Initial commit

README.md

@@ -1,2 +1,123 @@
 # egida-role-cis
-EGIDA Ansible CIS Benchmarks Role
+
+[EGIDA](https://github.com/antonioalfa22/egida) Ansible CIS Benchmarks Role.
+
+## Lynis scores
+
+Initial Lynis score: 62%
+
+> With All + Extras
+
+Lynis score: 83%
+
+## Exclusions
+
+### 1 Initial setup
+
+#### 1.1 Filesystem Configuration
+
+* 1.1.2
+* 1.1.5
+* 1.1.6
+* 1.1.7
+* 1.1.8
+* 1.1.9
+* 1.1.10
+* 1.1.11
+* 1.1.12
+* 1.1.13
+* 1.1.14
+* 1.1.15
+* 1.1.16
+* 1.1.17
+* 1.1.18
+* 1.1.19
+* 1.1.20
+* 1.1.21
+* 1.1.22
+* 1.1.23
+
+#### 1.2 Configure software updates
+
+* 1.2.2
+
+#### 1.3 Configure sudo
+
+* 1.3.1
+* 1.3.2
+* 1.3.3
+
+#### 1.5 Secure Boot Settings
+
+* 1.5.4
+
+#### 1.7 Mandatory Access Control
+
+* 1.7.1.1
+* 1.7.1.2
+* 1.7.1.3
+* 1.7.1.4
+
+### 3 Network Configuration
+
+#### 3.7 Disable IPv6
+
+* 3.7
+
+### 4 Logging and auditing
+
+#### 4.1 Configure System accouting
+
+* 4.1.1.4
+* 4.1.2.1
+* 4.1.2.2
+* 4.1.2.3
+* 4.1.11
+
+#### 4.2 Configure Logging
+
+* 4.2.1.2
+* 4.2.1.3
+* 4.2.1.4
+* 4.2.1.5
+* 4.2.1.6
+* 4.2.2.1
+* 4.2.2.2
+* 4.2.2.3
+* 4.2.3
+* 4.3
+
+### 5 Access Autentication and Authorization
+
+#### 5.2 SSH Server configuration
+
+* 5.2.2
+* 5.2.3
+* 5.2.13
+* 5.2.15
+* 5.2.20
+* 5.2.21
+* 5.2.22
+* 5.2.23
+
+#### 5.4 User Accounts and environment
+
+* 5.4.1.5
+* 5.4.2
+* 5.5
+* 5.6
+
+### 6 System file permissions
+
+#### 6.1 System file permissions
+
+* 6.1.1
+* 6.1.10
+* 6.1.11
+* 6.1.12
+* 6.1.13
+* 6.1.14
+
+#### 6.2 User Accounts and environment
+
+* All

ansible.cfg

@@ -0,0 +1,2 @@
+[defaults]
+roles_path = ../

defaults/main.yml

@@ -0,0 +1,89 @@
+---
+# defaults file for Ubuntu-18.04-CIS-Hardering
+
+###############################################
+# Values which modify the behaviour of the role
+###############################################
+
+run_all_level_1: true    # Whether Level 1 of the benchmark should be applied
+run_all_level_2: true    # Whether Level 2 of the benchmark should be applied
+extras: true              # Check if want extras
+
+cis_level_1_exclusions: []         # A list of Level 1 recommendations to exclude (i.e. ['1.1.1.1'])
+#cis_level_1_exclusions: ['1.2.3','1.8']
+cis_level_2_exclusions: []         # A list of Level 2 recommendations to exclude
+
+
+###############################################
+# Check specific values which can be overridden
+###############################################
+
+# ======== 1. Initial Setup ===================
+
+# 1.3.2 AIDE cron settings
+aide_cron:
+  cron_user: root
+  cron_file: /etc/crontab
+  aide_job: '/usr/bin/aide.wrapper --check'
+  aide_minute: 0
+  aide_hour: 5
+  aide_day: '*'
+  aide_month: '*'
+  aide_weekday: '*'
+
+# 1.4.2 GRUB Password
+grub_pass: antonio
+
+# 1.4.3 root Password
+root_pass: antonio
+
+# ======== 3. Network configuration ===================
+
+# 3.4.2 Host allow
+host_allow:
+  - "10.0.0.0/255.0.0.0"
+  - "172.16.0.0/255.240.0.0"
+  - "192.168.0.0/255.255.0.0"
+
+# 3.5.2.1 UFW
+
+ufw_ports_allow: ['22']
+ufw_deny_outgoing: false
+
+# ======== 4. Logging and auditing ===================
+default_auditd: true  # Copy auditd template
+
+
+# ======== 5. SSH Server Configuration ===================
+
+sshd_access:
+  ssh_port: 372
+  allowusers: antonio
+  # allowgroups: systems dba
+  # denyusers:
+  # denygroups:
+
+# 5.3.1  Ensure password creation
+pwquality:
+  - key: 'minlen'
+    value: '14'
+  - key: 'dcredit'
+    value: '-1'
+  - key: 'ucredit'
+    value: '-1'
+  - key: 'ocredit'
+    value: '-1'
+  - key: 'lcredit'
+    value: '-1'
+
+# 5.4.1.1 Password
+
+password:
+  max_days: 365
+  min_days: 7
+  warn_age: 7
+  inactive: 30
+
+
+# ======== EXTRAS ===================
+nameservers: [8.8.8.8, 8.8.4.4]

handlers/main.yml

@@ -0,0 +1,71 @@
+---
+# handlers file for Ubuntu-18.04-CIS-Hardering
+
+# 1.1.2
+- name: systemd restart tmp.mount
+  become: true
+  systemd:
+      name: tmp.mount
+      daemon_reload: true
+      enabled: true
+      masked: false
+      state: reloaded
+  ignore_errors: true
+
+
+# 2.1.1
+- name: restart xinetd
+  become: true
+  service:
+      name: xinetd
+      state: restarted
+
+# 3.1.1
+- name: sysctl flush ipv4 route table
+  become: true
+  sysctl:
+      name: net.ipv4.route.flush
+      value: "1"
+      sysctl_set: true
+
+- name: sysctl flush ipv6 route table
+  become: true
+  sysctl:
+      name: net.ipv6.route.flush
+      value: "1"
+      sysctl_set: true
+
+# 4.1
+- name: restart auditd
+  become: true
+  service:
+      name: auditd
+      state: restarted
+
+- name: load audit rules
+  become: true
+  command: /sbin/augenrules --load
+
+- name: update grub
+  command: update-grub
+
+# 4.1.3
+- name: generate new grub config
+  become: true
+  command: grub-mkconfig -o "{{ grub_cfg.stat.path }}"
+  notify: fix permissions after generate new grub config handler
+
+- name: fix permissions after generate new grub config handler
+  become: true
+  file:
+    path: "/boot/grub/grub.cfg"
+    owner: root
+    group: root
+    mode: 0600
+
+# 5.2
+- name: restart sshd
+  become: true
+  service:
+      name: sshd
+      state: restarted

meta/main.yml

@@ -0,0 +1,18 @@
+galaxy_info:
+  author: Antonio Paya Gonzalez
+  description: Ubuntu 18.04 LTS CIS Benchmarks
+  company: Universidad de Oviedo
+
+
+  license: MIT
+
+  min_ansible_version: 1.2
+
+  galaxy_tags:
+    - Ubuntu
+    - CIS
+    - hardering
+    - security
+    - Ubuntu18.04
+
+dependencies: []

playbook.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Harden Server
+  hosts: localhost
+  connection: local
+  become: yes
+
+  roles:
+    - Ubuntu-18.04-CIS-Hardering

tasks/extras/apt-listchanges.yml

@@ -0,0 +1,11 @@
+---
+
+# EXTRAS - Install apt-listchanges
+
+- name: "EXTRAS - Install apt-listchanges"
+  apt:
+    name: apt-listchanges
+    state: present
+  tags:
+      - extras
+      - apt-listchanges

tasks/extras/clamav.yml

@@ -0,0 +1,14 @@
+---
+
+# EXTRAS - Install clamav
+
+- name: "EXTRAS - Install clamav"
+  apt:
+    name: "{{ item }}"
+    state: present
+  with_items:
+      - clamav
+      - clamav-daemon
+  tags:
+      - extras
+      - clamav

tasks/extras/debian-goodies.yml

@@ -0,0 +1,11 @@
+---
+
+# EXTRAS - Install debian-goodies
+
+- name: "EXTRAS - Install debian-goodies"
+  apt:
+    name: debian-goodies
+    state: present
+  tags:
+      - extras
+      - debian-goodies

tasks/extras/debsecan.yml

@@ -0,0 +1,11 @@
+---
+
+# EXTRAS - Install debsecan
+
+- name: "EXTRAS - Install debsecan"
+  apt:
+    name: debsecan
+    state: present
+  tags:
+      - extras
+      - debsecan

tasks/extras/debsums.yml

@@ -0,0 +1,11 @@
+---
+
+# EXTRAS - Install debsums
+
+- name: "EXTRAS - Install debsums"
+  apt:
+    name: debsums
+    state: present
+  tags:
+      - extras
+      - debsums