCH | Ensure login and logout events are collected" + template: + src: audit/ubtu20cis_4_1_7_logins.rules.j2 + dest: /etc/audit/rules.d/logins.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + - ubtu20cis_rule_4_1_7 + tags: + - level2-server + - 
level2-workstation + - automated + - patch + - rule_4.1.7 + - auditd + +- name: "AUTOMATED | 4.1.8 | PATCH | Ensure session initiation information is collected" + template: + src: audit/ubtu20cis_4_1_8_session.rules.j2 + dest: /etc/audit/rules.d/session.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + - ubtu20cis_rule_4_1_8 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.8 + - auditd + +- name: "AUTOMATED | 4.1.9 | PATCH | Ensure discretionary access control permission modification events are collected" + template: + src: audit/ubtu20cis_4_1_9_permmod.rules.j2 + dest: /etc/audit/rules.d/perm_mod.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + - ubtu20cis_rule_4_1_9 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.9 + - auditd + +- name: "AUTOMATED | 4.1.10 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" + template: + src: audit/ubtu20cis_4_1_10_access.rules.j2 + dest: /etc/audit/rules.d/access.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + - ubtu20cis_rule_4_1_10 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.10 + - auditd + +- name: "AUTOMATED | 4.1.11 | PATCH | Ensure use of privileged commands is collected" + block: + - name: "AUTOMATED | 4.1.11 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs" + shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done + register: priv_procs + changed_when: no + check_mode: false + + - name: "AUTOMATED | 4.1.11 | PATCH | Ensure use of privileged commands is collected | Set privileged rules" + template: + src: audit/ubtu20cis_4_1_11_privileged.rules.j2 + dest: /etc/audit/rules.d/privileged.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + 
when: + - ubtu20cis_rule_4_1_11 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.11 + - auditd + +- name: "AUTOMATED | 4.1.12 | PATCH | Ensure successful file system mounts are collected" + template: + src: audit/ubtu20cis_4_1_12_audit.rules.j2 + dest: /etc/audit/rules.d/audit.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + ubtu20cis_rule_4_1_12 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.12 + - auditd + +- name: "AUTOMATED | 4.1.13 | PATCH | Ensure file deletion events by users are collected" + template: + src: audit/ubtu20cis_4_1_13_delete.rules.j2 + dest: /etc/audit/rules.d/delete.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + - ubtu20cis_rule_4_1_13 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.13 + - auditd + +- name: "AUTOMATED | 4.1.14 | PATCH | Ensure changes to system administration scope (sudoers) is collected" + template: + src: audit/ubtu20cis_4_1_14_scope.rules.j2 + dest: /etc/audit/rules.d/scope.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + - ubtu20cis_rule_4_1_14 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.14 + - auditd + +- name: "AUTOMATED | 4.1.15 | PATCH | Ensure system administrator command executions (sudo) are collected" + template: + src: audit/ubtu20cis_4_1_15_actions.rules.j2 + dest: /etc/audit/rules.d/actions.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + - ubtu20cis_rule_4_1_15 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.15 + - auditd + +- name: "AUTOMATED | 4.1.16 | PATCH | Ensure kernel module loading and unloading is collected" + template: + src: audit/ubtu20cis_4_1_16_modules.rules.j2 + dest: /etc/audit/rules.d/modules.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: 
+ - ubtu20cis_rule_4_1_16 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.16 + - auditd + +- name: "AUTOMATED | 4.1.17 | PATCH | Ensure the audit configuration is immutable" + template: + src: audit/ubtu20cis_4_1_17_99finalize.rules.j2 + dest: /etc/audit/rules.d/99-finalize.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + - ubtu20cis_rule_4_1_17 + tags: + - level2-server + - level2-workstation + - automated + - scored + - patch + - rule_4.1.17 + - auditd diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml new file mode 100644 index 00000000..4fff92c1 --- /dev/null +++ b/tasks/section_4/cis_4.2.1.x.yml 
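Review bot: The 4.1.12 task writes its condition as a bare plain scalar under `when:` (`ubtu20cis_rule_4_1_12` on its own indented line, without the `- ` list marker) while every other task in the file uses a list; it parses, but it is the only task that would break if a second condition were added without noticing the form, so `- ubtu20cis_rule_4_1_12` keeps it consistent. In 4.1.11 the registered variable `priv_procs` lacks the `ubtu20cis_` prefix used for every other registered fact, and `changed_when: no` is the only truthy-spelled value in a file that otherwise uses `false`. 4.1.17 also carries a leftover `- scored` tag next to `- automated` that no other task in the new section has.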
@@ -0,0 +1,153 @@ +--- +- name: "AUTOMATED | 4.2.1.1 | PATCH | Ensure rsyslog is installed" + apt: + name: rsyslog + state: present + when: + - ubtu20cis_rule_4_2_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.1.1 + - rsyslog + - apt + +- name: "AUTOMATED | 4.2.1.2 | PATCH | Ensure rsyslog Service is enabled" + service: + name: rsyslog + enabled: yes + when: + - ubtu20cis_rule_4_2_1_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.1.2 + - rsyslog + +- name: "MANUAL | 4.2.1.3 | PATCH | Ensure logging is configured" + block: + - name: "MANUAL | 4.2.1.3 | AUDIT | Ensure logging is configured | Find configuration file" + shell: grep -r "*.emerg" /etc/* | cut -f1 -d":" + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_4_2_1_3_rsyslog_config_path + + - name: "MANUAL | 4.2.1.3 | AUDIT | Ensure logging is configured | Gather rsyslog current config" + command: "cat {{ ubtu20cis_4_2_1_3_rsyslog_config_path.stdout }}" + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_4_2_1_3_rsyslog_config + + - name: "MANUAL | 4.2.1.3 | AUDIT | Ensure logging is configured | Message out config" + debug: + msg: + - "Alert!!!Below is the current logging configurations for rsyslog, please review" + - "{{ ubtu20cis_4_2_1_3_rsyslog_config.stdout_lines }}" + when: not ubtu20cis_rsyslog_ansible_managed + + - name: "MANUAL | 4.2.1.3 | PATCH | Ensure logging is configured | Automated rsyslog configuration" + lineinfile: + path: "{{ ubtu20cis_4_2_1_3_rsyslog_config_path.stdout }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + with_items: + - { regexp: '^\*.emerg', line: '*.emerg :omusrmsg:*', insertafter: '^# Emergencies are sent to everybody logged in' } + - { regexp: '^auth,authpriv.\*', line: 'auth,authpriv.* /var/log/auth.log', insertafter: '^# First some standard log files. 
Log by facility' } + - { regexp: '^mail.\*|^#mail.\*', line: 'mail.* -/var/log/mail', insertafter: '^# First some standard log files' } + - { regexp: '^mail.info|^#mail.info', line: 'mail.info -/var/log/mail.info', insertafter: '^# Logging for the mail system' } + - { regexp: '^mail.warn|^#mail.warn', line: 'mail.warn -/var/log/mail.warn', insertafter: '^# Logging for the mail system.' } + - { regexp: '^mail.err|^#mail.err', line: 'mail.err /var/log/mail.err', insertafter: '^# Logging for the mail system.' } + - { regexp: '^news.crit|^#news.crit', line: 'news.crit -/var/log/news/news.crit', insertafter: '^# First some standard log files'} + - { regexp: '^news.err|^#news.err', line: 'news.err -/var/log/news/news.err', insertafter: '^# First some standard log files' } + - { regexp: '^news.notice|^#news.notice', line: 'news.notice -/var/log/news/news.notice', insertafter: '^# First some standard log files' } + - { regexp: '^\*.=warning;\*.=err|^#\*.=warning;\*.=err', line: '*.=warning;*.=err -/var/log/warn', insertafter: '^# First some standard log files' } + - { regexp: '^\*.crit|^#\*.crit', line: '*.crit /var/log/warn', insertafter: '^# First some standard log files' } + - { regexp: '^\*.\*;mail.none;news.none|^#\*.\*;mail.none;news.none', line: '*.*;mail.none;news.none -/var/log/messages', insertafter: '^# First some standard log files' } + - { regexp: '^local0,local1.\*|^#local0,local1.\*', line: 'local0,local1.* -/var/log/localmessages', insertafter: '^# First some standard log files' } + - { regexp: '^local2,local3.\*|^#local2,local3.\*', line: 'local2,local3.* -/var/log/localmessages', insertafter: '^# First some standard log files' } + - { regexp: '^local4,local5.\*|^#local4,local5.\*', line: 'local4,local5.* -/var/log/localmessages', insertafter: '^# First some standard log files' } + - { regexp: '^local6,local7.\*|^#local6,local7.\*', line: 'local6,local7.* -/var/log/localmessages', insertafter: '^# First some standard log files' } + notify: restart rsyslog 
+ when: ubtu20cis_rsyslog_ansible_managed + when: + - ubtu20cis_rule_4_2_1_3 + tags: + - level1-server + - level1-workstation + - manual + - patch + - rule_4.2.1.3 + - rsyslog + +- name: "AUTOMATED | 4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured" + lineinfile: + path: /etc/rsyslog.conf + regexp: '^\$FileCreateMode|^#\$FileCreateMode' + line: '$FileCreateMode 0640' + notify: restart rsyslog + when: + - ubtu20cis_rule_4_2_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.1.4 + - rsyslog + +- name: "AUTOMATED | 4.2.1.5 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" + blockinfile: + path: /etc/rsyslog.conf + block: | + ##Enable sending of logs over TCP add the following line: + *.* @@{{ ubtu20cis_remote_log_server }} + insertafter: EOF + when: + - ubtu20cis_rule_4_2_1_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.1.5 + - rsyslog + +- name: "MANUAL | 4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts" + block: + - name: "MANUAL | 4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts | When not a log host" + replace: + path: /etc/rsyslog.conf + regexp: '({{ item }})' + replace: '#\1' + with_items: + - '^(\$ModLoad)' + - '^(\$InputTCPServerRun)' + notify: restart rsyslog + when: not ubtu20cis_system_is_log_server + + - name: "MANUAL | 4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts | When a log server" + lineinfile: + path: /etc/rsyslog.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - { regexp: '^\$ModLoad|^#\$ModLoad', line: '$ModLoad imtcp' } + - { regexp: '^\$InputTCPServerRun|^#\$InputTCPServerRun', line: '$InputTCPServerRun 514' } + notify: restart rsyslog + when: ubtu20cis_system_is_log_server + when: + - ubtu20cis_rule_4_2_1_6 + tags: + - level1-server + - level1-workstation + - manual + 
- patch + - rule_4.2.1.6 + - rsyslog diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml new file mode 100644 index 00000000..891ffb23 --- /dev/null +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -0,0 +1,50 @@ +--- +- name: "AUTOMATED | 4.2.2.1 | PATCH | Ensure journald is configured to send logs to rsyslog" + lineinfile: + path: /etc/systemd/journald.conf + regexp: '^ForwardToSyslog|^#ForwardToSyslog' + line: 'ForwardToSyslog=yes' + insertafter: '\[Journal\]' + when: + - ubtu20cis_rule_4_2_2_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.2.1 + - rsyslog + - journald + +- name: "4.2.2.2 | PATCH | Ensure journald is configured to compress large log files" + lineinfile: + path: /etc/systemd/journald.conf + regexp: '^Compress|^#Compress' + line: 'Compress=yes' + insertafter: '\[Journal\]' + when: + - ubtu20cis_rule_4_2_2_2 + tags: + - level1-server + - level1-workstation + - patch + - rule_4.2.2.2 + - rsyslog + - journald + +- name: "AUTOMATED | 4.2.2.3 | PATCH | Ensure journald is configured to write logfiles to persistent disk" + lineinfile: + path: /etc/systemd/journald.conf + regexp: '^Storage|^#Storage' + line: 'Storage=persistent' + insertafter: '\[Journal\]' + when: + - ubtu20cis_rule_4_2_2_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.2.3 + - rsyslog + - journald diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml new file mode 100644 index 00000000..033fb27d --- /dev/null +++ b/tasks/section_4/cis_4.2.3.yml 
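Review bot: In 4.2.1.6 the "When not a log host" task comments out every line matching `'^(\$ModLoad)'`, not just the TCP input module, so on a host that still loads other modules with legacy syntax (for example `$ModLoad imuxsock` or `$ModLoad imklog`) it would disable local logging as a side effect of closing the network listener; narrowing the item to `'^(\$ModLoad imtcp)'` limits the change to what the control asks for. In 4.2.1.3, `grep -r "*.emerg" /etc/* | cut -f1 -d":"` can return several paths (for instance when both `/etc/rsyslog.conf` and a drop-in under `/etc/rsyslog.d/` carry the rule), and the later `cat` and `lineinfile` tasks pass that multi-line `stdout` as a single path; a comment stating that exactly one match is assumed, or a guard on `stdout_lines | length == 1`, would make the failure mode explicit.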
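Review bot: In the new cis_4.2.2.x.yml the 4.2.2.2 task is the only one named without the `AUTOMATED |` prefix and the only one missing the `- automated` tag, although it is the same kind of lineinfile change as 4.2.2.1 and 4.2.2.3; `- name: "AUTOMATED | 4.2.2.2 | PATCH | Ensure journald is configured to compress large log files"` plus `- automated` in its tag list brings it in line with its neighbours.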
@@ -0,0 +1,16 @@ +--- +- name: "AUTOMATED | 4.2.3 | PATCH | Ensure permissions on all logfiles are configured" + command: find /var/log -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-w,o-rwx "{}" + + changed_when: ubtu20cis_4_2_3_logfile_perms_status.rc == 0 + check_mode: false + register: ubtu20cis_4_2_3_logfile_perms_status + when: + - ubtu20cis_rule_4_2_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.3 + - logfiles + - permissions diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml new file mode 100644 index 00000000..362f6329 --- /dev/null +++ b/tasks/section_4/cis_4.3.yml @@ -0,0 +1,26 @@ +--- +- name: "MANUAL | 4.3 | PATCH | Ensure logrotate is configured" + block: + - name: "MANUAL | 4.3 | PATCH | Ensure logrotate is configured | Get logrotate files" + find: + paths: /etc/logrotate.d/ + check_mode: false + register: ubtu20cis_4_3_logrotate_files + + - name: "MANUAL | 4.3 | PATCH | Ensure logrotate is configured | Set rotation configurations" + replace: + path: "{{ item.path }}" + regexp: '^(\s*)(daily|weekly|monthly|yearly)$' + replace: "\\1{{ ubtu20cis_logrotate }}" + with_items: + - "{{ ubtu20cis_4_3_logrotate_files.files }}" + - { path: "/etc/logrotate.conf" } + when: + - ubtu20cis_rule_4_3 + tags: + - level1-server + - level1-workstation + - manual + - patch + - rule_4.3 + - logrotate diff --git a/tasks/section_4/cis_4.4.yml b/tasks/section_4/cis_4.4.yml new file mode 100644 index 00000000..448e6408 --- /dev/null +++ b/tasks/section_4/cis_4.4.yml @@ -0,0 +1,15 @@ +--- +- name: "AUTOMATED | 4.4 | PATCH | Ensure logrotate assigns appropriate permissions" + lineinfile: + path: /etc/logrotate.conf + regexp: '^create' + line: ' create {{ ubtu20cis_logrotate_create_settings }}' + when: + - ubtu20cis_rule_4_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.4 + - logrotate 
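Review bot: The 4.2.3 task reports `changed_when: ubtu20cis_4_2_3_logfile_perms_status.rc == 0`, and `find … -exec chmod … +` exits 0 whether or not any mode was actually modified, so this task shows as changed on every run and the playbook can never converge to a clean report for this control. Using the `find` module to collect `/var/log` files and directories and then `file:` with `mode: 'g-wx,o-rwx'` (files) and `mode: 'g-w,o-rwx'` (directories) gives accurate change detection and check-mode support; if the single command is kept, a comment above it should say that its changed status is not meaningful.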
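Review bot: In cis_4.4.yml the replacement line is written as `line: ' create {{ ubtu20cis_logrotate_create_settings }}'` with a leading space, but the matcher is `regexp: '^create'`, anchored to column 0; after the first run the written line no longer matches its own regexp, and the task then relies on lineinfile's exact-line fallback rather than the regexp to stay idempotent. Dropping the leading space, `line: 'create {{ ubtu20cis_logrotate_create_settings }}'`, keeps the written line and the matcher consistent.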
diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml new file mode 100644 index 00000000..ef82c3a1 --- /dev/null +++ b/tasks/section_4/main.yml @@ -0,0 +1,24 @@ +--- +- name: "SECTION | 4.1.1 | Ensure auditing is enabled" + include: cis_4.1.1.x.yml + +- name: "SECTION | 4.1.2 | Configure Data Retention" + include: cis_4.1.2.x.yml + +- name: "SECTION | 4.1.x | Login Settings" + include: cis_4.1.x.yml + +- name: "SECTION | 4.2.1 | Configure rsyslog" + include: cis_4.2.1.x.yml + +- name: "SECTION | 4.2.2 | Configure journald" + include: cis_4.2.2.x.yml + +- name: "SECTION | 4.2.3 | Ensure permissions on all logfiles are configured" + include: cis_4.2.3.yml + +- name: "SECTION | 4.3 | Ensure logrotate is configured" + include: cis_4.3.yml + +- name: "SECTION | 4.4 | Ensure logrotate assigns appropriate permissions" + include: cis_4.4.yml \ No newline at end of file diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml new file mode 100644 index 00000000..70657990 --- /dev/null +++ b/tasks/section_5/cis_5.1.x.yml 
@@ -0,0 +1,159 @@ +--- +- name: "AUTOMATED | 5.1.1 | PATCH | Ensure cron daemon is enabled and running" + service: + name: cron + state: started + enabled: yes + when: + - ubtu20cis_rule_5_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.1.1 + - cron + +- name: "AUTOMATED | 5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" + file: + path: /etc/crontab + owner: root + group: root + mode: 0600 + when: + - ubtu20cis_rule_5_1_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.1.2 + - cron + +- name: "AUTOMATED | 5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" + file: + path: /etc/cron.hourly + owner: root + group: root + mode: 0700 + when: + - ubtu20cis_rule_5_1_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.1.3 + - cron + +- name: "AUTOMATED | 5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" + file: + path: /etc/cron.daily + owner: root + group: root + mode: 0700 + when: + - ubtu20cis_rule_5_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.1.4 + - cron + +- name: "AUTOMATED | 5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" + file: + path: /etc/cron.weekly + owner: root + group: root + mode: 0700 + when: + - ubtu20cis_rule_5_1_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.1.5 + - cron + +- name: "AUTOMATED | 5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" + file: + path: /etc/cron.monthly + owner: root + group: root + mode: 0700 + when: + - ubtu20cis_rule_5_1_6 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.1.6 + - cron + +- name: "AUTOMATED | 5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" + file: + path: /etc/cron.d + owner: root + group: root + mode: 0700 + when: + - ubtu20cis_rule_5_1_7 + tags: + - level1-server + - 
level1-workstation + - automated + - patch + - rule_5.1.7 + - cron + +- name: "AUTOMATED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users" + block: + - name: "AUTOMATED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users | Remove cron.deny" + file: + path: /etc/cron.deny + state: absent + + - name: "AUTOMATED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users | Create cron.allow" + file: + path: /etc/cron.allow + owner: root + group: root + mode: 0640 + state: touch + when: + - ubtu20cis_rule_5_1_8 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.1.8 + - cron + +- name: "AUTOMATED | 5.1.9 | PATCH | Ensure at is restricted to authorized users" + block: + - name: "AUTOMATED | 5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny" + file: + path: /etc/at.deny + state: absent + + - name: "AUTOMATED | 5.1.9 | PATCH | Ensure at is restricted to authorized users | Create at.allow" + file: + path: /etc/at.allow + owner: root + group: root + mode: 0640 + state: touch + when: + - ubtu20cis_rule_5_1_9 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.1.9 + - cron diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml new file mode 100644 index 00000000..a001e3b4 --- /dev/null +++ b/tasks/section_5/cis_5.2.x.yml 
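Review bot: The "Create cron.allow" and "Create at.allow" tasks in 5.1.8 and 5.1.9 use `state: touch`, which the `file` module reports as changed on every run because it updates the timestamps, so these two controls never converge. Adding `modification_time: preserve` and `access_time: preserve` to each makes the touch idempotent while still creating the file with the given owner, group and mode on first run. Minor: `enabled: yes` in 5.1.1 is the YAML 1.1 truthy spelling; `enabled: true` matches the rest of the file.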
@@ -0,0 +1,46 @@ +--- +- name: "AUTOMATED | 5.2.1 | PATCH | Ensure sudo is installed" + apt: + name: "{{ ubtu20cis_sudo_package }}" + state: present + when: + - ubtu20cis_rule_5_2_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.2.1 + - sudo + +- name: "AUTOMATED | 5.2.2 | PATCH | Ensure sudo commands use pty" + lineinfile: + path: /etc/sudoers + regexp: '^Defaults use_' + line: 'Defaults use_pty' + insertafter: '^Defaults' + when: + - ubtu20cis_rule_5_2_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.2.2 + - sudo + +- name: "AUTOMATED | 5.2.3 | PATCH | Ensure sudo log file exists" + lineinfile: + path: /etc/sudoers + regexp: '^Defaults logfile' + line: 'Defaults logfile="{{ ubtu20cis_sudo_logfile }}"' + insertafter: '^Defaults' + when: + - ubtu20cis_rule_5_2_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.2.3 + - sudo diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml new file mode 100644 index 00000000..3eb9647e --- /dev/null +++ b/tasks/section_5/cis_5.3.x.yml 
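Review bot: Both 5.2.2 and 5.2.3 edit `/etc/sudoers` with `lineinfile` and no `validate:` argument, so a malformed rendered line (for example an unexpected value in `ubtu20cis_sudo_logfile`) is written straight into the file and sudo stops working for every user on the host. Adding `validate: '/usr/sbin/visudo -cf %s'` to both tasks makes lineinfile write to a temporary copy first and abort the change if visudo rejects it. 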
@@ -0,0 +1,413 @@ +--- +- name: "AUTOMATED | 5.3.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" + file: + path: /etc/ssh/sshd_config + owner: root + group: root + mode: 0600 + when: + - ubtu20cis_rule_5_3_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.1 + - ssh + +- name: "AUTOMATED | 5.3.2 | PATCH | Ensure permissions on SSH private host key files are configured" + block: + - name: "AUTOMATED | 5.3.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find ssh_host private keys" + find: + paths: /etc/ssh + patterns: 'ssh_host_*_key' + register: ubtu20cis_5_3_2_ssh_host_priv_keys + + - name: "AUTOMATED | 5.3.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions" + file: + path: "{{ item.path }}" + owner: root + group: root + mode: 0600 + with_items: + - "{{ ubtu20cis_5_3_2_ssh_host_priv_keys.files }}" + when: + - ubtu20cis_rule_5_3_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.2 + - ssh + +- name: "AUTOMATED | 5.3.3 | PATCH | Ensure permissions on SSH public host key files are configured" + block: + - name: "AUTOMATED | 5.3.3 | AUDIT | Ensure permissions on SSH public host key files are configured | Find ssh_host public keys" + find: + paths: /etc/ssh + patterns: 'ssh_host_*_key.pub' + register: ubtu20cis_5_3_3_ssh_host_pub_keys + + - name: "AUTOMATED | 5.3.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions" + file: + path: "{{ item.path }}" + owner: root + group: root + mode: 0644 + with_items: + - "{{ ubtu20cis_5_3_3_ssh_host_pub_keys.files }}" + when: + - ubtu20cis_rule_5_3_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.3 + - ssh + +- name: "AUTOMATED | 5.3.4 | PATCH | Ensure SSH access is limited" + block: + - name: "AUTOMATED | 5.3.4 | PATCH | Ensure SSH access is limited | Add allowed users" + lineinfile: + 
path: /etc/ssh/sshd_config + regexp: '^AllowUsers|^#AllowUsers' + line: 'AllowUsers {{ ubtu20cis_sshd.allow_users }}' + notify: restart sshd + when: "ubtu20cis_sshd['allow_users']|default('') != ''" + + - name: "AUTOMATED | 5.3.4 | PATCH | Ensure SSH access is limited | Add allowed groups" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^AllowGroups|^#AllowGroups' + line: 'AllowGroups {{ ubtu20cis_sshd.allow_groups }}' + notify: restart sshd + when: "ubtu20cis_sshd['allow_groups']|default('') != ''" + + - name: "AUTOMATED | 5.3.4 | PATCH | Ensure SSH access is limited | Add deny users" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^DenyUsers|^#DenyUsers' + line: 'DenyUsers {{ ubtu20cis_sshd.deny_users }}' + notify: restart sshd + when: "ubtu20cis_sshd['deny_users']|default('') != ''" + + - name: "AUTOMATED | 5.3.4 | PATCH | Ensure SSH access is limited | Add deny groups" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^DenyGroups|^#DenyGroups' + line: 'DenyGroups {{ ubtu20cis_sshd.deny_groups }}' + notify: restart sshd + when: "ubtu20cis_sshd['deny_groups']|default('') != ''" + when: + - ubtu20cis_rule_5_3_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.4 + - ssh + +- name: "AUTOMATED | 5.3.5 | PATCH | Ensure SSH LogLevel is appropriate" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^LogLevel|^#LogLevel' + line: 'LogLevel {{ ubtu20cis_sshd.log_level }}' + insertafter: '^# Logging' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.5 + - ssh + +- name: "AUTOMATED | 5.3.6 | PATCH | Ensure SSH X11 forwarding is disabled" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^X11Forwarding|^#X11Forwarding' + line: 'X11Forwarding no' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_6 + tags: + - level2-server + - level1-workstation + - automated + - patch + - rule_5.3.6 + - ssh + +- name: "AUTOMATED | 5.3.7 | 
PATCH | Ensure SSH MaxAuthTries is set to 4 or less" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^MaxAuthTries|^#MaxAuthTries' + line: 'MaxAuthTries {{ ubtu20cis_sshd.max_auth_tries }}' + insertafter: '^# Authentication' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_7 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.7 + - ssh + +- name: "AUTOMATED | 5.3.8 | PATCH | Ensure SSH IgnoreRhosts is enabled" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^IgnoreRhosts|^#IgnoreRhosts' + line: 'IgnoreRhosts yes' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_8 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.8 + - ssh + +- name: "AUTOMATED | 5.3.9 | PATCH | Ensure SSH HostbasedAuthentication is disabled" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^HostbasedAuthentication|^#HostbasedAuthentication' + line: 'HostbasedAuthentication no' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_9 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.9 + - ssh + +- name: "AUTOMATED | 5.3.10 | PATCH | Ensure SSH root login is disabled" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^PermitRootLogin|^#PermitRootLogin' + line: 'PermitRootLogin no' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_10 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.10 + - ssh + +- name: "AUTOMATED | 5.3.11 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^PermitEmptyPasswords|^#PermitEmptyPasswords' + line: 'PermitEmptyPasswords no' + insertafter: '# To disable tunneled clear text passwords' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_11 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.11 + - ssh + +- name: "AUTOMATED | 5.3.12 | PATCH | Ensure SSH PermitUserEnvironment is disabled" + lineinfile: + path: 
/etc/ssh/sshd_config + regexp: '^PermitUserEnvironment|^#PermitUserEnvironment' + line: 'PermitUserEnvironment no' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_12 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.12 + - ssh + +- name: "AUTOMATED | 5.3.13 | PATCH | Ensure only strong Ciphers are used" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^Ciphers|^#Ciphers' + line: 'Ciphers {{ ubtu20cis_sshd.ciphers }}' + insertafter: '^# Ciphers and keying' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_13 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.13 + - ssh + +- name: "AUTOMATED | 5.3.14 | PATCH | Ensure only strong MAC algorithms are used" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^MACs|^#MACs' + line: 'MACs {{ ubtu20cis_sshd.macs }}' + insertafter: '^# Ciphers and keying' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_14 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.14 + - ssh + +- name: "AUTOMATED | 5.3.15 | PATCH | Ensure only strong Key Exchange algorithms are used" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^KexAlgorithms|^#KexAlgorithms' + line: 'KexAlgorithms {{ ubtu20cis_sshd.kex_algorithms }}' + insertafter: '^# Ciphers and keying' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_15 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.15 + - ssh + +- name: "AUTOMATED | 5.3.16 | PATCH | Ensure SSH Idle Timeout Interval is configured" + lineinfile: + path: /etc/ssh/sshd_config + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - { regexp: '^ClientAliveInterval|^#ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu20cis_sshd.client_alive_interval }}' } + - { regexp: '^ClientAliveCountMax|^#ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu20cis_sshd.client_alive_count_max }}' } + notify: restart sshd + when: + - 
ubtu20cis_rule_5_3_16 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.16 + - sshd + +- name: "AUTOMATED | 5.3.17 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^LoginGraceTime|^#LoginGraceTime' + line: 'LoginGraceTime {{ ubtu20cis_sshd.login_grace_time }}' + insertafter: '^# Authentication' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_17 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.17 + - ssh + +- name: "AUTOMATED | 5.3.18 | PATCH | Ensure SSH warning banner is configured" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^Banner|^#Banner' + line: Banner /etc/issue.net + insertafter: '^# no default banner path' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_18 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.18 + - ssh + +- name: "AUTOMATED | 5.3.19 | PATCH | Ensure SSH PAM is enabled" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^UsePAM|^#UsePAM' + line: 'UsePAM yes' + insertafter: '^# and ChallengeResponseAuthentication' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_19 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.19 + - ssh + - pam + +- name: "AUTOMATED | 5.3.20 | PATCH | Ensure SSH AllowTcpForwarding is disabled" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^AllowTcpForwarding|^#AllowTcpForwarding' + line: 'AllowTcpForwarding no' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_20 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_5.3.20 + - ssh + +- name: "AUTOMATED | 5.3.21 | PATCH | Ensure SSH MaxStartups is configured" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^MaxStartups|^#MaxStartups' + line: 'MaxStartups 10:30:60' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_21 + tags: + - level1-server + - level1-workstation + - automated + - 
patch + - rule_5.3.21 + - ssh + +- name: "AUTOMATED | 5.3.22 | PATCH | Ensure SSH MaxSessions is set to 4 or less" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^MaxSessions|^#MaxSessions' + line: 'MaxSessions {{ ubtu20cis_sshd.max_sessions }}' + insertafter: '^# Authentication' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_22 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.22 + - ssh diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml new file mode 100644 index 00000000..8780279c --- /dev/null +++ b/tasks/section_5/cis_5.4.x.yml 
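Review bot: None of the sshd_config edits in this file use `validate:`, so a bad value in `ubtu20cis_sshd.ciphers`, `.macs` or `.kex_algorithms` (5.3.13–5.3.15) lands in the live config and the `restart sshd` handler then leaves the host without a listening sshd — on a remote box that is a lockout. Add `validate: '/usr/sbin/sshd -t -f %s'` to each `lineinfile` so sshd parses the candidate file first. Separately, if the shipped sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf` (the focal package does, as far as I recall — check the stock file), sshd keeps the first value it reads, so any drop-in there silently overrides what these tasks set in the main file; either assert that directory is empty or write the hardening into it. Minor: 5.3.16 is tagged `sshd` where every sibling uses `ssh`.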
@@ -0,0 +1,199 @@ +--- +- name: "AUTOMATED | 5.4.1 | PATCH | Ensure password creation requirements are configured" + block: + - name: "AUTOMATED | 5.4.1 | PATCH | Ensure password creation requirements are configured | Install pam_pwquality module" + apt: + name: libpam-pwquality + state: present + + - name: "AUTOMATED | 5.4.1 | PATCH | Ensure password creation requirements are configured | Add minlen" + lineinfile: + path: /etc/security/pwquality.conf + regexp: '^minlen|^# minlen' + line: minlen = 14 + + - name: "AUTOMATED | 5.4.1 | PATCH | Ensure password creation requirements are configured | Add minclass" + lineinfile: + path: /etc/security/pwquality.conf + regexp: '^minclass|^# minclass' + line: 'minclass = 4' + + - name: "AUTOMATED | 5.4.1 | AUDIT | Ensure password creation requirements are configured | Confirm pwquality module in common-password" + command: grep 'password.*requisite.*pam_pwquality.so' /etc/pam.d/common-password + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_5_4_1_pam_pwquality_state + + - name: "AUTOMATED | 5.4.1 | PATCH | Ensure password creation requirements are configured | Set retry to 3 if pwquality exists" + pamd: + name: common-password + type: password + control: requisite + module_path: pam_pwquality.so + module_arguments: 'retry=3' + state: args_present + when: ubtu20cis_5_4_1_pam_pwquality_state.stdout | length > 0 + + - name: "AUTOMATED | 5.4.1 | PATCH | Ensure password creation requirements are configured | Set retry to 3 if pwquality does not exist" + pamd: + name: common-password + type: password + control: required + module_path: pam_permit.so + new_type: password + new_control: requisite + new_module_path: pam_pwquality.so + module_arguments: 'retry=3' + state: after + when: ubtu20cis_5_4_1_pam_pwquality_state.stdout | length == 0 + when: + - ubtu20cis_rule_5_4_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.4.1 + - pam + +# ------------- +# 
------------- +# There is a bug in pam_tally2.so where the use of the audit keyword may log credentials in the case of user error during authentication. +# To work around this bug the CIS documentation has you setting pam_tally2 to the account section. +# Once bug is fixed please set pam_tally2 to the auth sections. We have those commented out in the task +# ------------- +# ------------- + +# ------------- +# ------------- +# figure out why pam_deny kills vagrant user. Below is everything working but the pam_deny.so in the last task with_items +# ------------- +# ------------- +- name: "AUTOMATED | 5.4.2 | PATCH | Ensure lockout for failed password attempts is configured" + command: /bin/true + changed_when: false + failed_when: false + check_mode: false + # block: + # - name: "AUTOMATED | 5.4.2 | AUDIT | Ensure lockout for failed password attempts is configured | Confirm pam_tally2.so module in common-auth" + # # command: grep 'auth.*required.*pam_tally2.so' /etc/pam.d/common-auth + # command: grep 'auth.*required.*pam_tally2.so' /etc/pam.d/common-account + # changed_when: false + # failed_when: false + # check_mode: false + # register: ubtu20cis_5_4_2_pam_tally2_state + + # - name: "AUTOMATED | 5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_tally2.so settings if exists" + # pamd: + # # name: common-auth + # name: common-account + # # type: auth + # type: account + # control: required + # module_path: pam_tally2.so + # module_arguments: 'onerr=fail + # audit + # silent + # deny=5 + # unlock_time=900' + # when: ubtu20cis_5_4_2_pam_tally2_state.stdout != "" + + # - name: "AUTOMATED | 5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_tally2.so settings if does not exist" + # lineinfile: + # # path: /etc/pam.d/common-auth + # path: /etc/pam.d/common-account + # # line: 'auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900' + # line: 'account required pam_tally2.so onerr=fail 
audit silent deny=5 unlock_time=900' + # insertafter: '^# end of pam-auth-update config' + # when: ubtu20cis_5_4_2_pam_tally2_state == "" + + # - name: "AUTOMATED | 5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_deny.so and pam_tally.so" + # lineinfile: + # path: /etc/pam.d/common-account + # regexp: "{{ item.regexp }}" + # line: "{{ item.line }}" + # insertafter: '^# end of pam-auth-update config' + # with_items: + # # - { regexp: '^accout.*requisite.*pam_deny.so', line: 'account requisite pam_george.so' } + # - { regexp: '^account.*required.*pam_tally.so', line: 'account required pam_tally.so' } + when: + - ubtu20cis_rule_5_4_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.4.2 + - pamd + - notimplemented + +- name: "AUTOMATED | 5.4.3 | PATCH | Ensure password reuse is limited" + block: + - name: "AUTOMATED | 5.4.3 | AUDIT | Ensure password reuse is limited | Confirm pam_pwhistory.so in common-password" + command: grep 'password.*required.*pam_pwhistory.so' /etc/pam.d/common-password + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_5_4_3_pam_pwhistory_state + + - name: "AUTOMATED | 5.4.3 | PATCH | Ensure password reuse is limited | Set remember value if pam_pwhistory exists" + pamd: + name: common-password + type: password + control: required + module_path: pam_pwhistory.so + module_arguments: 'remember={{ ubtu20cis_pamd_pwhistory_remember }}' + state: args_present + when: ubtu20cis_5_4_3_pam_pwhistory_state.stdout | length > 0 + + - name: "AUTOMATED | 5.4.3 | PATCH | Ensure password reuse is limited | Set remember value if pam_pwhistory does no exist" + lineinfile: + path: /etc/pam.d/common-password + line: 'password required pam_pwhistory.so remember={{ ubtu20cis_pamd_pwhistory_remember }}' + insertafter: '^# end of pam-auth-update config' + when: ubtu20cis_5_4_3_pam_pwhistory_state.stdout | length == 0 + when: + - ubtu20cis_rule_5_4_3 + tags: + - 
level1-server + - level1-workstation + - automated + - patch + - rule_5.4.3 + - pamd + +- name: "AUTOMATED | 5.4.4 | PATCH | Ensure password hashing algorithm is SHA-512" + block: + - name: "AUTOMATED | 5.4.4 | AUDIT | Ensure password hashing algorithm is SHA-512 | Confirm pam_unix.so" + shell: grep -E '^\s*password\s+(\S+\s+)+pam_unix\.so\s+(\S+\s+)*sha512\s*(\S+\s*)*(\s+#.*)?$' /etc/pam.d/common-password + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_5_4_4_pam_unix_state + + - name: "AUTOMATED | 5.4.4 | PATCH | Ensure password hashing algorithm is SHA-512 | Set hashing if pam_unix.so exists" + pamd: + name: common-password + type: password + control: '[success=1 default=ignore]' + module_path: pam_unix.so + module_arguments: sha512 + state: args_present + when: ubtu20cis_5_4_4_pam_unix_state.stdout | length > 0 + + - name: "AUTOMATED | 5.4.4 | PATCH | Ensure password hashing algorithm is SHA-512 | Set hashing if pam_unix.so does not exist" + lineinfile: + path: /etc/pam.d/common-password + line: 'password [success=1 default=ignore] pam_unix.so sha512' + insertafter: '^# end of pam-auth-update config' + when: ubtu20cis_5_4_4_pam_unix_state.stdout | length == 0 + when: + - ubtu20cis_rule_5_4_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.4.4 + - pamd diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml new file mode 100644 index 00000000..aa775b7f --- /dev/null +++ b/tasks/section_5/cis_5.5.x.yml 
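Review bot: 5.4.2 is a `command: /bin/true` placeholder that still carries the `AUTOMATED | 5.4.2 | PATCH` title, so a play run reports the failed-login lockout as applied when nothing was changed — and this is the one control in the file whose absence directly enables online password guessing. Until the pam_tally2 work is finished, make the gap visible instead of silent, e.g. `debug: msg: "WARNING: 5.4.2 failed-login lockout is not implemented by this role; configure pam_tally2 manually"`, and keep the `notimplemented` tag. The commented draft also places pam_tally2 only in `common-account`; if I recall the module correctly the counter is incremented by the `auth` entry, so an account-only rule would never lock anyone out — worth confirming against the benchmark text before that code is revived. Tag naming is split between `pam` (5.4.1) and `pamd` (5.4.2–5.4.4).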
@@ -0,0 +1,258 @@ +--- +- name: "AUTOMATED | 5.5.1.1 | PATCH | Ensure minimum days between password changes is configured" + block: + - name: "AUTOMATED | 5.5.1.1 | PATCH | Ensure minimum days between password changes is configured | Set /etc/login.defs PASS_MIN_DAYS" + lineinfile: + path: /etc/login.defs + regexp: '^PASS_MIN_DAYS|^#PASS_MIN_DAYS' + line: 'PASS_MIN_DAYS {{ ubtu20cis_pass.min_days }}' + + - name: "AUTOMATED | 5.5.1.1 | PATCH | Ensure minimum days between password changes is configured | Set existing users PASS_MIN_DAYS" + command: chage --mindays {{ ubtu20cis_pass.min_days }} {{ item }} + failed_when: false + with_items: + - "{{ ubtu20cis_passwd| selectattr('uid', '>=', 1000) | map(attribute='id') | list }}" + when: ubtu20cis_disruption_high + when: + - ubtu20cis_rule_5_5_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.5.1.1 + - user + - login + +- name: "AUTOMATED | 5.5.1.2 | PATCH | Ensure password expiration is 365 days or less" + block: + - name: "AUTOMATED | 5.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Set /etc/login.defs PASS_MAX_DAYS" + lineinfile: + path: /etc/login.defs + regexp: '^PASS_MAX_DAYS|^#PASS_MAX_DAYS' + line: 'PASS_MAX_DAYS {{ ubtu20cis_pass.max_days }}' + insertafter: '# Password aging controls' + + - name: "AUTOMATED | 5.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS" + command: chage --maxdays {{ ubtu20cis_pass.max_days }} {{ item }} + failed_when: false + with_items: + - "{{ ubtu20cis_passwd| selectattr('uid', '>=', 1000) | map(attribute='id') | list }}" + when: ubtu20cis_disruption_high + when: + - ubtu20cis_rule_5_5_1_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.5.1.2 + - user + - login + +- name: "AUTOMATED | 5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more" + block: + - name: "AUTOMATED | 5.5.1.3 | PATCH | Ensure password expiration warning days is 
7 or more | Set /etc/login.defs PASS_WARN_AGE" + lineinfile: + path: /etc/login.defs + regexp: '^PASS_WARN_AGE|^#PASS_WARN_AGE' + line: 'PASS_WARN_AGE {{ ubtu20cis_pass.warn_age }}' + + - name: "AUTOMATED | 5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set existing users PASS_WARN_AGE" + command: chage --warndays {{ ubtu20cis_pass.warn_age }} {{ item }} + failed_when: false + with_items: + - "{{ ubtu20cis_passwd| selectattr('uid', '>=', 1000) | map(attribute='id') | list }}" + when: ubtu20cis_disruption_high + when: + - ubtu20cis_rule_5_5_1_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.5.1.3 + - user + - login + +- name: "AUTOMATED | 5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less" + block: + - name: "AUTOMATED | 5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set inactive period for new users" + command: useradd -D -f {{ ubtu20cis_pass.inactive }} + failed_when: false + + - name: "AUTOMATED | 5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set inactive period for existing users" + command: chage --inactive {{ ubtu20cis_pass.inactive }} {{ item }} + failed_when: false + with_items: + - "{{ ubtu20cis_passwd| selectattr('uid', '>=', 1000) | map(attribute='id') | list }}" + when: ubtu20cis_disruption_high + when: + - ubtu20cis_rule_5_5_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.5.1.4 + - user + - login + +- name: "AUTOMATED | 5.5.1.5 | PATCH | Ensure all users last password change date is in the past" + block: + - name: "AUTOMATED | 5.5.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" + shell: echo $(($(date --utc --date "$1" +%s)/86400)) + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_5_5_1_5_current_time + + - name: "AUTOMATED | 5.5.1.5 | AUDIT | Ensure all users last password change date is in the past | 
Get list of users with last changed PW date in future" + shell: "cat /etc/shadow | awk -F: '{if($3>{{ ubtu20cis_5_5_1_5_current_time.stdout }})print$1}'" + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_5_5_1_5_user_list + + - name: "AUTOMATED | 5.5.1.5 | PATCH | Ensure all users last password change date is in the past | Warn about users" + debug: + msg: + - "WARNING!!!!The following accounts have the last PW change date in the future" + - "{{ ubtu20cis_5_5_1_5_user_list.stdout_lines }}" + when: ubtu20cis_5_5_1_5_user_list.stdout | length > 0 + + - name: "AUTOMATED | 5.5.1.5 | PATCH | Ensure all users last password change date is in the past | Lock accounts with furtre PW changed dates" + command: passwd --expire {{ item }} + failed_when: false + with_items: + - "{{ ubtu20cis_5_5_1_5_user_list.stdout_lines }}" + when: + - ubtu20cis_disruption_high + - ubtu20cis_5_5_1_5_user_list.stdout | length > 0 + when: + - ubtu20cis_rule_5_5_1_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.5.1.5 + - user + - login + +- name: "AUTOMATED | 5.5.2 | PATCH | Ensure system accounts are secured" + block: + - name: "AUTOMATED | 5.5.2 | PATCH | Ensure system accounts are secured | Set system accounts to login" + user: + name: "{{ item }}" + shell: /sbin/nologin + with_items: + - "{{ ubtu20cis_passwd | selectattr('uid', '<', 1000) | map(attribute='id') | list }}" + when: + - item != "root" + - item != "sync" + - item != "shutdown" + - item != "halt" + + - name: "AUTOMATED | 5.5.2 | PATCH | Ensure system accounts are secured | Lock non-root system accounts" + user: + name: "{{ item }}" + password_lock: true + with_items: + - "{{ ubtu20cis_passwd| selectattr('uid', '<', 1000) | map(attribute='id') | list }}" + when: + - item != "root" + when: + - ubtu20cis_rule_5_5_2 + - ubtu20cis_disruption_high + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.5.2 + - user + - system + +- name: 
"AUTOMATED | 5.5.3 | PATCH | Ensure default group for the root account is GID 0" + block: + - name: "AUTOMATED | 5.5.3 | PATCH | Ensure default group for the root account is GID 0 | Set root group to GUID 0" + group: + name: root + gid: 0 + + - name: "AUTOMATED | 5.5.3 | PATCH | Ensure default group for the root account is GID 0 | Set root user to root group" + user: + name: root + group: root + when: + - ubtu20cis_rule_5_5_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.5.3 + - user + - system + +- name: "AUTOMATED | 5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" + block: + - name: "AUTOMATED | 5.5.4 | AUDIT | Ensure default user umask is 027 or more restrictive" + shell: grep -E '^session.*optional.*pam_umask.so' /etc/pam.d/common-session + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_5_5_4_umask_pam_status + + - name: "AUTOMATED | 5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" + lineinfile: + path: /etc/pam.d/common-session + line: 'session optional pam_umask.so' + insertbefore: '^# end of pam-auth-update config' + when: ubtu20cis_5_5_4_umask_pam_status.stdout | length > 0 + + - name: "AUTOMATED | 5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" + replace: + path: "{{ item }}" + regexp: '(^\s+umask) 002' + replace: '\1 027' + with_items: + - /etc/bash.bashrc + - /etc/profile + - /etc/login.defs + when: + - ubtu20cis_rule_5_5_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.5.4 + - user + +- name: "AUTOMATED | 5.5.5 | PATCH | Ensure default user shell timeout is 900 seconds or less" + blockinfile: + create: yes + mode: 0644 + dest: "{{ item.dest }}" + state: "{{ item.state }}" + marker: "# {mark} ANSIBLE MANAGED" + block: | + # Set session timeout - CIS ID 5.5.5 + TMOUT={{ ubtu20cis_shell_session_timeout.timeout }} + readonly TMOUT + export TMOUT + with_items: + - { dest: "{{ 
ubtu20cis_shell_session_timeout.file }}", state: present } + - { dest: /etc/profile, state: "{{ (ubtu20cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" } + - { dest: /etc/bash.bashrc, state: present } + when: + - ubtu20cis_rule_5_5_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.5.5 + - user diff --git a/tasks/section_5/cis_5.6.yml b/tasks/section_5/cis_5.6.yml new file mode 100644 index 00000000..6af98a46 --- /dev/null +++ b/tasks/section_5/cis_5.6.yml @@ -0,0 +1,25 @@ +--- +- name: "MANUAL | 5.6 | AUDIT | Ensure root login is restricted to system console" + block: + - name: "MANUAL | 5.6 | AUDIT | Ensure root login is restricted to system console | Get list of all terminals" + command: cat /etc/securetty + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_5_6_terminal_list + + - name: "MANUAL | 5.6 | AUDIT | Ensure root login is restricted to system console | Message out list" + debug: + msg: + - "WARNING!!!! Below is the list of consoles with root login access" + - "Please review for any conoles that are not in a physically secure location" + - "{{ ubtu20cis_5_6_terminal_list.stdout_lines }}" + when: + - ubtu20cis_rule_5_6 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_5.6 + - user diff --git a/tasks/section_5/cis_5.7.yml b/tasks/section_5/cis_5.7.yml new file mode 100644 index 00000000..c60264a3 --- /dev/null +++ b/tasks/section_5/cis_5.7.yml 
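Review bot: In 5.5.4 the condition on the task that adds `session optional pam_umask.so` is inverted — it runs only when the preceding grep already found the line (`stdout | length > 0`), so on a host where the module is missing nothing is added, and where it is present the task is a no-op; it should read `when: ubtu20cis_5_5_4_umask_pam_status.stdout | length == 0`. The `replace` that follows only rewrites an indented lowercase `umask 002`, so the stock `UMASK 022` in `/etc/login.defs` (different case, different value, no leading whitespace) is left untouched and the control is not met on a default install; use `lineinfile` with `regexp: '^UMASK'` / `line: 'UMASK 027'` for login.defs and widen the rc-file regexp to `'(^\s*umask)\s+0[02]2'`. Hedged: 5.5.2 assigns `/sbin/nologin`, which on Ubuntu only resolves through the merged-/usr symlink; `/usr/sbin/nologin` is the path the package installs.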
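Review bot: The 5.6 audit cannot distinguish an empty `/etc/securetty` from a missing or unreadable one, because `failed_when: false` swallows the `cat` error and the debug then prints an empty list under the heading "consoles with root login access". Check the return code and say so: `- "{{ ubtu20cis_5_6_terminal_list.stdout_lines if ubtu20cis_5_6_terminal_list.rc == 0 else 'WARNING: /etc/securetty could not be read; review how pam_securetty treats a missing file' }}"`. Whether 20.04 ships the file at all is worth verifying rather than assuming, since the absent-file behaviour decides whether this is a finding. Typo in the message: `conoles` → `consoles`.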
@@ -0,0 +1,38 @@ +--- +- name: "AUTOMATED | 5.7 | PATCH | Ensure access to the su command is restricted" + block: + - name: "AUTOMATED | 5.7 | PATCH | Ensure access to the su command is restricted | Check for pam_wheel.so module" + command: grep 'auth.*required.*pam_wheel' /etc/pam.d/su + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_5_7_pam_wheel_status + + - name: "AUTOMATED | 5.7 | PATCH | Ensure access to the su command is restricted | Create empty sugroup" + group: + name: "{{ ubtu20cis_su_group }}" + + - name: "AUTOMATED | 5.7 | PATCH | Ensure access to the su command is restricted | Set pam_wheel if exists" + pamd: + name: su + type: auth + control: required + module_path: pam_wheel.so + module_arguments: 'use_uid group={{ ubtu20cis_su_group }}' + when: ubtu20cis_5_7_pam_wheel_status.stdout | length > 0 + + - name: "AUTOMATED | 5.7 | PATCH | Ensure access to the su command is restricted | Set pam_wheel if does not exist" + lineinfile: + path: /etc/pam.d/su + line: 'auth required pam_wheel.so use_uid group={{ ubtu20cis_su_group }}' + create: yes + when: ubtu20cis_5_7_pam_wheel_status.stdout | length == 0 + when: + - ubtu20cis_rule_5_7 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.7 + - user diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml new file mode 100644 index 00000000..7259f3e6 --- /dev/null +++ b/tasks/section_5/main.yml 
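Review bot: The probe in 5.7, `grep 'auth.*required.*pam_wheel' /etc/pam.d/su`, is unanchored and therefore also matches the commented-out `# auth       required   pam_wheel.so` line that the Debian/Ubuntu su file ships; on such a host `stdout` is non-empty, the `pamd` task tries to update arguments on a rule that does not exist (which, as far as I can tell, changes nothing), and the `lineinfile` fallback is skipped — su stays unrestricted while the play reports ok. Anchor the probe to an active rule: `command: grep -E '^\s*auth\s+required\s+pam_wheel\.so' /etc/pam.d/su`. `create: yes` on the fallback is also a liability: if `/etc/pam.d/su` were genuinely absent, the created file would hold a single auth line and no account/session stack; drop `create:` and let the task fail loudly instead.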
@@ -0,0 +1,21 @@ +--- +- name: "SECTION | 5.1 | Configure time-based job schedulers" + include: cis_5.1.x.yml + +- name: "SECTION | 5.2 | Configure sudo" + include: cis_5.2.x.yml + +- name: "SECTION | 5.3 | Configure SSH Server" + include: cis_5.3.x.yml + +- name: "SECTION | 5.4.x | User PAM" + include: cis_5.4.x.yml + +- name: "SECTION | 5.5.x | User Accounts and Environment" + include: cis_5.5.x.yml + +- name: "SECTION | 5.6 | Ensure root login is restricted to system console" + include: cis_5.6.yml + +- name: "SECTION | 5.7 | Ensure access to the su command is restricted" + include: cis_5.7.yml \ No newline at end of file diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml new file mode 100644 index 00000000..07e1fdb4 --- /dev/null +++ b/tasks/section_6/cis_6.1.x.yml 
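Review bot: All seven entries use the legacy `include:` keyword, which has been deprecated since Ansible 2.4 and is dropped in recent ansible-core releases, so this file will stop loading on a current controller. Replace each with `import_tasks:` — the static form is what keeps the per-task `level1-server` / `rule_*` tags inside the included files selectable with `--tags`; `include_tasks` would need the tags repeated on the include line itself. The file also lacks a trailing newline.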
@@ -0,0 +1,355 @@ +--- +- name: "MANUAL | 6.1.1 | AUDIT | Audit system file permissions" + block: + - name: "MANUAL | 6.1.1 | AUDIT | Audit system file permissions | Register package list" + command: ls -a /bin/ + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_6_1_1_packages + + # - name: "NOTSCORED | 6.1.1 | AUDIT | Audit system file permissions | Audit the packages" + # command: dpkg --verify {{ item }} + # changed_when: false + # failed_when: false + # check_mode: false + # with_items: + # - "{{ ubtu18cis_6_1_1_packages.stdout_lines }}" + # register: ubtu18cis_6_1_1_packages_audited + + - name: "MANUAL | 6.1.1 | AUDIT | Audit system file permissions | Message out packages results for review" + debug: + msg: + - "ALERT!!!! Below are the packages that need to be reviewed." + - "You can run dpkg --verify and if nothing is returned the package is installed correctly" + - "{{ ubtu20cis_6_1_1_packages.stdout_lines }}" + when: + - ubtu20cis_rule_6_1_1 + tags: + - level2-server + - level2-workstation + - manual + - audit + - rule_6.1.1 + - permissions + +- name: "AUTOMATED | 6.1.2 | PATCH | Ensure permissions on /etc/passwd are configured" + file: + path: /etc/passwd + owner: root + group: root + mode: 0644 + when: + - ubtu20cis_rule_6_1_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.1.2 + - permissions + +- name: "AUTOMATED | 6.1.3 | PATCH | Ensure permissions on /etc/passwd- are configured" + file: + path: /etc/passwd- + owner: root + group: root + mode: 0600 + when: + - ubtu20cis_rule_6_1_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.1.3 + - permissions + +- name: "AUTOMATED | 6.1.4 | PATCH | Ensure permissions on /etc/group are configured" + file: + path: /etc/group + owner: root + group: root + mode: 0644 + when: + - ubtu20cis_rule_6_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.1.4 + - permissions + +- name: 
"AUTOMATED | 6.1.5 | PATCH | Ensure permissions on /etc/group- are configured" + file: + path: /etc/group- + owner: root + group: root + mode: 0644 + when: + - ubtu20cis_rule_6_1_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.1.5 + - permissions + +- name: "AUTOMATED | 6.1.6 | PATCH | Ensure permissions on /etc/shadow are configured" + file: + path: /etc/shadow + owner: root + group: shadow + mode: 0640 + when: + - ubtu20cis_rule_6_1_6 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.1.6 + - permissions + +- name: "AUTOMATED | 6.1.7 | PATCH | Ensure permissions on /etc/shadow- are configured" + file: + path: /etc/shadow- + owner: root + group: shadow + mode: 0640 + when: + - ubtu20cis_rule_6_1_7 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.1.7 + - permissions + +- name: "AUTOMATED | 6.1.8 | PATCH | Ensure permissions on /etc/gshadow are configured" + file: + path: /etc/gshadow + owner: root + group: shadow + mode: 0640 + when: + - ubtu20cis_rule_6_1_8 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.1.8 + - permissions + +- name: "AUTOMATED | 6.1.9 | PATCH | Ensure permissions on /etc/gshadow- are configured" + file: + path: /etc/gshadow- + owner: root + group: shadow + mode: 0640 + when: + - ubtu20cis_rule_6_1_9 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.1.9 + - permissions + +- name: "AUTOMATED | 6.1.10 | PATCH | Ensure no world writable files exist" + block: + - name: "AUTOMATED | 6.1.10 | AUDIT | Ensure no world writable files exist | Get list of world-writable files" + shell: find {{ item.mount }} -xdev -type f -perm -0002 + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_6_1_10_wwf + with_items: + - "{{ ansible_mounts }}" + + - name: "AUTOMATED | 6.1.10 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they 
exist" + file: + path: "{{ item }}" + mode: o-w + with_items: + - "{{ ubtu20cis_6_1_10_wwf.results | map(attribute='stdout_lines') | flatten }}" + when: ubtu20cis_no_world_write_adjust + when: + - ubtu20cis_rule_6_1_10 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.1.10 + - permissions + +- name: "AUTOMATED | 6.1.11 | PATCH | Ensure no unowned files or directories exist" + block: + - name: "AUTOMATED | 6.1.11 | AUDIT | Ensure no unowned files or directories exist | Get unowned files or directories" + shell: find {{ item.mount }} -xdev -nouser + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_6_1_11_no_user_items + with_items: + - "{{ ansible_mounts }}" + + - name: "AUTOMATED | 6.1.11 | AUDIT | Ensure no unowned files or directories exist | Flatten no_user_items results for easier use" + set_fact: + ubtu20cis_6_1_11_no_user_items_flatten: "{{ ubtu20cis_6_1_11_no_user_items.results | map(attribute='stdout_lines') | flatten }}" + + - name: "AUTOMATED | 6.1.11 | AUDIT | Ensure no unowned files or directories exist | Alert on unowned files and directories" + debug: + msg: + - "ALERT!!!You have unowned files and are configured to not auto-remediate for this task" + - "Please review the files/directories below and assign an owner" + - "{{ ubtu20cis_6_1_11_no_user_items_flatten }}" + when: + - not ubtu20cis_no_owner_adjust + - ubtu20cis_6_1_11_no_user_items_flatten | length > 0 + + - name: "AUTOMATED | 6.1.11 | PATCH | Ensure no unowned files or directories exist | Set unowned files/directories to configured owner" + file: + path: "{{ item }}" + owner: "{{ ubtu20cis_unowned_owner }}" + with_items: + - "{{ ubtu20cis_6_1_11_no_user_items_flatten }}" + when: + - ubtu20cis_no_owner_adjust + - ubtu20cis_6_1_11_no_user_items_flatten | length > 0 + when: + - ubtu20cis_rule_6_1_11 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.1.11 + - permissions + +- name: "AUTOMATED | 
6.1.12 | PATCH | Ensure no ungrouped files or directories exist" + block: + - name: "AUTOMATED | 6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Get ungrouped fiels or directories" + shell: find {{ item.mount }} -xdev -nogroup + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_6_1_12_ungrouped_items + with_items: + - "{{ ansible_mounts }}" + + - name: "AUTOMATED | 6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Flatten ungrouped_items results for easier use" + set_fact: + ubtu20cis_6_1_12_ungrouped_items_flatten: "{{ ubtu20cis_6_1_12_ungrouped_items.results | map(attribute='stdout_lines') | flatten }}" + + - name: "AUTOMATED | 6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Alert on ungrouped files and directories" + debug: + msg: + - "ALERT!!!!You have ungrouped files/directories and are configured to not auto-remediate for this task" + - "Please review the files/directories below and assign a group" + - "{{ ubtu20cis_6_1_12_ungrouped_items_flatten }}" + when: + - not ubtu20cis_no_group_adjust + - ubtu20cis_6_1_12_ungrouped_items_flatten | length > 0 + + - name: "AUTOMATED | 6.1.12 | PATCH | Ensure no ungrouped files or directories exist | Set ungrouped files/directories to configured group" + file: + path: "{{ item }}" + group: "{{ ubtu20cis_ungrouped_group }}" + with_items: + - "{{ ubtu20cis_6_1_12_ungrouped_items_flatten }}" + when: + - ubtu20cis_no_group_adjust + - ubtu20cis_6_1_12_ungrouped_items_flatten | length > 0 + when: + - ubtu20cis_rule_6_1_12 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.1.12 + - permissions + +- name: "MANUAL | 6.1.13 | AUDIT | Audit SUID executables" + block: + - name: "MANUAL | 6.1.13 | AUDIT | Audit SUID executables | Find SUID executables" + # shell: df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -4000 + shell: find {{ item.mount }} -xdev -type f -perm -4000 + 
changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_6_1_13_suid_executables + with_items: + - "{{ ansible_mounts }}" + + - name: "MANUAL | 6.1.13 | AUDIT | Audit SUID executables | Flatten suid_executables results for easier use" + set_fact: + ubtu20cis_6_1_13_suid_executables_flatten: "{{ ubtu20cis_6_1_13_suid_executables.results | map(attribute='stdout_lines') | flatten }}" + + - name: "MANUAL | 6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" + debug: + msg: + - "ALERT!!!!You have SUID executables" + - "The files are listed below, please confirm the integrity of these binaries" + - "{{ ubtu20cis_6_1_13_suid_executables_flatten }}" + when: + - ubtu20cis_6_1_13_suid_executables_flatten | length > 0 + - not ubtu20cis_suid_adjust + + - name: "MANUAL | 6.1.13 | PATCH | Audit SUID executables | Remove SUID bit" + file: + path: "{{ item }}" + mode: 'u-s' + with_items: + - "{{ ubtu20cis_6_1_13_suid_executables_flatten }}" + when: + - ubtu20cis_suid_adjust + - ubtu20cis_6_1_13_suid_executables_flatten | length > 0 + when: + - ubtu20cis_rule_6_1_13 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_6.1.13 + - permissions + +- name: "MANUAL | 6.1.14 | AUDIT | Audit SGID executables" + block: + - name: "MANUAL |6.1.14 | AUDIT | Audit SGID executables | Find SGID executables" + shell: find {{ item }} -xdev -type f -perm -2000 + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_6_1_14_sgid_executables + with_items: + - "{{ ansible_mounts }}" + + - name: "MANUAL | 6.1.14 | AUDIT | Audit SGID executables | Flatten sgid_executables results for easier use" + set_fact: + ubtu20cis_6_1_14_sgid_executables_flatten: "{{ ubtu20cis_6_1_14_sgid_executables.results | map(attribute='stdout_lines') | flatten }}" + + - name: "MANUAL | 6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" + debug: + msg: + - "ALERT!!!!You have SGID executables" + - "The files 
are listed below, please review the integrity of these binaries" + - "{{ ubtu20cis_6_1_14_sgid_executables_flatten }}" + when: ubtu20cis_6_1_14_sgid_executables_flatten | length > 0 + when: + - ubtu20cis_rule_6_1_14 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_6.1.14 + - permissions diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml new file mode 100644 index 00000000..51bafb6e --- /dev/null +++ b/tasks/section_6/cis_6.2.x.yml 
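Review bot: The 6.1.14 `Find SGID executables` task runs `find {{ item }} -xdev ...` while every sibling loop over `ansible_mounts` uses `{{ item.mount }}`, so the whole mount dict is rendered into the shell line, find fails, and `failed_when: false` hides it — the SGID audit silently reports nothing; it should read `shell: find {{ item.mount | quote }} -xdev -type f -perm -2000`. The same `| quote` is needed on the 6.1.10, 6.1.11, 6.1.12 and 6.1.13 find lines, because a mount-point name taken from host facts is spliced into a shell command unquoted (6.2.6 in the next file already does this correctly with `{{ item.0 | quote }}`). The 6.1.13 `Remove SUID bit` task strips `u-s` from every SUID file on every mount, which on a stock Ubuntu host includes passwd, su and sudo and would break privilege management outright; the benchmark item is a manual audit, so that task should be gated on an explicit allow-list of paths rather than the bare `ubtu20cis_suid_adjust` switch, and should not carry a `PATCH` name inside a block tagged `manual`/`audit`. In 6.1.1 the registered variable is named `_packages` but holds `ls -a /bin/` output (file names including `.` and `..`), so the "run dpkg --verify" advice in the debug message does not apply to what is printed.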
@@ -0,0 +1,566 @@ +--- +- name: "AUTOMATED | 6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords" + block: + - name: "AUTOMATED | 6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Get users not using shadowed passwords" + command: awk -F':' '($2 != "x" ) { print $1}' /etc/passwd + changed_when: false + failed_when: false + register: ubtu20cis_6_2_1_nonshadowed_users + + - name: "AUTOMATED | 6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Alert on findings" + debug: + msg: + - "ALERT! You have users that are not using a shadowed password. Please convert the below accounts to use a shadowed password" + - "{{ ubtu20cis_6_2_1_nonshadowed_users.stdout_lines }}" + when: + - ubtu20cis_6_2_1_nonshadowed_users.stdout | length > 0 + when: + - ubtu20cis_rule_6_2_1 + tags: + - level1-server + - level1-workstation + - automated + - audit + - rule_6.2.1 + - user_accounts + +- name: "AUTOMATED | 6.2.2 | PATCH | Ensure password fields are not empty" + block: + - name: "AUTOMATED | 6.2.2 | AUDIT | Ensure password fields are not empty | Find users with no password" + shell: awk -F":" '($2 == "" ) { print $1 }' /etc/shadow + changed_when: no + check_mode: false + register: ubtu20cis_6_2_2_empty_password_acct + + - name: "AUTOMATED | 6.2.2 | PATCH | Ensure password fields are not empty | Lock users with empty password" + user: + name: "{{ item }}" + password_lock: yes + with_items: + - "{{ ubtu20cis_6_2_2_empty_password_acct.stdout_lines }}" + when: ubtu20cis_6_2_2_empty_password_acct.stdout | length > 0 + when: + - ubtu20cis_rule_6_2_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.2.2 + - user + - permissions + +- name: "AUTOMATED | 6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" + block: + - name: "AUTOMATED | 6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" + shell: pwck -r | grep 'no group' | awk '{ 
gsub("[:\47]",""); print $2}' + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_6_2_3_passwd_gid_check + + - name: "AUTOMATED | 6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" + debug: + msg: "Good News! There are no users that have non-existent GUIDs (Groups)" + when: ubtu20cis_6_2_3_passwd_gid_check.stdout | length == 0 + + - name: "AUTOMATED | 6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" + debug: + msg: "WARNING!!!! The following users have non-existent GIDs (Groups): {{ ubtu20cis_6_2_3_passwd_gid_check.stdout_lines | join (', ') }}" + when: ubtu20cis_6_2_3_passwd_gid_check.stdout | length > 0 + when: + - ubtu20cis_rule_6_2_3 + tags: + - level1-server + - level1-workstation + - automated + - audit + - rule_6.2.3 + - groups + +- name: "AUTOMATED | 6.2.4 | PATCH | Ensure all users' home directories exist" + block: + - name: capture audit task for missing homedirs + block: &u20s_homedir_audit + - name: "AUTOMATED | 6.2.4 | PATCH | Ensure all users' home directories exist | Find users missing home directories" + shell: pwck -r | grep -P {{ ld_regex | quote }} + check_mode: false + register: ubtu20cis_users_missing_home + changed_when: ubtu20cis_6_2_4_audit | length > 0 + # failed_when: 0: success, 1: no grep match, 2: pwck found something + failed_when: ubtu20cis_users_missing_home.rc not in [0,1,2] + + ### NOTE: due to https://github.com/ansible/ansible/issues/24862 This is a shell command, and is quite frankly less than ideal. 
+ - name: "AUTOMATED | 6.2.4 | PATCH | Ensure all users' home directories exist| Creates home directories" + command: "mkhomedir_helper {{ item }}" + # check_mode: "{{ ubtu20cis_disruptive_check_mode }}" + with_items: "{{ ubtu20cis_6_2_4_audit | map(attribute='id') | list }}" + when: + - ubtu20cis_users_missing_home is changed + - ubtu20cis_disruption_high + + ### NOTE: Now we need to address that SELINUX will not let mkhomedir_helper create home directories for UUID < 500, so the ftp user will still show up in a pwck. Not sure this is needed, I need to confirm if that user is removed in an earlier task. + ### ^ Likely doesn't matter as 6.2.7 defines "local interactive users" as those w/ uid 1000-4999 + - name: replay audit task + block: *u20s_homedir_audit + + # CAUTION: debug loops don't show changed since 2.4: + # Fix: https://github.com/ansible/ansible/pull/59958 + - name: "AUTOMATED | 6.2.4 | PATCH | Ensure all users' home directories exist | Alert about correcting owner and group" + debug: msg="You will need to mkdir -p {{ item }} and chown properly to the correct owner and group." 
+ with_items: "{{ ubtu20cis_6_2_4_audit | map(attribute='dir') | list }}" + changed_when: ubtu20cis_audit_complex + when: + - ubtu20cis_users_missing_home is changed + vars: + ld_regex: >- + ^user '(?P.*)': directory '(?P.*)' does not exist$ + ld_users: "{{ ubtu20cis_users_missing_home.stdout_lines | map('regex_replace', ld_regex, '\\g') | list }}" + ubtu20cis_6_2_4_audit: "{{ ubtu20cis_passwd | selectattr('uid', '>=', 1000) | selectattr('id', 'in', ld_users) | list }}" + when: + - ubtu20cis_rule_6_2_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.2.4 + - user + +- name: "AUTOMATED | 6.2.5 | PATCH | Ensure users own their home directories" + file: + path: "{{ item.dir }}" + owner: "{{ item.id }}" + state: directory + with_items: + - "{{ ubtu20cis_passwd }}" + loop_control: + label: "{{ ubtu20cis_passwd_label }}" + when: + - ubtu20cis_rule_6_2_5 + - item.uid >= 1000 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.2.5 + - user + +- name: "AUTOMATED | 6.2.6 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" + block: + - name: "AUTOMATED | 6.2.6 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive | Get home directories" + stat: + path: "{{ item }}" + with_items: "{{ ubtu20cis_passwd | selectattr('uid', '>=', 1000) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" + check_mode: false + register: ubtu20cis_6_2_6_audit + + - name: "AUTOMATED | 6.2.6 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive | Find home directories more 750" + command: find -H {{ item.0 | quote }} -not -type l -perm /027 + register: ubtu20cis_6_2_6_patch_audit + changed_when: ubtu20cis_6_2_6_patch_audit.stdout | length > 0 + check_mode: false + when: + - item.1.exists + with_together: + - "{{ ubtu20cis_6_2_6_audit.results | map(attribute='item') | list }}" + - "{{ ubtu20cis_6_2_6_audit.results | map(attribute='stat') | 
list }}" + loop_control: + label: "{{ item.0 }}" + + - name: "AUTOMATED | 6.2.6 | PATCH | Ensure users' home directories permissions are 750 or more restrictive | Set home perms" + file: + path: "{{ item.0 }}" + recurse: yes + mode: a-st,g-w,o-rwx + register: ubtu20cis_6_2_6_patch + when: + - ubtu20cis_disruption_high + - item.1.exists + with_together: + - "{{ ubtu20cis_6_2_6_audit.results | map(attribute='item') | list }}" + - "{{ ubtu20cis_6_2_6_audit.results | map(attribute='stat') | list }}" + loop_control: + label: "{{ item.0 }}" + + # set default ACLs so the homedir has an effective umask of 0027 + - name: "AUTOMATED | 6.2.6 | PATCH | Ensure users' home directories permissions are 750 or more restrictive | Set ACL's" + acl: + path: "{{ item.0 }}" + default: yes + state: present + recursive: yes + etype: "{{ item.1.etype }}" + permissions: "{{ item.1.mode }}" + when: not ubtu20cis_system_is_container + with_nested: + - "{{ (ansible_check_mode | ternary(ubtu20cis_6_2_6_patch_audit, ubtu20cis_6_2_6_patch)).results | + rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" + - + - etype: group + mode: rx + - etype: other + mode: '0' + when: + - ubtu20cis_rule_6_2_6 + - ubtu20cis_disruption_high + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.2.6 + - user + +- name: "AUTOMATED | 6.2.7 | PATCH | Ensure users' dot files are not group or world writable" + block: + - name: "AUTOMATED | 6.2.7 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files" + shell: find /home/ -name "\.*" -perm /g+w,o+w + changed_when: no + failed_when: no + check_mode: false + register: ubtu20cis_6_2_7_audit + + - name: "AUTOMATED | 6.2.7 | AUDIT | Ensure users' dot files are not group or world-writable | Alert on files found" + debug: + msg: "Good news! 
We have not found any group or world-writable dot files on your sytem" + failed_when: false + changed_when: false + when: + - ubtu20cis_6_2_7_audit.stdout | length == 0 + + - name: "AUTOMATED | 6.2.7 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured" + file: + path: '{{ item }}' + mode: go-w + with_items: "{{ ubtu20cis_6_2_7_audit.stdout_lines }}" + when: + - ubtu20cis_6_2_7_audit.stdout | length > 0 + - ubtu20cis_dotperm_ansibleManaged + when: + - ubtu20cis_rule_6_2_7 + - ubtu20cis_disruption_high + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.2.7 + - user + +- name: "AUTOMATED | 6.2.8 | PATCH | Ensure no users have .netrc files" + file: + dest: "~{{ item }}/.netrc" + state: absent + with_items: + - "{{ ubtu20cis_users.stdout_lines }}" + when: + - ubtu20cis_rule_6_2_8 + - ubtu20cis_disruption_high + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.2.8 + - user + +- name: "AUTOMATED | 6.2.9 | PATCH | Ensure no users have .forward files" + file: + dest: "~{{ item }}/.forward" + state: absent + with_items: + - "{{ ubtu20cis_users.stdout_lines }}" + when: + - ubtu20cis_rule_6_2_9 + - ubtu20cis_disruption_high + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.2.9 + - user + +- name: "AUTOMATED | 6.2.10 | PATCH | Ensure no users have .rhosts files" + file: + dest: "~{{ item }}/.rhosts" + state: absent + with_items: + - "{{ ubtu20cis_users.stdout_lines }}" + when: + - ubtu20cis_rule_6_2_10 + - ubtu20cis_disruption_high + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.2.10 + - user + +- name: "AUTOMATED | 6.2.11 | PATCH | Ensure root is the only UID 0 account" + block: + - name: "AUTOMATED | 6.2.11 | AUDIT | Ensure root is the only UID 0 account | Get non-root users with UID of 0" + shell: awk -F":" '($3 == 0 && $1 != \"root\") {i++;print $1 }' /etc/passwd + changed_when: false + 
failed_when: false + check_mode: false + register: ubtu20cis_6_2_11_uid_0_notroot + + - name: "AUTOMATED | 6.2.11 | PATCH | Ensure root is the only UID 0 account | Lock UID 0 users" + user: + name: "{{ item }}" + password_lock: yes + with_items: + - "{{ ubtu20cis_6_2_11_uid_0_notroot.stdout_lines }}" + when: + - ubtu20cis_disruption_high + - ubtu20cis_6_2_11_uid_0_notroot.stdout | length > 0 + + - name: "AUTOMATED | 6.2.11 | AUDIT | Ensure root is the only UID 0 account | Alert about accounts disruption high" + debug: + msg: + - "ALERT!!!! You have non-root users with a UID of 0 and ubtu18cis_disruption_high enabled" + - "This means the following accounts were password locked and will need to have the UID's manually adjusted" + - "{{ ubtu20cis_6_2_11_uid_0_notroot.stdout_lines }}" + when: + - ubtu20cis_disruption_high + - ubtu20cis_6_2_11_uid_0_notroot.stdout | length > 0 + + - name: "AUTOMATED | 6.2.11 | AUDIT | Ensure root is the only UID 0 account | Alert about accounts disruption low" + debug: + msg: + - "ALERT!!!! 
You have non-root users with a UID of 0 and ubtu18cis_disruption_high disabled" + - "This means no action was taken, you will need to have the UID's of the users below manually adjusted" + - "{{ ubtu20cis_6_2_11_uid_0_notroot.stdout_lines }}" + when: + - not ubtu20cis_disruption_high + - ubtu20cis_6_2_11_uid_0_notroot.stdout | length > 0 + when: + - ubtu20cis_rule_6_2_11 + tags: + - level1-server + - level1-workstation + - automated + - scored + - rule_6.2.11 + - user + - root + +- name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity" + command: /bin/true + changed_when: false + failed_when: false + check_mode: false + # block: + # - name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity | Determine empty value" + # shell: 'echo $PATH | grep ::' + # changed_when: False + # failed_when: ubtu20cis_6_2_12_path_colon.rc == 0 + # check_mode: false + # register: ubtu20cis_6_2_12_path_colon + + # - name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity | Determine colon end" + # shell: 'echo $PATH | grep :$' + # changed_when: False + # failed_when: ubtu20cis_6_2_12_path_colon_end.rc == 0 + # check_mode: false + # register: ubtu20cis_6_2_12_path_colon_end + + # - name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity | Determine working dir" + # shell: echo "$PATH" + # changed_when: False + # failed_when: '"." 
in ubtu20cis_6_2_12_working_dir.stdout_lines' + # check_mode: false + # register: ubtu20cis_6_2_12_working_dir + # - debug: var=ubtu20cis_6_2_12_working_dir + + # - name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity | Check paths" + # stat: + # path: "{{ item }}" + # check_mode: false + # register: ubtu20cis_6_2_12_path_stat + # with_items: + # - "{{ ubtu20cis_6_2_12_working_dir.stdout.split(':') }}" + + # - debug: var=ubtu20cis_6_2_12_path_stat + + # - name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity | Alert on empty value, colon end, and no working dir" + # debug: + # msg: + # - "The following paths have no working directory: {{ ubtu20cis_6_2_12_path_stat.results | selectattr('stat.exists','equalto','false') | map(attribute='item') | list }}" + + # # - name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity | Set permissions" + # # file: + # # path: "{{ item }}" + # # owner: root + # # mode: 'o-w,g-w' + # # follow: yes + # # state: directory + # # with_items: + # # - "{{ ubtu18cis_6_2_12_path_stat | selectattr('exists','==','true') | map(attribute='path') }}" + when: + - ubtu20cis_rule_6_2_12 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.2.12 + - user + - root + - notimplemented + +- name: "AUTOMATED | 6.2.13 | AUDIT | Ensure no duplicate UIDs exist" + block: + - name: "AUTOMATED | 6.2.13 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" + shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_6_2_13_user_uid_check + + - name: "AUTOMATED | 6.2.13 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" + debug: + msg: "Good News! 
There are no duplicate UID's in the system" + when: ubtu20cis_6_2_13_user_uid_check.stdout | length == 0 + + - name: "AUTOMATED | 6.2.13 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" + debug: + msg: "Warning!!!! The following users have UIDs that are duplicates: {{ ubtu20cis_6_2_13_user_uid_check.stdout_lines }}" + when: ubtu20cis_6_2_13_user_uid_check.stdout | length > 0 + when: + - ubtu20cis_rule_6_2_13 + tags: + - level1-server + - level1-workstation + - automated + - audit + - rule_6.2.13 + - user + +- name: "AUTOMATED | 6.2.14 | AUDIT | Ensure no duplicate GIDs exist" + block: + - name: "AUTOMATED | 6.2.14 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" + shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" + changed_when: no + failed_when: no + check_mode: false + register: ubtu20cis_6_2_14_user_user_check + + - name: "AUTOMATED | 6.2.14 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" + debug: + msg: "Good News! 
There are no duplicate GIDs in the system" + when: ubtu20cis_6_2_14_user_user_check.stdout | length == 0 + + - name: "AUTOMATED | 6.2.14 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" + debug: + msg: "Warning: The following groups have duplicate GIDs: {{ ubtu20cis_6_2_14_user_user_check.stdout_lines }}" + when: ubtu20cis_6_2_14_user_user_check.stdout | length > 0 + when: + - ubtu20cis_rule_6_2_14 + tags: + - level1-server + - level1-workstation + - automated + - audit + - rule_6.2.14 + - groups + +- name: "AUTOMATED | 6.2.15 | AUDIT | Ensure no duplicate user names exist" + block: + - name: "AUTOMATED | 6.2.15 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" + shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" + changed_when: no + failed_when: no + check_mode: false + register: ubtu20cis_6_2_15_user_username_check + + - name: "AUTOMATED | 6.2.15 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist" + debug: + msg: "Good News! 
There are no duplicate user names in the system" + when: ubtu20cis_6_2_15_user_username_check.stdout | length == 0 + + - name: "AUTOMATED | 6.2.15 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" + debug: + msg: "Warning: The following user names are duplicates: {{ ubtu20cis_6_2_15_user_username_check.stdout_lines }}" + when: ubtu20cis_6_2_15_user_username_check.stdout | length > 0 + when: + - ubtu20cis_rule_6_2_15 + tags: + - level1-server + - level1-workstation + - automated + - audit + - rule_6.2.15 + - user + +- name: "AUTOMATED | 6.2.16 | AUDIT | Ensure no duplicate group names exist" + block: + - name: "AUTOMATED | 6.2.16 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" + shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_6_2_16_group_group_check + + - name: "AUTOMATED | 6.2.16 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" + debug: + msg: "Good News! 
There are no duplicate group names in the system" + when: ubtu20cis_6_2_16_group_group_check.stdout | length == 0 + + - name: "AUTOMATED | 6.2.16 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" + debug: + msg: "Warning: The following group names are duplicates: {{ ubtu20cis_6_2_16_group_group_check.stdout_lines }}" + when: ubtu20cis_6_2_16_group_group_check.stdout | length > 0 + when: + - ubtu20cis_rule_6_2_16 + tags: + - level1-server + - level1-workstation + - automated + - audit + - rule_6.2.16 + - groups + +- name: "AUTOMATED | 6.2.17 | AUDIT | Ensure shadow group is empty" + block: + - name: "AUTOMATED | 6.2.17 | AUDIT | Ensure shadow group is empty | Get Shadow GID" + shell: grep ^shadow /etc/group | cut -f3 -d":" + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_6_2_17_shadow_gid + + - name: "AUTOMATED | 6.2.17 | AUDIT | Ensure shadow group is empty | List of users with Shadow GID" + shell: awk -F":" '($4 == "{{ ubtu20cis_6_2_17_shadow_gid.stdout }}") { print }' /etc/passwd | cut -f1 -d":" + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_6_2_17_users_shadow_gid + + - name: "AUTOMATED | 6.2.17 | AUDIT | Ensure shadow group is empty | Message on no users" + debug: + msg: "Good News! There are no users with the Shado GID on your system" + when: ubtu20cis_6_2_17_users_shadow_gid.stdout | length == 0 + + - name: "AUTOMATED | 6.2.17 | AUDIT | Ensure shadow group is empty | Message on users with Shadow GID" + debug: + msg: + - "WARNING!!!! 
There are users that are in the Shadow group"
+ - "To conform to CIS standards no users should be in this group"
+ - "Please move the users below into another group"
+ - "{{ ubtu20cis_6_2_17_users_shadow_gid.stdout_lines }}"
+ when: ubtu20cis_6_2_17_users_shadow_gid.stdout | length > 0
+ when:
+ - ubtu20cis_rule_6_2_17
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - audit
+ - rule_6.2.17
+ - groups
+ - user
diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml
new file mode 100644
index 00000000..6849f497
--- /dev/null
+++ b/tasks/section_6/main.yml
@@ -0,0 +1,6 @@
+---
+- name: "SECTION | 6.1 | System File Permissions"
+ include: cis_6.1.x.yml
+
+- name: "SECTION | 6.2 | User and Group Settings"
+ include: cis_6.2.x.yml
\ No newline at end of file
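Review bot: The 6.2.16 `Check for duplicate group names` task runs `getent passwd | cut -d: -f1 | sort -n | uniq -d`, i.e. it inspects user names, not group names, so duplicate groups are never reported; it should read `shell: 'getent group | cut -d: -f1 | sort | uniq -d'`. In 6.2.11 the awk program is a plain (unquoted) YAML scalar, so `\"root\"` reaches awk with the backslashes intact and awk rejects the program, which `failed_when: false` then hides — unless I am misreading the quoting, the UID-0 check always yields an empty result and the lock/alert tasks never fire; writing it as `shell: awk -F":" '($3 == 0 && $1 != "root") { print $1 }' /etc/passwd` fixes it. The two alert messages in that same block name `ubtu18cis_disruption_high`, but the controlling variable is `ubtu20cis_disruption_high`, and the block is tagged `scored` where every other task in the file uses `patch`/`audit`. The 6.2.4 `ld_regex` as shown reads `(?P.*)` and `\\g` with no group names, which looks like lost `<user>`/`<dir>` markers rather than the intended regex — worth confirming against the actual file before merge.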