Ubuntu 20.04 LTS Support

.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "3.8"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python3-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

README.md

@@ -1,9 +1,9 @@
 # egida-role-cis
 
 <!-- PROJECT SHIELDS -->
-[![EGIDA VERSION](https://img.shields.io/badge/egida-v0.0.1-blue?style=for-the-badge&logo=ansible&color=ff69b4)](https://github.com/egida-kassandra/egida)
+[![EGIDA VERSION](https://img.shields.io/badge/egida-v2.0.0-blue?style=for-the-badge&logo=ansible&color=ff69b4)](https://github.com/egida-kassandra/egida)
 [![GitHub license](https://img.shields.io/badge/license-Apache-blue?style=for-the-badge)](https://github.com/egida-kassandra/egida-role-cis/blob/master/LICENSE)
-[![GitHub release](https://img.shields.io/badge/release-v.0.0.1-yellowgreen?style=for-the-badge)](https://github.com/egida-kassandra/egida-role-cis/releases)
+[![GitHub release](https://img.shields.io/badge/release-v.2.0.0-yellowgreen?style=for-the-badge)](https://github.com/egida-kassandra/egida-role-cis/releases)
 
 <!-- PROJECT LOGO -->
 
@@ -45,7 +45,7 @@
 <!-- ABOUT THE PROJECT -->
 ## About the Project
 
-This role was developed and tested against Ubuntu Linux 16.04 LTS and 18.04 LTS.
+This role was developed and tested against Ubuntu Linux 20.04 LTS.
 
 The CIS Benchmarks used for this repository can be found at [CIS Center for Intenet Security](https://www.cisecurity.org/cis-benchmarks/).
 

defaults/main.yml

@@ -20,6 +20,16 @@ cis_level_2_exclusions: []         # A list of Level 2 recommendations to exclud
 
 # ======== 1. Initial Setup ===================
 
+# 1.1 Filesystem configuration
+disable_cramfs: yes
+disable_freevxfs: yes
+disable_jffs2: yes
+disable_hfs: yes
+disable_hfsplus: yes
+disable_udf: yes
+disable_fat: yes
+temp_dir_size: 1G
+
 # 1.3.2 AIDE cron settings
 aide_cron:
   cron_user: root
@@ -31,11 +41,13 @@ aide_cron:
   aide_month: '*'
   aide_weekday: '*'
 
-# 1.4.2 GRUB Password
-grub_pass: antonio
-
-# 1.4.3 root Password
-root_pass: antonio
+## 1.5.1 Ensure bootloader password is set (using grub): default is no
+set_bootloader_credentials: no
+### Update the default bootloader user and password
+bootloader_credentials: { user: "root", password: "admin1234$" }
+# 1.5.3 Ensure authentication required for single user mode
+set_root_password: yes
+root_password: admin1234$
 
 # ======== 3. Network configuration ===================
 

meta/main.yml

@@ -3,6 +3,11 @@ galaxy_info:
   description: Ubuntu 18.04 LTS CIS Benchmarks
   company: Universidad de Oviedo
 
+  platforms:
+    - name: ubuntu
+      versions:
+        - focal
+        - bionic
 
   license: MIT
 

tasks/level-1.yml

@@ -28,32 +28,58 @@
 - include: "tasks/level-1/1-initial_setup/1.1-Filesystem_configuration/1.1.1.5.yml"
   when: "'1.1.1.5' not in cis_level_1_exclusions"
 
-# 1.1.1.6 (Added)
+# 1.1.1.6
 - include: "tasks/level-1/1-initial_setup/1.1-Filesystem_configuration/1.1.1.6.yml"
   when: "'1.1.1.6' not in cis_level_1_exclusions"
 
 # 1.1.1.7
 - include: "tasks/level-1/1-initial_setup/1.1-Filesystem_configuration/1.1.1.7.yml"
   when: "'1.1.1.7' not in cis_level_1_exclusions"
 
-# 1.1.1.9 (Added)
+# 1.1.1.8
 - include: "tasks/level-1/1-initial_setup/1.1-Filesystem_configuration/1.1.1.8.yml"
   when: "'1.1.1.8' not in cis_level_1_exclusions"
 
-# 1.1.3
-- include: "tasks/level-1/1-initial_setup/1.1-Filesystem_configuration/1.1.3.yml"
-  when: "'1.1.3' not in cis_level_1_exclusions"
+# 1.1.2, 1.1.3, 1.1.4 & 1.1.5
+- include: "tasks/level-1/1-initial_setup/1.1-Filesystem_configuration/1.1.2_5.yml"
+  when: "'1.1.2' not in cis_level_1_exclusions"
 
-# 1.1.4 (Only if 1.1.3 in exclusions)
-- include: "tasks/level-1/1-initial_setup/1.1-Filesystem_configuration/1.1.4.yml"
-  when: "'1.1.4' in cis_level_1_exclusions"
+# 1.1.6, 1.1.7, 1.1.8, 1.1.9
+- include: "tasks/level-1/1-initial_setup/1.1-Filesystem_configuration/1.1.6_9.yml"
+  when: "'1.1.6' not in cis_level_1_exclusions"
+
+# 1.1.10
+- include: "tasks/level-1/1-initial_setup/1.1-Filesystem_configuration/1.1.10.yml"
+  when: "'1.1.10' not in cis_level_1_exclusions"
+
+# 1.1.24
+- include: "tasks/level-1/1-initial_setup/1.1-Filesystem_configuration/1.1.24.yml"
+  when: "'1.1.24' not in cis_level_1_exclusions"
 
 # ======================= 1.2 Configure software updates =================================
 
 # 1.2.1
 - include: "tasks/level-1/1-initial_setup/1.2-Configure_software_updates/1.2.1.yml"
   when: "'1.2.1' in cis_level_1_exclusions"
 
+# 1.2.2
+- include: "tasks/level-1/1-initial_setup/1.2-Configure_software_updates/1.2.2.yml"
+  when: "'1.2.2' in cis_level_1_exclusions"
+
+# ======================= 1.3 Configure sudo =================================
+
+# 1.3.1
+- include: "tasks/level-1/1-initial_setup/1.2-Configure_sudo/1.3.1.yml"
+  when: "'1.3.1' in cis_level_1_exclusions"
+
+# 1.3.2
+- include: "tasks/level-1/1-initial_setup/1.2-Configure_sudo/1.3.2.yml"
+  when: "'1.3.2' in cis_level_1_exclusions"
+
+# 1.3.3
+- include: "tasks/level-1/1-initial_setup/1.2-Configure_sudo/1.3.3.yml"
+  when: "'1.3.3' in cis_level_1_exclusions"
+
 # ======================= 1.4 Filesystem integrity checking ==============================
 - include: "tasks/level-1/1-initial_setup/1.4-Filesystem_integrity/1.4.1.yml"
   when: "'1.4.1' not in cis_level_1_exclusions"

tasks/level-1/1-initial_setup/1.1-Filesystem_configuration/1.1.1.1.yml

@@ -3,20 +3,28 @@
 # 1.1.1.1 - Ensure mounting of cramfs filesystems is disabled
 
 - name: "1.1.1.1 -> Ensure mounting of cramfs filesystems is disabled"
-  lineinfile:
-      dest: /etc/modprobe.d/CIS.conf
-      regexp: "^(#)?install cramfs(\\s|$)"
-      line: "install cramfs /bin/true"
-      state: present
-      owner: root
-      group: root
-      mode: 0644
-      create: true
+  block:
+    - name: "1.1.1.1 -> Ensure mounting of cramfs filesystems is disabled (1/2)"
+      lineinfile:
+        dest: /etc/modprobe.d/CIS.conf
+        regexp: "^(#)?install cramfs(\\s|$)"
+        line: "install cramfs /bin/true"
+        state: present
+        owner: root
+        group: root
+        mode: 0644
+        create: true
+    - name: "1.1.1.1 -> Ensure mounting of cramfs filesystems is disabled (2/2) | modprobe"
+      modprobe:
+        name: cramfs
+        state: absent
+  when: disable_cramfs
   tags:
       - level1
       - scored
       - mount
       - cramfs
+      - modprobe
       - filesystems
       - control_5.1
       - rule_1.1.1.1

tasks/level-1/1-initial_setup/1.1-Filesystem_configuration/1.1.1.2.yml

@@ -3,16 +3,24 @@
 # 1.1.1.2 - Ensure mounting of freevxfs filesystems is disabled
 
 - name: "1.1.1.2 -> Ensure mounting of freevxfs filesystems is disabled"
-  lineinfile:
-      dest: /etc/modprobe.d/CIS.conf
-      regexp: "^(#)?install freevxfs"
-      line: "install freevxfs /bin/true"
-      state: present
-      create: true
+  block:
+    - name: "1.1.1.2 -> Ensure mounting of freevxfs filesystems is disabled (1/2)"
+      lineinfile:
+        dest: /etc/modprobe.d/CIS.conf
+        regexp: "^(#)?install freevxfs"
+        line: "install freevxfs /bin/true"
+        state: present
+        create: true
+    - name: "1.1.1.2 -> Ensure mounting of freevxfs filesystems is disabled (1/2) | modprobe"
+      modprobe:
+        name: freevxfs
+        state: absent
+  when: disable_freevxfs
   tags:
       - level1
       - scored
       - freevxfs
+      - modprobe
       - filesystems
       - control_5.1
       - rule_1.1.1.2

tasks/level-1/1-initial_setup/1.1-Filesystem_configuration/1.1.1.3.yml

@@ -3,16 +3,24 @@
 # 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled
 
 - name: "1.1.1.3 -> Ensure mounting of jffs2 filesystems is disabled"
-  lineinfile:
-      dest: /etc/modprobe.d/CIS.conf
-      regexp: "^(#)?install jffs2(\\s|$)"
-      line: "install jffs2 /bin/true"
-      state: present
-      create: true
+  block:
+    - name: "1.1.1.3 -> Ensure mounting of jffs2 filesystems is disabled (1/2)"
+      lineinfile:
+        dest: /etc/modprobe.d/CIS.conf
+        regexp: "^(#)?install jffs2(\\s|$)"
+        line: "install jffs2 /bin/true"
+        state: present
+        create: true
+    - name: "1.1.1.3 -> Ensure mounting of jffs2 filesystems is disabled (2/2) | modprobe"
+      modprobe:
+        name: jffs2
+        state: absent
+  when: disable_jffs2
   tags:
       - level1
       - scored
       - jffs2
+      - modprobe
       - filesystems
       - control_5.1
       - rule_1.1.1.3

tasks/level-1/1-initial_setup/1.1-Filesystem_configuration/1.1.1.4.yml

@@ -3,16 +3,24 @@
 # 1.1.1.4 Ensure mounting of hfs filesystems is disabled
 
 - name: "1.1.1.4 -> Ensure mounting of hfs filesystems is disabled"
-  lineinfile:
-      dest: /etc/modprobe.d/CIS.conf
-      regexp: "^(#)?install hfs(\\s|$)"
-      line: "install hfs /bin/true"
-      state: present
-      create: true
+  block:
+    - name: "1.1.1.4 -> Ensure mounting of hfs filesystems is disabled (1/2)"
+      lineinfile:
+        dest: /etc/modprobe.d/CIS.conf
+        regexp: "^(#)?install hfs(\\s|$)"
+        line: "install hfs /bin/true"
+        state: present
+        create: true
+    - name: "1.1.1.4 -> Ensure mounting of hfs filesystems is disabled (2/2) | modprobe"
+      modprobe:
+        name: hfs
+        state: absent
+  when: disable_hfs
   tags:
       - level1
       - scored
       - hfs
+      - modprobe
       - filesystems
       - control_5.1
       - rule_1.1.1.4

tasks/level-1/1-initial_setup/1.1-Filesystem_configuration/1.1.1.5.yml

@@ -3,16 +3,24 @@
 # 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled
 
 - name: "1.1.1.5 -> Ensure mounting of hfsplus filesystems is disabled"
-  lineinfile:
-      dest: /etc/modprobe.d/CIS.conf
-      regexp: "^(#)?install hfsplus(\\s|$)"
-      line: "install hfsplus /bin/true"
-      state: present
-      create: true
+  block:
+    - name: "1.1.1.5 -> Ensure mounting of hfsplus filesystems is disabled (1/2)"
+      lineinfile:
+        dest: /etc/modprobe.d/CIS.conf
+        regexp: "^(#)?install hfsplus(\\s|$)"
+        line: "install hfsplus /bin/true"
+        state: present
+        create: true
+    - name: "1.1.1.5 -> Ensure mounting of hfsplus filesystems is disabled (2/2) | modprobe"
+      modprobe:
+        name: hfsplus
+        state: absent
+  when: disable_hfsplus
   tags:
       - level1
       - scored
       - hfsplus
+      - modprobe
       - filesystems
       - control_5.1
       - rule_1.1.1.5

tasks/level-1/1-initial_setup/1.1-Filesystem_configuration/1.1.1.6.yml

@@ -1,18 +1,26 @@
 ---
 
-# 1.1.1.6 Ensure mounting of squashfs filesystems is disabled
+# 1.1.1.6 Ensure mounting of udf filesystems is disabled (1/2)
 
-- name: "1.1.1.6 -> Ensure mounting of squashfs filesystems is disabled"
-  lineinfile:
-      dest: /etc/modprobe.d/CIS.conf
-      regexp: "^(#)?install squashfs(\\s|$)"
-      line: "install squashfs /bin/true"
-      state: present
-      create: true
+- name: "1.1.1.6 -> Ensure mounting of udf filesystems is disabled (1/2)"
+  block:
+    - name: "1.1.1.6 -> Ensure mounting of udf filesystems is disabled (1/2)"
+      lineinfile:
+        dest: /etc/modprobe.d/CIS.conf
+        regexp: "^(#)?install udf(\\s|$)"
+        line: "install udf /bin/true"
+        state: present
+        create: true
+    - name: "1.1.1.6 -> Ensure mounting of udf filesystems is disabled (2/2) | modprobe"
+      modprobe:
+        name: udf
+        state: absent
+  when: disable_udf
   tags:
       - level1
       - scored
-      - squashfs
+      - udf
+      - modprobe
       - filesystems
       - control_5.1
       - rule_1.1.1.6

tasks/level-1/1-initial_setup/1.1-Filesystem_configuration/1.1.1.7.yml

@@ -2,17 +2,25 @@
 
 # 1.1.1.7 Ensure mounting of udf filesystems is disabled
 
-- name: "1.1.1.7 -> Ensure mounting of udf filesystems is disabled"
-  lineinfile:
-      dest: /etc/modprobe.d/CIS.conf
-      regexp: "^(#)?install udf(\\s|$)"
-      line: "install udf /bin/true"
-      state: present
-      create: true
+- name: "1.1.1.7 -> Ensure mounting of FAT filesystems is limited"
+  block:
+    - name: "1.1.1.7 -> Ensure mounting of FAT filesystems is limited (1/2)"
+      lineinfile:
+        dest: /etc/modprobe.d/CIS.conf
+        regexp: "^(#)?install vfat(\\s|$)"
+        line: "install vfat /bin/true"
+        state: present
+        create: true
+    - name: "1.1.1.7 -> Ensure mounting of FAT filesystems is limited (2/2) | modprobe"
+      modprobe:
+        name: vfat
+        state: absent
+  when: disable_fat
   tags:
       - level1
       - scored
-      - udf
+      - fat
+      - modprobe
       - filesystems
       - control_5.1
       - rule_1.1.1.7