diff --git a/.ansible-lint b/.ansible-lint index c7095e24..3b7c3738 100755 --- a/.ansible-lint +++ b/.ansible-lint @@ -3,21 +3,7 @@ parseable: true quiet: true skip_list: - - 'schema' - - 'no-changed-when' - - 'var-spacing' - - 'experimental' - - 'name[play]' - - 'name[casing]' - - 'name[template]' - - 'key-order[task]' - - 'yaml[line-length]' - - '204' - - '305' - - '303' - - '403' - - '306' - - '602' - - '208' + - 'package-latest' + - 'risky-shell-pipe' use_default_rules: true verbosity: 0 diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline deleted file mode 100644 index 45fd9960..00000000 --- a/.config/.secrets.baseline +++ /dev/null 
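Review bot: `package-latest` and `risky-shell-pipe` go into `skip_list` without a word on why, and these are the two rules most likely to hide a real problem in a hardening role (`state: latest` leaves package installs unpinned and non-idempotent; a shell pipeline without `pipefail` masks a failing first command). If the aim is only to stop them failing the run, moving them to `warn_list:` keeps them visible in the output; if they are genuinely not applicable, a one-line justification above each entry is enough, e.g. `# package-latest: skipped because <reason>`. The earlier list also carried numeric ids (`204`, `305`, …) that ansible-lint v24 no longer uses, so dropping those is correct.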
@@ -1,119 +0,0 @@ -{ - "version": "1.4.0", - "plugins_used": [ - { - "name": "ArtifactoryDetector" - }, - { - "name": "AWSKeyDetector" - }, - { - "name": "AzureStorageKeyDetector" - }, - { - "name": "Base64HighEntropyString", - "limit": 4.5 - }, - { - "name": "BasicAuthDetector" - }, - { - "name": "CloudantDetector" - }, - { - "name": "DiscordBotTokenDetector" - }, - { - "name": "GitHubTokenDetector" - }, - { - "name": "HexHighEntropyString", - "limit": 3.0 - }, - { - "name": "IbmCloudIamDetector" - }, - { - "name": "IbmCosHmacDetector" - }, - { - "name": "JwtTokenDetector" - }, - { - "name": "KeywordDetector", - "keyword_exclude": "" - }, - { - "name": "MailchimpDetector" - }, - { - "name": "NpmDetector" - }, - { - "name": "PrivateKeyDetector" - }, - { - "name": "SendGridDetector" - }, - { - "name": "SlackDetector" - }, - { - "name": "SoftlayerDetector" - }, - { - "name": "SquareOAuthDetector" - }, - { - "name": "StripeDetector" - }, - { - "name": "TwilioKeyDetector" - } - ], - "filters_used": [ - { - "path": "detect_secrets.filters.allowlist.is_line_allowlisted" - }, - { - "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", - "min_level": 2 - }, - { - "path": "detect_secrets.filters.heuristic.is_indirect_reference" - }, - { - "path": "detect_secrets.filters.heuristic.is_likely_id_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_lock_file" - }, - { - "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_potential_uuid" - }, - { - "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" - }, - { - "path": "detect_secrets.filters.heuristic.is_sequential_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_swagger_file" - }, - { - "path": "detect_secrets.filters.heuristic.is_templated_secret" - }, - { - "path": "detect_secrets.filters.regex.should_exclude_file", - "pattern": [ - ".config/.gitleaks-report.json", - 
"tasks/parse_etc_password.yml" - ] - } - ], - "results": {}, - "generated_at": "2023-09-20T07:45:19Z" -} diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index e02fe1f0..afe85e03 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -27,7 +27,7 @@ jobs: # This will create messages for first time contributers and direct them to the Discord server welcome: - runs-on: self-hosted + runs-on: ubuntu-latest steps: - uses: actions/first-interaction@main diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a471d22c..acdd8963 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -2,8 +2,8 @@ ##### CI for use by github no need for action to be added ##### Inherited ci: - autofix_prs: false - skip: [detect-aws-credentials, ansible-lint ] + autofix_prs: false + skip: [detect-aws-credentials, ansible-lint ] repos: - repo: https://github.com/pre-commit/pre-commit-hooks @@ -11,12 +11,17 @@ repos: hooks: # Safety - id: detect-aws-credentials + name: Detect AWS Credentials - id: detect-private-key + name: Detect Private Keys # git checks - id: check-merge-conflict + name: Check for merge conflicts - id: check-added-large-files + name: Check for Large files - id: check-case-conflict + name: Check case conflict # General checks - id: trailing-whitespace @@ -27,19 +32,18 @@ repos: types: [text] args: [--markdown-linebreak-ext=md] - id: end-of-file-fixer + name: Ensure line at end of file # Scan for passwords - repo: https://github.com/Yelp/detect-secrets rev: v1.5.0 hooks: - id: detect-secrets - args: [ '--baseline', '.config/.secrets.baseline' ] - repo: https://github.com/gitleaks/gitleaks rev: v8.21.2 hooks: - id: gitleaks - args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint rev: v24.10.0 
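Review bot: `uses: actions/first-interaction@main` on the line after the changed `runs-on` is a floating branch reference; now that this job runs on a GitHub-hosted runner in response to first-time contributors' activity, the action should be pinned to a release tag or, better, a full commit SHA, e.g. `uses: actions/first-interaction@<commit-sha>`. Moving the `welcome` job off `self-hosted` is itself the right call for a workflow driven by external contributors, since it no longer executes on project-owned infrastructure. The rest of the step is outside the hunk.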
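Review bot: Dropping `args: [ '--baseline', '.config/.secrets.baseline' ]` also drops the `should_exclude_file` patterns that baseline carried (`.config/.gitleaks-report.json`, `tasks/parse_etc_password.yml`), so detect-secrets will now scan those files and fail the hook on anything it flags there. The deleted baseline had `"results": {}`, so no previously accepted findings are lost, but the exclusions need re-expressing, either as an `exclude:` pattern on the `detect-secrets` hook entry or with inline `# pragma: allowlist secret` markers as this same commit does in `defaults/main.yml`. Likewise gitleaks no longer reads `.config/.gitleaks-report.json`; if that file remains in the repo it is dead configuration, and if it recorded accepted findings they will resurface on the next run.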
@@ -53,14 +57,15 @@ repos: # https://github.com/ansible/ansible-lint/issues/611 pass_filenames: false always_run: true - additional_dependencies: + # additional_dependencies: # https://github.com/pre-commit/pre-commit/issues/1526 # If you want to use specific version of ansible-core or ansible, feel # free to override `additional_dependencies` in your own hook config # file. - - ansible-core>=2.10.1 + # - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git rev: v1.35.1 # or higher tag hooks: - id: yamllint + name: Check YAML Lint diff --git a/.yamllint b/.yamllint index db1b7584..fa7b6971 100755 --- a/.yamllint +++ b/.yamllint @@ -1,34 +1,38 @@ --- - extends: default - ignore: | tests/ molecule/ .github/ .gitlab-ci.yml *molecule.yml - rules: - indentation: - # Requiring 4 space indentation - spaces: 4 - # Requiring consistent indentation within a file, either indented or not - indent-sequences: consistent - braces: - max-spaces-inside: 1 - level: error - brackets: - max-spaces-inside: 1 - level: error - empty-lines: - max: 1 - line-length: disable - key-duplicates: enable - new-line-at-end-of-file: enable - new-lines: - type: unix - trailing-spaces: enable - truthy: - allowed-values: ['true', 'false'] - check-keys: true + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + comments: + ignore-shebangs: true + min-spaces-from-content: 1 # prettier compatibility + comments-indentation: enable + empty-lines: + max: 1 + indentation: + # Requiring 2 space indentation + spaces: 2 + # Requiring consistent indentation within a file, either indented or not + indent-sequences: consistent + key-duplicates: enable + line-length: disable + new-line-at-end-of-file: enable + new-lines: + type: unix + octal-values: + forbid-implicit-octal: true # yamllint defaults to false + forbid-explicit-octal: true + trailing-spaces: enable + truthy: + allowed-values: ['true', 'false'] + check-keys: true 
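Review bot: Commenting out `additional_dependencies:` and `- ansible-core>=2.10.1` rather than deleting them leaves a dead block whose own comment ("feel free to override `additional_dependencies`") now refers to a key that is not there; either remove the four lines or keep the pin. Without it the ansible-core version the lint hook runs under is whatever ansible-lint v24.10.0 resolves at install time, which is fine if intended but worth stating, e.g. `# ansible-core comes in as a dependency of ansible-lint; pin it here only if lint results drift between runs`.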
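Review bot: `octal-values` with both `forbid-implicit-octal: true` and `forbid-explicit-octal: true` means a bare `0644` or `0o644` anywhere in the role now fails lint, so every `mode:` has to be a quoted string; only the implicit line carries a comment, so add one on the rule itself, e.g. `# bare 0644 / 0o644 are rejected: write file modes as quoted strings, mode: "0644"`. The `ignore:` block still excludes `.github/` and `molecule/`, so the workflow edited in this same commit is not covered by these rules; that may be deliberate given `truthy` would trip on `on:`, but a comment saying so would stop the next reader from re-adding them.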
diff --git a/Changelog.md b/Changelog.md index 798a150f..78f1f010 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,21 @@ # Ubuntu22CIS +## Based on CIS v2.0.0 + +### Do not migrate + +CIS have rewritten with a full release including but not limited to + +- reordering +- new sections and controls in differing sections + +This is a rewrite off approx 75% of controls + +- New variables +- improved audit related checks +- greater options on some controls +- linting improvements and updated to latest + ## Based on CIS V1.0.0 ### 1.1.1 diff --git a/LICENSE b/LICENSE index e9cb70f0..7e51eb7d 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2023 MindPoint Group / Lockdown Enterprise / Lockdown Enterprise Releases +Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README.md b/README.md index af7225cc..3345dfd6 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Configure a Ubuntu 22 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant -### Based on CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0 [Release](https://learn.cisecurity.org/l/799323/2022-09-15/3l9d2k) +### Based on CIS Ubuntu Linux 22.04 LTS Benchmark v2.0.0 [Release](https://downloads.cisecurity.org/#/) ![Org Stars](https://img.shields.io/github/stars/ansible-lockdown?label=Org%20Stars&style=social) ![Stars](https://img.shields.io/github/stars/ansible-lockdown/ubuntu22-cis?label=Repo%20Stars&style=social) diff --git a/collections/requirements.yml b/collections/requirements.yml index 8ebc6180..810c9afc 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml 
@@ -1,14 +1,14 @@ --- collections: - - name: community.general - source: https://github.com/ansible-collections/community.general - type: git + - name: community.general + source: https://github.com/ansible-collections/community.general + type: git - - name: community.crypto - source: https://github.com/ansible-collections/community.crypto - type: git + - name: community.crypto + source: https://github.com/ansible-collections/community.crypto + type: git - - name: ansible.posix - source: https://github.com/ansible-collections/ansible.posix - type: git + - name: ansible.posix + source: https://github.com/ansible-collections/ansible.posix + type: git diff --git a/defaults/main.yml b/defaults/main.yml index a7e6665b..69871962 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -10,6 +10,7 @@ ubtu22cis_section3: true ubtu22cis_section4: true ubtu22cis_section5: true ubtu22cis_section6: true +ubtu22cis_section7: true ## Reboot system before audit # System will reboot if false, can give better audit results @@ -18,7 +19,7 @@ skip_reboot: true ## Benchmark name and profiles used by auditing control role # The audit variable found at the base benchmark: UBUNTU22-CIS -benchmark_version: v1.0.0 +benchmark_version: v2.0.0 # Used for audit ubtu22cis_level_1: true ubtu22cis_level_2: true @@ -33,7 +34,7 @@ ubtu22cis_disruption_high: true ## Unrestricted boot # Setting this variable to false enables the system to # boot *without* querying for the bootloader password. -ubtu22cis_ask_passwd_to_boot: false +ubtu22cis_ask_passwd_to_boot: false # pragma: allowlist secret ## Usage on containerized images # The role discovers dynamically (in tasks/main.yml) whether it 
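Review bot: `# pragma: allowlist secret` appended to `ubtu22cis_ask_passwd_to_boot: false` is a detect-secrets directive with no explanation of what it suppresses, so a reader may assume a credential lives on this line. The value is a boolean and the hit is the word `passwd` in the key name (the baseline this commit deletes lists `KeywordDetector`), so say that on the line above, e.g. `# boolean toggle only; the allowlist pragma silences detect-secrets' keyword match on "passwd"`.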
@@ -118,124 +119,173 @@ system_is_ec2: false ## Section 1 Fixes # Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings, # Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager) + +# 1.1 Filesystems +# 1.1.1 Configure Filesystem Kernel Modules ubtu22cis_rule_1_1_1_1: true ubtu22cis_rule_1_1_1_2: true ubtu22cis_rule_1_1_1_3: true -ubtu22cis_rule_1_1_2_1: true -ubtu22cis_rule_1_1_2_2: true -ubtu22cis_rule_1_1_2_3: true -ubtu22cis_rule_1_1_2_4: true -ubtu22cis_rule_1_1_3_1: true -ubtu22cis_rule_1_1_3_2: true -ubtu22cis_rule_1_1_3_3: true -ubtu22cis_rule_1_1_4_1: true -ubtu22cis_rule_1_1_4_2: true -ubtu22cis_rule_1_1_4_3: true -ubtu22cis_rule_1_1_4_4: true -ubtu22cis_rule_1_1_5_1: true -ubtu22cis_rule_1_1_5_2: true -ubtu22cis_rule_1_1_5_3: true -ubtu22cis_rule_1_1_5_4: true -ubtu22cis_rule_1_1_6_1: true -ubtu22cis_rule_1_1_6_2: true -ubtu22cis_rule_1_1_6_3: true -ubtu22cis_rule_1_1_6_4: true -ubtu22cis_rule_1_1_7_1: true -ubtu22cis_rule_1_1_7_2: true -ubtu22cis_rule_1_1_7_3: true -ubtu22cis_rule_1_1_8_1: true -ubtu22cis_rule_1_1_8_2: true -ubtu22cis_rule_1_1_8_3: true -ubtu22cis_rule_1_1_9: true -ubtu22cis_rule_1_1_10: true -ubtu22cis_rule_1_2_1: true -ubtu22cis_rule_1_2_2: true -ubtu22cis_rule_1_3_1: true -ubtu22cis_rule_1_3_2: true +ubtu22cis_rule_1_1_1_4: true +ubtu22cis_rule_1_1_1_5: true +ubtu22cis_rule_1_1_1_6: true +ubtu22cis_rule_1_1_1_7: true +ubtu22cis_rule_1_1_1_8: true + +# 1.1.2 Configure Filesystem Partitions +# /tmp +ubtu22cis_rule_1_1_2_1_1: true +ubtu22cis_rule_1_1_2_1_2: true +ubtu22cis_rule_1_1_2_1_3: true +ubtu22cis_rule_1_1_2_1_4: true + +# /dev/shm +ubtu22cis_rule_1_1_2_2_1: true +ubtu22cis_rule_1_1_2_2_2: true +ubtu22cis_rule_1_1_2_2_3: true +ubtu22cis_rule_1_1_2_2_4: true + +# /home +ubtu22cis_rule_1_1_2_3_1: true +ubtu22cis_rule_1_1_2_3_2: true +ubtu22cis_rule_1_1_2_3_3: true + +# /var 
+ubtu22cis_rule_1_1_2_4_1: true +ubtu22cis_rule_1_1_2_4_2: true +ubtu22cis_rule_1_1_2_4_3: true + +# /var/tmp +ubtu22cis_rule_1_1_2_5_1: true +ubtu22cis_rule_1_1_2_5_2: true +ubtu22cis_rule_1_1_2_5_3: true +ubtu22cis_rule_1_1_2_5_4: true + +# /var/log +ubtu22cis_rule_1_1_2_6_1: true +ubtu22cis_rule_1_1_2_6_2: true +ubtu22cis_rule_1_1_2_6_3: true +ubtu22cis_rule_1_1_2_6_4: true + +# /var/log/audit +ubtu22cis_rule_1_1_2_7_1: true +ubtu22cis_rule_1_1_2_7_2: true +ubtu22cis_rule_1_1_2_7_3: true +ubtu22cis_rule_1_1_2_7_4: true + +# 1.2 Package mgmt +# 1.2.1 Configure Package repositories +ubtu22cis_rule_1_2_1_1: true +ubtu22cis_rule_1_2_1_2: true +# 1.2.2 Configure Package updates +ubtu22cis_rule_1_2_2_1: true + +# 1.3 Mandatory Access Control +## 1.3.1 Configure AppArmor +ubtu22cis_rule_1_3_1_1: true +ubtu22cis_rule_1_3_1_2: true +ubtu22cis_rule_1_3_1_3: true +ubtu22cis_rule_1_3_1_4: true + +# 1.4 Configure Bootloader ubtu22cis_rule_1_4_1: true ubtu22cis_rule_1_4_2: true -ubtu22cis_rule_1_4_3: true + +# 1.5 Configure additional Process Hardening ubtu22cis_rule_1_5_1: true ubtu22cis_rule_1_5_2: true ubtu22cis_rule_1_5_3: true ubtu22cis_rule_1_5_4: true -ubtu22cis_rule_1_6_1_1: true -ubtu22cis_rule_1_6_1_2: true -ubtu22cis_rule_1_6_1_3: true -ubtu22cis_rule_1_6_1_4: true +ubtu22cis_rule_1_5_5: true + +# 1.6 Configure Command Line Warning Banners +ubtu22cis_rule_1_6_1: true +ubtu22cis_rule_1_6_2: true +ubtu22cis_rule_1_6_3: true +ubtu22cis_rule_1_6_4: true +ubtu22cis_rule_1_6_5: true +ubtu22cis_rule_1_6_6: true + +# 1.7 Configure GNOME Display Manager ubtu22cis_rule_1_7_1: true ubtu22cis_rule_1_7_2: true ubtu22cis_rule_1_7_3: true ubtu22cis_rule_1_7_4: true ubtu22cis_rule_1_7_5: true ubtu22cis_rule_1_7_6: true -ubtu22cis_rule_1_8_1: true -ubtu22cis_rule_1_8_2: true -ubtu22cis_rule_1_8_3: true -ubtu22cis_rule_1_8_4: true -ubtu22cis_rule_1_8_5: true -ubtu22cis_rule_1_8_6: true -ubtu22cis_rule_1_8_7: true -ubtu22cis_rule_1_8_8: true -ubtu22cis_rule_1_8_9: true 
-ubtu22cis_rule_1_8_10: true -ubtu22cis_rule_1_9: true +ubtu22cis_rule_1_7_7: true +ubtu22cis_rule_1_7_8: true +ubtu22cis_rule_1_7_9: true +ubtu22cis_rule_1_7_10: true ## Section 2 Fixes # Section 2 is Services (Special Purpose Services, and service clients) -ubtu22cis_rule_2_1_1_1: true -ubtu22cis_rule_2_1_1_2: true -ubtu22cis_rule_2_1_1_3: true -ubtu22cis_rule_2_1_1_4: true -# Chrony -ubtu22cis_rule_2_1_2_1: true -ubtu22cis_rule_2_1_2_2: true -ubtu22cis_rule_2_1_2_3: true -# systemd-timesyncd -ubtu22cis_rule_2_1_3_1: true -ubtu22cis_rule_2_1_3_2: true - -# ntp -ubtu22cis_rule_2_1_4_1: true -ubtu22cis_rule_2_1_4_2: true -ubtu22cis_rule_2_1_4_3: true -ubtu22cis_rule_2_1_4_4: true -# Services + +# 2.1 Configure Server Services +ubtu22cis_rule_2_1_1: true +ubtu22cis_rule_2_1_2: true +ubtu22cis_rule_2_1_3: true +ubtu22cis_rule_2_1_4: true +ubtu22cis_rule_2_1_5: true +ubtu22cis_rule_2_1_6: true +ubtu22cis_rule_2_1_7: true +ubtu22cis_rule_2_1_8: true +ubtu22cis_rule_2_1_9: true +ubtu22cis_rule_2_1_10: true +ubtu22cis_rule_2_1_11: true +ubtu22cis_rule_2_1_12: true +ubtu22cis_rule_2_1_13: true +ubtu22cis_rule_2_1_14: true +ubtu22cis_rule_2_1_15: true +ubtu22cis_rule_2_1_16: true +ubtu22cis_rule_2_1_17: true +ubtu22cis_rule_2_1_18: true +ubtu22cis_rule_2_1_19: true +ubtu22cis_rule_2_1_20: true +ubtu22cis_rule_2_1_21: true +ubtu22cis_rule_2_1_22: true + +# 2.2 Configure client services ubtu22cis_rule_2_2_1: true ubtu22cis_rule_2_2_2: true ubtu22cis_rule_2_2_3: true ubtu22cis_rule_2_2_4: true ubtu22cis_rule_2_2_5: true ubtu22cis_rule_2_2_6: true -ubtu22cis_rule_2_2_7: true -ubtu22cis_rule_2_2_8: true -ubtu22cis_rule_2_2_9: true -ubtu22cis_rule_2_2_10: true -ubtu22cis_rule_2_2_11: true -ubtu22cis_rule_2_2_12: true -ubtu22cis_rule_2_2_13: true -ubtu22cis_rule_2_2_14: true -ubtu22cis_rule_2_2_15: true -ubtu22cis_rule_2_2_16: true -ubtu22cis_rule_2_2_17: true -# Service Client -ubtu22cis_rule_2_3_1: true -ubtu22cis_rule_2_3_2: true -ubtu22cis_rule_2_3_3: true 
-ubtu22cis_rule_2_3_4: true -ubtu22cis_rule_2_3_5: true -ubtu22cis_rule_2_3_6: true -# Non-essential services -ubtu22cis_rule_2_4: true + +# Ensure time synchronization is in use +ubtu22cis_rule_2_3_1_1: true +# Configure systemd-timesyncd +ubtu22cis_rule_2_3_2_1: true +ubtu22cis_rule_2_3_2_2: true +# Configure Chrony +ubtu22cis_rule_2_3_3_1: true +ubtu22cis_rule_2_3_3_2: true +ubtu22cis_rule_2_3_3_3: true + +# 2.4 Job Schedulers +# 2.4.1 Configure Cron +ubtu22cis_rule_2_4_1_1: true +ubtu22cis_rule_2_4_1_2: true +ubtu22cis_rule_2_4_1_3: true +ubtu22cis_rule_2_4_1_4: true +ubtu22cis_rule_2_4_1_5: true +ubtu22cis_rule_2_4_1_6: true +ubtu22cis_rule_2_4_1_7: true +ubtu22cis_rule_2_4_1_8: true +# Configure At +ubtu22cis_rule_2_4_2_1: true ## Section 3 Network Configuration -# Disable Unused Network +# 3.1 Configure Network Devices ubtu22cis_rule_3_1_1: true ubtu22cis_rule_3_1_2: true -# Network Parameters (Host Only) +ubtu22cis_rule_3_1_3: true +# 3.2 Configure Network Kernel Modules (Host Only) ubtu22cis_rule_3_2_1: true ubtu22cis_rule_3_2_2: true -# Network Parameters (Host and Router) +ubtu22cis_rule_3_2_3: true +ubtu22cis_rule_3_2_4: true +# 3.3 Configure Network Kernel Parameters (Host and Router) ubtu22cis_rule_3_3_1: true ubtu22cis_rule_3_3_2: true ubtu22cis_rule_3_3_3: true 
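Review bot: The section comments added here mix numbered and unnumbered headings: `# 1.2 Package mgmt` and `# 2.4 Job Schedulers` carry their CIS number, while `# Ensure time synchronization is in use` (rules 2.3.1.x) and `# Configure At` (2.4.2.x) do not, and `## 1.3.1 Configure AppArmor` uses a double hash where sibling sub-sections use one. Since this file is read side by side with the benchmark, a uniform `# <number> <title>` form makes lookups easier, e.g. `# 2.3 Time Synchronization`, `# 2.4.2 Configure At`, `# 1.3.1 Configure AppArmor`, and `# 1.2 Package Management` rather than the abbreviation. The same applies to the later hunks of this file (`# Configure iptables software` for 4.3.1.x, `# Configure IPv4 iptables` for 4.3.2.x, `# Configure Chrony` for 2.3.3.x).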
@@ -245,115 +295,47 @@ ubtu22cis_rule_3_3_6: true ubtu22cis_rule_3_3_7: true ubtu22cis_rule_3_3_8: true ubtu22cis_rule_3_3_9: true -# Uncommon Network Protocols -ubtu22cis_rule_3_4_1: true -ubtu22cis_rule_3_4_2: true -ubtu22cis_rule_3_4_3: true -ubtu22cis_rule_3_4_4: true -# Firewall Configuration -# UFW -ubtu22cis_rule_3_5_1_1: true -ubtu22cis_rule_3_5_1_2: true -ubtu22cis_rule_3_5_1_3: true -ubtu22cis_rule_3_5_1_4: true -ubtu22cis_rule_3_5_1_5: true -ubtu22cis_rule_3_5_1_6: true -ubtu22cis_rule_3_5_1_7: true -# nftables -ubtu22cis_rule_3_5_2_1: true -ubtu22cis_rule_3_5_2_2: true -ubtu22cis_rule_3_5_2_3: true -ubtu22cis_rule_3_5_2_4: true -ubtu22cis_rule_3_5_2_5: true -ubtu22cis_rule_3_5_2_6: true -ubtu22cis_rule_3_5_2_7: true -ubtu22cis_rule_3_5_2_8: true -ubtu22cis_rule_3_5_2_9: true -ubtu22cis_rule_3_5_2_10: true -# iptables -ubtu22cis_rule_3_5_3_1_1: true -ubtu22cis_rule_3_5_3_1_2: true -ubtu22cis_rule_3_5_3_1_3: true -ubtu22cis_rule_3_5_3_2_1: true -ubtu22cis_rule_3_5_3_2_2: true -ubtu22cis_rule_3_5_3_2_3: true -ubtu22cis_rule_3_5_3_2_4: true -ubtu22cis_rule_3_5_3_3_1: true -ubtu22cis_rule_3_5_3_3_2: true -ubtu22cis_rule_3_5_3_3_3: true -ubtu22cis_rule_3_5_3_3_4: true - -## Section 4 Fixes -# Section 4 is Logging and Auditing (Configure System Accounting (auditd), Configure Data Retention, and Configure Logging) -ubtu22cis_rule_4_1_1_1: true -ubtu22cis_rule_4_1_1_2: true -ubtu22cis_rule_4_1_1_3: true -ubtu22cis_rule_4_1_1_4: true -ubtu22cis_rule_4_1_2_1: true -ubtu22cis_rule_4_1_2_2: true -ubtu22cis_rule_4_1_2_3: true -# Auditd rules -ubtu22cis_rule_4_1_3_1: true -ubtu22cis_rule_4_1_3_2: true -ubtu22cis_rule_4_1_3_3: true -ubtu22cis_rule_4_1_3_4: true -ubtu22cis_rule_4_1_3_5: true -ubtu22cis_rule_4_1_3_6: true -ubtu22cis_rule_4_1_3_7: true -ubtu22cis_rule_4_1_3_8: true -ubtu22cis_rule_4_1_3_9: true -ubtu22cis_rule_4_1_3_10: true -ubtu22cis_rule_4_1_3_11: true -ubtu22cis_rule_4_1_3_12: true -ubtu22cis_rule_4_1_3_13: true -ubtu22cis_rule_4_1_3_14: true 
-ubtu22cis_rule_4_1_3_15: true -ubtu22cis_rule_4_1_3_16: true -ubtu22cis_rule_4_1_3_17: true -ubtu22cis_rule_4_1_3_18: true -ubtu22cis_rule_4_1_3_19: true -ubtu22cis_rule_4_1_3_20: true -ubtu22cis_rule_4_1_3_21: true -# Auditd file access -ubtu22cis_rule_4_1_4_1: true -ubtu22cis_rule_4_1_4_2: true -ubtu22cis_rule_4_1_4_3: true -ubtu22cis_rule_4_1_4_4: true -ubtu22cis_rule_4_1_4_5: true -ubtu22cis_rule_4_1_4_6: true -ubtu22cis_rule_4_1_4_7: true -ubtu22cis_rule_4_1_4_8: true -ubtu22cis_rule_4_1_4_9: true -ubtu22cis_rule_4_1_4_10: true -ubtu22cis_rule_4_1_4_11: true -# Configure Logging -## journald -ubtu22cis_rule_4_2_1_1_1: true -ubtu22cis_rule_4_2_1_1_2: true -ubtu22cis_rule_4_2_1_1_3: true -ubtu22cis_rule_4_2_1_1_4: true -ubtu22cis_rule_4_2_1_1: true -ubtu22cis_rule_4_2_1_2: true -ubtu22cis_rule_4_2_1_3: true -ubtu22cis_rule_4_2_1_4: true -ubtu22cis_rule_4_2_1_5: true -ubtu22cis_rule_4_2_1_6: true -ubtu22cis_rule_4_2_1_7: true -# rsyslog -ubtu22cis_rule_4_2_2_1: true -ubtu22cis_rule_4_2_2_2: true -ubtu22cis_rule_4_2_2_3: true -ubtu22cis_rule_4_2_2_4: true -ubtu22cis_rule_4_2_2_5: true -ubtu22cis_rule_4_2_2_6: true -ubtu22cis_rule_4_2_2_7: true +ubtu22cis_rule_3_3_10: true +ubtu22cis_rule_3_3_11: true + +## Section 4 Host Based Firewall +# 4.1 Configure UncomplicatedFirewall +ubtu22cis_rule_4_1_1: true +ubtu22cis_rule_4_1_2: true +ubtu22cis_rule_4_1_3: true +ubtu22cis_rule_4_1_4: true +ubtu22cis_rule_4_1_5: true +ubtu22cis_rule_4_1_6: true +ubtu22cis_rule_4_1_7: true +# 4.2 Configure nftables +ubtu22cis_rule_4_2_1: true +ubtu22cis_rule_4_2_2: true ubtu22cis_rule_4_2_3: true -ubtu22cis_rule_4_3: true -ubtu22cis_rule_4_4: true - -## Section 5 Fixes -# Section 5 is Access, Authentication, and Authorization (Configure time-based job schedulers, Configure sudo, Configure SSH Server, Configure PAM -# and User Accounts and Environment) +ubtu22cis_rule_4_2_4: true +ubtu22cis_rule_4_2_5: true +ubtu22cis_rule_4_2_6: true +ubtu22cis_rule_4_2_7: true +ubtu22cis_rule_4_2_8: 
true +ubtu22cis_rule_4_2_9: true +ubtu22cis_rule_4_2_10: true +# Configure iptables software +ubtu22cis_rule_4_3_1_1: true +ubtu22cis_rule_4_3_1_2: true +ubtu22cis_rule_4_3_1_3: true + +# Configure IPv4 iptables +ubtu22cis_rule_4_3_2_1: true +ubtu22cis_rule_4_3_2_2: true +ubtu22cis_rule_4_3_2_3: true +ubtu22cis_rule_4_3_2_4: true +# Configure IPv5 iptables +ubtu22cis_rule_4_3_3_1: true +ubtu22cis_rule_4_3_3_2: true +ubtu22cis_rule_4_3_3_3: true +ubtu22cis_rule_4_3_3_4: true + +## Section 5 Access Control +# 5.1 Configure SSH Server ubtu22cis_rule_5_1_1: true ubtu22cis_rule_5_1_2: true ubtu22cis_rule_5_1_3: true @@ -363,7 +345,20 @@ ubtu22cis_rule_5_1_6: true ubtu22cis_rule_5_1_7: true ubtu22cis_rule_5_1_8: true ubtu22cis_rule_5_1_9: true - +ubtu22cis_rule_5_1_10: true +ubtu22cis_rule_5_1_11: true +ubtu22cis_rule_5_1_12: true +ubtu22cis_rule_5_1_13: true +ubtu22cis_rule_5_1_14: true +ubtu22cis_rule_5_1_15: true +ubtu22cis_rule_5_1_16: true +ubtu22cis_rule_5_1_17: true +ubtu22cis_rule_5_1_18: true +ubtu22cis_rule_5_1_19: true +ubtu22cis_rule_5_1_20: true +ubtu22cis_rule_5_1_21: true +ubtu22cis_rule_5_1_22: true +# 5.2 Configure privilege escalation ubtu22cis_rule_5_2_1: true ubtu22cis_rule_5_2_2: true ubtu22cis_rule_5_2_3: true 
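Review bot: `# Configure IPv5 iptables` above `ubtu22cis_rule_4_3_3_1` is a typo; the 4.3.3.x controls are the ip6tables ones, so the heading should read `# 4.3.3 Configure IPv6 ip6tables`. `ubtu22cis_rule_4_2_8: true` appears split across two lines in this rendering, which looks like an artifact of the page rather than a change, but is worth a glance in the actual file.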
@@ -371,77 +366,149 @@ ubtu22cis_rule_5_2_4: true ubtu22cis_rule_5_2_5: true ubtu22cis_rule_5_2_6: true ubtu22cis_rule_5_2_7: true -ubtu22cis_rule_5_2_8: true -ubtu22cis_rule_5_2_9: true -ubtu22cis_rule_5_2_10: true -ubtu22cis_rule_5_2_11: true -ubtu22cis_rule_5_2_12: true -ubtu22cis_rule_5_2_13: true -ubtu22cis_rule_5_2_14: true -ubtu22cis_rule_5_2_15: true -ubtu22cis_rule_5_2_16: true -ubtu22cis_rule_5_2_17: true -ubtu22cis_rule_5_2_18: true -ubtu22cis_rule_5_2_19: true -ubtu22cis_rule_5_2_20: true -ubtu22cis_rule_5_2_21: true -ubtu22cis_rule_5_2_22: true -ubtu22cis_rule_5_3_1: true -ubtu22cis_rule_5_3_2: true -ubtu22cis_rule_5_3_3: true -ubtu22cis_rule_5_3_4: true -ubtu22cis_rule_5_3_5: true -ubtu22cis_rule_5_3_6: true -ubtu22cis_rule_5_3_7: true -ubtu22cis_rule_5_4_1: true -ubtu22cis_rule_5_4_2: true -ubtu22cis_rule_5_4_3: true -ubtu22cis_rule_5_4_4: true -ubtu22cis_rule_5_4_5: true -ubtu22cis_rule_5_5_1_1: true -ubtu22cis_rule_5_5_1_2: true -ubtu22cis_rule_5_5_1_3: true -ubtu22cis_rule_5_5_1_4: true -ubtu22cis_rule_5_5_1_5: true -ubtu22cis_rule_5_5_2: true -ubtu22cis_rule_5_5_3: true -ubtu22cis_rule_5_5_4: true -ubtu22cis_rule_5_5_5: true -ubtu22cis_rule_5_6: true -ubtu22cis_rule_5_7: true - -## Section 6 Fixes -# Section is System Maintenance (System File Permissions and User and Group Settings) +# 5.3.1 Configure PAM software packages +ubtu22cis_rule_5_3_1_1: true +ubtu22cis_rule_5_3_1_2: true +ubtu22cis_rule_5_3_1_3: true +# 5.3.2 Configure pam-auth-update profiles +ubtu22cis_rule_5_3_2_1: true +ubtu22cis_rule_5_3_2_2: true +ubtu22cis_rule_5_3_2_3: true +ubtu22cis_rule_5_3_2_4: true +# 5.3.3.1 Configure pam_faillock module +ubtu22cis_rule_5_3_3_1_1: true +ubtu22cis_rule_5_3_3_1_2: true +ubtu22cis_rule_5_3_3_1_3: true +# 5.3.3.2 Configure pam_quality module +ubtu22cis_rule_5_3_3_2_1: true +ubtu22cis_rule_5_3_3_2_2: true +ubtu22cis_rule_5_3_3_2_3: true +ubtu22cis_rule_5_3_3_2_4: true +ubtu22cis_rule_5_3_3_2_5: true +ubtu22cis_rule_5_3_3_2_6: true 
+ubtu22cis_rule_5_3_3_2_7: true +ubtu22cis_rule_5_3_3_2_8: true +# 5.3.3.3 Configure pam_history module +# This are added as part of 5.3.2.4 using jinja2 template +ubtu22cis_rule_5_3_3_3_1: true +ubtu22cis_rule_5_3_3_3_2: true +ubtu22cis_rule_5_3_3_3_3: true +# 5.3.3.4 Configure pam_unix module +ubtu22cis_rule_5_3_3_4_1: true +ubtu22cis_rule_5_3_3_4_2: true +ubtu22cis_rule_5_3_3_4_3: true +ubtu22cis_rule_5_3_3_4_4: true +# 5.4 User Accounts and Environment +# 5.4.1 Configure shadow password suite parameters +ubtu22cis_rule_5_4_1_1: true +ubtu22cis_rule_5_4_1_2: true +ubtu22cis_rule_5_4_1_3: true +ubtu22cis_rule_5_4_1_4: true +ubtu22cis_rule_5_4_1_5: true +ubtu22cis_rule_5_4_1_6: true +# 5.4.2 Configure root and system accounts and environment +ubtu22cis_rule_5_4_2_1: true +ubtu22cis_rule_5_4_2_2: true +ubtu22cis_rule_5_4_2_3: true +ubtu22cis_rule_5_4_2_4: true +ubtu22cis_rule_5_4_2_5: true +ubtu22cis_rule_5_4_2_6: true +ubtu22cis_rule_5_4_2_7: true +ubtu22cis_rule_5_4_2_8: true +# 5.4.2 Configure user default environment +ubtu22cis_rule_5_4_3_1: true +ubtu22cis_rule_5_4_3_2: true +ubtu22cis_rule_5_4_3_3: true + +## Section 6 +# 6.1 Configure Filesystem Integrity Checking ubtu22cis_rule_6_1_1: true ubtu22cis_rule_6_1_2: true ubtu22cis_rule_6_1_3: true -ubtu22cis_rule_6_1_4: true -ubtu22cis_rule_6_1_5: true -ubtu22cis_rule_6_1_6: true -ubtu22cis_rule_6_1_7: true -ubtu22cis_rule_6_1_8: true -ubtu22cis_rule_6_1_9: true -ubtu22cis_rule_6_1_10: true -ubtu22cis_rule_6_1_11: true -ubtu22cis_rule_6_1_12: true -ubtu22cis_rule_6_1_13: true -ubtu22cis_rule_6_2_1: true -ubtu22cis_rule_6_2_2: true -ubtu22cis_rule_6_2_3: true -ubtu22cis_rule_6_2_4: true -ubtu22cis_rule_6_2_5: true -ubtu22cis_rule_6_2_6: true -ubtu22cis_rule_6_2_7: true -ubtu22cis_rule_6_2_8: true -ubtu22cis_rule_6_2_9: true -ubtu22cis_rule_6_2_10: true -ubtu22cis_rule_6_2_11: true -ubtu22cis_rule_6_2_12: true -ubtu22cis_rule_6_2_13: true -ubtu22cis_rule_6_2_14: true -ubtu22cis_rule_6_2_15: true 
-ubtu22cis_rule_6_2_16: true -ubtu22cis_rule_6_2_17: true +# 6.2.1.1 Configure systemd-journald service +ubtu22cis_rule_6_2_1_1_1: true +ubtu22cis_rule_6_2_1_1_2: true +ubtu22cis_rule_6_2_1_1_3: true +ubtu22cis_rule_6_2_1_1_4: true +ubtu22cis_rule_6_2_1_1_5: true +ubtu22cis_rule_6_2_1_1_6: true +# 6.2.1.2 Configure systemd-journald service +ubtu22cis_rule_6_2_1_2_1: true +ubtu22cis_rule_6_2_1_2_2: true +ubtu22cis_rule_6_2_1_2_3: true +ubtu22cis_rule_6_2_1_2_4: true +# 6.2.2 Configure Logfiles +ubtu22cis_rule_6_2_2_1: true +# 6.3.1 Configure auditd Service +ubtu22cis_rule_6_3_1_1: true +ubtu22cis_rule_6_3_1_2: true +ubtu22cis_rule_6_3_1_3: true +ubtu22cis_rule_6_3_1_4: true +# 6.3.2 Configure data retention +ubtu22cis_rule_6_3_2_1: true +ubtu22cis_rule_6_3_2_2: true +ubtu22cis_rule_6_3_2_3: true +ubtu22cis_rule_6_3_2_4: true +# 6.3.3 Configure auditd rules +ubtu22cis_rule_6_3_3_1: true +ubtu22cis_rule_6_3_3_2: true +ubtu22cis_rule_6_3_3_3: true +ubtu22cis_rule_6_3_3_4: true +ubtu22cis_rule_6_3_3_5: true +ubtu22cis_rule_6_3_3_6: true +ubtu22cis_rule_6_3_3_7: true +ubtu22cis_rule_6_3_3_8: true +ubtu22cis_rule_6_3_3_9: true +ubtu22cis_rule_6_3_3_10: true +ubtu22cis_rule_6_3_3_11: true +ubtu22cis_rule_6_3_3_12: true +ubtu22cis_rule_6_3_3_13: true +ubtu22cis_rule_6_3_3_14: true +ubtu22cis_rule_6_3_3_15: true +ubtu22cis_rule_6_3_3_16: true +ubtu22cis_rule_6_3_3_17: true +ubtu22cis_rule_6_3_3_18: true +ubtu22cis_rule_6_3_3_19: true +ubtu22cis_rule_6_3_3_20: true +ubtu22cis_rule_6_3_3_21: true +# 6.3.4 Configure audit file access +ubtu22cis_rule_6_3_4_1: true +ubtu22cis_rule_6_3_4_2: true +ubtu22cis_rule_6_3_4_3: true +ubtu22cis_rule_6_3_4_4: true +ubtu22cis_rule_6_3_4_5: true +ubtu22cis_rule_6_3_4_6: true +ubtu22cis_rule_6_3_4_7: true +ubtu22cis_rule_6_3_4_8: true +ubtu22cis_rule_6_3_4_9: true +ubtu22cis_rule_6_3_4_10: true + +## Section 7 +# 7.1 System File Permissions +ubtu22cis_rule_7_1_1: true +ubtu22cis_rule_7_1_2: true +ubtu22cis_rule_7_1_3: true 
+ubtu22cis_rule_7_1_4: true +ubtu22cis_rule_7_1_5: true +ubtu22cis_rule_7_1_6: true +ubtu22cis_rule_7_1_7: true +ubtu22cis_rule_7_1_8: true +ubtu22cis_rule_7_1_9: true +ubtu22cis_rule_7_1_10: true +ubtu22cis_rule_7_1_11: true +ubtu22cis_rule_7_1_12: true +ubtu22cis_rule_7_1_13: true +# 7.2 Local User and Group Settings +ubtu22cis_rule_7_2_1: true +ubtu22cis_rule_7_2_2: true +ubtu22cis_rule_7_2_3: true +ubtu22cis_rule_7_2_4: true +ubtu22cis_rule_7_2_5: true +ubtu22cis_rule_7_2_6: true +ubtu22cis_rule_7_2_7: true +ubtu22cis_rule_7_2_8: true +ubtu22cis_rule_7_2_9: true +ubtu22cis_rule_7_2_10: true ## ## Service configuration variables. 
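Review bot: `# 5.4.2 Configure user default environment` sits above `ubtu22cis_rule_5_4_3_1`–`_5_4_3_3` and duplicates the `# 5.4.2` heading a few lines up; it should read `# 5.4.3 Configure user default environment`. The two journald headings are identical (`# 6.2.1.1 Configure systemd-journald service` and `# 6.2.1.2 Configure systemd-journald service`), so at least one describes the wrong sub-section; in the v2.0.0 benchmark 6.2.1.1 is systemd-journal-remote and 6.2.1.2 is journald — confirm against the task files before renaming. Two smaller ones in the same hunk: `# This are added as part of 5.3.2.4 using jinja2 template` should be `# These are added …`, and the `5.3.3.2` heading's `pam_quality` is the `pam_pwquality` module.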
@@ -449,44 +516,65 @@ ubtu22cis_rule_6_2_17: true ## Set the respective variable to true to keep the service. ## otherwise the service is stopped and disabled ## - -ubtu22cis_allow_autofs: false -ubtu22cis_allow_usb_storage: false +# Service configuration +# Options are +# true to leave installed if exists not changes take place +# false - this removes the package +# mask - if a dependancy for product so cannot be removed +# Server Services +ubtu22cis_autofs_services: false +ubtu22cis_autofs_mask: true ubtu22cis_avahi_server: false -ubtu22cis_cups_server: false +ubtu22cis_avahi_mask: false ubtu22cis_dhcp_server: false -ubtu22cis_ldap_server: false -ubtu22cis_nfs_server: false +ubtu22cis_dhcp_mask: false ubtu22cis_dns_server: false -ubtu22cis_vsftpd_server: false -ubtu22cis_httpd_server: false -ubtu22cis_dovecot_server: false -ubtu22cis_smb_server: false -ubtu22cis_squid_server: false +ubtu22cis_dns_mask: false +ubtu22cis_dnsmasq_server: false +ubtu22cis_dnsmasq_mask: false +ubtu22cis_ftp_server: false +ubtu22cis_ftp_mask: false +ubtu22cis_ldap_server: false +ubtu22cis_ldap_mask: false +ubtu22cis_message_server: false # This is for messaging dovecot and cyrus-imap +ubtu22cis_message_mask: false +ubtu22cis_nfs_server: true +ubtu22cis_nfs_mask: true +ubtu22cis_nis_server: true # set to mask if nis client required +ubtu22cis_nis_mask: false +ubtu22cis_print_server: false # replaces cups +ubtu22cis_print_mask: false +ubtu22cis_rpc_server: true +ubtu22cis_rpc_mask: true +ubtu22cis_rsync_server: false +ubtu22cis_rsync_mask: false +ubtu22cis_samba_server: false +ubtu22cis_samba_mask: false ubtu22cis_snmp_server: false -ubtu22cis_rsync_server: mask # Can be set to true, mask or remove depending on requirements -ubtu22cis_nis_server: false -ubtu22cis_nfs_client: false - -# rpcbind is required by nfs-common which is required on client and server -# The value of the variable is determined automatically, based on the variables -# for NFS server and NFS client. 
-ubtu22cis_rpc_required: "{{ ubtu22cis_nfs_server or ubtu22cis_nfs_client }}" - -## -## Client package configuration variables. -## -## Set the respective variable to `true` to keep the -## client package, otherwise it is uninstalled. -## +ubtu22cis_snmp_mask: false +ubtu22cis_telnet_server: false +ubtu22cis_telnet_mask: false +ubtu22cis_tftp_server: false +ubtu22cis_tftp_mask: false +ubtu22cis_squid_server: false +ubtu22cis_squid_mask: false +ubtu22cis_apache2_server: false +ubtu22cis_apache2_mask: false +ubtu22cis_nginx_server: false +ubtu22cis_nginx_mask: false +ubtu22cis_xinetd_server: false +ubtu22cis_xinetd_mask: false +ubtu22cis_xwindow_server: false # will remove mask not an option +ubtu22cis_is_mail_server: false -ubtu22cis_nis_required: false -ubtu22cis_rsh_required: false -ubtu22cis_talk_required: false +# Client Services +ubtu22cis_nis_client_required: false # Same package as NIS server +ubtu22cis_rsh_client: false +ubtu22cis_talk_client: false ubtu22cis_telnet_required: false ubtu22cis_ldap_clients_required: false +ubtu22cis_ftp_client: false -## ## System functionality configuration variables ## ## There are certain functionalities of a system @@ -508,9 +596,12 @@ ubtu22cis_ipv4_required: true # This variable governs whether ipv6 is enabled or disabled. ubtu22cis_ipv6_required: false -## Desktop requirement toggle # This variable governs, whether CIS rules regarding GDM # and X-Windows are carried out. +## Graphical/Gnome interface required +ubtu22cis_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}" + +# If desktop is required this will set the relevant controls but not remove ubtu22cis_desktop_required: false ## Purge apt packages 
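Review bot: `ubtu22cis_nis_server`, `ubtu22cis_nfs_server` and `ubtu22cis_rpc_server` now default to `true`, where the removed `ubtu22cis_nis_server: false` and `ubtu22cis_nfs_server: false` kept those services off, so a stock run of the role now leaves NIS and NFS installed; if that is intended it needs a comment on each line, otherwise they should go back to `false`. The new header (`# Options are` / `true …` / `false …` / `mask …`) describes one three-valued setting, but what follows are boolean `_server`/`_mask` pairs, and `# set to mask if nis client required` beside a boolean repeats the mismatch; rewrite it along the lines of `# <x>_server: true keeps the package, false removes it; <x>_mask: true masks the unit instead, for packages that are dependencies and cannot be removed` (also fixing `dependancy` and `not changes take place`). The derived `ubtu22cis_rpc_required: "{{ ubtu22cis_nfs_server or ubtu22cis_nfs_client }}"` is replaced by a hard-coded `ubtu22cis_rpc_server: true`, so rpcbind is no longer tied to whether NFS is kept. Finally, the client block mixes `_client` (`ubtu22cis_rsh_client`, `ubtu22cis_ftp_client`) with the old `_required` suffix (`ubtu22cis_telnet_required`, `ubtu22cis_ldap_clients_required`, `ubtu22cis_nis_client_required`); pick one form.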
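Review bot: The two context lines `# This variable governs, whether CIS rules regarding GDM` / `# and X-Windows are carried out.` now sit directly above `## Graphical/Gnome interface required` and `ubtu22cis_gui`, because the `## Desktop requirement toggle` heading they belonged to was removed; they describe `ubtu22cis_desktop_required` and should move down to sit above it. `ubtu22cis_gui` is a default whose value comes from a registered result (`prelim_gnome_present`), so it only means something once the prelim task has run and reads as `false` before that through `default(false)`; one line saying so would help, e.g. `# derived from the prelim_gnome_present stat result; evaluates to false until prelim has run`. The new `# If desktop is required this will set the relevant controls but not remove` is hard to parse — presumably "the related controls are configured but the packages are not removed", if so say that.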
@@ -522,66 +613,33 @@ ubtu22cis_purge_apt: false ## Section 1 Control Variables ## -## tmp mount type -# This variable determines, to which mount type -# the tmp mount type will be set, if it cannot be -# correctly discovered. will force the tmp_mnt type -# if not correctly discovered. -# Possible values are `tmp_systemd` or `fstab`- -expected_tmp_mnt: fstab +## Ability to enabe debug on mounts to assist in troubleshooting +# Mount point changes are set based upon facts created in Prelim +# these then build the variable and options that is passed to the handler to set the mount point for the controls in section1. +ubtu22cis_debug_mount_data: false -## Control 1.3.1 - allow aide to be configured -# AIDE is a file integrity checking tool, similar in nature to Tripwire. -# While it cannot prevent intrusions, it can detect unauthorized changes -# to configuration files by alerting when the files are changed. Review -# the AIDE quick start guide and AIDE documentation before proceeding. -# By setting this variable to `true`, all of the settings related to AIDE will be applied! -ubtu22cis_config_aide: true +## Control 1.1.2 +# If set to `true`, rule will be implemented using the `tmp.mount` systemd-service, +# otherwise fstab configuration will be used. +# These /tmp settings will include nosuid,nodev,noexec to conform to CIS standards. +ubtu22cis_tmp_svc: false -## When Initializing aide this can take longer on some systems -# changing the values enables user to change to thier own requirements -ubtu22cis_aide_init: - # Maximum Time in seconds - async: 45 - # Polling Interval in seconds - poll: 0 +## Controls 1.3.1.x - apparmor +# AppArmor security policies define what system resources applications can access and their privileges. +# This automatically limits the damage that the software can do to files accessible by the calling user. 
+# The following variables are related to the set of rules from section 1.6.1.x -## Control 1.3.2 -# These are the crontab settings for periodical checking of the filesystem's integrity using AIDE. -# The sub-settings of this variable provide the parameters required to configure -# the cron job on the target system. -# Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled -# and executed automatically at a certain point in time. -ubtu22cis_aide_cron: - # This variable represents the user account under which the cron job for AIDE will run. - cron_user: root - # This variable represents the path to the AIDE crontab file. - cron_file: /etc/cron.d/aide_cron - # This variable represents the actual command or script that the cron job - # will execute for running AIDE. - aide_job: '/usr/bin/aide --config /etc/aide/aide.conf --check' - # These variables define the schedule for the cron job - # This variable governs the minute of the time of day when the AIDE cronjob is run. - # It must be in the range `0-59`. - aide_minute: 0 - # This variable governs the hour of the time of day when the AIDE cronjob is run. - # It must be in the range `0-23`. - aide_hour: 5 - # This variable governs the day of the month when the AIDE cronjob is run. - # `*` signifies that the job is run on all days; furthermore, specific days - # can be given in the range `1-31`; several days can be concatenated with a comma. - # The specified day(s) can must be in the range `1-31`. - aide_day: '*' - # This variable governs months when the AIDE cronjob is run. - # `*` signifies that the job is run in every month; furthermore, specific months - # can be given in the range `1-12`; several months can be concatenated with commas. - # The specified month(s) can must be in the range `1-12`. - aide_month: '*' - # This variable governs the weekdays, when the AIDE cronjob is run. 
- # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays - # can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays - # can be concatenated with commas. - aide_weekday: '*' +## Controls 1.3.1.3 and 1.3.1.4 Ensure all AppArmor Profiles are in enforce (1.3.1.3/4) or complain (1.3.1.3) mode + +# This variable disables the implementation of rules 1.3.1.3 and 1.3.1.4 +# regarding enforcing profiles or putting them in complain mode +ubtu22cis_apparmor_disable: false + +# This variable specifies whether enforce mode or complain mode is set in Control 1.3.1.3. +# Possible values are `enforce` and `complain`. +# ATTENTION: if Control 1.3.1.4 is run (e.g., when running level 2 rules), it OVERRIDES control 1.3.1.3 +# and sets `enforce` mode, no matter what this variable's value is. +ubtu22cis_apparmor_mode: complain ## Controls 1.4.x - Boot password # 
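Review bot: The new line `+# The following variables are related to the set of rules from section 1.6.1.x` sits under the renumbered `## Controls 1.3.1.x - apparmor` heading and still cites the old number; it should read `section 1.3.1.x`. The same stale references survive elsewhere in this commit: `as required by control 1.7.1` on the `ubtu22cis_disable_dynamic_motd` context line under the new `1.6.x` banner heading, `## Control 5.5.1.3` above `ubtu22cis_pass_warn_age` between `5.4.1.2` and `5.4.1.5`, and `ubtu22cis_rule_4_1_3_x` under `## Controls 6.3.3.x - Audit template` in the last hunk. `## Ability to enabe debug on mounts` → `enable`.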
@@ -601,25 +659,8 @@ ubtu22cis_grub_file: /boot/grub/grub.cfg # Ability to set file in which the kernel systcl changes are placed ubtu22cis_sysctl_kernel_conf: /etc/sysctl.d/98_cis_kernel.conf -## Controls 1.6.1.x - apparmor -# AppArmor security policies define what system resources applications can access and their privileges. -# This automatically limits the damage that the software can do to files accessible by the calling user. -# The following variables are related to the set of rules from section 1.6.1.x - -## Controls 1.6.1.3 and 1.6.1.4 Ensure all AppArmor Profiles are in enforce (1.6.1.3/4) or complain (1.6.1.3) mode - -# This variable disables the implementation of rules 1.6.1.3 and 1.6.1.4 -# regarding enforcing profiles or putting them in complain mode -ubtu22cis_apparmor_disable: false - -# This variable specifies whether enforce mode or complain mode is set in Control 1.6.1.3. -# Possible values are `enforce` and `complain`. -# ATTENTION: if Control 1.6.1.4 is run (e.g., when running level 2 rules), it OVERRIDES control 1.6.1.3 -# and sets `enforce` mode, no matter what this variable's value is. -ubtu22cis_apparmor_mode: complain - -## Controls 1.7.x - Warning banners -# The controls 1.7.x set various warning banners and protect the respective files +## Controls 1.6.x - Warning banners +# The controls 1.6.x set various warning banners and protect the respective files # by tightening the access rights. # This variable specifies the warning banner displayed to the user 
@@ -632,11 +673,11 @@ ubtu22cis_warning_banner: | # This variable governs, whether dynamic motd is disabled (as required by control 1.7.1) ubtu22cis_disable_dynamic_motd: true -## Controls 1.8.x - Settings for GDM +## Controls 1.7.x - Settings for GDM # This variable specifies the GNOME configuration database file to which configurations are written. # (See https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en) # The default database is `local`. -ubtu22cis_dconf_db_name: local +ubtu22cis_dconf_db_name: "{{ prelim_dconf_db_user | default('local') }}" # This variable governs the number of seconds of inactivity before the screen goes blank. ubtu22cis_screensaver_idle_delay: 900 # This variable governs the number of seconds the screen remains blank before it is locked. 
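Review bot: `ubtu22cis_dconf_db_name` now takes its value from `prelim_dconf_db_user`, but the comment above it still reads as if `local` were simply the chosen default; suggest replacing `# The default database is \`local\`.` with `# Taken from prelim_dconf_db_user when that fact exists, otherwise \`local\`; set explicitly to pin a database.` `prelim_dconf_db_user` is presumably registered in the prelim tasks; if it can be an empty string rather than undefined, `default('local')` does not apply and the template receives an empty name, so `default('local', true)` is the safer guard.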
@@ -646,39 +687,32 @@ ubtu22cis_screensaver_lock_delay: 5 ## Section 2 Control Variables ## -## Control 2.1.1.1 +## Control 2.3.1.1 # This variable choses the tool used for time synchronization -# The three options are `chrony`, `ntp`, and `systemd-timesyncd`. -ubtu22cis_time_sync_tool: "ntp" +# The two options are `chrony`and `systemd-timesyncd`. +ubtu22cis_time_sync_tool: "systemd-timesyncd" -## Controls 2.1.2.1 2.1.3.1, 2.1.4.1 - Configure time pools & servers for chrony, timesyncd, and ntp +## Controls 2.3.x - Configure time pools & servers for chrony and timesyncd # The following variable represents a list of of time server pools used -# for configuring chrony, timesyncd, and ntp. +# for configuring chrony and timesyncd. # Each list item contains two settings, `name` (the domain name of the pool) and synchronization `options`. # The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation # of the time synchronization mechanism you are using. ubtu22cis_time_pool: - - name: time.nist.gov - options: iburst maxsources 4 + - name: time.nist.gov + options: iburst maxsources 4 # The following variable represents a list of of time servers used -# for configuring chrony, timesyncd, and ntp. +# for configuring chrony and timesyncd # Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`. # The default setting for the `options` is `iburst` -- please refer to the documentation # of the time synchronization mechanism you are using. ubtu22cis_time_servers: - - name: time-a-g.nist.gov - options: iburst - - name: time-b-g.nist.gov - options: iburst - - name: time-c-g.nist.gov - options: iburst - -## Control 2.2.15 - Local only mode for mail server -# This variable is used to determine whether you intend to use your machine as a mail server or not. 
-# If you do not intend to use it as such, the mail transfer agent (MTA) will be configured to only -# process local mail, in order to reduce chances of security risks. Set to `false` if your machine -# is not a mail server or to `true` if it is! -ubtu22cis_is_mail_server: false + - name: time-a-g.nist.gov + options: iburst + - name: time-b-g.nist.gov + options: iburst + - name: time-c-g.nist.gov + options: iburst ## ## Section 3 Control Variables @@ -696,12 +730,25 @@ ubtu22cis_ipv6_disable: grub # it, ensuring that wireless interfaces are disabled will not be possible! ubtu22cis_install_network_manager: true +## Control 3.1.3 - Ensure bluetooth Services are not in use +# This control managed how the bluetooth service is managaed +# Options are +# true to leave installed if exists not changes take place +# false - this removes the package +# mask - if a dependancy for product so cannot be removed +ubtu22cis_bluetooth_service: false +ubtu22cis_bluetooth_mask: false + ## Control 3.3.x - Networking configuration # This variable contains the path to the file in which, sysctl saves its configurations. # Its default value is `/etc/sysctl.conf`. ubtu22cis_sysctl_network_conf: /etc/sysctl.conf -## Controls 3.5.1.x, 3.5.2.x, and 3.5.3.x - Firewall configuration +## +## Section 4 Control Variables +## + +## Controls 4.1.x, 4.2.x, and 4.3.x - Firewall configuration # This variable represents the toggle for which firewall package is used. # The options that have an effect on the system are `ufw` and `iptables`. # The option `nftables` is also possible, but will only result in a message, 
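Review bot: The rewritten comment `# The two options are \`chrony\`and \`systemd-timesyncd\`.` lost the space after the closing backtick, and the sibling comment `# for configuring chrony and timesyncd` lost its full stop; `# The two options are \`chrony\` and \`systemd-timesyncd\`.` / `# for configuring chrony and timesyncd.`. With `ntp` no longer an option, the `ubtu22cis_time_sync_tool` comment should also say what an existing inventory that still sets `ntp` gets, since the removed value will pass through unnoticed unless the tasks validate it.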
@@ -713,16 +760,16 @@ ubtu22cis_firewall_package: "ufw" # settings. If set to "true" the task will get done in the prelim section of the role. ubtu22cis_ufw_use_sysctl: true -## Control 3.5.1.5 - Ensure ufw outbound connections are configured +## Control 4.1.5 - Ensure ufw outbound connections are configured # The value of this variable represents the ports for the firewall to allow oubound traffic from. # If you want to allow outbound traffic on all ports, set the variable to `all`, e.g., # `ubtu22cis_ufw_allow_out_ports: "all"`. ubtu22cis_ufw_allow_out_ports: - - 53 - - 80 - - 443 + - 53 + - 80 + - 443 -## Controls 3.5.2.x - nftables +## Controls 4.2.x - nftables # Nftables is not supported in this role. Some tasks have parts of them commented out, this is one example # of such a task. # "ubtu22cis_nftables_table_name" is the name of the table in nftables you want to create. 
@@ -731,68 +778,339 @@ ubtu22cis_ufw_allow_out_ports: # ubtu22cis_nftables_table_name: "inet filter" ## -## Section 4 Control Variables +## Section 5 Control Variables ## +## Controls 5.1.x -- various sshd settings +ubtu22cis_sshd_default_log_level: "INFO" +ubtu22cis_sshd_default_max_auth_tries: 4 +ubtu22cis_sshd_default_max_sessions: 8 +ubtu22cis_sshd_default_login_grace_time: 60 +ubtu22cis_sshd_default_client_alive_interval: 300 +ubtu22cis_sshd_default_client_alive_count_max: 3 +# Removed chacha20-poly1305 due to cve2023-48795 +# all Ciphers, KEX and Macs set to FIPS 140 +# This will nee dto be adjusted according to your site requirements +ubtu22cis_sshd_default_ciphers: + - aes256-gcm@openssh.com + - aes128-gcm@openssh.com + - aes256-ctr + - aes192-ctr + - aes128-ctr +ubtu22cis_sshd_default_macs: + - hmac-sha1 + - hmac-sha2-256 + # - hmac-sha2-384 # hashed out seen as bad ssh2 MAC + - hmac-sha2-512 +ubtu22cis_sshd_default_kex_algorithms: + - ecdh-sha2-nistp256 + - ecdh-sha2-nistp384 + - ecdh-sha2-nistp521 + - diffie-hellman-group-exchange-sha256 + - diffie-hellman-group16-sha512 + - diffie-hellman-group18-sha512 + - diffie-hellman-group14-sha256 + +# This variable is used to control the verbosity of the logging produced by the SSH server. +# The options for setting it are as follows: +# - `QUIET`: Minimal logging; +# - `FATAL`: logs only fatal errors; +# - `ERROR`: logs error messages; +# - `INFO`: logs informational messages in addition to errors; +# - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges; +# - `DEBUG`: generates very detailed debugging information including sensitive information. +ubtu22cis_sshd_log_level: "{{ ubtu22cis_sshd_default_log_level }}" +# This variable specifies the maximum number of authentication attempts that are +# allowed for a single SSH session. 
+ubtu22cis_sshd_max_auth_tries: "{{ ubtu22cis_sshd_default_max_auth_tries }}" +# This variable specifies the encryption algorithms that can be used for securing +# data transmission. +ubtu22cis_sshd_ciphers: "{{ ubtu22cis_sshd_default_ciphers }}" +# This variable specifies a list of message authentication code algorithms (MACs) that are allowed for verifying +# the integrity of data exchanged. +ubtu22cis_sshd_macs: "{{ ubtu22cis_sshd_default_macs }}" +# This variable is used to state the key exchange algorithms used to establish secure encryption +# keys during the initial connection setup. +ubtu22cis_sshd_kex_algorithms: "{{ ubtu22cis_sshd_default_kex_algorithms }}" +# This variable sets the time interval in seconds between sending "keep-alive" +# messages from the server to the client. These types of messages are intended to +# keep the connection alive and prevent it being terminated due to inactivity. +ubtu22cis_sshd_client_alive_interval: "{{ ubtu22cis_sshd_default_client_alive_interval }}" +# This variable sets the maximum number of unresponsive "keep-alive" messages +# that can be sent from the server to the client before the connection is considered +# inactive and thus, closed. +ubtu22cis_sshd_client_alive_count_max: "{{ ubtu22cis_sshd_default_client_alive_count_max }}" +# This variable specifies the amount of seconds allowed for successful authentication to +# the SSH server. +ubtu22cis_sshd_login_grace_time: "{{ ubtu22cis_sshd_default_login_grace_time }}" +# This variables is used to set the maximum number of open sessions per connection. +ubtu22cis_sshd_max_sessions: "{{ ubtu22cis_sshd_default_max_sessions }}" +# This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH +# access for users whose user name matches one of the patterns. This is done +# by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file. 
+# If an USER@HOST format will be used, the specified user will be allowed only on that particular host. +# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. +# For more info, see https://linux.die.net/man/5/sshd_config +ubtu22cis_sshd_allow_users: "" +# (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access +# for users whose primary group or supplementary group list matches one of the patterns. This is done +# by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file. +# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. +# For more info, https://linux.die.net/man/5/sshd_config +ubtu22cis_sshd_allow_groups: "" +# This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access +# for users whose user name matches one of the patterns. This is done +# by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file. +# If an USER@HOST format will be used, the specified user will be restricted only on that particular host. +# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. +# For more info, see https://linux.die.net/man/5/sshd_config +ubtu22cis_sshd_deny_users: "" +# This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access +# for users whose primary group or supplementary group list matches one of the patterns. This is done +# by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file. +# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. +# For more info, see https://linux.die.net/man/5/sshd_config +ubtu22cis_sshd_deny_groups: "" + +## Control 5.2.1 +# This variable represents the name of the sudo package to install +# CIS recommends `sudo` or, if LDAP functionality is required, `sudo-ldap`. 
+ubtu22cis_sudo_package: "sudo" -## Control 4.1.1.4 - Ensure audit_backlog_limit is sufficient -# This variable represents the audit backlog limit, i.e., the maximum number of audit records that the -# system can buffer in memory, if the audit subsystem is unable to process them in real-time. -# Buffering in memory is useful in situations, where the audit system is overwhelmed -# with incoming audit events, and needs to temporarily store them until they can be processed. -# This variable should be set to a sufficient value. The CIS baseline recommends at least `8192` as value. -ubtu22cis_audit_back_log_limit: 8192 +## Control 5.2.3 +# This variable defines the path and file name of the sudo log file. +ubtu22cis_sudo_logfile: "/var/log/sudo.log" +## Control 5.2.6 +# This variable sets the duration (in minutes) during which a user's authentication credentials +# are cached after successfully authenticating using "sudo". This allows the user to execute +# multiple commands with elevated privileges without needing to re-enter their password for each +# command within the specified time period. CIS requires a value of at most 15 minutes. +ubtu22cis_sudo_timestamp_timeout: 15 +## Control 5.2.7 +# This variable determines the group of users that are allowed to use the su command. +# one to specify a user group that is allowed to use the "su" command. +# CIS requires that such a group be created (named according to site policy) and be kept empty. +ubtu22cis_sugroup: nosugroup -## Control 4.1.2.1 - Ensure audit log storage size is configured -# This variable specifies the maximum size in MB that an audit log file can reach -# before it is archived or deleted to make space for the new audit data. -# This should be set based on your sites policy. CIS does not provide a specific value. 
-ubtu22cis_max_log_file_size: 10 +## 5.3.2.x +# Path to find templates and where to put file for pam-auth +ubtu22cis_pam_confd_dir: 'usr/share/pam-configs/' +### Note: controls also managed with disruption high due to the nature of pam changes +# Create file will create/replace with the name + +# Controls 5.3.2.1 - pam_unix +# Name of file for the pam unix configuration +ubtu22cis_pam_pwunix_file: 'pam_unix' +# Should NOT be enabled if allowing custom config that enabled pam_faillock +ubtu22cis_pam_create_pamunix_file: false +# Allow pam-auth-update --enable ubtu22cis_pam_pwunix_file to run +ubtu22cis_pam_auth_unix: true + +# 5.3.2.2 - pam_faillock +# Name of files for pam +ubtu22cis_pam_faillock_file: 'faillock' +ubtu22cis_pam_faillock_notify_file: 'faillock_notify' +# Allow pam-auth-update --enable ubtu22cis_pam_faillock_file +# and +# Allow pam-auth-update --enable ubtu22cis_pam_faillock_notify_file +ubtu22cis_pam_auth_faillock: true +# Allow new file to be created or overwrite existing with same name +ubtu22cis_pam_create_faillock_files: true + +# 5.3.2.3 - pam_pwquality +# Name of file for pwquality +ubtu22cis_pam_pwquality_file: 'pwquality' +# Allow new file to be created or overwrite existing with same name +ubtu22cis_pam_create_pwquality_files: true +# Allow pam-auth-update --enable ubtu22cis_pam_pwquality_file +ubtu22cis_pam_auth_pwquality: true + +# 5.3.2.4 - pam_pwhistory +# Name of file for the pam history file +ubtu22cis_pam_pwhistory_file: 'pwhistory' +# Allow new file to be created or overwrite existing with same name +# filepath also affects controls 5.3.3.3.1, 5.3.3.3.2, 5.3.3.3.3 +ubtu22cis_pam_create_pwhistory_files: true +# Allow pam-auth-update --enable ubtu22cis_pam_pwhistory_file +ubtu22cis_pam_auth_pwhistory: true + +# 5.3.3.1.1 - faillock_deny +# Lock systen using faillock fate 3 bad tries +ubtu22cis_faillock_deny: 3 + +# 5.3.3.1.2 - faillock unlock time +# Timeout before releasing the faillock on an account +ubtu22cis_faillock_unlock_time: 
900 + +# 5.3.3.1.3 - lock root +# This gives the ablity to even_deny_root and or add a root_unlock_time in the options +# Option is used for the regexp to be amended and stirng is what to replace with. +ubtu22cis_pamroot_lock_option: even_deny_root +ubtu22cis_pamroot_lock_string: even_deny_root + +# 5.3.3.2.1 - password difok +# Pam difok settings - file and number of difference that must take place in the file +# difok = the minimum number of characters that must be different from the old password +ubtu22cis_passwd_difok_file: etc/security/pwquality.conf.d/50-pwdifok.conf # pragma: allowlist secret +ubtu22cis_passwd_difok_value: 2 + +# 5.3.3.2.2 - password minlength +# minlen = minimum password length +ubtu22cis_passwd_minlen_file: etc/security/pwquality.conf.d/50-pwlength.conf # pragma: allowlist secret +ubtu22cis_passwd_minlen_value: 14 + +# 5.3.3.2.3 - password complex +ubtu22cis_passwd_complex_file: etc/security/pwquality.conf.d/50-pwcomplexity.conf # pragma: allowlist secret +ubtu22cis_passwd_minclass: 3 # minclass = the minimum number of character types that must be used (i.e., uppercase, lowercase, digits, other) +ubtu22cis_passwd_dcredit: -1 # dcredit = maximum number of digits that will generate a credit +ubtu22cis_passwd_ucredit: -2 # ucredit = maximum number of uppercase characters that will generate a credit +ubtu22cis_passwd_ocredit: 0 # ocredit = maximum number of other characters that will generate a credit +ubtu22cis_passwd_lcredit: -2 # lcredit = maximum number of lowercase characters that will generate a credit + +# 5.3.3.2.4 - password maxrepeat +# maxrepeat = the maximum number of times a single character may be repeated +ubtu22cis_passwd_maxrepeat_file: etc/security/pwquality.conf.d/50-pwrepeat.conf # pragma: allowlist secret +ubtu22cis_passwd_maxrepeat_value: 3 + +# 5.3.3.2.5 - password maxsequence +ubtu22cis_passwd_maxsequence_file: etc/security/pwquality.conf.d/50-pwmaxsequence.conf # pragma: allowlist secret 
+ubtu22cis_passwd_maxsequence_value: 3 + +# 5.3.3.2.6 - password dictcheck +# dictcheck = whether to check for the words from the cracklib dictionary (enabled if the value is not 0) +ubtu22cis_passwd_dictcheck_file: etc/security/pwquality.conf.d/50-pwdictcheck.conf # pragma: allowlist secret +ubtu22cis_passwd_dictcheck_value: 1 + +# 5.3.3.2.7 - password quality enforce +# enforcing = new password is rejected if it fails the check and the value is not 0 +ubtu22cis_passwd_quality_enforce_file: etc/security/pwquality.conf.d/50-pwquality_enforce.conf # pragma: allowlist secret +ubtu22cis_passwd_quality_enforce_value: 1 + +# 5.3.3.2.8 - password quality enforce for root included with 5.3.3.2.7 +# enforce_for_root: This ensures that the password policies are adhered to even if its the root user configuring the passwords. +ubtu22cis_passwd_quality_enforce_root_file: etc/security/pwquality.conf.d/50-pwroot.conf # pragma: allowlist secret +ubtu22cis_passwd_quality_enforce_root_value: enforce_for_root # pragma: allowlist secret + +## 5.3.3.3 Configure pam_pwhistory module +# Uses value for ubtu22cis_pam_pwhistory_file in 5.3.2.4 +# Control 5.3.3.3.1 +# This variable represents the number of password change cycles, after which +# a user can re-use a password. # CIS requires a value of 24 or more. +ubtu22cis_pamd_pwhistory_remember: 24 + +## Controls 5.4.1.x - Password settings +## Control 5.4.1.1 +# This variable governs after how many days a password expires. +# CIS requires a value of 365 or less. +ubtu22cis_pass_max_days: 365 +## Control 5.4.1.2 +# This variable specifies the minimum number of days allowed between changing passwords. +# CIS requires a value of at least 1. +ubtu22cis_pass_min_days: 1 +## Control 5.5.1.3 +# This variable governs, how many days before a password expires, the user will be warned. +# CIS requires a value of at least 7. 
+ubtu22cis_pass_warn_age: 7 +## Control 5.4.1.5 +# This variable specifies the number of days of inactivity before an account will be locked. +# CIS requires a value of 45 days or less. +ubtu22cis_pass_inactive: 45 + +# 5.4.2.6 root umask +ubtu22cis_root_umask: '0027' # 0027 or more restrictive +## Control 5.4.4 +# ubtu22cis_passwd_hash_algo is the hashing algorithm used +ubtu22cis_passwd_hash_algo: yescrypt # pragma: allowlist secret +# Set pam as well as login defs if PAM is required +ubtu22cis_passwd_setpam_hash_algo: false # pragma: allowlist secret -## Controls 4.1.3.x - Audit template -# This variable is set to true by tasks 4.1.3.1 to 4.1.3.20. As a result, the -# audit settings are overwritten with the role's template. In order to exclude -# specific rules, you must set the variable of form `ubtu22cis_rule_4_1_3_x` above -# to `false`. -update_audit_template: false +## Control 5.4.3 - Default user mask +# The following variable specifies the "umask" to set in the `/etc/bash.bashrc` and `/etc/profile`. +# The value needs to be `027` or more restrictive to comply with CIS standards +ubtu22cis_bash_umask: '027' + +## Control 5.4.3.2 - Configuring user shell timeout +# This dictionary is related to ensuring the rule about user shell timeout +# This variable represents the amount of seconds a command or process is allowed to +# run before being forcefully terminated. +# CIS requires a value of at most 900 seconds. +ubtu22cis_shell_session_timeout: 900 +# This variable specifies the path of the timeout setting file. +# (TMOUT setting can be set in multiple files, but only one is required for the +# rule to pass. Options are: +# - a file in `/etc/profile.d/` ending in `.s`, +# - `/etc/profile`, or +# - `/etc/bash.bashrc`. +ubtu22cis_shell_session_file: /etc/profile.d/tmout.sh + +## +## Section 6 Control Variables +## +## Control 6.1.x - allow aide to be configured +# AIDE is a file integrity checking tool, similar in nature to Tripwire. 
+# While it cannot prevent intrusions, it can detect unauthorized changes +# to configuration files by alerting when the files are changed. Review +# the AIDE quick start guide and AIDE documentation before proceeding. +# By setting this variable to `true`, all of the settings related to AIDE will be applied! +ubtu22cis_config_aide: true + +# If DB file older than below will automatically rebuild DB +# e.g. options:1w = 1 week, 1d = 1day 1h = 1 hour +ubtu22cis_aide_db_file_age: 1w + +# If aide already setup this forces a new DB to be created +ubtu22cis_aide_db_recreate: false + +# allows to change db file, not config need to be adjusted too +ubtu22cis_aide_db_file: /var/lib/aide/aide.db + +## When Initializing aide this can take longer on some systems +# changing the values enables user to change to thier own requirements +# Maximum Time in seconds +ubtu22cis_aide_init_async: 600 +# Polling Interval in seconds +ubtu22cis_aide_init_poll: 15 + +## Control 6.1.2 +# Set how aide is scanned either cron or timer +ubtu22cis_aide_scan: cron +# These are the crontab settings for periodical checking of the filesystem's integrity using AIDE. +# The sub-settings of this variable provide the parameters required to configure +# the cron job on the target system. +# Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled +# and executed automatically at a certain point in time. + +# This variable represents the user account under which the cron job for AIDE will run. +ubtu22cis_aide_cron_user: root +# This variable represents the path to the AIDE crontab file. +ubtu22cis_aide_cron_file: /etc/cron.d/aide_cron +# This variable represents the actual command or script that the cron job +# will execute for running AIDE. +ubtu22cis_aide_cron_job: '/usr/bin/aide --config /etc/aide/aide.conf --check' +# These variables define the schedule for the cron job +# This variable governs the minute of the time of day when the AIDE cronjob is run. 
+# It must be in the range `0-59`. +ubtu22cis_aide_cron_minute: 0 +# This variable governs the hour of the time of day when the AIDE cronjob is run. +# It must be in the range `0-23`. +ubtu22cis_aide_cron_hour: 5 +# This variable governs the day of the month when the AIDE cronjob is run. +# `*` signifies that the job is run on all days; furthermore, specific days +# can be given in the range `1-31`; several days can be concatenated with a comma. +# The specified day(s) can must be in the range `1-31`. +ubtu22cis_aide_cron_day: '*' +# This variable governs months when the AIDE cronjob is run. +# `*` signifies that the job is run in every month; furthermore, specific months +# can be given in the range `1-12`; several months can be concatenated with commas. +# The specified month(s) can must be in the range `1-12`. +ubtu22cis_aide_cron_month: '*' +# This variable governs the weekdays, when the AIDE cronjob is run. +# `*` signifies that the job is run on all weekdays; furthermore, specific weekdays +# can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays +# can be concatenated with commas. +ubtu22cis_aide_cron_weekday: '*' + +## Controls 6.2.1.x journald -## Advanced option found in auditd post -## users whose actions are not logged by auditd -ubtu22cis_allow_auditd_uid_user_exclusions: false -# add a list of uids -ubtu22cis_auditd_uid_exclude: - - 1999 - -## Controls 4.1.2.2 and 4.1.2.3 - What to do when log files fill up -# This variable controls how the audit system behaves when -# log files are getting too full and space is getting too low. -ubtu22cis_auditd: - action_mail_acct: root - space_left_action: email - # This variable determines the action the audit system should take when disk - # space runs low. 
- # The options for setting this variable are as follows: - # - `ignore`: the system does nothing when presented with the aforementioned issue; - # - `syslog`: a message is sent to the system log about disk space running low; - # - `suspend`: the system suspends recording audit events until more space is available; - # - `halt`: the system is halted when disk space is critically low. - # - `single`: the audit daemon will put the computer system in single user mode - # CIS prescribes either `halt` or `single`. - admin_space_left_action: halt - # This variable determines what action the audit system should take when the maximum - # size of a log file is reached. - # The options for setting this variable are as follows: - # - `ignore`: the system does nothing when the size of a log file is full; - # - `syslog`: a message is sent to the system log indicating the problem; - # - `suspend`: the system suspends recording audit events until the log file is cleared or rotated; - # - `rotate`: the log file is rotated (archived) and a new empty log file is created; - # - `keep_logs`: the system attempts to keep as many logs as possible without violating disk space constraints. - # CIS prescribes the value `keep_logs`. - max_log_file_action: keep_logs - -## Controls 4.2.1.x (`journald`) and 4.2.2.x (`rsyslog`) -# This variable governs which logging system is used. -# The options for this variable are `rsyslog` or `journald`. -ubtu22cis_syslog_service: rsyslog # This variable specifies the address of the remote log host where logs are being sent. ubtu22cis_remote_log_server: 192.168.2.100 # This variable expresses whether the system is used as a log server or not. 
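Review bot: `ubtu22cis_sshd_default_macs` now leads with `hmac-sha1` and drops every `-etm@openssh.com` entry, which weakens the default rather than hardening it: the CVE-2023-48795 combinations are ChaCha20-Poly1305 and CBC ciphers with EtM MACs, and `ubtu22cis_sshd_default_ciphers` contains only GCM/CTR ciphers, so the SHA-2 EtM MACs can stay while `hmac-sha1` adds nothing the SHA-2 entries do not already provide; the list below restores the previous SHA-2 set alongside the chacha20-free cipher list. `ubtu22cis_pam_confd_dir: 'usr/share/pam-configs/'` and the `etc/security/pwquality.conf.d/...` file paths have no leading `/`; unless the tasks prepend it, a module given these as a destination writes relative to its working directory, so either add the slash or state in the comment that the tasks do. The comment on `ubtu22cis_shell_session_file` says files `ending in \`.s\``, while the value ends in `.sh`. The auditd defaults removed here (`ubtu22cis_auditd` with its `space_left_action`/`admin_space_left_action`/`max_log_file_action`, `ubtu22cis_max_log_file_size`, `ubtu22cis_audit_back_log_limit`) and `ubtu22cis_syslog_service` do not reappear in the part of the file I can see; if they are not re-added further down, any task or template still referencing them fails on an undefined variable and the log-full/space-left behaviour falls back to whatever the audit template hardcodes. Typos in the new comments: `nee dto`, `systen`, `fate 3`, `ablity`, `stirng`, `thier`.
```yaml
# … unchanged: ubtu22cis_sshd_default_ciphers list …
ubtu22cis_sshd_default_macs:
  - hmac-sha2-512-etm@openssh.com
  - hmac-sha2-256-etm@openssh.com
  - hmac-sha2-512
  - hmac-sha2-256
# … unchanged: ubtu22cis_sshd_default_kex_algorithms list …
```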
@@ -800,7 +1118,7 @@ ubtu22cis_remote_log_server: 192.168.2.100
 # require that own system logs be sent to some other log server are skipped.
 ubtu22cis_system_is_log_server: false
-## Controls 4.2.1.1.x & 4.2.1.x journald
+## Controls 6.2.1.2.x & 6.2.1.x journald
 # This variable specifies the path to the private key file used by the remote journal
 # server to authenticate itself to the client. This key is used alongside the server's
 # public certificate to establish secure communication.
@@ -812,6 +1130,8 @@ ubtu22cis_journal_servercertificatefile:
 # of certificate authorities (CAs) that the client trusts. These trusted certificates are used
 # to validate the authenticity of the remote server's certificate.
 ubtu22cis_journal_trustedcertificatefile:
+
+# 6.2.1.1.3
 # These variable specifies how much disk space the journal may use up at most
 # Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes.
 # See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information.
@@ -827,211 +1147,75 @@ ubtu22cis_journald_runtimekeepfree: "#RuntimeKeepFree=" # ATTENTION: Uncomment the keyword below when values are set! ubtu22cis_journald_maxfilesec: "#MaxFileSec=" -## Controls 4.2.2.x Rsyslog -# This variable governs whether the rsyslog configuration is to be set by this Ansible role. -# Set it to `true` to configure via Ansible and to `false` otherwise. -ubtu22cis_rsyslog_ansible_managed: true +## Controls 6.3.3.x - Audit template +# This variable is set to true by tasks 6.3.3.1 to 6.3.3.20. As a result, the +# audit settings are overwritten with the role's template. In order to exclude +# specific rules, you must set the variable of form `ubtu22cis_rule_4_1_3_x` above +# to `false`. +update_audit_template: false -## -## Section 5 Control Variables -## +## Advanced option found in auditd post +## users whose actions are not logged by auditd +ubtu22cis_allow_auditd_uid_user_exclusions: false -## Controls 5.2.4/5/13/14/15/18/20/21/22 -- various sshd settings -ubtu22cis_sshd_default_log_level: "INFO" -ubtu22cis_sshd_default_ciphers: - - chacha20-poly1305@openssh.com - - aes256-gcm@openssh.com - - aes128-gcm@openssh.com - - aes256-ctr - - aes192-ctr - - aes128-ctr -ubtu22cis_sshd_default_macs: - - hmac-sha2-512-etm@openssh.com - - hmac-sha2-256-etm@openssh.com - - hmac-sha2-512 - - hmac-sha2-256 -ubtu22cis_sshd_default_kex_algorithms: - - curve25519-sha256 - - curve25519-sha256@libssh.org - - diffie-hellman-group14-sha256 - - diffie-hellman-group16-sha512 - - diffie-hellman-group18-sha512 - - ecdh-sha2-nistp521 - - ecdh-sha2-nistp384 - - ecdh-sha2-nistp256 - - diffie-hellman-group-exchange-sha256 -ubtu22cis_sshd_default_max_auth_tries: 4 -ubtu22cis_sshd_default_max_sessions: 8 -ubtu22cis_sshd_default_login_grace_time: 60 -ubtu22cis_sshd_default_client_alive_interval: 300 -ubtu22cis_sshd_default_client_alive_count_max: 3 +# add a list of uids +ubtu22cis_auditd_uid_exclude: + - 1999 -ubtu22cis_sshd: - # This variable is used to control the 
verbosity of the logging produced by the SSH server. - # The options for setting it are as follows: - # - `QUIET`: Minimal logging; - # - `FATAL`: logs only fatal errors; - # - `ERROR`: logs error messages; - # - `INFO`: logs informational messages in addition to errors; - # - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges; - # - `DEBUG`: generates very detailed debugging information including sensitive information. - log_level: "{{ubtu22cis_sshd_default_log_level}}" - # This variable specifies the maximum number of authentication attempts that are - # allowed for a single SSH session. - max_auth_tries: "{{ubtu22cis_sshd_default_max_auth_tries}}" - # This variable specifies the encryption algorithms that can be used for securing - # data transmission. - ciphers: "{{ubtu22cis_sshd_default_ciphers}}" - # This variable specifies a list of message authentication code algorithms (MACs) that are allowed for verifying - # the integrity of data exchanged. - macs: "{{ubtu22cis_sshd_default_macs}}" - # This variable is used to state the key exchange algorithms used to establish secure encryption - # keys during the initial connection setup. - kex_algorithms: "{{ubtu22cis_sshd_default_kex_algorithms}}" - # This variable sets the time interval in seconds between sending "keep-alive" - # messages from the server to the client. These types of messages are intended to - # keep the connection alive and prevent it being terminated due to inactivity. - client_alive_interval: "{{ubtu22cis_sshd_default_client_alive_interval}}" - # This variable sets the maximum number of unresponsive "keep-alive" messages - # that can be sent from the server to the client before the connection is considered - # inactive and thus, closed. - client_alive_count_max: "{{ubtu22cis_sshd_default_client_alive_count_max}}" - # This variable specifies the amount of seconds allowed for successful authentication to - # the SSH server. 
- login_grace_time: "{{ubtu22cis_sshd_default_login_grace_time}}" - # This variables is used to set the maximum number of open sessions per connection. - max_sessions: "{{ubtu22cis_sshd_default_max_sessions}}" - # This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH - # access for users whose user name matches one of the patterns. This is done - # by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file. - # If an USER@HOST format will be used, the specified user will be allowed only on that particular host. - # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. - # For more info, see https://linux.die.net/man/5/sshd_config - allow_users: "" - # (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access - # for users whose primary group or supplementary group list matches one of the patterns. This is done - # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file. - # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. - # For more info, https://linux.die.net/man/5/sshd_config - allow_groups: "" - # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access - # for users whose user name matches one of the patterns. This is done - # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file. - # If an USER@HOST format will be used, the specified user will be restricted only on that particular host. - # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. - # For more info, see https://linux.die.net/man/5/sshd_config - deny_users: "" - # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access - # for users whose primary group or supplementary group list matches one of the patterns. 
This is done - # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file. - # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. - # For more info, see https://linux.die.net/man/5/sshd_config - deny_groups: "" - -## Control 5.3.1 -# This variable represents the name of the sudo package to install -# CIS recommends `sudo` or, if LDAP functionality is required, `sudo-ldap`. -ubtu22cis_sudo_package: "sudo" +## Control 6.3.1.4 - Ensure audit_backlog_limit is sufficient +# This variable represents the audit backlog limit, i.e., the maximum number of audit records that the +# system can buffer in memory, if the audit subsystem is unable to process them in real-time. +# Buffering in memory is useful in situations, where the audit system is overwhelmed +# with incoming audit events, and needs to temporarily store them until they can be processed. +# This variable should be set to a sufficient value. The CIS baseline recommends at least `8192` as value. +ubtu22cis_audit_back_log_limit: 8192 -## Control 5.3.3 -# This variable defines the path and file name of the sudo log file. -ubtu22cis_sudo_logfile: "/var/log/sudo.log" -## Control 5.3.6 -# This variable sets the duration (in minutes) during which a user's authentication credentials -# are cached after successfully authenticating using "sudo". This allows the user to execute -# multiple commands with elevated privileges without needing to re-enter their password for each -# command within the specified time period. CIS requires a value of at most 15 minutes. -ubtu22cis_sudo_timestamp_timeout: 15 -## Control 5.3.7 -# This variable determines the group of users that are allowed to use the su command. -# one to specify a user group that is allowed to use the "su" command. -# CIS requires that such a group be created (named according to site policy) and be kept empty. 
-ubtu22cis_sugroup: nosugroup +## Controls 6.3.2.x - What to do when log files fill up +## Control 6.3.2.1 - Ensure audit log storage size is configured +# This variable specifies the maximum size in MB that an audit log file can reach +# before it is archived or deleted to make space for the new audit data. +# This should be set based on your sites policy. CIS does not provide a specific value. +ubtu22cis_max_log_file_size: 10 -## Control 5.4.1 -# This variable allows us to use either +## Control 6.2.3.2 +# This variable determines what action the audit system should take when the maximum +# size of a log file is reached. +# The options for setting this variable are as follows: +# - `ignore`: the system does nothing when the size of a log file is full; +# - `syslog`: a message is sent to the system log indicating the problem; +# - `suspend`: the system suspends recording audit events until the log file is cleared or rotated; +# - `rotate`: the log file is rotated (archived) and a new empty log file is created; +# - `keep_logs`: the system attempts to keep as many logs as possible without violating disk space constraints. +# CIS prescribes the value `keep_logs`. +ubtu22cis_auditd_max_log_file_action: keep_logs + +## Control 6.2.3.3 +# This variable determines how the system should act in case of issues with disk +# The disk_full_action parameter tells the system what action to take when no free space is available on the partition that holds the audit log files. +# Valid values are ignore, syslog, rotate, exec, suspend, single, and halt. 
# - -ubtu22cis_pwquality_minclass: true -ubtu22cis_pwquality_minclass_value: '4' -ubtu22cis_pwquality: - - key: '#minclass' - value: "{{ ubtu22cis_pwquality_minclass_value }}" - - key: 'minlen' - value: '14' - - key: 'dcredit' - value: '-1' - - key: 'ucredit' - value: '-1' - - key: 'ocredit' - value: '-1' - - key: 'lcredit' - value: '-1' - -## Control 5.4.3 -# This variable represents the number of password change cycles, after which -# a user can re-use a password. -# CIS requires a value of 5 or more. -ubtu22cis_pamd_pwhistory_remember: 5 - -## Control 5.4.2 -# This can seriously break access to a system -## The end state the file /etc/pam.d/common-auth need to be understood -## If using external auth providers this will be very different -ubtu22cis_allow_common_auth_rewrite: false -ubtu22cis_rule_5_4_2_faillock_config: | - auth required pam_faillock.so preauth - auth [success=1 default=ignore] pam_unix.so nullok - auth [default=die] pam_faillock.so authfail - auth sufficient pam_faillock.so authsucc - -## Control 5.4.4 -# ubtu22cis_passwd_hash_algo is the hashing algorithm used -ubtu22cis_passwd_hash_algo: yescrypt # pragma: allowlist secret -# Set pam as well as login defs if PAM is required -ubtu22cis_passwd_setpam_hash_algo: false - -## Controls 5.5.1.x - Password settings -ubtu22cis_pass: - ## Control 5.5.1.2 - # This variable governs after how many days a password expires. - # CIS requires a value of 365 or less. - max_days: 365 - ## Control 5.5.1.1 - # This variable specifies the minimum number of days allowed between changing passwords. - # CIS requires a value of at least 1. - min_days: 1 - ## Control 5.5.1.3 - # This variable governs, how many days before a password expires, the user will be warned. - # CIS requires a value of at least 7. - warn_age: 7 - ## Control 5.5.1.4 - # This variable specifies the number of days of inactivity before an account will be locked. - # CIS requires a value of 30 days or less. 
- inactive: 30 - -## Control 5.5.4 - Default user mask -# The following variable specifies the "umask" to set in the `/etc/bash.bashrc` and `/etc/profile`. -# The value needs to be `027` or more restrictive to comply with CIS standards -ubtu22cis_bash_umask: '027' - -## Control 5.5.5 - Configuring user shell timeout -# This dictionary is related to ensuring the rule about user shell timeout -ubtu22cis_shell_session_timeout: - # This variable specifies the path of the timeout setting file. - # (TMOUT setting can be set in multiple files, but only one is required for the - # rule to pass. Options are: - # - a file in `/etc/profile.d/` ending in `.s`, - # - `/etc/profile`, or - # - `/etc/bash.bashrc`. - file: /etc/profile.d/tmout.sh - # This variable represents the amount of seconds a command or process is allowed to - # run before being forcefully terminated. - # CIS requires a value of at most 900 seconds. - timeout: 900 +# The disk_error_action parameter tells the system what action to take when an error is detected on the partition that holds the audit log files. +# Valid values are ignore, syslog, exec, suspend, single, and halt. +# +# CIS prescribes +# disk_full_action parameter: +# Set to halt - the auditd daemon will shutdown the system when the disk partition containing the audit logs becomes full. +# Set to single - the auditd daemon will put the computer system in single user mode when the disk partition containing the audit logs becomes full. +# +# disk_error_action parameter: +# Set to halt - the auditd daemon will shutdown the system when an error is detected on the partition that holds the audit log files. +# Set to single - the auditd daemon will put the computer system in single user mode when an error is detected on the partition that holds the audit log files. +# Set to syslog - the auditd daemon will issue no more than 5 consecutive warnings to syslog when an error is detected on the partition that holds the audit log files. 
+ubtu22cis_auditd_disk_full_action: halt
+ubtu22cis_auditd_disk_error_action: syslog
+
+# Control 6.3.2.4
+# Wait to do when space left is low.
+ubtu22cis_auditd_space_left_action: email
+ubtu22cis_auditd_admin_space_left_action: halt
 ##
-## Section 6 Control Variables
+## Section 7 Control Variables
 ##
 ## Controls 6.2.11 & 6.2.12
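Review bot: The control numbers in the new comments of this hunk disagree with each other: `## Control 6.2.3.2` (max_log_file_action) and `## Control 6.2.3.3` (disk_full/disk_error) sit under the `## Controls 6.3.2.x - What to do when log files fill up` heading, between `## Control 6.3.2.1` and `# Control 6.3.2.4`, so they appear to be transpositions of `6.3.2.2` and `6.3.2.3`. The comment on `update_audit_template` likewise still points operators at `ubtu22cis_rule_4_1_3_x` although its own heading was renamed to 6.3.3.x, so someone trying to exclude a single audit rule is sent to a variable that, judging by the renumbering in this hunk, probably no longer exists; I would change that line to refer to `ubtu22cis_rule_6_3_3_x` after checking the rule section of this file, which is outside the hunk. `update_audit_template` is also the only key in this section without the `ubtu22cis_` prefix, which invites collisions with a same-named variable from another role or inventory; a prefixed alias kept alongside it would avoid that without breaking existing inventories.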
@@ -1058,38 +1242,29 @@ max_int_uid: 65533
 # Possible values are `true` and `false`.
 ubtu22cis_no_world_write_adjust: true
-# Control 6.1.10
+## Control 6.2.7
+# This variable is a toggle foe enabling/disabling the automated modification of
+# permissions on dot files.
+# Possible values are `true` and `false`.
+ubtu22cis_dotperm_ansiblemanaged: true
+
+## Section 7
+
+# 7.1.12 Ensure no files or directories without an owner and a group exist
+ubtu22cis_exclude_unowned_search_path: (! -path "/run/user/*" -a ! -path "/proc/*" -a ! -path "*/containerd/*" -a ! -path "*/kubelet/pods/*" -a ! -path "*/kubelet/plugins/*" -a ! -path "/sys/fs/cgroup/memory/*" -a ! -path "/var/*/private/*")
+
+# Control 7.1.12
 # The value of this variable specifies the owner that will be set for unowned files and directories.
 ubtu22cis_unowned_owner: root
+ubtu22cis_ungrouped_group: root
 # This variable is a toggle for enabling/disabling the automated
 # setting of an owner (specified in variable `ubtu22cis_unowned_owner`)
 # for all unowned files and directories.
 # Possible values are `true` and `false`.
-ubtu22cis_no_owner_adjust: true
+ubtu22cis_ownership_adjust: true
-## Control 6.1.11
-# This variable represents the group that will be set for files without group.
-ubtu22cis_ungrouped_group: root
-# This variable is a toggle for enabling/disabling the automated
-# assignment of a group (specified in variable `ubtu22cis_unowned_group`)
-# for all group-less files and directories.
-# Possible values are `true` and `false`.
-ubtu22cis_no_group_adjust: true
-
-## Control 6.1.12
+## Control 7.1.13
 # This variable is a toggle for enabling/disabling the automated removal
 # of the SUID bit from all files on all mounts.
 # Possible values are `true` and `false`.
-ubtu22cis_suid_adjust: false
-
-## Control 6.1.13
-# This variable is a toggle for enabling/disabling the automated removal the SGID
-# bit from all files on all mounts
-# Possible values are `true` and `false`.
-ubtu22cis_sgid_adjust: false
-
-## Control 6.2.7
-# This variable is a toggle foe enabling/disabling the automated modification of
-# permissions on dot files.
-# Possible values are `true` and `false`.
-ubtu22cis_dotperm_ansiblemanaged: true
+ubtu22cis_suid_sgid_adjust: false
diff --git a/handlers/main.yml b/handlers/main.yml
index 6499d4b7..dc6bf653 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
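Review bot: `ubtu22cis_ownership_adjust` now governs both the owner and the group fix-up (the separate `ubtu22cis_no_group_adjust` toggle is removed in this hunk), but the comment above it still describes only the owner side and names only `ubtu22cis_unowned_owner`, while `ubtu22cis_ungrouped_group` is added right above it with no comment at all; I would reword the toggle's comment to `# setting of an owner (ubtu22cis_unowned_owner) and a group (ubtu22cis_ungrouped_group)`. The removed toggles have no deprecation path: an inventory that still sets `ubtu22cis_no_owner_adjust: false`, `ubtu22cis_no_group_adjust: false`, `ubtu22cis_suid_adjust` or `ubtu22cis_sgid_adjust` is silently ignored and the new defaults take effect, so a comment naming the old variables (or a prelim assert that fails when one of them is defined) would make the change visible to operators before ownership is rewritten on every file the search returns. `ubtu22cis_exclude_unowned_search_path` is a raw `find` expression fragment and, as far as I can tell from this hunk, is substituted verbatim into the command that uses it; a comment stating that it must remain a valid, correctly quoted `find` expression would spare the next editor a surprise.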
@@ -1,177 +1,270 @@ --- -- name: Writing the tmp file | tmp_systemd - ansible.builtin.template: - src: etc/systemd/system/tmp.mount.j2 - dest: /etc/systemd/system/tmp.mount - owner: root - group: root - mode: '0644' - with_items: - - "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" - when: - - "'/tmp' in mount_names" - - item.mount == "/tmp" - - tmp_mnt_type == 'tmp_systemd' - listen: Writing and remounting tmp +- name: "Adding options for /tmp" + when: not ubtu22cis_tmp_svc + vars: + mount_point: '/tmp' + ansible.posix.mount: + path: "{{ mount_point }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /tmp" -- name: Writing the tmp file | fstab +- name: "Remounting /tmp" + vars: + mount_point: '/tmp' ansible.posix.mount: - path: /tmp - src: "{{ item.device }}" - state: present - fstype: "{{ item.fstype }}" - opts: defaults,{{ tmp_partition_mount_options | unique | join(',') }} - with_items: - - "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" - when: - - "'/tmp' in mount_names" - - tmp_mnt_type == 'fstab' - - item.mount == "/tmp" - listen: Writing and remounting tmp + path: "{{ mount_point }}" + state: remounted + listen: "Remount /tmp" -- name: Update_Initramfs - ansible.builtin.shell: update-initramfs -u - notify: set_reboot_required +- name: "Remounting /tmp systemd" + vars: + mount_point: '/tmp' + ansible.builtin.systemd: + name: tmp.mount + state: restarted + daemon_reload: true + listen: "Remount /tmp" -- name: Remount tmp +- name: "Adding options for /dev/shm" + vars: + mount_point: '/dev/shm' ansible.posix.mount: - path: /tmp - state: remounted - when: - - "'/tmp' in mount_names" - listen: Writing and remounting tmp + path: "{{ mount_point }}" + src: "{{ 
prelim_mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /dev/shm" + +- name: "Remounting /dev/shm" + vars: + mount_point: '/dev/shm' + ansible.posix.mount: + path: "{{ mount_point }}" + state: remounted + listen: "Remount /dev/shm" + +- name: "Adding options for /home" + vars: + mount_point: '/home' + ansible.posix.mount: + path: "{{ mount_point }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /home" + +- name: "Remounting /home" + vars: + mount_point: '/home' + ansible.posix.mount: + path: "{{ mount_point }}" + state: remounted + listen: "Remount /home" + +- name: "Adding options for /var" + vars: + mount_point: '/var' + ansible.posix.mount: + path: "{{ mount_point }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /var" + +- name: "Remounting /var" + vars: + mount_point: '/var' + ansible.posix.mount: + path: "{{ mount_point }}" + state: remounted + listen: "Remount /var" -- name: Remount var +- name: "Adding options for /var/tmp" + vars: + mount_point: '/var/tmp' ansible.posix.mount: - path: /var - state: remounted + path: "{{ mount_point }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: 
"Remount /var/tmp" -- name: Remount var_tmp +- name: "Remounting /var/tmp" + vars: + mount_point: '/var/tmp' ansible.posix.mount: - path: /var/tmp - state: remounted + path: "{{ mount_point }}" + state: remounted + listen: "Remount /var/tmp" -- name: Remount var_log +- name: "Adding options for /var/log" + vars: + mount_point: '/var/log' ansible.posix.mount: - path: /var/log - state: remounted + path: "{{ mount_point }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /var/log" -- name: Remount var_log_audit +- name: "Remounting /var/log" + vars: + mount_point: '/var/log' ansible.posix.mount: - path: /var/log/audit - state: remounted + path: "{{ mount_point }}" + state: remounted + listen: "Remount /var/log" -- name: Remount home +- name: "Adding options for /var/log/audit" + vars: + mount_point: '/var/log/audit' ansible.posix.mount: - path: /home - state: remounted + path: "{{ mount_point }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /var/log/audit" -- name: Remount dev_shm +- name: "Remounting /var/log/audit" + vars: + mount_point: '/var/log/audit' ansible.posix.mount: - path: /dev/shm - src: /dev/shm - state: remounted + path: "{{ mount_point }}" + state: remounted + listen: "Remount /var/log/audit" + +- name: Update_Initramfs + ansible.builtin.command: update-initramfs -u + changed_when: true + notify: Set_reboot_required - name: Grub update - ansible.builtin.shell: update-grub + ansible.builtin.command: update-grub + changed_when: true failed_when: false - notify: set_reboot_required + notify: 
Set_reboot_required - name: Restart timeservice ansible.builtin.systemd: - name: "{{ ubtu22cis_time_sync_tool }}" - state: restarted + name: "{{ ubtu22cis_time_sync_tool }}" + state: restarted - name: Reload systemctl ansible.builtin.systemd: - daemon_reload: true + daemon_reload: true - name: Update dconf - ansible.builtin.shell: dconf update + ansible.builtin.command: dconf update + changed_when: true failed_when: false - name: Restart postfix ansible.builtin.service: - name: postfix - state: restarted + name: postfix + state: restarted - name: Restart syslog service ansible.builtin.systemd: - name: "{{ ubtu22cis_syslog_service }}" - state: restarted + name: "{{ ubtu22cis_syslog_service }}" + state: restarted - name: Restart journald ansible.builtin.systemd: - name: systemd-journald - state: restarted + name: systemd-journald + state: restarted - name: Restart exim4 ansible.builtin.systemd: - name: exim4 - state: restarted + name: exim4 + state: restarted - name: Flush ipv4 route table - ansible.posix.sysctl: - name: net.ipv4.route.flush - value: '1' - sysctl_set: true when: ansible_facts.virtualization_type != "docker" + ansible.posix.sysctl: + name: net.ipv4.route.flush + value: '1' + sysctl_set: true - name: Flush ipv6 route table - ansible.posix.sysctl: - name: net.ipv6.route.flush - value: '1' - sysctl_set: true when: - - ansible_facts.virtualization_type != "docker" - - ubtu22cis_ipv6_required + - ansible_facts.virtualization_type != "docker" + - ubtu22cis_ipv6_required + ansible.posix.sysctl: + name: net.ipv6.route.flush + value: '1' + sysctl_set: true - name: Reload ufw community.general.ufw: - state: reloaded + state: reloaded - name: Iptables persistent - ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4" - changed_when: ubtu22cis_iptables_save.rc == 0 - failed_when: ubtu22cis_iptables_save.rc > 0 - register: ubtu22cis_iptables_save + ansible.builtin.command: bash -c "iptables-save > /etc/iptables/rules.v4" + changed_when: 
discovered_ip4tables_save.rc == 0 + failed_when: discovered_ip4tables_save.rc > 0 + register: discovered_ip4tables_save - name: Ip6tables persistent - ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6" - changed_when: ubtu22cis_ip6tables_save.rc == 0 - failed_when: ubtu22cis_ip6tables_save.rc > 0 - register: ubtu22cis_ip6tables_save + ansible.builtin.command: bash -c "ip6tables-save > /etc/iptables/rules.v6" + changed_when: discovered_ip6tables_save.rc == 0 + failed_when: discovered_ip6tables_save.rc > 0 + register: discovered_ip6tables_save + +- name: Pam_auth_update_pwunix + ansible.builtin.command: pam-auth-update --enable {{ ubtu22cis_pam_pwunix_file }} + changed_when: true + +- name: Pam_auth_update_pwfaillock + ansible.builtin.command: pam-auth-update --enable {{ ubtu22cis_pam_faillock_file }} + changed_when: true + +- name: Pam_auth_update_pwfaillock_notify + ansible.builtin.command: pam-auth-update --enable {{ ubtu22cis_pam_faillock_notify_file }} + changed_when: true + +- name: Pam_auth_update_pwquality + ansible.builtin.command: pam-auth-update --enable {{ ubtu22cis_pam_pwquality_file }} + changed_when: true + +- name: Pam_auth_update_pwhistory + ansible.builtin.command: pam-auth-update --enable {{ ubtu22cis_pam_pwhistory_file }} + changed_when: true - name: Auditd rules reload - ansible.builtin.shell: augenrules --load when: - - not auditd_immutable_check or '"No change" not in ubtu22cis_rule_4_1_3_21_augen_check.stdout' + - not prelim_auditd_immutable_check or + '"No change" not in ubtu22cis_rule_4_1_3_21_augen_check.stdout' + ansible.builtin.command: augenrules --load + changed_when: true - name: Audit_immutable_fact - ansible.builtin.debug: - msg: "Reboot required for auditd to apply new rules as immutable set" - notify: set_reboot_required when: - - audit_rules_updated.changed - - auditd_immutable_check is defined + - discovered_audit_rules_updated.changed + - auditd_immutable_check is defined + ansible.builtin.debug: + msg: 
"Reboot required for auditd to apply new rules as immutable set" + notify: Set_reboot_required - name: Restart auditd - ansible.builtin.shell: service auditd restart - when: - - audit_rules_updated is defined - tags: - - skip_ansible_lint + when: discovered_audit_rules_updated is defined + ansible.builtin.command: service auditd restart # noqa command-instead-of-module + changed_when: true - name: Restart sshd ansible.builtin.systemd: - name: sshd - state: restarted + name: sshd + state: restarted -- name: set_reboot_required +- name: Set_reboot_required ansible.builtin.set_fact: - change_requires_reboot: true + change_requires_reboot: true diff --git a/meta/main.yml b/meta/main.yml index 514dc705..059d32f9 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,28 +1,28 @@ --- galaxy_info: - author: "George Nalen, Mark Bolwell, and DFed" - description: "Apply the Ubuntu 22 CIS benchmarks" - company: "MindPoint Group" - license: MIT - namespace: mindpointgroup - role_name: ubuntu22_cis - min_ansible_version: 2.12.1 - platforms: - - name: Ubuntu - versions: - - jammy - galaxy_tags: - - system - - security - - cis - - hardening - - benchmark - - compliance - - complianceascode - - ubuntu22 + author: George Nalen, Mark Bolwell, and DFed + description: Apply the Ubuntu 22 CIS benchmarks + company: MindPoint Group + license: MIT + namespace: mindpointgroup + role_name: ubuntu22_cis + min_ansible_version: 2.12.1 + platforms: + - name: Ubuntu + versions: + - jammy + galaxy_tags: + - system + - security + - cis + - hardening + - benchmark + - compliance + - complianceascode + - ubuntu22 collections: - - community.general - - community.crypto - - ansible.posix + - community.general + - community.crypto + - ansible.posix dependencies: [] diff --git a/site.yml b/site.yml index 0358dc36..f3f0fae7 100644 --- a/site.yml +++ b/site.yml 
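Review bot: In the `Auditd rules reload` handler the second operand of the `when` condition, `'"No change" not in ubtu22cis_rule_4_1_3_21_augen_check.stdout'`, is a quoted string literal rather than an expression, so Jinja evaluates it as a non-empty (truthy) string and the `or` is always satisfied; as far as I can tell, `augenrules --load` therefore runs on every notification, including the case the condition was written to skip, where the immutable-mode check reports no change. The fix is to drop the surrounding quotes so the membership test is actually evaluated, `- not prelim_auditd_immutable_check or "No change" not in ubtu22cis_rule_4_1_3_21_augen_check.stdout`, adding `ubtu22cis_rule_4_1_3_21_augen_check is defined` if that register is not guaranteed to exist when the handler fires. The fact names are also inconsistent across the hunk: `Auditd rules reload` tests `prelim_auditd_immutable_check` while `Audit_immutable_fact` tests `auditd_immutable_check is defined`, and `ubtu22cis_rule_4_1_3_21_augen_check` was not renamed along with the other `discovered_*` registers, so one of these is likely stale after the rename and the reboot-required fact may never be set.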
@@ -1,8 +1,7 @@ --- -- hosts: all +- name: Apply ansible-lockdown hardening + hosts: all become: true - roles: - - - role: "{{ playbook_dir }}" + - role: "{{ playbook_dir }}" diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 7ef94b4a..ffbb324a 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -2,33 +2,31 @@ - name: Pre Audit Setup | Set audit package name block: - - name: Pre Audit Setup | Set audit package name | 64bit - ansible.builtin.set_fact: - audit_pkg_arch_name: AMD64 - when: ansible_facts.machine == "x86_64" + - name: Pre Audit Setup | Set audit package name | 64bit + when: ansible_facts.machine == "x86_64" + ansible.builtin.set_fact: + audit_pkg_arch_name: AMD64 - - name: Pre Audit Setup | Set audit package name | ARM64 - ansible.builtin.set_fact: - audit_pkg_arch_name: ARM64 - when: ansible_facts.machine == "arm64" + - name: Pre Audit Setup | Set audit package name | ARM64 + when: ansible_facts.machine == "arm64" + ansible.builtin.set_fact: + audit_pkg_arch_name: ARM64 - name: Pre Audit Setup | Download audit binary + when: get_audit_binary_method == 'download' ansible.builtin.get_url: - url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}" - dest: "{{ audit_bin }}" - owner: root - group: root - checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}" - mode: '0555' - when: - - get_audit_binary_method == 'download' + url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}" + dest: "{{ audit_bin }}" + owner: root + group: root + checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}" + mode: '0555' - name: Pre Audit Setup | Copy audit binary + when: get_audit_binary_method == 'copy' ansible.builtin.copy: - src: "{{ audit_bin_copy_location }}" - dest: "{{ audit_bin }}" - mode: '0555' - owner: root - group: root - when: - - get_audit_binary_method == 'copy' + src: "{{ audit_bin_copy_location }}" + dest: "{{ audit_bin }}" + mode: '0555' + owner: root + group: root 
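Review bot: The ARM64 branch of `Pre Audit Setup | Set audit package name` tests `ansible_facts.machine == "arm64"`, but on Linux hosts, Ubuntu included, the machine fact for 64-bit ARM is the `uname -m` value `aarch64`, so this condition never matches and `audit_pkg_arch_name` stays undefined on ARM hosts; the download task then fails on the undefined variable in `audit_bin_version[audit_pkg_arch_name + '_checksum']` instead of with a clear message. I would change the condition to `when: ansible_facts.machine in ['aarch64', 'arm64']` and, after the block, add an `ansible.builtin.assert` that `audit_pkg_arch_name is defined` with a `fail_msg` naming the unsupported architecture, so an unknown CPU type is reported up front rather than as a templating error. Keeping `checksum:` on the download is the right call given the binary is installed with mode `0555` and run as root; the assert only makes sure that check is reached with a defined key.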
diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml index 4f60834c..a8e81e20 100644 --- a/tasks/audit_only.yml +++ b/tasks/audit_only.yml @@ -1,30 +1,28 @@ --- -- name: Audit_Only | Create local Directories for hosts - ansible.builtin.file: - path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}" - mode: '0755' - recurse: true - state: directory +- name: Audit_only | Create local Directories for hosts when: fetch_audit_files delegate_to: localhost become: false + ansible.builtin.file: + path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}" + mode: '0755' + recurse: true + state: directory - name: Audit_only | Get audits from systems and put in group dir - ansible.builtin.fetch: - dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/" - src: "{{ pre_audit_outfile }}" - flat: true - mode: '0644' when: fetch_audit_files + ansible.builtin.fetch: + src: "{{ pre_audit_outfile }}" + dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/" + flat: true + mode: '0644' - name: Audit_only | Show Audit Summary - when: - - audit_only + when: audit_only ansible.builtin.debug: - msg: "{{ audit_results.split('\n') }}" + msg: "{{ audit_results.split('\n') }}" - name: Audit_only | Stop Playbook Audit Only selected - when: - - audit_only + when: audit_only ansible.builtin.meta: end_play diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 4078d858..fca7a096 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml 
@@ -1,27 +1,29 @@ --- -- name: "POST | AUDITD | Apply auditd template for section 4.1.3.x" +- name: POST | Apply auditd template for section 4.1.3.x + when: update_audit_template ansible.builtin.template: - src: audit/99_auditd.rules.j2 - dest: /etc/audit/rules.d/99_auditd.rules - owner: root - group: root - mode: '0640' - register: audit_rules_updated + src: audit/99_auditd.rules.j2 + dest: /etc/audit/rules.d/99_auditd.rules + owner: root + group: root + mode: '0640' + register: discovered_audit_rules_updated notify: - - Auditd rules reload - - Audit_immutable_fact - - Restart auditd - - set_reboot_required - when: update_audit_template + - Auditd rules reload + - Audit_immutable_fact + - Restart auditd + - Set_reboot_required - name: POST | Set up auditd user logging exceptions + when: ubtu22cis_allow_auditd_uid_user_exclusions ansible.builtin.template: - src: audit/98_auditd_exception.rules.j2 - dest: /etc/audit/rules.d/98_auditd_exceptions.rules - owner: root - group: root - mode: '0600' + src: audit/98_auditd_exception.rules.j2 + dest: /etc/audit/rules.d/98_auditd_exceptions.rules + owner: root + group: root + mode: '0600' notify: Restart auditd - when: - - ubtu22cis_allow_auditd_uid_user_exclusions + +- name: POST | Flush handlers + ansible.builtin.meta: flush_handlers diff --git a/tasks/main.yml b/tasks/main.yml index 5d138b4e..065dd87e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -1,225 +1,223 @@ --- - name: Check OS version and family - ansible.builtin.fail: - msg: "This role can only be run against Ubuntu 22. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported." when: - - ansible_facts.distribution == 'Ubuntu' - - ansible_facts.distribution_major_version is version_compare('22', '!=') - tags: - - always + - ansible_facts.distribution == 'Ubuntu' + - ansible_facts.distribution_major_version is version_compare('22', '!=') + tags: always + ansible.builtin.fail: + msg: "This role can only be run against Ubuntu 22. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported." - name: Check ansible version + tags: always ansible.builtin.assert: - that: ansible_version.full is version_compare(min_ansible_version, '>=') - fail_msg: "You must use Ansible {{ min_ansible_version }} or greater" - success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" - tags: - - always + that: ansible_version.full is version_compare(min_ansible_version, '>=') + fail_msg: "You must use Ansible {{ min_ansible_version }} or greater" + success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" # This control should always run as this can pass on unintended issues. - name: "Check password set for connecting user" - block: - - name: Capture current password state of connecting user" - ansible.builtin.shell: "grep -w {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'" - changed_when: false - failed_when: false - check_mode: false - register: ansible_user_password_set - - - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked" - ansible.builtin.assert: - that: ansible_user_password_set.stdout != "!!" 
and ansible_user_password_set.stdout | length > 10 - fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" - success_msg: "You have a password set for sudo user {{ ansible_env.SUDO_USER }}" - vars: - sudo_password_rule: ubtu22cis_rule_5_3_4 # pragma: allowlist secret when: - - ubtu22cis_rule_5_3_4 - - ansible_env.SUDO_USER is defined - tags: - - always + - ubtu22cis_rule_5_2_4 + - ansible_env.SUDO_USER is defined + tags: always + block: + - name: Capture current password state of connecting user" + ansible.builtin.shell: "grep -w {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'" + changed_when: false + failed_when: false + check_mode: false + register: prelim_ansible_user_password_set + + - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked" # noqa name[template] + ansible.builtin.assert: + that: prelim_ansible_user_password_set.stdout != "!!" and prelim_ansible_user_password_set.stdout | length > 10 + fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" + success_msg: "You have a password set for sudo user {{ ansible_env.SUDO_USER }}" + vars: + sudo_password_rule: ubtu22cis_rule_5_2_4 # pragma: allowlist secret + +- name: Ensure root password is set + when: ubtu22cis_rule_5_4_2_4 + tags: always + block: + - name: Ensure root password is set + ansible.builtin.shell: passwd -S root | grep -E "root P" + changed_when: false + failed_when: false + register: prelim_root_passwd_set + + - name: Ensure root password is set + ansible.builtin.assert: + that: prelim_root_passwd_set.rc == 0 + fail_msg: "You have rule 5.4.2.4 enabled this requires that you have a root password set - Please manually set a root password" + success_msg: "You have a root password set" - name: Check ubtu22cis_bootloader_password_hash variable has been changed - 
ansible.builtin.assert: - that: ubtu22cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and ubtu22cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret - msg: "This role will not be able to run single user password commands as ubtu22cis_bootloader_password_hash variable has not been set correctly" when: - - ubtu22cis_set_boot_pass - - ubtu22cis_rule_1_4_1 - tags: - - always + - ubtu22cis_set_boot_pass + - ubtu22cis_rule_1_4_1 + tags: always + ansible.builtin.assert: + that: ubtu22cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and ubtu22cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret + msg: "This role will not be able to run single user password commands as ubtu22cis_bootloader_password_hash variable has not been set correctly" - name: Check ubtu22cis_grub_user password variable has been changed + when: ubtu22cis_rule_1_4_1 + tags: always block: - - name: Check ubtu22cis_grub_user password variable has been changed | check password is set - ansible.builtin.shell: "grep ^{{ ubtu22cis_grub_user }} /etc/shadow | awk -F : '{print $2}'" - changed_when: false - register: ubtu22cis_password_set_grub_user - - - name: Check ubtu22cis_grub_user password variable has been changed | check password is set - ansible.builtin.assert: - that: ubtu22cis_password_set_grub_user.stdout.find('$y$') != -1 or ubtu22cis_grub_user_passwd.find('$y$') != -1 and ubtu22cis_grub_user_passwd != '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' - msg: "This role will not set the {{ ubtu22cis_grub_user }} user password is not set or ubtu22cis_grub_user_passwd variable has not been set correctly" - when: - - "'$y$' in ubtu22cis_password_set_grub_user.stdout" - - ubtu22cis_set_grub_user_pass - - ubtu22cis_rule_1_4_3 - - - name: Check ubtu22cis_grub_user password variable has been changed | if password blank or incorrect type and not being set - 
ansible.builtin.assert: - that: ( ubtu22cis_password_set_grub_user.stdout | length > 10 ) and '$y$' in ubtu22cis_password_set_grub_user.stdout - fail_msg: "Grub User {{ ubtu22cis_grub_user }} has no password set or incorrect encryption" - success_msg: "Grub User {{ ubtu22cis_grub_user }} has a valid password set to be used in single user mode" - when: - - not ubtu22cis_set_grub_user_pass - when: ubtu22cis_rule_1_4_3 - tags: - - always + - name: Check ubtu22cis_grub_user password variable has been changed | check password is set + ansible.builtin.shell: "grep ^{{ ubtu22cis_grub_user }} /etc/shadow | awk -F : '{print $2}'" + changed_when: false + register: prelim_password_set_grub_user + + - name: Check ubtu22cis_grub_user password variable has been changed | check password is set + when: + - "'$y$' in prelim_password_set_grub_user.stdout" + - ubtu22cis_set_grub_user_pass + - ubtu22cis_rule_1_4_1 + ansible.builtin.assert: + that: prelim_password_set_grub_user.stdout.find('$y$') != -1 or ubtu22cis_grub_user_passwd.find('$y$') != -1 and ubtu22cis_grub_user_passwd != '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' + msg: "This role will not set the {{ ubtu22cis_grub_user }} user password is not set or ubtu22cis_grub_user_passwd variable has not been set correctly" + + - name: Check ubtu22cis_grub_user password variable has been changed | if password blank or incorrect type and not being set + when: + - not ubtu22cis_set_grub_user_pass + ansible.builtin.assert: + that: ( prelim_password_set_grub_user.stdout | length > 10 ) and '$y$' in prelim_password_set_grub_user.stdout + fail_msg: "Grub User {{ ubtu22cis_grub_user }} has no password set or incorrect encryption" + success_msg: "Grub User {{ ubtu22cis_grub_user }} has a valid password set to be used in single user mode" - name: Setup rules if container - block: - - name: Discover and set container variable if required - ansible.builtin.set_fact: - system_is_container: true - - - name: Load 
variable for container - ansible.builtin.include_vars: - file: "{{ container_vars_file }}" - - - name: Output if discovered is a container - ansible.builtin.debug: - msg: system has been discovered as a container - when: - - system_is_container when: - - ansible_connection == 'docker' or - ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] + - ansible_connection == 'docker' or + ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] tags: - - container_discovery - - always + - container_discovery + - always + block: + - name: Discover and set container variable if required + ansible.builtin.set_fact: + system_is_container: true + + - name: Load variable for container + ansible.builtin.include_vars: + file: "{{ container_vars_file }}" + + - name: Output if discovered is a container + when: system_is_container + ansible.builtin.debug: + msg: system has been discovered as a container - name: Gather the package facts before prelim + tags: always ansible.builtin.package_facts: - manager: auto - tags: - - always + manager: auto - name: Run prelim tasks - ansible.builtin.import_tasks: - file: prelim.yml tags: - - prelim_tasks - - run_audit - - always + - prelim_tasks + - run_audit + - always + ansible.builtin.import_tasks: + file: prelim.yml - name: Gather the package facts after prelim + tags: always ansible.builtin.package_facts: - manager: auto - tags: - - always + manager: auto - name: Run parse /etc/passwd - ansible.builtin.import_tasks: - file: parse_etc_password.yml when: - - ubtu22cis_section5 or - ubtu22cis_section6 - tags: - - always - -- name: Gather the package facts - ansible.builtin.package_facts: - manager: auto - tags: - - always + - ubtu22cis_section5 or + ubtu22cis_section6 or + ubtu22cis_section7 + tags: always + ansible.builtin.import_tasks: + file: parse_etc_password.yml - name: Include section 1 patches - ansible.builtin.import_tasks: - file: section_1/main.yml when: 
ubtu22cis_section1 - tags: - - section1 + tags: section1 + ansible.builtin.import_tasks: + file: section_1/main.yml - name: Include section 2 patches - ansible.builtin.import_tasks: - file: section_2/main.yml when: ubtu22cis_section2 - tags: - - section2 + tags: section2 + ansible.builtin.import_tasks: + file: section_2/main.yml - name: Include section 3 patches - ansible.builtin.import_tasks: - file: section_3/main.yml when: ubtu22cis_section3 - tags: - - section3 + tags: section3 + ansible.builtin.import_tasks: + file: section_3/main.yml - name: Include section 4 patches - ansible.builtin.import_tasks: - file: section_4/main.yml when: ubtu22cis_section4 - tags: - - section4 + tags: section4 + ansible.builtin.import_tasks: + file: section_4/main.yml - name: Include section 5 patches - ansible.builtin.import_tasks: section_5/main.yml when: ubtu22cis_section5 - tags: - - section5 + tags: section5 + ansible.builtin.import_tasks: + file: section_5/main.yml - name: Include section 6 patches - ansible.builtin.import_tasks: - file: section_6/main.yml when: ubtu22cis_section6 - tags: - - section6 + tags: section6 + ansible.builtin.import_tasks: + file: section_6/main.yml -- name: Run auditd logic +- name: Include section 7 patches + when: ubtu22cis_section7 + tags: section7 ansible.builtin.import_tasks: - file: auditd.yml + file: section_7/main.yml + +- name: Run auditd logic when: update_audit_template - tags: - - always + tags: always + ansible.builtin.import_tasks: + file: auditd.yml - name: Flush handlers ansible.builtin.meta: flush_handlers - name: Reboot system + tags: always block: - - name: Reboot system if not skipped - ansible.builtin.reboot: - when: - - not skip_reboot - - change_requires_reboot - - - name: Warning a reboot required but skip option set - ansible.builtin.debug: - msg: "Warning!! 
changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" - changed_when: true - when: - - skip_reboot - - change_requires_reboot + - name: Reboot system if not skipped + when: + - not skip_reboot + - change_requires_reboot + ansible.builtin.reboot: + + - name: Warning a reboot required but skip option set + when: + - skip_reboot + - change_requires_reboot + ansible.builtin.debug: + msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" + changed_when: true - name: Run post remediation audit + when: run_audit + tags: run_audit ansible.builtin.import_tasks: - file: post_remediation_audit.yml - when: - - run_audit - tags: - - run_audit + file: post_remediation_audit.yml - name: Show Audit Summary + when: run_audit + tags: run_audit ansible.builtin.debug: - msg: "{{ audit_results.split('\n') }}" - when: - - run_audit - tags: - - run_audit + msg: "{{ audit_results.split('\n') }}" - name: If Warnings found Output count and control IDs affected - ansible.builtin.debug: - msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}" when: warn_count != 0 - tags: - - always + tags: always + ansible.builtin.debug: + msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}" diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index 76a72b03..5da43e2d 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml 
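Review bot: The assertion `that: prelim_ansible_user_password_set.stdout != "!!" and prelim_ansible_user_password_set.stdout | length > 10` does not detect a locked account despite the task name: a locked user on Ubuntu carries a hash prefixed with `!` (e.g. `!$y$...`), which is neither `!!` nor short, so the check passes and sudo access can still break once the rule is applied; adding `and not (prelim_ansible_user_password_set.stdout is match('[!*]'))` closes that gap. The lookup feeding it, `grep -w {{ ansible_env.SUDO_USER }} /etc/shadow`, is unanchored, so a name that appears as a word elsewhere in the file (`root` inside `not-root`) can return several lines; `getent shadow "{{ ansible_env.SUDO_USER }}" | cut -d: -f2` or anchoring on `^{{ ansible_env.SUDO_USER }}:` avoids that. The same applies to `grep ^{{ ubtu22cis_grub_user }} /etc/shadow` further down, which also matches any account whose name merely starts with the grub user's name, so `^{{ ubtu22cis_grub_user }}:` is the safer pattern. Separately, the leading `Check OS version and family` task only fails when the distribution is Ubuntu and the major version is not 22, so a non-Ubuntu host passes the check silently; `ansible_facts.distribution != 'Ubuntu' or` ahead of the version comparison is presumably what was intended.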
@@ -1,33 +1,33 @@ --- - name: "PRELIM | Parse /etc/passwd" + tags: + - always block: - - name: "PRELIM | Parse /etc/passwd | Get /etc/password contents" - ansible.builtin.shell: cat /etc/passwd - changed_when: false - check_mode: false - register: ubtu22cis_passwd_file_audit + - name: "PRELIM | Parse /etc/passwd | Get /etc/password contents" + ansible.builtin.command: cat /etc/passwd + changed_when: false + check_mode: false + register: prelim_passwd_file_audit - - name: "PRELIM | Parse /etc/passwd | Split passwd entries" - ansible.builtin.set_fact: - ubtu22cis_passwd: "{{ ubtu22cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" + - name: "PRELIM | Parse /etc/passwd | Split passwd entries" + ansible.builtin.set_fact: + ubtu22cis_passwd: "{{ prelim_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" - with_items: "{{ ubtu22cis_passwd_file_audit.stdout_lines }}" - vars: - ld_passwd_regex: >- - ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) - ld_passwd_yaml: | - id: >-4 - \g - password: >-4 - \g - uid: \g - gid: \g - gecos: >-4 - \g - dir: >-4 - \g - shell: >-4 - \g - tags: - - always + with_items: "{{ prelim_passwd_file_audit.stdout_lines }}" + vars: + ld_passwd_regex: >- + ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) + ld_passwd_yaml: | # pragma: allowlist secret + id: >-4 + \g + password: >-4 + \g + uid: \g + gid: \g + gecos: >-4 + \g + dir: >-4 + \g + shell: >-4 + \g diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index d58e9217..54d57852 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml 
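Review bot: The `with_items: "{{ prelim_passwd_file_audit.stdout_lines }}"` loop on the set_fact task re-evaluates the whole `map(...) | list` pipeline once per line of /etc/passwd and assigns the identical result each time; the expression never references `item`, so the loop can be dropped and the fact computed once. The named groups in `ld_passwd_regex` and the `\g` back-references in `ld_passwd_yaml` appear without their `<name>` parts on this page, which looks like rendering loss rather than a change in the commit, but it is worth confirming against the raw file since the expression would not work as shown.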
@@ -1,44 +1,42 @@ --- -- name: Post Audit | Run post_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" +- name: Post Audit | Run post_remediation {{ benchmark }} audit # noqa name[template] + ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" - AUDIT_FILE: goss.yml + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" + AUDIT_FILE: goss.yml - name: Post Audit | ensure audit files readable by users ansible.builtin.file: - path: "{{ item }}" - mode: '0644' - state: file + path: "{{ item }}" + mode: '0644' + state: file loop: - - "{{ post_audit_outfile }}" - - "{{ pre_audit_outfile }}" + - "{{ post_audit_outfile }}" + - "{{ pre_audit_outfile }}" - name: Post Audit | Capture audit data if json format - when: - - audit_format == "json" + when: audit_format == "json" block: - - name: Post Audit | Capture audit data if json format - ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4 - register: post_audit_summary - changed_when: false + - name: Post Audit | Capture audit data if json format + ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4 + changed_when: false + register: post_audit_summary - - name: Post Audit | Set Fact for audit summary - ansible.builtin.set_fact: - post_audit_results: "{{ post_audit_summary.stdout }}" + - name: Post Audit | Set Fact for audit summary + ansible.builtin.set_fact: + post_audit_results: "{{ post_audit_summary.stdout }}" - name: Post Audit | Capture audit data if documentation format - when: - - 
audit_format == "documentation" + when: audit_format == "documentation" block: - - name: Post Audit | Capture audit data if documentation format - ansible.builtin.shell: "tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation" - register: post_audit_summary - changed_when: false + - name: Post Audit | Capture audit data if documentation format + ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' + changed_when: false + register: post_audit_summary - - name: Post Audit | Set Fact for audit summary - ansible.builtin.set_fact: - post_audit_results: "{{ post_audit_summary.stdout }}" + - name: Post Audit | Set Fact for audit summary + ansible.builtin.set_fact: + post_audit_results: "{{ post_audit_summary.stdout }}" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index a745826f..3b4990cb 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
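Review bot: In the documentation-format block the new command `tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' '` reads the pre-remediation report, so `post_audit_results` is populated from the wrong file; this is the post-remediation counterpart and should read `"{{ post_audit_outfile }}"`, as the json block above already does. Moving run_audit.sh to `ansible.builtin.command` is an improvement; note that `group_names` is a list, so the `-g "..."` argument receives its list rendering, which is pre-existing but worth confirming against what run_audit.sh expects. Finally, `mode: '0644'` on both report files makes the full list of failed controls readable by every local account, so a tighter mode, or restricting access to the account that later fetches the files, should be considered.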
@@ -1,120 +1,108 @@ --- - name: Pre Audit Setup | Setup the LE audit - when: - - setup_audit - tags: - - setup_audit + when: setup_audit + tags: setup_audit ansible.builtin.include_tasks: - file: LE_audit_setup.yml + file: LE_audit_setup.yml -- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists +- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists # noqa name[template] ansible.builtin.file: - path: "{{ audit_conf_dir }}" - state: directory - mode: '0755' + path: "{{ audit_conf_dir }}" + mode: '0755' + state: directory - name: Pre Audit Setup | If using git for content set up - when: - - audit_content == 'git' + when: audit_content == 'git' block: - - name: Pre Audit Setup | Install git - ansible.builtin.package: - name: git - state: present + - name: Pre Audit Setup | Install git + ansible.builtin.package: + name: git + state: present - - name: Pre Audit Setup | Retrieve audit content files from git - ansible.builtin.git: - repo: "{{ audit_file_git }}" - dest: "{{ audit_conf_dir }}" - version: "{{ audit_git_version }}" + - name: Pre Audit Setup | Retrieve audit content files from git + ansible.builtin.git: + repo: "{{ audit_file_git }}" + dest: "{{ audit_conf_dir }}" + version: "{{ audit_git_version }}" - name: Pre Audit Setup | Copy to audit content files to server - when: - - audit_content == 'copy' + when: audit_content == 'copy' ansible.builtin.copy: - src: "{{ audit_conf_source }}" - dest: "{{ audit_conf_dest }}" - mode: preserve + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}" + mode: preserve - name: Pre Audit Setup | Unarchive audit content files on server - when: - - audit_content == 'archive' + when: audit_content == 'archive' ansible.builtin.unarchive: - src: "{{ audit_conf_source }}" - dest: "{{ audit_conf_dest }}" + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}" - name: Pre Audit Setup | Get audit content from url - when: - - audit_content == 'get_url' + when: audit_content == 'get_url' 
ansible.builtin.unarchive: - src: "{{ audit_conf_source }}" - dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit" - remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}" - extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}" + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit" + remote_src: "{{ (audit_conf_source is contains('http')) | ternary(true, false) }}" + extra_opts: "{{ (audit_conf_source is contains('github')) | ternary('--strip-components=1', []) }}" - name: Pre Audit Setup | Check Goss is available - when: - - run_audit + when: run_audit block: - - name: Pre Audit Setup | Check for goss file - ansible.builtin.stat: - path: "{{ audit_bin }}" - register: goss_available + - name: Pre Audit Setup | Check for goss file + ansible.builtin.stat: + path: "{{ audit_bin }}" + register: prelim_goss_available - - name: Pre Audit Setup | If audit ensure goss is available - when: - - not goss_available.stat.exists - ansible.builtin.assert: - msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" + - name: Pre Audit Setup | If audit ensure goss is available + when: not prelim_goss_available.stat.exists + ansible.builtin.assert: + msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - name: Pre Audit Setup | Copy ansible default vars values to test audit + when: run_audit tags: - - goss_template - - run_audit - when: - - run_audit + - goss_template + - run_audit ansible.builtin.template: - src: ansible_vars_goss.yml.j2 - dest: "{{ audit_vars_path }}" - mode: '0600' + src: ansible_vars_goss.yml.j2 + dest: "{{ audit_vars_path }}" + mode: '0600' -- name: Pre Audit | Run pre_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" +- name: Pre Audit | Run pre_remediation {{ 
benchmark }} audit # noqa name[template] + ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" - AUDIT_FILE: goss.yml + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" + AUDIT_FILE: goss.yml - name: Pre Audit | Capture audit data if json format - when: - - audit_format == "json" + when: audit_format == "json" block: - - name: Pre Audit | Capture audit data if json format - ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4 - register: pre_audit_summary - changed_when: false + - name: Pre Audit | Capture audit data if json format + ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4 + changed_when: false + register: pre_audit_summary - - name: Pre Audit | Set Fact for audit summary - ansible.builtin.set_fact: - pre_audit_results: "{{ pre_audit_summary.stdout }}" + - name: Pre Audit | Set Fact for audit summary + ansible.builtin.set_fact: + pre_audit_results: "{{ pre_audit_summary.stdout }}" - name: Pre Audit | Capture audit data if documentation format - when: - - audit_format == "documentation" + when: audit_format == "documentation" block: - - name: Pre Audit | Capture audit data if documentation format - ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' - register: pre_audit_summary - changed_when: false + - name: Pre Audit | Capture audit data if documentation format + ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' + changed_when: false + register: pre_audit_summary - - name: Pre Audit | Set Fact for audit summary - ansible.builtin.set_fact: - pre_audit_results: "{{ pre_audit_summary.stdout }}" + - name: Pre Audit | 
Set Fact for audit summary + ansible.builtin.set_fact: + pre_audit_results: "{{ pre_audit_summary.stdout }}" - name: Audit_Only | Run Audit Only - when: - - audit_only + when: audit_only ansible.builtin.import_tasks: - file: audit_only.yml + file: audit_only.yml diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 50d73e0e..2bd30871 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
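Review bot: The task `Pre Audit Setup | If audit ensure goss is available` calls `ansible.builtin.assert` with only `msg:` and no `that:`, which is a required argument, so when the binary is missing the play stops with an argument-validation error rather than the intended message. Replace the `when` + `msg` pair with `that: prelim_goss_available.stat.exists` and `fail_msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"`, or use `ansible.builtin.fail` under the existing `when`. The `get_url` path also unarchives remote content straight from `audit_conf_source` with no checksum or signature check, and `run_audit.sh` from that directory is then executed with the environment shown below, so unlike the goss binary download in LE_audit_setup.yml the audit content has no integrity verification; pinning a version or adding a checksum for the archive would close that gap.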
@@ -1,272 +1,312 @@ --- -- name: "PRELIM | AUDIT | Set default values for facts" + +- name: PRELIM | AUDIT | Set default values for facts ansible.builtin.set_fact: - control_1_6_1_4_was_run: false - ubtu22cis_apparmor_enforce_only: false + control_1_6_1_4_was_run: false + ubtu22cis_apparmor_enforce_only: false changed_when: false -- name: "PRELIM | AUDIT | Register if snap being used" +- name: PRELIM | AUDIT | Register if snap being used + when: ubtu22cis_rule_1_1_1_6 + tags: + - rule_1.1.1.2 + - always ansible.builtin.shell: df -h | grep -wc "/snap" changed_when: false - failed_when: snap_pkg_mgr.rc not in [ 0, 1 ] - register: snap_pkg_mgr - tags: - - rule_1.1.1.2 - - always - when: - - ubtu22cis_rule_1_1_1_2 + failed_when: prelim_snap_pkg_mgr.rc not in [ 0, 1 ] + register: prelim_snap_pkg_mgr -- name: "PRELIM | AUDIT | Register if squashfs is built into the kernel" - ansible.builtin.shell: cat /lib/modules/$(uname -r)/modules.builtin | grep -c "squashfs" +- name: PRELIM | AUDIT | Register if squashfs is built into the kernel + when: ubtu22cis_rule_1_1_1_6 + tags: always + ansible.builtin.shell: cat /lib/modules/$(uname -r)/modules.builtin | grep -c "squashfs" changed_when: false - failed_when: squashfs_builtin.rc not in [ 0, 1 ] - register: squashfs_builtin - tags: - - rule_1.1.1.2 - - always - when: - - ubtu22cis_rule_1_1_1_2 + failed_when: prelim_squashfs_builtin.rc not in [ 0, 1 ] + register: prelim_squashfs_builtin -- name: "PRELIM | AUDIT | Section 1.1 | Create list of mount points" +- name: PRELIM | AUDIT | Section 1.1 | Create list of mount points + tags: always ansible.builtin.set_fact: - mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" - tags: - - always + mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" -- name: PRELIM | AUDIT | Capture tmp mount type | discover mount tmp type +- name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options + tags: always block: - - name: PRELIM | AUDIT | Capture tmp mount 
type | discover mount tmp type - ansible.builtin.shell: systemctl is-enabled tmp.mount - register: discover_tmp_mnt_type - changed_when: false - failed_when: discover_tmp_mnt_type.rc not in [ 0, 1 ] - - - name: PRELIM | AUDIT | Capture tmp mount type | Set to expected_tmp_mnt variable - ansible.builtin.set_fact: - tmp_mnt_type: "{{ expected_tmp_mnt }}" - when: "'generated' in discover_tmp_mnt_type.stdout" - - - name: PRELIM | AUDIT | Capture tmp mount type | Set systemd service - ansible.builtin.set_fact: - tmp_mnt_type: tmp_systemd - when: "'generated' not in discover_tmp_mnt_type.stdout" - when: - - "'/tmp' in mount_names" - - ubtu22cis_rule_1_1_2_1 or - ubtu22cis_rule_1_1_2_2 or - ubtu22cis_rule_1_1_2_3 or - ubtu22cis_rule_1_1_2_4 - tags: - - always + - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - call mount # noqa command-instead-of-module + ansible.builtin.shell: | + mount | awk '{print $1, $3, $5, $6}' + changed_when: false + register: prelim_mount_output -- name: PRELIM | Initialize the mount options variable - block: - - name: PRELIM | Initializing the var if there is no /tmp mount | set_fact - ansible.builtin.set_fact: - tmp_partition_mount_options: [] - when: "'/tmp' not in mount_names" - - - name: PRELIM | Initializing the var if there is a /tmp mount | set_fact - ansible.builtin.set_fact: - tmp_partition_mount_options: "{{ item.options.split(',') }}" - loop: "{{ ansible_facts.mounts }}" - when: - - item.mount == "/tmp" - - "'/tmp' in mount_names" - tags: - - always + - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - build fact + ansible.builtin.set_fact: + prelim_mount_point_fs_and_options: >- + {%- set prelim_mount_point_fs_and_options = {} -%} + {%- for line in prelim_mount_output.stdout_lines -%} + {%- set fields = line.split() -%} + {%- set _ = prelim_mount_point_fs_and_options.update({fields[1]: {'src': fields[0], 'fs_type': fields[2], 'original_options': fields[3][1:-1].split(','), 'options': 
fields[3][1:-1].split(',')}}) -%} + {%- endfor -%} + {{ prelim_mount_point_fs_and_options }} -- name: "PRELIM | AUDIT | Check for autofs service" - ansible.builtin.shell: "systemctl show autofs | grep LoadState | cut -d = -f 2" - register: ubtu22cis_autofs_service_status - changed_when: false - check_mode: false - when: - - ubtu22cis_rule_1_1_9 - tags: - - skip_ansible_lint - - section1 - - always + - name: "PRELIM | AUDIT | Debug of mount variables to assist in troubleshooting" + when: ubtu22cis_debug_mount_data + ansible.builtin.debug: + msg: "{{ prelim_mount_point_fs_and_options }}" -- name: "PRELIM | AUDIT | Check for avahi-daemon service" - ansible.builtin.shell: "systemctl show avahi-daemon | grep LoadState | cut -d = -f 2" - register: avahi_service_status - changed_when: false - check_mode: false +- name: Include audit specific variables when: - - ubtu22cis_rule_2_2_2 + - run_audit or audit_only + - setup_audit tags: - - skip_ansible_lint - - always + - setup_audit + - run_audit + ansible.builtin.include_vars: + file: audit.yml -- name: "PRELIM | Include audit specific variables" - ansible.builtin.include_vars: audit.yml +- name: Include pre-remediation audit tasks when: - - run_audit or audit_only - - setup_audit - tags: - - setup_audit - - run_audit + - run_audit or audit_only + - setup_audit + tags: run_audit + ansible.builtin.import_tasks: + file: pre_remediation_audit.yml -- name: "PRELIM | Include pre-remediation audit tasks" - ansible.builtin.import_tasks: pre_remediation_audit.yml +- name: PRELIM | PATCH | Run apt update when: - - run_audit or audit_only - - setup_audit - tags: - - run_audit - -- name: "PRELIM | PATCH | Run apt update" + - ubtu22cis_rule_1_2_1_1 or + ubtu22cis_rule_1_2_2_1 + tags: always ansible.builtin.package: - update_cache: true - when: - - ubtu22cis_rule_1_3_1 or - ubtu22cis_rule_1_9 - tags: - - always + update_cache: true -- name: "PRELIM | PATCH | Install Network-Manager" - ansible.builtin.package: - name: network-manager - 
state: present - when: - - ubtu22cis_rule_3_1_2 - - ubtu22cis_install_network_manager - - not system_is_container - - "'network-manager' not in ansible_facts.packages" - tags: - - always +- name: PRELIM | AUDIT | Discover Gnome Desktop Environment + tags: always + ansible.builtin.stat: + path: /usr/share/gnome/gnome-version.xml + register: prelim_gnome_present + +- name: PRELIM | AUDIT | Discover dconf systemdb + when: ubtu22cis_gui + ansible.builtin.shell: grep system-db /etc/dconf/profile/user | cut -d ':' -f2 + changed_when: false + failed_when: prelim_dconf_system_db.rc not in [ 0, 1 ] + register: prelim_dconf_system_db -- name: "PRELIM | PATCH | Ensure auditd is installed" +- name: PRELIM | PATCH | Install cron if required + when: ubtu22cis_rule_2_4_1_1 + tags: always ansible.builtin.package: - name: ['auditd', 'audispd-plugins'] - state: present + name: cron + state: present + +- name: PRELIM | AUDIT | Wireless adapter pre-requisites when: - - "'auditd' not in ansible_facts.packages or - 'auditd-plugins' not in ansible_facts.packages" - - ubtu22cis_rule_4_1_1_1 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - always + - ubtu22cis_rule_3_1_2 + - not system_is_container + tags: always + block: + - name: PRELIM | AUDIT | Discover is wirelss adapter on system + ansible.builtin.shell: find /sys/class/net/*/ -type d -name wireless + changed_when: false + failed_when: prelim_wireless_adapters_exist.rc not in [ 0, 1 ] + register: prelim_wireless_adapters_exist -- name: "PRELIM | AUDIT | Audit conf and rules files | list files" - ansible.builtin.find: - path: /etc/audit/ - file_type: file - recurse: true - patterns: '*.conf,*.rules' - register: auditd_conf_files - tags: - - patch - - auditd - - always + - name: PRELIM | PATCH | Install Network-Manager | if wireless adapter present + when: + - ubtu22cis_install_network_manager + - prelim_wireless_adapters_exist.rc == 0 + - "'network-manager' not in ansible_facts.packages" + 
ansible.builtin.package: + name: network-manager + state: present -- name: "PRELIM | AUDIT | Check if auditd is immutable before changes" - ansible.builtin.shell: auditctl -l | grep -c '-e 2' - changed_when: false - failed_when: auditd_immutable_check.rc not in [ 0, 1 ] - register: auditd_immutable_check - when: "'auditd' in ansible_facts.packages" +- name: PRELIM | PATCH | Ensure ufw is installed + when: + - ubtu22cis_rule_4_1_1 + - ubtu22cis_ufw_use_sysctl + - "'ufw' not in ansible_facts.packages" tags: - - always + - level1-server + - level1-workstation + - patch + - rule_4.1.1 + - apt + - ufw + ansible.builtin.package: + name: ufw + state: present -- name: "PRELIM | PATCH | 5.3.4/5 | Find all sudoers files." +- name: PRELIM | PATCH | Find all sudoers files. + when: + - ubtu22cis_rule_5_2_4 or + ubtu22cis_rule_5_2_5 + tags: always ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" changed_when: false failed_when: false check_mode: false - register: ubtu22cis_sudoers_files + register: prelim_sudoers_files + +- name: PRELIM | PATCH | Ensure conf.d directory exists required for 5.3.3.2.x when: - - ubtu22cis_rule_5_3_4 or - ubtu22cis_rule_5_3_5 - tags: - - always + - ubtu22cis_rule_5_3_3_2_1 or + ubtu22cis_rule_5_3_3_2_2 or + ubtu22cis_rule_5_3_3_2_3 or + ubtu22cis_rule_5_3_3_2_4 or + ubtu22cis_rule_5_3_3_2_5 or + ubtu22cis_rule_5_3_3_2_6 + tags: always + ansible.builtin.file: + path: '/etc/security/pwquality.conf.d' + state: directory + owner: root + group: root + mode: 'g-w,o-rwx' -- name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def" +- name: PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def + when: not discover_int_uid + tags: always block: - - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def" - ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' - changed_when: false - register: uid_min_id - - - name: "PRELIM | AUDIT | Capture 
UID_MAX information from logins.def" - ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' - changed_when: false - register: uid_max_id - - - name: "PRELIM | AUDIT | Capture GID_MIN information from logins.def" - ansible.builtin.shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}' - changed_when: false - register: gid_min_id - - - name: "PRELIM | AUDIT | Set_facts for interactive uid/gid" - ansible.builtin.set_fact: - min_int_uid: "{{ uid_min_id.stdout }}" - max_int_uid: "{{ uid_max_id.stdout }}" - min_int_gid: "{{ gid_min_id.stdout }}" - when: - - not discover_int_uid - tags: - - always + - name: PRELIM | AUDIT | Capture UID_MIN information from logins.def + ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' + changed_when: false + register: prelim_uid_min_id + + - name: PRELIM | AUDIT | Capture UID_MAX information from logins.def + ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' + changed_when: false + register: prelim_uid_max_id -- name: "PRELIM | AUDIT | Interactive User accounts" + - name: PRELIM | AUDIT | Capture GID_MIN information from logins.def + ansible.builtin.shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}' + changed_when: false + register: prelim_gid_min_id + + - name: PRELIM | AUDIT | Set_facts for interactive uid/gid + ansible.builtin.set_fact: + min_int_uid: "{{ prelim_uid_min_id.stdout }}" + max_int_uid: "{{ prelim_uid_max_id.stdout }}" + min_int_gid: "{{ prelim_gid_min_id.stdout }}" + +- name: PRELIM | AUDIT | Interactive Users + tags: always ansible.builtin.shell: > - grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/false") { print $6 }' + grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }' changed_when: false - register: interactive_users_home - when: - - 
ubtu22cis_rule_6_2_11 or - ubtu22cis_rule_6_2_13 or - ubtu22cis_rule_6_2_14 or - ubtu22cis_rule_6_2_15 or - ubtu22cis_rule_6_2_16 - tags: - - always + register: prelim_interactive_usernames -- name: "PRELIM | PATCH | Install ACL" - ansible.builtin.package: - name: acl - state: present - when: - - ubtu22cis_rule_6_2_6 - - "'acl' not in ansible_facts.packages" - tags: - - always +- name: PRELIM | AUDIT | Interactive User accounts home directories + tags: always + ansible.builtin.shell: > + grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $6 }' + changed_when: false + register: prelim_interactive_users_home -- name: "PRELIM | AUDIT | Gather UID 0 accounts other than root" +- name: PRELIM | AUDIT | Interactive UIDs + tags: always + ansible.builtin.shell: > + grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }' + changed_when: false + register: prelim_interactive_uids + +- name: PRELIM | AUDIT | Gather UID 0 accounts other than root + when: ubtu22cis_rule_5_4_2_1 + tags: + - rule_5.4.2.1 + - level1-server + - level1-workstation + - users + - always ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" changed_when: false check_mode: false - register: ubtu22cis_uid_zero_accounts_except_root + register: prelim_uid_zero_accounts_except_root + +- name: PRELIM | PATCH | Create journald conf.d directory when: - - ubtu22cis_rule_6_2_10 + - ubtu22cis_rule_6_2_1_1_3 or + ubtu22cis_rule_6_2_1_1_5 or + ubtu22cis_rule_6_2_1_1_6 + tags: always + ansible.builtin.file: + path: /etc/systemd/journald.conf.d + state: directory + owner: root + group: root + mode: 'go-w' + +- name: PRELIM | PATCH | Ensure auditd is installed + when: + - ubtu22cis_rule_6_3_1_1 + - "'auditd' not in ansible_facts.packages or + 
'auditd-plugins' not in ansible_facts.packages" + tags: + - level2-server + - level2-workstation + - patch + - auditd + - always + ansible.builtin.package: + name: ['auditd', 'audispd-plugins'] + state: present + +- name: PRELIM | AUDIT | Audit conf and rules files | list files tags: - - rule_6.2.10 - - level1-server - - level1-workstation - - users - - always - -- name: "PRELIM | AUDIT | List users accounts" - ansible.builtin.shell: "awk -F: '{print $1}' /etc/passwd" + - patch + - auditd + - always + ansible.builtin.find: + path: /etc/audit/ + file_type: file + recurse: true + patterns: '*.conf,*.rules' + register: prelim_auditd_conf_files + +- name: PRELIM | AUDIT | Check if auditd is immutable before changes + when: "'auditd' in ansible_facts.packages" + tags: always + ansible.builtin.shell: auditctl -l | grep -c '-e 2' changed_when: false - check_mode: false - register: ubtu22cis_users + failed_when: prelim_auditd_immutable_check.rc not in [ 0, 1 ] + register: prelim_auditd_immutable_check + +- name: PRELIM | AUDIT | 6.3.4.x | Capture information about auditd logfile path | discover file + when: + - ubtu22cis_rule_6_3_4_1 or + ubtu22cis_rule_6_3_4_2 or + ubtu22cis_rule_6_3_4_3 or + ubtu22cis_rule_6_3_4_4 tags: - - always + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.4.1 + - rule_6.3.4.2 + - rule_6.3.4.3 + - rule_6.3.4.4 + ansible.builtin.shell: "grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'" + changed_when: false + failed_when: prelim_auditd_logfile.rc not in [0, 1] + register: prelim_auditd_logfile + +- name: PRELIM | PATCH | Install ACL + when: + - ubtu22cis_rule_7_2_9 + - "'acl' not in ansible_facts.packages" + tags: always + ansible.builtin.package: + name: acl + state: present ## Optional - name: "Optional | PATCH | UFW firewall force to use /etc/sysctl.conf settings" - ansible.builtin.lineinfile: - path: /etc/default/ufw - regexp: ^IPT_SYSCTL=.* - line: IPT_SYSCTL=/etc/sysctl.conf when: - - 
ubtu22cis_firewall_package == "ufw" - - ubtu22cis_ufw_use_sysctl - tags: - - always + - ubtu22cis_firewall_package == "ufw" + - ubtu22cis_ufw_use_sysctl + tags: always + ansible.builtin.lineinfile: + path: /etc/default/ufw + regexp: ^IPT_SYSCTL=.* + line: IPT_SYSCTL=/etc/sysctl.conf diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 5c3d41e7..a6319458 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml 
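Review bot: `prelim_wireless_adapters_exist.rc == 0` in the Install Network-Manager task does not test for a wireless adapter: `find` exits 0 whether or not it matched anything, so network-manager is installed whenever `ubtu22cis_install_network_manager` is set; gate on the output instead, `- prelim_wireless_adapters_exist.stdout | length > 0`. In the Ensure auditd is installed task the condition checks `'auditd-plugins' not in ansible_facts.packages` while the package actually installed is `audispd-plugins`, so that clause is always true and the install task runs on every play instead of being skipped once the packages are present. The Interactive UIDs awk filter omits the `$7 != "/dev/null"` clause that its two sibling tasks carry, so the UID list can include accounts that the username and home-directory lists exclude. The Discover dconf systemdb task is the only prelim task in this hunk without `tags: always`, so a tag-filtered run leaves `prelim_dconf_system_db` registered only as skipped for the tasks that consume it; `tags: always` would keep it consistent with its neighbours.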
@@ -1,102 +1,260 @@ --- -- name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled" +- name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available" + when: ubtu22cis_rule_1_1_1_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.1.1.1 + - cramfs + - NIST800-53R5_CM-7 block: - - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config" - ansible.builtin.lineinfile: - dest: /etc/modprobe.d/cramfs.conf - regexp: '^(#)?install cramfs(\\s|$)' - line: install cramfs /bin/true - create: true - - - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | blacklist" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/blacklist.conf - regexp: "^(#)?blacklist cramfs(\\s|$)" - line: "blacklist cramfs" - create: true - mode: '0600' - - - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs" - community.general.modprobe: - name: cramfs - state: absent - when: ansible_connection != 'docker' - notify: Update_Initramfs - when: - - ubtu22cis_rule_1_1_1_1 + - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Edit modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install cramfs(\\s|$)" + line: "install cramfs /bin/true" + create: true + mode: 'go-rwx' + + - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist cramfs(\\s|$)" + line: "blacklist cramfs" + create: true + mode: 'go-rwx' + + - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs" + when: not system_is_container + community.general.modprobe: + name: cramfs + state: absent + +- name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available" + when: ubtu22cis_rule_1_1_1_2 tags: - - level1-server - - level1-workstation - - automated - - patch - - 
rule_1.1.1.1 - - cramfs - -- name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled" + - level1-server + - level1-workstation + - patch + - rule_1.1.1.2 + - freevxfs + - NIST800-53R5_CM-7 block: - - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Edit modprobe config" - ansible.builtin.lineinfile: - dest: /etc/modprobe.d/squashfs.conf - regexp: '^(#)?install squashfs(\\s|$)' - line: install squashfs /bin/true - create: true - - - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | blacklist" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/blacklist.conf - regexp: "^(#)?blacklist squashfs(\\s|$)" - line: "blacklist squashfs" - create: true - mode: '0600' - - - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" - community.general.modprobe: - name: squashfs - state: absent - when: ansible_connection != 'docker' - notify: Update_Initramfs - when: - - ubtu22cis_rule_1_1_1_2 - - snap_pkg_mgr.stdout == "0" - - squashfs_builtin.stdout == "0" + - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Edit modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install freevxfs(\\s|$)" + line: "install freevxfs /bin/true" + create: true + mode: 'go-rwx' + + - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist freevxfs(\\s|$)" + line: "blacklist freevxfs" + create: true + mode: 'go-rwx' + + - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Disable freevxfs" + when: not system_is_container + community.general.modprobe: + name: freevxfs + state: absent + +- name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available" + when: ubtu22cis_rule_1_1_1_3 tags: - - level2-server - - level2-workstation - - automated - - patch - - 
rule_1.1.1.2 - - squashfs - -- name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disabled" + - level1-server + - level1-workstation + - patch + - rule_1.1.1.3 + - hfs + - NIST800-53R5_CM-7 block: - - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disabled | Edit modprobe config" - ansible.builtin.lineinfile: - dest: /etc/modprobe.d/udf.conf - regexp: '^(#)?install udf(\\s|$)' - line: install udf /bin/true - create: true - - - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disabled | blacklist" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/blacklist.conf - regexp: "^(#)?blacklist udf(\\s|$)" - line: "blacklist udf" - create: true - mode: '0600' - - - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disabled | Disable udf" - community.general.modprobe: - name: udf - state: absent - when: ansible_connection != 'docker' - notify: Update_Initramfs + - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Edit modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install hfs(\\s|$)" + line: "install hfs /bin/true" + create: true + mode: 'go-rwx' + + - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist hfs(\\s|$)" + line: "blacklist hfs" + create: true + mode: 'go-rwx' + + - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Disable hfs" + when: not system_is_container + community.general.modprobe: + name: hfs + state: absent + +- name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available" + when: ubtu22cis_rule_1_1_1_4 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.1.1.4 + - hfsplus + - NIST800-53R5_CM-7 + block: + - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Edit modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/CIS.conf + 
regexp: "^(#)?install hfsplus(\\s|$)" + line: "install hfsplus /bin/true" + create: true + mode: 'go-rwx' + + - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist hfsplus(\\s|$)" + line: "blacklist hfsplus" + create: true + mode: 'go-rwx' + + - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Disable hfsplus" + when: not system_is_container + community.general.modprobe: + name: hfsplus + state: absent + +- name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available" + when: ubtu22cis_rule_1_1_1_5 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.1.1.5 + - jffs2 + - NIST800-53R5_CM-7 + block: + - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Edit modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install jffs2(\\s|$)" + line: "install jffs2 /bin/true" + create: true + mode: 'go-rwx' + + - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist jffs2(\\s|$)" + line: "blacklist jffs2" + create: true + mode: 'go-rwx' + + - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Disable jffs2" + when: not system_is_container + community.general.modprobe: + name: jffs2 + state: absent + +- name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available" when: - - ubtu22cis_rule_1_1_1_3 + - ubtu22cis_rule_1_1_1_6 + - not prelim_squashfs_builtin + - prelim_snap_pkg_mgr.rc != 0 + tags: + - level2-server + - level2-workstation + - patch + - rule_1.1.1.6 + - squashfs + - NIST800-53R5_CM-7 + block: + - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Edit modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install 
squashfs(\\s|$)" + line: "install squashfs /bin/true" + create: true + mode: 'go-rwx' + + - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist squashfs(\\s|$)" + line: "blacklist squashfs" + create: true + mode: 'go-rwx' + + - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Disable squashfs" + when: not system_is_container + community.general.modprobe: + name: squashfs + state: absent + +- name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available" + when: ubtu22cis_rule_1_1_1_7 tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_1.1.1.3 - - udf + - level2-server + - level2-workstation + - patch + - rule_1.1.1.7 + - udf + - NIST800-53R5_CM-7 + block: + - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Edit modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install udf(\\s|$)" + line: "install udf /bin/true" + create: true + mode: 'go-rwx' + + - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist udf(\\s|$)" + line: "blacklist udf" + create: true + mode: 'go-rwx' + + - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Disable udf" + when: not system_is_container + community.general.modprobe: + name: udf + state: absent + +- name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available" + when: ubtu22cis_rule_1_1_1_8 + tags: + - level1-server + - level2-workstation + - patch + - rule_1.1.1.8 + - usb + - NIST800-53R5_SI-3 + block: + - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Edit modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install usb-storage(\\s|$)" + line: "install 
usb-storage /bin/true" + create: true + mode: 'go-rwx' + + - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist usb-storage(\\s|$)" + line: "blacklist usb-storage" + create: true + mode: 'go-rwx' + + - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Disable usb" + when: not system_is_container + community.general.modprobe: + name: usb-storage + state: absent diff --git a/tasks/section_1/cis_1.1.10.yml b/tasks/section_1/cis_1.1.10.yml deleted file mode 100644 index 4b964b62..00000000 --- a/tasks/section_1/cis_1.1.10.yml +++ /dev/null @@ -1,33 +0,0 @@ ---- - -- name: "1.1.10 | PATCH | Disable USB Storage" - block: - - name: "1.1.10 | PATCH | Disable USB Storage | Set modprobe config" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/usb_storage.conf - regexp: '^install usb-storage' - line: 'install usb-storage /bin/true' - create: true - - - name: "1.1.10 | PATCH | Disable USB Storage | Blacklist usb-storage" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/blacklist.conf - line: 'blacklist usb-storage' - insertafter: EOF - - - name: "1.1.10 | PATCH | Disable USB Storage | Remove usb-storage module" - community.general.modprobe: - name: usb-storage - state: absent - when: ansible_connection != 'docker' - notify: Update_Initramfs - when: - - ubtu22cis_rule_1_1_10 - - not ubtu22cis_allow_usb_storage - tags: - - level1-server - - level2-workstation - - automated - - patch - - rule_1.1.10 - - usb_storage diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml new file mode 100644 index 00000000..d33ea877 --- /dev/null +++ b/tasks/section_1/cis_1.1.2.1.x.yml 
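Review bot: The 1.1.1.6 condition `- not prelim_squashfs_builtin` can never be true, because `prelim_squashfs_builtin` is the registered result of the prelim shell task (a non-empty dict, truthy even when that task was skipped), so the squashfs rule is silently never applied; the pre-change code tested the command output, and `- prelim_squashfs_builtin.stdout == "0"` restores that. The companion clause `prelim_snap_pkg_mgr.rc != 0` relies on `grep -c` exiting 1 when nothing matched, which holds, but writing both tests in the same shape (`.stdout == "0"`) would make the intent obvious. The `notify: Update_Initramfs` that every module task carried before was dropped across all eight rules; if that handler still exists in the role, the modprobe.d changes will not reach the initramfs copy until something else rebuilds it, so either the drop deserves a one-line comment or the notify should stay.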
@@ -0,0 +1,132 @@
+---
+
+- name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition"
+ when:
+ - required_mount not in mount_names
+ - ubtu22cis_rule_1_1_2_1_1
+ tags:
+ - level1-server
+ - level1-workstation
+ - audit
+ - mounts
+ - rule_1.1.2.1.1
+ - NIST800-53R5_CM-7
+ vars:
+ warn_control_id: "1.1.2.1.1"
+ required_mount: "/tmp"
+ block:
+ - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | check for mount"
+ ansible.builtin.command: findmnt -kn "{{ required_mount }}"
+ changed_when: false
+ failed_when: discovered_tmp_mount.rc not in [ 0, 1 ]
+ register: discovered_tmp_mount
+
+ - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Absent"
+ when: discovered_tmp_mount is undefined
+ ansible.builtin.debug:
+ msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
+
+ - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Present"
+ when: discovered_tmp_mount is undefined
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
+
+# via fstab
+- name: "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition"
+ when:
+ - prelim_mount_point_fs_and_options[mount_point] is defined
+ - not prelim_mount_point_fs_and_options[mount_point]['src'] == "tmpfs"
+ - ubtu22cis_rule_1_1_2_1_2
+ - not ubtu22cis_tmp_svc
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - mounts
+ - rule_1.1.2.1.2
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ vars:
+ mount_point: "/tmp"
+ required_option: nodev
+ notify: &mount_option_notify
+ - "Remount {{ mount_point }}"
+ ansible.builtin.set_fact: &mount_option_set_fact
+ prelim_mount_point_fs_and_options: |
+ {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
+ changed_when: &mount_option_changed_when
+ - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options']
+
+- name: "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition"
+ when:
+ - prelim_mount_point_fs_and_options[mount_point] is defined
+ - not prelim_mount_point_fs_and_options[mount_point]['src'] == "tmpfs"
+ - ubtu22cis_rule_1_1_2_1_3
+ - not ubtu22cis_tmp_svc
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - mounts
+ - rule_1.1.2.1.3
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ vars:
+ mount_point: "/tmp"
+ required_option: nosuid
+ notify: *mount_option_notify
+ ansible.builtin.set_fact:
+ <<: *mount_option_set_fact
+ changed_when: *mount_option_changed_when
+
+- name: "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition"
+ when:
+ - prelim_mount_point_fs_and_options[mount_point] is defined
+ - not prelim_mount_point_fs_and_options[mount_point]['src'] == "tmpfs"
+ - ubtu22cis_rule_1_1_2_1_4
+ - not ubtu22cis_tmp_svc
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - mounts
+ - rule_1.1.2.1.4
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ vars:
+ mount_point: "/tmp"
+ required_option: noexec
+ notify: *mount_option_notify
+ ansible.builtin.set_fact:
+ <<: *mount_option_set_fact
+ changed_when: *mount_option_changed_when
+
+# via systemd
+- name: |
+ "1.1.2.1.1 | PATCH | Ensure /tmp is configured
+ 1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition
+ 1.1.2.1.3 | PATCH | Ensure noexec option set on /tmp partition
+ 1.1.2.1.4 | PATCH | Ensure nosuid option set on /tmp partition"
+ when:
+ - ubtu22cis_tmp_svc
+ - ubtu22cis_rule_1_1_2_1_1 or ubtu22cis_rule_1_1_2_1_2 or ubtu22cis_rule_1_1_2_1_3 or ubtu22cis_rule_1_1_2_1_4
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - mounts
+ - rule_1.1.2.1.1
+ - rule_1.1.2.1.2
+ - rule_1.1.2.1.3
+ - rule_1.1.2.1.4
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ vars:
+ mount_point: "/tmp"
+ ansible.builtin.template:
+ src: etc/systemd/system/tmp.mount.j2
+ dest: /etc/systemd/system/tmp.mount
+ owner: root
+ group: root
+ mode: "go-wx"
+ notify: *mount_option_notify
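Review bot: `when: discovered_tmp_mount is undefined` on the Absent and Present tasks in 1.1.2.1.1 is never true, because the `register` on the findmnt task always defines the variable (also when that task is skipped), so the warning message and the warning_facts import never run; findmnt exits 1 when the mount is not found, so `when: discovered_tmp_mount.rc != 0` is the test both tasks want. The same `is undefined` pattern appears in the 1.1.2.2.1 block of tasks/section_1/cis_1.1.2.2.x.yml and needs the same fix there. In the combined systemd task's name the labels for 1.1.2.1.3 and 1.1.2.1.4 are swapped relative to the individual tasks above it (1.1.2.1.3 is nosuid, 1.1.2.1.4 is noexec).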
diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml new file mode 100644 index 00000000..81aa836d --- /dev/null +++ b/tasks/section_1/cis_1.1.2.2.x.yml 
@@ -0,0 +1,95 @@
+---
+
+- name: "1.1.2.2.1 | PATCH | Ensure /dev/shm is a separate partition"
+ when:
+ - ubtu22cis_rule_1_1_2_2_1
+ - required_mount not in mount_names
+ tags:
+ - level1-server
+ - level1-workstation
+ - audit
+ - mounts
+ - rule_1.1.2.2.1
+ - NIST800-53R5_CM-7
+ vars:
+ warn_control_id: "1.1.2.2.1"
+ required_mount: "/dev/shm"
+ block:
+ - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check for mount"
+ ansible.builtin.command: findmnt -kn "{{ required_mount }}"
+ changed_when: false
+ failed_when: discovered_dev_shm_mount.rc not in [ 0, 1 ]
+ register: discovered_dev_shm_mount
+
+ - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent"
+ when: discovered_dev_shm_mount is undefined
+ ansible.builtin.debug:
+ msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
+
+ - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Present"
+ when: discovered_dev_shm_mount is undefined
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
+
+- name: "1.1.2.2.2 | PATCH | Ensure nodev option set on /dev/shm partition"
+ when:
+ - prelim_mount_point_fs_and_options[mount_point] is defined
+ - ubtu22cis_rule_1_1_2_2_2
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - mounts
+ - rule_1.1.2.2.2
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ vars:
+ mount_point: "/dev/shm"
+ required_option: nodev
+ notify: &mount_option_notify
+ - "Remount {{ mount_point }}"
+ ansible.builtin.set_fact: &mount_option_set_fact
+ prelim_mount_point_fs_and_options: |
+ {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
+ changed_when: &mount_option_changed_when
+ - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options']
+
+- name: "1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition"
+ when:
+ -
prelim_mount_point_fs_and_options[mount_point] is defined
+ - ubtu22cis_rule_1_1_2_2_3
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - mounts
+ - rule_1.1.2.2.3
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ vars:
+ mount_point: "/dev/shm"
+ required_option: nosuid
+ notify: *mount_option_notify
+ ansible.builtin.set_fact:
+ <<: *mount_option_set_fact
+ changed_when: *mount_option_changed_when
+
+- name: "1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition"
+ when:
+ - prelim_mount_point_fs_and_options[mount_point] is defined
+ - ubtu22cis_rule_1_1_2_2_4
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - mounts
+ - rule_1.1.2.2.4
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ vars:
+ mount_point: "/dev/shm"
+ required_option: noexec
+ notify: *mount_option_notify
+ ansible.builtin.set_fact:
+ <<: *mount_option_set_fact
+ changed_when: *mount_option_changed_when
diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml
new file mode 100644
index 00000000..d41d339b
--- /dev/null
+++ b/tasks/section_1/cis_1.1.2.3.x.yml
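Review bot: The `Absent` and `Present` tasks inside the 1.1.2.2.1 block are gated on `discovered_dev_shm_mount is undefined`, but the task two lines above always registers that variable, so neither the warning nor the warning_facts.yml import can ever run; the cis_1.1.2.x.yml this replaces emitted the warning unconditionally inside the gated block. Both conditions should test the findmnt result instead, e.g. `when: discovered_dev_shm_mount.rc != 0`, since the `failed_when` already treats exit status 1 as "not mounted". The same unreachable condition appears in cis_1.1.2.5.x.yml, cis_1.1.2.6.x.yml and cis_1.1.2.7.x.yml. Separately, the outer task is named `| PATCH |` while it is tagged `audit` and only warns; `| AUDIT |` would match its inner tasks and its tag.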
@@ -0,0 +1,74 @@
+---
+- name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition"
+ when:
+ - ubtu22cis_rule_1_1_2_3_1
+ - required_mount not in mount_names
+ tags:
+ - level1-server
+ - level1-workstation
+ - audit
+ - mounts
+ - rule_1.1.2.3.1
+ - NIST800-53R5_CM-7
+ vars:
+ warn_control_id: "1.1.2.3.1"
+ required_mount: "/home"
+ block:
+ - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | check for mount"
+ ansible.builtin.command: findmnt -kn "{{ required_mount }}"
+ changed_when: false
+ failed_when: discovered_home_mount.rc not in [ 0, 1 ]
+ register: discovered_home_mount
+
+ - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Absent"
+ when: discovered_dev_shm_mount is undefined
+ ansible.builtin.debug:
+ msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
+
+ - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Present"
+ when: discovered_dev_shm_mount is undefined
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
+
+- name: "1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition"
+ when:
+ - prelim_mount_point_fs_and_options[mount_point] is defined
+ - ubtu22cis_rule_1_1_2_3_2
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - mounts
+ - rule_1.1.2.3.2
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ vars:
+ mount_point: "/home"
+ required_option: nodev
+ notify: &mount_option_notify
+ - "Remount {{ mount_point }}"
+ ansible.builtin.set_fact: &mount_option_set_fact
+ prelim_mount_point_fs_and_options: |
+ {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
+ changed_when: &mount_option_changed_when
+ - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options']
+
+- name: "1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition"
+ when:
+ - prelim_mount_point_fs_and_options[mount_point] is
defined
+ - ubtu22cis_rule_1_1_2_3_3
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - mounts
+ - rule_1.1.2.3.3
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ vars:
+ mount_point: "/home"
+ required_option: nosuid
+ notify: *mount_option_notify
+ ansible.builtin.set_fact:
+ <<: *mount_option_set_fact
+ changed_when: *mount_option_changed_when
diff --git a/tasks/section_1/cis_1.1.2.4.x.yml b/tasks/section_1/cis_1.1.2.4.x.yml
new file mode 100644
index 00000000..d934a51c
--- /dev/null
+++ b/tasks/section_1/cis_1.1.2.4.x.yml
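Review bot: The `Absent` and `Present` tasks for 1.1.2.3.1 test `discovered_dev_shm_mount`, but this block registers `discovered_home_mount`, so whether the /home warning fires depends on whether the /dev/shm check happened to run earlier in the play rather than on this file's findmnt result. Both conditions should use the variable registered two tasks above, e.g. `when: discovered_home_mount.rc != 0`. cis_1.1.2.4.x.yml carries the same copy-paste, testing `discovered_dev_shm_mount` where `discovered_var_mount` is what it registers.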
@@ -0,0 +1,75 @@
+---
+
+- name: "1.1.2.4.1 | PATCH | Ensure /var is a separate partition"
+ when:
+ - ubtu22cis_rule_1_1_2_4_1
+ - required_mount not in mount_names
+ tags:
+ - level1-server
+ - level1-workstation
+ - audit
+ - mounts
+ - rule_1.1.2.4.1
+ - NIST800-53R5_CM-7
+ vars:
+ warn_control_id: '1.1.2.4.1'
+ required_mount: '/var'
+ block:
+ - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | check for mount"
+ ansible.builtin.command: findmnt -kn "{{ required_mount }}"
+ changed_when: false
+ failed_when: discovered_var_mount.rc not in [ 0, 1 ]
+ register: discovered_var_mount
+
+ - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Absent"
+ when: discovered_dev_shm_mount is undefined
+ ansible.builtin.debug:
+ msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
+
+ - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Present"
+ when: discovered_dev_shm_mount is undefined
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
+
+- name: "1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition"
+ when:
+ - prelim_mount_point_fs_and_options[mount_point] is defined
+ - ubtu22cis_rule_1_1_2_4_2
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - mounts
+ - rule_1.1.2.4.2
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ vars:
+ mount_point: "/var"
+ required_option: nodev
+ notify: &mount_option_notify
+ - "Remount {{ mount_point }}"
+ ansible.builtin.set_fact: &mount_option_set_fact
+ prelim_mount_point_fs_and_options: |
+ {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
+ changed_when: &mount_option_changed_when
+ - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options']
+
+- name: "1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition"
+ when:
+ - prelim_mount_point_fs_and_options[mount_point] is defined
+ -
ubtu22cis_rule_1_1_2_4_3
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - mounts
+ - rule_1.1.2.4.3
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ vars:
+ mount_point: "/var"
+ required_option: nosuid
+ notify: *mount_option_notify
+ ansible.builtin.set_fact:
+ <<: *mount_option_set_fact
+ changed_when: *mount_option_changed_when
diff --git a/tasks/section_1/cis_1.1.2.5.x.yml b/tasks/section_1/cis_1.1.2.5.x.yml
new file mode 100644
index 00000000..ea1140dd
--- /dev/null
+++ b/tasks/section_1/cis_1.1.2.5.x.yml
@@ -0,0 +1,95 @@
+---
+
+- name: "1.1.2.5.1 | PATCH | Ensure /var/tmp is a separate partition"
+ when:
+ - ubtu22cis_rule_1_1_2_5_1
+ - required_mount not in mount_names
+ tags:
+ - level1-server
+ - level1-workstation
+ - audit
+ - mounts
+ - rule_1.1.2.5.1
+ - NIST800-53R5_CM-7
+ vars:
+ warn_control_id: '1.1.2.5.1'
+ required_mount: '/var/tmp'
+ block:
+ - name: "1.1.2.5.1 | AUDIT | Ensure /var/tmp is a separate partition | check for mount"
+ ansible.builtin.command: findmnt -kn "{{ required_mount }}"
+ changed_when: false
+ failed_when: discovered_var_tmp_mount.rc not in [ 0, 1 ]
+ register: discovered_var_tmp_mount
+
+ - name: "1.1.2.5.1 | AUDIT | Ensure /var/tmp is a separate partition | Absent"
+ when: discovered_var_tmp_mount is undefined
+ ansible.builtin.debug:
+ msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
+
+ - name: "1.1.2.5.1 | AUDIT | Ensure /var/tmp is a separate partition | Present"
+ when: discovered_var_tmp_mount is undefined
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
+
+- name: "1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition"
+ when:
+ - prelim_mount_point_fs_and_options[mount_point] is defined
+ - ubtu22cis_rule_1_1_2_5_2
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - mounts
+ - rule_1.1.2.5.2
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ vars:
+ mount_point: "/var/tmp"
+ required_option: nodev
+ notify: &mount_option_notify
+ - "Remount {{ mount_point }}"
+ ansible.builtin.set_fact: &mount_option_set_fact
+ prelim_mount_point_fs_and_options: |
+ {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
+ changed_when: &mount_option_changed_when
+ - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options']
+
+- name: "1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition"
+ when:
+ -
prelim_mount_point_fs_and_options[mount_point] is defined
+ - ubtu22cis_rule_1_1_2_5_3
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - mounts
+ - rule_1.1.2.5.3
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ vars:
+ mount_point: "/var/tmp"
+ required_option: nosuid
+ notify: *mount_option_notify
+ ansible.builtin.set_fact:
+ <<: *mount_option_set_fact
+ changed_when: *mount_option_changed_when
+
+- name: "1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition"
+ when:
+ - prelim_mount_point_fs_and_options[mount_point] is defined
+ - ubtu22cis_rule_1_1_2_5_4
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - mounts
+ - rule_1.1.2.5.4
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ vars:
+ mount_point: "/var/tmp"
+ required_option: noexec
+ notify: *mount_option_notify
+ ansible.builtin.set_fact:
+ <<: *mount_option_set_fact
+ changed_when: *mount_option_changed_when
diff --git a/tasks/section_1/cis_1.1.2.6.x.yml b/tasks/section_1/cis_1.1.2.6.x.yml
new file mode 100644
index 00000000..9d6eaae5
--- /dev/null
+++ b/tasks/section_1/cis_1.1.2.6.x.yml
@@ -0,0 +1,95 @@
+---
+
+- name: "1/.1 | PATCH | Ensure /var/log is a separate partition"
+ when:
+ - ubtu22cis_rule_1_1_2_6_1
+ - required_mount not in mount_names
+ tags:
+ - level1-server
+ - level1-workstation
+ - audit
+ - mounts
+ - rule_1.1.2.6.1
+ - NIST800-53R5_CM-7
+ vars:
+ warn_control_id: '1.1.2.6.1'
+ required_mount: '/var/log'
+ block:
+ - name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition | check for mount"
+ ansible.builtin.command: findmnt -kn "{{ required_mount }}"
+ changed_when: false
+ failed_when: discovered_var_log_mount.rc not in [ 0, 1 ]
+ register: discovered_var_log_mount
+
+ - name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition | Absent"
+ when: discovered_var_log_mount is undefined
+ ansible.builtin.debug:
+ msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
+
+ - name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition | Present"
+ when: discovered_var_log_mount is undefined
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
+
+- name: "1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition"
+ when:
+ - prelim_mount_point_fs_and_options[mount_point] is defined
+ - ubtu22cis_rule_1_1_2_6_2
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - mounts
+ - rule_1.1.2.6.2
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ vars:
+ mount_point: "/var/log"
+ required_option: nodev
+ notify: &mount_option_notify
+ - "Remount {{ mount_point }}"
+ ansible.builtin.set_fact: &mount_option_set_fact
+ prelim_mount_point_fs_and_options: |
+ {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
+ changed_when: &mount_option_changed_when
+ - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options']
+
+- name: "1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition"
+ when:
+ -
prelim_mount_point_fs_and_options[mount_point] is defined
+ - ubtu22cis_rule_1_1_2_6_3
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - mounts
+ - rule_1.1.2.6.3
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ vars:
+ mount_point: "/var/log"
+ required_option: nosuid
+ notify: *mount_option_notify
+ ansible.builtin.set_fact:
+ <<: *mount_option_set_fact
+ changed_when: *mount_option_changed_when
+
+- name: "1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition"
+ when:
+ - prelim_mount_point_fs_and_options[mount_point] is defined
+ - ubtu22cis_rule_1_1_2_6_4
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - mounts
+ - rule_1.1.2.6.4
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ vars:
+ mount_point: "/var/log"
+ required_option: noexec
+ notify: *mount_option_notify
+ ansible.builtin.set_fact:
+ <<: *mount_option_set_fact
+ changed_when: *mount_option_changed_when
diff --git a/tasks/section_1/cis_1.1.2.7.x.yml b/tasks/section_1/cis_1.1.2.7.x.yml
new file mode 100644
index 00000000..b310e086
--- /dev/null
+++ b/tasks/section_1/cis_1.1.2.7.x.yml
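Review bot: The first task in this file is named `"1/.1 | PATCH | Ensure /var/log is a separate partition"`; the control id is garbled and no longer matches the `warn_control_id: '1.1.2.6.1'` it sets or the `rule_1.1.2.6.1` tag, so play output and any name-based task selection diverge from the other files. It should read `"1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition"` (AUDIT, since the block only warns and is tagged `audit`). cis_1.1.2.7.x.yml has the same `1/.1` name and should read `1.1.2.7.1`.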
@@ -0,0 +1,95 @@
+---
+
+- name: "1/.1 | PATCH | Ensure /var/log/audit is a separate partition"
+ when:
+ - ubtu22cis_rule_1_1_2_7_1
+ - required_mount not in mount_names
+ tags:
+ - level1-server
+ - level1-workstation
+ - audit
+ - mounts
+ - rule_1.1.2.7.1
+ - NIST800-53R5_CM-7
+ vars:
+ warn_control_id: '1.1.2.7.1'
+ required_mount: '/var/log/audit'
+ block:
+ - name: "1.1.2.7.1 | AUDIT | Ensure /var/log/audit is a separate partition | check for mount"
+ ansible.builtin.command: findmnt -kn "{{ required_mount }}"
+ changed_when: false
+ failed_when: discovered_var_log_audit_mount.rc not in [ 0, 1 ]
+ register: discovered_var_log_audit_mount
+
+ - name: "1.1.2.7.1 | AUDIT | Ensure /var/log/audit is a separate partition | Absent"
+ when: discovered_var_log_audit_mount is undefined
+ ansible.builtin.debug:
+ msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
+
+ - name: "1.1.2.7.1 | AUDIT | Ensure /var/log/audit is a separate partition | Present"
+ when: discovered_var_log_audit_mount is undefined
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
+
+- name: "1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition"
+ when:
+ - prelim_mount_point_fs_and_options[mount_point] is defined
+ - ubtu22cis_rule_1_1_2_7_2
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - mounts
+ - rule_1.1.2.7.2
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ vars:
+ mount_point: "/var/log/audit"
+ required_option: nodev
+ notify: &mount_option_notify
+ - "Remount {{ mount_point }}"
+ ansible.builtin.set_fact: &mount_option_set_fact
+ prelim_mount_point_fs_and_options: |
+ {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
+ changed_when: &mount_option_changed_when
+ - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options']
+
+- name: "1.1.2.7.3 | PATCH | Ensure nosuid option
set on /var/log/audit partition"
+ when:
+ - prelim_mount_point_fs_and_options[mount_point] is defined
+ - ubtu22cis_rule_1_1_2_7_3
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - mounts
+ - rule_1.1.2.7.3
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ vars:
+ mount_point: "/var/log/audit"
+ required_option: nosuid
+ notify: *mount_option_notify
+ ansible.builtin.set_fact:
+ <<: *mount_option_set_fact
+ changed_when: *mount_option_changed_when
+
+- name: "1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition"
+ when:
+ - prelim_mount_point_fs_and_options[mount_point] is defined
+ - ubtu22cis_rule_1_1_2_7_4
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - mounts
+ - rule_1.1.2.7.4
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ vars:
+ mount_point: "/var/log/audit"
+ required_option: noexec
+ notify: *mount_option_notify
+ ansible.builtin.set_fact:
+ <<: *mount_option_set_fact
+ changed_when: *mount_option_changed_when
diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml
deleted file mode 100644
index 9d2b903a..00000000
--- a/tasks/section_1/cis_1.1.2.x.yml
+++ /dev/null
@@ -1,78 +0,0 @@
----
-
-- name: "1.1.2.1 | AUDIT | Ensure /tmp is a separate partition"
- block:
- - name: "1.1.2.1 | AUDIT | Ensure /tmp is a separate partition | Absent"
- ansible.builtin.debug:
- msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
-
- - name: "1.1.2.1 | WARN | Ensure /tmp is a separate partition | warn_count"
- ansible.builtin.import_tasks:
- file: warning_facts.yml
- vars:
- warn_control_id: '1.1.2.1'
- required_mount: '/tmp'
- when:
- - required_mount not in mount_names
- - ubtu22cis_rule_1_1_2_1
- tags:
- - level1-server
- - level1-workstation
- - audit
- - mounts
- - rule_1.1.2.1
- - tmp
-
-- name: "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition"
- ansible.builtin.set_fact:
- tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nodev' ] }}"
- changed_when: true
- notify: Writing and remounting tmp
- vars:
- required_mount: '/tmp'
- when:
- - required_mount in mount_names
- - ubtu22cis_rule_1_1_2_2
- tags:
- - level1-server
- - level1-workstation
- - automated
- - patch
- - rule_1.1.2.2
- - tmp
-
-- name: "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition"
- ansible.builtin.set_fact:
- tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'noexec' ] }}"
- changed_when: true
- notify: Writing and remounting tmp
- vars:
- required_mount: '/tmp'
- when:
- - required_mount in mount_names
- - ubtu22cis_rule_1_1_2_3
- tags:
- - level1-server
- - level1-workstation
- - automated
- - patch
- - rule_1.1.2.3
- - tmp
-
-- name: "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition"
- ansible.builtin.set_fact:
- tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nosuid' ] }}"
- changed_when: true
- notify: Writing and remounting tmp
- vars:
- required_mount: '/tmp'
- when:
- - required_mount in mount_names
- - ubtu22cis_rule_1_1_2_4
- tags:
- - level1-server
- - level1-workstation
- - automated
- - patch
- - rule_1.1.2.4
- - tmp
diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml
deleted file mode 100644
index 3e67519b..00000000
--- a/tasks/section_1/cis_1.1.3.x.yml
+++ /dev/null
@@ -1,50 +0,0 @@
----
-
-- name: "1.1.3.1 | AUDIT | Ensure /var is a separate partition"
- block:
- - name: "1.1.3.1 | AUDIT | Ensure /var is a separate partition | Absent"
- ansible.builtin.debug:
- msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
-
- - name: "1.1.3.1 | WARN | Ensure /var is a separate partition | warn_count"
- ansible.builtin.import_tasks:
- file: warning_facts.yml
- vars:
- warn_control_id: '1.1.3.1'
- required_mount: '/var'
- when:
- - required_mount not in mount_names
- - ubtu22cis_rule_1_1_3_1
- tags:
- - level2-server
- - level2-workstation
- - automated
- - audit
- - rule_1.1.3.1
- - var
-
-- name: |
- "1.1.3.2 | PATCH | Ensure /var partition includes the nodev option"
- "1.1.3.3 | PATCH | Ensure /var partition includes the nosuid option"
- ansible.posix.mount:
- path: /var
- src: "{{ item.device }}"
- state: present
- fstype: "{{ item.fstype }}"
- opts: defaults,{% if ubtu22cis_rule_1_1_3_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_3_3 %}nosuid{% endif %}
- notify: Remount var
- loop: "{{ ansible_facts.mounts }}"
- loop_control:
- label: "{{ item.device }}"
- when:
- - item.mount == "/var"
- - ubtu22cis_rule_1_1_3_2 or
- ubtu22cis_rule_1_1_3_3
- tags:
- - level1-server
- - level1-workstation
- - automated
- - patch
- - rule_1.1.3.2
- - rule_1.1.3.3
- - var
diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml
deleted file mode 100644
index ecfe566f..00000000
--- a/tasks/section_1/cis_1.1.4.x.yml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-
-- name: "1.1.4.1 | AUDIT | Ensure /var/tmp is a separate partition"
- block:
- - name: "1.1.4.1 | AUDIT | Ensure /var/tmp is a separate partition | Absent"
- ansible.builtin.debug:
- msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
-
- - name: "1.1.4.1 | WARN | Ensure /var/tmp is a separate partition | warn_count"
- ansible.builtin.import_tasks:
- file: warning_facts.yml
- vars:
- warn_control_id: '1.1.4.1'
- required_mount: '/var/tmp'
- when:
- - required_mount not in mount_names
- - ubtu22cis_rule_1_1_4_1
- tags:
- - level2-server
- - level2-workstation
- - automated
- - audit
- - rule_1.1.4.1
- - var
-
-- name: |
- "1.1.4.2 | PATCH | Ensure /var/tmp partition includes the noexec option"
- "1.1.4.3 | PATCH | Ensure /var/tmp partition includes the nosuid option"
- "1.1.4.4 | PATCH | Ensure /var/tmp partition includes the nodev option"
- ansible.posix.mount:
- path: /var/tmp
- src: "{{ item.device }}"
- state: present
- fstype: "{{ item.fstype }}"
- opts: defaults,{% if ubtu22cis_rule_1_1_4_2 %}noexec,{% endif %}{% if ubtu22cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if ubtu22cis_rule_1_1_4_4 %}nodev{% endif %}
- notify: Remount var_tmp
- with_items: "{{ ansible_facts.mounts }}"
- loop_control:
- label: "{{ item.device }}"
- when:
- - item.mount == "/var/tmp"
- - ubtu22cis_rule_1_1_4_2 or
- ubtu22cis_rule_1_1_4_3 or
- ubtu22cis_rule_1_1_4_4
- tags:
- - level1-server
- - level1-workstation
- - automated
- - patch
- - rule_1.1.4.2
- - rule_1.1.4.3
- - rule_1.1.4.4
- - var
diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml
deleted file mode 100644
index 87336843..00000000
--- a/tasks/section_1/cis_1.1.5.x.yml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-
-- name: "1.1.5.1 | AUDIT | Ensure /var/log is a separate partition"
- block:
- - name: "1.1.5.1 | AUDIT | Ensure /var/log is a separate partition | Absent"
- ansible.builtin.debug:
- msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
-
- - name: "1.1.5.1 | WARN | Ensure /var/log is a separate partition | warn_count"
- ansible.builtin.import_tasks:
- file: warning_facts.yml
- vars:
- warn_control_id: '1.1.5.1'
- required_mount: '/var/log'
- when:
- - required_mount not in mount_names
- - ubtu22cis_rule_1_1_5_1
- tags:
- - level2-server
- - level2-workstation
- - automated
- - audit
- - rule_1.1.5.1
- - varlog
-
-- name: |
- "1.1.5.2 | PATCH | Ensure /var/log partition includes the nodev option"
- "1.1.5.3 | PATCH | Ensure /var/log partition includes the noexec option"
- "1.1.5.4 | PATCH | Ensure /var/log partition includes the nosuid option"
- ansible.posix.mount:
- path: /var/log
- src: "{{ item.device }}"
- state: present
- fstype: "{{ item.fstype }}"
- opts: defaults,{% if ubtu22cis_rule_1_1_5_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_5_3 %}noexec,{% endif %}{% if ubtu22cis_rule_1_1_5_4 %}nosuid{% endif %}
- notify: Remount var_log
- loop: "{{ ansible_facts.mounts }}"
- loop_control:
- label: "{{ item.device }}"
- when:
- - item.mount == "/var/log"
- - ubtu22cis_rule_1_1_5_2 or
- ubtu22cis_rule_1_1_5_3 or
- ubtu22cis_rule_1_1_5_4
- tags:
- - level1-server
- - level1-workstation
- - automated
- - patch
- - rule_1.1.5.2
- - rule_1.1.5.3
- - rule_1.1.5.4
- - varlog
diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml
deleted file mode 100644
index 215db097..00000000
--- a/tasks/section_1/cis_1.1.6.x.yml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-
-- name: "1.1.6.1 | AUDIT | Ensure /var/log/audit is a separate partition"
- block:
- - name: "1.1.6.1 | AUDIT | Ensure /var/log/audit is a separate partition | Absent"
- ansible.builtin.debug:
- msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
-
- - name: "1.1.6.1 | WARN | Ensure /var/log/audit is a separate partition | warn_count"
- ansible.builtin.import_tasks:
- file: warning_facts.yml
- vars:
- warn_control_id: '1.1.6.1'
- required_mount: '/var/log/audit'
- when:
- - required_mount not in mount_names
- - ubtu22cis_rule_1_1_6_1
- tags:
- - level2-server
- - level2-workstation
- - automated
- - audit
- - rule_1.1.6.1
- - varlogaudit
-
-- name: |
- "1.1.6.2 | PATCH | Ensure /var/log/audit partition includes the noexec option"
- "1.1.6.3 | PATCH | Ensure /var/log/audit partition includes the nodev option"
- "1.1.6.4 | PATCH | Ensure /var/log/audit partition includes the nosuid option"
- ansible.posix.mount:
- path: /var/log/audit
- src: "{{ item.device }}"
- state: present
- fstype: "{{ item.fstype }}"
- opts: defaults,{% if ubtu22cis_rule_1_1_6_2 %}noexec,{% endif %}{% if ubtu22cis_rule_1_1_6_3 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_6_4 %}nosuid{% endif %}
- notify: Remount var_log_audit
- loop: "{{ ansible_facts.mounts }}"
- loop_control:
- label: "{{ item.device }}"
- when:
- - item.mount == "/var/log/audit"
- - ubtu22cis_rule_1_1_6_2 or
- ubtu22cis_rule_1_1_6_3 or
- ubtu22cis_rule_1_1_6_4
- tags:
- - level1-server
- - level1-workstation
- - automated
- - patch
- - rule_1.1.6.2
- - rule_1.1.6.3
- - rule_1.1.6.4
- - varlogaudit
diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml
deleted file mode 100644
index e644655a..00000000
--- a/tasks/section_1/cis_1.1.7.x.yml
+++ /dev/null
@@ -1,50 +0,0 @@
----
-
-- name: "1.1.7.1 | AUDIT | Ensure /home is a separate partition"
- block:
- - name: "1.1.7.1 | AUDIT | Ensure /home is a separate partition | Absent"
- ansible.builtin.debug:
- msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
-
- - name: "1.1.7.1 | WARN | Ensure /home is a separate partition | warn_count"
- ansible.builtin.import_tasks:
- file: warning_facts.yml
- vars:
- warn_control_id: '1.1.7.1'
- required_mount: '/home'
- when:
- - required_mount not in mount_names
- - ubtu22cis_rule_1_1_7_1
- tags:
- - level2-server
- - level2-workstation
- - automated
- - audit
- - rule_1.1.7.1
- - home
-
-- name: |
- "1.1.7.2 | PATCH | Ensure /home partition includes the nodev option"
- "1.1.7.3 | PATCH | Ensure /home partition includes the nosuid option"
- ansible.posix.mount:
- path: /home
- src: "{{ item.device }}"
- state: present
- fstype: "{{ item.fstype }}"
- opts: defaults,{% if ubtu22cis_rule_1_1_7_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_7_3 %}nosuid,{% endif %}
- notify: Remount home
- loop: "{{ ansible_facts.mounts }}"
- loop_control:
- label: "{{ item.device }}"
- when:
- - item.mount == "/home"
- - ubtu22cis_rule_1_1_7_2 or
- ubtu22cis_rule_1_1_7_3
- tags:
- - level1-server
- - level1-workstation
- - automated
- - patch
- - rule_1.1.7.2
- - rule_1.1.7.3
- - home
diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml
deleted file mode 100644
index d2b6935c..00000000
--- a/tasks/section_1/cis_1.1.8.x.yml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-
-- name: |
- "1.1.8.1 | PATCH | Ensure nodev option set on /dev/shm partition"
- "1.1.8.2 | PATCH | Ensure nosuid option set on /dev/shm partition"
- "1.1.8.3 | PATCH | Ensure noexec option set on /dev/shm partition"
- ansible.posix.mount:
- path: /dev/shm
- src: /dev/shm
- fstype: tmpfs
- state: present
- opts: "defaults,{% if ubtu22cis_rule_1_1_8_1 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_8_2 %}nosuid,{% endif %}{% if ubtu22cis_rule_1_1_8_3 %}noexec{% endif %}"
- notify: Remount dev_shm
- when:
- - ubtu22cis_rule_1_1_8_1 or
- ubtu22cis_rule_1_1_8_2 or
- ubtu22cis_rule_1_1_8_3
- tags:
- - level1-server
- - level1-workstation
- - automated
- - patch
- - rule_1.1.8.1
- - rule_1.1.8.2
- - rule_1.1.8.3
- - dev_shm
diff --git a/tasks/section_1/cis_1.1.9.yml b/tasks/section_1/cis_1.1.9.yml
deleted file mode 100644
index 0327fefd..00000000
--- a/tasks/section_1/cis_1.1.9.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-
-- name: "1.1.9 | PATCH | Disable Automounting"
- ansible.builtin.service:
- name: autofs
- state: stopped
- enabled: false
- when:
- - ubtu22cis_rule_1_1_9
- - ubtu22cis_autofs_service_status.stdout == "loaded"
- - not ubtu22cis_allow_autofs
- tags:
- - level1-server
- - level2-workstation
- - automated
- - patch
- - rule_1.1.9
- - automounting
diff --git a/tasks/section_1/cis_1.2.1.x.yml b/tasks/section_1/cis_1.2.1.x.yml
new file mode 100644
index 00000000..d4d2f40a
--- /dev/null
+++ b/tasks/section_1/cis_1.2.1.x.yml
@@ -0,0 +1,63 @@
+---
+
+- name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured"
+ when: ubtu22cis_rule_1_2_1_1
+ tags:
+ - level1-server
+ - level1-workstation
+ - audit
+ - rule_1.2.1.1
+ - gpg
+ - keys
+ - NIST800-53R5_SI-2
+ vars:
+ warn_control_id: '1.2.1.1'
+ block:
+ - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Get apt gpg keys"
+ ansible.builtin.command: apt-key list
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: discovered_apt_gpgkeys
+
+ - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Message out apt gpg keys"
+ ansible.builtin.debug:
+ msg:
+ - "Warning!! Below are the apt gpg keys configured"
+ - "Please review to make sure they are configured"
+ - "in accordance with site policy"
+ - "{{ discovered_apt_gpgkeys.stdout_lines }}"
+
+ - name: "1.2.1.1 | WARN | Ensure GPG keys are configured | warn_count"
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
+
+- name: "1.2.1.2 | AUDIT | Ensure package manager repositories are configured"
+ when: ubtu22cis_rule_1_2_1_2
+ tags:
+ - level1-server
+ - level1-workstation
+ - audit
+ - rule_1.2.1.2
+ - apt
+ - NIST800-53R5_SI-2
+ vars:
+ warn_control_id: '1.2.1.2'
+ block:
+ - name: "1.2.1.2 | AUDIT | Ensure package manager repositories are configured | Get repositories"
+ ansible.builtin.command: apt-cache policy
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: discovered_apt_policy
+
+ - name: "1.2.1.2 | AUDIT | Ensure package manager repositories are configured | Message out repository configs"
+ ansible.builtin.debug:
+ msg:
+ - "Warning!! Below are the apt package repositories"
+ - "Please review to make sure they conform to your sites policies"
+ - "{{ discovered_apt_policy.stdout_lines }}"
+
+ - name: "1.2.1.2 | WARN | Ensure package manager repositories are configured | warn_count"
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
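Review bot: The 1.2.1.1 audit relies on `apt-key list`, which on Ubuntu 22.04 is deprecated and only reports keyrings in apt's legacy trusted store; keys referenced per-repository through `Signed-By` in the sources files are not listed, so the list shown to the operator can omit exactly the keys that authorise repositories. If that is acceptable for now, the task deserves a comment such as `# apt-key is deprecated on 22.04 and does not list Signed-By keyrings; review those separately` so the output is not read as complete. Also, `failed_when: false` combined with `check_mode: false` means a missing or failing `apt-key` yields an empty key list inside the warning rather than a visible error; at minimum the debug message could include `discovered_apt_gpgkeys.rc` so the operator can tell "no keys" from "command failed".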
diff --git a/tasks/section_1/cis_1.2.2.x.yml b/tasks/section_1/cis_1.2.2.x.yml
new file mode 100644
index 00000000..3572c8ee
--- /dev/null
+++ b/tasks/section_1/cis_1.2.2.x.yml
@@ -0,0 +1,14 @@
+---
+
+- name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installed"
+ when: ubtu22cis_rule_1_2_2_1
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_1.2.2.1
+ - patch
+ - NIST800-53R5_SI-2
+ ansible.builtin.package:
+ name: "*"
+ state: latest
diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml
deleted file mode 100644
index 578aa5f5..00000000
--- a/tasks/section_1/cis_1.2.x.yml
+++ /dev/null
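Review bot: The `patch` tag is listed twice in the tags of task 1.2.2.1; the second entry should be dropped. More importantly, `name: "*"` with `state: latest` upgrades every installed package on every run of the role, which is not idempotent and can pull kernel and service updates (and a pending reboot) into what the operator intended as a hardening run; consider gating it behind an explicit opt-in in addition to the rule switch, e.g. `when: ubtu22cis_rule_1_2_2_1 and <opt_in_variable>` (placeholder, name to be chosen to match the role's variable scheme), and stating that behaviour in the task name or a comment. `ansible.builtin.package` is also given no `update_cache`, so unless the apt index is refreshed elsewhere in the role the upgrade may be decided against a stale cache.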
@@ -1,65 +0,0 @@ ---- - -- name: "1.2.1 | AUDIT | Ensure package manager repositories are configured" - block: - - name: "1.2.1 | AUDIT | Ensure package manager repositories are configured | Get repositories" - ansible.builtin.shell: apt-cache policy - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_1_2_1_apt_policy - - - name: "1.2.1 | AUDIT | Ensure package manager repositories are configured | Message out repository configs" - ansible.builtin.debug: - msg: - - "Warning!! Below are the apt package repositories" - - "Please review to make sure they conform to your sites policies" - - "{{ ubtu22cis_1_2_1_apt_policy.stdout_lines }}" - - - name: "1.2.1 | WARN | Ensure package manager repositories are configured | warn_count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '1.2.1' - when: - - ubtu22cis_rule_1_2_1 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_1.2.1 - - apt - -- name: "1.2.2 | AUDIT | Ensure GPG keys are configured" - block: - - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Get apt gpg keys" - ansible.builtin.shell: apt-key list - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_1_2_2_apt_gpgkeys - - - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Message out apt gpg keys" - ansible.builtin.debug: - msg: - - "Warning!! Below are the apt gpg keys configured" - - "Please review to make sure they are configured" - - "in accordance with site policy" - - "{{ ubtu22cis_1_2_2_apt_gpgkeys.stdout_lines }}" - - - name: "1.2.2 | WARN | Ensure GPG keys are configured | warn_count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '1.2.2' - when: - - ubtu22cis_rule_1_2_2 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_1.2.2 - - gpg - - keys 
diff --git a/tasks/section_1/cis_1.3.1.x.yml b/tasks/section_1/cis_1.3.1.x.yml new file mode 100644
index 00000000..d7257667
--- /dev/null
+++ b/tasks/section_1/cis_1.3.1.x.yml
@@ -0,0 +1,170 @@
+---
+
+- name: "1.3.1.1 | PATCH | Ensure AppArmor is installed"
+ when:
+ - ubtu22cis_rule_1_3_1_1
+ - "'apparmor' not in ansible_facts.packages or
+ 'apparmor-utils' not in ansible_facts.packages"
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_1.3.1.1
+ - apparmor
+ - NIST800-53R5_SI-2
+ ansible.builtin.package:
+ name: ['apparmor', 'apparmor-utils']
+ state: present
+
+- name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration"
+ when: ubtu22cis_rule_1_3_1_2
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_1.3.1.2
+ - apparmor
+ - NIST800-53R5_AC-3
+ block:
+ - name: "1.3.1.2 | AUDIT | Ensure AppArmor is enabled in the bootloader configuration | Get current settings"
+ ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"'
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: discovered_cmdline_settings
+
+ - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist"
+ when: discovered_cmdline_settings.stdout is not search('apparmor=')
+ ansible.builtin.lineinfile:
+ path: /etc/default/grub
+ regexp: ^(GRUB_CMDLINE_LINUX=")(|apparmor=\d\s)(.*\w+")
+ line: \1apparmor=1 \3
+ backrefs: true
+ notify: Grub update
+
+ - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set security settings if none exist"
+ when: discovered_cmdline_settings.stdout is not search('security=')
+ ansible.builtin.lineinfile:
+ path: /etc/default/grub
+ regexp: ^(GRUB_CMDLINE_LINUX=")(|security=\w+\s)(.*\w+")
+ line: \1security=apparmor \3
+ backrefs: true
+ notify: Grub update
+
+ - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist"
+ when:
+ - "'apparmor' not in discovered_cmdline_settings.stdout"
+ - "'security' not in discovered_cmdline_settings.stdout"
+ ansible.builtin.lineinfile:
+ path: /etc/default/grub
+ regexp: '^GRUB_CMDLINE_LINUX='
+ line: 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ discovered_cmdline_settings.stdout }}"'
+ insertafter: '^GRUB_'
+ notify: Grub update
+
+ - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Replace apparmor settings when exists"
+ when:
+ - "'apparmor' in discovered_cmdline_settings.stdout or
+ 'security' in discovered_cmdline_settings.stdout"
+ ansible.builtin.replace:
+ path: /etc/default/grub
+ regexp: "{{ item.regexp }}"
+ replace: "{{ item.replace }}"
+ with_items:
+ - { regexp: 'apparmor=\w+', replace: 'apparmor=1' }
+ - { regexp: 'security=\w+', replace: 'security=apparmor' }
+ notify: Grub update
+
+# Controls 1.3.1.4 and 1.3.1.3 target the same setting and thus should not be run together.
+# Because control 1.3.1.4 is stricter than 1.3.1.3, we need to change the order --
+# control 1.3.1.4 then registers the fact that is has run and thus keeps 1.3.1.3 from running.
+
+- name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing"
+ when:
+ - ubtu22cis_rule_1_3_1_4
+ - not ubtu22cis_apparmor_disable
+ tags:
+ - level2-server
+ - level2-workstation
+ - scored
+ - patch
+ - rule_1.3.1.4
+ - apparmor
+ - NIST800-53R5_AC-3
+ block:
+ - name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Make sure that 1.3.1.3 is not run"
+ ansible.builtin.set_fact:
+ control_1_3_1_4_was_run: true
+ ubtu22cis_apparmor_enforce_only: true
+ changed_when: false
+
+ - name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Get pre apply enforce count"
+ ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9
+ changed_when: false
+ failed_when: false
+ register: discovered_apparmor_pre_count
+
+ - name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Apply enforcing to /etc/apparmor.d profiles"
+ ansible.builtin.shell: aa-enforce /etc/apparmor.d/*
+ changed_when: false
+ failed_when: false
+
+ - name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Get post apply enforce count"
+ ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9
+ changed_when: false
+ failed_when: false
+ register: discovered_apparmor_post_count
+
+ - name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | This flags for idempotency"
+ when: discovered_apparmor_pre_count.stdout != discovered_apparmor_post_count.stdout
+ ansible.builtin.debug:
+ msg: Changed! The profiles in /etc/apparmor.d were set to enforcing
+ changed_when: true
+
+- name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode"
+ when:
+ - ubtu22cis_rule_1_3_1_3
+ - not ubtu22cis_apparmor_disable
+ - not control_1_3_1_4_was_run
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_1.3.1.3
+ - apparmor
+ - NIST800-53R5_AC-3
+ block:
+ - name: "1.3.1.3 | AUDIT | Ensure all AppArmor Profiles are in enforce or complain | Set ubtu22cis_apparmor_enforce_only true for GOSS"
+ when: ubtu22cis_apparmor_mode == "enforce"
+ ansible.builtin.set_fact:
+ ubtu22cis_apparmor_enforce_only: true
+ changed_when: false
+
+ - name: "1.3.1.3 | AUDIT | Ensure all AppArmor Profiles are in enforce or complain | Set ubtu22cis_apparmor_enforce_only false for GOSS"
+ when: ubtu22cis_apparmor_mode == "complain"
+ ansible.builtin.set_fact:
+ ubtu22cis_apparmor_enforce_only: false
+ changed_when: false
+
+ - name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Get pre apply enforce count"
+ ansible.builtin.shell: apparmor_status | grep "profiles are in {{ ubtu22cis_apparmor_mode }} mode" | tr -d -c 0-9
+ changed_when: false
+ failed_when: false
+ register: discovered_apparmor_pre_count
+
+ - name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Apply complaining/enforcing to /etc/apparmor.d profiles"
+ ansible.builtin.shell: aa-{{ ubtu22cis_apparmor_mode }} /etc/apparmor.d/*
+ changed_when: false
+ failed_when: false
+
+ - name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Get post apply enforce count"
+ ansible.builtin.shell: apparmor_status | grep "profiles are in {{ ubtu22cis_apparmor_mode }} mode" | tr -d -c 0-9
+ changed_when: false
+ failed_when: false
+ register: discovered_apparmor_post_count
+
+ - name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | This flags for idempotency"
+ when: discovered_apparmor_pre_count.stdout != discovered_apparmor_post_count.stdout
+ ansible.builtin.debug:
+ msg: Changed! The profiles in /etc/apparmor.d were set to {{ ubtu22cis_apparmor_mode }} mode
+ changed_when: true
diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml deleted file mode 100644
index 7b1d2750..00000000
--- a/tasks/section_1/cis_1.3.x.yml
+++ /dev/null
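Review bot: The `when` of 1.3.1.3 tests `not control_1_3_1_4_was_run`, but that fact is only created by the `set_fact` inside 1.3.1.4, so on a run where 1.3.1.4 is skipped (`ubtu22cis_rule_1_3_1_4` false or `ubtu22cis_apparmor_disable` true) the conditional is evaluated against an undefined variable and the play errors, unless the name is defaulted somewhere not visible here; `- not (control_1_3_1_4_was_run | default(false))` makes the intent explicit either way. Separately, both `aa-enforce /etc/apparmor.d/*` in 1.3.1.4 and `aa-{{ ubtu22cis_apparmor_mode }} /etc/apparmor.d/*` in 1.3.1.3 set `failed_when: false` without registering the result, so a profile that fails to parse or load is silently left in its previous mode and the only signal is the before/after count comparison, which cannot say which profile was skipped. The glob also matches the `abstractions`, `tunables`, `local` and `disable` subdirectories, which is presumably why failures are ignored; registering the result and including its `stderr` in the idempotency debug message, or restricting the glob to regular files, would keep real failures visible. The comment block above 1.3.1.4 reads `is has run`; `it has run` was probably intended.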
@@ -1,61 +0,0 @@ ---- - -- name: "1.3.1 | PATCH | Ensure AIDE is installed" - block: - - name: "1.3.1 | PATCH | Ensure AIDE is installed" - ansible.builtin.package: - name: ['aide', 'aide-common'] - state: present - update_cache: true - register: ubtu22cis_rule_1_3_1_aide_added - when: - - "'aide' not in ansible_facts.packages or - 'aide-common' not in ansible_facts.packages" - - - name: "1.3.1 | PATCH | Ensure AIDE is installed | Recapture packages" - ansible.builtin.package_facts: - manager: auto - when: ubtu22cis_rule_1_3_1_aide_added.skipped is not defined - - - name: "1.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE" - ansible.builtin.shell: aideinit && mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db - args: - creates: /var/lib/aide/aide.db - changed_when: false - failed_when: false - async: "{{ ubtu22cis_aide_init.async }}" - poll: "{{ ubtu22cis_aide_init.poll }}" - when: not ansible_check_mode - when: - - ubtu22cis_rule_1_3_1 - - ubtu22cis_config_aide - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.3.1 - - aide - -- name: "1.3.2 | PATCH | Ensure filesystem integrity is regularly checked" - ansible.builtin.cron: - name: Run AIDE integrity check - cron_file: "{{ ubtu22cis_aide_cron['cron_file'] }}" - user: "{{ ubtu22cis_aide_cron['cron_user'] }}" - minute: "{{ ubtu22cis_aide_cron['aide_minute'] | default('0') }}" - hour: "{{ ubtu22cis_aide_cron['aide_hour'] | default('5') }}" - day: "{{ ubtu22cis_aide_cron['aide_day'] | default('*') }}" - month: "{{ ubtu22cis_aide_cron['aide_month'] | default('*') }}" - weekday: "{{ ubtu22cis_aide_cron['aide_weekday'] | default('*') }}" - job: "{{ ubtu22cis_aide_cron['aide_job'] }}" - when: - - ubtu22cis_config_aide - - ubtu22cis_rule_1_3_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.3.2 - - cron - - aide diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index bf764ef0..e5a451f1 100644 
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@@ -1,73 +1,55 @@ --- - name: "1.4.1 | PATCH | Ensure bootloader password is set" - block: - - name: "1.4.1 | PATCH | Ensure bootloader password is set" - ansible.builtin.template: - src: etc/grub.d/00_user.j2 - dest: "{{ ubtu22cis_grub_user_file }}" - owner: root - group: root - mode: '0755' - notify: Grub update - - - name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot" - ansible.builtin.lineinfile: - path: "/etc/grub.d/10_linux" - regexp: '(^CLASS="--class gnu-linux --class gnu --class os).*"$' - line: '\g<1> --unrestricted"' - backrefs: true - notify: Grub update - when: not ubtu22cis_ask_passwd_to_boot when: - - ubtu22cis_set_boot_pass - - ubtu22cis_rule_1_4_1 + - ubtu22cis_set_boot_pass + - ubtu22cis_rule_1_4_1 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.4.1 - - grub - -- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" + - level1-server + - level1-workstation + - patch + - rule_1.4.1 + - grub + - NIST800-53R5_AC-3 block: - - name: "1.4.2 | AUDIT | Ensure permissions on bootloader config are configured | Check for Grub file" - ansible.builtin.stat: - path: "{{ ubtu22cis_grub_file }}" - check_mode: false - register: ubtu22cis_1_4_2_grub_cfg_status + - name: "1.4.1 | PATCH | Ensure bootloader password is set" + ansible.builtin.template: + src: etc/grub.d/00_user.j2 + dest: "{{ ubtu22cis_grub_user_file }}" + owner: root + group: root + mode: 'go-w' + notify: Grub update - - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | Set permissions" - ansible.builtin.file: - path: "{{ ubtu22cis_grub_file }}" - owner: root - group: root - mode: '0400' - when: - - ubtu22cis_1_4_2_grub_cfg_status.stat.exists - when: - - ubtu22cis_rule_1_4_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.4.2 - - grub + - name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot" + when: not 
ubtu22cis_ask_passwd_to_boot + ansible.builtin.lineinfile: + path: "/etc/grub.d/10_linux" + regexp: '(^CLASS="--class gnu-linux --class gnu --class os).*"$' + line: '\g<1> --unrestricted"' + backrefs: true + notify: Grub update -- name: "1.4.3 | PATCH | Ensure authentication required for single user mode" - ansible.builtin.user: - name: "{{ ubtu22cis_grub_user }}" - password: "{{ ubtu22cis_grub_user_passwd }}" - when: - - ubtu22cis_rule_1_4_3 - - ubtu22cis_set_grub_user_pass +- name: "1.4.2 | PATCH | Ensure access to bootloader config is configured" + when: ubtu22cis_rule_1_4_2 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.4.3 - - passwd - - grub + - level1-server + - level1-workstation + - patch + - rule_1.4.2 + - grub + - NIST800-53R5_AC-3 + block: + - name: "1.4.2 | AUDIT | Ensure access to bootloader config is configured | Check for Grub file" + ansible.builtin.stat: + path: "{{ ubtu22cis_grub_file }}" + check_mode: false + register: discovered_grub_cfg_status + + - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | Set permissions" + when: discovered_grub_cfg_status.stat.exists + ansible.builtin.file: + path: "{{ ubtu22cis_grub_file }}" + owner: root + group: root + mode: 'go-rwx' diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 40b43edd..1e53aacd 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml 
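Review bot: Changing the mode of the `etc/grub.d/00_user.j2` target in 1.4.1 from `'0755'` to `'go-w'` drops the execute bit: on a host where `{{ ubtu22cis_grub_user_file }}` does not yet exist, the template module creates it with the umask default (normally 0644) and `go-w` then leaves it non-executable, and grub-mkconfig only executes scripts in `/etc/grub.d` that pass `test -x`, so the superuser/password stanza is never emitted into grub.cfg and the control silently does nothing even though the task reports changed. Use an absolute mode, `mode: '0755'`, or at least `mode: 'u+x,go-w'` so the file is executable regardless of how it was created. The `mode: 'go-rwx'` on `{{ ubtu22cis_grub_file }}` in 1.4.2 is fine, but a comment such as `# leaves the owner bits as found; CIS requires 0600 or stricter` would make clear that it intentionally no longer forces the previous `'0400'`.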
@@ -1,127 +1,142 @@ --- -- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter" +- name: "1.5.1 | PATCH | Ensure address space layout randomization is enabled | Set active kernel parameter" + when: ubtu22cis_rule_1_5_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.5.1 + - aslr + - NIST800-53R5_CM-6 ansible.posix.sysctl: - name: kernel.randomize_va_space - value: '2' - state: present - sysctl_file: "{{ ubtu22cis_sysctl_kernel_conf }}" - reload: true - sysctl_set: true - ignoreerrors: true - when: - - ubtu22cis_rule_1_5_1 + name: kernel.randomize_va_space + value: '2' + state: present + sysctl_file: "{{ ubtu22cis_sysctl_kernel_conf }}" + reload: true + sysctl_set: true + ignoreerrors: true + +- name: "1.5.2 | PATCH | Ensure ptrace_scope is restricted" + when: ubtu22cis_rule_1_5_2 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.5.1 - - aslr + - level1-server + - level1-workstation + - patch + - rule_1.5.2 + - ptrace + - NIST800-53R5_CM-6 + ansible.posix.sysctl: + name: kernel.yama.ptrace_scope + value: '1' + state: present + sysctl_file: "{{ ubtu22cis_sysctl_kernel_conf }}" + reload: true + sysctl_set: true + ignoreerrors: true -- name: "1.5.2 | PATCH | Ensure prelink is not installed" +- name: "1.5.3 | PATCH | Ensure core dumps are restricted" + when: ubtu22cis_rule_1_5_3 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.5.3 + - coredump + - NIST800-53R5_CM-6 block: - - name: "1.5.2 | PATCH | Ensure prelink is not installed | Restore binaries to normal" - ansible.builtin.shell: prelink -ua - changed_when: false - failed_when: false + - name: "1.5.3 | PATCH | Ensure core dumps are restricted | kernel sysctl" + ansible.posix.sysctl: + name: fs.suid_dumpable + value: '0' + state: present + sysctl_file: "{{ ubtu22cis_sysctl_kernel_conf }}" + reload: true + sysctl_set: true + ignoreerrors: true - - name: "1.5.2 | PATCH | Ensure prelink 
is not installed| Remove prelink package" - ansible.builtin.package: - name: prelink - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_1_5_2 - - "'prelink' in ansible_facts.packages" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.5.2 - - prelink + - name: "1.5.3 | PATCH | Ensure core dumps are restricted | security limits" + ansible.builtin.lineinfile: + path: /etc/security/limits.d/99_zero_core.conf + regexp: '^\* hard core' + line: '* hard core 0' + create: true + owner: root + group: root + mode: 'go-wx' -- name: "1.5.3 | PATCH | Ensure Automatic Error Reporting is not enabled" - block: - - name: "1.5.3 | PATCH | Ensure Automatic Error Reporting is not enabled | disable" - ansible.builtin.lineinfile: - path: /etc/default/apport - regexp: ^enabled - line: enabled=0 - create: true - owner: root - group: root - mode: '0644' + - name: "1.5.3 | PATCH | Ensure core dumps are restricted | sysctl.conf" + ansible.builtin.lineinfile: + path: /etc/sysctl.conf + regexp: '^fs.suid_dumpable' + line: fs.suid_dumpable=0 + owner: root + group: root + mode: 'go-wx' + notify: Reload systemctl + + - name: "1.5.3 | PATCH | Ensure core dumps are restricted | coredump.conf" + ansible.builtin.lineinfile: + path: /etc/systemd/coredump.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + create: true + owner: root + group: root + mode: 'go-wx' + loop: + - { regexp: '^Storage', line: 'Storage=none' } + - { regexp: '^ProcessSizeMax', line: 'ProcessSizeMax=0' } - - name: "1.5.3 | PATCH | Ensure Automatic Error Reporting is not enabled | remove package" - ansible.builtin.package: - name: apport - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - "'apport' in ansible_facts.packages" +- name: "1.5.4 | PATCH | Ensure prelink is not installed" when: - - ubtu22cis_rule_1_5_3 + - ubtu22cis_rule_1_5_4 + - "'prelink' in ansible_facts.packages" tags: - - level1-server - - level1-workstation - - automated - - 
patch - - rule_1.5.3 - - apport - -- name: "1.5.4 | PATCH | Ensure core dumps are restricted" + - level1-server + - level1-workstation + - patch + - rule_1.5.4 + - prelink + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-3 + - NIST800-53R5_CM-6 block: - - name: "1.5.4 | PATCH | Ensure core dumps are restricted | kernel sysctl" - ansible.posix.sysctl: - name: fs.suid_dumpable - value: '0' - state: present - sysctl_file: "{{ ubtu22cis_sysctl_kernel_conf }}" - reload: true - sysctl_set: true - ignoreerrors: true - - - name: "1.5.4 | PATCH | Ensure core dumps are restricted | security limits" - ansible.builtin.lineinfile: - path: /etc/security/limits.d/99_zero_core.conf - regexp: '^\* hard core' - line: '* hard core 0' - create: true - owner: root - group: root - mode: '0644' + - name: "1.5.4 | PATCH | Ensure prelink is not installed | Restore binaries to normal" + ansible.builtin.command: prelink -ua + changed_when: false + failed_when: false - - name: "1.5.4 | PATCH | Ensure core dumps are restricted | sysctl.conf" - ansible.builtin.lineinfile: - path: /etc/sysctl.conf - regexp: '^fs.suid_dumpable' - line: fs.suid_dumpable=0 - owner: root - group: root - mode: '0644' - notify: Reload systemctl + - name: "1.5.4 | PATCH | Ensure prelink is not installed| Remove prelink package" + ansible.builtin.package: + name: prelink + state: absent + purge: "{{ ubtu22cis_purge_apt }}" - - name: "1.5.4 | PATCH | Ensure core dumps are restricted | coredump.conf" - ansible.builtin.lineinfile: - path: /etc/systemd/coredump.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - create: true - owner: root - group: root - mode: '0644' - loop: - - { regexp: '^Storage', line: 'Storage=none' } - - { regexp: '^ProcessSizeMax', line: 'ProcessSizeMax=0' } - when: "'systemd-coredump' in ansible_facts.packages" - when: - - ubtu22cis_rule_1_5_4 +- name: "1.5.5 | PATCH | Ensure Automatic Error Reporting is not enabled" + when: ubtu22cis_rule_1_5_5 tags: - - level1-server - - level1-workstation - - 
automated - - patch - - rule_1.5.4 - - coredump + - level1-server + - level1-workstation + - patch + - rule_1.5.5 + - apport + - NIST800-53R5_NA + block: + - name: "1.5.5 | PATCH | Ensure Automatic Error Reporting is not enabled | disable" + ansible.builtin.lineinfile: + path: /etc/default/apport + regexp: ^enabled + line: enabled=0 + create: true + owner: root + group: root + mode: 'go-wx' + + - name: "1.5.5 | PATCH | Ensure Automatic Error Reporting is not enabled | remove package" + when: "'apport' in ansible_facts.packages" + ansible.builtin.package: + name: apport + state: absent + purge: "{{ ubtu22cis_purge_apt }}" diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index 22cc7616..6b715e87 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml 
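Review bot: The `coredump.conf` task in 1.5.3 drops the old `'systemd-coredump' in ansible_facts.packages` guard and adds `create: true`, so when `/etc/systemd/coredump.conf` is absent it is created containing only `Storage=none` and `ProcessSizeMax=0` with no `[Coredump]` section header, which systemd ignores with an "Assignment outside of section" warning, and the setting is silently not applied; on a stock file the two keys are appended after the commented defaults and only work because `[Coredump]` happens to be the last section. Safer is to either restore the package guard or write the file from a template (or `community.general.ini_file` with `section: Coredump`, since this commit already depends on that collection in `cis_1.6.x.yml`) so the header is always present. The `notify: Reload systemctl` on the `/etc/sysctl.conf` edit also looks like a leftover: the live value is already applied by the `ansible.posix.sysctl` task above it with `reload: true`, and a daemon-reload does not re-read sysctl.conf, though the handler's body is not visible here.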
@@ -1,172 +1,132 @@ --- -- name: "1.6.1.1 | PATCH | Ensure AppArmor is installed" - ansible.builtin.package: - name: ['apparmor', 'apparmor-utils'] - state: present - when: - - ubtu22cis_rule_1_6_1_1 - - "'apparmor' not in ansible_facts.packages or - 'apparmor-utils' not in ansible_facts.packages" +- name: "1.6.1 | PATCH | Ensure message of the day is configured properly" + when: ubtu22cis_rule_1_6_1 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.6.1.1 - - apparmor - -- name: "1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration" + - level1-server + - level1-workstation + - patch + - rule_1.6.1 + - motd + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-3 + - NIST800-53R5_CM-6 block: - - name: "1.6.1.2 | AUDIT | Ensure AppArmor is enabled in the bootloader configuration | Get current settings" - ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_1_6_1_2_cmdline_settings - - - name: "1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist" - ansible.builtin.lineinfile: - path: /etc/default/grub - regexp: ^(GRUB_CMDLINE_LINUX=")(|apparmor=\d\s)(.*\w+") - line: \1apparmor=1 \3 - backrefs: true - notify: Grub update - when: ubtu22cis_1_6_1_2_cmdline_settings.stdout is not search('apparmor=') - - - name: "1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set security settings if none exist" - ansible.builtin.lineinfile: - path: /etc/default/grub - regexp: ^(GRUB_CMDLINE_LINUX=")(|security=\w+\s)(.*\w+") - line: \1security=apparmor \3 - backrefs: true - notify: Grub update - when: ubtu22cis_1_6_1_2_cmdline_settings.stdout is not search('security=') - - - name: "1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist" - ansible.builtin.lineinfile: - path: 
/etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ ubtu22cis_1_6_1_2_cmdline_settings.stdout }}"' - insertafter: '^GRUB_' - when: - - "'apparmor' not in ubtu22cis_1_6_1_2_cmdline_settings.stdout" - - "'security' not in ubtu22cis_1_6_1_2_cmdline_settings.stdout" - notify: Grub update - - - name: "1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Replace apparmor settings when exists" - ansible.builtin.replace: - path: /etc/default/grub - regexp: "{{ item.regexp }}" - replace: "{{ item.replace }}" - with_items: - - { regexp: 'apparmor=\w+', replace: 'apparmor=1' } - - { regexp: 'security=\w+', replace: 'security=apparmor' } - when: - - "'apparmor' in ubtu22cis_1_6_1_2_cmdline_settings.stdout or - 'security' in ubtu22cis_1_6_1_2_cmdline_settings.stdout" - notify: Grub update - when: - - ubtu22cis_rule_1_6_1_2 + - name: "1.6.1 | PATCH | Ensure message of the day is configured properly | motd" + ansible.builtin.template: + src: etc/motd.j2 + dest: /etc/motd + owner: root + group: root + mode: 'u-x,go-wx' + + - name: "1.6.1 | PATCH | Ensure message of the day is configured properly | disable dynamic_motd" + when: ubtu22cis_disable_dynamic_motd + ansible.builtin.lineinfile: + path: /etc/pam.d/sshd + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + backrefs: true + loop: + - { regexp: '(session\s+optional\s+pam_motd.so\s+motd=/run/motd.dynamic)', line: '# \1' } + - { regexp: '(session\s+optional\s+pam_motd.so noupdate)', line: '# \1' } + - { regexp: '# Pam_motd.so disabled for CIS benchmark', line: '# Pam_motd.so disabled for CIS benchmark' } + +- name: "1.6.2 | PATCH | Ensure local login warning banner is configured properly" + when: ubtu22cis_rule_1_6_2 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.6.1.2 - - apparmor - -# Controls 1.6.1.4 and 1.6.1.3 target the same setting and thus should not be run together. 
-# Because control 1.6.1.4 is stricter than 1.6.1.3, we need to change the order -- -# control 1.6.1.4 then registers the fact that is has run and thus keeps 1.6.1.3 from running. - -- name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing" + - level1-server + - level1-workstation + - patch + - rule_1.6.2 + - banner + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-3 + - NIST800-53R5_CM-6 block: - - name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Make sure that 1.6.1.3 is not run" - ansible.builtin.set_fact: - control_1_6_1_4_was_run: true - ubtu22cis_apparmor_enforce_only: true - changed_when: false - - - name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Get pre apply enforce count" - ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9 - changed_when: false - failed_when: false - register: ubtu22cis_1_6_1_4_pre_count - - - name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Apply enforcing to /etc/apparmor.d profiles" - ansible.builtin.shell: aa-enforce /etc/apparmor.d/* - changed_when: false - failed_when: false - - - name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Get post apply enforce count" - ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9 - changed_when: false - failed_when: false - register: ubtu22cis_1_6_1_4_post_count - - - name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | This flags for idempotency" - ansible.builtin.debug: - msg: Changed! 
The profiles in /etc/apparmor.d were set to enforcing - changed_when: true - when: ubtu22cis_1_6_1_4_pre_count.stdout != ubtu22cis_1_6_1_4_post_count.stdout - when: - - ubtu22cis_rule_1_6_1_4 - - not ubtu22cis_apparmor_disable + - name: "1.6.2 | PATCH | Ensure local login warning banner is configured properly | issue" + ansible.builtin.template: + src: etc/issue.j2 + dest: /etc/issue + owner: root + group: root + mode: 'u-x,go-wx' + + - name: "1.6.2 | PATCH | Ensure local login warning banner is kept on package upgrade | issue" + community.general.dpkg_divert: + path: /etc/issue + +- name: "1.6.3 | PATCH | Ensure remote login warning banner is configured properly" + when: ubtu22cis_rule_1_6_3 tags: - - level2-server - - level2-workstation - - automated - - scored - - patch - - rule_1.6.1.4 - - apparmor - -- name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode" + - level1-server + - level1-workstation + - patch + - rule_1.6.3 + - banner + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-3 + - NIST800-53R5_CM-6 block: - - name: "1.6.1.3 | AUDIT | Ensure all AppArmor Profiles are in enforce or complain | Set ubtu22cis_apparmor_enforce_only true for GOSS" - ansible.builtin.set_fact: - ubtu22cis_apparmor_enforce_only: true - changed_when: false - when: - - ubtu22cis_apparmor_mode == "enforce" - - - name: "1.6.1.3 | AUDIT | Ensure all AppArmor Profiles are in enforce or complain | Set ubtu22cis_apparmor_enforce_only false for GOSS" - ansible.builtin.set_fact: - ubtu22cis_apparmor_enforce_only: false - changed_when: false - when: - - ubtu22cis_apparmor_mode == "complain" - - name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Get pre apply enforce count" - ansible.builtin.shell: apparmor_status | grep "profiles are in {{ubtu22cis_apparmor_mode}} mode" | tr -d -c 0-9 - changed_when: false - failed_when: false - register: ubtu22cis_1_6_1_3_pre_count - - - name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in 
enforce or complain mode | Apply complaining/enforcing to /etc/apparmor.d profiles" - ansible.builtin.shell: aa-{{ubtu22cis_apparmor_mode}} /etc/apparmor.d/* - changed_when: false - failed_when: false - - - name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Get post apply enforce count" - ansible.builtin.shell: apparmor_status | grep "profiles are in {{ubtu22cis_apparmor_mode}} mode" | tr -d -c 0-9 - changed_when: false - failed_when: false - register: ubtu22cis_1_6_1_3_post_count - - - name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | This flags for idempotency" - ansible.builtin.debug: - msg: Changed! The profiles in /etc/apparmor.d were set to {{ubtu22cis_apparmor_mode}} mode - changed_when: true - when: ubtu22cis_1_6_1_3_pre_count.stdout != ubtu22cis_1_6_1_3_post_count.stdout - when: - - ubtu22cis_rule_1_6_1_3 - - not ubtu22cis_apparmor_disable - - not control_1_6_1_4_was_run + - name: "1.6.3 | PATCH | Ensure remote login warning banner is configured properly | issue.net" + ansible.builtin.template: + src: etc/issue.net.j2 + dest: /etc/issue.net + owner: root + group: root + mode: 'u-x,go-wx' + + - name: "1.6.3 | PATCH | Ensure remote login warning banner is kept on package upgrade | issue.net" + community.general.dpkg_divert: + path: /etc/issue.net + +- name: "1.6.4 | PATCH | Ensure access to /etc/motd is configured" + when: ubtu22cis_rule_1_6_4 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.6.4 + - permissions + - motd + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.file: + path: /etc/motd + owner: root + group: root + mode: 'u-x,go-wx' + +- name: "1.6.5 | PATCH | Ensure access to /etc/issue is configured" + when: ubtu22cis_rule_1_6_5 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.6.5 + - permissions + - banner + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.file: + path: /etc/issue + owner: root + group: root + 
mode: 'u-x,go-wx' + +- name: "1.6.6 | PATCH | Ensure access to /etc/issue.net is configured" + when: ubtu22cis_rule_1_6_6 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.6.1.3 - - apparmor + - level1-server + - level1-workstation + - patch + - rule_1.6.6 + - permissions + - banner + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.file: + path: /etc/issue.net + owner: root + group: root + mode: 'u-x,go-wx' diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index 298563bc..441c7ea0 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml 
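Review bot: 1.6.4 runs `ansible.builtin.file` on `/etc/motd` with no `state`, which defaults to `state: file` and fails when the path does not exist; Ubuntu 22.04 typically does not ship a static `/etc/motd` (the login message is assembled from `/etc/update-motd.d`), and the file is only created here when `ubtu22cis_rule_1_6_1` is enabled, so running 1.6.4 with 1.6.1 disabled, or after an operator has removed `/etc/motd` as the benchmark permits, errors the play. Guard it with an existence check, e.g. an `ansible.builtin.stat` task on `/etc/motd` registered as `discovered_motd` and `when: ubtu22cis_rule_1_6_4 and discovered_motd.stat.exists`, or document in a comment that 1.6.4 requires 1.6.1. The same applies in principle to 1.6.5 and 1.6.6, although `/etc/issue` and `/etc/issue.net` are shipped by base-files. The new `community.general.dpkg_divert` tasks in 1.6.2 and 1.6.3 add a collection dependency that should be declared in the role's requirements file, which is not part of this diff.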
@@ -1,120 +1,343 @@ --- +- name: "1.7.1 | PATCH | Ensure GDM is removed" + when: + - ubtu22cis_rule_1_7_1 + - not ubtu22cis_desktop_required + - ubtu22cis_disruption_high + - "'gdm3' in ansible_facts.packages" + tags: + - level2-server + - patch + - rule_1.7.1 + - gnome + - NIST800-53R5_CM-11 + ansible.builtin.package: + name: gdm3 + state: absent -- name: "1.7.1 | PATCH | Ensure message of the day is configured properly" +- name: "1.7.2 | PATCH | Ensure GDM login banner is configured" + when: + - ubtu22cis_rule_1_7_2 + - ubtu22cis_desktop_required + tags: + - level1-server + - level1-workstation + - patch + - rule_1.7.2 + - gnome + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 block: - - name: "1.7.1 | PATCH | Ensure message of the day is configured properly | motd" - ansible.builtin.template: - src: etc/motd.j2 - dest: /etc/motd - - - name: "1.7.1 | PATCH | Ensure message of the day is configured properly | disable dynamic_motd" - ansible.builtin.lineinfile: - path: /etc/pam.d/sshd - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - backrefs: true - loop: - - { regexp: '(session\s+optional\s+pam_motd.so\s+motd=/run/motd.dynamic)', line: '# \1' } - - { regexp: '(session\s+optional\s+pam_motd.so noupdate)', line: '# \1' } - - { regexp: '# Pam_motd.so disabled for CIS benchmark', line: '# Pam_motd.so disabled for CIS benchmark' } - when: ubtu22cis_disable_dynamic_motd + - name: "1.7.2 | PATCH | Ensure GDM login banner is configured | make directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d" + owner: root + group: root + mode: 'go-w' + state: directory + + - name: "1.7.2 | PATCH | Ensure GDM login banner is configured | banner settings" + ansible.builtin.lineinfile: # noqa: args[module] + path: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d/00-login-screen" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" 
+ create: true + owner: root + group: root + mode: 'u-x,go-wx' + loop: + - { regexp: "\\[org\\/gnome\\/login-screen\\]", line: "[org/gnome/login-screen]", insertafter: EOF } + - { regexp: "banner-message-enable", line: "banner-message-enable=true", insertafter: "\\[org\\/gnome\\/login-screen\\]" } + - { regexp: "banner-message-text", line: "banner-message-text='{{ ubtu22cis_warning_banner | regex_replace('\n', ' ') | trim }}'", insertafter: "banner-message-enable" } + notify: Update dconf + +- name: "1.7.3 | PATCH | Ensure GDM disable-user-list option is enabled" when: - - ubtu22cis_rule_1_7_1 + - ubtu22cis_rule_1_7_3 + - ubtu22cis_desktop_required tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.7.1 - - motd - -- name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly" + - level1-server + - level1-workstation + - patch + - rule_1.7.3 + - gnome + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 block: - - name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly | issue" - ansible.builtin.template: - src: etc/issue.j2 - dest: /etc/issue - - - name: "1.7.2 | PATCH | Ensure local login warning banner is kept on package upgrade | issue" - community.general.dpkg_divert: - path: /etc/issue + - name: "1.7.3 | PATCH | Ensure GDM disable-user-list option is enabled | make directories" + ansible.builtin.file: + path: "{{ item }}" + owner: root + group: root + mode: 'go-w' + state: directory + loop: + - /etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d + - /etc/dconf/profile + + - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled | disable-user-list setting login-screen" + ansible.builtin.lineinfile: + path: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d/00-login-screen" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + create: true + owner: root + group: root + mode: 
'u-x,go-wx' + loop: + - { regexp: "\\[org\\/gnome\\/login-screen\\]", line: "[org/gnome/login-screen]", insertafter: EOF } + - { regexp: "disable-user-list", line: "disable-user-list=true", insertafter: "\\[org\\/gnome\\/login-screen\\]" } + notify: Update dconf + + - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled | disable-user-list setting profile" + ansible.builtin.lineinfile: + path: "/etc/dconf/profile/{{ prelim_dconf_system_db.stdout }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + create: true + owner: root + group: root + mode: 'u-x,go-wx' + loop: + - { regexp: "^user-db:user", line: "user-db:user", insertafter: EOF } + - { regexp: "^system-db:{{ prelim_dconf_system_db.stdout }}", line: "system-db:{{ prelim_dconf_system_db.stdout }}", insertafter: "user-db:user" } + - regexp: "^file-db:/usr/share/gdm/greeter-dconf-defaults" + line: "file-db:/usr/share/gdm/greeter-dconf-defaults" + insertafter: "system-db:{{ prelim_dconf_system_db.stdout }}" + notify: Update dconf + +- name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle" when: - - ubtu22cis_rule_1_7_2 + - ubtu22cis_rule_1_7_4 + - ubtu22cis_desktop_required tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.7.2 - - banner - -- name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly" + - level1-server + - level1-workstation + - patch + - rule_1.7.4 + - gnome + - NIST800-53R5_NA block: - - name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly | issue.net" - ansible.builtin.template: - src: etc/issue.net.j2 - dest: /etc/issue.net - - - name: "1.7.3 | PATCH | Ensure remote login warning banner is kept on package upgrade | issue.net" - community.general.dpkg_divert: - path: /etc/issue.net + - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle | session profile" + ansible.builtin.lineinfile: + path: "/etc/dconf/profile/{{ 
prelim_dconf_system_db.stdout }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.after | default(omit) }}" + create: true + owner: root + group: root + mode: 'u-x,go-wx' + loop: + - { regexp: "user-db:user", line: "user-db:user" } + - { regexp: "system-db:{{ prelim_dconf_system_db.stdout }}", line: "system-db:{{ prelim_dconf_system_db.stdout }}", after: "^user-db.*" } + + - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle | make directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d" + owner: root + group: root + mode: 'go-w' + state: directory + notify: Update dconf + + - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle | session script" + ansible.builtin.template: + src: etc/dconf/db/00-screensaver.j2 + dest: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d/00-screensaver" + owner: root + group: root + mode: 'u-x,go-wx' + notify: Update dconf + +- name: "1.7.5 | PATCH | Ensure GDM screen locks cannot be overridden" when: - - ubtu22cis_rule_1_7_3 + - ubtu22cis_rule_1_7_5 + - ubtu22cis_desktop_required tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.7.3 - - banner - -- name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured" - ansible.builtin.file: - path: /etc/motd - owner: root - group: root - mode: '0644' + - level1-server + - level1-workstation + - patch + - rule_1.7.5 + - gnome + - NIST800-53R5_CM-11 + block: + - name: "1.7.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lock directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d/locks" + owner: root + group: root + mode: 'go-w' + state: directory + notify: Update dconf + + - name: "1.7.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lockfile" + ansible.builtin.template: + src: etc/dconf/db/00-screensaver_lock.j2 + dest: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout 
}}.d/locks/00-screensaver" + owner: root + group: root + mode: 'u-x,go-wx' + notify: Update dconf + +- name: "1.7.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled" when: - - ubtu22cis_rule_1_7_4 + - ubtu22cis_rule_1_7_6 + - ubtu22cis_desktop_required tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.7.4 - - permissions - - motd - -- name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured" - ansible.builtin.file: - path: /etc/issue - owner: root - group: root - mode: '0644' + - level1-server + - level2-workstation + - patch + - rule_1.7.6 + - gnome + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + block: + - name: "1.7.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled | make directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d" + owner: root + group: root + mode: 'go-w' + state: directory + notify: Update dconf + + - name: "1.7.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled | session script" + ansible.builtin.template: + src: etc/dconf/db/00-media-automount.j2 + dest: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d/00-media-automount" + owner: root + group: root + mode: 'u-x,go-wx' + notify: Update dconf + +- name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden" + when: + - ubtu22cis_rule_1_7_7 + - ubtu22cis_desktop_required + tags: + - level1-server + - level2-workstation + - patch + - rule_1.7.7 + - gnome + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + block: + - name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | make lock directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d/locks" + owner: root + group: root + mode: 'go-w' + state: 
directory + notify: Update dconf + + - name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | make lockfile" + ansible.builtin.template: + src: etc/dconf/db/00-automount_lock.j2 + dest: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d/locks/00-automount_lock" + owner: root + group: root + mode: 'u-x,go-wx' + notify: Update dconf + +- name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled" when: - - ubtu22cis_rule_1_7_5 + - ubtu22cis_rule_1_7_8 + - ubtu22cis_desktop_required tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.7.5 - - permissions - - banner - -- name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured" - ansible.builtin.file: - path: /etc/issue.net - owner: root - group: root - mode: '0644' + - level1-server + - level2-workstation + - patch + - rule_1.7.8 + - gnome + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + block: + - name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled | make directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d" + owner: root + group: root + mode: 'go-w' + state: directory + notify: Update dconf + + - name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled | session script" + ansible.builtin.template: + src: etc/dconf/db/00-media-autorun.j2 + dest: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d/00-media-autorun" + owner: root + group: root + mode: 'u-x,go-wx' + notify: Update dconf + +- name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden" + when: + - ubtu22cis_rule_1_7_9 + - ubtu22cis_desktop_required + tags: + - level1-server + - level2-workstation + - patch + - rule_1.7.9 + - gnome + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + block: + - name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden | make lock directory" + 
ansible.builtin.file: + path: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d/locks" + owner: root + group: root + mode: 'go-w' + state: directory + notify: Update dconf + + - name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden | make lockfile" + ansible.builtin.template: + src: etc/dconf/db/00-autorun_lock.j2 + dest: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d/locks/00-autorun_lock" + owner: root + group: root + mode: 'u-x,go-wx' + notify: Update dconf + +- name: "1.7.10 | PATCH | Ensure XDCMP is not enabled" when: - - ubtu22cis_rule_1_7_6 + - ubtu22cis_rule_1_7_10 + - ubtu22cis_desktop_required tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.7.6 - - permissions - - banner + - level1-server + - level1-workstation + - patch + - rule_1.7.10 + - gnome + - xdcmp + - NIST800-53R5_SI-4 + ansible.builtin.lineinfile: + path: /etc/gdm3/custom.conf + regexp: "^Enable.*=.*true" + state: absent diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml deleted file mode 100644 index 0681df50..00000000 --- a/tasks/section_1/cis_1.8.x.yml +++ /dev/null 
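Review bot: The 1.7.10 task at the end of the hunk is now gated on `ubtu22cis_desktop_required`, so a host that has gdm3 installed but sets `ubtu22cis_desktop_required: false` (and is not allowed the disruptive 1.7.1 removal) is never checked for an enabled XDMCP listener; the old 1.8.10 task ran whenever its rule was on, and the section-level `'gdm3' in ansible_facts.packages` guard that used to cover it is dropped from main.yml in this same commit. Because `lineinfile` with `state: absent` should be a no-op when /etc/gdm3/custom.conf does not exist, gating on the package rather than the desktop flag looks safer: keep `- ubtu22cis_rule_1_7_10` and replace the second condition with `- "'gdm3' in ansible_facts.packages"`. The task name and the `xdcmp` tag carry the old "XDCMP" spelling forward; the protocol (and the CIS title) is XDMCP, and fixing it while the rule is being renumbered avoids a second rename later. Separately, the banner lineinfile in 1.7.2 carries `# noqa: args[module]` while the otherwise identical lineinfile in 1.7.3 does not, which suggests one of the two lint annotations is stale.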
@@ -1,313 +0,0 @@ ---- - -- name: "1.8.1 | PATCH | Ensure GNOME Display Manager is removed" - ansible.builtin.package: - name: gdm3 - state: absent - when: - - ubtu22cis_rule_1_8_1 - - not ubtu22cis_desktop_required - - ubtu22cis_disruption_high - - "'gdm3' in ansible_facts.packages" - tags: - - level2-server - - manual - - patch - - rule_1.8.1 - - gnome - -- name: "1.8.2 | PATCH | Ensure GDM login banner is configured" - block: - - name: "1.8.2 | PATCH | Ensure GDM login banner is configured | make directory" - ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d" - owner: root - group: root - mode: '0755' - state: directory - - - name: "1.8.2 | PATCH | Ensure GDM login banner is configured | banner settings" - ansible.builtin.lineinfile: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/00-login-screen" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - create: true - owner: root - group: root - mode: '0644' - loop: - - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF } - - { regexp: 'banner-message-enable', line: 'banner-message-enable=true', insertafter: '\[org\/gnome\/login-screen\]'} - - { regexp: 'banner-message-text', line: "banner-message-text='{{ ubtu22cis_warning_banner | regex_replace('\n', ' ') | trim }}'", insertafter: 'banner-message-enable' } - notify: Update dconf - when: - - ubtu22cis_rule_1_8_2 - - ubtu22cis_desktop_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.8.2 - - gnome - -- name: "1.8.3 | PATCH | Ensure disable-user-list is enabled" - block: - - name: "1.8.3 | PATCH | Ensure disable-user-list is enabled | make directories" - ansible.builtin.file: - path: "{{ item }}" - owner: root - group: root - mode: '0755' - state: directory - loop: - - /etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d - - /etc/dconf/profile - - - name: "1.8.3 | PATCH | Ensure disable-user-list is enabled | 
disable-user-list setting login-screen" - ansible.builtin.lineinfile: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/00-login-screen" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - create: true - owner: root - group: root - mode: '0644' - loop: - - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF } - - { regexp: 'disable-user-list', line: 'disable-user-list=true', insertafter: '\[org\/gnome\/login-screen\]'} - - - name: "1.8.3 | PATCH | Ensure disable-user-list is enabled | disable-user-list setting profile" - ansible.builtin.lineinfile: - path: "/etc/dconf/profile/{{ ubtu22cis_dconf_db_name }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - create: true - owner: root - group: root - mode: '0644' - loop: - - { regexp: '^user-db:user', line: 'user-db:user', insertafter: EOF } - - { regexp: '^system-db:{{ ubtu22cis_dconf_db_name }}', line: 'system-db:{{ ubtu22cis_dconf_db_name }}', insertafter: 'user-db:user'} - - { regexp: '^file-db:/usr/share/gdm/greeter-dconf-defaults', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults', insertafter: 'system-db:{{ ubtu22cis_dconf_db_name }}'} - notify: Update dconf - when: - - ubtu22cis_rule_1_8_3 - - ubtu22cis_desktop_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.8.3 - - gnome - -- name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle" - block: - - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | session profile" - ansible.builtin.lineinfile: - path: "/etc/dconf/profile/{{ ubtu22cis_dconf_db_name }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.after | default(omit) }}" - create: true - loop: - - { regexp: 'user-db:user', line: 'user-db:user' } - - { regexp: 'system-db:{{ ubtu22cis_dconf_db_name }}', line: 'system-db:{{ ubtu22cis_dconf_db_name }}', after: 
'^user-db.*' } - - - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | make directory" - ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d" - owner: root - group: root - mode: '0755' - state: directory - notify: Update dconf - - - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | session script" - ansible.builtin.template: - src: etc/dconf/db/00-screensaver.j2 - dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/00-screensaver" - owner: root - group: root - mode: '0644' - notify: Update dconf - when: - - ubtu22cis_rule_1_8_4 - - ubtu22cis_desktop_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.8.4 - - gnome - -- name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden" - block: - - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lock directory" - ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks" - owner: root - group: root - mode: '0755' - state: directory - notify: Update dconf - - - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lockfile" - ansible.builtin.template: - src: etc/dconf/db/00-screensaver_lock.j2 - dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks/00-screensaver" - owner: root - group: root - mode: '0644' - notify: Update dconf - when: - - ubtu22cis_rule_1_8_5 - - ubtu22cis_desktop_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.8.5 - - gnome - -- name: "1.8.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled" - block: - - name: "1.8.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled | make directory" - ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d" - owner: root - group: root - mode: '0755' - state: directory - notify: Update dconf - - - name: "1.8.6 | PATCH | Ensure GDM automatic mounting of removable media is 
disabled | session script" - ansible.builtin.template: - src: etc/dconf/db/00-media-automount.j2 - dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/00-media-automount" - owner: root - group: root - mode: '0644' - notify: Update dconf - when: - - ubtu22cis_rule_1_8_6 - - ubtu22cis_desktop_required - tags: - - level1-server - - level2-workstation - - automated - - patch - - rule_1.8.6 - - gnome - -- name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden" - block: - - name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | make lock directory" - ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks" - owner: root - group: root - mode: '0755' - state: directory - notify: Update dconf - - - name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | make lockfile" - ansible.builtin.template: - src: etc/dconf/db/00-automount_lock.j2 - dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks/00-automount_lock" - owner: root - group: root - mode: '0644' - notify: Update dconf - when: - - ubtu22cis_rule_1_8_7 - - ubtu22cis_desktop_required - tags: - - level1-server - - level2-workstation - - automated - - patch - - rule_1.8.7 - - gnome - -- name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled" - block: - - name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled | make directory" - ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d" - owner: root - group: root - mode: '0755' - state: directory - notify: Update dconf - - - name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled | session script" - ansible.builtin.template: - src: etc/dconf/db/00-media-autorun.j2 - dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/00-media-autorun" - owner: root - group: root - mode: '0644' - notify: Update dconf - when: - - ubtu22cis_rule_1_8_8 - - ubtu22cis_desktop_required - tags: - - 
level1-server - - level2-workstation - - automated - - patch - - rule_1.8.8 - - gnome - -- name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden" - block: - - name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | make lock directory" - ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks" - owner: root - group: root - mode: '0755' - state: directory - notify: Update dconf - - - name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | make lockfile" - ansible.builtin.template: - src: etc/dconf/db/00-autorun_lock.j2 - dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks/00-autorun_lock" - owner: root - group: root - mode: '0644' - notify: Update dconf - when: - - ubtu22cis_rule_1_8_9 - - ubtu22cis_desktop_required - tags: - - level1-server - - level2-workstation - - automated - - patch - - rule_1.8.9 - - gnome - -- name: "1.8.10 | PATCH | Ensure XDCMP is not enabled" - ansible.builtin.lineinfile: - path: /etc/gdm3/custom.conf - regexp: '^Enable.*=.*true' - state: absent - when: - - ubtu22cis_rule_1_8_10 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.8.10 - - gnome - - xdcmp diff --git a/tasks/section_1/cis_1.9.yml b/tasks/section_1/cis_1.9.yml deleted file mode 100644 index 8d43f42a..00000000 --- a/tasks/section_1/cis_1.9.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- - -- name: "1.9 | PATCH | Ensure updates, patches, and additional security software are installed" - ansible.builtin.package: - name: "*" - state: latest - when: - - ubtu22cis_rule_1_9 - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_1.9 - - patch diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index 5ae30275..442ed469 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml 
@@ -1,88 +1,69 @@ --- -- name: "SECTION | 1.1.1 | Disable Unused Filesystems" - ansible.builtin.import_tasks: - file: cis_1.1.1.x.yml +- name: "SECTION | 1.1.1 | Configure Filesystem Kernel Modules" when: not system_is_container - -- name: "SECTION | 1.1.2 | Configure /tmp" ansible.builtin.import_tasks: - file: cis_1.1.2.x.yml - when: not system_is_container + file: cis_1.1.1.x.yml -- name: "SECTION | 1.1.3 | Configure /var" - ansible.builtin.import_tasks: - file: cis_1.1.3.x.yml +- name: "SECTION | 1.1.2.1 | Configure /tmp" when: not system_is_container - -- name: "SECTION | 1.1.4 | Configure /var/tmp" ansible.builtin.import_tasks: - file: cis_1.1.4.x.yml + file: cis_1.1.2.1.x.yml -- name: "SECTION | 1.1.5 | Configure /var/log" - ansible.builtin.import_tasks: - file: cis_1.1.5.x.yml +- name: "SECTION | 1.1.2.2 | Configure /dev/shm" when: not system_is_container - -- name: "SECTION | 1.1.6 | Configure /var/log/audit" ansible.builtin.import_tasks: - file: cis_1.1.6.x.yml - when: not system_is_container + file: cis_1.1.2.2.x.yml -- name: "SECTION | 1.1.7 | Configure /home" +- name: "SECTION | 1.1.2.3 | Configure /home" ansible.builtin.import_tasks: - file: cis_1.1.7.x.yml - when: not system_is_container + file: cis_1.1.2.3.x.yml -- name: "SECTION | 1.1.8 | Configure /dev/shm" - ansible.builtin.import_tasks: - file: cis_1.1.8.x.yml +- name: "SECTION | 1.1.2.4 | Configure /var" when: not system_is_container - -- name: "SECTION | 1.1.9 | Disable Automounting" ansible.builtin.import_tasks: - file: cis_1.1.9.yml - when: not system_is_container + file: cis_1.1.2.4.x.yml -- name: "SECTION | 1.1.10 | Disable USB Storage" - ansible.builtin.import_tasks: - file: cis_1.1.10.yml +- name: "SECTION | 1.1.2.5 | Configure /var/tmp" when: not system_is_container - -- name: "SECTION | 1.2 | Configure Software Updates" ansible.builtin.import_tasks: - file: cis_1.2.x.yml + file: cis_1.1.2.5.x.yml + +- name: "SECTION | 1.1.2.6 | Configure /var/log" when: not system_is_container + 
ansible.builtin.import_tasks: + file: cis_1.1.2.6.x.yml -- name: "SECTION | 1.3. | Filesystem Integrity Checking" +- name: "SECTION | 1.1.2.7 | Configure /var/log/audit" + when: not system_is_container ansible.builtin.import_tasks: - file: cis_1.3.x.yml + file: cis_1.1.2.7.x.yml -- name: "SECTION | 1.4 | Secure Boot Settings" +- name: "SECTION | 1.2.1 | Configure Package Repositories" ansible.builtin.import_tasks: - file: cis_1.4.x.yml + file: cis_1.2.1.x.yml -- name: "SECTION | 1.5 | Additional Process Hardening" +- name: "SECTION | 1.2.2 | Configure Package Updates" ansible.builtin.import_tasks: - file: cis_1.5.x.yml + file: cis_1.2.2.x.yml + +- name: "SECTION | 1.3 | Configure AppArmor" when: not system_is_container + ansible.builtin.import_tasks: + file: cis_1.3.1.x.yml -- name: "SECTION | 1.6 | Mandatory Access Control" +- name: "SECTION | 1.4 | Configure Bootloader" ansible.builtin.import_tasks: - file: cis_1.6.x.yml + file: cis_1.4.x.yml -- name: "SECTION | 1.7 | Command Line Warning Banners" +- name: "SECTION | 1.5 | Configure Additional Process Hardening" ansible.builtin.import_tasks: - file: cis_1.7.x.yml + file: cis_1.5.x.yml -- name: "SECTION | 1.8 | GNOME Display Manager" +- name: "SECTION | 1.6 | Command Line Warning Banners" ansible.builtin.import_tasks: - file: cis_1.8.x.yml - when: - - "'gdm3' in ansible_facts.packages" - - not system_is_container + file: cis_1.6.x.yml -- name: "SECTION | 1.9 | Ensure updates, patches, and additional security software are installed" +- name: "SECTION | 1.7 | Configure GNOME Display Manager" ansible.builtin.import_tasks: - file: cis_1.9.yml - when: not system_is_container + file: cis_1.7.x.yml diff --git a/tasks/section_2/cis_2.1.1.x.yml b/tasks/section_2/cis_2.1.1.x.yml deleted file mode 100644 index 5ff7c933..00000000 --- a/tasks/section_2/cis_2.1.1.x.yml +++ /dev/null 
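Review bot: The rewritten `SECTION | 1.1.2.3 | Configure /home` import is the only 1.1.2.x entry without `when: not system_is_container`; the old 1.1.7 /home section had that guard and every sibling from 1.1.2.1 to 1.1.2.7 keeps it in the new file, so the omission looks accidental and would run the /home mount tasks inside containers. Adding `when: not system_is_container` above its `ansible.builtin.import_tasks:` line, as the neighbouring entries do, restores the previous behaviour. The new 1.2.1/1.2.2 package sections and the 1.7 GNOME section also lose the `not system_is_container` and `'gdm3' in ansible_facts.packages` guards that the old 1.2 and 1.8 imports carried; if that is intentional because the individual tasks are now gated on `ubtu22cis_desktop_required`, a one-line comment in main.yml saying so would spare the next reader from re-deriving it.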
@@ -1,40 +0,0 @@ ---- - -- name: "2.1.1.1 | PATCH | Ensure a single time synchronization daemon is in use" - block: - - name: "2.1.1.1 | PATCH | Ensure a single time synchronization daemon is in use | Pkg installed" - ansible.builtin.package: - name: "{{ ubtu22cis_time_sync_tool }}" - state: present - - - name: "2.1.1.1 | PATCH | Ensure a single time synchronization daemon is in use | other pkgs removed" - ansible.builtin.package: - name: "{{ item }}" - state: absent - loop: - - chrony - - ntp - when: item != ubtu22cis_time_sync_tool - - - name: "2.1.1.1 | PATCH | Ensure a single time synchronization daemon is in use | mask service" - ansible.builtin.service: - name: systemd-timesyncd - state: stopped - enabled: false - masked: true - daemon_reload: true - when: - - ubtu22cis_time_sync_tool != "systemd-timesyncd" - - "'systemd-timesyncd' in ansible_facts.packages" - - when: - - ubtu22cis_rule_2_1_1_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.1.1.1 - - chrony - - ntp - - systemd-timesyncd diff --git a/tasks/section_2/cis_2.1.2.x.yml b/tasks/section_2/cis_2.1.2.x.yml deleted file mode 100644 index a58e69a2..00000000 --- a/tasks/section_2/cis_2.1.2.x.yml +++ /dev/null 
@@ -1,57 +0,0 @@ ---- - -- name: "2.1.2.1 | PATCH | Ensure chrony is configured with authorized timeserver" - block: - - name: "2.1.2.1 | PATCH | Ensure chrony is configured with authorized timeserver | sources" - ansible.builtin.template: - src: "{{ item }}.j2" - dest: "/{{ item }}" - mode: '0644' - owner: root - group: root - loop: - - etc/chrony/sources.d/pool.sources - - etc/chrony/sources.d/server.sources - notify: Restart timeservice - - - name: "2.1.2.1 | PATCH | Ensure chrony is configured with authorized timeserver | load sources" - ansible.builtin.lineinfile: - path: /etc/chrony/chrony.conf - regexp: '^sourcedir /etc/chrony/sources.d' - line: sourcedir /etc/chrony/sources.d - notify: Restart timeservice - when: - - ubtu22cis_rule_2_1_2_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_2.1.2.1 - - chrony - -- name: "2.1.2.2 | PATCH | Ensure chrony is running as user _chrony" - ansible.builtin.lineinfile: - path: /etc/chrony/chrony.conf - regexp: '^user _chrony' - line: 'user _chrony' - when: - - ubtu22cis_rule_2_1_2_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_2.1.2.2 - - chrony - -- name: "2.1.2.3 | PATCH | Ensure chrony is enabled and running" - ansible.builtin.systemd: - name: chrony - state: started - enabled: true - when: - - ubtu22cis_rule_2_1_2_3 - tags: - - level1-server - - level1-workstation - - rule_2.1.2.3 - - chrony diff --git a/tasks/section_2/cis_2.1.3.x.yml b/tasks/section_2/cis_2.1.3.x.yml deleted file mode 100644 index a1a39efe..00000000 --- a/tasks/section_2/cis_2.1.3.x.yml +++ /dev/null 
@@ -1,44 +0,0 @@ ---- - -- name: "2.1.3.1 | PATCH | Ensure systemd-timesyncd configured with authorized timeserver" - block: - - name: "2.1.3.1 | PATCH | Ensure systemd-timesyncd configured with authorized timeserver | create conf.d dir" - ansible.builtin.file: - path: /etc/systemd/timesyncd.conf.d - owner: root - group: root - mode: '0755' - state: directory - - - name: "2.1.3.1 | PATCH | Ensure systemd-timesyncd configured with authorized timeserver | sources" - ansible.builtin.template: - src: "{{ item }}.j2" - dest: "/{{ item }}" - mode: '0644' - owner: root - group: root - loop: - - "etc/systemd/timesyncd.conf.d/50-timesyncd.conf" - notify: Restart timeservice - when: - - ubtu22cis_rule_2_1_3_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_2.1.3.1 - - timesyncd - -- name: "2.1.3.2 | PATCH | Ensure systemd-timesyncd is enabled and running" - ansible.builtin.systemd: - name: systemd-timesyncd - state: started - enabled: true - masked: false - when: - - ubtu22cis_rule_2_1_3_2 - tags: - - level1-server - - level1-workstation - - rule_2.1.3.2 - - timesyncd diff --git a/tasks/section_2/cis_2.1.4.x.yml b/tasks/section_2/cis_2.1.4.x.yml deleted file mode 100644 index 869ade0b..00000000 --- a/tasks/section_2/cis_2.1.4.x.yml +++ /dev/null 
@@ -1,78 +0,0 @@ ---- - -- name: "2.1.4.1 | PATCH | Ensure ntp access control is configured " - ansible.builtin.lineinfile: - path: /etc/ntp.conf - regexp: '^(restrict) (|{{ item }}) .*$' - line: 'restrict {{ item }} default kod nomodify notrap nopeer noquery' - loop: - - '-4' - - '-6' - notify: Restart timeservice - when: - - ubtu22cis_rule_2_1_4_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_2.1.4.1 - - ntp - -- name: "2.1.4.2 | PATCH | Ensure ntp is configured with authorized timeserver" - block: - - name: "2.1.4.2 | PATCH | Ensure ntp is configured with authorized timeserver | pool" - ansible.builtin.lineinfile: - path: /etc/ntp.conf - regexp: '^pool.*' - line: 'pool {{ item.name }} {{ item.options }}' - notify: Restart timeservice - loop: "{{ ubtu22cis_time_pool }}" - loop_control: - label: "{{ item.name }}" - - - name: "2.1.4.2 | PATCH | Ensure ntp is configured with authorized timeserver | servers" - ansible.builtin.lineinfile: - path: /etc/ntp.conf - insertafter: '^server' - line: 'server {{ item.name }} {{ item.options }}' - loop: "{{ ubtu22cis_time_servers }}" - loop_control: - label: "{{ item.name }}" - notify: Restart timeservice - when: - - ubtu22cis_rule_2_1_4_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_2.1.4.2 - - ntp - -- name: "2.1.4.3 | PATCH | Ensure ntp is running as user ntp" - ansible.builtin.lineinfile: - path: /etc/init.d/ntp - regexp: '^RUNASUSER.*' - line: 'RUNASUSER=ntp' - notify: Restart timeservice - when: - - ubtu22cis_rule_2_1_4_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_2.1.4.3 - - ntp - -- name: "2.1.4.4 | PATCH | Ensure ntp is enabled and running" - ansible.builtin.systemd: - name: ntp - state: started - enabled: true - masked: false - when: - - ubtu22cis_rule_2_1_4_4 - tags: - - level1-server - - level1-workstation - - rule_2.1.4.4 - - ntp 
diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml new file mode 100644 index 00000000..0f50ca5c --- /dev/null +++ b/tasks/section_2/cis_2.1.x.yml 
@@ -0,0 +1,753 @@ +--- + +- name: "2.1.1 | PATCH | Ensure autofs services are not in use" + when: + - ubtu22cis_rule_2_1_1 + - "'autofs' in ansible_facts.packages" + - not system_is_ec2 + tags: + - level1-server + - level2-workstation + - patch + - rule_2.1.1 + - NIST800-53R5_SI-3 + - NIST800-53R5_MP-7 + block: + - name: "2.1.1 | PATCH | Ensure autofs services are not in use | Remove Package" + when: + - not ubtu22cis_autofs_services + - not ubtu22cis_autofs_mask + ansible.builtin.package: + name: autofs + state: absent + purge: "{{ ubtu22cis_purge_apt }}" + + - name: "2.1.1 | PATCH | Ensure autofs services are not in use | Mask service" + when: + - not ubtu22cis_autofs_services + - ubtu22cis_autofs_mask + ansible.builtin.systemd: + name: autofs + enabled: false + state: stopped + masked: true + notify: Systemd_daemon_reload + +- name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use" + when: ubtu22cis_rule_2_1_2 + tags: + - level1-server + - level2-workstation + - patch + - avahi + - rule_2.1.2 + - NIST800-53R5_SI-4 + block: + - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use | Remove package" + when: + - not ubtu22cis_avahi_server + - not ubtu22cis_avahi_mask + - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages" + ansible.builtin.package: + name: + - avahi-autoipd + - avahi + state: absent + purge: "{{ ubtu22cis_purge_apt }}" + + - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use | Mask service" + when: + - not ubtu22cis_avahi_server + - ubtu22cis_avahi_mask + ansible.builtin.systemd: + name: "{{ item }}" + enabled: false + state: stopped + masked: true + loop: + - avahi-daemon.socket + - avahi-daemon.service + notify: Systemd_daemon_reload + +- name: "2.1.3 | PATCH | Ensure dhcp server services are not in use" + when: ubtu22cis_rule_2_1_3 + tags: + - level1-server + - level1-workstation + - patch + - dhcp + - rule_2.1.3 + - NIST800-53R5_CM-7 + block: + - name: "2.1.3 | PATCH | Ensure 
dhcp server services are not in use | Remove package" + when: + - not ubtu22cis_dhcp_server + - not ubtu22cis_dhcp_mask + - "'dhcp-server' in ansible_facts.packages" + ansible.builtin.package: + name: isc-dhcp-server + state: absent + purge: "{{ ubtu22cis_purge_apt }}" + + - name: "2.1.3 | PATCH | Ensure dhcp server services are not in use | Mask service" + when: + - not ubtu22cis_dhcp_server + - ubtu22cis_dhcp_mask + ansible.builtin.systemd: + name: "{{ item }}" + enabled: false + state: stopped + masked: true + loop: + - isc-dhcp-server.service + - isc-dhcp-server6.service + notify: Systemd_daemon_reload + +- name: "2.1.4 | PATCH | Ensure dns server services are not in use" + when: ubtu22cis_rule_2_1_4 + tags: + - level1-server + - level1-workstation + - patch + - dns + - rule_2.1.4 + - NIST800-53R5_CM-7 + block: + - name: "2.1.4 | PATCH | Ensure dns server services are not in use | Remove package" + when: + - "'bind9' in ansible_facts.packages" + - not ubtu22cis_dns_server + - not ubtu22cis_dns_mask + ansible.builtin.package: + name: bind9 + state: absent + purge: "{{ ubtu22cis_purge_apt }}" + + - name: "2.1.4 | PATCH | Ensure dns server services are not in use | Mask service" + when: + - not ubtu22cis_dns_server + - ubtu22cis_dns_mask + ansible.builtin.systemd: + name: named.service + enabled: false + state: stopped + masked: true + notify: Systemd_daemon_reload + +- name: "2.1.5 | PATCH | Ensure dnsmasq services are not in use" + when: ubtu22cis_rule_2_1_5 + tags: + - level1-server + - level1-workstation + - patch + - dns + - rule_2.1.5 + - NIST800-53R5_CM-7 + block: + - name: "2.1.5 | PATCH | Ensure dnsmasq services are not in use | Remove package" + when: + - "'dnsmasq' in ansible_facts.packages" + - not ubtu22cis_dnsmasq_server + - not ubtu22cis_dnsmasq_mask + ansible.builtin.package: + name: dnsmasq + state: absent + purge: "{{ ubtu22cis_purge_apt }}" + + - name: "2.1.5 | PATCH | Ensure dnsmasq services are not in use | Mask service" + when: + - not 
ubtu22cis_dnsmasq_server + - ubtu22cis_dnsmasq_mask + ansible.builtin.systemd: + name: dnsmasq.service + enabled: false + state: stopped + masked: true + notify: Systemd_daemon_reload + +- name: "2.1.6 | PATCH | Ensure ftp server services are not in use" + when: ubtu22cis_rule_2_1_6 + tags: + - level1-server + - level1-workstation + - automation + - patch + - ftp + - rule_2.1.6 + - NIST800-53R5_CM-7 + block: + - name: "2.1.6 | PATCH | Ensure ftp server services are not in use | Remove package" + when: + - "'vsftp' in ansible_facts.packages" + - not ubtu22cis_ftp_server + - not ubtu22cis_ftp_mask + ansible.builtin.package: + name: vsftpd + state: absent + purge: "{{ ubtu22cis_purge_apt }}" + + - name: "2.1.6 | PATCH | Ensure ftp server services are not in use | Mask service" + when: + - not ubtu22cis_ftp_server + - ubtu22cis_ftp_mask + ansible.builtin.systemd: + name: vsftpd.service + enabled: false + state: stopped + masked: true + notify: Systemd_daemon_reload + +- name: "2.1.7 | PATCH | Ensure ldap server services are not in use" + when: ubtu22cis_rule_2_1_7 + tags: + - level1-server + - level1-workstation + - patch + - ldap + - rule_2.1.7 + - NIST800-53R5_CM-7 + block: + - name: "2.1.7 | PATCH | Ensure ldap server services are not in use | Remove package" + when: + - "'slapd' in ansible_facts.packages" + - not ubtu22cis_ldap_server + - not ubtu22cis_ldap_mask + ansible.builtin.package: + name: slapd + state: absent + purge: "{{ ubtu22cis_purge_apt }}" + + - name: "2.1.7 | PATCH | Ensure ldap server services are not in use | Mask service" + when: + - not ubtu22cis_ldap_server + - ubtu22cis_ldap_mask + ansible.builtin.systemd: + name: slapd.service + enabled: false + state: stopped + masked: true + notify: Systemd_daemon_reload + +- name: "2.1.8 | PATCH | Ensure message access server services are not in use" + when: ubtu22cis_rule_2_1_8 + tags: + - level1-server + - level1-workstation + - patch + - dovecot + - imap + - pop3 + - rule_2.1.8 + - NIST800-53R5_CM-7 + 
block: + - name: "2.1.8 | PATCH | Ensure message access server services are not in use | Remove package" + when: + - "'dovecot-pop3d' in ansible_facts.packages or 'dovecot-imapd' in ansible_facts.packages" + - not ubtu22cis_message_server + - not ubtu22cis_message_mask + ansible.builtin.package: + name: + - dovecot-pop3d + - dovecot-imapd + state: absent + purge: "{{ ubtu22cis_purge_apt }}" + + - name: "2.1.8 | PATCH | Ensure message access server services are not in use | Mask service" + when: + - not ubtu22cis_message_server + - ubtu22cis_message_mask + ansible.builtin.systemd: + name: "{{ item }}" + enabled: false + state: stopped + masked: true + loop: + - "dovecot.socket" + - "dovecot.service" + notify: Systemd_daemon_reload + +- name: "2.1.9 | PATCH | Ensure network file system services are not in use" + when: ubtu22cis_rule_2_1_9 + tags: + - level1-server + - level1-workstation + - patch + - nfs + - services + - rule_2.1.9 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + block: + - name: "2.1.9 | PATCH | Ensure network file system services are not in use | Remove package" + when: + - "'nfs-kernel-server' in ansible_facts.packages" + - not ubtu22cis_nfs_server + - not ubtu22cis_nfs_mask + ansible.builtin.package: + name: nfs-kernel-server + state: absent + purge: "{{ ubtu22cis_purge_apt }}" + + - name: "2.1.9 | PATCH | Ensure network file system services are not in use | Mask service" + when: + - not ubtu22cis_nfs_server + - ubtu22cis_nfs_mask + ansible.builtin.systemd: + name: nfs-server.service + enabled: false + state: stopped + masked: true + notify: Systemd_daemon_reload + +- name: "2.1.10 | PATCH | Ensure nis server services are not in use" + when: ubtu22cis_rule_2_1_10 + tags: + - level1-server + - level1-workstation + - patch + - nis + - rule_2.1.10 + - NIST800-53R5_CM-7 + notify: Systemd_daemon_reload + block: + - name: "2.1.10 | PATCH | Ensure nis server services are not in use | Remove package" + when: + - "'ypserv' in ansible_facts.packages" + - not 
ubtu22cis_nis_server + - not ubtu22cis_nis_mask + ansible.builtin.package: + name: ypserv + state: absent + purge: "{{ ubtu22cis_purge_apt }}" + + - name: "2.1.10 | PATCH | Ensure nis server services are not in use | Mask service" + when: + - not ubtu22cis_nis_server + - ubtu22cis_nis_mask + ansible.builtin.systemd: + name: ypserv.service + enabled: false + state: stopped + masked: true + notify: Systemd_daemon_reload + +- name: "2.1.11 | PATCH | Ensure print server services are not in use" + when: ubtu22cis_rule_2_1_11 + tags: + - level1-server + - patch + - cups + - rule_2.1.11 + - NIST800-53R5_CM-7 + block: + - name: "2.1.11 | PATCH | Ensure print server services are not in use | Remove package" + when: + - "'cups' in ansible_facts.packages" + - not ubtu22cis_print_server + - not ubtu22cis_print_mask + ansible.builtin.package: + name: cups + state: absent + purge: "{{ ubtu22cis_purge_apt }}" + + - name: "2.1.11 | PATCH | Ensure print server services are not in use | Mask service" + when: + - not ubtu22cis_print_server + - ubtu22cis_print_mask + ansible.builtin.systemd: + name: "{{ item }}" + enabled: false + state: stopped + masked: true + loop: + - "cups.socket" + - "cups.service" + notify: Systemd_daemon_reload + +- name: "2.1.12 | PATCH | Ensure rpcbind services are not in use" + when: ubtu22cis_rule_2_1_12 + tags: + - level1-server + - level1-workstation + - patch + - rpc + - rule_2.1.12 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + block: + - name: "2.1.12 | PATCH | Ensure rpcbind services are not in use | Remove package" + when: + - "'rpcbind' in ansible_facts.packages" + - not ubtu22cis_rpc_server + - not ubtu22cis_rpc_mask + ansible.builtin.package: + name: rpcbind + state: absent + purge: "{{ ubtu22cis_purge_apt }}" + + - name: "2.1.12 | PATCH | Ensure rpcbind services are not in use | Mask service" + when: + - not ubtu22cis_rpc_server + - ubtu22cis_rpc_mask + ansible.builtin.systemd: + name: "{{ item }}" + enabled: false + state: stopped + masked: true 
+ loop: + - rpcbind.service + - rpcbind.socket + notify: Systemd_daemon_reload + +- name: "2.1.13 | PATCH | Ensure rsync services are not in use" + when: ubtu22cis_rule_2_1_13 + tags: + - level1-server + - level1-workstation + - patch + - rsync + - rule_2.1.13 + - NIST800-53R5_CM-7 + block: + - name: "2.1.13 | PATCH | Ensure rsync services are not in use | Remove package" + when: + - "'rsync' in ansible_facts.packages" + - not ubtu22cis_rsync_server + - not ubtu22cis_rsync_mask + ansible.builtin.package: + name: rsync + state: absent + purge: "{{ ubtu22cis_purge_apt }}" + + - name: "2.1.13 | PATCH | Ensure rsync services are not in use | Mask service" + when: + - not ubtu22cis_rsync_server + - ubtu22cis_rsync_mask + ansible.builtin.systemd: + name: rsyncd.service + enabled: false + state: stopped + masked: true + notify: Systemd_daemon_reload + +- name: "2.1.14 | PATCH | Ensure samba file server services are not in use" + when: + - ubtu22cis_rule_2_1_14 + tags: + - level1-server + - level1-workstation + - patch + - samba + - rule_2.1.14 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + block: + - name: "2.1.14 | PATCH | Ensure samba file server services are not in use | Remove package" + when: + - "'samba' in ansible_facts.packages" + - not ubtu22cis_samba_server + - not ubtu22cis_samba_mask + ansible.builtin.package: + name: samba + state: absent + purge: "{{ ubtu22cis_purge_apt }}" + + - name: "2.1.14 | PATCH | Ensure samba file server services are not in use | Mask service" + when: + - not ubtu22cis_samba_server + - ubtu22cis_samba_mask + ansible.builtin.systemd: + name: smbd.service + enabled: false + state: stopped + masked: true + notify: Systemd_daemon_reload + +- name: "2.1.15 | PATCH | Ensure snmp services are not in use" + when: + - ubtu22cis_rule_2_1_15 + tags: + - level1-server + - level1-workstation + - automation + - patch + - samba + - rule_2.1.15 + - NIST800-53R5_CM-7 + block: + - name: "2.1.15 | PATCH | Ensure snmp services are not in use | Remove 
package" + when: + - "'snmpd' in ansible_facts.packages" + - not ubtu22cis_snmp_server + - not ubtu22cis_snmp_mask + ansible.builtin.package: + name: snmpd + state: absent + purge: "{{ ubtu22cis_purge_apt }}" + + - name: "2.1.15 | PATCH | Ensure snmp services are not in use | Mask service" + when: + - not ubtu22cis_snmp_server + - ubtu22cis_snmp_mask + ansible.builtin.systemd: + name: snmpd.service + enabled: false + state: stopped + masked: true + notify: Systemd_daemon_reload + +- name: "2.1.16 | PATCH | Ensure tftp server services are not in use" + when: ubtu22cis_rule_2_1_16 + tags: + - level1-server + - level1-workstation + - patch + - tftp + - rule_2.1.16 + - NIST800-53R5_CM-7 + block: + - name: "2.1.16 | PATCH | Ensure tftp server services are not in use | Remove package" + when: + - "'tftpd-hpa' in ansible_facts.packages" + - not ubtu22cis_tftp_server + - not ubtu22cis_tftp_mask + ansible.builtin.package: + name: tftpd-hpa + state: absent + purge: "{{ ubtu22cis_purge_apt }}" + + - name: "2.1.16 | PATCH | Ensure tftp server services are not in use | Mask service" + when: + - not ubtu22cis_tftp_server + - ubtu22cis_tftp_mask + ansible.builtin.systemd: + name: tftpd-hpa.service + enabled: false + state: stopped + masked: true + notify: Systemd_daemon_reload + +- name: "2.1.17 | PATCH | Ensure web proxy server services are not in use" + when: ubtu22cis_rule_2_1_17 + tags: + - level1-server + - level1-workstation + - patch + - squid + - rule_2.1.17 + - NIST800-53R5_CM-7 + block: + - name: "2.1.17 | PATCH | Ensure web proxy server services are not in use | Remove package" + when: + - "'squid' in ansible_facts.packages" + - not ubtu22cis_squid_server + - not ubtu22cis_squid_mask + ansible.builtin.package: + name: squid + state: absent + purge: "{{ ubtu22cis_purge_apt }}" + + - name: "2.1.17 | PATCH | Ensure web proxy server services are not in use | Mask service" + when: + - not ubtu22cis_squid_server + - ubtu22cis_squid_mask + ansible.builtin.systemd: + name: 
squid.service + enabled: false + state: stopped + masked: true + notify: Systemd_daemon_reload + +- name: "2.1.18 | PATCH | Ensure web server services are not in use" + when: ubtu22cis_rule_2_1_18 + tags: + - level1-server + - level1-workstation + - patch + - httpd + - nginx + - webserver + - rule_2.1.18 + - NIST800-53R5_CM-7 + block: + - name: "2.1.18 | PATCH | Ensure web server services are not in use | Remove httpd server" + when: + - not ubtu22cis_apache2_server + - not ubtu22cis_apache2_mask + - "'apache2' in ansible_facts.packages" + ansible.builtin.package: + name: apache2 + state: absent + purge: "{{ ubtu22cis_purge_apt }}" + + - name: "2.1.18 | PATCH | Ensure web server services are not in use | Remove nginx server" + when: + - not ubtu22cis_nginx_server + - not ubtu22cis_nginx_mask + - "'nginx' in ansible_facts.packages" + ansible.builtin.package: + name: nginx + state: absent + purge: "{{ ubtu22cis_purge_apt }}" + + - name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask httpd service" + when: + - not ubtu22cis_apache2_server + - ubtu22cis_apache2_mask + - "'apache2' in ansible_facts.packages" + ansible.builtin.systemd: + name: "{{ item }}" + enabled: false + state: stopped + masked: true + loop: + - apache2.service + - apache2.socket + notify: Systemd_daemon_reload + + - name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask nginx service" + when: + - not ubtu22cis_nginx_server + - ubtu22cis_nginx_mask + - "'nginx' in ansible_facts.packages" + ansible.builtin.systemd: + name: ngnix.service + enabled: false + state: stopped + masked: true + notify: Systemd_daemon_reload + +- name: "2.1.19 | PATCH | Ensure xinetd services are not in use" + when: ubtu22cis_rule_2_1_19 + tags: + - level1-server + - level1-workstation + - patch + - xinetd + - rule_2.1.19 + - NIST800-53R5_CM-7 + block: + - name: "2.1.19 | PATCH | Ensure xinetd services are not in use | Remove package" + when: + - "'xinetd' in ansible_facts.packages" + - 
not ubtu22cis_xinetd_server + - not ubtu22cis_xinetd_mask + ansible.builtin.package: + name: xinetd + purge: "{{ ubtu22cis_purge_apt }}" + state: absent + + - name: "2.1.19 | PATCH | Ensure xinetd services are not in use | Mask service" + when: + - not ubtu22cis_xinetd_server + - ubtu22cis_xinetd_mask + ansible.builtin.systemd: + name: xinetd.service + enabled: false + masked: true + state: stopped + notify: Systemd_daemon_reload + +- name: "2.1.20 | PATCH | Ensure X window server services are not in use" + when: + - not ubtu22cis_xwindow_server + - "'xorg-x11-server-common' in ansible_facts.packages" + - ubtu22cis_rule_2_1_20 + tags: + - level2-server + - patch + - xwindow + - rule_2.1.20 + - NIST800-53R5_CM-11 + ansible.builtin.package: + name: xorg-x11-server-common + state: absent + purge: "{{ ubtu22cis_purge_apt }}" + +- name: "2.1.21 | PATCH | Ensure mail transfer agent is configured for local-only mode" + when: + - not ubtu22cis_is_mail_server + - ubtu22cis_rule_2_1_21 + tags: + - level1-server + - level1-workstation + - patch + - postfix + - rule_2.1.21 + - NIST800-53R5_CM-7 + vars: + warn_control_id: "2.1.21" + block: + - name: "2.1.21 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if exim4 installed" + when: "'exim4' in ansible_facts.packages" + ansible.builtin.lineinfile: # noqa: args[module] + path: /etc/exim4/update-exim4.conf.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + loop: + - { regexp: "^dc_eximconfig_configtype", line: "dc_eximconfig_configtype='local'" } + - { regexp: "^dc_local_interfaces", line: "dc_local_interfaces='127.0.0.1 ; ::1'" } + - { regexp: "^dc_readhost", line: "dc_readhost=''" } + - { regexp: "^dc_relay_domains", line: "dc_relay_domains=''" } + - { regexp: "^dc_minimaldns", line: "dc_minimaldns='false'" } + - { regexp: "^dc_relay_nets", line: "dc_relay_nets=''" } + - { regexp: "^dc_smarthost", line: "dc_smarthost=''" } + - { regexp: "^dc_use_split_config", line: 
"dc_use_split_config='false'" } + - { regexp: "^dc_hide_mailname", line: "dc_hide_mailname=''" } + - { regexp: "^dc_mailname_in_oh", line: "dc_mailname_in_oh='true'" } + - { regexp: "^dc_localdelivery", line: "dc_localdelivery='mail_spool'" } + notify: Restart exim4 + + - name: "2.1.21 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if postfix is installed" + when: "'postfix' in ansible_facts.packages" + notify: Restart postfix + ansible.builtin.lineinfile: + path: /etc/postfix/main.cf + regexp: ^(?#)inet_interfaces + line: "inet_interfaces = loopback-only" + + - name: "2.1.21 | WARN | Ensure mail transfer agent is configured for local-only mode | Message out other main agents" + when: + - "'exim4' not in ansible_facts.packages" + - "'postfix' not in ansible_facts.packages" + ansible.builtin.debug: + msg: + - "Warning!! You are not using either exim4 or postfix, please ensure mail services set for local only mode" + - "Please review your vendors documentation to configure local-only mode" + + - name: "2.1.21 | WARN | Ensure mail transfer agent is configured for local-only mode | warn_count" + when: + - "'exim4' not in ansible_facts.packages" + - "'postfix' not in ansible_facts.packages" + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface" + when: ubtu22cis_rule_2_1_22 + tags: + - level1-server + - level1-workstation + - audit + - services + - rule_2.1.22 + - NIST800-53R5_CM-7 + vars: + warn_control_id: "2.1.22" + block: + - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services" + ansible.builtin.command: systemctl list-units --type=service # noqa command-instead-of-module + changed_when: false + failed_when: discovered_list_of_services.rc not in [ 0, 1 ] + check_mode: false + register: discovered_list_of_services + + - name: "2.1.22 | AUDIT | Ensure only approved 
services are listening on a network interface | Display list of services" + ansible.builtin.debug: + msg: + - "Warning!! Below are the list of services, both active and inactive" + - "Please review to make sure all are essential" + - "{{ discovered_list_of_services.stdout_lines }}" + + - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Warn Count" + ansible.builtin.import_tasks: + file: warning_facts.yml diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index baa622ea..7bcc9098 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml 
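Review bot: The 2.1.18 "Mask nginx service" task names the unit `ngnix.service`, so with `ubtu22cis_nginx_mask` set the systemd module fails on a unit it cannot find and nginx is never stopped; it should read `name: nginx.service`. Several package-presence guards in this file test a name other than the package the task removes, and since `ansible_facts.packages` is keyed by the exact binary package name those remove tasks can never run: 2.1.2 tests `'avahi-autopd'` and `'avahi'` but removes `avahi-autoipd` and `avahi` (the removed 2.2.2 task in the next file used `avahi-daemon`), 2.1.3 tests `'dhcp-server'` but removes `isc-dhcp-server`, and 2.1.6 tests `'vsftp'` but removes `vsftpd`. In 2.1.21 the postfix `regexp: ^(?#)inet_interfaces` is an empty inline regex comment rather than an optional `#`, so an existing commented-out `#inet_interfaces` line is no longer replaced in place; the removed version's `'^(#)?inet_interfaces'` looks like what was intended. Smaller slips: 2.1.15 tags the snmp control `samba` instead of `snmp`, and 2.1.20 removes `xorg-x11-server-common`, a Red Hat package name, where the removed 2.2.1 task used the Ubuntu `xserver-xorg*`.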
@@ -1,359 +1,99 @@ --- -- name: "2.2.1 | PATCH | Ensure X Window System is not installed" - ansible.builtin.package: - name: xserver-xorg* - state: absent - purge: "{{ ubtu22cis_purge_apt }}" +- name: "2.2.1 | PATCH | Ensure NIS Client is not installed" when: - - ubtu22cis_rule_2_2_1 - - not ubtu22cis_desktop_required + - ubtu22cis_rule_2_2_1 + - not ubtu22cis_nis_server tags: - - level1-server - - automated - - patch - - rule_2.2.1 - - xwindows - -- name: "2.2.2 | PATCH | Ensure Avahi Server is not installed" - block: - - name: "2.2.2 | PATCH | Ensure Avahi Server is not installed| Stop/Disable avahi-daemon.service" - ansible.builtin.service: - name: avahi-daemon.service - state: stopped - enabled: false - when: avahi_service_status.stdout == "loaded" - - - name: "2.2.2 | PATCH | Ensure Avahi Server is not installed | Stop/Disable avahi-daemon.socket" - ansible.builtin.systemd: - name: avahi-daemon.socket - state: stopped - enabled: false - when: avahi_service_status.stdout == "loaded" - - - name: "2.2.2 | PATCH | Ensure Avahi Server is not installed | Remove avahi-daemon" - ansible.builtin.package: - name: avahi-daemon - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_2_2 - - not ubtu22cis_avahi_server - - ubtu22cis_disruption_high - - "'avahi-daemon' in ansible_facts.packages" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.2 - - avahi - - services - -- name: "2.2.3 | PATCH | Ensure CUPS is not installed" + - level1-server + - level1-workstation + - rule_2.2.1 + - nis + - NIST800-53R5_CM-7 + - NIST800-53R5_CM-11 ansible.builtin.package: - name: cups - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_2_3 - - not ubtu22cis_cups_server - - "'cups' in ansible_facts.packages" - tags: - - level1-server - - level2-workstation - - automated - - patch - - rule_2.2.3 - - cups - - services + name: nis + state: absent + purge: "{{ ubtu22cis_purge_apt }}" -- name: "2.2.4 | 
PATCH | Ensure DHCP Server is not installed" - ansible.builtin.package: - name: isc-dhcp-server - state: absent - purge: "{{ ubtu22cis_purge_apt }}" +- name: "2.2.2 | PATCH | Ensure rsh client is not installed" when: - - ubtu22cis_rule_2_2_4 - - not ubtu22cis_dhcp_server - - "'isc-dhcp-server' in ansible_facts.packages" + - ubtu22cis_rule_2_2_2 + - not ubtu22cis_rsh_client tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.4 - - dhcp - - services - -- name: "2.2.5 | PATCH | Ensure LDAP server is not installed" + - level1-server + - level1-workstation + - patch + - rule_2.2.2 + - rsh + - NIST800-53R5_CM-7 ansible.builtin.package: - name: slapd - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_2_5 - - not ubtu22cis_ldap_server - - "'slapd' in ansible_facts.packages" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.5 - - ldap - - services + name: rsh-client + state: absent + purge: "{{ ubtu22cis_purge_apt }}" -- name: "2.2.6 | PATCH | Ensure NFS is not installed" - ansible.builtin.package: - name: nfs-kernel-server - state: absent - purge: "{{ ubtu22cis_purge_apt }}" +- name: "2.2.3 | PATCH | Ensure talk client is not installed" when: - - ubtu22cis_rule_2_2_6 - - not ubtu22cis_nfs_server - - "'nfs-kernel-server' in ansible_facts.packages" + - ubtu22cis_rule_2_2_3 + - not ubtu22cis_talk_client tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.6 - - nfs - - rpc - - services - -- name: "2.2.7 | PATCH | Ensure DNS Server is not installed" + - level1-server + - level1-workstation + - patch + - rule_2.2.3 + - talk + - NIST800-53R5_CM-7 ansible.builtin.package: - name: bind9 - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_2_7 - - not ubtu22cis_dns_server - - "'bind9' in ansible_facts.packages" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.7 - - dns - - service - -- 
name: "2.2.8 | PATCH | Ensure FTP Server is not installed" + name: talk + state: absent + purge: "{{ ubtu22cis_purge_apt }}" + +- name: "2.2.4 | PATCH | Ensure telnet client is not installed" + when: + - ubtu22cis_rule_2_2_4 + - not ubtu22cis_telnet_required + tags: + - level1-server + - level1-workstation + - patch + - rule_2.2.4 + - telnet + - NIST800-53R5_CM-7 + - NIST800-53R5_CM-11 ansible.builtin.package: - name: vsftpd - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_2_8 - - not ubtu22cis_vsftpd_server - - "'vsftpd' in ansible_facts.packages" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.8 - - ftp - - service + name: telnet + state: absent + purge: "{{ ubtu22cis_purge_apt }}" -- name: "2.2.9 | PATCH | Ensure HTTP server is not installed" - ansible.builtin.package: - name: apache2 - state: absent - purge: "{{ ubtu22cis_purge_apt }}" +- name: "2.2.5 | PATCH | Ensure ldap client is not installed" when: - - ubtu22cis_rule_2_2_9 - - not ubtu22cis_httpd_server - - "'apache2' in ansible_facts.packages" + - ubtu22cis_rule_2_2_5 + - not ubtu22cis_ldap_clients_required tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.9 - - httpd - - service - -- name: "2.2.10 | PATCH | Ensure IMAP and POP3 server are not installed" + - level1-server + - level1-workstation + - patch + - rule_2.2.5 + - ldap + - NIST800-53R5_CM-7 ansible.builtin.package: - name: ['dovecot-imapd', 'dovecot-pop3d'] - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_2_10 - - not ubtu22cis_dovecot_server - - "'dovecot-imapd' in ansible_facts.packages or - 'dovecot-pop3d' in ansible_facts.packages" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.10 - - dovecot - - service - -- name: "2.2.11 | PATCH | Ensure Samba is not installed" + name: ldap-utils + state: absent + purge: "{{ ubtu22cis_purge_apt }}" + +- name: "2.2.6 | PATCH | Ensure 
ftp client is not installed" + when: + - ubtu22cis_rule_2_2_6 + - not ubtu22cis_ftp_client + tags: + - level1-server + - level1-workstation + - patch + - rule_2.2.6 + - ftp + - NIST800-53R5_CM-7 + - NIST800-53R5_CM-11 ansible.builtin.package: - name: samba - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_2_11 - - not ubtu22cis_smb_server - - "'samba' in ansible_facts.packages" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.11 - - samba - - service - -- name: "2.2.12 | PATCH | Ensure HTTP Proxy Server is not installed" - ansible.builtin.package: - name: squid - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_2_12 - - not ubtu22cis_squid_server - - "'squid' in ansible_facts.packages" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.12 - - http_proxy - - service - -- name: "2.2.13 | PATCH | Ensure SNMP Server is not installed" - ansible.builtin.package: - name: snmpd - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_2_13 - - not ubtu22cis_snmp_server - - "'snmpd' in ansible_facts.packages" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.13 - - snmp - - service - -- name: "2.2.14 | PATCH | Ensure NIS Server is not installed" - ansible.builtin.package: - name: nis - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_2_14 - - not ubtu22cis_nis_server - - "'nis' in ansible_facts.packages" - tags: - - level1-server - - level1-workstation - - automated - - rule_2.2.14 - - nis - - service - -- name: "2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode" - block: - - name: "2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if exim4 installed" - ansible.builtin.lineinfile: - path: /etc/exim4/update-exim4.conf.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - 
with_items: - - { regexp: '^dc_eximconfig_configtype', line: "dc_eximconfig_configtype='local'" } - - { regexp: '^dc_local_interfaces', line: "dc_local_interfaces='127.0.0.1 ; ::1'" } - - { regexp: '^dc_readhost', line: "dc_readhost=''" } - - { regexp: '^dc_relay_domains', line: "dc_relay_domains=''" } - - { regexp: '^dc_minimaldns', line: "dc_minimaldns='false'" } - - { regexp: '^dc_relay_nets', line: "dc_relay_nets=''" } - - { regexp: '^dc_smarthost', line: "dc_smarthost=''" } - - { regexp: '^dc_use_split_config', line: "dc_use_split_config='false'" } - - { regexp: '^dc_hide_mailname', line: "dc_hide_mailname=''" } - - { regexp: '^dc_mailname_in_oh', line: "dc_mailname_in_oh='true'" } - - { regexp: '^dc_localdelivery', line: "dc_localdelivery='mail_spool'" } - notify: Restart exim4 - when: "'exim4' in ansible_facts.packages" - - - name: "2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if postfix is installed" - ansible.builtin.lineinfile: - path: /etc/postfix/main.cf - regexp: '^(#)?inet_interfaces' - line: 'inet_interfaces = loopback-only' - notify: Restart postfix - when: "'postfix' in ansible_facts.packages" - - - name: "2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Message out other main agents" - ansible.builtin.debug: - msg: - - "Warning!! 
You are not using either exim4 or postfix" - - "Please review your vendors documentation to configure local-only mode" - when: - - "'exim4' not in ansible_facts.packages" - - "'postfix' not in ansible_facts.packages" - - - name: "2.2.15 | WARN | Ensure mail transfer agent is configured for local-only mode | warn_count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: - - "'exim4' not in ansible_facts.packages" - - "'postfix' not in ansible_facts.packages" - vars: - warn_control_id: '2.2.15' - when: - - ubtu22cis_rule_2_2_15 - - not ubtu22cis_is_mail_server - tags: - - level1-server - - level1-workstation - - automated - - scored - - patch - - rule_2.2.15 - - postfix - -- name: "2.2.16 | PATCH | Ensure rsync service is either not installed or masked" - block: - - name: "2.2.16 | PATCH | Ensure rsync service is either not installed or masked | remove pkg" - ansible.builtin.package: - name: rsync - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_2_16 - - ubtu22cis_rsync_server == 'remove' - - - name: "2.2.16 | PATCH | Ensure rsync service is either not installed or masked | mask service" - ansible.builtin.systemd: - name: rsync - masked: true - enabled: false - state: stopped - daemon_reload: true - when: - - ubtu22cis_rule_2_2_16 - - ubtu22cis_rsync_server == 'mask' - when: - - "'rsync' in ansible_facts.packages" - - ubtu22cis_rule_2_2_16 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.16 - - rsync + name: ftp + state: absent + purge: "{{ ubtu22cis_purge_apt }}" diff --git a/tasks/section_2/cis_2.3.1.x.yml b/tasks/section_2/cis_2.3.1.x.yml new file mode 100644 index 00000000..a96c70fd --- /dev/null +++ b/tasks/section_2/cis_2.3.1.x.yml 
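Review bot: The new 2.2.1 task is the only one in this file without the `patch` tag, so a run restricted with `--tags patch` removes the other five client packages but leaves `nis` in place; add `- patch` alongside `- rule_2.2.1` to match 2.2.2 through 2.2.6. The gating variables are also named inconsistently for what are all client-side controls (`ubtu22cis_nis_server` for the NIS client, `ubtu22cis_telnet_required`, `ubtu22cis_ldap_clients_required`, versus `ubtu22cis_rsh_client`, `ubtu22cis_talk_client`, `ubtu22cis_ftp_client`), which makes it easy to flip the wrong switch in defaults; reusing the server variable for 2.2.1 in particular means a host kept as a NIS server also keeps the client package, which may or may not be intended. The `'<pkg>' in ansible_facts.packages` guards the old tasks carried were dropped here; `state: absent` is idempotent so that is harmless, but a one-line comment saying it is deliberate would stop the next reader re-adding them.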
@@ -0,0 +1,39 @@ +--- + +- name: "2.3.1.1 | PATCH | Ensure a single time synchronization daemon is in use" + when: ubtu22cis_rule_2_3_1_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_2.3.1.1 + - chrony + - ntp + - systemd-timesyncd + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + block: + - name: "2.3.1.1 | PATCH | Ensure a single time synchronization daemon is in use | Pkg installed" + ansible.builtin.package: + name: "{{ ubtu22cis_time_sync_tool }}" + state: present + + - name: "2.3.1.1 | PATCH | Ensure a single time synchronization daemon is in use | other pkgs removed" + when: item != ubtu22cis_time_sync_tool + ansible.builtin.package: + name: "{{ item }}" + state: absent + loop: + - chrony + - ntp + + - name: "2.3.1.1 | PATCH | Ensure a single time synchronization daemon is in use | mask service" + when: + - ubtu22cis_time_sync_tool != "systemd-timesyncd" + - "'systemd-timesyncd' in ansible_facts.packages" + ansible.builtin.service: + name: systemd-timesyncd + state: stopped + enabled: false + masked: true + daemon_reload: true diff --git a/tasks/section_2/cis_2.3.2.x.yml b/tasks/section_2/cis_2.3.2.x.yml new file mode 100644 index 00000000..977290ba --- /dev/null +++ b/tasks/section_2/cis_2.3.2.x.yml 
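Review bot: The `mask service` task under 2.3.1.1 uses `ansible.builtin.service` with `masked: true` and `daemon_reload: true`, but those are options of `ansible.builtin.systemd`, not of the generic `service` module, which rejects them as unsupported parameters; the task will fail on every host where the selected tool is not systemd-timesyncd and the package is present. Change the module line to `ansible.builtin.systemd:`, which is what the equivalent mask tasks in cis_2.3.2.x.yml and cis_2.3.3.x.yml already use.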
@@ -0,0 +1,63 @@ +--- + +- name: "2.3.2.1 | PATCH | Ensure systemd-timesyncd configured with authorized timeserver" + when: ubtu22cis_rule_2_3_2_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_2.3.2.1 + - timesyncd + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-8 + block: + - name: "2.3.2.1 | PATCH | Ensure systemd-timesyncd configured with authorized timeserver | create conf.d dir" + ansible.builtin.file: + path: /etc/systemd/timesyncd.conf.d + owner: root + group: root + mode: 'go-w' + state: directory + + - name: "2.3.2.1 | PATCH | Ensure systemd-timesyncd configured with authorized timeserver | sources" + ansible.builtin.template: + src: "{{ item }}.j2" + dest: "/{{ item }}" + mode: 'go-wx' + owner: root + group: root + loop: + - "etc/systemd/timesyncd.conf.d/50-timesyncd.conf" + notify: Restart timeservice + +- name: "2.3.2.2 | PATCH | Ensure systemd-timesyncd is enabled and running" + when: ubtu22cis_rule_2_3_2_2 + tags: + - level1-server + - level1-workstation + - rule_2.3.2.2 + - timesyncd + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-8 + block: + - name: "2.3.2.2 | PATCH | Ensure systemd-timesyncd is enabled and running | enable if timesyncd" + ansible.builtin.systemd: + name: systemd-timesyncd + state: started + enabled: true + + - name: "2.3.2.2 | PATCH | Ensure systemd-timesyncd is enabled and running | disable other time sources | chrony" + when: "'chrony' in ansible_facts.packages" + ansible.builtin.systemd: + name: chrony + state: stopped + enabled: false + masked: true + + - name: "2.3.2.2 | PATCH | Ensure systemd-timesyncd is enabled and running | disable other time sources | ntp" + when: "'ntp' in ansible_facts.packages" + ansible.builtin.systemd: + name: ntp + state: stopped + enabled: false + masked: true diff --git a/tasks/section_2/cis_2.3.3.x.yml b/tasks/section_2/cis_2.3.3.x.yml new file mode 100644 index 00000000..2c1cfa8f --- /dev/null +++ b/tasks/section_2/cis_2.3.3.x.yml 
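Review bot: The `disable other time sources | chrony` and `| ntp` tasks under 2.3.2.2 are gated on `ansible_facts.packages`, but cis_2.3.1.x.yml, imported immediately before this file from main.yml, removes exactly those packages; unless package facts are re-gathered in between, the facts still list them and `ansible.builtin.systemd` is asked to stop a unit whose files were just removed, which is likely to fail with a not-found error. Either re-run `ansible.builtin.package_facts` after the 2.3.1.1 removal loop, or drop these two tasks as redundant with it. Separately, 2.3.2.2 lacks the `patch` tag that 2.3.2.1 and the rest of the section carry on PATCH rules; presumably that is an oversight.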
@@ -0,0 +1,76 @@ +--- + +- name: "2.3.3.1 | PATCH | Ensure chrony is configured with authorized timeserver" + when: ubtu22cis_rule_2_3_3_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_2.3.3.1 + - chrony + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + block: + - name: "2.3.3.1 | PATCH | Ensure chrony is configured with authorized timeserver | sources" + ansible.builtin.template: + src: "{{ item }}.j2" + dest: "/{{ item }}" + mode: 'go-wx' + owner: root + group: root + loop: + - etc/chrony/sources.d/pool.sources + - etc/chrony/sources.d/server.sources + notify: Restart timeservice + + - name: "2.3.3.1 | PATCH | Ensure chrony is configured with authorized timeserver | load sources" + ansible.builtin.lineinfile: + path: /etc/chrony/chrony.conf + regexp: '^sourcedir /etc/chrony/sources.d' + line: sourcedir /etc/chrony/sources.d + notify: Restart timeservice + +- name: "2.3.3.2 | PATCH | Ensure chrony is running as user _chrony" + when: ubtu22cis_rule_2_3_3_2 + tags: + - level1-server + - level1-workstation + - patch + - rule_2.3.3.2 + - chrony + - NIST800-53R5_AU-8 + ansible.builtin.lineinfile: + path: /etc/chrony/chrony.conf + regexp: '^user _chrony' + line: 'user _chrony' + +- name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running" + when: ubtu22cis_rule_2_3_3_3 + tags: + - level1-server + - level1-workstation + - rule_2.3.3.3 + - chrony + - NIST800-53R5_AU-8 + block: + - name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running" + ansible.builtin.systemd: + name: chrony + state: started + enabled: true + + - name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running | disable other time sources | timesyncd" + when: "'systemd-timesyncd' in ansible_facts.packages" + ansible.builtin.systemd: + name: systemd-timesyncd + state: stopped + enabled: false + masked: true + + - name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running | disable other time sources | ntpd" + when: "'ntpd' in ansible_facts.packages" + 
ansible.builtin.systemd: + name: ntpd + state: stopped + enabled: false + masked: true diff --git a/tasks/section_2/cis_2.3.x.yml b/tasks/section_2/cis_2.3.x.yml deleted file mode 100644 index b2e2ce3a..00000000 --- a/tasks/section_2/cis_2.3.x.yml +++ /dev/null 
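Review bot: The `ntpd` task under 2.3.3.3 tests `'ntpd' in ansible_facts.packages`, while 2.3.1.1 and 2.3.2.2 use the package name `ntp`; unless `ntpd` is a real package name on the targets, this condition never matches and an installed ntp service is left running when chrony is selected — change it to `when: "'ntp' in ansible_facts.packages"` and `name: ntp`. Under 2.3.3.2 the `lineinfile` regexp `'^user _chrony'` only matches a line that is already correct, so an existing `user <other>` directive is kept and a second `user` line is appended; `regexp: '^(#)?user\s'` would replace it instead. That task also has no `notify: Restart timeservice`, so the change does not take effect until chrony is restarted for some other reason. 2.3.3.3 is also missing the `patch` tag the other PATCH rules carry.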
@@ -1,95 +0,0 @@ ---- - -- name: "2.3.1 | PATCH | Ensure NIS Client is not installed" - ansible.builtin.package: - name: nis - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_3_1 - - not ubtu22cis_nis_required - tags: - - level1-server - - level1-workstation - - rule_2.3.1 - - nis - -- name: "2.3.2 | PATCH | Ensure rsh client is not installed" - ansible.builtin.package: - name: rsh-client - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_3_2 - - not ubtu22cis_rsh_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.3.2 - - rsh - -- name: "2.3.3 | PATCH | Ensure talk client is not installed" - ansible.builtin.package: - name: talk - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_3_3 - - not ubtu22cis_talk_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.3.3 - - talk - -- name: "2.3.4 | PATCH | Ensure telnet client is not installed" - ansible.builtin.package: - name: telnet - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_3_4 - - not ubtu22cis_telnet_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.3.4 - - telnet - -- name: "2.3.5 | PATCH | Ensure LDAP client is not installed" - ansible.builtin.package: - name: ldap-utils - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_3_5 - - not ubtu22cis_ldap_clients_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.3.5 - - ldap - -- name: "2.3.6 | PATCH | Ensure RPC is not installed" - ansible.builtin.package: - name: rpcbind - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_3_6 - - not ubtu22cis_rpc_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.3.6 - - rpbc 
diff --git a/tasks/section_2/cis_2.4.1.x.yml b/tasks/section_2/cis_2.4.1.x.yml new file mode 100644 index 00000000..aee59b39 --- /dev/null +++ b/tasks/section_2/cis_2.4.1.x.yml 
@@ -0,0 +1,146 @@ +--- + +- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled and active" + when: ubtu22cis_rule_2_4_1_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_2.4.1.1 + - cron + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + ansible.builtin.systemd: + name: cron + state: started + enabled: true + +- name: "2.4.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" + when: ubtu22cis_rule_2_4_1_2 + tags: + - level1-server + - level1-workstation + - patch + - rule_2.4.1.2 + - cron + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.file: + path: /etc/crontab + owner: root + group: root + mode: 'go-rwx' + +- name: "2.4.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" + when: ubtu22cis_rule_2_4_1_3 + tags: + - level1-server + - level1-workstation + - patch + - rule_2.4.1.3 + - cron + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.file: + path: /etc/cron.hourly + owner: root + group: root + mode: 'u+rwx,go-rwx' + state: directory + +- name: "2.4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" + when: ubtu22cis_rule_2_4_1_4 + tags: + - level1-server + - level1-workstation + - patch + - rule_2.4.1.4 + - cron + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.file: + path: /etc/cron.daily + owner: root + group: root + mode: 'u+rwx,go-rwx' + state: directory + +- name: "2.4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" + when: ubtu22cis_rule_2_4_1_5 + tags: + - level1-server + - level1-workstation + - patch + - rule_2.4.1.5 + - cron + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.file: + path: /etc/cron.weekly + owner: root + group: root + mode: 'u+rwx,go-rwx' + state: directory + +- name: "2.4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" + when: ubtu22cis_rule_2_4_1_6 + tags: + - level1-server + - level1-workstation + - patch + - 
rule_2.4.1.6 + - cron + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.file: + path: /etc/cron.monthly + owner: root + group: root + mode: 'u+rwx,go-rwx' + state: directory + +- name: "2.4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" + when: ubtu22cis_rule_2_4_1_7 + tags: + - level1-server + - level1-workstation + - patch + - rule_2.4.1.7 + - cron + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.file: + path: /etc/cron.d + owner: root + group: root + mode: 'u+rwx,go-rwx' + state: directory + +- name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users" + when: ubtu22cis_rule_2_4_1_8 + tags: + - level1-server + - level1-workstation + - patch + - rule_2.4.1.8 + - cron + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + block: + - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Remove cron.deny" + ansible.builtin.file: + path: /etc/cron.deny + state: absent + + - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Create cron.allow if doesn't exist" + ansible.builtin.file: + path: /etc/cron.allow + owner: root + group: root + mode: 'u-x,g-wx,o-rwx' + access_time: preserve + modification_time: preserve + state: touch diff --git a/tasks/section_2/cis_2.4.2.x.yml b/tasks/section_2/cis_2.4.2.x.yml new file mode 100644 index 00000000..4f5b3e58 --- /dev/null +++ b/tasks/section_2/cis_2.4.2.x.yml 
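Review bot: 2.4.1.1 starts and enables `cron` without checking that the package is present, unlike the `ansible_facts.packages` guards used for other optional services in this role; on a host where cron has been removed, `ansible.builtin.systemd` fails rather than treating the rule as not applicable. Turning the condition into a list, `when:` / `- ubtu22cis_rule_2_4_1_1` / `- "'cron' in ansible_facts.packages"`, keeps it consistent with the rest of the role, and the same guard would be appropriate on 2.4.1.8, which otherwise creates /etc/cron.allow on a cron-less host.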
@@ -0,0 +1,27 @@ +--- + +- name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users" + when: ubtu22cis_rule_2_4_2_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_2.4.2.1 + - cron + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + block: + - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Remove at.deny" + ansible.builtin.file: + path: /etc/at.deny + state: absent + + - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Create at.allow if doesn't exist" + ansible.builtin.file: + path: /etc/at.allow + owner: root + group: root + mode: 'u-x,g-wx,o-rwx' + access_time: preserve + modification_time: preserve + state: touch diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml deleted file mode 100644 index ef209e7f..00000000 --- a/tasks/section_2/cis_2.4.yml +++ /dev/null @@ -1,33 +0,0 @@ ---- - -- name: "2.4 | AUDIT | Ensure nonessential services are removed or masked" - block: - - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Check for services" - ansible.builtin.shell: lsof -i -P -n | grep -v "(ESTABLISHED)" - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_2_3_services - - - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Message out running services" - ansible.builtin.debug: - msg: - - "Warning!! Below are the running services. Please review and remove as well as mask un-needed services" - - "{{ ubtu22cis_2_3_services.stdout_lines }}" - when: ubtu22cis_2_3_services.stdout | length > 0 - - - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: ubtu22cis_2_3_services.stdout | length > 0 - vars: - warn_control_id: '2.4' - when: - - ubtu22cis_rule_2_4 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_2.4 - - services 
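Review bot: The tags for 2.4.2.1 carry `cron` but no `at`, so `--tags at` cannot select this rule and `--tags cron` picks it up unexpectedly; replace or supplement the tag with `- at`. The block also creates /etc/at.allow whether or not the `at` package is installed, whereas the rest of the role gates daemon-specific tasks on `ansible_facts.packages`; adding `- "'at' in ansible_facts.packages"` to the block's `when` avoids configuring an absent daemon.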
diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index 567de2a3..06aa0b6e 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml @@ -1,35 +1,31 @@ --- -- name: "SECTION | 2.1.1.x | time service " +- name: "SECTION | 2.1.x | Configure Server Services" ansible.builtin.import_tasks: - file: cis_2.1.1.x.yml + file: cis_2.1.x.yml -- name: "SECTION | 2.1.2.x | chrony time service" +- name: "SECTION | 2.2.x | Configure Clients Services" ansible.builtin.import_tasks: - file: cis_2.1.2.x.yml - when: - - ubtu22cis_time_sync_tool == "chrony" + file: cis_2.2.x.yml -- name: "SECTION | 2.1.3.x | systemd-timesyncd time service" +- name: "SECTION | 2.3.1.x | Time service " ansible.builtin.import_tasks: - file: cis_2.1.3.x.yml - when: - - ubtu22cis_time_sync_tool == "systemd-timesyncd" + file: cis_2.3.1.x.yml -- name: "SECTION | 2.1.4.x | ntp time service " +- name: "SECTION | 2.3.2.x | Configure systemd-timesyncd" + when: ubtu22cis_time_sync_tool == "systemd-timesyncd" ansible.builtin.import_tasks: - file: cis_2.1.4.x.yml - when: - - ubtu22cis_time_sync_tool == "ntp" + file: cis_2.3.2.x.yml -- name: "SECTION | 2.1.x | Services" +- name: "SECTION | 2.3.3.x | Configure Chrony" + when: ubtu22cis_time_sync_tool == "chrony" ansible.builtin.import_tasks: - file: cis_2.2.x.yml + file: cis_2.3.3.x.yml -- name: "SECTION | 2.2.x | Service Clients" +- name: "SECTION | 2.4.1.x | Configure Cron" ansible.builtin.import_tasks: - file: cis_2.3.x.yml + file: cis_2.4.1.x.yml -- name: "SECTION | 2.3.x | Ensure nonessential services are removed or masked" +- name: "SECTION | 2.4.2.x | Configure At" ansible.builtin.import_tasks: - file: cis_2.4.yml + file: cis_2.4.2.x.yml diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index c8fbe0cf..16bce82f 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
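Review bot: With the ntp section gone, `ubtu22cis_time_sync_tool` is expected to be exactly `"chrony"` or `"systemd-timesyncd"`, but nothing in this file enforces it: any other value (for example the `"ntp"` the old main.yml accepted) still reaches cis_2.3.1.x.yml, which installs whatever package the variable names, and then neither configuration file is imported, leaving the host with an unconfigured time source. An `ansible.builtin.assert` before the 2.3.1.x import — `that: ubtu22cis_time_sync_tool in ['chrony', 'systemd-timesyncd']` — would turn that silent misconfiguration into a clear failure.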
@@ -1,91 +1,121 @@ --- -- name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled" +- name: "3.1.1 | PATCH | Ensure IPv6 status is identified" + when: + - ubtu22cis_rule_3_1_1 + - not ubtu22cis_ipv6_required + tags: + - level1-server + - level1-workstation + - patch + - rule_3.1.1 + - ipv6 + - NIST800-53R5_CM-7 block: - - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Replace ipv6.disable if it exists" - ansible.builtin.replace: - path: /etc/default/grub - regexp: '^(GRUB_CMDLINE_LINUX=.*)\bipv6\.disable=\d\b(.*$)' - replace: '\1ipv6.disable=1\2' - when: ubtu22cis_ipv6_disable == 'grub' - register: ipv6disable_replaced - notify: Grub update + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Replace ipv6.disable if it exists" + when: ubtu22cis_ipv6_disable == 'grub' + ansible.builtin.replace: + path: /etc/default/grub + regexp: '^(GRUB_CMDLINE_LINUX=.*)\bipv6\.disable=\d\b(.*$)' + replace: '\1ipv6.disable=1\2' + register: discovered_ipv6disable_replaced + notify: Grub update - - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Check grub cmdline linux" - ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_3_1_1_cmdline_settings + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Check grub cmdline linux" + ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' + changed_when: false + failed_when: false + check_mode: false + register: discovered_grub_cmdline_settings - - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Insert ipv6.disable if it doesn't exist" - ansible.builtin.lineinfile: - path: /etc/default/grub - regexp: '^(GRUB_CMDLINE_LINUX=".*)"$' - line: '\1 ipv6.disable=1"' - backrefs: true - when: - - ubtu22cis_ipv6_disable == 'grub' - - ipv6disable_replaced is not 
changed - - "'ipv6.disable' not in ubtu22cis_3_1_1_cmdline_settings.stdout" - notify: Grub update + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Insert ipv6.disable if it doesn't exist" + when: + - ubtu22cis_ipv6_disable == 'grub' + - discovered_ipv6disable_replaced is not changed + - "'ipv6.disable' not in discovered_grub_cmdline_settings.stdout" + ansible.builtin.lineinfile: + path: /etc/default/grub + regexp: '^(GRUB_CMDLINE_LINUX=".*)"$' + line: '\1 ipv6.disable=1"' + backrefs: true + notify: Grub update - - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Remove net.ipv6.conf.all.disable_ipv6" - ansible.builtin.template: - src: "{{ item }}.j2" - dest: "/{{ item }}" - owner: root - group: root - mode: '0640' - notify: Flush ipv6 route table - loop: - - etc/sysctl.d/60-disable_ipv6.conf - when: ubtu22cis_ipv6_disable == 'sysctl' - when: - - ubtu22cis_rule_3_1_1 - - not ubtu22cis_ipv6_required - tags: - - level1-server - - level1-workstation - - patch - - rule_3.1.1 - - ipv6 + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Remove net.ipv6.conf.all.disable_ipv6" + when: ubtu22cis_ipv6_disable == 'sysctl' + ansible.builtin.template: + src: "{{ item }}.j2" + dest: "/{{ item }}" + owner: root + group: root + mode: 'g-wx,o-rwx' + notify: Flush ipv6 route table + loop: + - etc/sysctl.d/60-disable_ipv6.conf - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" + when: + - ubtu22cis_rule_3_1_2 + - prelim_wireless_adapters_exist + tags: + - level1-server + - patch + - rule_3.1.2 + - wireless + - NIST800-53R5_CM-7 + vars: + warn_control_id: '3.1.2' block: - - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool" - ansible.builtin.shell: nmcli radio wifi - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_3_1_2_wifi_status - when: "'network-manager' in ansible_facts.packages" + - name: "3.1.2 | PATCH | Ensure wireless 
interfaces are disabled | Check for network-manager tool" + when: "'network-manager' in ansible_facts.packages" + ansible.builtin.command: nmcli radio wifi + changed_when: false + failed_when: false + check_mode: false + register: discovered_wifi_status - - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed" - ansible.builtin.shell: nmcli radio all off - changed_when: ubtu22cis_3_1_2_nmcli_radio_off.rc == 0 - register: ubtu22cis_3_1_2_nmcli_radio_off - when: - - "'network-manager' in ansible_facts.packages" - - "'enabled' in ubtu22cis_3_1_2_wifi_status.stdout" + - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed" + when: + - "'network-manager' in ansible_facts.packages" + - "'enabled' in discovered_wifi_status.stdout" + ansible.builtin.command: nmcli radio all off + changed_when: discovered_nmcli_radio_off.rc == 0 + register: discovered_nmcli_radio_off - - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed" - ansible.builtin.debug: - msg: "Warning!! You need to disable wireless interfaces manually since network-manager is not installed" - when: "'network-manager' not in ansible_facts.packages" + - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed" + when: "'network-manager' not in ansible_facts.packages" + ansible.builtin.debug: + msg: "Warning!! 
You need to disable wireless interfaces manually since network-manager is not installed" - - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: "'network-manager' not in ansible_facts.packages" - vars: - warn_control_id: '3.1.2' - when: - - ubtu22cis_rule_3_1_2 + - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Set warning count" + when: "'network-manager' not in ansible_facts.packages" + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "3.1.3 | PATCH | Ensure bluetooth services are not in use" + when: ubtu22cis_rule_3_1_3 tags: - - level1-server - - level2-workstation - - automated - - patch - - rule_3.1.2 - - wireless + - level1-server + - level2-workstation + - patch + - bluetooth + - rule_3.1.3 + - NIST800-53R5_CM-7 + block: + - name: "3.1.3 | PATCH | Ensure bluetooth services are not in use | pkg" + when: + - not ubtu22cis_bluetooth_service + - not ubtu22cis_bluetooth_mask + ansible.builtin.package: + name: bluez + state: absent + + - name: "3.1.3 | PATCH | Ensure bluetooth services are not in use | mask" + when: + - not ubtu22cis_bluetooth_service + - ubtu22cis_bluetooth_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: bluetooth.service + enabled: false + state: stopped + masked: true diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index e12f9118..7199f683 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml 
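Review bot: The 3.1.3 `mask` task calls `ansible.builtin.systemd` with `state: stopped` on `bluetooth.service` without checking that bluez is installed, and the systemd module fails when asked to change the state of a unit it cannot find; the neighbouring 3.1.2 tasks gate on `ansible_facts.packages`, so adding `- "'bluez' in ansible_facts.packages"` to that task's `when` keeps the file consistent and avoids a hard failure on hosts that never had bluetooth. The `pkg` task is fine as written, since `state: absent` on a missing package is a no-op. Also, 3.1.2's new tag list drops the `level2-workstation` tag the old version carried; if that was not intentional it should be restored.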
@@ -1,65 +1,131 @@ --- -- name: "3.2.1 | PATCH | Ensure packet redirect sending is disabled" - ansible.posix.sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true - with_items: - - net.ipv4.conf.all.send_redirects - - net.ipv4.conf.default.send_redirects - notify: Flush ipv4 route table - when: - - ubtu22cis_rule_3_2_1 - - not ubtu22cis_is_router +- name: "3.2.1 | PATCH | Ensure dccp kernel module is not available" + when: ubtu22cis_rule_3_2_1 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.2.1 - - packet_redirect - - sysctl + - level2-server + - level2-workstation + - patch + - rule_3.2.1 + - dccp + - NIST800-53R5_SI-4 + - NIST800-53R5_CM-7 + block: + - name: "3.2.1 | PATCH | Ensure dccp kernel module is not available | modprobe" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/dccp.conf + regexp: '^(#)?install dccp(\\s|$)' + line: "{{ item }}" + create: true + owner: root + group: root + mode: 'go-wx' + loop: + - install dccp /bin/true + - blacklist dccp + + - name: "3.2.1 | PATCH | Ensure dccp kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist cramfs(\\s|$)" + line: "blacklist cramfs" + create: true + mode: 'go-wx' -- name: "3.2.2 | PATCH | Ensure IP forwarding is disabled" +- name: "3.2.2 | PATCH | Ensure tipc kernel module is not available" + when: ubtu22cis_rule_3_2_2 + tags: + - level2-server + - level2-workstation + - patch + - rule_3.2.2 + - tipc + - NIST800-53R5_SI-4 + - NIST800-53R5_CM-7 block: - - name: "3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv4 settings" - ansible.posix.sysctl: - name: net.ipv4.ip_forward - value: '0' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true - notify: - - Flush ipv4 route table + - name: "3.2.2 | PATCH | 
Ensure tipc kernel module is not available | modprobe" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/tipc.conf + regexp: '^(#)?install tipc(\\s|$)' + line: "{{ item }}" + create: true + owner: root + group: root + mode: 'go-wx' + loop: + - install tipc /bin/true + - blacklist tipc - - name: "3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv6 settings" - ansible.posix.sysctl: - name: net.ipv6.conf.all.forwarding - value: '0' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true - when: ubtu22cis_ipv6_disable == 'sysctl' - notify: - - Flush ipv6 route table + - name: "3.2.2 | PATCH | Ensure tipc kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist tipc(\\s|$)" + line: "blacklist tipc" + create: true + mode: 'go-wx' - when: - - ubtu22cis_rule_3_2_2 - - not ubtu22cis_is_router +- name: "3.2.3 | PATCH | Ensure rds kernel module is not available" + when: ubtu22cis_rule_3_2_3 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.2.2 - - ip_forwarding - - sysctl + - level2-server + - level2-workstation + - patch + - rule_3.2.3 + - rds + - NIST800-53R5_SI-4 + - NIST800-53R5_CM-7 + block: + - name: "3.2.3 | PATCH | Ensure rds kernel module is not available | modprobe" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/rds.conf + regexp: '^(#)?install rds(\\s|$)' + line: "{{ item }}" + create: true + owner: root + group: root + mode: 'go-wx' + loop: + - install rds /bin/true + - blacklist rds + + - name: "3.2.3 | PATCH | Ensure rds kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist rds(\\s|$)" + line: "blacklist rds" + create: true + mode: 'go-wx' + +- name: "3.2.4 | PATCH | Ensure sctp kernel module is not available" + when: ubtu22cis_rule_3_2_4 + tags: + - level2-server + - 
level2-workstation + - patch + - rule_3.2.4 + - sctp + - NIST800-53R5_SI-4 + - NIST800-53R5_CM-7 + block: + - name: "3.2.4 | PATCH | Ensure sctp kernel module is not available | modprobe" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/sctp.conf + regexp: '^(#)?install sctp(\\s|$)' + line: "{{ item }}" + create: true + owner: root + group: root + mode: 'go-wx' + loop: + - install sctp /bin/true + - blacklist sctp + + - name: "3.2.4 | PATCH | Ensure sctp kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist sctp(\\s|$)" + line: "blacklist sctp" + create: true + owner: root + group: root + mode: 'go-wx' diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 67b13df4..a34dbfef 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml 
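Review bot: The `blacklist` task under 3.2.1 writes `blacklist cramfs` to /etc/modprobe.d/blacklist.conf (both `regexp` and `line`), so dccp is never blacklisted there; it should read `blacklist dccp`, matching the tipc/rds/sctp tasks. The `modprobe` tasks in all four rules also reuse a single `install <mod>` regexp for both loop items, so whenever that regexp matches, the `blacklist <mod>` iteration replaces the `install <mod> /bin/true` line instead of adding a second one; and because the pattern is single-quoted, `'(\\s|$)'` reaches the regex engine as a literal backslash followed by `s` rather than `\s`, unlike the double-quoted form used in the blacklist tasks. Looping over regexp/line pairs fixes both, as sketched below for dccp; the same shape applies to 3.2.2, 3.2.3 and 3.2.4. The tipc/rds/sctp blacklist tasks additionally omit the `owner`/`group` that the sctp one sets, which looks unintentional.
```yaml
    - name: "3.2.1 | PATCH | Ensure dccp kernel module is not available | modprobe"
      ansible.builtin.lineinfile:
        path: /etc/modprobe.d/dccp.conf
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        # … unchanged: create / owner / group / mode …
      loop:
        - { regexp: '^(#)?install dccp(\s|$)', line: 'install dccp /bin/true' }
        - { regexp: '^(#)?blacklist dccp(\s|$)', line: 'blacklist dccp' }

    - name: "3.2.1 | PATCH | Ensure dccp kernel module is not available | blacklist"
      ansible.builtin.lineinfile:
        path: /etc/modprobe.d/blacklist.conf
        regexp: '^(#)?blacklist dccp(\s|$)'
        line: "blacklist dccp"
        # … unchanged: create / mode …
```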
@@ -1,245 +1,341 @@ --- -- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" - block: - - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4 settings" - ansible.posix.sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true - with_items: - - net.ipv4.conf.all.accept_source_route - - net.ipv4.conf.default.accept_source_route - notify: Flush ipv4 route table - - - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 settings" - ansible.posix.sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true - when: ubtu22cis_ipv6_disable == 'sysctl' - with_items: - - net.ipv6.conf.all.accept_source_route - - net.ipv6.conf.default.accept_source_route - notify: Flush ipv6 route table +- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled" when: - - ubtu22cis_rule_3_3_1 - - not ubtu22cis_is_router + - ubtu22cis_rule_3_3_1 + - not ubtu22cis_is_router tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.1 - - routed_packets - - sysctl - -- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" + - level1-server + - level1-workstation + - patch + - rule_3.3.1 + - ip_forwarding + - sysctl + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 block: - - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4 settings" - ansible.posix.sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true - with_items: - - net.ipv4.conf.all.accept_redirects - - net.ipv4.conf.default.accept_redirects - notify: Flush ipv4 route table + - name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | IPv4 
settings" + ansible.posix.sysctl: + name: net.ipv4.ip_forward + value: '0' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true + notify: + - Flush ipv4 route table + + - name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | IPv6 settings" + when: ubtu22cis_ipv6_disable == 'sysctl' + ansible.posix.sysctl: + name: net.ipv6.conf.all.forwarding + value: '0' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true + notify: + - Flush ipv6 route table - - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 settings" - ansible.posix.sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true - when: ubtu22cis_ipv6_disable == 'sysctl' - with_items: - - net.ipv6.conf.all.accept_redirects - - net.ipv6.conf.default.accept_redirects - notify: Flush ipv6 route table +- name: "3.3.2 | PATCH | Ensure packet redirect sending is disabled" when: - - ubtu22cis_rule_3_3_2 + - ubtu22cis_rule_3_3_2 + - not ubtu22cis_is_router tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.2 - - icmp - - sysctl - -- name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" + - level1-server + - level1-workstation + - patch + - rule_3.3.2 + - packet_redirect + - sysctl + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.posix.sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true - with_items: - - net.ipv4.conf.all.secure_redirects - - net.ipv4.conf.default.secure_redirects + name: "{{ item }}" + value: '0' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + 
ignoreerrors: true + loop: + - net.ipv4.conf.all.send_redirects + - net.ipv4.conf.default.send_redirects notify: Flush ipv4 route table - when: - - ubtu22cis_rule_3_3_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.3 - - icmp - - sysctl -- name: "3.3.4 | PATCH | Ensure suspicious packets are logged" +- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored" + when: ubtu22cis_rule_3_3_3 + tags: + - level1-server + - level1-workstation + - patch + - rule_3.3.3 + - icmp + - sysctl + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.posix.sysctl: - name: "{{ item }}" - value: '1' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true - with_items: - - net.ipv4.conf.all.log_martians - - net.ipv4.conf.default.log_martians + name: net.ipv4.icmp_ignore_bogus_error_responses + value: '1' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true notify: Flush ipv4 route table - when: - - ubtu22cis_rule_3_3_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.4 - - suspicious_packets - - sysctl -- name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" +- name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored" + when: ubtu22cis_rule_3_3_4 + tags: + - level1-server + - level1-workstation + - patch + - rule_3.3.4 + - icmp + - sysctl + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.posix.sysctl: - name: net.ipv4.icmp_echo_ignore_broadcasts - value: '1' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true + name: net.ipv4.icmp_echo_ignore_broadcasts + value: '1' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + 
state: present + reload: true + ignoreerrors: true notify: Flush ipv4 route table - when: - - ubtu22cis_rule_3_3_5 + +- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted" + when: ubtu22cis_rule_3_3_5 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.5 - - icmp - - sysctl + - level1-server + - level1-workstation + - patch + - rule_3.3.5 + - icmp + - sysctl + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + block: + - name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv4 settings" + ansible.posix.sysctl: + name: "{{ item }}" + value: '0' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true + loop: + - net.ipv4.conf.all.accept_redirects + - net.ipv4.conf.default.accept_redirects + notify: Flush ipv4 route table -- name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" + - name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6 settings" + ansible.posix.sysctl: + name: "{{ item }}" + value: '0' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true + when: ubtu22cis_ipv6_disable == 'sysctl' + loop: + - net.ipv6.conf.all.accept_redirects + - net.ipv6.conf.default.accept_redirects + notify: Flush ipv6 route table + +- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted" + when: ubtu22cis_rule_3_3_6 + tags: + - level1-server + - level1-workstation + - patch + - rule_3.3.6 + - icmp + - sysctl + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.posix.sysctl: - name: net.ipv4.icmp_ignore_bogus_error_responses - value: '1' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true + name: "{{ item }}" + value: '0' + sysctl_set: true + sysctl_file: 
"{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true + loop: + - net.ipv4.conf.all.secure_redirects + - net.ipv4.conf.default.secure_redirects notify: Flush ipv4 route table - when: - - ubtu22cis_rule_3_3_6 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.6 - - icmp - - sysctl - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" + when: ubtu22cis_rule_3_3_7 + tags: + - level1-server + - level1-workstation + - patch + - rule_3.3.7 + - reverse_path_filtering + - sysctl + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.posix.sysctl: - name: "{{ item }}" - value: '1' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true - with_items: - - net.ipv4.conf.all.rp_filter - - net.ipv4.conf.default.rp_filter + name: "{{ item }}" + value: '1' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true + loop: + - net.ipv4.conf.all.rp_filter + - net.ipv4.conf.default.rp_filter notify: Flush ipv4 route table + +- name: "3.3.8 | PATCH | Ensure source routed packets are not accepted" when: - - ubtu22cis_rule_3_3_7 + - ubtu22cis_rule_3_3_8 + - not ubtu22cis_is_router tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.7 - - reverse_path_filtering - - sysctl + - level1-server + - level1-workstation + - patch + - rule_3.3.8 + - routed_packets + - sysctl + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + block: + - name: "3.3.8 | PATCH | Ensure source routed packets are not accepted | IPv4 settings" + ansible.posix.sysctl: + name: "{{ item }}" + value: '0' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true + loop: + - 
net.ipv4.conf.all.accept_source_route + - net.ipv4.conf.default.accept_source_route + notify: Flush ipv4 route table + + - name: "3.3.8 | PATCH | Ensure source routed packets are not accepted | IPv6 settings" + ansible.posix.sysctl: + name: "{{ item }}" + value: '0' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true + when: ubtu22cis_ipv6_disable == 'sysctl' + loop: + - net.ipv6.conf.all.accept_source_route + - net.ipv6.conf.default.accept_source_route + notify: Flush ipv6 route table -- name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" +- name: "3.3.9 | PATCH | Ensure suspicious packets are logged" + when: ubtu22cis_rule_3_3_9 + tags: + - level1-server + - level1-workstation + - patch + - rule_3.3.9 + - suspicious_packets + - sysctl + - NIST800-53R5_AU-3 ansible.posix.sysctl: - name: net.ipv4.tcp_syncookies - value: '1' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true + name: "{{ item }}" + value: '1' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true + loop: + - net.ipv4.conf.all.log_martians + - net.ipv4.conf.default.log_martians notify: Flush ipv4 route table - when: - - ubtu22cis_rule_3_3_8 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.8 - - tcp_syn_cookies - - sysctl -- name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" +- name: "3.3.10 | PATCH | Ensure tcp syn cookies is enabled" + when: ubtu22cis_rule_3_3_10 + tags: + - level1-server + - level1-workstation + - patch + - rule_3.3.10 + - tcp_syn_cookies + - sysctl + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.posix.sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - 
reload: true - ignoreerrors: true - with_items: - - net.ipv6.conf.all.accept_ra - - net.ipv6.conf.default.accept_ra - notify: Flush ipv6 route table + name: net.ipv4.tcp_syncookies + value: '1' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true + notify: Flush ipv4 route table + +- name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted" when: - - ubtu22cis_rule_3_3_9 - - ubtu22cis_ipv6_required + - ubtu22cis_rule_3_3_11 + - ubtu22cis_ipv6_required tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.9 - - ipv6 - - router_advertisements - - sysctl + - level1-server + - level1-workstation + - patch + - rule_3.3.11 + - ipv6 + - router_advertisements + - sysctl + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + ansible.posix.sysctl: + name: "{{ item }}" + value: '0' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true + loop: + - net.ipv6.conf.all.accept_ra + - net.ipv6.conf.default.accept_ra + notify: Flush ipv6 route table diff --git a/tasks/section_3/cis_3.4.x.yml b/tasks/section_3/cis_3.4.x.yml deleted file mode 100644 index a7cc06db..00000000 --- a/tasks/section_3/cis_3.4.x.yml +++ /dev/null 
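Review bot: The IPv6 halves of 3.3.1, 3.3.5 and 3.3.8 are gated on `when: ubtu22cis_ipv6_disable == 'sysctl'`, while 3.3.11 in the same hunk gates its IPv6 sysctls on `ubtu22cis_ipv6_required`, so the same file uses two opposite conditions for "apply IPv6 hardening". If, as the variable name suggests, the first condition is true only when the role is itself disabling IPv6, then hosts that keep IPv6 enabled — the only ones on which `net.ipv6.conf.all.forwarding`, `accept_redirects` and `accept_source_route` matter — never get those keys written and the control is silently unmet. I would align the three subtasks with 3.3.11, `when: ubtu22cis_ipv6_required`, or `when: ubtu22cis_ipv6_required or ubtu22cis_ipv6_disable == 'sysctl'` if the sysctl file is also expected to carry the disable keys. Separately, `ignoreerrors: true` on every sysctl task suppresses unknown-key errors, so a hardening key that does not apply (for example the IPv6 tree missing because the module is not loaded) is not surfaced; consider dropping it, or registering the result and emitting a warning, so an unapplied key shows up in the run output.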
@@ -1,120 +0,0 @@ ---- - -- name: "3.4.1 | PATCH | Ensure DCCP is disabled" - block: - - name: "3.4.1 | PATCH | Ensure DCCP is disabled | modprobe" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/dccp.conf - regexp: '^(#)?install dccp(\\s|$)' - line: "{{ item }}" - create: true - loop: - - install dccp /bin/true - - blacklist dccp - - - name: "3.4.1 | PATCH | Ensure DCCP is disabled | blacklist" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/blacklist.conf - regexp: "^(#)?blacklist cramfs(\\s|$)" - line: "blacklist cramfs" - create: true - mode: '0600' - - when: - - ubtu22cis_rule_3_4_1 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_3.4.1 - - dccp - -- name: "3.4.2 | PATCH | Ensure SCTP is disabled" - block: - - name: "3.4.2 | PATCH | Ensure SCTP is disabled modprobe" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/sctp.conf - regexp: '^(#)?install sctp(\\s|$)' - line: "{{ item }}" - create: true - loop: - - install sctp /bin/true - - blacklist sctp - - - name: "3.4.2 | PATCH | Ensure SCTP is disabled | blacklist" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/blacklist.conf - regexp: "^(#)?blacklist sctp(\\s|$)" - line: "blacklist sctp" - create: true - mode: '0600' - - when: - - ubtu22cis_rule_3_4_2 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_3.4.2 - - sctp - -- name: "3.4.3 | PATCH | Ensure RDS is disabled" - block: - - name: "3.4.3 | PATCH | Ensure RDS is disabled | modprobe" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/rds.conf - regexp: '^(#)?install rds(\\s|$)' - line: "{{ item }}" - create: true - loop: - - install rds /bin/true - - blacklist rds - - - name: "3.4.3 | PATCH | Ensure RDS is disabled | blacklist" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/blacklist.conf - regexp: "^(#)?blacklist rds(\\s|$)" - line: "blacklist rds" - create: true - mode: '0600' - when: - - ubtu22cis_rule_3_4_3 - tags: - - level2-server - - level2-workstation - 
- automated - - patch - - rule_3.4.3 - - rds - -- name: "3.4.4 | PATCH | Ensure TIPC is disabled" - block: - - name: "3.4.4 | PATCH | Ensure TIPC is disabled | modprobe" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/tipc.conf - regexp: '^(#)?install tipc(\\s|$)' - line: "{{ item }}" - create: true - loop: - - install tipc /bin/true - - blacklist tipc - - - name: "3.4.4 | PATCH | Ensure TIPC is disabled | blacklist" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/blacklist.conf - regexp: "^(#)?blacklist tipc(\\s|$)" - line: "blacklist tipc" - create: true - mode: '0600' - - when: - - ubtu22cis_rule_3_4_4 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_3.4.4 - - tipc diff --git a/tasks/section_3/cis_3.5.1.x.yml b/tasks/section_3/cis_3.5.1.x.yml deleted file mode 100644 index 835e3826..00000000 --- a/tasks/section_3/cis_3.5.1.x.yml +++ /dev/null 
@@ -1,185 +0,0 @@ ---- - -- name: "3.5.1.1 | PATCH | Ensure ufw is installed" - ansible.builtin.package: - name: ufw - state: present - when: - - ubtu22cis_rule_3_5_1_1 - - "'ufw' not in ansible_facts.packages" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.1.1 - - apt - - ufw - -- name: "3.5.1.2 | PATCH | Ensure iptables-persistent is not installed with ufw" - ansible.builtin.package: - name: iptables-persistent - state: absent - when: - - ubtu22cis_rule_3_5_1_2 - - "'iptables-persistent' in ansible_facts.packages" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.1.2 - - ufw - -# Adding the allow OpenSSH rule while enabling ufw to allow ansible to run after enabling -- name: "3.5.1.3 | PATCH | Ensure ufw service is enabled" - block: - - name: "3.5.1.3 | PATCH | Ensure ufw service is enabled | ssh port enabled" - community.general.ufw: - rule: allow - name: OpenSSH - state: enabled - - - name: "3.5.1.3 | PATCH | Ensure ufw service is enabled | service" - ansible.builtin.systemd: - name: ufw - enabled: true - state: started - masked: false - when: - - ubtu22cis_rule_3_5_1_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.1.3 - - ufw - -- name: "3.5.1.4 | PATCH | Ensure loopback traffic is configured" - block: - - name: "3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set allow in ufw rules" - community.general.ufw: - rule: allow - direction: in - interface: lo - notify: Reload ufw - - - name: "3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set allow out ufw rules" - community.general.ufw: - rule: allow - direction: out - interface: lo - notify: Reload ufw - - - name: "3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set deny ufw rules IPv4" - community.general.ufw: - rule: deny - direction: in - from_ip: 127.0.0.0/8 - notify: Reload ufw - - - name: "3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set deny ufw rules 
IPv6" - community.general.ufw: - rule: deny - direction: in - from_ip: '::1' - when: ubtu22cis_ipv6_required - notify: Reload ufw - when: - - ubtu22cis_rule_3_5_1_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.1.4 - - ufw - -- name: "3.5.1.5 | PATCH | Ensure ufw outbound connections are configured" - block: - - name: "3.5.1.5 | PATCH | Ensure ufw outbound connections are configured | Custom ports" - community.general.ufw: - rule: allow - direction: out - to_port: '{{ item }}' - with_items: - - "{{ ubtu22cis_ufw_allow_out_ports }}" - notify: Reload ufw - when: ubtu22cis_ufw_allow_out_ports != "all" - - - name: "3.5.1.5 | PATCH | Ensure ufw outbound connections are configured | Allow all" - community.general.ufw: - rule: allow - direction: out - notify: Reload ufw - when: "'all' in ubtu22cis_ufw_allow_out_ports" - when: - - ubtu22cis_rule_3_5_1_5 - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_3.5.1.5 - - ufw - -- name: "3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports" - block: - - name: "3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of open ports" - ansible.builtin.shell: ss -4tuln - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_3_5_1_6_open_listen_ports - - - name: "3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of firewall rules" - ansible.builtin.shell: ufw status - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_3_5_1_6_firewall_rules - - - name: "3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Message out settings" - ansible.builtin.debug: - msg: - - "Warning!! 
Below are the listening ports and firewall rules" - - "Please create firewall rule for any open ports if not already done" - - "*****---Open Listen Ports---*****" - - "{{ ubtu22cis_3_5_1_6_open_listen_ports.stdout_lines }}" - - "*****---Firewall Rules---*****" - - "{{ ubtu22cis_3_5_1_6_firewall_rules.stdout_lines }}" - - - name: "3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.1.6' - when: - - ubtu22cis_rule_3_5_1_6 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_3.5.1.6 - - ufw - -- name: "3.5.1.7 | PATCH | Ensure ufw default deny firewall policy" - community.general.ufw: - default: deny - direction: "{{ item }}" - notify: Reload ufw - with_items: - - incoming - - outgoing - - routed - when: - - ubtu22cis_rule_3_5_1_7 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.1.7 - - ufw diff --git a/tasks/section_3/cis_3.5.2.x.yml b/tasks/section_3/cis_3.5.2.x.yml deleted file mode 100644 index c23973d6..00000000 --- a/tasks/section_3/cis_3.5.2.x.yml +++ /dev/null 
@@ -1,240 +0,0 @@ ---- - -# --------------- -# --------------- -# NFTables is unsupported with this role. However I have the actions commented out as a guide -# --------------- -# --------------- -- name: "3.5.2.1 | AUDIT | Ensure nftables is installed" - block: - - name: "3.5.2.1 | AUDIT | Ensure nftables is installed | Message out warning" - ansible.builtin.debug: - msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - - - name: "3.5.2.1 | AUDIT | Ensure nftables is installed | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.2.1' - when: - - ubtu22cis_rule_3_5_2_1 - - ubtu22cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.2.1 - - nftables - -- name: "3.5.2.2 | AUDIT | Ensure ufw is uninstalled or disabled with nftables" - block: - - name: "3.5.2.2 | AUDIT | Ensure ufw is uninstalled or disabled with nftables | Message out warning" - ansible.builtin.debug: - msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - # ansible.builtin.package: - # name: ufw - # state: absent - - - name: "3.5.2.2 | AUDIT | Ensure ufw is uninstalled or disabled with nftables | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.2.2' - when: - - ubtu22cis_rule_3_5_2_2 - - ubtu22cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.2.2 - - nftables - -- name: "3.5.2.3 | AUDIT | Ensure iptables are flushed with nftables" - block: - - name: "3.5.2.3 | AUDIT | Ensure iptables are flushed with nftables | Message out warning" - ansible.builtin.debug: - msg: "Warning!! NFTables is not supported in this role. 
Please use UFW, iptables, or manually manage nftables" - # ansible.builtin.iptables: - # flush: yes - - - name: "3.5.2.3 | AUDIT | Ensure iptables are flushed with nftables | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.2.3' - when: - - ubtu22cis_rule_3_5_2_3 - - ubtu22cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_3.5.2.3 - - nftables - -- name: "3.5.2.4 | AUDIT | Ensure a nftables table exists" - block: - - name: "3.5.2.4 | AUDIT | Ensure a nftables table exists" - ansible.builtin.debug: - msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables | Message out warning" - # ansible.builtin.shell: "nft create table {{ ubtu22cis_nftables_table_name }}" - # changed_when: ubtu22cis_3_5_2_4_new_table.rc == 0 - # failed_when: false - # check_mode: false - # register: ubtu22cis_3_5_2_4_new_table - - - name: "3.5.2.4 | AUDIT | Ensure a nftables table exists | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.2.4' - when: - - ubtu22cis_rule_3_5_2_4 - - ubtu22cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.2.4 - - nftables - -- name: "3.5.2.5 | AUDIT | Ensure nftables base chains exist" - block: - - name: "3.5.2.5 | AUDIT | Ensure nftables base chains exist" - ansible.builtin.debug: - msg: "Warning!! NFTables is not supported in this role. 
Please use UFW, iptables, or manually manage nftables | Message out warning" - - - name: "3.5.2.5 | AUDIT | Ensure nftables base chains exist | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.2.5' - when: - - ubtu22cis_rule_3_5_2_5 - - ubtu22cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.2.5 - - nftables - -- name: "3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured" - block: - - name: "3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Message out warning" - ansible.builtin.debug: - msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - - - name: "3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.2.6' - when: - - ubtu22cis_rule_3_5_2_6 - - ubtu22cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.2.6 - - nftables - -- name: "3.5.2.7 | AUDIT | Ensure nftables outbound and established connections are configured" - block: - - name: "3.5.2.7 | AUDIT | Ensure nftables outbound and established connections are configured | Message out warning" - ansible.builtin.debug: - msg: "Warning!! NFTables is not supported in this role. 
Please use UFW, iptables, or manually manage nftables" - - - name: "3.5.2.7 | AUDIT | Ensure nftables outbound and established connections are configured | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.2.7' - when: - - ubtu22cis_rule_3_5_2_7 - - ubtu22cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_3.5.2.7 - - nftables - -- name: "3.5.2.8 | AUDIT | Ensure nftables default deny firewall policy" - block: - - name: "3.5.2.8 | AUDIT | Ensure nftables default deny firewall policy | Message out warning" - ansible.builtin.debug: - msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - - - name: "3.5.2.8 | AUDIT | Ensure nftables default deny firewall policy | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.2.8' - when: - - ubtu22cis_rule_3_5_2_8 - - ubtu22cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.2.8 - - nftables - -- name: "3.5.2.9 | AUDIT | Ensure nftables service is enabled" - block: - - name: "3.5.2.9 | AUDIT | Ensure nftables service is enabled | Message out warning" - ansible.builtin.debug: - msg: "Warning!! NFTables is not supported in this role. 
Please use UFW, iptables, or manually manage nftables" - # ansible.builtin.service: - # name: nftables - # state: started - # enabled: yes - - - name: "3.5.2.9 | AUDIT | Ensure nftables service is enabled | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.2.9' - when: - - ubtu22cis_rule_3_5_2_9 - - ubtu22cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.2.9 - - nftables - -- name: "3.5.2.10 | AUDIT | Ensure nftables rules are permanent" - block: - - name: "3.5.2.10 | AUDIT | Ensure nftables rules are permanent | Message out warning" - ansible.builtin.debug: - msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - - - name: "3.5.2.10 | AUDIT | Ensure nftables rules are permanent | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.2.10' - when: - - ubtu22cis_rule_3_5_2_10 - - ubtu22cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.2.10 - - nftables diff --git a/tasks/section_3/cis_3.5.3.x.yml b/tasks/section_3/cis_3.5.3.x.yml deleted file mode 100644 index e7af1fda..00000000 --- a/tasks/section_3/cis_3.5.3.x.yml +++ /dev/null 
@@ -1,417 +0,0 @@ ---- - -- name: "3.5.3.1.1 | PATCH | Ensure iptables packages are installed" - ansible.builtin.package: - name: ['iptables', 'iptables-persistent'] - state: present - when: - - ubtu22cis_rule_3_5_3_1_1 - - ubtu22cis_firewall_package == "iptables" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.3.1.1 - - iptables - -- name: "3.5.3.1.2 | PATCH | Ensure nftables is not installed with iptables" - ansible.builtin.package: - name: nftables - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_3_5_3_1_2 - - ubtu22cis_firewall_package == "iptables" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.3.1.2 - - iptables - -- name: "3.5.3.1.3 | PATCH | Ensure ufw is uninstalled or disabled with iptables" - ansible.builtin.package: - name: ufw - state: absent - when: - - ubtu22cis_rule_3_5_3_1_3 - - ubtu22cis_firewall_package == "iptables" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.3.1.3 - - iptables - -- name: "3.5.3.2.1 | PATCH | Ensure iptables default deny firewall policy" - block: - - name: "3.5.3.2.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed in" - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - destination_port: 22 - jump: ACCEPT - ctstate: 'NEW,ESTABLISHED' - notify: Iptables persistent - - - name: "3.5.3.2.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed out" - ansible.builtin.iptables: - chain: OUTPUT - protocol: tcp - source_port: 22 - jump: ACCEPT - ctstate: 'NEW,ESTABLISHED' - notify: Iptables persistent - - - name: "3.5.3.2.1 | PATCH | Ensure iptables default deny firewall policy | Enable apt traffic" - ansible.builtin.iptables: - chain: INPUT - ctstate: 'ESTABLISHED' - jump: ACCEPT - notify: Iptables persistent - - - name: "3.5.3.2.1 | PATCH | Ensure iptables default deny firewall policy | Set drop items" - 
ansible.builtin.iptables: - policy: DROP - chain: "{{ item }}" - notify: Iptables persistent - with_items: - - INPUT - - FORWARD - - OUTPUT - when: - - ubtu22cis_rule_3_5_3_2_1 - - ubtu22cis_ipv4_required - - not system_is_ec2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.3.2.1 - - iptables - -- name: "3.5.3.2.2 | PATCH | Ensure iptables loopback traffic is configured" - block: - - name: "3.5.3.2.2 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT" - ansible.builtin.iptables: - action: append - chain: INPUT - in_interface: lo - jump: ACCEPT - notify: Iptables persistent - - - name: "3.5.3.2.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" - ansible.builtin.iptables: - action: append - chain: OUTPUT - out_interface: lo - jump: ACCEPT - notify: Iptables persistent - - - name: "3.5.3.2.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" - ansible.builtin.iptables: - action: append - chain: INPUT - source: 127.0.0.0/8 - jump: DROP - notify: Iptables persistent - when: - - ubtu22cis_rule_3_5_3_2_2 - - ubtu22cis_firewall_package == "iptables" - - ubtu22cis_ipv4_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.3.2.2 - - iptables - -- name: "3.5.3.2.3 | PATCH | Ensure iptables outbound and established connections are configured" - ansible.builtin.iptables: - action: append - chain: '{{ item.chain }}' - protocol: '{{ item.protocol }}' - match: state - ctstate: '{{ item.ctstate }}' - jump: ACCEPT - notify: Iptables persistent - with_items: - - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - - { chain: INPUT, protocol: icmp, 
ctstate: 'ESTABLISHED' } - when: - - ubtu22cis_rule_3_5_3_2_3 - - ubtu22cis_firewall_package == "iptables" - - ubtu22cis_ipv4_required - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_3.5.3.2.3 - - iptables - -- name: "3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports" - block: - - name: "3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports" - ansible.builtin.shell: ss -4tuln - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_3_5_3_2_4_open_ports - - - name: "3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules" - ansible.builtin.shell: iptables -L INPUT -v -n - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_3_5_3_2_4_current_rules - - - name: "3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings" - ansible.builtin.debug: - msg: - - "Warning!! Below is the list the open ports and current rules" - - "Please create a rule for any open port that does not have a current rule" - - "Open Ports:" - - "{{ ubtu22cis_3_5_3_2_4_open_ports.stdout_lines }}" - - "Current Rules:" - - "{{ ubtu22cis_3_5_3_2_4_current_rules.stdout_lines }}" - - - name: "3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.3.2.4' - when: - - ubtu22cis_rule_3_5_3_2_4 - - ubtu22cis_firewall_package == "iptables" - - ubtu22cis_ipv4_required - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.3.2.4 - - iptables - -# --------------- -# --------------- -# This is not a control however using the iptables module only writes to memery -# if a reboot occurs that means changes can revert. 
This task will make the -# above iptables settings permanent -# --------------- -# --------------- -# - name: "Make IPTables persistent | Not a control" -# block: -# - name: "Make IPTables persistent | Install iptables-persistent" -# ansible.builtin.package: -# name: iptables-persistent -# state: present - -# - name: "Make IPTables persistent | Save to persistent files" -# ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4" -# changed_when: ubtu22cis_iptables_save.rc == 0 -# failed_when: ubtu22cis_iptables_save.rc > 0 -# register: ubtu22cis_iptables_save -# when: -# - ubtu22cis_firewall_package == "iptables" -# - ubtu22cis_save_iptables_cis_rules -# - ubtu22cis_rule_3_5_3_2_1 or -# ubtu22cis_rule_3_5_3_2_2 or -# ubtu22cis_rule_3_5_3_2_3 or -# ubtu22cis_rule_3_5_3_2_4 - -- name: "3.5.3.3.1 | PATCH | Ensure ip6tables default deny firewall policy" - block: - - name: "3.5.3.3.1 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out" - ansible.builtin.iptables: - chain: OUTPUT - protocol: tcp - source_port: 22 - jump: ACCEPT - ctstate: 'NEW,ESTABLISHED' - ip_version: ipv6 - notify: Ip6tables persistent - - - name: "3.5.3.3.1 | PATCH | Ensure ip6tables default deny firewall policy | Enable apt traffic" - ansible.builtin.iptables: - chain: INPUT - ctstate: 'ESTABLISHED' - jump: ACCEPT - ip_version: ipv6 - notify: Ip6tables persistent - - - name: "3.5.3.3.1 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" - ansible.builtin.iptables: - policy: DROP - chain: "{{ item }}" - ip_version: ipv6 - notify: Ip6tables persistent - with_items: - - INPUT - - FORWARD - - OUTPUT - when: - - ubtu22cis_rule_3_5_3_3_1 - - ubtu22cis_ipv6_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.3.3.1 - - ip6tables - -- name: "3.5.3.3.2 | PATCH | Ensure ip6tables loopback traffic is configured" - block: - - name: "3.5.3.3.2 | PATCH | Ensure ip6tables loopback traffic is 
configured | INPUT loopback ACCEPT" - ansible.builtin.iptables: - action: append - chain: INPUT - in_interface: lo - jump: ACCEPT - ip_version: ipv6 - notify: Ip6tables persistent - - - name: "3.5.3.3.2 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT loopback ACCEPT" - ansible.builtin.iptables: - action: append - chain: OUTPUT - out_interface: lo - jump: ACCEPT - ip_version: ipv6 - notify: Ip6tables persistent - - - name: "3.5.3.3.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback drop" - ansible.builtin.iptables: - action: append - chain: INPUT - source: ::1 - jump: DROP - ip_version: ipv6 - notify: Ip6tables persistent - when: - - ubtu22cis_rule_3_5_3_3_2 - - ubtu22cis_firewall_package == "iptables" - - ubtu22cis_ipv6_required - - not ubtu22cis_ipv4_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.3.3.2 - - ip6tables - -- name: "3.5.3.3.3 | PATCH | Ensure ip6tables outbound and established connections are configured" - ansible.builtin.iptables: - action: append - chain: '{{ item.chain }}' - protocol: '{{ item.protocol }}' - match: state - ctstate: '{{ item.ctstate }}' - jump: ACCEPT - ip_version: ipv6 - notify: Ip6tables persistent - with_items: - - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } - when: - - ubtu22cis_rule_3_5_3_3_3 - - ubtu22cis_firewall_package == "iptables" - - ubtu22cis_ipv6_required - - not ubtu22cis_ipv4_required - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_3.5.3.3.3 - - ip6tables - -- name: "3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports" - block: - - name: "3.5.3.3.4 
| AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports" - ansible.builtin.shell: ss -6tuln - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_3_5_3_3_4_open_ports - - - name: "3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules" - ansible.builtin.shell: ip6tables -L INPUT -v -n - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_3_5_3_3_4_current_rules - - - name: "3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings" - ansible.builtin.debug: - msg: - - "Warning!! Below is the list the open ports and current rules" - - "Please create a rule for any open port that does not have a current rule" - - "Open Ports:" - - "{{ ubtu22cis_3_5_3_3_4_open_ports.stdout_lines }}" - - "Current Rules:" - - "{{ ubtu22cis_3_5_3_3_4_current_rules.stdout_lines }}" - - - name: "3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.3.3.4' - when: - - ubtu22cis_rule_3_5_3_3_4 - - ubtu22cis_firewall_package == "iptables" - - ubtu22cis_ipv6_required - - not ubtu22cis_ipv4_required - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.3.3.4 - - ip6tables - -# --------------- -# --------------- -# This is not a control however using the ip6tables module only writes to memery -# if a reboot occurs that means changes can revert. 
This task will make the -# above ip6tables settings permanent -# --------------- -# --------------- -# via handler -# - name: "Make IP6Tables persistent | Not a control" -# block: -# - name: "Make IP6Tables persistent | Install iptables-persistent" -# ansible.builtin.package: -# name: iptables-persistent -# state: present -# when: "'iptables-persistent' not in ansible_facts.packages" - -# - name: "Make IP6Tables persistent | Save to persistent files" -# ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6" -# changed_when: ubtu22cis_ip6tables_save.rc == 0 -# failed_when: ubtu22cis_ip6tables_save.rc > 0 -# register: ubtu22cis_ip6tables_save -# when: -# - ubtu22cis_firewall_package == "iptables" -# - ubtu22cis_ipv6_required -# - not ubtu22cis_ipv4_required -# - ubtu22cis_save_iptables_cis_rules -# - ubtu22cis_rule_3_5_3_3_1 or -# ubtu22cis_rule_3_5_3_3_2 or -# ubtu22cis_rule_3_5_3_3_3 or -# ubtu22cis_rule_3_5_3_3_4 diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index a3b9162a..5bc0bec0 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml 
@@ -1,32 +1,13 @@ --- -- name: "SECTION | 3.1 | Disable unused network protocols and devices" +- name: "SECTION | 3.1 | Configure Network Devices" ansible.builtin.import_tasks: - file: cis_3.1.x.yml + file: cis_3.1.x.yml -- name: "SECTION | 3.2 | Network Parameters Host Only" +- name: "SECTION | 3.2 | Configure Network Kernel Modules" ansible.builtin.import_tasks: - file: cis_3.2.x.yml + file: cis_3.2.x.yml -- name: "SECTION | 3.3 | Network Parameters Host and Router" +- name: "SECTION | 3.3 | Configure Network Kernel Parameters" ansible.builtin.import_tasks: - file: cis_3.3.x.yml - -- name: "SECTION | 3.4 | Uncommon Network Protocols" - ansible.builtin.import_tasks: - file: cis_3.4.x.yml - -- name: "SECTION | 3.5.1 | UFW Firewall Configuration" - ansible.builtin.import_tasks: - file: cis_3.5.1.x.yml - when: ubtu22cis_firewall_package == "ufw" - -- name: "SECTION | 3.5.2 | nftables Firewall Configuration" - ansible.builtin.import_tasks: - file: cis_3.5.2.x.yml - when: ubtu22cis_firewall_package == "nftables" - -- name: "SECTION | 3.5.3 | iptables Firewall Configuration" - ansible.builtin.import_tasks: - file: cis_3.5.3.x.yml - when: ubtu22cis_firewall_package == "iptables" + file: cis_3.3.x.yml diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml deleted file mode 100644 index a3e5ad5b..00000000 --- a/tasks/section_4/cis_4.1.1.x.yml +++ /dev/null 
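Review bot: The new side of this hunk removes the three firewall section imports together with their `when: ubtu22cis_firewall_package == ...` guards, but nothing in the hunk replaces that selection logic, and the only firewall task file added elsewhere in this diff (tasks/section_4/cis_4.1.x.yml) handles ufw alone. If `ubtu22cis_firewall_package` is still a documented variable in defaults, a host configured for iptables or nftables would now receive no firewall tasks and no warning, which is a silent loss of the default-deny control rather than an explicit unsupported-configuration failure. Suggest either dropping the variable from defaults and docs in the same change, or adding a guard ahead of the section imports such as `- ansible.builtin.assert: { that: ubtu22cis_firewall_package == "ufw", fail_msg: "Only ufw is supported by this role" }` so the change in scope is visible at run time. The re-indentation of the `file:` keys under `import_tasks` is whitespace-only and reads fine.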
@@ -1,103 +0,0 @@ ---- - -- name: "4.1.1.1 | PATCH | Ensure auditd is installed" - ansible.builtin.package: - name: ['auditd', 'audispd-plugins'] - state: present - when: - - ubtu22cis_rule_4_1_1_1 - - "'auditd' not in ansible_facts.packages or - 'auditd-plugins' not in ansible_facts.packages" - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.1.1 - - auditd - -- name: "4.1.1.2 | PATCH | Ensure auditd service is enabled" - ansible.builtin.service: - name: auditd - state: started - enabled: true - when: - - ubtu22cis_rule_4_1_1_2 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.1.2 - - auditd - -- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" - block: - - name: "4.1.1.3 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" - ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_4_1_1_3_cmdline_settings - - - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add setting if doesn't exist" - ansible.builtin.lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ ubtu22cis_4_1_1_3_cmdline_settings.stdout }} audit=1"' - when: "'audit=' not in ubtu22cis_4_1_1_3_cmdline_settings.stdout" - notify: Grub update - - - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Update setting if exists" - ansible.builtin.replace: - dest: /etc/default/grub - regexp: 'audit=([0-9]+)' - replace: 'audit=1' - after: '^GRUB_CMDLINE_LINUX="' - before: '"' - notify: Grub update - when: "'audit=' in ubtu22cis_4_1_1_3_cmdline_settings.stdout" - when: - - ubtu22cis_rule_4_1_1_3 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.1.3 - - auditd - -- 
name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient" - block: - - name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Get current GRUB_CMDLINE_LINUX" - ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_4_1_1_4_cmdline_settings - - - name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add setting if doesn't exist" - ansible.builtin.lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ ubtu22cis_4_1_1_4_cmdline_settings.stdout }} audit_backlog_limit={{ ubtu22cis_audit_back_log_limit }}"' - notify: Grub update - when: "'audit_backlog_limit=' not in ubtu22cis_4_1_1_4_cmdline_settings.stdout" - - - name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Update setting if exists" - ansible.builtin.replace: - dest: /etc/default/grub - regexp: 'audit_backlog_limit=([0-9]+)' - replace: 'audit_backlog_limit={{ ubtu22cis_audit_back_log_limit }}' - after: '^GRUB_CMDLINE_LINUX="' - before: '"' - notify: Grub update - when: - - ubtu22cis_rule_4_1_1_4 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.1.4 - - auditd diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml deleted file mode 100644 index f1886c7b..00000000 --- a/tasks/section_4/cis_4.1.2.x.yml +++ /dev/null 
@@ -1,57 +0,0 @@ ---- - -- name: "4.1.2.1 | PATCH | Ensure audit log storage size is configured" - ansible.builtin.lineinfile: - dest: /etc/audit/auditd.conf - regexp: "^max_log_file( |=)" - line: "max_log_file = {{ ubtu22cis_max_log_file_size }}" - state: present - register: rule_4_1_2_1 - notify: Restart auditd - when: - - ubtu22cis_rule_4_1_2_1 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.2.1 - - auditd - -- name: "4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted" - ansible.builtin.lineinfile: - path: /etc/audit/auditd.conf - regexp: '^max_log_file_action' - line: "max_log_file_action = {{ ubtu22cis_auditd['max_log_file_action'] }}" - register: rule_4_1_2_2 - notify: Restart auditd - when: - - ubtu22cis_rule_4_1_2_2 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.2.2 - - auditd - -- name: "4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full" - ansible.builtin.lineinfile: - path: /etc/audit/auditd.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - register: rule_4_1_2_3 - notify: Restart auditd - with_items: - - { regexp: '^space_left_action', line: "space_left_action = {{ ubtu22cis_auditd['space_left_action'] }}" } - - { regexp: '^action_mail_acct', line: "action_mail_acct = {{ ubtu22cis_auditd['action_mail_acct'] }}" } - - { regexp: '^admin_space_left_action', line: "admin_space_left_action = {{ ubtu22cis_auditd['admin_space_left_action'] }}" } - when: - - ubtu22cis_rule_4_1_2_3 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.2.3 - - auditd diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml deleted file mode 100644 index 6c1018d2..00000000 --- a/tasks/section_4/cis_4.1.3.x.yml +++ /dev/null 
@@ -1,287 +0,0 @@ ---- - -- name: "4.1.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_1 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.1 - - auditd - -- name: "4.1.3.2 | PATCH | Ensure actions as another user are always logged" - ansible.builtin.set_fact: - update_audit_template: true - notify: restart auditd - when: - - ubtu22cis_rule_4_1_3_2 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.2 - - auditd - -- name: "4.1.3.3 | PATCH | Ensure events that modify the sudo log file are collected" - ansible.builtin.set_fact: - update_audit_template: true - notify: restart auditd - when: - - ubtu22cis_rule_4_1_3_3 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.3 - - auditd - -- name: "4.1.3.4 | PATCH | Ensure events that modify date and time information are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_4 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.4 - - auditd - -- name: "4.1.3.5 | PATCH | Ensure events that modify the system's network environment are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_5 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.5 - - auditd - -- name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" - block: - - name: "4.1.3.6 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs" - ansible.builtin.shell: for i in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done - register: priv_procs - changed_when: false 
- check_mode: false - - - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected | Set privileged rules" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_6 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.6 - - auditd - -- name: "4.1.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_7 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.7 - - auditd - -- name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_8 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.8 - - auditd - -- name: "4.1.3.9 | PATCH | Ensure discretionary access control permission modification events are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_9 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.9 - - auditd - -- name: "4.1.3.10 | PATCH | Ensure successful file system mounts are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - ubtu22cis_rule_4_1_3_10 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.10 - - auditd - -- name: "4.1.3.11 | PATCH | Ensure session initiation information is collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_11 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.11 - - auditd - -- name: "4.1.3.12 | PATCH | Ensure login and logout events are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_12 - tags: - - level2-server - - level2-workstation - - automated - - 
patch - - rule_4.1.3.12 - - auditd - -- name: "4.1.3.13 | PATCH | Ensure file deletion events by users are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_13 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.13 - - auditd - -- name: "4.1.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_14 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.14 - - auditd - -- name: "4.1.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_15 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.15 - - auditd - -- name: "4.1.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_16 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.16 - - auditd - -- name: "4.1.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_17 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.17 - - auditd - -- name: "4.1.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_18 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.18 - - auditd - -- name: "4.1.3.19 | PATCH | Ensure kernel module loading and unloading is collected" - ansible.builtin.set_fact: - 
update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_19 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.19 - - auditd - -- name: "4.1.3.20 | PATCH | Ensure the audit configuration is immutable" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_20 - tags: - - level2-server - - level2-workstation - - automated - - scored - - patch - - rule_4.1.3.20 - - auditd - -- name: "4.1.3.21 | PATCH | Ensure the running and on disk configuration is the same" - ansible.builtin.shell: augenrules --check - changed_when: false - register: ubtu22cis_rule_4_1_3_21_augen_check - when: - - ubtu22cis_rule_4_1_3_21 - tags: - - level2-server - - level2-workstation - - automated - - scored - - patch - - rule_4.1.3.21 - - auditd diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml deleted file mode 100644 index 98c9e192..00000000 --- a/tasks/section_4/cis_4.1.4.x.yml +++ /dev/null 
@@ -1,207 +0,0 @@ ---- - -- name: | - "4.1.4.1 | PATCH | Ensure audit log files are mode 0640 or less permissive" - "4.1.4.2 | PATCH | Ensure only authorized users own audit log files" - "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files" - - block: - - name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | discover file" - ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }' - changed_when: false - register: audit_discovered_logfile - - - name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | stat file" - ansible.builtin.stat: - path: "{{ audit_discovered_logfile.stdout }}" - changed_when: false - register: auditd_logfile - - - name: | - "4.1.4.1 | PATCH | Ensure audit log files are mode 0640 or less permissive" - "4.1.4.2 | PATCH | Ensure only authorized users own audit log files" - "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files" - ansible.builtin.file: - path: "{{ audit_discovered_logfile.stdout }}" - mode: 'u-x,g-wx,o-rwx' - owner: root - group: root - when: - - ubtu22cis_rule_4_1_4_1 or - ubtu22cis_rule_4_1_4_2 or - ubtu22cis_rule_4_1_4_3 - tags: - - level1-server - - level1-workstation - - patch - - auditd - - rule_4.1.4.1 - - rule_4.1.4.2 - - rule_4.1.4.3 - -- name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive" - block: - - name: "4.1.4.4 | AUDIT | Ensure the audit log directory is 0750 or more restrictive | get current permissions" - ansible.builtin.stat: - path: "{{ audit_discovered_logfile.stdout | dirname }}" - register: auditlog_dir - - - name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive | set" - ansible.builtin.file: - path: "{{ audit_discovered_logfile.stdout | dirname }}" - state: directory - mode: '0750' - when: not auditlog_dir.stat.mode is match('07(0|5)0') - when: - - ubtu22cis_rule_4_1_4_4 - tags: - - 
level1-server - - level1-workstation - - patch - - auditd - - rule_4.1.4.4 - -- name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive" - ansible.builtin.file: - path: "{{ item.path }}" - mode: '0640' - loop: "{{ auditd_conf_files.files }}" - loop_control: - label: "{{ item.path }}" - when: - - ubtu22cis_rule_4_1_4_5 - - item.mode > '0640' - tags: - - level1-server - - level1-workstation - - patch - - auditd - - rule_4.1.4.5 - -- name: "4.1.4.6 | PATCH | Ensure audit configuration files are owned by root" - ansible.builtin.file: - path: "{{ item.path }}" - owner: root - loop: "{{ auditd_conf_files.files }}" - loop_control: - label: "{{ item.path }}" - when: - - ubtu22cis_rule_4_1_4_6 - tags: - - level1-server - - level1-workstation - - patch - - auditd - - rule_4.1.4.6 - -- name: "4.1.4.7 | PATCH | Ensure audit configuration files belong to group root" - ansible.builtin.file: - path: "{{ item.path }}" - group: root - loop: "{{ auditd_conf_files.files }}" - loop_control: - label: "{{ item.path }}" - when: - - ubtu22cis_rule_4_1_4_7 - tags: - - level1-server - - level1-workstation - - patch - - auditd - - rule_4.1.4.7 - -- name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive" - block: - - name: "4.1.4.8 | AUDIT | Get audit binary file stat | get current mode" - ansible.builtin.stat: - path: "{{ item }}" - register: "audit_bins" - loop: - - /sbin/auditctl - - /sbin/aureport - - /sbin/ausearch - - /sbin/autrace - - /sbin/auditd - - /sbin/augenrules - - - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required" - ansible.builtin.file: - path: "{{ item.item }}" - mode: '0750' - - loop: "{{ audit_bins.results }}" - loop_control: - label: "{{ item.item }}" - when: not item.stat.mode is match('07(0|5)0') - when: - - ubtu22cis_rule_4_1_4_8 - tags: - - level1-server - - level1-workstation - - patch - - auditd - - rule_4.1.4.8 - -- name: "4.1.4.9 | PATCH | Ensure audit tools are owned by root" 
- ansible.builtin.file: - path: "{{ item }}" - owner: root - group: root - loop: - - /sbin/auditctl - - /sbin/aureport - - /sbin/ausearch - - /sbin/autrace - - /sbin/auditd - - /sbin/augenrules - when: - - ubtu22cis_rule_4_1_4_9 - tags: - - level1-server - - level1-workstation - - patch - - auditd - - rule_4.1.4.9 - -- name: "4.1.4.10 | PATCH | Ensure audit tools belong to group root" - ansible.builtin.file: - path: "{{ item }}" - group: root - loop: - - /sbin/auditctl - - /sbin/aureport - - /sbin/ausearch - - /sbin/autrace - - /sbin/auditd - - /sbin/augenrules - when: - - ubtu22cis_rule_4_1_4_10 - tags: - - level1-server - - level1-workstation - - patch - - auditd - - rule_4.1.4.10 - -- name: "4.1.4.11 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" - ansible.builtin.lineinfile: - path: /etc/aide/aide.conf - regexp: "{{ item }}" - line: "{{ item }}" - loop: - - '# Audit tools' - - /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 - - /sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 - - /sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 - - /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 - - /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 - - /sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 - when: - - ubtu22cis_rule_4_1_4_11 and - ubtu22cis_config_aide - tags: - - level1-server - - level1-workstation - - patch - - auditd - - rule_4.1.4.11 diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml new file mode 100644 index 00000000..36da60fe --- /dev/null +++ b/tasks/section_4/cis_4.1.x.yml 
@@ -0,0 +1,181 @@ +--- + +- name: "4.1.1 | PATCH | Ensure ufw is installed" + when: + - ubtu22cis_rule_4_1_1 + - "'ufw' not in ansible_facts.packages" + tags: + - level1-server + - level1-workstation + - patch + - rule_4.1.1 + - apt + - ufw + - NIST800-53R5_SC-7 + ansible.builtin.package: + name: ufw + state: present + +- name: "4.1.2 | PATCH | Ensure iptables-persistent is not installed with ufw" + when: + - ubtu22cis_rule_4_1_2 + - "'iptables-persistent' in ansible_facts.packages" + tags: + - level1-server + - level1-workstation + - patch + - rule_4.1.2 + - ufw + - NIST800-53R5_SC-7 + ansible.builtin.package: + name: iptables-persistent + state: absent + +# Adding the allow OpenSSH rule while enabling ufw to allow ansible to run after enabling +- name: "4.1.3 | PATCH | Ensure ufw service is enabled" + when: + - ubtu22cis_rule_4_1_3 + tags: + - level1-server + - level1-workstation + - patch + - rule_4.1.3 + - ufw + - NIST800-53R5_SC-7 + block: + - name: "4.1.3 | PATCH | Ensure ufw service is enabled | ssh port enabled" + community.general.ufw: + rule: allow + name: OpenSSH + state: enabled + + - name: "4.1.3 | PATCH | Ensure ufw service is enabled | service" + ansible.builtin.systemd: + name: ufw + enabled: true + state: started + +- name: "4.1.4 | PATCH | Ensure ufw loopback traffic is configured" + when: + - ubtu22cis_rule_4_1_4 + tags: + - level1-server + - level1-workstation + - patch + - rule_4.1.4 + - ufw + - NIST800-53R5_SC-7 + block: + - name: "4.1.4 | PATCH | Ensure ufw loopback traffic is configured | Set allow in ufw rules" + community.general.ufw: + rule: allow + direction: in + interface: lo + notify: Reload ufw + + - name: "4.1.4 | PATCH | Ensure ufw loopback traffic is configured | Set allow out ufw rules" + community.general.ufw: + rule: allow + direction: out + interface: lo + notify: Reload ufw + + - name: "4.1.4 | PATCH | Ensure ufw loopback traffic is configured | Set deny ufw rules IPv4" + community.general.ufw: + rule: deny + direction: in + 
from_ip: 127.0.0.0/8 + notify: Reload ufw + + - name: "4.1.4 | PATCH | Ensure ufw loopback traffic is configured | Set deny ufw rules IPv6" + when: ubtu22cis_ipv6_required + community.general.ufw: + rule: deny + direction: in + from_ip: '::1' + notify: Reload ufw + +- name: "4.1.5 | PATCH | Ensure ufw outbound connections are configured" + when: ubtu22cis_rule_4_1_5 + tags: + - level1-server + - level1-workstation + - patch + - rule_4.1.5 + - ufw + - NIST800-53R5_SC-7 + block: + - name: "4.1.5 | PATCH | Ensure ufw outbound connections are configured | Custom ports" + when: ubtu22cis_ufw_allow_out_ports != "all" + community.general.ufw: + rule: allow + direction: out + to_port: '{{ item }}' + with_items: + - "{{ ubtu22cis_ufw_allow_out_ports }}" + notify: Reload ufw + + - name: "4.1.5 | PATCH | Ensure ufw outbound connections are configured | Allow all" + when: "'all' in ubtu22cis_ufw_allow_out_ports" + community.general.ufw: + rule: allow + direction: out + notify: Reload ufw + +- name: "4.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports" + when: ubtu22cis_rule_4_1_6 + tags: + - level1-server + - level1-workstation + - audit + - rule_4.1.6 + - ufw + - NIST800-53R5_SC-7 + vars: + warn_control_id: '4.1.6' + block: + - name: "4.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of open ports" + ansible.builtin.command: ss -4tuln + changed_when: false + failed_when: false + check_mode: false + register: discovered_list_open_listen_ports + + - name: "4.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of firewall rules" + ansible.builtin.command: ufw status + changed_when: false + failed_when: false + check_mode: false + register: discovered_firewall_rules + + - name: "4.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Message out settings" + ansible.builtin.debug: + msg: + - "Warning!! 
Below are the listening ports and firewall rules" + - "Please create firewall rule for any open ports if not already done" + - "*****---Open Listen Ports---*****" + - "{{ discovered_list_open_listen_ports.stdout_lines }}" + - "*****---Firewall Rules---*****" + - "{{ discovered_firewall_rules.stdout_lines }}" + + - name: "4.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Set warning count" + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "4.1.7 | PATCH | Ensure ufw default deny firewall policy" + when: ubtu22cis_rule_4_1_7 + tags: + - level1-server + - level1-workstation + - patch + - rule_4.1.7 + - ufw + - NIST800-53R5_SC-7 + community.general.ufw: + default: deny + direction: "{{ item }}" + loop: + - incoming + - outgoing + - routed + notify: Reload ufw diff --git a/tasks/section_4/cis_4.2.1.1.x.yml b/tasks/section_4/cis_4.2.1.1.x.yml deleted file mode 100644 index 4159572c..00000000 --- a/tasks/section_4/cis_4.2.1.1.x.yml +++ /dev/null 
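Review bot: None of the 4.1.x ufw tasks in this hunk check `ubtu22cis_firewall_package`, whereas every task in the new cis_4.2.x.yml and cis_4.3.x.yml files is gated on `ubtu22cis_firewall_package == "nftables"` / `== "iptables"`; unless the include in the section's main task file does that gating (not visible in this diff), a host configured for iptables would have ufw installed, enabled and given default-deny policies here and then removed again by 4.3.1.3. Adding `- ubtu22cis_firewall_package == "ufw"` to each task's `when` list would make the three files consistent. Separately, the 4.1.6 audit collects listeners with `ss -4tuln`, so IPv6 listening sockets never appear in the warning even though 4.1.4 applies an IPv6 rule when `ubtu22cis_ipv6_required` is set; `ss -tuln` would cover both families. The 4.1.3 allow rule hard-codes the `OpenSSH` application profile, which the existing comment should spell out so that anyone who moves sshd to another port knows the play can lock itself out.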
@@ -1,70 +0,0 @@ ---- - -- name: "4.2.1.1.1 | PATCH | Ensure systemd-journal-remote is installed" - ansible.builtin.package: - name: systemd-journal-remote - state: present - when: - - ubtu22cis_rule_4_2_1_1_1 - - not ubtu22cis_system_is_log_server - tags: - - level1-server - - level1-workstation - - manual - - patch - - journald - - rule_4.2.1.1.1 - -- name: "4.2.1.1.2 | PATCH | Ensure systemd-journal-remote is configured" - ansible.builtin.lineinfile: - path: /etc/systemd/journal-upload.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - notify: Restart journald - loop: - - { regexp: 'URL=', line: 'URL={{ ubtu22cis_remote_log_server }}'} - - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ ubtu22cis_journal_upload_serverkeyfile }}'} - - { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ ubtu22cis_journal_servercertificatefile }}'} - - { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ ubtu22cis_journal_trustedcertificatefile }}'} - when: - - ubtu22cis_rule_4_2_1_1_2 - - not ubtu22cis_system_is_log_server - tags: - - level1-server - - level1-workstation - - manual - - patch - - journald - - rule_4.2.1.1.2 - -- name: "4.2.1.1.3 | PATCH | Ensure systemd-journal-remote is enabled" - ansible.builtin.systemd: - name: systemd-journal-upload - state: started - enabled: true - when: - - not ubtu22cis_system_is_log_server - - ubtu22cis_rule_4_2_1_1_3 - tags: - - level1-server - - level1-workstation - - manual - - patch - - journald - - rule_4.2.1.1.3 - -- name: "4.2.1.1.4 | PATCH | Ensure journald is not configured to recieve logs from a remote client" - ansible.builtin.systemd: - name: systemd-journal-remote.socket - state: stopped - enabled: false - masked: true - when: - - not ubtu22cis_system_is_log_server - - ubtu22cis_rule_4_2_1_1_4 - tags: - - level1-server - - level1-workstation - - patch - - journald - - rule_4.2.1.1.4 
diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml deleted file mode 100644 index bdf81c98..00000000 --- a/tasks/section_4/cis_4.2.1.x.yml +++ /dev/null 
@@ -1,125 +0,0 @@ ---- - -- name: "4.2.1.2 | PATCH | Ensure journald service is enabled" - block: - - name: "4.2.1.2 | AUDIT | Ensure journald service is enabled | Capture status" - ansible.builtin.shell: systemctl is-enabled systemd-journald.service - changed_when: false - failed_when: false - register: ubtu22cis_4_2_1_2_status - - - name: "4.2.1.2 | AUDIT | Ensure journald service is enabled | Alert on bad status" - ansible.builtin.debug: - msg: - - "Warning!! The status of systemd-journald should be static and it is not. Please investigate" - when: "'static' not in ubtu22cis_4_2_1_2_status.stdout" - - - name: "4.2.1.2 | AUDIT | Ensure journald service is enabled | Warn Count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: "'static' not in ubtu22cis_4_2_1_2_status.stdout" - vars: - warn_control_id: '4.2.1.2' - when: - - ubtu22cis_rule_4_2_1_2 - tags: - - level1-server - - level1-workstation - - audit - - journald - - rule_4.2.1.2 - -- name: "4.2.1.3 | PATCH | Ensure journald is configured to compress large log files" - ansible.builtin.lineinfile: - path: /etc/systemd/journald.conf - regexp: '^(#|)Compress=' - line: Compress=yes - notify: Restart journald - when: - - ubtu22cis_rule_4_2_1_3 - tags: - - level1-server - - level1-workstation - - patch - - journald - - rule_4.2.1.3 - -- name: "4.2.1.4 | PATCH | Ensure journald is configured to write logfiles to persistent disk" - ansible.builtin.lineinfile: - path: /etc/systemd/journald.conf - regexp: '^(#|)Storage=' - line: Storage=persistent - notify: Restart journald - when: - - ubtu22cis_rule_4_2_1_4 - tags: - - level1-server - - level1-workstation - - patch - - journald - - rule_4.2.1.4 - -- name: "4.2.1.5 | PATCH | Ensure journald is not configured to send logs to rsyslog" - ansible.builtin.lineinfile: - path: /etc/systemd/journald.conf - regexp: '^ForwardToSyslog=' - line: '#ForwardToSyslog=yes' - notify: Restart journald - when: - - ubtu22cis_rule_4_2_1_5 - tags: - - level1-server - - 
level2-workstation - - manual - - patch - - journald - - rule_4.2.1.5 - -- name: "4.2.1.6 | PATCH | Ensure journald log rotation is configured per site policy" - ansible.builtin.lineinfile: - path: /etc/systemd/journald.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - notify: Restart journald - loop: - - { regexp: '^(#|\s+)SystemMaxUse=', line: "{{ ubtu22cis_journald_systemmaxuse }}" } - - { regexp: '^(#|\s+)SystemKeepFree=', line: "{{ ubtu22cis_journald_systemkeepfree }}" } - - { regexp: '^(#|\s+)RuntimeMaxUse=', line: "{{ ubtu22cis_journald_runtimemaxuse }}" } - - { regexp: '^(#|\s+)RuntimeKeepFree=', line: "{{ ubtu22cis_journald_runtimekeepfree }}" } - - { regexp: '^(#|\s+)MaxFileSec=', line: "{{ ubtu22cis_journald_maxfilesec }}" } - when: - - ubtu22cis_rule_4_2_1_6 - tags: - - level1-server - - level1-workstation - - manual - - patch - - journald - - rule_4.2.1.6 - -- name: "4.2.1.7 | AUDIT | Ensure journald default file permissions configured" - block: - - name: "4.2.1.7 | AUDIT | Ensure journald default file permissions configured | Check for override file" - ansible.builtin.stat: - path: /etc/tmpfiles.d/systemd.conf - register: ubtu22cis_4_2_1_7_override - - - name: "4.2.1.7 | AUDIT | Ensure journald default file permissions configured | Set live file" - ansible.builtin.set_fact: - systemd_conf_file: /etc/tmpfiles.d/systemd.conf - when: ubtu22cis_4_2_1_7_override.stat.exists - - - name: "4.2.1.7 | PATCH | Ensure journald default file permissions configured | Set permission" - ansible.builtin.lineinfile: - path: "{{ systemd_conf_file | default('/usr/lib/tmpfiles.d/systemd.conf') }}" - regexp: '^z \/var\/log\/journal\/%m\/system.journal (!?06(0|4)0) root' - line: 'z /var/log/journal/%m/system.journal 0640 root systemd-journal - -' - when: - - ubtu22cis_rule_4_2_1_7 - tags: - - level1-server - - level1-workstation - - manual - - patch - - journald - - rule_4.2.1.7 
diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml deleted file mode 100644 index 7775936c..00000000 --- a/tasks/section_4/cis_4.2.2.x.yml +++ /dev/null 
@@ -1,179 +0,0 @@ ---- - -- name: "4.2.2.1 | PATCH | Ensure rsyslog is installed" - ansible.builtin.package: - name: rsyslog - state: present - when: - - ubtu22cis_rule_4_2_2_1 - - "'rsyslog' not in ansible_facts.packages" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_4.2.2.1 - - rsyslog - - apt - -- name: "4.2.2.2 | PATCH | Ensure rsyslog Service is enabled" - ansible.builtin.systemd: - name: rsyslog - enabled: true - when: - - ubtu22cis_rule_4_2_2_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_4.2.2.2 - - rsyslog - -- name: "4.2.2.3 | PATCH | Ensure journald is configured to send logs to rsyslog" - ansible.builtin.lineinfile: - path: /etc/systemd/journald.conf - regexp: ^ForwardToSyslog= - line: ForwardToSyslog=yes - notify: Restart syslog service - when: - - ubtu22cis_rule_4_2_2_3 - tags: - - level1-server - - level1-workstation - - manual - - patch - - journald - - rule_4.2.2.3 - -- name: "4.2.2.4 | PATCH | Ensure rsyslog default file permissions configured" - ansible.builtin.lineinfile: - path: /etc/rsyslog.conf - regexp: '^\$FileCreateMode|^#\$FileCreateMode' - line: '$FileCreateMode 0640' - notify: Restart syslog service - when: - - ubtu22cis_rule_4_2_2_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_4.2.2.4 - - rsyslog - -- name: "4.2.2.5 | PATCH | Ensure logging is configured" - block: - - name: "4.2.2.5 | AUDIT | Ensure logging is configured | Find configuration file" - ansible.builtin.shell: grep -r "*.emerg" /etc/* | cut -f1 -d":" - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_4_2_2_5_rsyslog_config_path - - - name: "4.2.2.5 | AUDIT | Ensure logging is configured | Gather rsyslog current config" - ansible.builtin.shell: "cat {{ ubtu22cis_4_2_2_5_rsyslog_config_path.stdout }}" - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_4_2_2_5_rsyslog_config - - - name: "4.2.2.5 | 
AUDIT | Ensure logging is configured | Message out config" - ansible.builtin.debug: - msg: - - "Warning!! Below is the current logging configurations for rsyslog, please review" - - "{{ ubtu22cis_4_2_2_5_rsyslog_config.stdout_lines }}" - when: not ubtu22cis_rsyslog_ansible_managed - - - name: "4.2.2.5 | PATCH | Ensure logging is configured | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: not ubtu22cis_rsyslog_ansible_managed - - - name: "4.2.2.5 | PATCH | Ensure logging is configured | Automated rsyslog configuration" - ansible.builtin.lineinfile: - path: "{{ ubtu22cis_4_2_2_5_rsyslog_config_path.stdout }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - with_items: - - { regexp: '^\*.emerg', line: '*.emerg :omusrmsg:*', insertafter: '^# Emergencies are sent to everybody logged in' } - - { regexp: '^auth,authpriv.\*', line: 'auth,authpriv.* /var/log/secure', insertafter: '^# First some standard log files. Log by facility' } - - { regexp: '^mail.\*|^#mail.\*', line: 'mail.* -/var/log/mail', insertafter: '^# First some standard log files' } - - { regexp: '^cron.\*|^#cron.\*', line: 'cron.* /var/log/cron', insertafter: '^# First some standard log files' } - - { regexp: '^mail.info|^#mail.info', line: 'mail.info -/var/log/mail.info', insertafter: '^# Logging for the mail system' } - - { regexp: '^mail.warn|^#mail.warn', line: 'mail.warning -/var/log/mail.warn', insertafter: '^# Logging for the mail system.' } - - { regexp: '^mail.err|^#mail.err', line: 'mail.err /var/log/mail.err', insertafter: '^# Logging for the mail system.' 
} - - { regexp: '^\*.=warning;\*.=err|^#\*.=warning;\*.=err', line: '*.=warning;*.=err -/var/log/warn', insertafter: '^# First some standard log files' } - - { regexp: '^\*.crit|^#\*.crit', line: '*.crit /var/log/warn', insertafter: '^# First some standard log files' } - - { regexp: '^\*.\*;mail.none;news.none|^#\*.\*;mail.none;news.none', line: '*.*;mail.none;news.none -/var/log/messages', insertafter: '^# First some standard log files' } - - { regexp: '^local0,local1.\*|^#local0,local1.\*', line: 'local0,local1.* -/var/log/localmessages', insertafter: '^# First some standard log files' } - - { regexp: '^local2,local3.\*|^#local2,local3.\*', line: 'local2,local3.* -/var/log/localmessages', insertafter: '^# First some standard log files' } - - { regexp: '^local4,local5.\*|^#local4,local5.\*', line: 'local4,local5.* -/var/log/localmessages', insertafter: '^# First some standard log files' } - - { regexp: '^local6,local7.\*|^#local6,local7.\*', line: 'local6,local7.* -/var/log/localmessages', insertafter: '^# First some standard log files' } - loop_control: - label: "{{ item.line }}" - notify: Restart syslog service - when: ubtu22cis_rsyslog_ansible_managed - vars: - warn_control_id: '4.2.2.5' - when: - - ubtu22cis_rule_4_2_2_5 - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_4.2.2.5 - - rsyslog - -- name: "4.2.2.6 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" - ansible.builtin.blockinfile: - path: /etc/rsyslog.conf - block: | - ##Enable sending of logs over TCP add the following line: - *.* @@{{ ubtu22cis_remote_log_server }} - insertafter: EOF - when: - - ubtu22cis_rule_4_2_2_6 - - not ubtu22cis_system_is_log_server - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_4.2.2.6 - - rsyslog - -- name: "4.2.2.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client" - block: - - name: "4.2.2.7 | PATCH | Ensure rsyslog is not configured to receive logs from a 
remote client | When not a log host" - ansible.builtin.replace: - path: /etc/rsyslog.conf - regexp: '({{ item }})' - replace: '#\1' - with_items: - - '^(\$ModLoad|module(load="imtcp"))' - - '^(\$(InputTCP|InputRELP|UDP)ServerRun|input(type="imtcp" port=".*"))' - notify: Restart syslog service - when: not ubtu22cis_system_is_log_server - - - name: "4.2.2.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client | When a log server" - ansible.builtin.lineinfile: - path: /etc/rsyslog.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^\$ModLoad|^#\$ModLoad', line: '$ModLoad imtcp' } - - { regexp: '^\$InputTCPServerRun|^#\$InputTCPServerRun', line: '$InputTCPServerRun 514' } - notify: Restart syslog service - when: ubtu22cis_system_is_log_server - when: - - ubtu22cis_rule_4_2_2_7 - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_4.2.2.7 - - rsyslog diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml deleted file mode 100644 index 2ee735b5..00000000 --- a/tasks/section_4/cis_4.2.3.yml +++ /dev/null 
@@ -1,33 +0,0 @@ ---- - -- name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured" - block: - - name: "4.2.3 | AUDIT | Ensure permissions on all logfiles are configured | find files" - ansible.builtin.find: - paths: "/var/log" - file_type: file - recurse: true - hidden: true - register: logfiles - - - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions" - ansible.builtin.file: - path: "{{ item.path }}" - mode: '0640' - failed_when: logfiles_perms_update.state not in '[ file, absent ]' - register: logfiles_perms_update - loop: "{{ logfiles.files }}" - loop_control: - label: "{{ item.path }}" - when: - - item.path != "/var/log/btmp" - - item.path != "/var/log/utmp" - - item.path != "/var/log/wtmp" - when: - - ubtu22cis_rule_4_2_3 - tags: - - level1-server - - level1-workstation - - patch - - logfiles - - rule_4.2.3 diff --git a/tasks/section_4/cis_4.2.x.yml b/tasks/section_4/cis_4.2.x.yml new file mode 100644 index 00000000..c5258c80 --- /dev/null +++ b/tasks/section_4/cis_4.2.x.yml 
@@ -0,0 +1,247 @@ +--- + +# --------------- +# --------------- +# NFTables is unsupported with this role. However I have the actions commented out as a guide +# --------------- +# --------------- +- name: "4.2.1 | AUDIT | Ensure nftables is installed" + when: + - ubtu22cis_rule_4_2_1 + - ubtu22cis_firewall_package == "nftables" + tags: + - level1-server + - level1-workstation + - audit + - rule_4.2.1 + - nftables + - NIST800-53R5_CA-9 + vars: + warn_control_id: '4.2.1' + block: + - name: "4.2.1 | AUDIT | Ensure nftables is installed | Message out warning" + ansible.builtin.debug: + msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" + + - name: "4.2.1 | AUDIT | Ensure nftables is installed | Set warning count" + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "4.2.2 | AUDIT | Ensure ufw is uninstalled or disabled with nftables" + when: + - ubtu22cis_rule_4_2_2 + - ubtu22cis_firewall_package == "nftables" + tags: + - level1-server + - level1-workstation + - audit + - rule_4.2.2 + - nftables + - NIST800-53R5_SC-7 + vars: + warn_control_id: '4.2.2' + block: + - name: "4.2.2 | AUDIT | Ensure ufw is uninstalled or disabled with nftables | Message out warning" + ansible.builtin.debug: + msg: "Warning!! NFTables is not supported in this role. 
Please use UFW, iptables, or manually manage nftables" + # ansible.builtin.package: + # name: ufw + # state: absent + + - name: "4.2.2 | AUDIT | Ensure ufw is uninstalled or disabled with nftables | Set warning count" + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "4.2.3 | AUDIT | Ensure iptables are flushed with nftables" + when: + - ubtu22cis_rule_4_2_3 + - ubtu22cis_firewall_package == "nftables" + tags: + - level1-server + - level1-workstation + - audit + - rule_4.2.3 + - nftables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 + vars: + warn_control_id: '4.2.3' + block: + - name: "4.2.3 | AUDIT | Ensure iptables are flushed with nftables | Message out warning" + ansible.builtin.debug: + msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" + # ansible.builtin.iptables: + # flush: yes + + - name: "4.2.3 | AUDIT | Ensure iptables are flushed with nftables | Set warning count" + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "4.2.4 | AUDIT | Ensure a nftables table exists" + when: + - ubtu22cis_rule_4_2_4 + - ubtu22cis_firewall_package == "nftables" + tags: + - level1-server + - level1-workstation + - patch + - rule_4.2.4 + - nftables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 + vars: + warn_control_id: '4.2.4' + block: + - name: "4.2.4 | AUDIT | Ensure a nftables table exists" + ansible.builtin.debug: + msg: "Warning!! NFTables is not supported in this role. 
Please use UFW, iptables, or manually manage nftables | Message out warning" + # ansible.builtin.shell: "nft create table {{ ubtu22cis_nftables_table_name }}" + # changed_when: discovered_new_nftables_table.rc == 0 + # failed_when: false + # check_mode: false + # register: discovered_new_nftables_table + + - name: "4.2.4 | AUDIT | Ensure a nftables table exists | Set warning count" + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "4.2.5 | AUDIT | Ensure nftables base chains exist" + when: + - ubtu22cis_rule_4_2_5 + - ubtu22cis_firewall_package == "nftables" + tags: + - level1-server + - level1-workstation + - audit + - rule_4.2.5 + - nftables + - NIST800-53R5_NA + vars: + warn_control_id: '4.2.5' + block: + - name: "4.2.5 | AUDIT | Ensure nftables base chains exist" + ansible.builtin.debug: + msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables | Message out warning" + + - name: "4.2.5 | AUDIT | Ensure nftables base chains exist | Set warning count" + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "4.2.6 | AUDIT | Ensure nftables loopback traffic is configured" + when: + - ubtu22cis_rule_4_2_6 + - ubtu22cis_firewall_package == "nftables" + tags: + - level1-server + - level1-workstation + - audit + - rule_4.2.6 + - nftables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 + vars: + warn_control_id: '4.2.6' + block: + - name: "4.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Message out warning" + ansible.builtin.debug: + msg: "Warning!! NFTables is not supported in this role. 
Please use UFW, iptables, or manually manage nftables" + + - name: "4.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Set warning count" + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "4.2.7 | AUDIT | Ensure nftables outbound and established connections are configured" + when: + - ubtu22cis_rule_4_2_7 + - ubtu22cis_firewall_package == "nftables" + tags: + - level1-server + - level1-workstation + - audit + - rule_4.2.7 + - nftables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 + vars: + warn_control_id: '4.2.7' + block: + - name: "4.2.7 | AUDIT | Ensure nftables outbound and established connections are configured | Message out warning" + ansible.builtin.debug: + msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" + + - name: "4.2.7 | AUDIT | Ensure nftables outbound and established connections are configured | Set warning count" + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "4.2.8 | AUDIT | Ensure nftables default deny firewall policy" + when: + - ubtu22cis_rule_4_2_8 + - ubtu22cis_firewall_package == "nftables" + tags: + - level1-server + - level1-workstation + - audit + - rule_4.2.8 + - nftables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 + vars: + warn_control_id: '4.2.8' + block: + - name: "4.2.8 | AUDIT | Ensure nftables default deny firewall policy | Message out warning" + ansible.builtin.debug: + msg: "Warning!! NFTables is not supported in this role. 
Please use UFW, iptables, or manually manage nftables" + + - name: "4.2.8 | AUDIT | Ensure nftables default deny firewall policy | Set warning count" + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "4.2.9 | AUDIT | Ensure nftables service is enabled" + when: + - ubtu22cis_rule_4_2_9 + - ubtu22cis_firewall_package == "nftables" + tags: + - level1-server + - level1-workstation + - audit + - rule_4.2.9 + - nftables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 + vars: + warn_control_id: '4.2.9' + block: + - name: "4.2.9 | AUDIT | Ensure nftables service is enabled | Message out warning" + ansible.builtin.debug: + msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" + # ansible.builtin.service: + # name: nftables + # state: started + # enabled: yes + + - name: "4.2.9 | AUDIT | Ensure nftables service is enabled | Set warning count" + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "4.2.10 | AUDIT | Ensure nftables rules are permanent" + when: + - ubtu22cis_rule_4_2_10 + - ubtu22cis_firewall_package == "nftables" + tags: + - level1-server + - level1-workstation + - audit + - rule_4.2.10 + - nftables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 + vars: + warn_control_id: '4.2.10' + block: + - name: "4.2.10 | AUDIT | Ensure nftables rules are permanent | Message out warning" + ansible.builtin.debug: + msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" + + - name: "4.2.10 | AUDIT | Ensure nftables rules are permanent | Set warning count" + ansible.builtin.import_tasks: + file: warning_facts.yml diff --git a/tasks/section_4/cis_4.3.1.x.yml b/tasks/section_4/cis_4.3.1.x.yml new file mode 100644 index 00000000..88622585 --- /dev/null +++ b/tasks/section_4/cis_4.3.1.x.yml 
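Review bot: The 4.2.4 and 4.2.5 debug tasks carry the `| Message out warning` suffix inside the `msg` string rather than in the task `name`, so the operator-facing warning ends with a stray task label while the task names themselves lack it; move the suffix into `name:` as the other 4.2.x tasks do. 4.2.4 is also tagged `patch` although, like its siblings, it only emits a warning — `audit` would match the rest of the file and the AUDIT label in its own name. Because every task here only warns and then imports warning_facts.yml, selecting `ubtu22cis_firewall_package == "nftables"` leaves the host with no enforced section-4 firewall controls while the play still completes successfully; the header comment should state that, e.g. `# Selecting nftables applies no firewall controls; only warnings are raised.`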
@@ -0,0 +1,50 @@ +--- + +- name: "4.3.1.1 | PATCH | Ensure iptables packages are installed" + when: + - ubtu22cis_rule_4_3_1_1 + - ubtu22cis_firewall_package == "iptables" + tags: + - level1-server + - level1-workstation + - patch + - rule_4.3.1.1 + - iptables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 + ansible.builtin.package: + name: ['iptables', 'iptables-persistent'] + state: present + +- name: "4.3.1.2 | PATCH | Ensure nftables is not installed with iptables" + when: + - ubtu22cis_rule_4_3_1_2 + - ubtu22cis_firewall_package == "iptables" + tags: + - level1-server + - level1-workstation + - patch + - rule_4.3.1.2 + - iptables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 + ansible.builtin.package: + name: nftables + state: absent + purge: "{{ ubtu22cis_purge_apt }}" + +- name: "4.3.1.3 | PATCH | Ensure ufw is uninstalled or disabled with iptables" + when: + - ubtu22cis_rule_4_3_1_3 + - ubtu22cis_firewall_package == "iptables" + tags: + - level1-server + - level1-workstation + - patch + - rule_4.3.1.3 + - iptables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 + ansible.builtin.package: + name: ufw + state: absent diff --git a/tasks/section_4/cis_4.3.2.x.yml b/tasks/section_4/cis_4.3.2.x.yml new file mode 100644 index 00000000..589968ad --- /dev/null +++ b/tasks/section_4/cis_4.3.2.x.yml 
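Review bot: 4.3.1.3 removes the ufw package with `state: absent` but nothing in this hunk disables ufw first, so on a host where ufw was active its rule chains may stay loaded in the kernel and later interact with the raw iptables rules that 4.3.2.x appends; a preceding `community.general.ufw: state: disabled` task, or a comment stating that package removal is relied on to disable it, would make the transition explicit. 4.3.1.3 also omits the `purge: "{{ ubtu22cis_purge_apt }}"` that 4.3.1.2 passes for nftables, so ufw's configuration files are left behind on purge-enabled runs. Minor style: 4.3.1.1 uses the flow list `name: ['iptables', 'iptables-persistent']` while the rest of the section uses block sequences.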
@@ -0,0 +1,188 @@ +--- + +- name: "4.3.2.1 | PATCH | Ensure iptables default deny firewall policy" + when: + - ubtu22cis_rule_4_3_2_1 + - ubtu22cis_ipv4_required + - not system_is_ec2 + tags: + - level1-server + - level1-workstation + - patch + - rule_4.3.2.1 + - iptables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 + block: + - name: "4.3.2.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed in" + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + destination_port: 22 + jump: ACCEPT + ctstate: 'NEW,ESTABLISHED' + notify: Iptables persistent + + - name: "4.3.2.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed out" + ansible.builtin.iptables: + chain: OUTPUT + protocol: tcp + source_port: 22 + jump: ACCEPT + ctstate: 'NEW,ESTABLISHED' + notify: Iptables persistent + + - name: "4.3.2.1 | PATCH | Ensure iptables default deny firewall policy | Enable apt traffic" + ansible.builtin.iptables: + chain: INPUT + ctstate: 'ESTABLISHED' + jump: ACCEPT + notify: Iptables persistent + + - name: "4.3.2.1 | PATCH | Ensure iptables default deny firewall policy | Set drop items" + ansible.builtin.iptables: + policy: DROP + chain: "{{ item }}" + loop: + - INPUT + - FORWARD + - OUTPUT + notify: Iptables persistent + +- name: "4.3.2.2 | PATCH | Ensure iptables loopback traffic is configured" + when: + - ubtu22cis_rule_4_3_2_2 + - ubtu22cis_firewall_package == "iptables" + - ubtu22cis_ipv4_required + tags: + - level1-server + - level1-workstation + - patch + - rule_4.3.2.2 + - iptables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 + block: + - name: "4.3.2.2 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT" + ansible.builtin.iptables: + action: append + chain: INPUT + in_interface: lo + jump: ACCEPT + notify: Iptables persistent + + - name: "4.3.2.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" + ansible.builtin.iptables: + action: append + 
chain: OUTPUT + out_interface: lo + jump: ACCEPT + notify: Iptables persistent + + - name: "4.3.2.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" + ansible.builtin.iptables: + action: append + chain: INPUT + source: 127.0.0.0/8 + jump: DROP + notify: Iptables persistent + +- name: "4.3.2.3 | PATCH | Ensure iptables outbound and established connections are configured" + when: + - ubtu22cis_rule_4_3_2_3 + - ubtu22cis_firewall_package == "iptables" + - ubtu22cis_ipv4_required + tags: + - level1-server + - level1-workstation + - patch + - rule_4.3.2.3 + - iptables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 + ansible.builtin.iptables: + action: append + chain: '{{ item.chain }}' + protocol: '{{ item.protocol }}' + match: state + ctstate: '{{ item.ctstate }}' + jump: ACCEPT + with_items: + - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } + - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } + - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } + - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } + - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } + - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } + notify: Iptables persistent + +- name: "4.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports" + when: + - ubtu22cis_rule_4_3_2_4 + - ubtu22cis_firewall_package == "iptables" + - ubtu22cis_ipv4_required + tags: + - level1-server + - level1-workstation + - audit + - rule_4.3.2.4 + - iptables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 + vars: + warn_control_id: '4.3.2.4' + block: + - name: "4.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports" + ansible.builtin.command: ss -4tuln + changed_when: false + failed_when: false + check_mode: false + register: discovered_list_open_ports + + - name: "4.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules" + ansible.builtin.command: 
iptables -L INPUT -v -n + changed_when: false + failed_when: false + check_mode: false + register: discovered_current_iptables_rules + + - name: "4.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings" + ansible.builtin.debug: + msg: + - "Warning!! Below is the list the open ports and current rules" + - "Please create a rule for any open port that does not have a current rule" + - "Open Ports:" + - "{{ discovered_list_open_ports.stdout_lines }}" + - "Current Rules:" + - "{{ discovered_current_iptables_rules.stdout_lines }}" + + - name: "4.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count" + ansible.builtin.import_tasks: + file: warning_facts.yml + +# --------------- +# --------------- +# This is not a control however using the iptables module only writes to memory +# if a reboot occurs that means changes can revert. This task will make the +# above iptables settings permanent +# --------------- +# --------------- +# - name: "Make IPTables persistent | Not a control" +# block: +# - name: "Make IPTables persistent | Install iptables-persistent" +# ansible.builtin.package: +# name: iptables-persistent +# state: present + +# - name: "Make IPTables persistent | Save to persistent files" +# ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4" +# changed_when: discovered_ip4tables_save.rc == 0 +# failed_when: discovered_ip4tables_save.rc > 0 +# register: discovered_ip4tables_save +# when: +# - ubtu22cis_firewall_package == "iptables" +# - ubtu22cis_save_iptables_cis_rules +# - ubtu22cis_rule_4_3_2_1 or +# ubtu22cis_rule_4_3_2_2 or +# ubtu22cis_rule_4_3_2_3 or +# ubtu22cis_rule_4_3_2_4 diff --git a/tasks/section_4/cis_4.3.3.x.yml b/tasks/section_4/cis_4.3.3.x.yml new file mode 100644 index 00000000..181c09ab --- /dev/null +++ b/tasks/section_4/cis_4.3.3.x.yml 
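Review bot: 4.3.2.1 is the only task in this file whose `when` does not include `ubtu22cis_firewall_package == "iptables"`, so on a ufw-managed host its `policy: DROP` on INPUT/FORWARD/OUTPUT would still be applied directly to the chains ufw manages; add that condition to match 4.3.2.2–4.3.2.4. The third task of 4.3.2.2 is named `OUTPUT loopback ACCEPT` but appends an INPUT DROP for `127.0.0.0/8`; rename it `INPUT loopback drop` as the ip6tables counterpart in cis_4.3.3.x.yml does. The SSH allow rules hard-code port 22 (`destination_port: 22` / `source_port: 22`) with no variable, which is a lockout risk if sshd listens elsewhere and deserves a comment. The commented-out persistence block at the end appears to duplicate what the `Iptables persistent` handler does and should either be deleted or reduced to a one-line comment pointing at the handler.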
@@ -0,0 +1,184 @@ +--- + +- name: "4.3.3.1 | PATCH | Ensure ip6tables default deny firewall policy" + when: ubtu22cis_rule_4_3_3_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_4.3.3.1 + - ip6tables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 + block: + - name: "4.3.3.1 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out" + ansible.builtin.iptables: + chain: OUTPUT + protocol: tcp + source_port: 22 + jump: ACCEPT + ctstate: 'NEW,ESTABLISHED' + ip_version: ipv6 + notify: Ip6tables persistent + + - name: "4.3.3.1 | PATCH | Ensure ip6tables default deny firewall policy | Enable apt traffic" + ansible.builtin.iptables: + chain: INPUT + ctstate: 'ESTABLISHED' + jump: ACCEPT + ip_version: ipv6 + notify: Ip6tables persistent + + - name: "4.3.3.1 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" + ansible.builtin.iptables: + policy: DROP + chain: "{{ item }}" + ip_version: ipv6 + loop: + - INPUT + - FORWARD + - OUTPUT + notify: Ip6tables persistent + +- name: "4.3.3.2 | PATCH | Ensure ip6tables loopback traffic is configured" + when: + - ubtu22cis_rule_4_3_3_2 + - not ubtu22cis_ipv4_required + tags: + - level1-server + - level1-workstation + - patch + - rule_4.3.3.2 + - ip6tables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 + block: + - name: "4.3.3.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback ACCEPT" + ansible.builtin.iptables: + action: append + chain: INPUT + in_interface: lo + jump: ACCEPT + ip_version: ipv6 + notify: Ip6tables persistent + + - name: "4.3.3.2 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT loopback ACCEPT" + ansible.builtin.iptables: + action: append + chain: OUTPUT + out_interface: lo + jump: ACCEPT + ip_version: ipv6 + notify: Ip6tables persistent + + - name: "4.3.3.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback drop" + ansible.builtin.iptables: + action: append + chain: INPUT + source: 
::1 + jump: DROP + ip_version: ipv6 + notify: Ip6tables persistent + +- name: "4.3.3.3 | PATCH | Ensure ip6tables outbound and established connections are configured" + when: + - ubtu22cis_rule_4_3_3_3 + - not ubtu22cis_ipv4_required + tags: + - level1-server + - level1-workstation + - patch + - rule_4.3.3.3 + - ip6tables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 + ansible.builtin.iptables: + action: append + chain: '{{ item.chain }}' + protocol: '{{ item.protocol }}' + match: state + ctstate: '{{ item.ctstate }}' + jump: ACCEPT + ip_version: ipv6 + loop: + - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } + - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } + - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } + - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } + - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } + - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } + notify: Ip6tables persistent + +- name: "4.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports" + when: + - ubtu22cis_rule_4_3_3_4 + - not ubtu22cis_ipv4_required + tags: + - level1-server + - level1-workstation + - audit + - rule_4.3.3.4 + - ip6tables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 + vars: + warn_control_id: '4.3.3.4' + block: + - name: "4.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports" + ansible.builtin.command: ss -6tuln + changed_when: false + failed_when: false + check_mode: false + register: discovered_list_ip6tables_open_ports + + - name: "4.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules" + ansible.builtin.command: ip6tables -L INPUT -v -n + changed_when: false + failed_when: false + check_mode: false + register: discovered_ip6tables_current_rules + + - name: "4.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings" + ansible.builtin.debug: + msg: + - "Warning!! 
Below is the list the open ports and current rules" + - "Please create a rule for any open port that does not have a current rule" + - "Open Ports:" + - "{{ discovered_list_ip6tables_open_ports.stdout_lines }}" + - "Current Rules:" + - "{{ discovered_ip6tables_current_rules.stdout_lines }}" + + - name: "4.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count" + ansible.builtin.import_tasks: + file: warning_facts.yml + +# --------------- +# --------------- +# This is not a control however using the ip6tables module only writes to memory +# if a reboot occurs that means changes can revert. This task will make the +# above ip6tables settings permanent +# --------------- +# --------------- +# via handler +# - name: "Make IP6Tables persistent | Not a control" +# block: +# - name: "Make IP6Tables persistent | Install iptables-persistent" +# ansible.builtin.package: +# name: iptables-persistent +# state: present +# when: "'iptables-persistent' not in ansible_facts.packages" + +# - name: "Make IP6Tables persistent | Save to persistent files" +# ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6" +# changed_when: discovered_ip6tables_save.rc == 0 +# failed_when: discovered_ip6tables_save.rc > 0 +# register: discovered_ip6tables_save +# when: +# - ubtu22cis_firewall_package == "iptables" +# - ubtu22cis_ipv6_required +# - not ubtu22cis_ipv4_required +# - ubtu22cis_save_iptables_cis_rules +# - ubtu22cis_rule_4_3_1_1 or +# ubtu22cis_rule_4_3_1_2 or +# ubtu22cis_rule_4_3_1_3 or +# ubtu22cis_rule_4_3_1_4 diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index c56e79bc..8cf4b76b 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml 
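Review bot: The `when` gates in this new file disagree with each other: 4.3.3.2, 4.3.3.3 and 4.3.3.4 are skipped unless `not ubtu22cis_ipv4_required`, while 4.3.3.1, which sets the DROP policy on INPUT, FORWARD and OUTPUT for ipv6, runs on its rule flag alone. Since main.yml only imports this file when `ubtu22cis_ipv6_required`, a dual-stack host with both address families required would presumably end up with the IPv6 default-deny policy but without the loopback and established-connection ACCEPT rules that make it usable — worth confirming against the intended meaning of the two variables. The IPv4 sibling gates each rule on `ubtu22cis_ipv4_required`, so the mirror here is likely `- ubtu22cis_ipv6_required` in place of `- not ubtu22cis_ipv4_required` (or simply dropping the extra condition, since the import is already gated). Separately, the commented-out persistence block at the end of the file tests `ubtu22cis_rule_4_3_1_1` through `ubtu22cis_rule_4_3_1_4`, which appears to be a copy of the IPv4 block where the `ubtu22cis_rule_4_3_3_x` flags were meant; it is inert today but will mislead whoever re-enables it.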
@@ -1,36 +1,28 @@ --- -- name: "SECTION | 4.1.1 | Ensure auditing is enabled" +- name: "SECTION | 4.1 | Configure UnComplicatedFirewall" + when: ubtu22cis_firewall_package == "ufw" ansible.builtin.import_tasks: - file: cis_4.1.1.x.yml + file: cis_4.1.x.yml -- name: "SECTION | 4.1.2 | Configure Data Retention" +- name: "SECTION | 4.2 | Configure nftables software" + when: ubtu22cis_firewall_package == "nftables" ansible.builtin.import_tasks: - file: cis_4.1.2.x.yml + file: cis_4.2.x.yml -- name: "SECTION | 4.1.3 | Configure auditd rules" +- name: "SECTION | 4.3.1.x | Configure iptables software" + when: ubtu22cis_firewall_package == "iptables" ansible.builtin.import_tasks: - file: cis_4.1.3.x.yml + file: cis_4.3.1.x.yml -- name: "SECTION | 4.1.4 | Configure auditd file access" +- name: "SECTION | 4.3.2.x | Configure ipv4 iptables" + when: ubtu22cis_firewall_package == "iptables" ansible.builtin.import_tasks: - file: cis_4.1.4.x.yml + file: cis_4.3.2.x.yml -- name: "SECTION | 4.2.1.1.x | Configure journald" +- name: "SECTION | 4.3.3.x | Configure ipv6 iptables" + when: + - ubtu22cis_firewall_package == "iptables" + - ubtu22cis_ipv6_required ansible.builtin.import_tasks: - file: cis_4.2.1.1.x.yml - when: ubtu22cis_syslog_service == 'journald' - -- name: "SECTION | 4.2.1.x | Configure journald" - ansible.builtin.import_tasks: - file: cis_4.2.1.x.yml - when: ubtu22cis_syslog_service == 'journald' - -- name: "SECTION | 4.2.2.x | Configure rsyslog" - ansible.builtin.import_tasks: - file: cis_4.2.2.x.yml - when: ubtu22cis_syslog_service == 'rsyslog' - -- name: "SECTION | 4.2.3 | Ensure permissions on all logfiles are configured" - ansible.builtin.import_tasks: - file: cis_4.2.3.yml + file: cis_4.3.3.x.yml diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index b8bcea4c..51cee835 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml 
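Review bot: The new 4.3.2.x import is gated only on `ubtu22cis_firewall_package == "iptables"`, while the 4.3.3.x import directly below it also requires `ubtu22cis_ipv6_required`; the ipv4 tasks do check `ubtu22cis_ipv4_required` per rule, so nothing breaks, but adding `- ubtu22cis_ipv4_required` to that section's `when:` would make the two imports read the same way and skip the whole file in one place. The auditd and logging sections removed here (4.1.x, 4.2.x) are presumably re-homed elsewhere in this commit; if they are not, section_4 silently loses that coverage, which is worth a quick check.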
@@ -1,188 +1,468 @@ --- -- name: "5.1.1 | PATCH | Ensure cron daemon is enabled and running" - ansible.builtin.systemd: - name: cron - state: started - enabled: true - when: - - ubtu22cis_rule_5_1_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.1.1 - - cron - -- name: "5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" - ansible.builtin.file: - path: /etc/crontab - owner: root - group: root - mode: '0600' - when: - - ubtu22cis_rule_5_1_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.1.2 - - cron - -- name: "5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" - ansible.builtin.file: - path: /etc/cron.hourly - owner: root - group: root - mode: '0700' - when: - - ubtu22cis_rule_5_1_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.1.3 - - cron - -- name: "5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" - ansible.builtin.file: - path: /etc/cron.daily - owner: root - group: root - mode: '0700' - when: - - ubtu22cis_rule_5_1_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.1.4 - - cron - -- name: "5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" - ansible.builtin.file: - path: /etc/cron.weekly - owner: root - group: root - mode: '0700' - when: - - ubtu22cis_rule_5_1_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.1.5 - - cron - -- name: "5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" - ansible.builtin.file: - path: /etc/cron.monthly - owner: root - group: root - mode: '0700' - when: - - ubtu22cis_rule_5_1_6 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.1.6 - - cron - -- name: "5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" +- name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" + when: 
ubtu22cis_rule_5_1_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.1 + - ssh + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.file: - path: /etc/cron.d - owner: root - group: root - mode: '0700' - when: - - ubtu22cis_rule_5_1_7 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.1.7 - - cron - -- name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users" + path: /etc/ssh/sshd_config + owner: root + group: root + mode: 'go-rwx' + +- name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured" + when: ubtu22cis_rule_5_1_2 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.2 + - ssh + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 block: - - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny" - ansible.builtin.file: - path: /etc/cron.deny - state: absent - - - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Check for cron.allow" - ansible.builtin.stat: - path: /etc/cron.allow - register: ubtu22cis_5_1_8_status - - - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Create cron.allow if doesn't exist" - ansible.builtin.file: - path: /etc/cron.allow - owner: root - group: root - mode: '0640' - state: touch - when: not ubtu22cis_5_1_8_status.stat.exists - - - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Update cron.allow if exists" - ansible.builtin.file: - path: /etc/cron.allow - owner: root - group: root - mode: '0640' - when: ubtu22cis_5_1_8_status.stat.exists - when: - - ubtu22cis_rule_5_1_8 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.1.8 - - cron - -- name: "5.1.9 | PATCH | Ensure at is restricted to authorized users" + - name: "5.1.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find ssh_host private keys" + ansible.builtin.find: + paths: /etc/ssh + patterns: 
'ssh_host_*_key' + register: discovered_ssh_host_priv_keys + + - name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions" + ansible.builtin.file: + path: "{{ item.path }}" + owner: root + group: root + mode: 'o-x,go-rwx' + with_items: + - "{{ discovered_ssh_host_priv_keys.files }}" + loop_control: + label: "{{ item.path }}" + +- name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured" + when: ubtu22cis_rule_5_1_3 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.3 + - ssh + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 block: - - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny" - ansible.builtin.file: - path: /etc/at.deny - state: absent - - - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Check for at.allow" - ansible.builtin.stat: - path: /etc/at.allow - register: ubtu22cis_5_1_9_status - - - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Create at.allow if doesn't exist" - ansible.builtin.file: - path: /etc/at.allow - owner: root - group: root - mode: '0640' - state: touch - when: not ubtu22cis_5_1_9_status.stat.exists - - - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | update at.allow if exists" - ansible.builtin.file: - path: /etc/at.allow - owner: root - group: root - mode: '0640' - when: ubtu22cis_5_1_9_status.stat.exists - when: - - ubtu22cis_rule_5_1_9 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.1.9 - - cron + - name: "5.1.3 | AUDIT | Ensure permissions on SSH public host key files are configured | Find ssh_host public keys" + ansible.builtin.find: + paths: /etc/ssh + patterns: 'ssh_host_*_key.pub' + register: discovered_ssh_host_pub_keys + + - name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions" + ansible.builtin.file: + path: "{{ item.path }}" + owner: root + group: 
root + mode: 'go-wx' + with_items: + - "{{ discovered_ssh_host_pub_keys.files }}" + loop_control: + label: "{{ item.path }}" + +- name: "5.1.4 | PATCH | Ensure sshd access is configured" + when: ubtu22cis_rule_5_1_4 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.4 + - ssh + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + block: + - name: "5.1.4 | PATCH | Ensure sshd access is configured | Add allowed users" + when: "ubtu22cis_sshd_allow_users | default('') | length > 0 " + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^AllowUsers|^#AllowUsers' + line: 'AllowUsers {{ ubtu22cis_sshd_allow_users }}' + validate: 'sshd -t -f %s' + notify: Restart sshd + + - name: "5.1.4 | PATCH | Ensure sshd access is configured | Add allowed groups" + when: "ubtu22cis_sshd_allow_groups | default('') | length > 0" + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^AllowGroups|^#AllowGroups' + line: 'AllowGroups {{ ubtu22cis_sshd_allow_groups }}' + validate: 'sshd -t -f %s' + notify: Restart sshd + + - name: "5.1.4 | PATCH | Ensure sshd access is configured | Add deny users" + when: "ubtu22cis_sshd_deny_users | default('') | length > 0" + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^DenyUsers|^#DenyUsers' + line: 'DenyUsers {{ ubtu22cis_sshd_deny_users }} ' + validate: 'sshd -t -f %s' + notify: Restart sshd + + - name: "5.1.4 | PATCH | Ensure sshd access is configured | Add deny groups" + when: "ubtu22cis_sshd_deny_groups | default('') | length > 0" + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^DenyGroups|^#DenyGroups' + line: 'DenyGroups {{ ubtu22cis_sshd_deny_groups }}' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.5| PATCH | Ensure sshd Banner is configured" + when: ubtu22cis_rule_5_1_5 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.5 + - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 
+ - NIST800-53R5_IA-5 + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^Banner|^#Banner' + line: Banner /etc/issue.net + insertafter: '^# no default banner path' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.6 | PATCH | Ensure sshd Ciphers are configured" + when: ubtu22cis_rule_5_1_6 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.6 + - ssh + - NIST800-53R5_SC-8 + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^Ciphers|^#Ciphers' + line: "Ciphers {{ ubtu22cis_sshd_ciphers | default(ubtu22cis_sshd_default_ciphers) | join(',') }}" + insertafter: '^# Ciphers and keying' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.7 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured" + when: ubtu22cis_rule_5_1_7 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.7 + - sshd + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + validate: 'sshd -t -f %s' + with_items: + - { regexp: '^ClientAliveInterval|^#ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu22cis_sshd_client_alive_interval | default(ubtu22cis_sshd_default_client_alive_interval) }}' } + - { regexp: '^ClientAliveCountMax|^#ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu22cis_sshd_client_alive_count_max | default(ubtu22cis_sshd_default_client_alive_count_max) }}' } + notify: Restart sshd + +- name: "5.1.8 | PATCH | Ensure sshd DisableForwarding is enabled" + when: ubtu22cis_rule_5_1_8 + tags: + - level2-server + - level1-workstation + - patch + - rule_5.1.8 + - ssh + - NIST800-53R5_CM-7 + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^DisableForwarding|^#DisableForwarding' + line: 'DisableForwarding yes' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- 
name: "5.1.9 | PATCH | Ensure sshd GSSAPIAuthentication is disabled" + when: ubtu22cis_rule_5_1_9 + tags: + - level2-server + - level1-workstation + - patch + - rule_5.1.9 + - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^(?i)GSSAPIAuthentication|^(?i)#GSSAPIAuthentication' + line: 'GSSAPIAuthentication no' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.10 | PATCH | Ensure sshd HostbasedAuthentication is disabled" + when: ubtu22cis_rule_5_1_10 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.10 + - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^HostbasedAuthentication|^#HostbasedAuthentication' + line: 'HostbasedAuthentication no' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.11 | PATCH | Ensure sshd IgnoreRhosts is enabled" + when: ubtu22cis_rule_5_1_11 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.11 + - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^IgnoreRhosts|^#IgnoreRhosts' + line: 'IgnoreRhosts yes' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.12 | PATCH | Ensure sshd Kexalgorithms is configured" + when: ubtu22cis_rule_5_1_12 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.12 + - ssh + - NIST800-53R5_SC-8 + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^KexAlgorithms|^#KexAlgorithms' + line: "KexAlgorithms {{ ubtu22cis_sshd_kex_algorithms | default(ubtu22cis_sshd_default_kex_algorithms) | join(',') }}" + insertafter: '^# Ciphers and keying' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- 
name: "5.1.13 | PATCH | Ensure sshd LoginGraceTime is configured" + when: ubtu22cis_rule_5_1_13 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.13 + - ssh + - NIST800-53R5_CM-6 + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^LoginGraceTime|^#LoginGraceTime' + line: 'LoginGraceTime {{ ubtu22cis_sshd_login_grace_time | default(ubtu22cis_sshd_default_login_grace_time) }}' + insertafter: '^# Authentication' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.14 | PATCH | Ensure sshd LogLevel is configured" + when: ubtu22cis_rule_5_1_14 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.14 + - ssh + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^LogLevel|^#LogLevel' + line: 'LogLevel {{ ubtu22cis_sshd_log_level | default(ubtu22cis_sshd_default_log_level) }}' + insertafter: '^# Logging' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.15 | PATCH | Ensure sshd MACs are configured" + when: ubtu22cis_rule_5_1_15 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.15 + - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^MACs|^#MACs' + line: "MACs {{ ubtu22cis_sshd_macs | default(ubtu22cis_sshd_default_macs) | join(',') }}" + insertafter: '^# Ciphers and keying' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is configured" + when: ubtu22cis_rule_5_1_16 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.16 + - ssh + - NIST800-53R5_AU-3 + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^MaxAuthTries|^#MaxAuthTries' + line: 'MaxAuthTries {{ ubtu22cis_sshd_max_auth_tries | default(ubtu22cis_sshd_default_max_auth_tries) }}' + insertafter: '^# 
Authentication' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.17 | PATCH | Ensure sshd MaxSessions is configured" + when: ubtu22cis_rule_5_1_17 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.17 + - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^MaxSessions|^#MaxSessions' + line: 'MaxSessions {{ ubtu22cis_sshd_max_sessions | default(ubtu22cis_sshd_default_max_sessions) }}' + insertafter: '^# Authentication' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.18 | PATCH | Ensure sshd MaxStartups is configured" + when: ubtu22cis_rule_5_1_18 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.18 + - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^MaxStartups|^#MaxStartups' + line: 'MaxStartups 10:30:60' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.19 | PATCH | Ensure sshd PermitEmptyPasswords is disabled" + when: ubtu22cis_rule_5_1_19 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.19 + - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^PermitEmptyPasswords|^#PermitEmptyPasswords' + line: 'PermitEmptyPasswords no' + insertafter: '# To disable tunneled clear text passwords' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled" + when: ubtu22cis_rule_5_1_20 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.20 + - ssh + - NIST800-53R5_AC-6 + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^PermitRootLogin|^#PermitRootLogin' + line: 
'PermitRootLogin no' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.21 | PATCH | Ensure sshd PermitUserEnvironment is disabled" + when: ubtu22cis_rule_5_1_21 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.21 + - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^PermitUserEnvironment|^#PermitUserEnvironment' + line: 'PermitUserEnvironment no' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.22 | PATCH | Ensure sshd UsePAM is enabled" + when: ubtu22cis_rule_5_1_22 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.22 + - ssh + - pam + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^UsePAM|^#UsePAM' + line: 'UsePAM yes' + insertafter: '^# and ChallengeResponseAuthentication' + validate: 'sshd -t -f %s' + notify: Restart sshd diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index d0b0f042..b998d204 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml 
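Review bot: The 5.1.9 regexp `'^(?i)GSSAPIAuthentication|^(?i)#GSSAPIAuthentication'` places the inline flag after `^`, which Python's `re` treats as a global flag not at the start of the pattern — a DeprecationWarning on 3.10 and a hard `re.error` from 3.11 on — so the task fails on any managed node with a newer interpreter; write it as `regexp: '(?i)^GSSAPIAuthentication|^#GSSAPIAuthentication'`. Every lineinfile task in this file edits /etc/ssh/sshd_config directly, but a stock 22.04 config begins with an Include of sshd_config.d/*.conf and sshd keeps the first value it reads for a keyword, so a drop-in in that directory (cloud-init's is common) would silently override these settings — presumably worth either writing to a drop-in that sorts first or auditing that directory, to be confirmed against the role's intent. Two smaller points: 5.1.18 hard-codes `line: 'MaxStartups 10:30:60'` where every neighbouring rule takes a `ubtu22cis_sshd_*` variable with a default, and the 5.1.5 task name `"5.1.5| PATCH | Ensure sshd Banner is configured"` is missing the space before the first pipe. The 5.1.4 deny-users task also carries a trailing space inside the quotes, `'DenyUsers {{ ubtu22cis_sshd_deny_users }} '`, which ends up in the written line.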
@@ -1,440 +1,140 @@ --- -- name: "5.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" - ansible.builtin.file: - path: /etc/ssh/sshd_config - owner: root - group: root - mode: '0600' - when: - - ubtu22cis_rule_5_2_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.1 - - ssh - -- name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured" +- name: "5.2.1 | PATCH | Ensure sudo is installed" + when: ubtu22cis_rule_5_2_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.2.1 + - sudo + - NIST800-53R5_AC-6 + ansible.builtin.package: + name: "{{ ubtu22cis_sudo_package }}" + state: present + +- name: "5.2.2 | PATCH | Ensure sudo commands use pty" + when: ubtu22cis_rule_5_2_2 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.2.2 + - sudo + - NIST800-53R5_AC-6 + ansible.builtin.lineinfile: + path: /etc/sudoers + regexp: '^Defaults\s+use_' + line: 'Defaults use_pty' + insertafter: '^\s*Defaults' + +- name: "5.2.3 | PATCH | Ensure sudo log file exists" + when: ubtu22cis_rule_5_2_3 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.2.3 + - sudo + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + ansible.builtin.lineinfile: + path: /etc/sudoers + regexp: '^Defaults\s+logfile' + line: 'Defaults logfile="{{ ubtu22cis_sudo_logfile }}"' + insertafter: '^\s*Defaults' + +- name: "5.2.4 | PATCH | Ensure users must provide password for privilege escalation" + when: ubtu22cis_rule_5_2_4 + tags: + - level2-server + - level2-workstation + - patch + - sudo + - rule_5.2.4 + - NIST800-53R5_AC-6 + ansible.builtin.replace: + path: "{{ item }}" + regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)' + replace: '\1PASSWD\2' + validate: '/usr/sbin/visudo -cf %s' + loop: "{{ prelim_sudoers_files.stdout_lines }}" + +- name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally" + when: 
ubtu22cis_rule_5_2_5 + tags: + - level1-server + - level1-workstation + - patch + - sudo + - rule_5.2.5 + - NIST800-53R5_AC-6 + ansible.builtin.replace: + path: "{{ item }}" + regexp: '^([^#].*)!authenticate(.*)' + replace: '\1authenticate\2' + validate: '/usr/sbin/visudo -cf %s' + loop: "{{ prelim_sudoers_files.stdout_lines }}" + +- name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly" + when: ubtu22cis_rule_5_2_6 + tags: + - level1-server + - level1-workstation + - patch + - sudo + - rule_5.2.6 + - NIST800-53R5_AC-6 block: - - name: "5.2.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find ssh_host private keys" - ansible.builtin.find: - paths: /etc/ssh - patterns: 'ssh_host_*_key' - register: ubtu22cis_5_2_2_ssh_host_priv_keys - - - name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions" - ansible.builtin.file: - path: "{{ item.path }}" - owner: root - group: root - mode: '0600' - with_items: - - "{{ ubtu22cis_5_2_2_ssh_host_priv_keys.files }}" - loop_control: - label: "{{ item.path }}" - when: - - ubtu22cis_rule_5_2_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.2 - - ssh - -- name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured" - block: - - name: "5.2.3 | AUDIT | Ensure permissions on SSH public host key files are configured | Find ssh_host public keys" - ansible.builtin.find: - paths: /etc/ssh - patterns: 'ssh_host_*_key.pub' - register: ubtu22cis_5_2_3_ssh_host_pub_keys - - - name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions" - ansible.builtin.file: - path: "{{ item.path }}" - owner: root - group: root - mode: '0644' - with_items: - - "{{ ubtu22cis_5_2_3_ssh_host_pub_keys.files }}" - loop_control: - label: "{{ item.path }}" - when: - - ubtu22cis_rule_5_2_3 - tags: - - level1-server - - level1-workstation - - automated - - 
patch - - rule_5.2.3 - - ssh - -- name: "5.2.4 | PATCH | Ensure SSH access is limited" + - name: "5.2.6 | AUDIT | Ensure sudo authentication timeout is configured correctly | Get files with timeout set" + ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort + changed_when: false + failed_when: false + register: discovered_timeout_files + + - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results" + when: discovered_timeout_files.stdout | length == 0 + ansible.builtin.lineinfile: + path: /etc/sudoers + regexp: '^\s*Defaults/s+timestamp_timeout=' + line: "Defaults timestamp_timeout={{ ubtu22cis_sudo_timestamp_timeout }}" + insertafter: '^\s*Defaults' + validate: '/usr/sbin/visudo -cf %s' + + - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results" + when: discovered_timeout_files.stdout | length > 0 + ansible.builtin.replace: + path: "{{ item }}" + regexp: 'timestamp_timeout=(\d+)' + replace: "timestamp_timeout={{ ubtu22cis_sudo_timestamp_timeout }}" + validate: '/usr/sbin/visudo -cf %s' + loop: "{{ discovered_timeout_files.stdout_lines }}" + +- name: "5.2.7 | PATCH | Ensure access to the su command is restricted" + when: ubtu22cis_rule_5_2_7 + tags: + - level1-server + - level1-workstation + - patch + - sudo + - rule_5.2.7 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 block: - - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add allowed users" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^AllowUsers|^#AllowUsers' - line: 'AllowUsers {{ ubtu22cis_sshd.allow_users }}' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: "ubtu22cis_sshd['allow_users']| default('') | length > 0 " - - - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add allowed groups" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^AllowGroups|^#AllowGroups' - line: 
'AllowGroups {{ ubtu22cis_sshd.allow_groups }}' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: "ubtu22cis_sshd['allow_groups']| default('') | length > 0" - - - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add deny users" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^DenyUsers|^#DenyUsers' - line: 'DenyUsers {{ ubtu22cis_sshd.deny_users }} ' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: "ubtu22cis_sshd['deny_users']| default('') | length > 0" - - - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add deny groups" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^DenyGroups|^#DenyGroups' - line: 'DenyGroups {{ ubtu22cis_sshd.deny_groups }}' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: "ubtu22cis_sshd['deny_groups']| default('') | length > 0" - when: - - ubtu22cis_rule_5_2_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.4 - - ssh - -- name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^LogLevel|^#LogLevel' - line: 'LogLevel {{ ubtu22cis_sshd.log_level | default(ubtu22cis_sshd_default_log_level) }}' - insertafter: '^# Logging' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.5 - - ssh - -- name: "5.2.6 | PATCH | Ensure SSH PAM is enabled" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^UsePAM|^#UsePAM' - line: 'UsePAM yes' - insertafter: '^# and ChallengeResponseAuthentication' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_6 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.6 - - ssh - - pam - -- name: "5.2.7 | PATCH | Ensure SSH root login is disabled" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: 
'^PermitRootLogin|^#PermitRootLogin' - line: 'PermitRootLogin no' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_7 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.7 - - ssh - -- name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^HostbasedAuthentication|^#HostbasedAuthentication' - line: 'HostbasedAuthentication no' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_8 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.8 - - ssh - -- name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^PermitEmptyPasswords|^#PermitEmptyPasswords' - line: 'PermitEmptyPasswords no' - insertafter: '# To disable tunneled clear text passwords' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_9 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.9 - - ssh - -- name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^PermitUserEnvironment|^#PermitUserEnvironment' - line: 'PermitUserEnvironment no' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_10 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.10 - - ssh - -- name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^IgnoreRhosts|^#IgnoreRhosts' - line: 'IgnoreRhosts yes' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_11 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.11 - - ssh - -- name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled" - 
ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^X11Forwarding|^#X11Forwarding' - line: 'X11Forwarding no' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_12 - tags: - - level2-server - - level1-workstation - - automated - - patch - - rule_5.2.12 - - ssh - -- name: "5.2.13 | PATCH | Ensure only strong Ciphers are used" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^Ciphers|^#Ciphers' - line: "Ciphers {{ ubtu22cis_sshd.ciphers | default(ubtu22cis_sshd_default_ciphers) | join(',') }}" - insertafter: '^# Ciphers and keying' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_13 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.13 - - ssh - -- name: "5.2.14 | PATCH | Ensure only strong MAC algorithms are used" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^MACs|^#MACs' - line: "MACs {{ ubtu22cis_sshd.macs | default(ubtu22cis_sshd_default_macs) | join(',') }}" - insertafter: '^# Ciphers and keying' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_14 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.14 - - ssh - -- name: "5.2.15 | PATCH | Ensure only strong Key Exchange algorithms are used" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^KexAlgorithms|^#KexAlgorithms' - line: "KexAlgorithms {{ ubtu22cis_sshd.kex_algorithms | default(ubtu22cis_sshd_default_kex_algorithms) | join(',') }}" - insertafter: '^# Ciphers and keying' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_15 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.15 - - ssh - -- name: "5.2.16 | PATCH | Ensure SSH AllowTcpForwarding is disabled" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^AllowTcpForwarding|^#AllowTcpForwarding' - line: 'AllowTcpForwarding no' 
- validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_16 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_5.2.16 - - ssh - -- name: "5.2.17 | PATCH | Ensure SSH warning banner is configured" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^Banner|^#Banner' - line: Banner /etc/issue.net - insertafter: '^# no default banner path' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_17 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.17 - - ssh - -- name: "5.2.18 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^MaxAuthTries|^#MaxAuthTries' - line: 'MaxAuthTries {{ ubtu22cis_sshd.max_auth_tries | default(ubtu22cis_sshd_default_max_auth_tries) }}' - insertafter: '^# Authentication' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_18 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.18 - - ssh - -- name: "5.2.19 | PATCH | Ensure SSH MaxStartups is configured" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^MaxStartups|^#MaxStartups' - line: 'MaxStartups 10:30:60' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_19 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.19 - - ssh - -- name: "5.2.20 | PATCH | Ensure SSH MaxSessions is set to 10 or less" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^MaxSessions|^#MaxSessions' - line: 'MaxSessions {{ ubtu22cis_sshd.max_sessions | default(ubtu22cis_sshd_default_max_sessions) }}' - insertafter: '^# Authentication' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_20 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.20 - - ssh - -- name: "5.2.21 | PATCH | Ensure 
SSH LoginGraceTime is set to one minute or less" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^LoginGraceTime|^#LoginGraceTime' - line: 'LoginGraceTime {{ ubtu22cis_sshd.login_grace_time | default(ubtu22cis_sshd_default_login_grace_time) }}' - insertafter: '^# Authentication' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_21 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.21 - - ssh - -- name: "5.2.22 | PATCH | Ensure SSH Idle Timeout Interval is configured" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - validate: 'sshd -t -f %s' - with_items: - - { regexp: '^ClientAliveInterval|^#ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu22cis_sshd.client_alive_interval | default(ubtu22cis_sshd_default_client_alive_interval) }}' } - - { regexp: '^ClientAliveCountMax|^#ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu22cis_sshd.client_alive_count_max | default(ubtu22cis_sshd_default_client_alive_count_max) }}' } - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_22 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.22 - - sshd + - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists" + ansible.builtin.group: + name: "{{ ubtu22cis_sugroup }}" + state: present + + - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | remove users from group" + ansible.builtin.lineinfile: + path: /etc/group + regexp: '^{{ ubtu22cis_sugroup }}(:.:.*:).*$' + line: '{{ ubtu22cis_sugroup }}\g<1>' + backrefs: true + + - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid" + ansible.builtin.lineinfile: + path: /etc/pam.d/su + regexp: '^(#)?auth\s+required\s+pam_wheel\.so' + line: 'auth required pam_wheel.so use_uid group={{ ubtu22cis_sugroup }}' 
diff --git a/tasks/section_5/cis_5.3.1.x.yml b/tasks/section_5/cis_5.3.1.x.yml new file mode 100644 index 00000000..197e92f1 --- /dev/null +++ b/tasks/section_5/cis_5.3.1.x.yml @@ -0,0 +1,48 @@ +--- + +- name: "5.3.1.1 | PATCH | Ensure latest version of pam is installed" + when: + - ubtu22cis_rule_5_3_1_1 + - ansible_facts.packages['libpam-runtime'][0]['version'] is version('1.5.2-6', '<=') or + "'libpam-runtime' not in ansible_facts.packages" + tags: + - level1-server + - level1-workstation + - patch + - pam + - rule_5.3.1.1 + - NIST800-53R5_NA + ansible.builtin.package: + name: libpam-runtime + state: latest + +- name: "5.3.1.2 | PATCH | Ensure libpam-modules is installed" + when: + - ubtu22cis_rule_5_3_1_2 + - ansible_facts.packages['libpam-modules'][0]['version'] is version('1.5.2-6', '<=') or + "'libpam-modules' not in ansible_facts.packages" + tags: + - level1-server + - level1-workstation + - patch + - pam + - rule_5.3.1.2 + - NIST800-53R5_NA + ansible.builtin.package: + name: libpam-modules + state: latest + +- name: "5.3.1.3 | PATCH | Ensure libpam-pwquality is installed" + when: + - ubtu22cis_rule_5_3_1_3 + - "'libpam-pwquality' not in ansible_facts.packages" + tags: + - level1-server + - level1-workstation + - patch + - pam + - rule_5.3.1.3 + - NIST800-53R5_NA + ansible.builtin.package: + name: libpam-pwquality + state: latest diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml new file mode 100644 index 00000000..642368e9 --- /dev/null +++ b/tasks/section_5/cis_5.3.2.x.yml 
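Review bot: The `when` conditions on 5.3.1.1 and 5.3.1.2 are effectively always true: the second half, `"'libpam-runtime' not in ansible_facts.packages"`, sits inside a plain multi-line YAML scalar, so Jinja receives it as a string literal on the right of `or`, and a non-empty string is truthy — the version comparison on the left never gates anything and `state: latest` runs on every play. Evaluation order is also wrong, because the `['libpam-runtime'][0]['version']` lookup is evaluated first and raises on a host where the package is absent before the presence test is ever reached. Quote the whole expression and test presence first: `- "'libpam-runtime' not in ansible_facts.packages or ansible_facts.packages['libpam-runtime'][0]['version'] is version('1.5.2-6', '<=')"`, and the same for libpam-modules. This presumes a `package_facts` task has already populated `ansible_facts.packages` earlier in the role; a one-line comment on the task stating that dependency would help the next reader.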
@@ -0,0 +1,92 @@ +--- + +- name: "5.3.2.1 | PATCH | Ensure pam_unix module is enabled" + when: + - ubtu22cis_rule_5_3_2_1 + - ubtu22cis_disruption_high + - ubtu22cis_pam_auth_unix + - ubtu22cis_pam_create_pamunix_file + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.2.1 + - Pam_auth_update + - pam_unix + - NIST800-53R5_IA-5 + ansible.builtin.template: + src: "{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwunix_file }}.j2" + dest: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwunix_file }}" + owner: root + group: root + mode: 'go-rwx' + notify: Pam_auth_update_pwunix + +- name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled" + when: + - ubtu22cis_rule_5_3_2_2 + - ubtu22cis_disruption_high + - ubtu22cis_pam_auth_faillock + - ubtu22cis_pam_create_faillock_files + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.2.2 + - Pam_auth_update + - pam_faillock + - NIST800-53R5_NA + ansible.builtin.template: + src: "{{ ubtu22cis_pam_confd_dir }}{{ item }}.j2" + dest: "/{{ ubtu22cis_pam_confd_dir }}{{ item }}" + owner: root + group: root + mode: 'go-rwx' + loop: + - "{{ ubtu22cis_pam_faillock_file }}" + - "{{ ubtu22cis_pam_faillock_notify_file }}" + notify: + - Pam_auth_update_pwfaillock + - Pam_auth_update_pwfaillock_notify + +- name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled" + when: + - ubtu22cis_rule_5_3_2_3 + - ubtu22cis_disruption_high + - ubtu22cis_pam_create_pwquality_files + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.2.3 + - Pam_auth_update + - pam_quality + - NIST800-53R5_NA + ansible.builtin.template: + src: "{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwquality_file }}.j2" + dest: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwquality_file }}" + owner: root + group: root + mode: 'go-rwx' + notify: Pam_auth_update_pwquality + +- name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled" + when: + - ubtu22cis_rule_5_3_2_4 + - ubtu22cis_disruption_high + - 
ubtu22cis_pam_create_pwhistory_files + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.2.4 + - Pam_auth_update + - pam_history + - NIST800-53R5_NA + ansible.builtin.template: + src: "{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwhistory_file }}.j2" + dest: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwhistory_file }}" + owner: root + group: root + mode: 'go-rwx' + notify: Pam_auth_update_pwhistory diff --git a/tasks/section_5/cis_5.3.3.1.x.yml b/tasks/section_5/cis_5.3.3.1.x.yml new file mode 100644 index 00000000..dc0782c0 --- /dev/null +++ b/tasks/section_5/cis_5.3.3.1.x.yml 
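Review bot: The tags on 5.3.2.3 and 5.3.2.4 (`pam_quality`, `pam_history`) do not match the module names these tasks enable, while 5.3.2.1 and 5.3.2.2 tag with the exact module (`pam_unix`, `pam_faillock`), so `--tags pam_pwquality` would silently select nothing. Rename them to `- pam_pwquality` and `- pam_pwhistory`, and consider adding the plain `pam` tag that the 5.3.3.x files use so the whole PAM set can be selected at once. A short comment above 5.3.2.1 noting that `dest` is built as `/{{ ubtu22cis_pam_confd_dir }}…` (so the variable is expected without a leading slash) and that the profile only takes effect once the notified `Pam_auth_update_*` handler runs would save a trip to the defaults file.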
@@ -0,0 +1,115 @@ +--- + +- name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured" + when: + - ubtu22cis_rule_5_3_3_1_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.1.1 + - pam + - NIST800-53R5_NA + block: + - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | configure faillock.conf" + ansible.builtin.lineinfile: + path: /etc/security/faillock.conf + regexp: '^deny' + line: "deny = {{ ubtu22cis_faillock_deny }}" + insertafter: '^# end of pam-auth-update config' + create: true + owner: root + group: root + mode: 'go-wx' + + - name: "5.3.3.1.1 | AUDIT | Ensure password failed attempts lockout is configured | discover pam config with deny" + ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?deny\b' /usr/share/pam-configs/* + changed_when: false + failed_when: discovered_faillock_deny_files.rc not in [ 0, 1 ] + register: discovered_faillock_deny_files + + - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | if exists remove deny from faillock line in pam-auth conf files" + when: discovered_faillock_deny_files.stdout | length > 0 + ansible.builtin.replace: + path: "{{ item }}" + regexp: '(*.pam_faillock.so\s*)deny\s*=\s*\d+\b(.*)' + replace: \1\2 + with_fileglob: + - '/usr/share/pam-configs/*' + - '/etc/pam.d/*' + +- name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured" + when: + - ubtu22cis_rule_5_3_3_1_2 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.1.2 + - pam + - NIST800-53R5_NA + block: + - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | configure faillock.conf" + ansible.builtin.lineinfile: + path: /etc/security/faillock.conf + regexp: '^unlock_time' + line: "unlock_time = {{ ubtu22cis_faillock_unlock_time }}" + insertafter: '^# end of pam-auth-update config' + create: true + owner: root + group: root + mode: 'go-wx' + + - name: "5.3.3.1.2 | AUDIT | Ensure 
password unlock time is configured | discover pam config with unlock_time" + ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?unlock_time\b' /usr/share/pam-configs/* + register: discovered_faillock_unlock_files + changed_when: false + failed_when: discovered_faillock_unlock_files.rc not in [ 0, 1 ] + + - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | if exists remove unlock_time from faillock line in pam-auth conf files" + when: discovered_faillock_unlock_files.stdout | length > 0 + ansible.builtin.replace: + path: "{{ item }}" + regexp: '(*.pam_faillock.so\s*)unlock_time\s*=\s*\b(.*)' + replace: \1\2 + with_fileglob: + - '/usr/share/pam-configs/*' + - '/etc/pam.d/*' + +- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account" + when: + - ubtu22cis_rule_5_3_3_1_3 + tags: + - level2-server + - level2-workstation + - patch + - rule_5.3.3.1.3 + - pam + - NIST800-53R5_NA + block: + - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | configure faillock.conf" + ansible.builtin.lineinfile: + path: /etc/security/faillock.conf + regexp: '^{{ ubtu22cis_pamroot_lock_option }}' + line: "{{ ubtu22cis_pamroot_lock_string }}" + insertafter: '^# end of pam-auth-update config' + create: true + owner: root + group: root + mode: 'go-wx' + + - name: "5.3.3.1.3 | AUDIT | Ensure password failed attempts lockout includes root account | discover pam config with unlock_time" + ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)' /usr/share/pam-configs/* + changed_when: false + failed_when: discovered_faillock_rootlock_files.rc not in [ 0, 1 ] + register: discovered_faillock_rootlock_files + + - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | if exists remove unlock_time from faillock line in pam-auth conf files" + when: discovered_faillock_rootlock_files.stdout 
| length > 0 + ansible.builtin.replace: + path: "{{ item }}" + regexp: '(*.pam_faillock.so\s*)(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)(.*)' + replace: \1\3 + with_fileglob: + - '/usr/share/pam-configs/*' + - '/etc/pam.d/*' diff --git a/tasks/section_5/cis_5.3.3.2.x.yml b/tasks/section_5/cis_5.3.3.2.x.yml new file mode 100644 index 00000000..37d4df57 --- /dev/null +++ b/tasks/section_5/cis_5.3.3.2.x.yml 
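Review bot: The three `ansible.builtin.replace` tasks will fail at runtime rather than clean anything up: their patterns start with `(*.pam_faillock.so\s*)`, and a `*` with nothing to repeat is a compile error in Python's `re` ("nothing to repeat"), so the error surfaces exactly when the audit has found a file to fix. The group was presumably meant to be `(.*pam_faillock\.so\s+)`; allowing other options before the one being removed it reads `(.*pam_faillock\.so\s+[^#\n]*?)\bdeny\s*=\s*\d+\b\s*(.*)` with `replace: '\1\2'`, and the 5.3.3.1.2 variant additionally needs `\d+` after `unlock_time\s*=\s*`, since as written `\b(.*)` leaves the numeric value behind as a stray argument. Note also that the audit only greps `/usr/share/pam-configs/*` while the replace then globs `/etc/pam.d/*` as well, so the `when` guard does not describe what actually gets edited; either extend the grep or loop over `stdout_lines` as 5.3.3.4.1 does.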
@@ -0,0 +1,235 @@ +--- + +- name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured" + when: + - ubtu22cis_rule_5_3_3_2_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.2.1 + - pam + - NIST800-53R5_IA-5 + block: + - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from conf files except expected file" + when: + - item != ubtu22cis_passwd_difok_file + ansible.builtin.replace: + path: "{{ item }}" + regexp: 'difok\s*=\s*\d+\b' + replace: '' + with_fileglob: + - '/etc/security/pwquality.conf' + - '/etc/security/pwquality.conf.d/*.conf' + - '/etc/pam.d/common-password' + + - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Ensure difok file exists" + ansible.builtin.template: + src: "{{ ubtu22cis_passwd_difok_file }}.j2" + dest: "/{{ ubtu22cis_passwd_difok_file }}" + owner: root + group: root + mode: 'go-rwx' + +- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured" + when: + - ubtu22cis_rule_5_3_3_2_2 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.2.2 + - pam + - NIST800-53R5_IA-5 + block: + - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from conf files except expected file" + when: + - item != ubtu22cis_passwd_minlen_file + ansible.builtin.replace: + path: "{{ item }}" + regexp: 'minlen\s*=\s*\d+\b' + replace: '' + with_fileglob: + - '/etc/security/pwquality.conf' + - '/etc/security/pwquality.conf.d/*.conf' + - '/etc/pam.d/common-password' + + - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists" + ansible.builtin.template: + src: "{{ ubtu22cis_passwd_minlen_file }}.j2" + dest: "/{{ ubtu22cis_passwd_minlen_file }}" + owner: root + group: root + mode: 'go-rwx' + +- name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured" + when: + - ubtu22cis_rule_5_3_3_2_3 + tags: + - 
level1-server + - level1-workstation + - patch + - rule_5.3.3.2.3 + - pam + - NIST800-53R5_IA-5 + block: + - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove pwd complex settings from conf files except expected file" + when: + - item != ubtu22cis_passwd_complex_file + ansible.builtin.replace: + path: "{{ item }}" + regexp: '(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b' + replace: '' + with_fileglob: + - '/etc/security/pwquality.conf' + - '/etc/security/pwquality.conf.d/*.conf' + - '/etc/pam.d/common-password' + + - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Ensure complexity file exists" + ansible.builtin.template: + src: "{{ ubtu22cis_passwd_complex_file }}.j2" + dest: "/{{ ubtu22cis_passwd_complex_file }}" + owner: root + group: root + mode: 'go-rwx' + +- name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured" + when: + - ubtu22cis_rule_5_3_3_2_4 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.2.4 + - pam + - NIST800-53R5_IA-5 + block: + - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file" + when: + - item != ubtu22cis_passwd_maxrepeat_file + ansible.builtin.replace: + path: "{{ item }}" + regexp: 'maxrepeat\s*=\s*\d+\b' + replace: '' + with_fileglob: + - '/etc/security/pwquality.conf' + - '/etc/security/pwquality.conf.d/*.conf' + - '/etc/pam.d/common-password' + + - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Ensure maxrepeat file exists" + ansible.builtin.template: + src: "{{ ubtu22cis_passwd_maxrepeat_file }}.j2" + dest: "/{{ ubtu22cis_passwd_maxrepeat_file }}" + owner: root + group: root + mode: 'go-rwx' + +- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured" + when: + - ubtu22cis_rule_5_3_3_2_5 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.2.5 + - 
pam + - NIST800-53R5_IA-5 + block: + - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence settings from conf files except expected file" + when: + - item != ubtu22cis_passwd_maxsequence_file + ansible.builtin.replace: + path: "{{ item }}" + regexp: 'maxsequence\s*=\s*\d+\b' + replace: '' + with_fileglob: + - '/etc/security/pwquality.conf' + - '/etc/security/pwquality.conf.d/*.conf' + - '/etc/pam.d/common-password' + + - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Ensure maxsequence file exists" + ansible.builtin.template: + src: "{{ ubtu22cis_passwd_maxsequence_file }}.j2" + dest: "/{{ ubtu22cis_passwd_maxsequence_file }}" + owner: root + group: root + mode: 'go-rwx' + +- name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled" + when: + - ubtu22cis_rule_5_3_3_2_6 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.2.6 + - pam + - NIST800-53R5_IA-5 + block: + - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck settings from conf files except expected file" + when: + - item != ubtu22cis_passwd_dictcheck_file + ansible.builtin.replace: + path: "{{ item }}" + regexp: 'dictcheck\s*=\s*\d+\b' + replace: '' + with_fileglob: + - '/etc/security/pwquality.conf' + - '/etc/security/pwquality.conf.d/*.conf' + - '/etc/pam.d/common-password' + + - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Ensure dictcheck file exists" + ansible.builtin.template: + src: "{{ ubtu22cis_passwd_dictcheck_file }}.j2" + dest: "/{{ ubtu22cis_passwd_dictcheck_file }}" + owner: root + group: root + mode: 'go-rwx' + +- name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced" + when: + - ubtu22cis_rule_5_3_3_2_7 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.2.7 + - pam + - NIST800-53R5_IA-5 + block: + - name: "5.3.3.2.7 | PATCH | Ensure password quality 
checking is enforced | Remove quality enforcement settings from conf files except expected file" + when: + - item != ubtu22cis_passwd_quality_enforce_file + ansible.builtin.replace: + path: "{{ item }}" + regexp: 'enforcing\s*=\s*\d+\b' + replace: '' + with_fileglob: + - '/etc/security/pwquality.conf' + - '/etc/security/pwquality.conf.d/*.conf' + - '/etc/pam.d/common-password' + + - name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced | Ensure quality enforcement file exists" + ansible.builtin.template: + src: "{{ ubtu22cis_passwd_quality_enforce_file }}.j2" + dest: "/{{ ubtu22cis_passwd_quality_enforce_file }}" + owner: root + group: root + mode: 'go-rwx' + +- name: "5.3.3.2.8 | PATCH | Ensure password quality is enforced for the root user" + when: + - ubtu22cis_rule_5_3_3_2_8 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.2.8 + - pam + - NIST800-53R5_IA-5 + ansible.builtin.template: + src: "{{ ubtu22cis_passwd_quality_enforce_root_file }}.j2" + dest: "/{{ ubtu22cis_passwd_quality_enforce_root_file }}" + owner: root + group: root + mode: 'go-rwx' diff --git a/tasks/section_5/cis_5.3.3.3.x.yml b/tasks/section_5/cis_5.3.3.3.x.yml new file mode 100644 index 00000000..d4fa250b --- /dev/null +++ b/tasks/section_5/cis_5.3.3.3.x.yml 
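Review bot: The `item != ubtu22cis_passwd_difok_file` exclusion (and its six siblings) never matches: `with_fileglob` yields absolute paths such as `/etc/security/pwquality.conf.d/…`, whereas the variable is evidently stored without a leading slash, since the template task builds `dest: "/{{ ubtu22cis_passwd_difok_file }}"`. Each run therefore strips the setting from the very file the next task re-templates, so the replace task reports changed on every run and 5.3.3.2.x is never idempotent. Compare against the real path, `when: item != '/' ~ ubtu22cis_passwd_difok_file`, or drop the guard and keep the managed file out of the glob list. A smaller issue in 5.3.3.2.3: `(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b` only accepts a single negative digit, so a stray `ocredit = -10` in pwquality.conf is left untouched — `-?\d+` is what was meant.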
@@ -0,0 +1,82 @@ +--- + +- name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured" + when: + - ubtu22cis_rule_5_3_3_3_1 + - ubtu22cis_disruption_high + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.3.1 + - pam + - NIST800-53R5_IA-5 + block: + - name: "5.3.3.3.1 | AUDIT | Ensure password history remember is configured | Check existing files" + ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?remember=\d+\b' /etc/pam.d/common-password + register: discovered_pwhistory_remember + changed_when: false + failed_when: discovered_pwhistory_remember.rc not in [0, 1] + + - name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Ensure remember is set" + when: discovered_pwhistory_remember.stdout | length > 0 + ansible.builtin.lineinfile: + path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwhistory_file }}" + regexp: ^(password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+)(.*)(remember=\d+) + line: '\1\2\3 remember={{ ubtu22cis_pamd_pwhistory_remember }}' + backrefs: true + notify: Pam_auth_update_pwhistory + +- name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user" + when: + - ubtu22cis_rule_5_3_3_3_2 + - ubtu22cis_disruption_high + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.3.2 + - pam + - NIST800-53R5_IA-5 + block: + - name: "5.3.3.3.2 | AUDIT | Ensure password history is enforced for the root user | Check existing files" + ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?enforce_for_root\b' /etc/pam.d/common-password + register: discovered_pwhistory_remember + changed_when: false + failed_when: discovered_pwhistory_remember.rc not in [0, 1] + + - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure remember is set" + when: discovered_pwhistory_remember.stdout | length > 0 + ansible.builtin.lineinfile: + path: 
"/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwhistory_file }}" + regexp: ^(password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+)(.*)(enforce_for_root) + line: '\1\2\3 enforce_for_root' + backrefs: true + notify: Pam_auth_update_pwhistory + +- name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok" + when: + - ubtu22cis_rule_5_3_3_3_3 + - ubtu22cis_disruption_high + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.3.3 + - pam + - NIST800-53R5_IA-5 + block: + - name: "5.3.3.3.3 | AUDIT | Ensure pam_pwhistory includes use_authtok | Check existing files" + ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/common-password + register: discovered_pwhistory_use_authtok + changed_when: false + failed_when: discovered_pwhistory_use_authtok.rc not in [0, 1] + + - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure remember is set" + when: discovered_pwhistory_use_authtok.stdout | length > 0 + ansible.builtin.lineinfile: + path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwhistory_file }}" + regexp: ^(password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+)(.*)(use_authtok) + line: '\1\2\3 use_authtok' + backrefs: true + notify: Pam_auth_update_pwhistory diff --git a/tasks/section_5/cis_5.3.3.4.x.yml b/tasks/section_5/cis_5.3.3.4.x.yml new file mode 100644 index 00000000..5dcfa8e7 --- /dev/null +++ b/tasks/section_5/cis_5.3.3.4.x.yml 
@@ -0,0 +1,105 @@ +--- + +- name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok" + when: + - ubtu22cis_rule_5_3_3_4_1 + - ubtu22cis_disruption_high + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.4.1 + - pam + - NIST800-53R5_NA + block: + - name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | capture state" + ansible.builtin.shell: grep -E "pam_unix.so.*nullok" /etc/pam.d/common-* /usr/share/pam-configs/* | cut -d ':' -f1 | uniq + changed_when: false + failed_when: discovered_pam_nullok.rc not in [ 0, 1 ] + register: discovered_pam_nullok + + - name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | Ensure nullok removed" + when: discovered_pam_nullok.stdout | length > 0 + ansible.builtin.replace: + path: "{{ item }}" + regexp: nullok + replace: '' + loop: "{{ discovered_pam_nullok.stdout_lines }}" + notify: Pam_auth_update_pwunix + +- name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember" + when: + - ubtu22cis_rule_5_3_3_4_2 + tags: + - level1-server + - level1-workstation + - patch + - pam + - rule_5.3.3.4.2 + - NIST800-53R5_NA + block: + - name: "5.3.3.4.2 | AUDIT | Ensure pam_unix does not include remember | capture state" + ansible.builtin.shell: grep -PH -- '^\h*^\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/common-{password,auth,account,session,session-noninteractive} | grep -Pv -- '\bremember=\d\b' + changed_when: false + failed_when: discovered_pam_remember.rc not in [ 0, 1 ] + register: discovered_pam_remember + + - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Ensure remember removed" + when: discovered_pam_remember.stdout | length > 0 + ansible.builtin.replace: + path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwunix_file }}" + regexp: remember=\d+ + replace: '' + notify: Pam_auth_update_pwunix + +- name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm" + when: + - ubtu22cis_rule_5_3_3_4_3 + tags: + - 
level1-server + - level1-workstation + - patch + - pam + - rule_5.3.3.4.3 + - NIST800-53R5_IA-5 + block: + - name: "5.3.3.4.3 | AUDIT | Ensure pam_unix includes a strong password hashing algorithm | capture state" + ansible.builtin.shell: grep -PH -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?("{{ ubtu22cis_passwd_hash_algo }}")\b' /etc/pam.d/common-password + changed_when: false + failed_when: discovered_pam_pwhash.rc not in [ 0, 1 ] + register: discovered_pam_pwhash + + - name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Ensure hash algorithm set" + when: discovered_pam_remember.stdout | length > 0 + ansible.builtin.replace: + path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwunix_file }}" + regexp: "(md5|bigcrypt|sha256|blowfish|gost_yescrypt|sha512|yescrypt)" + replace: '{{ ubtu22cis_passwd_hash_algo }}' + notify: Pam_auth_update_pwunix + +- name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok" + when: + - ubtu22cis_rule_5_3_3_4_4 + tags: + - level1-server + - level1-workstation + - patch + - pam + - rule_5.3.3.4.4 + - NIST800-53R5_IA-5 + block: + - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | capture state" + ansible.builtin.shell: grep -PH -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/common-password + changed_when: false + failed_when: discovered_pam_authtok.rc not in [ 0, 1 ] + register: discovered_pam_authtok + + - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | pam_files" + when: + - discovered_pam_authtok is defined + - discovered_pam_authtok | length > 0 + ansible.builtin.lineinfile: + path: "/etc/pam.d/common-password" + regexp: ^(\s*password\s+[success=end.*]\s+pam_unix\.so)(.*)\s+use_authtok\s*=\s*\S+(.*$) + line: \1\2\3 use_authtok + backrefs: true diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml deleted file mode 100644 index bd495b19..00000000 
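Review bot: The 5.3.3.4.3 PATCH task is gated on the wrong register: `when: discovered_pam_remember.stdout | length > 0` refers to the result of 5.3.3.4.2, so the play errors on an undefined variable whenever `ubtu22cis_rule_5_3_3_4_2` is off, and the hash audit right above it (`discovered_pam_pwhash`) is never consulted. That audit also cannot match anything, because the `("{{ ubtu22cis_passwd_hash_algo }}")` group embeds literal double quotes into the grep pattern. It should read `\b{{ ubtu22cis_passwd_hash_algo }}\b`, and the patch should run when the algorithm is absent: `when: discovered_pam_pwhash.stdout | length == 0`. 5.3.3.4.4 has the mirror problem: `discovered_pam_authtok | length > 0` tests the size of the result dict (always true) rather than `.stdout`, and its regexp `[success=end.*]` is a character class, not the literal `[success=end …]` control field — `\[[^\]]*\]` is what was meant. Finally, 5.3.3.4.4 edits `/etc/pam.d/common-password` directly, a file pam-auth-update manages, whereas the other rules edit the profile under `{{ ubtu22cis_pam_confd_dir }}` and notify the handler; this one should follow the same path.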
--- a/tasks/section_5/cis_5.3.x.yml +++ /dev/null 
@@ -1,142 +0,0 @@ ---- - -- name: "5.3.1 | PATCH | Ensure sudo is installed" - ansible.builtin.package: - name: "{{ ubtu22cis_sudo_package }}" - state: present - when: - - ubtu22cis_rule_5_3_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.3.1 - - sudo - -- name: "5.3.2 | PATCH | Ensure sudo commands use pty" - ansible.builtin.lineinfile: - path: /etc/sudoers - regexp: '^Defaults\s+use_' - line: 'Defaults use_pty' - insertafter: '^\s*Defaults' - when: - - ubtu22cis_rule_5_3_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.3.2 - - sudo - -- name: "5.3.3 | PATCH | Ensure sudo log file exists" - ansible.builtin.lineinfile: - path: /etc/sudoers - regexp: '^Defaults\s+logfile' - line: 'Defaults logfile="{{ ubtu22cis_sudo_logfile }}"' - insertafter: '^\s*Defaults' - when: - - ubtu22cis_rule_5_3_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.3.3 - - sudo - -- name: "5.3.4 | PATCH | Ensure users must provide password for escalation" - ansible.builtin.replace: - path: "{{ item }}" - regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)' - replace: '\1PASSWD\2' - validate: '/usr/sbin/visudo -cf %s' - loop: "{{ ubtu22cis_sudoers_files.stdout_lines }}" - when: - - ubtu22cis_rule_5_3_4 - tags: - - level2-server - - level2-workstation - - patch - - sudo - - rule_5.3.4 - -- name: "5.3.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally" - ansible.builtin.replace: - path: "{{ item }}" - regexp: '^([^#].*)!authenticate(.*)' - replace: '\1authenticate\2' - validate: '/usr/sbin/visudo -cf %s' - loop: "{{ ubtu22cis_sudoers_files.stdout_lines }}" - when: - - ubtu22cis_rule_5_3_5 - tags: - - level1-server - - level1-workstation - - patch - - sudo - - rule_5.3.5 - -- name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly" - block: - - name: "5.3.6 | AUDIT | Ensure sudo authentication timeout is 
configured correctly | Get files with timeout set" - ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort - changed_when: false - failed_when: false - register: ubtu22cis_5_3_6_timeout_files - - - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results" - ansible.builtin.lineinfile: - path: /etc/sudoers - regexp: '^\s*Defaults/s+timestamp_timeout=' - line: "Defaults timestamp_timeout={{ ubtu22cis_sudo_timestamp_timeout }}" - insertafter: '^\s*Defaults' - validate: '/usr/sbin/visudo -cf %s' - when: ubtu22cis_5_3_6_timeout_files.stdout | length == 0 - - - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results" - ansible.builtin.replace: - path: "{{ item }}" - regexp: 'timestamp_timeout=(\d+)' - replace: "timestamp_timeout={{ ubtu22cis_sudo_timestamp_timeout }}" - validate: '/usr/sbin/visudo -cf %s' - loop: "{{ ubtu22cis_5_3_6_timeout_files.stdout_lines }}" - when: ubtu22cis_5_3_6_timeout_files.stdout | length > 0 - when: - - ubtu22cis_rule_5_3_6 - tags: - - level1-server - - level1-workstation - - patch - - sudo - - rule_5.3.6 - -- name: "5.3.7 | PATCH | Ensure access to the su command is restricted" - block: - - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists" - ansible.builtin.group: - name: "{{ ubtu22cis_sugroup }}" - state: present - register: ubtu22cis_5_3_7_sugroup - - - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | remove users from group" - ansible.builtin.lineinfile: - path: /etc/group - regexp: '^{{ ubtu22cis_sugroup }}(:.:.*:).*$' - line: '{{ ubtu22cis_sugroup }}\g<1>' - backrefs: true - - - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid" - ansible.builtin.lineinfile: - path: /etc/pam.d/su - regexp: '^(#)?auth\s+required\s+pam_wheel\.so' - line: 'auth required pam_wheel.so 
use_uid group={{ ubtu22cis_sugroup }}' - when: - - ubtu22cis_rule_5_3_7 - tags: - - level1-server - - level1-workstation - - patch - - sudo - - rule_5.3.7 diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml new file mode 100644 index 00000000..f1c5cd6a --- /dev/null +++ b/tasks/section_5/cis_5.4.1.x.yml 
@@ -0,0 +1,211 @@ +--- + +- name: "5.4.1.1 | PATCH | Ensure password expiration is configured" + when: + - ubtu22cis_rule_5_4_1_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.4.1.1 + - user + - login + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + block: + - name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Set /etc/login.defs PASS_MAX_DAYS" + ansible.builtin.lineinfile: + path: /etc/login.defs + regexp: '^PASS_MAX_DAYS|^#PASS_MAX_DAYS' + line: 'PASS_MAX_DAYS {{ ubtu22cis_pass_max_days }}' + insertafter: '# Password aging controls' + + - name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Get existing users PASS_MAX_DAYS" + ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5>{{ ubtu22cis_pass_max_days }} || $5<{{ ubtu22cis_pass_min_days }} || $5 == -1)){print $1}' /etc/shadow" + changed_when: false + failed_when: false + register: discovered_max_days + + - name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Set existing users PASS_MAX_DAYS" + when: + - ubtu22cis_disruption_high + - (item != 'root') or (not ubtu22cis_uses_root) + ansible.builtin.command: chage --maxdays {{ ubtu22cis_pass_max_days }} {{ item }} + failed_when: false + changed_when: discovered_max_days.stdout | length > 0 + loop: "{{ discovered_max_days.stdout_lines }}" + +- name: "5.4.1.2 | PATCH | Ensure minimum password age is configured" + when: + - ubtu22cis_rule_5_4_1_2 + tags: + - level2-server + - level2-workstation + - patch + - rule_5.4.1.2 + - user + - login + - NIST800-53R5_NA + block: + - name: "5.4.1.2 | PATCH | Ensure minimum password age is configured | Set /etc/login.defs PASS_MIN_DAYS" + ansible.builtin.lineinfile: + path: /etc/login.defs + regexp: '^PASS_MIN_DAYS|^#PASS_MIN_DAYS' + line: 'PASS_MIN_DAYS {{ ubtu22cis_pass_min_days }}' + + - name: "5.4.1.2 | PATCH | Ensure minimum password age is configured | Get existing users PASS_MIN_DAYS" + 
ansible.builtin.command: "awk -F: '(/^[^:]+:[^!*]/ && ($4<{{ ubtu22cis_pass_min_days }})) {print $1}' /etc/shadow" + changed_when: false + failed_when: false + register: discovered_passwd_min_days + + - name: "5.4.1.2 | PATCH | Ensure minimum password age is configured | Set existing users PASS_MIN_DAYS" + when: + - ubtu22cis_disruption_high + - (item != 'root') or (not ubtu22cis_uses_root) + ansible.builtin.command: chage --mindays {{ ubtu22cis_pass_min_days }} {{ item }} + failed_when: false + changed_when: discovered_passwd_min_days.stdout |length > 0 + loop: "{{ discovered_passwd_min_days.stdout_lines }}" + +- name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured" + when: + - ubtu22cis_rule_5_4_1_3 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.4.1.3 + - user + - login + - NIST800-53R5_NA + block: + - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Set /etc/login.defs PASS_WARN_AGE" + ansible.builtin.lineinfile: + path: /etc/login.defs + regexp: '^PASS_WARN_AGE|^#PASS_WARN_AGE' + line: 'PASS_WARN_AGE {{ ubtu22cis_pass_warn_age }}' + + - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Get existing users PASS_WARN_AGE" + ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && $6<{{ ubtu22cis_pass_warn_age }}){print $1}' /etc/shadow" + changed_when: false + failed_when: false + register: discovered_passwd_warn_days + + - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Set existing users PASS_WARN_AGE" + when: + - ubtu22cis_disruption_high + - (item != 'root') or (not ubtu22cis_uses_root) + ansible.builtin.command: chage --maxdays {{ ubtu22cis_pass_warn_age }} {{ item }} + failed_when: false + changed_when: discovered_passwd_warn_days.stdout | length > 0 + loop: "{{ discovered_passwd_warn_days.stdout_lines }}" + +- name: "5.4.1.4 | PATCH | Ensure strong password hashing algorithm is configured" + when: + - 
ubtu22cis_rule_5_4_1_4 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.4.1.4 + - pam + - NIST800-53R5_IA-5 + ansible.builtin.lineinfile: + path: /etc/login.defs + regexp: '^ENCRYPT_METHOD' + line: 'ENCRYPT_METHOD {{ ubtu22cis_passwd_hash_algo | upper }}' + +- name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured" + when: + - ubtu22cis_rule_5_4_1_5 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.4.1.5 + - user + - login + - NIST800-53R5_NA + block: + - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | General setting" + ansible.builtin.shell: useradd -D | grep INACTIVE | cut -d= -f2 + changed_when: false + failed_when: false + register: discovered_passwd_inactive_setting + + - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured| Set inactive period for new users" + when: discovered_passwd_inactive_setting.stdout != ubtu22cis_pass_inactive | string + ansible.builtin.command: useradd -D -f {{ ubtu22cis_pass_inactive }} + failed_when: false + changed_when: true + + - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | Get Individual users" + ansible.builtin.shell: awk -F':' '(/^[^:]+:[^!*]/ && ($7~/(\\s*|-1)/ || ( $7>1 && $7<"{{ ubtu22cis_pass_inactive }}"))) {print $1}' /etc/shadow + changed_when: false + failed_when: false + register: discovered_passwd_inactive_users + + - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Set inactive period for existing users" + when: + - ubtu22cis_disruption_high + - discovered_passwd_inactive_users.stdout | length > 0 + - (item != 'root') and (not ubtu22cis_uses_root) + ansible.builtin.command: chage --inactive {{ ubtu22cis_pass_inactive }} {{ item }} + failed_when: false + changed_when: true + with_items: + - "{{ ubtu22cis_passwd | map(attribute='id') | list | intersect(discovered_passwd_inactive_users.stdout_lines) | list }}" + +- name: "5.4.1.6 | PATCH | Ensure all users last password change 
date is in the past" + when: + - ubtu22cis_rule_5_4_1_6 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.4.1.6 + - user + - login + - NIST800-53R5_NA + vars: + warn_control_id: '5.4.1.6' + block: + - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" + ansible.builtin.shell: echo $(($(date --utc --date "$1" +%s)/86400)) + changed_when: false + failed_when: false + check_mode: false + register: discovered_current_time + + - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed PW date in future" + ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ discovered_current_time.stdout }})print$1}'" + changed_when: false + failed_when: false + check_mode: false + register: discovered_passwd_future_user_list + + - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Warn about users" + when: discovered_passwd_future_user_list.stdout | length > 0 + ansible.builtin.debug: + msg: + - "WARNING!! The following accounts have the last PW change date in the future" + - "{{ discovered_passwd_future_user_list.stdout_lines }}" + + - name: "5.4.1.6 | WARN | Ensure all users last password change date is in the past | warn_count" + when: discovered_passwd_future_user_list.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + + - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Lock accounts with future PW changed dates" + when: + - ubtu22cis_disruption_high + - discovered_passwd_future_user_list.stdout | length > 0 + ansible.builtin.command: passwd --expire {{ item }} + failed_when: false + changed_when: true + with_items: + - "{{ discovered_passwd_future_user_list.stdout_lines }}" diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml new file mode 100644 index 00000000..b7f5987d --- /dev/null 
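Review bot: The 5.4.1.3 "Set existing users PASS_WARN_AGE" task runs `chage --maxdays {{ ubtu22cis_pass_warn_age }} {{ item }}`, which overwrites each selected user's maximum password age with the warning value instead of setting the warning period; for a warn age of a few days this would force those accounts to expire every few days. The flag should be `chage --warndays {{ ubtu22cis_pass_warn_age }} {{ item }}`. Separately, the 5.4.1.5 "Set inactive period for existing users" task guards with `(item != 'root') and (not ubtu22cis_uses_root)` while the sibling tasks in 5.4.1.1 through 5.4.1.3 use `or`; with `and`, setting ubtu22cis_uses_root to true skips every user rather than only root, which looks unintended and should be aligned with the other tasks.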
+++ b/tasks/section_5/cis_5.4.2.x.yml 
@@ -0,0 +1,246 @@ +--- + +- name: "5.4.2.1 | PATCH | Ensure root is the only UID 0 account" + when: + - ubtu22cis_rule_5_4_2_1 + - prelim_uid_zero_accounts_except_root.rc + - ubtu22cis_disruption_high + tags: + - level1-server + - level1-workstation + - patch + - accounts + - users + - rule_5.4.2.1 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + ansible.builtin.command: passwd -l {{ item }} + changed_when: false + failed_when: false + loop: "{{ prelim_uid_zero_accounts_except_root.stdout_lines }}" + +- name: "5.4.2.2 | PATCH | Ensure root is the only GID 0 account" + when: + - ubtu22cis_rule_5_4_2_2 + - ubtu22cis_disruption_high + tags: + - level1-server + - level1-workstation + - patch + - rule_5.4.2.2 + - user + - system + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + block: + - name: "5.4.2.2 | AUDIT | Ensure root is the only GID 0 account | Get members of gid 0" + ansible.builtin.shell: "awk -F: '($1 !~ /^(sync|shutdown|halt|operator)/ && $4==\"0\") {print $1}' /etc/passwd | grep -wv 'root'" + changed_when: false + failed_when: discovered_gid0_members.rc not in [ 0, 1 ] + register: discovered_gid0_members + + - name: "5.4.2.2 | PATCH | Ensure root is the only GID 0 account | Remove users not root from gid 0" + when: + - discovered_gid0_members is defined + - discovered_gid0_members.stdout | length > 0 + ansible.builtin.user: + name: "{{ item }}" + group: root + state: absent + loop: "{{ discovered_gid0_members.stdout_lines }}" + +- name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group" + when: + - ubtu22cis_rule_5_4_2_3 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.4.2.3 + - user + - system + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + block: + - name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group | Get groups with gid 
0" + ansible.builtin.shell: "awk -F: '$3==\"0\"{print $1}' /etc/group | grep -vw 'root'" + changed_when: false + failed_when: discovered_gid0_groups.rc not in [ 0, 1 ] + register: discovered_gid0_groups + + - name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group | Warning if others gid 0 groups" + when: + - discovered_gid0_groups is defined + - discovered_gid0_groups.stdout | length > 0 + ansible.builtin.debug: + msg: + - "Warning!! You have other groups assigned to GID 0 - Please resolve" + - "{{ discovered_gid0_groups.stdout_lines }}" + + - name: "5.4.2.3 | WARN | Ensure group root is the only GID 0 group | warn_count" + when: + - discovered_gid0_groups is defined + - discovered_gid0_groups.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '5.4.2.3' + +- name: "5.4.2.4 | PATCH | Ensure root password is set" + when: + - ubtu22cis_rule_5_4_2_4 + tags: + - level1-server + - level1-workstation + - patch + - shadow_suite + - rule_5.4.2.4 + - NIST800-53R5_NA + ansible.builtin.debug: + msg: "This is set as an assert in tasks/main" + +- name: "5.4.2.5 | PATCH | Ensure root PATH Integrity" + when: + - ubtu22cis_rule_5_4_2_5 + tags: + - level1-server + - level1-workstation + - patch + - paths + - rule_5.4.2.5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + block: + - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Get root paths" + ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 + changed_when: false + register: discovered_root_paths + + - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Get root paths" + when: discovered_root_paths is defined + ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 | tr ":" "\n" + changed_when: false + register: discovered_root_paths_split + + - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Set fact" + when: discovered_root_paths is defined + 
ansible.builtin.set_fact: + root_paths: "{{ discovered_root_paths.stdout }}" + + - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for empty dirs" + when: discovered_root_paths is defined + ansible.builtin.shell: 'echo {{ root_paths }} | grep -q "::" && echo "roots path contains a empty directory (::)"' + changed_when: false + failed_when: discovered_root_path_empty_dir.rc not in [ 0, 1 ] + register: discovered_root_path_empty_dir + + - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for trailing ':'" + when: discovered_root_paths is defined + ansible.builtin.shell: '{{ root_paths }} | cut -d= -f2 | grep -q ":$" && echo "roots path contains a trailing (:)"' + changed_when: false + failed_when: discovered_root_path_trailing_colon.rc not in [ 0, 1 ] + register: discovered_root_path_trailing_colon + + - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" + when: discovered_root_paths is defined + block: + - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" + ansible.builtin.stat: + path: "{{ item }}" + register: discovered_root_path_perms + loop: "{{ discovered_root_paths_split.stdout_lines }}" + + - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Set permissions" + when: + - item.stat.exists + - item.stat.isdir + - item.stat.pw_name != 'root' or item.stat.gr_name != 'root' or item.stat.woth or item.stat.wgrp + - (item != 'root') and (not ubtu22cis_uses_root) + ansible.builtin.file: + path: "{{ item.stat.path }}" + state: directory + owner: root + group: root + mode: 'go-w' + follow: false + loop: "{{ discovered_root_path_perms.results }}" + loop_control: + label: "{{ item }}" + +- name: "5.4.2.6 | PATCH | Ensure root user umask is configured" + when: + - ubtu22cis_rule_5_4_2_6 + tags: + - level1-server + - level1-workstation + - patch + - shadow_suite + - rule_5.4.2.6 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.lineinfile: + path: 
/root/.bash_profile + regexp: \s*umask + line: "umask {{ ubtu22cis_root_umask }}" + create: true + owner: root + group: root + mode: 'g-wx,o-rwx' + +- name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell" + when: + - ubtu22cis_rule_5_4_2_7 + - "item.id not in prelim_interactive_usernames.stdout" + - "'root' not in item.id" + - ubtu22cis_disruption_high + tags: + - level1-server + - level1-workstation + - patch + - shadow_suite + - rule_5.4.2.7 + - NIST800-53R5_AC-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_AC-11 + - NIST800-53R5_MP-2 + ansible.builtin.user: + name: "{{ item.id }}" + shell: /usr/sbin/nologin + loop: "{{ ubtu22cis_passwd }}" + loop_control: + label: "{{ item.id }}" + +- name: "5.4.2.8 | PATCH | Ensure accounts without a valid login shell are locked | Lock accounts" + when: + - ubtu22cis_rule_5_4_2_8 + - ubtu22cis_disruption_high + - "item.id not in prelim_interactive_usernames.stdout" + - "'root' not in item.id" + tags: + - level1-server + - level1-workstation + - patch + - shadow_suite + - rule_5.4.2.8 + - NIST800-53R5_AC-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_AC-11 + - NIST800-53R5_MP-2 + ansible.builtin.user: + name: "{{ item.id }}" + password_lock: true + loop: "{{ ubtu22cis_passwd }}" + loop_control: + label: "{{ item.id }}" diff --git a/tasks/section_5/cis_5.4.3.x.yml b/tasks/section_5/cis_5.4.3.x.yml new file mode 100644 index 00000000..97e6d7d7 --- /dev/null +++ b/tasks/section_5/cis_5.4.3.x.yml 
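Review bot: In 5.4.2.2 "Remove users not root from gid 0", `ansible.builtin.user` is called with `group: root` and `state: absent`, which deletes the account outright rather than moving it out of GID 0, even though the task name and the control describe changing the primary group; `state: absent` should be dropped and a non-zero target group supplied via `group:` (with the task being explicit about whether that group must already exist). In 5.4.2.5 the "Check for trailing ':'" task runs `'{{ root_paths }} | cut -d= -f2 | grep -q ":$" ...'` without a leading `echo`, so the shell attempts to execute the PATH value as a command; it should mirror the preceding task, `echo {{ root_paths }} | grep -q ":$" && echo "roots path contains a trailing (:)"`, and the extra `cut -d= -f2` is redundant since root_paths is already the cut output. The "Set permissions" condition `(item != 'root') and (not ubtu22cis_uses_root)` compares a stat result dict to a string and is therefore always true, so only the `ubtu22cis_uses_root` flag actually gates that task. The two "Get root paths" tasks also share an identical name, which makes the play output ambiguous.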
@@ -0,0 +1,63 @@ +--- + +- name: "5.4.3.1 | PATCH | Ensure nologin is not listed in /etc/shells" + when: + - ubtu22cis_rule_5_4_3_1 + tags: + - level2-server + - level2-workstation + - patch + - shells + - rule_5.4.3.1 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + ansible.builtin.replace: + path: /etc/shells + regexp: nologin + replace: "" + +- name: "5.4.3.2 | PATCH | Ensure default user shell timeout is configured" + when: + - ubtu22cis_rule_5_4_3_2 + tags: + - level1-server + - level1-workstation + - patch + - shell + - rule_5.4.3.2 + - NIST800-53R5_NA + ansible.builtin.blockinfile: + path: "{{ item.path }}" + state: "{{ item.state }}" + marker: "# {mark} - CIS benchmark - Ansible-lockdown" + create: true + mode: 'u-x,go-wx' + block: | + TMOUT={{ ubtu22cis_shell_session_timeout }} + readonly TMOUT + export TMOUT + loop: + - { path: "{{ ubtu22cis_shell_session_file }}", state: present } + - { path: /etc/profile, state: "{{ (ubtu22cis_shell_session_file == '/etc/profile') | ternary('present', 'absent') }}" } + +- name: "5.4.3.3 | PATCH | Ensure default user umask is configured" + when: + - ubtu22cis_rule_5_4_3_3 + tags: + - level1-server + - level1-workstation + - patch + - umask + - rule_5.4.3.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.replace: + path: "{{ item.path }}" + regexp: (?i)(umask\s+\d\d\d) + replace: '{{ item.line }} {{ ubtu22cis_bash_umask }}' + loop: + - { path: '/etc/profile', line: 'umask' } + - { path: '/etc/login.defs', line: 'UMASK' } diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml deleted file mode 100644 index f04e27c3..00000000 --- a/tasks/section_5/cis_5.4.x.yml +++ /dev/null 
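Review bot: 5.4.3.1 uses `ansible.builtin.replace` with `regexp: nologin` and `replace: ""`, which strips only the substring and leaves fragments such as `/usr/sbin/` as entries in /etc/shells instead of removing the offending lines. Use `ansible.builtin.lineinfile` with `path: /etc/shells`, `regexp: 'nologin'` and `state: absent` so the whole line is deleted. In 5.4.3.3 the pattern `(?i)(umask\s+\d\d\d)` only matches three-digit values, so an existing four-digit form such as `umask 0022` or `UMASK 0022` in /etc/profile or /etc/login.defs would be left in place; `(?i)(umask\s+\d{3,4})` would cover both forms.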
@@ -1,216 +0,0 @@ ---- - -- name: "5.4.1 | PATCH | Ensure password creation requirements are configured" - block: - - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Install pam_pwquality module" - ansible.builtin.package: - name: libpam-pwquality - state: present - - - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Add minlen" - ansible.builtin.lineinfile: - path: /etc/security/pwquality.conf - regexp: '^minlen|^# minlen' - line: minlen = 14 - - - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Add minclass" - ansible.builtin.lineinfile: - path: /etc/security/pwquality.conf - regexp: ^minclass - line: "minclass = {{ ubtu22cis_pwquality_minclass_value }}" - when: ubtu22cis_pwquality_minclass - - - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Add extended keys" - ansible.builtin.lineinfile: - path: /etc/security/pwquality.conf - regexp: ^{{ item.key }} - line: "{{ item.key }} = {{ item.value }}" - loop: "{{ ubtu22cis_pwquality }}" - when: not ubtu22cis_pwquality_minclass - - - name: "5.4.1 | AUDIT | Ensure password creation requirements are configured | Confirm pwquality module in common-password" - ansible.builtin.shell: grep 'password.*requisite.*pam_pwquality.so' /etc/pam.d/common-password - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_5_4_1_pam_pwquality_state - - - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Set retry to 3 if pwquality exists" - community.general.pamd: - name: common-password - type: password - control: requisite - module_path: pam_pwquality.so - module_arguments: 'retry=3' - state: args_present - when: ubtu22cis_5_4_1_pam_pwquality_state.stdout | length > 0 - - - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Set retry to 3 if pwquality does not exist" - community.general.pamd: - name: common-password - type: password - 
control: required - module_path: pam_permit.so - new_type: password - new_control: requisite - new_module_path: pam_pwquality.so - module_arguments: 'retry=3' - state: after - when: ubtu22cis_5_4_1_pam_pwquality_state.stdout | length == 0 - when: - - ubtu22cis_rule_5_4_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.4.1 - - pam - -- name: "5.4.2 | AUDIT | Ensure lockout for failed password attempts is configured" - block: - - name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Check pam faillock is set" - ansible.builtin.shell: grep -E "preauth|authfail|authsucc" /etc/pam.d/common-auth | grep pam_faillock.so - register: faillock_state - failed_when: faillock_state.rc not in [0, 1] - changed_when: false - - ## Issues have been seen with this control that can't always be replicated - ## Please ensure you understand what this control is doing before overriding the current settings - - name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Set faillock in common-auth" - ansible.builtin.replace: - path: /etc/pam.d/common-auth - before: .*pam_deny.so - regexp: .*pam_unix.so nullok - replace: "{{ ubtu22cis_rule_5_4_2_faillock_config }}" - when: - - "'pam_faillock.so' not in faillock_state.stdout" - - ubtu22cis_allow_common_auth_rewrite - - - name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Set faillock common-account" - ansible.builtin.lineinfile: - path: /etc/pam.d/common-account - regexp: '^account\s+required\s+pam_faillock.so' - line: 'account required pam_faillock.so' - - - name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_deny.so and pam_tally.so" - ansible.builtin.lineinfile: - path: /etc/security/faillock.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: '^# end of pam-auth-update config' - create: true - loop: - - { regexp: '^deny', line: 'deny = 4' } - - { regexp: 
'^fail_interval', line: 'fail_interval = 900' } - - { regexp: '^unlock_time', line: 'unlock_time = 600' } - when: - - ubtu22cis_rule_5_4_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.4.2 - - pam - - notimplemented - -- name: "5.4.3 | PATCH | Ensure password reuse is limited" - block: - - name: "5.4.3 | PATCH | Ensure password reuse is limited | Add pam_unix or edit it accordingly" - community.general.pamd: - name: common-password - type: password - control: '[success=1 default=ignore]' - module_path: pam_unix.so - module_arguments: 'obscure - yescrypt' - state: args_present - - - name: "5.4.3 | PATCH | Ensure password reuse is limited| Set remember value after adding pam unix" - community.general.pamd: - name: common-password - type: password - control: '[success=1 default=ignore]' - module_path: pam_unix.so - new_type: password - new_module_path: pam_pwhistory.so - new_control: required - module_arguments: 'use_authtok - remember={{ ubtu22cis_pamd_pwhistory_remember }}' - state: before - when: - - ubtu22cis_rule_5_4_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.4.3 - - pam - -- name: "5.4.4 | PATCH | Ensure password hashing algorithm is up to date with the latest standards" - block: - - name: "5.4.4 | AUDIT | Ensure password hashing algorithm is up to date with the latest standards | Confirm pam_unix.so" - ansible.builtin.shell: grep -v ^# /etc/pam.d/common-password | grep -E "(yescrypt|md5|bigcrypt|sha256|sha512|blowfish)" - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_5_4_4_pam_unix_state - - - name: "5.4.4 | PATCH | Ensure password hashing algorithm is up to date with the latest standards | Set hashing if pam_unix.so exists" - community.general.pamd: - name: common-password - type: password - control: '[success=1 default=ignore]' - module_path: pam_unix.so - module_arguments: "{{ ubtu22cis_passwd_hash_algo }}" - state: "{{ 
ubtu22cis_passwd_setpam_hash_algo | ternary('args_present', 'args_absent') }}" - when: - - ubtu22cis_5_4_4_pam_unix_state.stdout | length > 0 - - - name: "5.4.4 | PATCH | Ensure password hashing algorithm is up to date with the latest standards | Set hashing if pam_unix.so does not exist" - ansible.builtin.lineinfile: - path: /etc/login.defs - regexp: '^ENCRYPT_METHOD' - line: 'ENCRYPT_METHOD {{ ubtu22cis_passwd_hash_algo }}' - when: - - ubtu22cis_rule_5_4_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.4.4 - - pam - -- name: "5.4.5 | PATCH | Ensure password hashing algorithm is up to date with the latest standards" - block: - - name: "5.4.5 | AUDIT | Ensure all current passwords uses the configured hashing algorithm | capture hash" - ansible.builtin.shell: cat /etc/shadow | awk -F':' '{print $1" "$2}' | grep -Ev '(!|\*)' - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_5_4_5_passwd_hash_used - - # This is only looking for yescrypt if sha512 need to change the $y$ to $6$ - - name: "5.4.5 | AUDIT | Ensure all current passwords uses the configured hashing algorithm | check has found" - ansible.builtin.debug: - msg: "Warning!! Passwords found using not using {{ ubtu22cis_passwd_hash_algo }} algorithm - This required manual intervention" - when: "' $y$' not in ubtu22cis_5_4_5_passwd_hash_used.stdout" - - - name: "5.4.5 | WARN | Ensure all current passwords uses the configured hashing algorithm | warn_count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: "' $y$' not in ubtu22cis_5_4_5_passwd_hash_used.stdout" - vars: - warn_control_id: '5.4.5' - when: - - ubtu22cis_rule_5_4_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.4.5 - - pam diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml deleted file mode 100644 index ada449c0..00000000 --- a/tasks/section_5/cis_5.5.x.yml +++ /dev/null 
@@ -1,313 +0,0 @@ ---- - -- name: "5.5.1.1 | PATCH | Ensure minimum days between password changes is configured" - block: - - name: "5.5.1.1 | PATCH | Ensure minimum days between password changes is configured | Set /etc/login.defs PASS_MIN_DAYS" - ansible.builtin.lineinfile: - path: /etc/login.defs - regexp: '^PASS_MIN_DAYS|^#PASS_MIN_DAYS' - line: 'PASS_MIN_DAYS {{ ubtu22cis_pass.min_days }}' - - - name: "5.5.1.1 | PATCH | Ensure minimum days between password changes is configured | Get existing users PASS_MIN_DAYS" - ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($4<{{ ubtu22cis_pass.min_days }})) {print $1}' /etc/shadow" - changed_when: false - failed_when: false - register: ubtu22cis_5_5_1_1_min_days - - - name: "5.5.1.1 | PATCH | Ensure minimum days between password changes is configured | Set existing users PASS_MIN_DAYS" - ansible.builtin.shell: chage --mindays {{ ubtu22cis_pass.min_days }} {{ item }} - failed_when: false - changed_when: ubtu22cis_5_5_1_1_min_days.stdout |length > 0 - loop: "{{ ubtu22cis_5_5_1_1_min_days.stdout_lines }}" - when: - - ubtu22cis_disruption_high - - (item != 'root') or (not ubtu22cis_uses_root) - when: - - ubtu22cis_rule_5_5_1_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.1.1 - - user - - login - -- name: "5.5.1.2 | PATCH | Ensure password expiration is 365 days or less" - block: - - name: "5.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Set /etc/login.defs PASS_MAX_DAYS" - ansible.builtin.lineinfile: - path: /etc/login.defs - regexp: '^PASS_MAX_DAYS|^#PASS_MAX_DAYS' - line: 'PASS_MAX_DAYS {{ ubtu22cis_pass.max_days }}' - insertafter: '# Password aging controls' - - - name: "5.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Get existing users PASS_MAX_DAYS" - ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5>{{ ubtu22cis_pass.max_days }} || $5<{{ ubtu22cis_pass.min_days }} || $5 == -1)){print $1}' /etc/shadow" - changed_when: false - 
failed_when: false - register: ubtu22cis_5_5_1_2_max_days - - - name: "5.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS" - ansible.builtin.shell: chage --maxdays {{ ubtu22cis_pass.max_days }} {{ item }} - failed_when: false - changed_when: ubtu22cis_5_5_1_2_max_days.stdout | length > 0 - loop: "{{ ubtu22cis_5_5_1_2_max_days.stdout_lines }}" - when: - - ubtu22cis_disruption_high - - (item != 'root') or (not ubtu22cis_uses_root) - when: - - ubtu22cis_rule_5_5_1_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.1.2 - - user - - login - -- name: "5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more" - block: - - name: "5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set /etc/login.defs PASS_WARN_AGE" - ansible.builtin.lineinfile: - path: /etc/login.defs - regexp: '^PASS_WARN_AGE|^#PASS_WARN_AGE' - line: 'PASS_WARN_AGE {{ ubtu22cis_pass.warn_age }}' - - - name: "5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Get existing users PASS_WARN_AGE" - ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && $6<{{ ubtu22cis_pass.warn_age }}){print $1}' /etc/shadow" - changed_when: false - failed_when: false - register: ubtu22cis_5_5_1_3_warn_days - - - name: "5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set existing users PASS_WARN_AGE" - ansible.builtin.shell: chage --maxdays {{ ubtu22cis_pass.warn_age }} {{ item }} - failed_when: false - changed_when: ubtu22cis_5_5_1_3_warn_days.stdout | length > 0 - loop: "{{ ubtu22cis_5_5_1_3_warn_days.stdout_lines }}" - when: - - ubtu22cis_disruption_high - - (item != 'root') or (not ubtu22cis_uses_root) - when: - - ubtu22cis_rule_5_5_1_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.1.3 - - user - - login - -- name: "5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less" - block: - - name: "5.5.1.4 | AUDIT | 
Ensure inactive password lock is 30 days or less | General setting" - ansible.builtin.shell: useradd -D | grep INACTIVE | cut -d= -f2 - changed_when: false - failed_when: false - register: ubtu22cis_5_5_1_4_inactive_setting - - - name: "5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set inactive period for new users" - ansible.builtin.shell: useradd -D -f {{ ubtu22cis_pass.inactive }} - failed_when: false - when: ubtu22cis_5_5_1_4_inactive_setting.stdout != ubtu22cis_pass.inactive | string - - - name: "5.5.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Get Individual users" - ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($7~/(\\s*|-1)/ || ( $7>1 && $7<{{ ubtu22cis_pass.inactive }}))) {print $1}' /etc/shadow" - changed_when: false - failed_when: false - register: ubtu22cis_5_5_1_4_inactive_users - - - name: "5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set inactive period for existing users" - ansible.builtin.shell: chage --inactive {{ ubtu22cis_pass.inactive }} {{ item }} - failed_when: false - with_items: - - "{{ ubtu22cis_passwd | map(attribute='id') | list | intersect(ubtu22cis_5_5_1_4_inactive_users.stdout_lines) | list }}" - when: - - ubtu22cis_disruption_high - - ubtu22cis_5_5_1_4_inactive_users.stdout | length > 0 - - (item != 'root') and (not ubtu22cis_uses_root) - when: - - ubtu22cis_rule_5_5_1_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.1.4 - - user - - login - -- name: "5.5.1.5 | PATCH | Ensure all users last password change date is in the past" - block: - - name: "5.5.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" - ansible.builtin.shell: echo $(($(date --utc --date "$1" +%s)/86400)) - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_5_5_1_5_current_time - - - name: "5.5.1.5 | AUDIT | Ensure all users last password change date is in the past | Get 
list of users with last changed PW date in future" - ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ ubtu22cis_5_5_1_5_current_time.stdout }})print$1}'" - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_5_5_1_5_user_list - - - name: "5.5.1.5 | PATCH | Ensure all users last password change date is in the past | Warn about users" - ansible.builtin.debug: - msg: - - "WARNING!! The following accounts have the last PW change date in the future" - - "{{ ubtu22cis_5_5_1_5_user_list.stdout_lines }}" - when: ubtu22cis_5_5_1_5_user_list.stdout | length > 0 - - - name: "5.5.1.5 | WARN | Ensure all users last password change date is in the past | warn_count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: ubtu22cis_5_5_1_5_user_list.stdout | length > 0 - - - name: "5.5.1.5 | PATCH | Ensure all users last password change date is in the past | Lock accounts with future PW changed dates" - ansible.builtin.shell: passwd --expire {{ item }} - failed_when: false - with_items: - - "{{ ubtu22cis_5_5_1_5_user_list.stdout_lines }}" - when: - - ubtu22cis_disruption_high - - ubtu22cis_5_5_1_5_user_list.stdout | length > 0 - vars: - warn_control_id: '5.5.1.5' - when: - - ubtu22cis_rule_5_5_1_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.1.5 - - user - - login - -- name: "5.5.2 | PATCH | Ensure system accounts are secured" - block: - - name: "5.5.2 | PATCH | Ensure system accounts are secured | Set system accounts to login" - ansible.builtin.user: - name: "{{ item }}" - shell: /sbin/nologin - with_items: - - "{{ ubtu22cis_passwd | selectattr('uid', '<', 1000) | map(attribute='id') | list }}" - when: - - item != "root" - - item != "sync" - - item != "shutdown" - - item != "halt" - - - name: "5.5.2 | PATCH | Ensure system accounts are secured | Lock non-root system accounts" - ansible.builtin.user: - name: "{{ item }}" - password_lock: true - with_items: - - "{{ ubtu22cis_passwd | 
selectattr('uid', '<', 1000) | map(attribute='id') | list }}" - when: - - item != "root" - when: - - ubtu22cis_rule_5_5_2 - - ubtu22cis_disruption_high - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.2 - - user - - system - -- name: "5.5.3 | PATCH | Ensure default group for the root account is GID 0" - block: - - name: "5.5.3 | PATCH | Ensure default group for the root account is GID 0 | Set root group to GUID 0" - ansible.builtin.group: - name: root - gid: 0 - - - name: "5.5.3 | PATCH | Ensure default group for the root account is GID 0 | Set root user to root group" - ansible.builtin.user: - name: root - group: root - when: - - ubtu22cis_rule_5_5_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.3 - - user - - system - -- name: "5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" - block: - - name: "5.5.4 | AUDIT | Ensure default user umask is 027 or more restrictive" - ansible.builtin.shell: grep -E '^session\s+optional\s+pam_umask.so' /etc/pam.d/common-session - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_5_5_4_umask_pam_status - - - name: "5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" - ansible.builtin.lineinfile: - path: /etc/pam.d/common-session - line: 'session optional pam_umask.so' - insertbefore: '^# end of pam-auth-update config' - when: ubtu22cis_5_5_4_umask_pam_status.stdout | length == 0 - - - name: "5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" - ansible.builtin.lineinfile: - path: "{{ item.path }}" - regexp: '(?i)(umask\s*\d\d\d)' - line: '{{ item.line }} {{ ubtu22cis_bash_umask }}' - with_items: - - { path: '/etc/bash.bashrc', line: 'umask' } - - { path: '/etc/profile', line: 'umask' } - - { path: '/etc/login.defs', line: 'UMASK' } - - - name: "5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" - ansible.builtin.lineinfile: - path: /etc/login.defs - 
regexp: '^USERGROUPS_ENAB' - line: USERGROUPS_ENAB no - when: - - ubtu22cis_rule_5_5_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.4 - - user - -- name: "5.5.5 | PATCH | Ensure default user shell timeout is 900 seconds or less" - ansible.builtin.blockinfile: - create: true - mode: '0644' - dest: "{{ item.dest }}" - state: "{{ item.state }}" - marker: "# {mark} ANSIBLE MANAGED" - block: | - # Set session timeout - CIS ID 5.5.5 - # only set TMOUT if it isn't set yet to avoid a shell error - : ${TMOUT={{ ubtu22cis_shell_session_timeout.timeout }}} - readonly TMOUT - export TMOUT - with_items: - - { dest: "{{ ubtu22cis_shell_session_timeout.file }}", state: present } - - { dest: /etc/profile, state: "{{ (ubtu22cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" } - - { dest: /etc/bash.bashrc, state: present } - when: - - ubtu22cis_rule_5_5_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.5 - - user diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index b5bc9184..e8d9d951 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml 
@@ -1,24 +1,55 @@ --- -- name: "SECTION | 5.1 | Configure time-based job schedulers" +- name: "SECTION | 5.1 | Configure SSH Server" ansible.builtin.import_tasks: - file: cis_5.1.x.yml + file: cis_5.1.x.yml -- name: "SECTION | 5.2 | Configure sudo" +- name: "SECTION | 5.2 | Configure privilege escalation" + when: not system_is_container ansible.builtin.import_tasks: - file: cis_5.2.x.yml + file: cis_5.2.x.yml + +- name: "SECTION | 5.3.1.x | Configure PAM software packages" when: not system_is_container + ansible.builtin.import_tasks: + file: cis_5.3.1.x.yml -- name: "SECTION | 5.3 | Configure SSH Server" +- name: "SECTION | 5.3.2.x | Configure pam-auth-update" + when: not system_is_container ansible.builtin.import_tasks: - file: cis_5.3.x.yml + file: cis_5.3.2.x.yml + +- name: "SECTION | 5.3.3.1.x | Configure pam_faillock module" when: not system_is_container + ansible.builtin.import_tasks: + file: cis_5.3.3.1.x.yml -- name: "SECTION | 5.4.x | User PAM" +- name: "SECTION | 5.3.3.2.x | Configure pam_pwquality module" + when: not system_is_container ansible.builtin.import_tasks: - file: cis_5.4.x.yml + file: cis_5.3.3.2.x.yml + +- name: "SECTION | 5.3.3.3.x | Configure pam_pwhistory module" when: not system_is_container + ansible.builtin.import_tasks: + file: cis_5.3.3.3.x.yml -- name: "SECTION | 5.5.x | User Accounts and Environment" +- name: "SECTION | 5.3.3.4.x | Configure pam_unix module" + when: not system_is_container + ansible.builtin.import_tasks: + file: cis_5.3.3.4.x.yml + +- name: "SECTION | 5.4.1.x | Configure shadow password suite parameters" + when: not system_is_container + ansible.builtin.import_tasks: + file: cis_5.4.1.x.yml + +- name: "SECTION | 5.4.2.x | Configure root and system accounts and environment" + when: not system_is_container + ansible.builtin.import_tasks: + file: cis_5.4.2.x.yml + +- name: "SECTION | 5.4.3.x | Configure user default environment" + when: not system_is_container ansible.builtin.import_tasks: - file: cis_5.5.x.yml + file: 
cis_5.4.3.x.yml diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 9770898e..267f0b78 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml 
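Review bot: The new `SECTION | 5.1 | Configure SSH Server` import has no `when: not system_is_container` guard, although the old `SECTION | 5.3 | Configure SSH Server` entry it replaces carried one and every other section in the rewritten file keeps it. As written the tasks in cis_5.1.x.yml will also run inside containers, where an sshd configuration is usually absent; if that is intended it deserves a comment, otherwise add `when: not system_is_container` under the task name as the sibling entries do. The renumbering of 5.2 through 5.4.3.x otherwise looks consistent with the new file names.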
@@ -1,370 +1,132 @@ --- -- name: "6.1.1 | PATCH | Ensure permissions on /etc/passwd are configured" - ansible.builtin.file: - path: /etc/passwd - owner: root - group: root - mode: '0644' +- name: "6.1.1 | PATCH | Ensure AIDE is installed" when: - - ubtu22cis_rule_6_1_1 + - ubtu22cis_rule_6_1_1 + - ubtu22cis_config_aide tags: - - level1-server - - level1-workstation - - patch - - permissions - - rule_6.1.1 - -- name: "6.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured" - ansible.builtin.file: - path: /etc/passwd- - owner: root - group: root - mode: '0644' - failed_when: discovered_file_exists.state not in '[ file, absent ]' - register: discovered_file_exists - when: - - ubtu22cis_rule_6_1_2 - tags: - - level1-server - - level1-workstation - - patch - - permissions - - rule_6.1.2 - -- name: "6.1.3 | PATCH | Ensure permissions on /etc/group are configured" - ansible.builtin.file: - path: /etc/group - owner: root - group: root - mode: '0644' - when: - - ubtu22cis_rule_6_1_3 - tags: - - level1-server - - level1-workstation - - patch - - permissions - - rule_6.1.3 - -- name: "6.1.4 | PATCH | Ensure permissions on /etc/group- are configured" - ansible.builtin.file: - path: /etc/group- - owner: root - group: root - mode: '0644' - when: - - ubtu22cis_rule_6_1_4 - tags: - - level1-server - - level1-workstation - - patch - - permissionss - - rule_6.1.4 - -- name: "6.1.5 | PATCH | Ensure permissions on /etc/shadow are configured" - ansible.builtin.file: - path: /etc/shadow - owner: root - group: root - mode: '0640' - when: - - ubtu22cis_rule_6_1_5 - tags: - - level1-server - - level1-workstation - - patch - - permissions - - rule_6.1.5 - -- name: "6.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured" - ansible.builtin.file: - path: /etc/shadow- - owner: root - group: root - mode: '0640' - when: - - ubtu22cis_rule_6_1_6 - tags: - - level1-server - - level1-workstation - - patch - - permissions - - rule_6.1.6 - -- name: "6.1.7 | PATCH | Ensure 
permissions on /etc/gshadow are configured" - ansible.builtin.file: - path: /etc/gshadow - owner: root - group: root - mode: '0640' - when: - - ubtu22cis_rule_6_1_7 - tags: - - level1-server - - level1-workstation - - patch - - permissions - - rule_6.1.7 - -- name: "6.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured" - ansible.builtin.file: - path: /etc/gshadow- - owner: root - group: root - mode: '0640' - when: - - ubtu22cis_rule_6_1_8 - tags: - - level1-server - - level1-workstation - - patch - - permissions - - rule_6.1.8 - -- name: "6.1.9 | PATCH | Ensure no world writable files exist" + - level1-server + - level1-workstation + - patch + - rule_6.1.1 + - aide + - NIST800-53R5_AU-2 block: - - name: "6.1.9 | AUDIT | Ensure no world writable files exist | Get list of world-writable files" - ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 - failed_when: false - changed_when: false - register: rhel_09_6_1_9_perms_results - - - name: "6.1.9 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" - ansible.builtin.file: - path: '{{ item }}' - mode: o-w - state: touch - loop: "{{ rhel_09_6_1_9_perms_results.stdout_lines }}" - when: - - rhel_09_6_1_9_perms_results.stdout_lines is defined - - ubtu22cis_no_world_write_adjust + - name: "6.1.1 | PATCH | Ensure AIDE is installed" + when: + - "'aide' not in ansible_facts.packages or + 'aide-common' not in ansible_facts.packages" + ansible.builtin.package: + name: ['aide', 'aide-common'] + state: present + update_cache: true + register: discovered_aide_pkg_added + + - name: "6.1.1 | PATCH | Ensure AIDE is installed | Recapture packages" + when: discovered_aide_pkg_added.skipped is not defined + ansible.builtin.package_facts: + manager: auto + + - name: "6.1.1 | AUDIT | Ensure AIDE is installed | Check file exists" + ansible.builtin.stat: + path: "{{ ubtu22cis_aide_db_file }}" + register: 
discovered_aide_db_file + + - name: "6.1.1 | AUDIT | Ensure AIDE is installed | Check current db file age" + when: discovered_aide_db_file.stat.exists + ansible.builtin.find: + path: "{{ ubtu22cis_aide_db_file | dirname }}" + pattern: "{{ ubtu22cis_aide_db_file | basename }}" + age: "{{ ubtu22cis_aide_db_file_age }}" + register: discovered_aide_db_age + + - name: "6.1.1 | PATCH | Ensure AIDE is installed | Configure AIDE" + when: + - not ansible_check_mode + - not discovered_aide_db_file.stat.exists or + (discovered_aide_db_age.files | length > 0) or + ubtu22cis_aide_db_recreate + block: + - name: "6.1.1 | PATCH | Ensure AIDE is installed | Remove current db file" + ansible.builtin.file: + path: "{{ ubtu22cis_aide_db_file }}" + state: absent + + - name: "6.1.1 | PATCH | Ensure AIDE is installed | Configure AIDE" + when: not ansible_check_mode + ansible.builtin.command: aideinit -y -f + args: + creates: "{{ ubtu22cis_aide_db_file }}" + async: "{{ ubtu22cis_aide_init_async }}" + poll: "{{ ubtu22cis_aide_init_poll }}" + +- name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked" when: - - ubtu22cis_rule_6_1_9 + - ubtu22cis_config_aide + - ubtu22cis_rule_6_1_2 tags: - - level1-server - - level1-workstation - - patch - - files - - permissions - - rule_6.1.9 - -- name: "6.1.10 | PATCH | Ensure no unowned files or directories exist" + - level1-server + - level1-workstation + - patch + - rule_6.1.2 + - cron + - aide + - NIST800-53R5_NA block: - - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Get unowned files or directories" - ansible.builtin.shell: find {{ item.mount }} -xdev -nouser -not -fstype nfs - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_6_1_10_no_user_items - with_items: - - "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.mount }}" - - - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Flatten no_user_items results for easier use" - 
ansible.builtin.set_fact: - ubtu22cis_6_1_10_no_user_items_flatten: "{{ ubtu22cis_6_1_10_no_user_items.results | map(attribute='stdout_lines') | flatten }}" - - - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Alert on unowned files and directories" - ansible.builtin.debug: - msg: - - "Warning!! You have unowned files and are configured to not auto-remediate for this task" - - "Please review the files/directories below and assign an owner" - - "{{ ubtu22cis_6_1_10_no_user_items_flatten }}" - when: - - not ubtu22cis_no_owner_adjust - - ubtu22cis_6_1_10_no_user_items_flatten | length > 0 - - - name: "6.1.10 | PATCH | Ensure no unowned files or directories exist | Set unowned files/directories to configured owner" - ansible.builtin.file: - path: "{{ item }}" - owner: "{{ ubtu22cis_unowned_owner }}" - with_items: - - "{{ ubtu22cis_6_1_10_no_user_items_flatten }}" - when: - - ubtu22cis_no_owner_adjust - - ubtu22cis_6_1_10_no_user_items_flatten | length > 0 - - - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Warn Count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: - - not ubtu22cis_no_owner_adjust - - ubtu22cis_6_1_10_no_user_items_flatten | length > 0 - vars: - warn_control_id: '6.1.10' - when: - - ubtu22cis_rule_6_1_10 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.1.10 - - permissions - -- name: "6.1.11 | PATCH | Ensure no ungrouped files or directories exist" - block: - - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Get ungrouped files or directories" - ansible.builtin.shell: find {{ item.mount }} -xdev -nogroup -not -fstype nfs - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_6_1_11_ungrouped_items - with_items: - - "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.mount }}" - - - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Flatten ungrouped_items results 
for easier use" - ansible.builtin.set_fact: - ubtu22cis_6_1_11_ungrouped_items_flatten: "{{ ubtu22cis_6_1_11_ungrouped_items.results | map(attribute='stdout_lines') | flatten }}" - - - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Alert on ungrouped files and directories" - ansible.builtin.debug: - msg: - - "Warning!! You have ungrouped files/directories and are configured to not auto-remediate for this task" - - "Please review the files/directories below and assign a group" - - "{{ ubtu22cis_6_1_11_ungrouped_items_flatten }}" - when: - - not ubtu22cis_no_group_adjust - - ubtu22cis_6_1_11_ungrouped_items_flatten | length > 0 - - - name: "6.1.11 | PATCH | Ensure no ungrouped files or directories exist | Set ungrouped files/directories to configured group" - ansible.builtin.file: - path: "{{ item }}" - group: "{{ ubtu22cis_ungrouped_group }}" - with_items: - - "{{ ubtu22cis_6_1_11_ungrouped_items_flatten }}" - when: - - ubtu22cis_no_group_adjust - - ubtu22cis_6_1_11_ungrouped_items_flatten | length > 0 - - - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Warn Count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: - - not ubtu22cis_no_group_adjust - - ubtu22cis_6_1_11_ungrouped_items_flatten | length > 0 - vars: - warn_control_id: '6.1.11' - when: - - ubtu22cis_rule_6_1_11 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.1.11 - - permissions - -- name: "6.1.12 | AUDIT | Audit SUID executables" - block: - - name: "6.1.12 | AUDIT | Audit SUID executables | Find SUID executables" - ansible.builtin.shell: find {{ item.mount }} -xdev -type f -perm -4000 -not -fstype nfs - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_6_1_12_suid_executables - with_items: - - "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.mount }}" - - - name: "6.1.12 | AUDIT | Audit SUID executables | Flatten suid_executables results for easier use" 
- ansible.builtin.set_fact: - ubtu22cis_6_1_12_suid_executables_flatten: "{{ ubtu22cis_6_1_12_suid_executables.results | map(attribute='stdout_lines') | flatten }}" - - - name: "6.1.12 | AUDIT | Audit SUID executables | Alert SUID executables exist" - ansible.builtin.debug: - msg: - - "Warning!! You have SUID executables" - - "The files are listed below, please confirm the integrity of these binaries" - - "{{ ubtu22cis_6_1_12_suid_executables_flatten }}" - when: - - ubtu22cis_6_1_12_suid_executables_flatten | length > 0 - - not ubtu22cis_suid_adjust - - - name: "6.1.12 | PATCH | Audit SUID executables | Remove SUID bit" - ansible.builtin.file: - path: "{{ item }}" - mode: 'u-s' - with_items: - - "{{ ubtu22cis_6_1_12_suid_executables_flatten }}" - when: - - ubtu22cis_suid_adjust - - ubtu22cis_6_1_12_suid_executables_flatten | length > 0 - - - name: "6.1.12 | AUDIT | Audit SUID executables | Warn Count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: - - ubtu22cis_6_1_12_suid_executables_flatten | length > 0 - - not ubtu22cis_suid_adjust - vars: - warn_control_id: '6.1.12' - when: - - ubtu22cis_rule_6_1_12 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_6.1.12 - - permissions - -- name: "6.1.13 | AUDIT | Audit SGID executables" - block: - - name: "6.1.13 | AUDIT | Audit SGID executables | Find SGID executables" - ansible.builtin.shell: find {{ item }} -xdev -type f -perm -2000 -not -fstype nfs - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_6_1_13_sgid_executables - with_items: - - "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.mount }}" - - - name: "6.1.13 | AUDIT | Audit SGID executables | Flatten sgid_executables results for easier use" - ansible.builtin.set_fact: - ubtu22cis_6_1_13_sgid_executables_flatten: "{{ ubtu22cis_6_1_13_sgid_executables.results | map(attribute='stdout_lines') | flatten }}" - - - name: "6.1.13 | AUDIT | Audit SGID executables | Alert SGID 
executables exist" - ansible.builtin.debug: - msg: - - "Warning!! You have SGID executables" - - "The files are listed below, please review the integrity of these binaries" - - "{{ ubtu22cis_6_1_13_sgid_executables_flatten }}" - when: - - ubtu22cis_6_1_13_sgid_executables_flatten | length > 0 - - not ubtu22cis_sgid_adjust - - - name: "6.1.13 | AUDIT | Audit SGID executables | Warn Count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: - - ubtu22cis_6_1_13_sgid_executables_flatten | length > 0 - - not ubtu22cis_sgid_adjust - - - name: "6.1.13 | PATCH | Audit SGID executables | Remove SGID bit" - ansible.builtin.file: - path: "{{ item }}" - mode: 'g-s' - with_items: - - "{{ ubtu22cis_6_1_13_sgid_executables_flatten }}" - when: - - ubtu22cis_sgid_adjust - - ubtu22cis_6_1_13_sgid_executables_flatten | length > 0 - vars: - warn_control_id: '6.1.13' - when: - - ubtu22cis_rule_6_1_13 + - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | cron" + when: ubtu22cis_aide_scan == 'cron' + ansible.builtin.cron: + name: Run AIDE integrity check + cron_file: "{{ ubtu22cis_aide_cron_file }}" + user: "{{ ubtu22cis_aide_cron_user }}" + minute: "{{ ubtu22cis_aide_cron_minute | default('0') }}" + hour: "{{ ubtu22cis_aide_cron_hour | default('5') }}" + day: "{{ ubtu22cis_aide_cron_day | default('*') }}" + month: "{{ ubtu22cis_aide_cron_month | default('*') }}" + weekday: "{{ ubtu22cis_aide_cron_weekday | default('*') }}" + job: "{{ ubtu22cis_aide_cron_job }}" + + - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | timer template" + when: ubtu22cis_aide_scan == 'timer' + ansible.builtin.template: + src: "{{ item }}.j2" + dest: "/{{ item }}" + owner: root + group: root + mode: 'go-wx' + loop: + - etc/systemd/system/aidecheck.service + - etc/systemd/system/aidecheck.timer + + - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | timer service" + when: ubtu22cis_aide_scan == 'timer' + 
ansible.builtin.systemd: + name: "{{ item }}" + state: started + enabled: true + daemon_reload: true + loop: + - aidecheck.service + - aidecheck.timer + +- name: "6.1.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" + when: ubtu22cis_rule_6_1_3 tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_6.1.13 - - permissions + - level1-server + - level1-workstation + - aide + - file_integrity + - patch + - rule_6.1.3 + - NIST800-53R5_NA + ansible.builtin.blockinfile: + path: /etc/aide/aide.conf + marker: "# {mark} Audit tools - CIS benchmark - Ansible-lockdown" + block: | + /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 + /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 + /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 + /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 + /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 + /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 + validate: aide -D --config %s diff --git a/tasks/section_6/cis_6.2.1.1.x.yml b/tasks/section_6/cis_6.2.1.1.x.yml new file mode 100644 index 00000000..88c9d25f --- /dev/null +++ b/tasks/section_6/cis_6.2.1.1.x.yml 
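Review bot: Task 6.1.3 edits /etc/aide/aide.conf and validates it with `aide -D --config %s` guarded only by `ubtu22cis_rule_6_1_3`, whereas 6.1.1 and 6.1.2 also require `ubtu22cis_config_aide`; with AIDE management disabled the blockinfile will fail on a missing config file or a missing `aide` binary, so its `when:` should list `- ubtu22cis_rule_6_1_3` and `- ubtu22cis_config_aide` like its siblings. It also runs after 6.1.1 has already (re)initialised the database, so the audit-tool entries added here are presumably absent from the baseline until the next re-init and the scheduled check would report them as new rather than verify them; registering the blockinfile result and triggering a database rebuild when it changed would keep config and database in step. In 6.1.1 the inner block and its `aideinit -y -f` task share one name and both carry `when: not ansible_check_mode`; dropping the duplicate condition and renaming the task (e.g. `Initialise AIDE database`) would make log output unambiguous. The `validate:` call on 6.1.3 is a good safeguard and should stay.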
@@ -0,0 +1,180 @@ +--- + +- name: "6.2.1.1.1 | PATCH | Ensure journald service is enabled and active" + when: ubtu22cis_rule_6_2_1_1_1 + tags: + - level1-server + - level1-workstation + - audit + - journald + - rule_6.2.1.1.1 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-12 + ansible.builtin.systemd: + name: systemd-journald.service + masked: false + state: started + +- name: "6.2.1.1.2 | PATCH | Ensure journald log file access is configured" + when: ubtu22cis_rule_6_2_1_1_2 + tags: + - level1-server + - level1-workstation + - audit + - journald + - rule_6.2.1.1.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_MP-2 + - NIST800-53R5_SI-5 + block: + - name: "6.2.1.1.2 | PATCH | Ensure journald log file access is configured | Default file permissions" + ansible.builtin.file: + path: /usr/lib/tmpfiles.d/systemd.conf + mode: 'g-wx,o-rwx' + + - name: "6.2.1.1.2 | AUDIT | Ensure journald log file access is configured | Check for override file" + ansible.builtin.stat: + path: /etc/tmpfiles.d/systemd.conf + register: discovered_tmpfile_override + + - name: "6.2.1.1.2 | AUDIT | Ensure journald log file access is configured | If override file check for journal" + when: discovered_tmpfile_override.stat.exists + ansible.builtin.shell: grep -E 'z /var/log/journal/%m/system.journal \d*' /usr/lib/tmpfiles.d/systemd.conf + changed_when: false + failed_when: discovered_journald_fileperms_override.rc not in [ 0, 1 ] + register: discovered_journald_fileperms_override + + - name: "6.2.1.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found" + when: + - discovered_tmpfile_override.stat.exists + - discovered_journald_fileperms_override.stdout | length > 0 + ansible.builtin.debug: + msg: "Warning!! 
- tmpfiles override found /usr/lib/tmpfiles.d/systemd.conf affecting journald files please confirm matches site policy" + + - name: "6.2.1.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found" + when: + - discovered_tmpfile_override.stat.exists + - discovered_journald_fileperms_override.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '6.2.1.1.2' + +- name: "6.2.1.1.3 | PATCH | Ensure journald log file rotation is configured" + when: ubtu22cis_rule_6_2_1_1_3 + tags: + - level1-server + - level1-workstation + - patch + - journald + - rule_6.2.1.1.3 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-12 + block: + - name: "6.2.1.1.3 | PATCH | Ensure journald log file rotation is configured | Add file" + ansible.builtin.template: + src: etc/systemd/journald.conf.d/rotation.conf.j2 + dest: /etc/systemd/journald.conf.d/rotation.conf + owner: root + group: root + mode: 'g-wx,o-rwx' + notify: Restart journald + + - name: "6.2.1.1.3 | PATCH | Ensure journald log file rotation is configured | comment out current entries" + ansible.builtin.replace: + path: /etc/systemd/journald.conf + regexp: "{{ item }}" + replace: '#\1' + loop: + - '^(\s*SystemMaxUse\s*=.*)' + - '^(\s*SystemKeepFree\s*=.*)' + - '^(\s*RuntimeMaxUse\s*=)' + - '^(\s*RuntimeKeepFree\s*=.*)' + - '^(\s*MaxFileSec\s*=.*)' + notify: Restart journald + +- name: "6.2.1.1.4 | PATCH | Ensure journald ForwardToSyslog is disabled" + when: ubtu22cis_rule_6_2_1_1_4 + tags: + - level1-server + - level2-workstation + - patch + - journald + - rule_6.2.1.1.4 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-6 + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-12 + block: + - name: "6.2.1.1.4 | PATCH | Ensure journald ForwardToSyslog is disabled | Add file" + ansible.builtin.template: + src: etc/systemd/journald.conf.d/forwardtosyslog.conf.j2 + dest: /etc/systemd/journald.conf.d/forwardtosyslog.conf + owner: root + group: root + mode: 
'g-wx,o-rwx' + notify: Restart journald + + - name: "6.2.1.1.4 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries" + ansible.builtin.replace: + path: /etc/systemd/journald.conf + regexp: ^(\s*ForwardToSyslog) + replace: '#\1' + notify: Restart journald + +- name: "6.2.1.1.5 | PATCH | Ensure journald Storage is configured" + when: ubtu22cis_rule_6_2_1_1_5 + tags: + - level1-server + - level1-workstation + - patch + - journald + - rule_6.2.1.1.5 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + block: + - name: "6.2.1.1.5 | PATCH | Ensure journald Storage is configured | Add file" + ansible.builtin.template: + src: etc/systemd/journald.conf.d/storage.conf.j2 + dest: /etc/systemd/journald.conf.d/storage.conf + owner: root + group: root + mode: 'g-wx,o-rwx' + notify: Restart journald + + - name: "6.2.1.1.5 | PATCH | Ensure journald Storage is configured | comment out current entries" + ansible.builtin.replace: + path: /etc/systemd/journald.conf + regexp: ^(?i)(\s*storage=) + replace: '#\1' + notify: Restart journald + +- name: "6.2.1.1.6 | PATCH | Ensure journald Compress is configured" + when: ubtu22cis_rule_6_2_1_1_6 + tags: + - level1-server + - level1-workstation + - patch + - journald + - rule_6.2.1.1.6 + - NIST800-53R5_AU-4 + block: + - name: "6.2.1.1.6 | PATCH | Ensure journald Compress is configured | Add file" + ansible.builtin.template: + src: etc/systemd/journald.conf.d/storage.conf.j2 # Added to the same file as 6.2.1.1.5 + dest: /etc/systemd/journald.conf.d/storage.conf + owner: root + group: root + mode: 'g-wx,o-rwx' + notify: Restart journald + + - name: "6.2.1.1.6 | PATCH | Ensure journald Compress is configured | comment out current entries" + ansible.builtin.replace: + path: /etc/systemd/journald.conf + regexp: ^(?i)(\s*compress=) + replace: '#\1' + notify: Restart journald diff --git a/tasks/section_6/cis_6.2.1.2.x.yml b/tasks/section_6/cis_6.2.1.2.x.yml new file mode 100644 index 00000000..e4747936 --- /dev/null 
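Review bot: In the 6.2.1.1.2 task "If override file check for journal", the `when` keys on `/etc/tmpfiles.d/systemd.conf` existing but the grep then reads `/usr/lib/tmpfiles.d/systemd.conf`, so the override file that triggered the check appears never to be inspected and the debug warning names the default file rather than the override; the grep and the message text should both point at `/etc/tmpfiles.d/systemd.conf`. The pattern also relies on `\d*` under `grep -E`, which GNU grep's ERE does not define (recent releases warn about the stray backslash), so `[0-9]*` is the portable spelling: `ansible.builtin.shell: grep -E 'z /var/log/journal/%m/system.journal [0-9]*' /etc/tmpfiles.d/systemd.conf`. As a smaller consistency point, 6.2.1.1.3's `'^(\s*RuntimeMaxUse\s*=)'` is the only loop entry without the trailing `.*`; behaviour is identical because only `#` is prepended to group 1, but matching its siblings avoids a reader wondering whether the difference is deliberate.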
+++ b/tasks/section_6/cis_6.2.1.2.x.yml 
@@ -0,0 +1,80 @@ +--- + +- name: "6.2.1.2.1 | PATCH | Ensure systemd-journal-remote is installed" + when: + - ubtu22cis_rule_6_2_1_2_1 + - not ubtu22cis_system_is_log_server + tags: + - level1-server + - level1-workstation + - patch + - journald + - rule_6.2.1.2.1 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-12 + ansible.builtin.package: + name: systemd-journal-remote + state: present + +- name: "6.2.1.2.2 | PATCH | Ensure systemd-journal-remote authentication is configured" + when: + - ubtu22cis_rule_6_2_1_2_2 + - not ubtu22cis_system_is_log_server + tags: + - level1-server + - level1-workstation + - patch + - journald + - rule_6.2.1.2.2 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + ansible.builtin.lineinfile: + path: /etc/systemd/journal-upload.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + loop: + - { regexp: 'URL=', line: 'URL={{ ubtu22cis_remote_log_server }}'} + - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ ubtu22cis_journal_upload_serverkeyfile }}'} + - { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ ubtu22cis_journal_servercertificatefile }}'} + - { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ ubtu22cis_journal_trustedcertificatefile }}'} + notify: Restart journald + +- name: "6.2.1.2.3 | PATCH | Ensure systemd-journal-upload is enabled and active" + when: + - not ubtu22cis_system_is_log_server + - ubtu22cis_rule_6_2_1_2_3 + tags: + - level1-server + - level1-workstation + - patch + - journald + - rule_6.2.1.2.3 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + ansible.builtin.systemd: + name: systemd-journal-upload + masked: false + enabled: true + +- name: "6.2.1.2.4 | PATCH | Ensure systemd-journal-remote service is not in use" + when: + - not ubtu22cis_system_is_log_server + - ubtu22cis_rule_6_2_1_2_4 + tags: + - level1-server + - level1-workstation + - patch + - journald + - rule_6.2.1.2.4 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-12 + 
ansible.builtin.systemd: + name: "{{ item }}" + state: stopped + enabled: false + masked: true + loop: + - systemd-journal-remote.socket + - systemd-journal-remote.service diff --git a/tasks/section_6/cis_6.2.2.yml b/tasks/section_6/cis_6.2.2.yml new file mode 100644 index 00000000..100571e9 --- /dev/null +++ b/tasks/section_6/cis_6.2.2.yml @@ -0,0 +1,41 @@ +--- + +- name: "6.2.2.1 | PATCH | Ensure access to all logfiles has been configured" + when: + - ubtu22cis_rule_6_2_2_1 + tags: + - level1-server + - level1-workstation + - patch + - logfiles + - rule_6.2.2.1 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + block: + - name: "6.2.2.1 | AUDIT | Ensure access to all logfiles has been configured | find files" + ansible.builtin.shell: find /var/log/ -type f -exec ls {} \; + changed_when: false + failed_when: false + register: discovered_system_logfiles + + - name: "6.2.2.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" + when: + - discovered_system_logfiles.stdout_lines is defined + - item != "/var/log/btmp" + - item != "/var/log/utmp" + - item != "/var/log/wtmp" + - item != "/var/log/lastlog" + ansible.builtin.file: + path: "{{ item }}" + mode: 'u-x,g-wx,o-rwx' + loop: "{{ discovered_system_logfiles.stdout_lines }}" + + - name: "6.2.2.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" + ansible.builtin.file: + path: "{{ item }}" + mode: 'ug-x,o-wx' + with_fileglob: + - "/var/log/*tmp" + - "/var/log/lastlog*" + - "/var/log/sssd*" + - "/var/log/SSSD*" diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml deleted file mode 100644 index ed3166ae..00000000 --- a/tasks/section_6/cis_6.2.x.yml +++ /dev/null 
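Review bot: The 6.2.1.2.3 task enables `systemd-journal-upload` but never starts it, although the control title reads "enabled and active"; add `state: started` beside `enabled: true` so a freshly configured host forwards logs without waiting for a reboot. In 6.2.1.2.2 the loop references `ubtu22cis_journal_upload_serverkeyfile` but then `ubtu22cis_journal_servercertificatefile` and `ubtu22cis_journal_trustedcertificatefile` (no `upload_`), which looks like a naming slip that will surface as an undefined variable unless defaults declare all three spellings — worth confirming against the role defaults. The `regexp: 'URL='` family is unanchored; since lineinfile rewrites only the last match this works for the stock `[Upload]` section, but anchoring (`regexp: '^#?\s*URL='`) records that intent and avoids catching a future key that merely contains the string.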
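Review bot: The two permission tasks in 6.2.2.1 carry the identical name "... | change permissions", which makes play output and `--list-tasks` indistinguishable; rename the second to something like "... | change permissions on login records and sssd logs". The discovery task shells out only to list paths, so `-exec ls {} \;` is redundant — `find /var/log/ -type f` already prints one path per line — and `ansible.builtin.find` (`paths: /var/log`, `recurse: true`, `file_type: file`) would drop the shell and the `failed_when: false`, which currently turns a failing find (for example an unreadable subtree) into a silently empty file list. Note also that the first permission task excludes only the four exact login-record names, so rotated copies such as `wtmp.1` and the `sssd` files first receive `o-rwx` and the later `ug-x,o-wx` task never relaxes them; that errs on the strict side rather than leaving a gap, but if the ordering is intentional a one-line comment above the second task saying so would save the next maintainer from re-deriving it.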
@@ -1,528 +0,0 @@ ---- - -- name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords" - block: - - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Get users not using shadowed passwords" - ansible.builtin.shell: awk -F':' '($2 != "x" ) { print $1}' /etc/passwd - changed_when: false - failed_when: false - register: ubtu22cis_6_2_1_nonshadowed_users - - - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Warn on findings" - ansible.builtin.debug: - msg: - - "Warning!! You have users that are not using a shadowed password. Please convert the below accounts to use a shadowed password" - - "{{ ubtu22cis_6_2_1_nonshadowed_users.stdout_lines }}" - when: ubtu22cis_6_2_1_nonshadowed_users.stdout | length > 0 - - - name: "6.2.1 | WARN | Ensure accounts in /etc/passwd use shadowed passwords | warn_count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: ubtu22cis_6_2_1_nonshadowed_users.stdout | length > 0 - vars: - warn_control_id: '6.2.1' - when: - - ubtu22cis_rule_6_2_1 - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_6.2.1 - - user_accounts - -- name: "6.2.2 | PATCH | Ensure /etc/shadow password fields are not empty" - block: - - name: "6.2.2 | AUDIT | Ensure /etc/shadow password fields are not empty | Find users with no password" - ansible.builtin.shell: awk -F":" '($2 == "" ) { print $1 }' /etc/shadow - changed_when: false - check_mode: false - register: ubtu22cis_6_2_2_empty_password_acct - - - name: "6.2.2 | PATCH | Ensure /etc/shadow password fields are not empty | Lock users with empty password" - ansible.builtin.user: - name: "{{ item }}" - password_lock: true - with_items: - - "{{ ubtu22cis_6_2_2_empty_password_acct.stdout_lines }}" - when: ubtu22cis_6_2_2_empty_password_acct.stdout | length > 0 - when: - - ubtu22cis_rule_6_2_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.2.2 - - user - - 
permissions - -- name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" - block: - - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" - ansible.builtin.shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_6_2_3_passwd_gid_check - - - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" - ansible.builtin.debug: - msg: "Good News! There are no users that have non-existent GUIDs (Groups)" - when: ubtu22cis_6_2_3_passwd_gid_check.stdout | length == 0 - - - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" - ansible.builtin.debug: - msg: "Warning!! The following users have non-existent GIDs (Groups): {{ ubtu22cis_6_2_3_passwd_gid_check.stdout_lines | join (', ') }}" - when: ubtu22cis_6_2_3_passwd_gid_check.stdout | length > 0 - - - name: "6.2.3 | WARN | Ensure all groups in /etc/passwd exist in /etc/group | warn_count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: ubtu22cis_6_2_3_passwd_gid_check.stdout | length > 0 - vars: - warn_control_id: '6.2.3' - when: - - ubtu22cis_rule_6_2_3 - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_6.2.3 - - groups - -- name: "6.2.4 | PATCH | Ensure shadow group is empty" - block: - - name: "6.2.4 | AUDIT | Ensure shadow group is empty | check users in group" - ansible.builtin.getent: - database: group - split: ':' - key: shadow - - - name: "6.2.4 | AUDIT | Ensure shadow group is empty | check users in group" - ansible.builtin.debug: - msg: "Warning!! 
- You have users in the shadow group" - when: ansible_facts.getent_group.shadow[2] | length > 0 - - - name: "6.2.4 | AUDIT | Ensure shadow group is empty | check users in group" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: ansible_facts.getent_group.shadow[2] | length > 0 - vars: - warn_control_id: '6.2.4' - when: - - ubtu22cis_rule_6_2_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.2.4 - - user - -- name: "6.2.5 | AUDIT | Ensure no duplicate UIDs exist" - block: - - name: "6.2.5 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" - ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_6_2_5_user_uid_check - - - name: "6.2.5 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" - ansible.builtin.debug: - msg: "Warning!! The following users have UIDs that are duplicates: {{ ubtu22cis_6_2_5_user_uid_check.stdout_lines }}" - when: ubtu22cis_6_2_5_user_uid_check.stdout | length > 0 - - - name: "6.2.5 | AUDIT | Ensure no duplicate UIDs exist | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: ubtu22cis_6_2_5_user_uid_check.stdout | length > 0 - vars: - warn_control_id: '6.2.5' - when: - - ubtu22cis_rule_6_2_5 - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_6.2.5 - - user - -- name: "6.2.6 | AUDIT | Ensure no duplicate GIDs exist" - block: - - name: "6.2.6 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" - ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_6_2_6_user_user_check - - - name: "6.2.6 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" - ansible.builtin.debug: - 
msg: "Warning!! The following groups have duplicate GIDs: {{ ubtu22cis_6_2_14_user_user_check.stdout_lines }}" - when: ubtu22cis_6_2_6_user_user_check.stdout | length > 0 - - - name: "6.2.6 | AUDIT | Ensure no duplicate GIDs exist | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: ubtu22cis_6_2_6_user_user_check.stdout | length > 0 - vars: - warn_control_id: '6.2.6' - when: - - ubtu22cis_rule_6_2_6 - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_6.2.6 - - groups - -- name: "6.2.7 | AUDIT | Ensure no duplicate user names exist" - block: - - name: "6.2.7 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" - ansible.builtin.shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_6_2_7_user_username_check - - - name: "6.2.7 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" - ansible.builtin.debug: - msg: "Warning!! 
The following user names are duplicates: {{ ubtu22cis_6_2_7_user_username_check.stdout_lines }}" - when: ubtu22cis_6_2_7_user_username_check.stdout | length > 0 - - - name: "6.2.7 | AUDIT | Ensure no duplicate user names exist | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: ubtu22cis_6_2_7_user_username_check.stdout | length > 0 - vars: - warn_control_id: '6.2.7' - when: - - ubtu22cis_rule_6_2_7 - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_6.2.7 - - user - -- name: "6.2.8 | AUDIT | Ensure no duplicate group names exist" - block: - - name: "6.2.8 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" - ansible.builtin.shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_6_2_8_group_group_check - - - name: "6.2.8 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" - ansible.builtin.debug: - msg: "Warning!! 
The following group names are duplicates: {{ ubtu22cis_6_2_8_group_group_check.stdout_lines }}" - when: ubtu22cis_6_2_8_group_group_check.stdout | length > 0 - - - name: "6.2.8 | AUDIT | Ensure no duplicate group names exist | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: ubtu22cis_6_2_8_group_group_check.stdout | length > 0 - vars: - warn_control_id: '6.2.8' - when: - - ubtu22cis_rule_6_2_8 - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_6.2.8 - - groups - -- name: "6.2.9 | PATCH | Ensure root PATH Integrity" - block: - - name: "6.2.9 | AUDIT | Ensure root PATH Integrity | Get root paths" - ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 - changed_when: false - register: ubtu22cis_6_2_9_root_paths - - - name: "6.2.9 | AUDIT | Ensure root PATH Integrity | Get root paths" - ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 | tr ":" "\n" - changed_when: false - register: ubtu22cis_6_2_9_root_paths_split - - - name: "6.2.9 | AUDIT | Ensure root PATH Integrity | Set fact" - ansible.builtin.set_fact: - root_paths: "{{ ubtu22cis_6_2_9_root_paths.stdout }}" - - - name: "6.2.9 | AUDIT | Ensure root PATH Integrity | Check for empty dirs" - ansible.builtin.shell: 'echo {{ root_paths }} | grep -q "::" && echo "roots path contains a empty directory (::)"' - changed_when: false - failed_when: root_path_empty_dir.rc not in [ 0, 1 ] - register: root_path_empty_dir - - - name: "6.2.9 | AUDIT | Ensure root PATH Integrity | Check for trailing ':'" - ansible.builtin.shell: '{{ root_paths }} | cut -d= -f2 | grep -q ":$" && echo "roots path contains a trailing (:)"' - changed_when: false - failed_when: root_path_trailing_colon.rc not in [ 0, 1 ] - register: root_path_trailing_colon - - - name: "6.2.9 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" - block: - - name: "6.2.9 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" - 
ansible.builtin.stat: - path: "{{ item }}" - register: root_path_perms - loop: "{{ ubtu22cis_6_2_9_root_paths_split.stdout_lines }}" - - - name: "6.2.9 | AUDIT | Ensure root PATH Integrity | Set permissions" - ansible.builtin.file: - path: "{{ item.stat.path }}" - state: directory - owner: root - group: root - mode: '0755' - follow: false - loop: "{{ root_path_perms.results }}" - loop_control: - label: "{{ item }}" - when: - - item.stat.exists - - item.stat.isdir - - item.stat.pw_name != 'root' or item.stat.gr_name != 'root' or item.stat.woth or item.stat.wgrp - - (item != 'root') and (not ubtu22cis_uses_root) - - when: - - ubtu22cis_rule_6_2_9 - tags: - - level1-server - - level1-workstation - - patch - - paths - - rule_6.2.9 - -- name: "6.2.10 | PATCH | Ensure root is the only UID 0 account" - ansible.builtin.shell: passwd -l {{ item }} - changed_when: false - failed_when: false - loop: "{{ ubtu22cis_uid_zero_accounts_except_root.stdout_lines }}" - when: - - ubtu22cis_rule_6_2_10 - - ubtu22cis_uid_zero_accounts_except_root.rc - tags: - - level1-server - - level1-workstation - - patch - - accounts - - users - - rule_6.2.10 - -- name: "6.2.11 | PATCH | Ensure local interactive user home directories exist" - block: - - name: "6.2.11 | PATCH | Ensure local interactive user home directories exist | Create dir if absent" - ansible.builtin.file: - path: "{{ item.dir }}" - state: directory - owner: "{{ item.id }}" - group: "{{ item.gid }}" - register: ubtu22cis_6_2_11_home_dir - loop: "{{ ubtu22cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}" - loop_control: - label: "{{ item.id }}" - - # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.11 | PATCH | Ensure local interactive user home directories exist | Set group ACL" - ansible.posix.acl: - path: "{{ item }}" - default: true - etype: group - permissions: rx - state: present - loop: "{{ interactive_users_home.stdout_lines }}" - 
when: not system_is_container - - - name: "6.2.11 | PATCH | Ensure local interactive user home directories exist | Set other ACL" - ansible.posix.acl: - path: "{{ item }}" - default: true - etype: other - permissions: 0 - state: present - loop: "{{ interactive_users_home.stdout_lines }}" - when: not system_is_container - when: - - ubtu22cis_rule_6_2_11 - tags: - - level1-server - - level1-workstation - - patch - - users - - rule_6.2.11 - -- name: "6.2.12 | PATCH | Ensure local interactive users own their home directories" - ansible.builtin.file: - path: "{{ item.dir }}" - owner: "{{ item.id }}" - state: directory - loop: "{{ ubtu22cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}" - loop_control: - label: "{{ item.id }}" - when: - - item.uid >= min_int_uid | int - - item.id != 'nobody' - - (item.id != 'tss' and item.dir != '/dev/null') - - item.shell != '/sbin/nologin' - - ubtu22cis_rule_6_2_12 - tags: - - level1-server - - level1-workstation - - patch - - users - - rule_6.2.12 - -- name: "6.2.13 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive" - block: - - name: "6.2.13 | AUDIT | Ensure local interactive user home directories are mode 750 or more restrictive | get stat" - ansible.builtin.stat: - path: "{{ item }}" - register: rhel_09_6_2_13_home_dir_perms - loop: "{{ interactive_users_home.stdout_lines }}" - - - name: "6.2.13 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive | amend if needed" - ansible.builtin.file: - path: "{{ item.stat.path }}" - state: directory - mode: '0750' - loop: "{{ rhel_09_6_2_13_home_dir_perms.results }}" - loop_control: - label: "{{ item }}" - when: - - item.stat.mode > '0750' - - # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.13 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive | Set group ACL" - ansible.posix.acl: - 
path: "{{ item }}" - default: true - etype: group - permissions: rx - state: present - loop: "{{ interactive_users_home.stdout_lines }}" - when: not system_is_container - - - name: "6.2.13 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive | Set other ACL" - ansible.posix.acl: - path: "{{ item }}" - default: true - etype: other - permissions: 0 - state: present - loop: "{{ interactive_users_home.stdout_lines }}" - when: not system_is_container - when: - - ubtu22cis_rule_6_2_13 - tags: - - level1-server - - level1-workstation - - patch - - users - - permissions - - rule_6.2.13 - -- name: "6.2.14 | PATCH | Ensure no interactive users have .netrc files" - ansible.builtin.file: - dest: "~{{ item }}/.netrc" - state: absent - with_items: - - "{{ interactive_users_home.stdout_lines }}" - when: - - ubtu22cis_rule_6_2_14 - - ubtu22cis_disruption_high - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.2.14 - - user - -- name: "6.2.15 | PATCH | Ensure no interactive users have .forward files" - ansible.builtin.file: - dest: "~{{ item }}/.forward" - state: absent - with_items: - - "{{ interactive_users_home.stdout_lines }}" - when: - - ubtu22cis_rule_6_2_15 - - ubtu22cis_disruption_high - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.2.15 - - user - -- name: "6.2.16 | PATCH | Ensure no users have .rhosts files" - ansible.builtin.file: - dest: "~{{ item }}/.rhosts" - state: absent - with_items: - - "{{ interactive_users_home.stdout_lines }}" - when: - - ubtu22cis_rule_6_2_16 - - ubtu22cis_disruption_high - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.2.16 - - user - -- name: "6.2.17 | PATCH | Ensure users' dot files are not group or world writable" - block: - - name: "6.2.17 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files" - ansible.builtin.shell: find /home/ -name "\.*" -perm /g+w,o+w - 
changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_6_2_17_audit - - - name: "6.2.17 | AUDIT | Ensure users' dot files are not group or world-writable | Warning on files found" - ansible.builtin.debug: - msg: - - "Warning!! You have group or world-writable dot files on your system and have configured for manual intervention" - when: - - ubtu22cis_6_2_17_audit.stdout | length > 0 - - ubtu22cis_dotperm_ansiblemanaged - - - name: "6.2.17 | PATCH | Ensure users' dot files are not group or world writable | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: - - ubtu22cis_6_2_17_audit.stdout | length > 0 - - ubtu22cis_dotperm_ansiblemanaged - - - name: "6.2.17 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured" - ansible.builtin.file: - path: '{{ item }}' - mode: go-w - with_items: "{{ ubtu22cis_6_2_17_audit.stdout_lines }}" - when: - - ubtu22cis_6_2_17_audit.stdout | length > 0 - - ubtu22cis_dotperm_ansiblemanaged - vars: - warn_control_id: '6.2.17' - when: - - ubtu22cis_rule_6_2_17 - - ubtu22cis_disruption_high - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.2.17 - - user diff --git a/tasks/section_6/cis_6.3.1.x.yml b/tasks/section_6/cis_6.3.1.x.yml new file mode 100644 index 00000000..04576ea6 --- /dev/null +++ b/tasks/section_6/cis_6.3.1.x.yml 
@@ -0,0 +1,107 @@ +--- + +- name: "6.3.1.1 | PATCH | Ensure auditd packages are installed" + when: ubtu22cis_rule_6_3_1_1 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.1.1 + - auditd + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 + ansible.builtin.package: + name: ['auditd', 'audispd-plugins'] + state: present + +- name: "6.3.1.2 | PATCH | Ensure auditd service is enabled and active" + when: ubtu22cis_rule_6_3_1_2 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.1.2 + - auditd + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 + ansible.builtin.service: + name: auditd + state: started + enabled: true + masked: false + +- name: "6.3.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" + when: ubtu22cis_rule_6_3_1_3 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.1.3 + - auditd + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + block: + - name: "6.3.1.3 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" + ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' + changed_when: false + failed_when: false + check_mode: false + register: discovered_grub_cmdline_settings + + - name: "6.3.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add setting if doesn't exist" + when: "'audit=' not in discovered_grub_cmdline_settings.stdout" + ansible.builtin.lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ discovered_grub_cmdline_settings.stdout }} audit=1"' + notify: Grub update + + - name: "6.3.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Update setting if exists" + when: "'audit=' in discovered_grub_cmdline_settings.stdout" + ansible.builtin.replace: + dest: /etc/default/grub + regexp: 
'audit=([0-9]+)' + replace: 'audit=1' + after: '^GRUB_CMDLINE_LINUX="' + before: '"' + notify: Grub update + +- name: "6.3.1.4 | PATCH | Ensure audit_backlog_limit is sufficient" + when: ubtu22cis_rule_6_3_1_4 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.1.4 + - auditd + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + block: + - name: "6.3.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Get current GRUB_CMDLINE_LINUX" + ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' + changed_when: false + failed_when: false + check_mode: false + register: discovered_grub_cmdline_settings + + - name: "6.3.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add setting if doesn't exist" + when: "'audit_backlog_limit=' not in discovered_grub_cmdline_settings.stdout" + ansible.builtin.lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ discovered_grub_cmdline_settings.stdout }} audit_backlog_limit={{ ubtu22cis_audit_back_log_limit }}"' + notify: Grub update + + - name: "6.3.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Update setting if exists" + ansible.builtin.replace: + dest: /etc/default/grub + regexp: 'audit_backlog_limit=([0-9]+)' + replace: 'audit_backlog_limit={{ ubtu22cis_audit_back_log_limit }}' + after: '^GRUB_CMDLINE_LINUX="' + before: '"' + notify: Grub update diff --git a/tasks/section_6/cis_6.3.2.x.yml b/tasks/section_6/cis_6.3.2.x.yml new file mode 100644 index 00000000..e3afc759 --- /dev/null +++ b/tasks/section_6/cis_6.3.2.x.yml 
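Review bot: Both "Get GRUB_CMDLINE_LINUX" tasks (6.3.1.3 and 6.3.1.4) grep for `"GRUB_CMDLINE_LINUX="` without a `^` anchor, so a commented-out `#GRUB_CMDLINE_LINUX=...` line would also match and the registered stdout would span two lines, which the following `lineinfile` then splices into `line:`; `grep "^GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"'` restricts it to the live setting. 6.3.1.4's "Update setting if exists" task is also missing the `when: "'audit_backlog_limit=' in discovered_grub_cmdline_settings.stdout"` guard that its 6.3.1.3 counterpart carries; the replace is a no-op without a match, so this is consistency rather than a defect. Finally, when the existing value is empty the appended line becomes `GRUB_CMDLINE_LINUX=" audit=1"` with a leading space — harmless to GRUB as far as I can tell, but `line: 'GRUB_CMDLINE_LINUX="{{ (discovered_grub_cmdline_settings.stdout ~ " audit=1") | trim }}"'` keeps the written file tidy.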
@@ -0,0 +1,75 @@
+---
+
+- name: "6.3.2.1 | PATCH | Ensure audit log storage size is configured"
+ when: ubtu22cis_rule_6_3_2_1
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - rule_6.3.2.1
+ - auditd
+ - NIST800-53R5_NA
+ ansible.builtin.lineinfile:
+ dest: /etc/audit/auditd.conf
+ regexp: "^max_log_file( |=)"
+ line: "max_log_file = {{ ubtu22cis_max_log_file_size }}"
+ state: present
+ notify: Restart auditd
+
+- name: "6.3.2.2 | PATCH | Ensure audit logs are not automatically deleted"
+ when: ubtu22cis_rule_6_3_2_2
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - rule_6.3.2.2
+ - auditd
+ - NIST800-53R5_AU-8
+ ansible.builtin.lineinfile:
+ path: /etc/audit/auditd.conf
+ regexp: '^max_log_file_action'
+ line: "max_log_file_action = {{ ubtu22cis_auditd_max_log_file_action }}"
+ notify: Restart auditd
+
+- name: "6.3.2.3 | PATCH | Ensure system is disabled when audit logs are full"
+ when: ubtu22cis_rule_6_3_2_3
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - rule_6.3.2.3
+ - auditd
+ - NIST800-53R5_AU-2
+ - NIST800-53R5_AU-8
+ - NIST800-53R5_AU-12
+ - NIST800-53R5_SI-5
+ ansible.builtin.lineinfile:
+ path: /etc/audit/auditd.conf
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ with_items:
+ - { regexp: '^disk_full_action', line: "disk_full_action = {{ ubtu22cis_auditd_disk_full_action }}" }
+ - { regexp: '^disk_error_action', line: "disk_error_action = {{ ubtu22cis_auditd_disk_error_action }}" }
+ notify: Restart auditd
+
+- name: "6.3.2.4 | PATCH | Ensure system warns when audit logs are low on space"
+ when:
+ - ubtu22cis_rule_6_3_2_4
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - auditd
+ - rule_6.3.2.4
+ - NIST800-53R5_AU-2
+ - NIST800-53R5_AU-8
+ - NIST800-53R5_AU-12
+ - NIST800-53R5_SI-5
+ ansible.builtin.lineinfile:
+ path: /etc/audit/auditd.conf
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ loop:
+ - { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ ubtu22cis_auditd_admin_space_left_action }}' }
+ - { regexp: '^space_left_action', line: 'space_left_action = {{ ubtu22cis_auditd_space_left_action }}' }
+ notify: Restart auditd
diff --git a/tasks/section_6/cis_6.3.3.x.yml b/tasks/section_6/cis_6.3.3.x.yml
new file mode 100644
index 00000000..6d756300
--- /dev/null
+++ b/tasks/section_6/cis_6.3.3.x.yml
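Review bot: the four auditd actions written by 6.3.2.2–6.3.2.4 come straight from role variables with no validation, so a typo or an unsupported value (say `ignore` or `suspend` for `disk_full_action`) is written to `/etc/audit/auditd.conf` and the `Restart auditd` handler restarts the daemon into a non-compliant state; an `ansible.builtin.assert` at the top of the file, e.g. `that: ubtu22cis_auditd_disk_full_action in ['halt', 'single']`, fails early with a readable message. The variable defaults are not visible from this hunk, so such an assert would also be the one place the accepted set (from memory, `halt` or `single` for `disk_full_action` and `admin_space_left_action`, plus `syslog` for `disk_error_action`) is documented. As a point of style, 6.3.2.3 uses `with_items:` while 6.3.2.4 uses `loop:`, and 6.3.2.1 addresses the file with `dest:` while the others use `path:`; the file reads more consistently with `loop` and `path` throughout.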
@@ -0,0 +1,279 @@
+---
+
+- name: "6.3.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
+ when: ubtu22cis_rule_6_3_3_1
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - rule_6.3.3.1
+ - auditd
+ - NIST800-53R5_AU-3
+ ansible.builtin.set_fact:
+ update_audit_template: true
+
+- name: "6.3.3.2 | PATCH | Ensure actions as another user are always logged"
+ when: ubtu22cis_rule_6_3_3_2
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - rule_6.3.3.2
+ - auditd
+ - NIST800-53R5_AU-3
+ ansible.builtin.set_fact:
+ update_audit_template: true
+
+- name: "6.3.3.3 | PATCH | Ensure events that modify the sudo log file are collected"
+ when: ubtu22cis_rule_6_3_3_3
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - rule_6.3.3.3
+ - auditd
+ - NIST800-53R5_NA
+ ansible.builtin.set_fact:
+ update_audit_template: true
+
+- name: "6.3.3.4 | PATCH | Ensure events that modify date and time information are collected"
+ when: ubtu22cis_rule_6_3_3_4
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - rule_6.3.3.4
+ - auditd
+ - NIST800-53R5_AU-3
+ - NIST800-53R5_CM-6
+ ansible.builtin.set_fact:
+ update_audit_template: true
+
+- name: "6.3.3.5 | PATCH | Ensure events that modify the system's network environment are collected"
+ when: ubtu22cis_rule_6_3_3_5
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - rule_6.3.3.5
+ - auditd
+ - NIST800-53R5_AU-3
+ - NIST800-53R5_CM-6
+ ansible.builtin.set_fact:
+ update_audit_template: true
+
+- name: "6.3.3.6 | PATCH | Ensure use of privileged commands are collected"
+ when: ubtu22cis_rule_6_3_3_6
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - rule_6.3.3.6
+ - auditd
+ - NIST800-53R5_AU-3
+ block:
+ - name: "6.3.3.6 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs"
+ ansible.builtin.shell: for i in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
+ register: discovered_priv_procs
+ changed_when: false
+ check_mode: false
+
+ - name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected | Set privileged rules"
+ ansible.builtin.set_fact:
+ update_audit_template: true
+
+- name: "6.3.3.7 | PATCH | Ensure unsuccessful file access attempts are collected"
+ when: ubtu22cis_rule_6_3_3_7
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - rule_6.3.3.7
+ - auditd
+ - NIST800-53R5_AU-3
+ ansible.builtin.set_fact:
+ update_audit_template: true
+
+- name: "6.3.3.8 | PATCH | Ensure events that modify user/group information are collected"
+ when: ubtu22cis_rule_6_3_3_8
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - rule_6.3.3.8
+ - auditd
+ - NIST800-53R5_AU-3
+ ansible.builtin.set_fact:
+ update_audit_template: true
+
+- name: "6.3.3.9 | PATCH | Ensure discretionary access control permission modification events are collected"
+ when: ubtu22cis_rule_6_3_3_9
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - rule_6.3.3.9
+ - auditd
+ - NIST800-53R5_AU-3
+ - NIST800-53R5_CM-6
+ ansible.builtin.set_fact:
+ update_audit_template: true
+
+- name: "6.3.3.10 | PATCH | Ensure successful file system mounts are collected"
+ when: ubtu22cis_rule_6_3_3_10
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - rule_6.3.3.10
+ - auditd
+ - NIST800-53R5_CM-6
+ ansible.builtin.set_fact:
+ update_audit_template: true
+
+- name: "6.3.3.11 | PATCH | Ensure session initiation information is collected"
+ when: ubtu22cis_rule_6_3_3_11
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - rule_6.3.3.11
+ - auditd
+ - NIST800-53R5_AU-3
+ ansible.builtin.set_fact:
+ update_audit_template: true
+
+- name: "6.3.3.12 | PATCH | Ensure login and logout events are collected"
+ when: ubtu22cis_rule_6_3_3_12
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - rule_6.3.3.12
+ - auditd
+ - NIST800-53R5_AU-3
+ ansible.builtin.set_fact:
+ update_audit_template: true
+
+- name: "6.3.3.13 | PATCH | Ensure file deletion events by users are collected"
+ when: ubtu22cis_rule_6_3_3_13
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - rule_6.3.3.13
+ - auditd
+ - NIST800-53R5_AU-12
+ - NIST800-53R5_SC-7
+ ansible.builtin.set_fact:
+ update_audit_template: true
+
+- name: "6.3.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected"
+ when: ubtu22cis_rule_6_3_3_14
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - rule_6.3.3.14
+ - auditd
+ - NIST800-53R5_AU-3
+ - NIST800-53R5_CM-6
+ ansible.builtin.set_fact:
+ update_audit_template: true
+
+- name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded"
+ when: ubtu22cis_rule_6_3_3_15
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - rule_6.3.3.15
+ - auditd
+ - NIST800-53R5_AU-2
+ - NIST800-53R5_AU-12
+ - NIST800-53R5_SI-5
+ ansible.builtin.set_fact:
+ update_audit_template: true
+
+- name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded"
+ when: ubtu22cis_rule_6_3_3_16
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - rule_6.3.3.16
+ - auditd
+ - NIST800-53R5_AU-2
+ - NIST800-53R5_AU-12
+ - NIST800-53R5_SI-5
+ ansible.builtin.set_fact:
+ update_audit_template: true
+
+- name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded"
+ when: ubtu22cis_rule_6_3_3_17
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - rule_6.3.3.17
+ - auditd
+ - NIST800-53R5_AU-2
+ - NIST800-53R5_AU-12
+ - NIST800-53R5_SI-5
+ ansible.builtin.set_fact:
+ update_audit_template: true
+
+- name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded"
+ when: ubtu22cis_rule_6_3_3_18
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - rule_6.3.3.18
+ - auditd
+ - NIST800-53R5_AU-2
+ - NIST800-53R5_AU-12
+ - NIST800-53R5_SI-5
+ ansible.builtin.set_fact:
+ update_audit_template: true
+
+- name: "6.3.3.19 | PATCH | Ensure kernel module loading unloading and modification is collected"
+ when: ubtu22cis_rule_6_3_3_19
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - rule_6.3.3.19
+ - auditd
+ - NIST800-53R5_AU-3
+ - NIST800-53R5_CM-6
+ ansible.builtin.set_fact:
+ update_audit_template: true
+
+- name: "6.3.3.20 | PATCH | Ensure the audit configuration is immutable"
+ when: ubtu22cis_rule_6_3_3_20
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - rule_6.3.3.20
+ - auditd
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_AU-3
+ - NIST800-53R5_AU-12
+ - NIST800-53R5_MP-2
+ ansible.builtin.set_fact:
+ update_audit_template: true
+
+- name: "6.3.3.21 | PATCH | Ensure the running and on disk configuration is the same"
+ when: ubtu22cis_rule_6_3_3_21
+ tags:
+ - level2-server
+ - level2-workstation
+ - scored
+ - patch
+ - rule_6.3.3.21
+ - auditd
+ - NIST800-53R5_AU-3
+ ansible.builtin.command: augenrules --check
+ changed_when: false
diff --git a/tasks/section_6/cis_6.3.4.x.yml b/tasks/section_6/cis_6.3.4.x.yml
new file mode 100644
index 00000000..be1d22be
--- /dev/null
+++ b/tasks/section_6/cis_6.3.4.x.yml
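Review bot: 6.3.3.21 runs `augenrules --check` with `changed_when: false` and neither `register` nor `failed_when`, so drift between the on-disk rules and the loaded ruleset is neither reported nor remediated even though the task is labelled PATCH; as far as I recall `augenrules --check` exits 0 in both cases and only reports the difference on stdout, so the task should `register: discovered_augenrules_check` and warn or run `augenrules --load` when `'No change' not in discovered_augenrules_check.stdout`. A comment next to it that once 6.3.3.20's `-e 2` has been loaded new rules cannot be applied at runtime and a reboot is required would help, since the template or handler that consumes `update_audit_template` is outside this hunk and I cannot tell whether it handles that. 6.3.3.6's discovery shell is the only one in the section without `failed_when: false`, and its loop variable `$i` is unquoted, so a mount point containing whitespace is split into several `find` arguments; `find "$i" ...` is the safe form. The `scored` tag appears only on 6.3.3.21, which looks like a leftover from an earlier tag scheme.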
@@ -0,0 +1,154 @@
+---
+
+- name: |
+ "6.3.4.1 | PATCH | Ensure audit log files mode is configured"
+ "6.3.4.2 | PATCH | Ensure audit log files owner is configured"
+ "6.3.4.3 | PATCH | Ensure audit log files group owner is configured"
+ when:
+ - ubtu22cis_rule_6_3_4_1 or
+ ubtu22cis_rule_6_3_4_2 or
+ ubtu22cis_rule_6_3_4_3
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - auditd
+ - rule_6.3.4.1
+ - rule_6.3.4.2
+ - rule_6.3.4.3
+ - NIST800-53R5_AU-3
+ ansible.builtin.file:
+ path: "{{ prelim_auditd_logfile.stdout }}"
+ owner: root
+ group: root
+ mode: 'u-x,g-wx,o-rwx'
+
+- name: "6.3.4.4 | PATCH | Ensure the audit log file directory mode is configured"
+ when: ubtu22cis_rule_6_3_4_4
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - auditd
+ - rule_6.3.4.4
+ - NIST800-53R5_AU-3
+ block:
+ - name: "6.3.4.4 | AUDIT | Ensure the audit log file directory mode is configured | get current permissions"
+ ansible.builtin.stat:
+ path: "{{ prelim_auditd_logfile.stdout | dirname }}"
+ register: discovered_auditlog_dir
+
+ - name: "6.3.4.4 | PATCH | Ensure the audit log file directory mode is configured | set permissions"
+ ansible.builtin.file:
+ path: "{{ discovered_auditlog_dir.stat.path }}"
+ state: directory
+ mode: 'g-w,o-rwx'
+
+- name: "6.3.4.5 | PATCH | Ensure audit configuration files mode is configured"
+ when: ubtu22cis_rule_6_3_4_5
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - auditd
+ - rule_6.3.4.5
+ - NIST800-53R5_AU-3
+ ansible.builtin.file:
+ path: "{{ item.path }}"
+ mode: 'u-x,g-wx,o-rwx'
+ loop: "{{ prelim_auditd_conf_files.files }}"
+ loop_control:
+ label: "{{ item.path }}"
+
+- name: "6.3.4.6 | PATCH | Ensure audit configuration files owner is configured"
+ when: ubtu22cis_rule_6_3_4_6
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - auditd
+ - rule_6.3.4.6
+ - NIST800-53R5_AU-3
+ ansible.builtin.file:
+ path: "{{ item.path }}"
+ owner: root
+ loop: "{{ prelim_auditd_conf_files.files }}"
+ loop_control:
+ label: "{{ item.path }}"
+
+- name: "6.3.4.7 | PATCH | Ensure audit configuration files group owner is configured"
+ when: ubtu22cis_rule_6_3_4_7
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - auditd
+ - rule_6.3.4.7
+ - NIST800-53R5_AU-3
+ ansible.builtin.file:
+ path: "{{ item.path }}"
+ group: root
+ loop: "{{ prelim_auditd_conf_files.files }}"
+ loop_control:
+ label: "{{ item.path }}"
+
+- name: "6.3.4.8 | PATCH | Ensure audit tools mode is configured"
+ when: ubtu22cis_rule_6_3_4_8
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - auditd
+ - rule_6.3.4.8
+ - NIST800-53R5_AU-3
+ ansible.builtin.file:
+ path: "{{ item }}"
+ mode: 'g-w,o-rwx'
+ loop:
+ - /sbin/auditctl
+ - /sbin/aureport
+ - /sbin/ausearch
+ - /sbin/autrace
+ - /sbin/auditd
+ - /sbin/augenrules
+
+- name: "6.3.4.9 | PATCH | Ensure audit tools owner is configured"
+ when: ubtu22cis_rule_6_3_4_9
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - auditd
+ - rule_6.3.4.9
+ - NIST800-53R5_AU-3
+ ansible.builtin.file:
+ path: "{{ item }}"
+ owner: root
+ group: root
+ loop:
+ - /sbin/auditctl
+ - /sbin/aureport
+ - /sbin/ausearch
+ - /sbin/autrace
+ - /sbin/auditd
+ - /sbin/augenrules
+
+- name: "6.3.4.10 | PATCH | Ensure audit tools group owner is configured"
+ when: ubtu22cis_rule_6_3_4_10
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - auditd
+ - rule_6.3.4.10
+ - NIST800-53R5_AU-3
+ ansible.builtin.file:
+ path: "{{ item }}"
+ group: root
+ loop:
+ - /sbin/auditctl
+ - /sbin/aureport
+ - /sbin/ausearch
+ - /sbin/autrace
+ - /sbin/auditd
+ - /sbin/augenrules
diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml
index b194fdc8..8b46ff82 100644
--- a/tasks/section_6/main.yml
+++ b/tasks/section_6/main.yml
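Review bot: 6.3.4.1–6.3.4.3 set mode and ownership only on the single path in `prelim_auditd_logfile.stdout`, so rotated logs in the same directory (`audit.log.1` and so on) keep whatever mode they were created with, while the control names are plural and the benchmark checks every file in the log directory; an `ansible.builtin.find` over `prelim_auditd_logfile.stdout | dirname` followed by a loop covers them, as sketched below. I cannot see how `prelim_auditd_logfile` is produced, so if it already expands to a list this does not apply. The same six `/sbin/...` paths are repeated verbatim in 6.3.4.8, 6.3.4.9 and 6.3.4.10, and 6.3.4.9 already sets `group: root`, which makes 6.3.4.10 a no-op; a single list variable (e.g. `ubtu22cis_audit_tools`) used by all three, or one task setting owner, group and mode together, would be easier to keep in sync.
```yaml
# … unchanged: name, when and tags of the combined 6.3.4.1–6.3.4.3 task, now followed by block: …
  block:
    - name: "6.3.4.1 | AUDIT | Ensure audit log files mode is configured | Find log files"
      ansible.builtin.find:
        paths: "{{ prelim_auditd_logfile.stdout | dirname }}"
        file_type: file
      register: discovered_auditd_logfiles

    - name: "6.3.4.1 | PATCH | Ensure audit log files mode is configured | Set mode and owner"
      ansible.builtin.file:
        path: "{{ item.path }}"
        owner: root
        group: root
        mode: 'u-x,g-wx,o-rwx'
      loop: "{{ discovered_auditd_logfiles.files }}"
      loop_control:
        label: "{{ item.path }}"
```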
@@ -1,9 +1,33 @@
 ---
-- name: "SECTION | 6.1 | System File Permissions"
+- name: "SECTION | 6.1 | Configure Filesystem Integrity Checking"
 ansible.builtin.import_tasks:
- file: cis_6.1.x.yml
+ file: cis_6.1.x.yml
-- name: "SECTION | 6.2 | User and Group Settings"
+- name: "SECTION | 6.2.1.1 | Configure systemd-journald service"
 ansible.builtin.import_tasks:
- file: cis_6.2.x.yml
+ file: cis_6.2.1.1.x.yml
+
+- name: "SECTION | 6.2.1.2 | Configure systemd-journal-remote"
+ ansible.builtin.import_tasks:
+ file: cis_6.2.1.2.x.yml
+
+- name: "SECTION | 6.2.2 | Configure Logfiles"
+ ansible.builtin.import_tasks:
+ file: cis_6.2.2.yml
+
+- name: "SECTION | 6.3.1 | Configure auditd Service"
+ ansible.builtin.import_tasks:
+ file: cis_6.3.1.x.yml
+
+- name: "SECTION | 6.3.2 | Configure data retention"
+ ansible.builtin.import_tasks:
+ file: cis_6.3.2.x.yml
+
+- name: "SECTION | 6.3.3 | Configure auditd rules"
+ ansible.builtin.import_tasks:
+ file: cis_6.3.3.x.yml
+
+- name: "SECTION | 6.3.4 | Configure auditd file access"
+ ansible.builtin.import_tasks:
+ file: cis_6.3.4.x.yml
diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml
new file mode 100644
index 00000000..9c72472e
--- /dev/null
+++ b/tasks/section_7/cis_7.1.x.yml
@@ -0,0 +1,320 @@
+---
+
+- name: "7.1.1 | PATCH | Ensure permissions on /etc/passwd are configured"
+ when: ubtu22cis_rule_7_1_1
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - permissions
+ - rule_7.1.1
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ ansible.builtin.file:
+ path: /etc/passwd
+ owner: root
+ group: root
+ mode: 'u-x,go-wx'
+
+- name: "7.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured"
+ when: ubtu22cis_rule_7_1_2
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - permissions
+ - rule_7.1.2
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ ansible.builtin.file:
+ path: /etc/passwd-
+ owner: root
+ group: root
+ mode: 'u-x,go-wx'
+ failed_when: discovered_file_exists.state not in '[ file, absent ]'
+ register: discovered_file_exists
+
+- name: "7.1.3 | PATCH | Ensure permissions on /etc/group are configured"
+ when: ubtu22cis_rule_7_1_3
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - permissions
+ - rule_7.1.3
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ ansible.builtin.file:
+ path: /etc/group
+ owner: root
+ group: root
+ mode: 'u-x,go-wx'
+
+- name: "7.1.4 | PATCH | Ensure permissions on /etc/group- are configured"
+ when: ubtu22cis_rule_7_1_4
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - permissionss
+ - rule_7.1.4
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ ansible.builtin.file:
+ path: /etc/group-
+ owner: root
+ group: root
+ mode: 'u-x,go-wx'
+ failed_when: discovered_file_exists.state not in '[ file, absent ]'
+ register: discovered_file_exists
+
+- name: "7.1.5 | PATCH | Ensure permissions on /etc/shadow are configured"
+ when: ubtu22cis_rule_7_1_5
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - permissions
+ - rule_7.1.5
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ ansible.builtin.file:
+ path: /etc/shadow
+ owner: root
+ group: root
+ mode: 'u-x,g-wx,o-rwx'
+
+- name: "7.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured"
+ when: ubtu22cis_rule_7_1_6
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - permissions
+ - rule_7.1.6
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ ansible.builtin.file:
+ path: /etc/shadow-
+ owner: root
+ group: root
+ mode: 'u-x,g-wx,o-rwx'
+ failed_when: discovered_file_exists.state not in '[ file, absent ]'
+ register: discovered_file_exists
+
+- name: "7.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured"
+ when: ubtu22cis_rule_7_1_7
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - permissions
+ - rule_7.1.7
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ ansible.builtin.file:
+ path: /etc/gshadow
+ owner: root
+ group: root
+ mode: 'u-x,g-wx,o-rwx'
+
+- name: "7.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured"
+ when: ubtu22cis_rule_7_1_8
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - permissions
+ - rule_7.1.8
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ ansible.builtin.file:
+ path: /etc/gshadow-
+ owner: root
+ group: root
+ mode: 'u-x,g-wx,o-rwx'
+ failed_when: discovered_file_exists.state not in '[ file, absent ]'
+ register: discovered_file_exists
+
+- name: "7.1.9 | PATCH | Ensure permissions on /etc/shells are configured"
+ when: ubtu22cis_rule_7_1_9
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - permissions
+ - rule_7.1.9
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ ansible.builtin.file:
+ path: /etc/shells
+ owner: root
+ group: root
+ mode: 'u-x,go-wx'
+
+- name: "7.1.10 | PATCH | Ensure permissions on /etc/security/opasswd are configured"
+ when: ubtu22cis_rule_7_1_10
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - permissions
+ - rule_7.1.10
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ ansible.builtin.file:
+ path: "{{ item }}"
+ owner: root
+ group: root
+ mode: 'u-x,go-rwx'
+ failed_when: discovered_file_exists.state not in '[ file, absent ]'
+ register: discovered_file_exists
+ loop:
+ - /etc/security/opasswd
+ - /etc/security/opasswd.old
+
+- name: "7.1.11 | PATCH | Ensure world writable files and directories are secured"
+ when: ubtu22cis_rule_7_1_11
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - files
+ - permissions
+ - rule_7.1.11
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ block:
+ - name: "7.1.11 | AUDIT | Ensure world writable files and directories are secured | Get list of world-writable files"
+ ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002
+ failed_when: false
+ changed_when: false
+ register: discovered_worldwriteable_files
+
+ - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured | Adjust world-writable files if they exist (Configurable)"
+ when:
+ - discovered_worldwriteable_files.stdout_lines is defined
+ - ubtu22cis_no_world_write_adjust
+ ansible.builtin.file:
+ path: '{{ item }}'
+ mode: 'o-w'
+ state: touch
+ loop: "{{ discovered_worldwriteable_files.stdout_lines }}"
+
+ - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured | sticky bit set on world-writable directories"
+ ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
+ changed_when: false
+ failed_when: false
+
+- name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist"
+ when: ubtu22cis_rule_7_1_12
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_7.1.12
+ - permissions
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ vars:
+ warn_control_id: '7.1.12'
+ block:
+ - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories"
+ ansible.builtin.command: 'find {{ ubtu22cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs'
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: discovered_unowned_files
+ loop: "{{ ansible_facts.mounts }}"
+ loop_control:
+ label: "{{ item.mount }}"
+
+ - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Flatten no_user_items results for easier use"
+ ansible.builtin.set_fact:
+ discovered_unowned_files_flatten: "{{ discovered_unowned_files.results | map(attribute='stdout_lines') | flatten }}"
+
+ - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Alert on unowned files and directories"
+ when:
+ - not ubtu22cis_ownership_adjust
+ - discovered_unowned_files_flatten | length > 0
+ ansible.builtin.debug:
+ msg:
+ - "Warning!! You have unowned files and are configured to not auto-remediate for this task"
+ - "Please review the files/directories below and assign an owner"
+ - "{{ discovered_unowned_files_flatten }}"
+
+ - name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist | Set files/directories to configured owner and group"
+ when:
+ - ubtu22cis_ownership_adjust
+ - discovered_unowned_files_flatten | length > 0
+ ansible.builtin.file:
+ path: "{{ item }}"
+ owner: "{{ ubtu22cis_unowned_owner }}"
+ group: "{{ ubtu22cis_unowned_group }}"
+ with_items:
+ - "{{ discovered_unowned_files_flatten }}"
+
+ - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Warn Count"
+ when:
+ - not ubtu22cis_ownership_adjust
+ - discovered_unowned_files_flatten | length > 0
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
+
+- name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed"
+ when: ubtu22cis_rule_7_1_13
+ tags:
+ - level1-server
+ - level1-workstation
+ - audit
+ - rule_7.1.13
+ - permissions
+ - NIST800-53R5_CM-1
+ - NIST800-53R5_CM-2
+ - NIST800-53R5_CM-6
+ - NIST800-53R5_CM-7
+ - NIST800-53R5_IA-5
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ vars:
+ warn_control_id: '7.1.13'
+ block:
+ - name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Find S
UID and SGID"
+ ansible.builtin.command: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: discovered_suid_sgid_files
+ loop: "{{ ansible_facts.mounts }}"
+ loop_control:
+ label: "{{ item.mount }}"
+
+ - name: "7.1.13 | AUDIT | Audit SUID executables | Flatten suid_executables results for easier use"
+ ansible.builtin.set_fact:
+ discovered_suid_sgid_files_flatten: "{{ discovered_suid_sgid_files.results | map(attribute='stdout_lines') | flatten }}"
+
+ - name: "7.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist"
+ when:
+ - discovered_suid_sgid_files_flatten | length > 0
+ - not ubtu22cis_suid_sgid_adjust
+ ansible.builtin.debug:
+ msg:
+ - "Warning!! You have SUID executables"
+ - "The files are listed below, please confirm the integrity of these binaries"
+ - "{{ discovered_suid_sgid_files_flatten }}"
+
+ - name: "7.1.13 | PATCH | Audit SUID executables | Remove SUID bit"
+ when:
+ - ubtu22cis_suid_sgid_adjust
+ - discovered_suid_sgid_files_flatten | length > 0
+ ansible.builtin.file:
+ path: "{{ item }}"
+ mode: 'u-s'
+ loop: "{{ discovered_suid_sgid_files_flatten }}"
+
+ - name: "7.1.13 | AUDIT | Audit SUID executables | Warn Count"
+ when:
+ - discovered_suid_sgid_files_flatten | length > 0
+ - not ubtu22cis_suid_sgid_adjust
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
diff --git a/tasks/section_7/cis_7.2.x.yml b/tasks/section_7/cis_7.2.x.yml
new file mode 100644
index 00000000..9bbe850a
--- /dev/null
+++ b/tasks/section_7/cis_7.2.x.yml
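Review bot: the 7.1.13 discovery command `find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs` is not valid find syntax (`-perm` takes exactly one mode argument and `or` is not an operator), and because `failed_when: false` swallows the error every mount yields an empty `stdout_lines`, so the SUID/SGID review silently reports nothing; the working form is `find {{ item.mount }} -xdev -type f \( -perm -02000 -o -perm -04000 \) -not -fstype nfs`. The remediation in the same block applies `mode: 'u-s'`, which clears only the SUID bit although the control and the discovery cover SGID as well; if that is intended it deserves a comment, otherwise `mode: 'u-s,g-s'`. In 7.1.11 the world-writable fix uses `state: touch`, which rewrites the file's timestamps on every run, so the task is never idempotent and it alters mtime/atime that an investigator may later rely on; `state: file` changes the mode without touching. The following sticky-bit task runs `chmod a+t` through `ansible.builtin.shell` with `changed_when: false`, so any change it makes is invisible in the play recap. The tag `permissionss` on 7.1.4 is misspelled, so `--tags permissions` skips that task.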
@@ -0,0 +1,339 @@
+---
+- name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords"
+ when: ubtu22cis_rule_7_2_1
+ tags:
+ - level1-server
+ - level1-workstation
+ - audit
+ - rule_7.2.1
+ - user_accounts
+ - NIST800-53R5_IA-5
+ vars:
+ warn_control_id: "7.2.1"
+ block:
+ - name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Get users not using shadowed passwords"
+ ansible.builtin.shell: awk -F':' '($2 != "x" ) { print $1}' /etc/passwd
+ changed_when: false
+ failed_when: false
+ register: discovered_nonshadowed_users
+
+ - name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Warn on findings"
+ when: discovered_nonshadowed_users.stdout | length > 0
+ ansible.builtin.debug:
+ msg:
+ - "Warning!! You have users that are not using a shadowed password. Please convert the below accounts to use a shadowed password"
+ - "{{ discovered_nonshadowed_users.stdout_lines }}"
+
+ - name: "7.2.1 | WARNING | Ensure accounts in /etc/passwd use shadowed passwords | warn_count"
+ when: discovered_nonshadowed_users.stdout | length > 0
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
+
+- name: "7.2.2 | PATCH | Ensure /etc/shadow password fields are not empty"
+ when: ubtu22cis_rule_7_2_2
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_7.2.2
+ - user
+ - permissions
+ - NIST800-53R5_IA-5
+ block:
+ - name: "7.2.2 | AUDIT | Ensure /etc/shadow password fields are not empty | Find users with no password"
+ ansible.builtin.shell: awk -F":" '($2 == "" ) { print $1 }' /etc/shadow
+ changed_when: false
+ check_mode: false
+ register: discovered_empty_password_acct
+
+ - name: "7.2.2 | PATCH | Ensure /etc/shadow password fields are not empty | Lock users with empty password"
+ when: discovered_empty_password_acct.stdout | length > 0
+ ansible.builtin.user:
+ name: "{{ item }}"
+ password_lock: true
+ loop:
+ - "{{ discovered_empty_password_acct.stdout_lines }}"
+
+- name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group"
+ when: ubtu22cis_rule_7_2_3
+ tags:
+ - level1-server
+ - level1-workstation
+ - audit
+ - rule_7.2.3
+ - groups
+ - NIST800-53R5_CM-1
+ - NIST800-53R5_CM-2
+ - NIST800-53R5_CM-6
+ - NIST800-53R5_CM-7
+ - NIST800-53R5_IA-5
+ vars:
+ warn_control_id: "7.2.3"
+ block:
+ - name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries"
+ ansible.builtin.shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}'
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: discovered_passwd_gid_check
+
+ - name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group"
+ when: discovered_passwd_gid_check.stdout | length > 0
+ ansible.builtin.debug:
+ msg: "Warning!! The following users have non-existent GIDs (Groups): {{ discovered_passwd_gid_check.stdout_lines | join(', ') }}"
+
+ - name: "7.2.3 | WARNING | Ensure all groups in /etc/passwd exist in /etc/group | warn_count"
+ when: discovered_passwd_gid_check.stdout | length > 0
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
+
+- name: "7.2.4 | PATCH | Ensure shadow group is empty"
+ when: ubtu22cis_rule_7_2_4
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_7.2.4
+ - user
+ - NIST800-53R5_IA-5
+ vars:
+ warn_control_id: "7.2.4"
+ block:
+ - name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group"
+ ansible.builtin.getent:
+ database: group
+ split: ":"
+ key: shadow
+
+ - name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group"
+ ansible.builtin.debug:
+ msg: "Warning!! - You have users in the shadow group"
+ when: ansible_facts.getent_group.shadow[2] | length > 0
+
+ - name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group"
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
+ when: ansible_facts.getent_group.shadow[2] | length > 0
+
+- name: "7.2.5 | AUDIT | Ensure no duplicate UIDs exist"
+ when: ubtu22cis_rule_7_2_5
+ tags:
+ - level1-server
+ - level1-workstation
+ - audit
+ - rule_7.2.5
+ - user
+ - NIST800-53R5_CM-1
+ - NIST800-53R5_CM-2
+ - NIST800-53R5_CM-6
+ - NIST800-53R5_CM-7
+ - NIST800-53R5_IA-5
+ vars:
+ warn_control_id: "7.2.5"
+ block:
+ - name: "7.2.5 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs"
+ ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: discovered_user_uid_check
+
+ - name: "7.2.5 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs"
+ when: discovered_user_uid_check.stdout | length > 0
+ ansible.builtin.debug:
+ msg: "Warning!! The following users have UIDs that are duplicates: {{ discovered_user_uid_check.stdout_lines }}"
+
+ - name: "7.2.5 | AUDIT | Ensure no duplicate UIDs exist | Set warning count"
+ when: discovered_user_uid_check.stdout | length > 0
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
+
+- name: "7.2.6 | AUDIT | Ensure no duplicate GIDs exist"
+ when: ubtu22cis_rule_7_2_6
+ tags:
+ - level1-server
+ - level1-workstation
+ - audit
+ - rule_7.2.6
+ - groups
+ - NIST800-53R5_CM-1
+ - NIST800-53R5_CM-2
+ - NIST800-53R5_CM-6
+ - NIST800-53R5_CM-7
+ - NIST800-53R5_IA-5
+ vars:
+ warn_control_id: "7.2.6"
+ block:
+ - name: "7.2.6 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs"
+ ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: discovered_user_gid_check
+
+ - name: "7.2.6 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs"
+ when: discovered_user_gid_check.stdout | length > 0
+ ansible.builtin.debug:
+ msg: "Warning!! The following groups have duplicate GIDs: {{ discovered_user_gid_check.stdout_lines }}"
+
+ - name: "7.2.6 | AUDIT | Ensure no duplicate GIDs exist | Set warning count"
+ when: discovered_user_gid_check.stdout | length > 0
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
+
+- name: "7.2.7 | AUDIT | Ensure no duplicate user names exist"
+ when: ubtu22cis_rule_7_2_7
+ tags:
+ - level1-server
+ - level1-workstation
+ - audit
+ - rule_7.2.7
+ - user
+ - NIST800-53R5_CM-1
+ - NIST800-53R5_CM-2
+ - NIST800-53R5_CM-6
+ - NIST800-53R5_CM-7
+ - NIST800-53R5_IA-5
+ vars:
+ warn_control_id: "7.2.7"
+ block:
+ - name: "7.2.7 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names"
+ ansible.builtin.shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: discovered_dup_username
+
+ - name: "7.2.7 | WARNING | Ensure no duplicate user names exist | Print warning about users with duplicate User Names"
+ when: discovered_dup_username.stdout | length > 0
+ ansible.builtin.debug:
+ msg: "Warning!! The following user names are duplicates: {{ discovered_user_username_check.stdout_lines }}"
+
+ - name: "7.2.7 | WARNING | Ensure no duplicate user names exist | Set warning count"
+ when: discovered_dup_username.stdout | length > 0
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
+
+- name: "7.2.8 | AUDIT | Ensure no duplicate group names exist"
+ when: ubtu22cis_rule_7_2_8
+ tags:
+ - level1-server
+ - level1-workstation
+ - audit
+ - rule_7.2.8
+ - groups
+ - NIST800-53R5_CM-1
+ - NIST800-53R5_CM-2
+ - NIST800-53R5_CM-6
+ - NIST800-53R5_CM-7
+ - NIST800-53R5_IA-5
+ vars:
+ warn_control_id: "7.2.8"
+ block:
+ - name: "7.2.8 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names"
+ ansible.builtin.shell: "getent passwd | cut -d: -f1 | sort -n | uniq -d"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: discovered_dup_group
+
+ - name: "7.2.8 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names"
+ when: discovered_dup_group.stdout | length > 0
+ ansible.builtin.debug:
+ msg: "Warning!! The following group names are duplicates: {{ discovered_group_group_check.stdout_lines }}"
+
+ - name: "7.2.8 | AUDIT | Ensure no duplicate group names exist | Set warning count"
+ when: discovered_dup_group.stdout | length > 0
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
+
+- name: "7.2.9 | PATCH | Ensure local interactive user home directories are configured"
+ when: ubtu22cis_rule_7_2_9
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - users
+ - rule_7.2.9
+ - NIST800-53R5_NA
+ block:
+ - name: "7.2.9 | PATCH | Ensure local interactive user home directories are configured | Create dir if absent"
+ ansible.builtin.file: # noqa risky-file-permissions
+ path: "{{ item.dir }}"
+ state: directory
+ owner: "{{ item.id }}"
+ group: "{{ item.gid }}"
+ loop: "{{ ubtu22cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | list }}"
+ loop_control:
+ label: "{{ item.id }}"
+
+ # set default ACLs so the homedir has an effective umask of 0027
+ - name: "7.2.9 | PATCH | Ensure local interactive user home directories are configured | Set group ACL"
+ when: not system_is_container
+ ansible.posix.acl:
+ path: "{{ item }}"
+ default: true
+ etype: group
+ permissions: rx
+ state: present
+ loop: "{{ prelim_interactive_users_home.stdout_lines }}"
+
+ - name: "7.2.9 | PATCH | Ensure local interactive user home directories are configured | Set other ACL"
+ when: not system_is_container
+ ansible.posix.acl:
+ path: "{{ item }}"
+ default: true
+ etype: other
+ permissions: 0
+ state: present
+ loop: "{{ prelim_interactive_users_home.stdout_lines }}"
+
+- name: "7.2.10 | PATCH | Ensure local interactive user dot files access is configured"
+ when:
+ - ubtu22cis_rule_7_2_10
+ - ubtu22cis_disruption_high
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_7.2.10
+ - user
+ - NIST800-53R5_CM-1
+ - NIST800-53R5_CM-2
+ - NIST800-53R5_CM-6
+ - NIST800-53R5_CM-7
+ - NIST800-53R5_IA-5
+ vars:
+ warn_control_id: "7.2.10"
+ block:
+ - name: "7.2.10 | AUDIT | Ensure local interactive user dot files access is configured | Check for files"
+ ansible.builtin.shell: find /home/ -name "\.*" -perm /g+w,o+w
+ changed_when: false
+ failed_when: discovered_homedir_dot_files.rc not in [ 0, 1 ]
+ check_mode: false
+ register: discovered_homedir_dot_files
+
+ - name: "7.2.10 | AUDIT | Ensure local interactive user dot files access is configured | Warning on files found"
+ when:
+ - discovered_homedir_dot_files.stdout | length > 0
+ - ubtu22cis_dotperm_ansiblemanaged
+ ansible.builtin.debug:
+ msg:
+ - "Warning!! We have discovered group or world-writable dot files on your system and this host is configured for manual intervention. Please investigate
+ these files further."
+
+ - name: "7.2.10 | PATCH | Ensure local interactive user dot files access is configured | Set warning count"
+ when:
+ - discovered_homedir_dot_files.stdout | length > 0
+ - ubtu22cis_dotperm_ansiblemanaged
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
+
+ - name: "7.2.10 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured"
+ when:
+ - discovered_homedir_dot_files.stdout | length > 0
+ - ubtu22cis_dotperm_ansiblemanaged
+ ansible.builtin.file:
+ path: "{{ item }}"
+ mode: 'go-w'
+ with_items: "{{ discovered_homedir_dot_files.stdout_lines }}"
diff --git a/tasks/section_7/main.yml b/tasks/section_7/main.yml
new file mode 100644
index 00000000..2d1247ae
--- /dev/null
+++ b/tasks/section_7/main.yml
@@ -0,0 +1,9 @@
+---
+
+- name: "SECTION | 7.1 | System File Permissions"
+ ansible.builtin.import_tasks:
+ file: cis_7.1.x.yml
+
+- name: "SECTION | 7.2 | Local User and Group Settings"
+ ansible.builtin.import_tasks:
+ file: cis_7.2.x.yml
diff --git a/tasks/warning_facts.yml b/tasks/warning_facts.yml
index 0da92a67..66594eb8 100644
--- a/tasks/warning_facts.yml
+++ b/tasks/warning_facts.yml
@@ -1,5 +1,4 @@ --- - # This task is used to create variables used in giving a warning summary for manual tasks # that need attention # @@ -10,11 +9,11 @@ # # warn_control_id is set within the task itself and has the control ID as the value # -# warn_control_list is the main variable to be used and is a list made up of the warn_control_id’s +# warn_control_list is the main variable to be used and is a list made up of the warn_control_ids # # warn_count is the main variable for the number of warnings and each time a warn_control_id is added # the count increases by a value of 1 -- name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning." +- name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning." # noqa name[template] ansible.builtin.set_fact: - warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]" - warn_count: "{{ warn_count | int + 1 }}" + warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]" + warn_count: "{{ warn_count | int + 1 }}" diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index b6429ca5..e67a077f 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
@@ -1,152 +1,204 @@ ## metadata for Audit benchmark +benchmark_version: {{ benchmark_version }} -benchmark_version: '1.1.0' - -# Some audit tests may need to scan every filesystem or have an impact on a system -# these may need be scheduled to minimise impact also ability to set a timeout if taking too long +# timeout for each command to run where set - default = 10seconds/10000ms timeout_ms: {{ audit_cmd_timeout }} - ubtu22cis_section1: {{ ubtu22cis_section1 }} ubtu22cis_section2: {{ ubtu22cis_section2 }} ubtu22cis_section3: {{ ubtu22cis_section3 }} ubtu22cis_section4: {{ ubtu22cis_section4 }} ubtu22cis_section5: {{ ubtu22cis_section5 }} ubtu22cis_section6: {{ ubtu22cis_section6 }} +ubtu22cis_section7: {{ ubtu22cis_section7 }} ubtu22cis_level_1: {{ ubtu22cis_level_1 }} ubtu22cis_level_2: {{ ubtu22cis_level_2 }} # to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy -run_heavy_tests: true +run_heavy_tests: {{ audit_run_heavy_tests }} # True is BIOS based system else set to false ubtu22_legacy_boot: true -ubtu22_set_boot_pass: true +## +## Rule-specific switches +## +## Use the switches below to disable specific rules independently of the chosen profile +## ## Section 1 Fixes # Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings, # Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager) + +# 1.1 Filesystems +# 1.1.1 Configure Filesystem Kernel Modules ubtu22cis_rule_1_1_1_1: {{ ubtu22cis_rule_1_1_1_1 }} ubtu22cis_rule_1_1_1_2: {{ ubtu22cis_rule_1_1_1_2 }} ubtu22cis_rule_1_1_1_3: {{ ubtu22cis_rule_1_1_1_3 }} -ubtu22cis_rule_1_1_2_1: {{ ubtu22cis_rule_1_1_2_1 }} -ubtu22cis_rule_1_1_2_2: {{ ubtu22cis_rule_1_1_2_2 }} -ubtu22cis_rule_1_1_2_3: {{ ubtu22cis_rule_1_1_2_3 }} -ubtu22cis_rule_1_1_2_4: {{ ubtu22cis_rule_1_1_2_4 }} -ubtu22cis_rule_1_1_3_1: {{ ubtu22cis_rule_1_1_3_1 }} 
-ubtu22cis_rule_1_1_3_2: {{ ubtu22cis_rule_1_1_3_2 }} -ubtu22cis_rule_1_1_3_3: {{ ubtu22cis_rule_1_1_3_3 }} -ubtu22cis_rule_1_1_4_1: {{ ubtu22cis_rule_1_1_4_1 }} -ubtu22cis_rule_1_1_4_2: {{ ubtu22cis_rule_1_1_4_2 }} -ubtu22cis_rule_1_1_4_3: {{ ubtu22cis_rule_1_1_4_3 }} -ubtu22cis_rule_1_1_4_4: {{ ubtu22cis_rule_1_1_4_4 }} -ubtu22cis_rule_1_1_5_1: {{ ubtu22cis_rule_1_1_5_1 }} -ubtu22cis_rule_1_1_5_2: {{ ubtu22cis_rule_1_1_5_2 }} -ubtu22cis_rule_1_1_5_3: {{ ubtu22cis_rule_1_1_5_3 }} -ubtu22cis_rule_1_1_5_4: {{ ubtu22cis_rule_1_1_5_4 }} -ubtu22cis_rule_1_1_6_1: {{ ubtu22cis_rule_1_1_6_1 }} -ubtu22cis_rule_1_1_6_2: {{ ubtu22cis_rule_1_1_6_2 }} -ubtu22cis_rule_1_1_6_3: {{ ubtu22cis_rule_1_1_6_3 }} -ubtu22cis_rule_1_1_6_4: {{ ubtu22cis_rule_1_1_6_4 }} -ubtu22cis_rule_1_1_7_1: {{ ubtu22cis_rule_1_1_7_1 }} -ubtu22cis_rule_1_1_7_2: {{ ubtu22cis_rule_1_1_7_2 }} -ubtu22cis_rule_1_1_7_3: {{ ubtu22cis_rule_1_1_7_3 }} -ubtu22cis_rule_1_1_8_1: {{ ubtu22cis_rule_1_1_8_1 }} -ubtu22cis_rule_1_1_8_2: {{ ubtu22cis_rule_1_1_8_2 }} -ubtu22cis_rule_1_1_8_3: {{ ubtu22cis_rule_1_1_8_3 }} -ubtu22cis_rule_1_1_9: {{ ubtu22cis_rule_1_1_9 }} -ubtu22cis_rule_1_1_10: {{ ubtu22cis_rule_1_1_10 }} -ubtu22cis_rule_1_2_1: {{ ubtu22cis_rule_1_2_1 }} -ubtu22cis_rule_1_2_2: {{ ubtu22cis_rule_1_2_2 }} -ubtu22cis_rule_1_3_1: {{ ubtu22cis_rule_1_3_1 }} -ubtu22cis_rule_1_3_2: {{ ubtu22cis_rule_1_3_2 }} +ubtu22cis_rule_1_1_1_4: {{ ubtu22cis_rule_1_1_1_4 }} +ubtu22cis_rule_1_1_1_5: {{ ubtu22cis_rule_1_1_1_5 }} +ubtu22cis_rule_1_1_1_6: {{ ubtu22cis_rule_1_1_1_6 }} +ubtu22cis_rule_1_1_1_7: {{ ubtu22cis_rule_1_1_1_7 }} +ubtu22cis_rule_1_1_1_8: {{ ubtu22cis_rule_1_1_1_8 }} + +# 1.1.2 Configure Filesystem Partitions +# /tmp +ubtu22cis_rule_1_1_2_1_1: {{ ubtu22cis_rule_1_1_2_1_1 }} +ubtu22cis_rule_1_1_2_1_2: {{ ubtu22cis_rule_1_1_2_1_2 }} +ubtu22cis_rule_1_1_2_1_3: {{ ubtu22cis_rule_1_1_2_1_3 }} +ubtu22cis_rule_1_1_2_1_4: {{ ubtu22cis_rule_1_1_2_1_4 }} + +# /dev/shm +ubtu22cis_rule_1_1_2_2_1: {{ 
ubtu22cis_rule_1_1_2_2_1 }} +ubtu22cis_rule_1_1_2_2_2: {{ ubtu22cis_rule_1_1_2_2_2 }} +ubtu22cis_rule_1_1_2_2_3: {{ ubtu22cis_rule_1_1_2_2_3 }} +ubtu22cis_rule_1_1_2_2_4: {{ ubtu22cis_rule_1_1_2_2_4 }} + +# /home +ubtu22cis_rule_1_1_2_3_1: {{ ubtu22cis_rule_1_1_2_3_1 }} +ubtu22cis_rule_1_1_2_3_2: {{ ubtu22cis_rule_1_1_2_3_2 }} +ubtu22cis_rule_1_1_2_3_3: {{ ubtu22cis_rule_1_1_2_3_3 }} + +# /var +ubtu22cis_rule_1_1_2_4_1: {{ ubtu22cis_rule_1_1_2_4_1 }} +ubtu22cis_rule_1_1_2_4_2: {{ ubtu22cis_rule_1_1_2_4_2 }} +ubtu22cis_rule_1_1_2_4_3: {{ ubtu22cis_rule_1_1_2_4_3 }} + +# /var/tmp +ubtu22cis_rule_1_1_2_5_1: {{ ubtu22cis_rule_1_1_2_5_1 }} +ubtu22cis_rule_1_1_2_5_2: {{ ubtu22cis_rule_1_1_2_5_2 }} +ubtu22cis_rule_1_1_2_5_3: {{ ubtu22cis_rule_1_1_2_5_3 }} +ubtu22cis_rule_1_1_2_5_4: {{ ubtu22cis_rule_1_1_2_5_4 }} + +# /var/log +ubtu22cis_rule_1_1_2_6_1: {{ ubtu22cis_rule_1_1_2_6_1 }} +ubtu22cis_rule_1_1_2_6_2: {{ ubtu22cis_rule_1_1_2_6_2 }} +ubtu22cis_rule_1_1_2_6_3: {{ ubtu22cis_rule_1_1_2_6_3 }} +ubtu22cis_rule_1_1_2_6_4: {{ ubtu22cis_rule_1_1_2_6_4 }} + +# /var/log/audit +ubtu22cis_rule_1_1_2_7_1: {{ ubtu22cis_rule_1_1_2_7_1 }} +ubtu22cis_rule_1_1_2_7_2: {{ ubtu22cis_rule_1_1_2_7_2 }} +ubtu22cis_rule_1_1_2_7_3: {{ ubtu22cis_rule_1_1_2_7_3 }} +ubtu22cis_rule_1_1_2_7_4: {{ ubtu22cis_rule_1_1_2_7_4 }} + +# 1.2 Package mgmt +# 1.2.1 Configure Package repositories +ubtu22cis_rule_1_2_1_1: {{ ubtu22cis_rule_1_2_1_1 }} +ubtu22cis_rule_1_2_1_2: {{ ubtu22cis_rule_1_2_1_2 }} +# 1.2.2 Configure Package updates +ubtu22cis_rule_1_2_2_1: {{ ubtu22cis_rule_1_2_2_1 }} + +# 1.3 Mandatory Access Control +## 1.3.1 Configure AppArmor +ubtu22cis_rule_1_3_1_1: {{ ubtu22cis_rule_1_3_1_1 }} +ubtu22cis_rule_1_3_1_2: {{ ubtu22cis_rule_1_3_1_2 }} +ubtu22cis_rule_1_3_1_3: {{ ubtu22cis_rule_1_3_1_3 }} +ubtu22cis_rule_1_3_1_4: {{ ubtu22cis_rule_1_3_1_4 }} + +# 1.4 Configure Bootloader ubtu22cis_rule_1_4_1: {{ ubtu22cis_rule_1_4_1 }} ubtu22cis_rule_1_4_2: {{ ubtu22cis_rule_1_4_2 }} 
-ubtu22cis_rule_1_4_3: {{ ubtu22cis_rule_1_4_3 }} + +# 1.5 Configure additional Process Hardening ubtu22cis_rule_1_5_1: {{ ubtu22cis_rule_1_5_1 }} ubtu22cis_rule_1_5_2: {{ ubtu22cis_rule_1_5_2 }} ubtu22cis_rule_1_5_3: {{ ubtu22cis_rule_1_5_3 }} ubtu22cis_rule_1_5_4: {{ ubtu22cis_rule_1_5_4 }} -ubtu22cis_rule_1_6_1_1: {{ ubtu22cis_rule_1_6_1_1 }} -ubtu22cis_rule_1_6_1_2: {{ ubtu22cis_rule_1_6_1_2 }} -ubtu22cis_rule_1_6_1_3: {{ ubtu22cis_rule_1_6_1_3 }} -ubtu22cis_rule_1_6_1_4: {{ ubtu22cis_rule_1_6_1_4 }} +ubtu22cis_rule_1_5_5: {{ ubtu22cis_rule_1_5_5 }} + +# 1.6 Configure Command Line Warning Banners +ubtu22cis_rule_1_6_1: {{ ubtu22cis_rule_1_6_1 }} +ubtu22cis_rule_1_6_2: {{ ubtu22cis_rule_1_6_2 }} +ubtu22cis_rule_1_6_3: {{ ubtu22cis_rule_1_6_3 }} +ubtu22cis_rule_1_6_4: {{ ubtu22cis_rule_1_6_4 }} +ubtu22cis_rule_1_6_5: {{ ubtu22cis_rule_1_6_5 }} +ubtu22cis_rule_1_6_6: {{ ubtu22cis_rule_1_6_6 }} + +# 1.7 Configure GNOME Display Manager ubtu22cis_rule_1_7_1: {{ ubtu22cis_rule_1_7_1 }} ubtu22cis_rule_1_7_2: {{ ubtu22cis_rule_1_7_2 }} ubtu22cis_rule_1_7_3: {{ ubtu22cis_rule_1_7_3 }} ubtu22cis_rule_1_7_4: {{ ubtu22cis_rule_1_7_4 }} ubtu22cis_rule_1_7_5: {{ ubtu22cis_rule_1_7_5 }} ubtu22cis_rule_1_7_6: {{ ubtu22cis_rule_1_7_6 }} -ubtu22cis_rule_1_8_1: {{ ubtu22cis_rule_1_8_1 }} -ubtu22cis_rule_1_8_2: {{ ubtu22cis_rule_1_8_2 }} -ubtu22cis_rule_1_8_3: {{ ubtu22cis_rule_1_8_3 }} -ubtu22cis_rule_1_8_4: {{ ubtu22cis_rule_1_8_4 }} -ubtu22cis_rule_1_8_5: {{ ubtu22cis_rule_1_8_5 }} -ubtu22cis_rule_1_8_6: {{ ubtu22cis_rule_1_8_6 }} -ubtu22cis_rule_1_8_7: {{ ubtu22cis_rule_1_8_7 }} -ubtu22cis_rule_1_8_8: {{ ubtu22cis_rule_1_8_8 }} -ubtu22cis_rule_1_8_9: {{ ubtu22cis_rule_1_8_9 }} -ubtu22cis_rule_1_8_10: {{ ubtu22cis_rule_1_8_10 }} -ubtu22cis_rule_1_9: {{ ubtu22cis_rule_1_9 }} - -# Section 2 Fixes +ubtu22cis_rule_1_7_7: {{ ubtu22cis_rule_1_7_7 }} +ubtu22cis_rule_1_7_8: {{ ubtu22cis_rule_1_7_8 }} +ubtu22cis_rule_1_7_9: {{ ubtu22cis_rule_1_7_9 }} +ubtu22cis_rule_1_7_10: {{ 
ubtu22cis_rule_1_7_10 }} + +## Section 2 Fixes # Section 2 is Services (Special Purpose Services, and service clients) -ubtu22cis_rule_2_1_1_1: {{ ubtu22cis_rule_2_1_1_1 }} -ubtu22cis_rule_2_1_1_2: {{ ubtu22cis_rule_2_1_1_2 }} -ubtu22cis_rule_2_1_1_3: {{ ubtu22cis_rule_2_1_1_3 }} -ubtu22cis_rule_2_1_1_4: {{ ubtu22cis_rule_2_1_1_4 }} -# Chrony -ubtu22cis_rule_2_1_2_1: {{ ubtu22cis_rule_2_1_2_1 }} -ubtu22cis_rule_2_1_2_2: {{ ubtu22cis_rule_2_1_2_2 }} -ubtu22cis_rule_2_1_2_3: {{ ubtu22cis_rule_2_1_2_3 }} -# systemd-timesyncd -ubtu22cis_rule_2_1_3_1: {{ ubtu22cis_rule_2_1_3_1 }} -ubtu22cis_rule_2_1_3_2: {{ ubtu22cis_rule_2_1_3_2 }} -# ntp -ubtu22cis_rule_2_1_4_1: {{ ubtu22cis_rule_2_1_4_1 }} -ubtu22cis_rule_2_1_4_2: {{ ubtu22cis_rule_2_1_4_2 }} -ubtu22cis_rule_2_1_4_3: {{ ubtu22cis_rule_2_1_4_3 }} -ubtu22cis_rule_2_1_4_4: {{ ubtu22cis_rule_2_1_4_4 }} -# Services + +# 2.1 Configure Server Services +ubtu22cis_rule_2_1_1: {{ ubtu22cis_rule_2_1_1 }} +ubtu22cis_rule_2_1_2: {{ ubtu22cis_rule_2_1_2 }} +ubtu22cis_rule_2_1_3: {{ ubtu22cis_rule_2_1_3 }} +ubtu22cis_rule_2_1_4: {{ ubtu22cis_rule_2_1_4 }} +ubtu22cis_rule_2_1_5: {{ ubtu22cis_rule_2_1_5 }} +ubtu22cis_rule_2_1_6: {{ ubtu22cis_rule_2_1_6 }} +ubtu22cis_rule_2_1_7: {{ ubtu22cis_rule_2_1_7 }} +ubtu22cis_rule_2_1_8: {{ ubtu22cis_rule_2_1_8 }} +ubtu22cis_rule_2_1_9: {{ ubtu22cis_rule_2_1_9 }} +ubtu22cis_rule_2_1_10: {{ ubtu22cis_rule_2_1_10 }} +ubtu22cis_rule_2_1_11: {{ ubtu22cis_rule_2_1_11 }} +ubtu22cis_rule_2_1_12: {{ ubtu22cis_rule_2_1_12 }} +ubtu22cis_rule_2_1_13: {{ ubtu22cis_rule_2_1_13 }} +ubtu22cis_rule_2_1_14: {{ ubtu22cis_rule_2_1_14 }} +ubtu22cis_rule_2_1_15: {{ ubtu22cis_rule_2_1_15 }} +ubtu22cis_rule_2_1_16: {{ ubtu22cis_rule_2_1_16 }} +ubtu22cis_rule_2_1_17: {{ ubtu22cis_rule_2_1_17 }} +ubtu22cis_rule_2_1_18: {{ ubtu22cis_rule_2_1_18 }} +ubtu22cis_rule_2_1_19: {{ ubtu22cis_rule_2_1_19 }} +ubtu22cis_rule_2_1_20: {{ ubtu22cis_rule_2_1_20 }} +ubtu22cis_rule_2_1_21: {{ ubtu22cis_rule_2_1_21 }} 
+ubtu22cis_rule_2_1_22: {{ ubtu22cis_rule_2_1_22 }} + +# 2.2 Configure client services ubtu22cis_rule_2_2_1: {{ ubtu22cis_rule_2_2_1 }} ubtu22cis_rule_2_2_2: {{ ubtu22cis_rule_2_2_2 }} ubtu22cis_rule_2_2_3: {{ ubtu22cis_rule_2_2_3 }} ubtu22cis_rule_2_2_4: {{ ubtu22cis_rule_2_2_4 }} ubtu22cis_rule_2_2_5: {{ ubtu22cis_rule_2_2_5 }} ubtu22cis_rule_2_2_6: {{ ubtu22cis_rule_2_2_6 }} -ubtu22cis_rule_2_2_7: {{ ubtu22cis_rule_2_2_7 }} -ubtu22cis_rule_2_2_8: {{ ubtu22cis_rule_2_2_8 }} -ubtu22cis_rule_2_2_9: {{ ubtu22cis_rule_2_2_9 }} -ubtu22cis_rule_2_2_10: {{ ubtu22cis_rule_2_2_10 }} -ubtu22cis_rule_2_2_11: {{ ubtu22cis_rule_2_2_11 }} -ubtu22cis_rule_2_2_12: {{ ubtu22cis_rule_2_2_12 }} -ubtu22cis_rule_2_2_13: {{ ubtu22cis_rule_2_2_13 }} -ubtu22cis_rule_2_2_14: {{ ubtu22cis_rule_2_2_14 }} -ubtu22cis_rule_2_2_15: {{ ubtu22cis_rule_2_2_15 }} -ubtu22cis_rule_2_2_16: {{ ubtu22cis_rule_2_2_16 }} -ubtu22cis_rule_2_2_17: {{ ubtu22cis_rule_2_2_17 }} -# Service Client -ubtu22cis_rule_2_3_1: {{ ubtu22cis_rule_2_3_1 }} -ubtu22cis_rule_2_3_2: {{ ubtu22cis_rule_2_3_2 }} -ubtu22cis_rule_2_3_3: {{ ubtu22cis_rule_2_3_3 }} -ubtu22cis_rule_2_3_4: {{ ubtu22cis_rule_2_3_4 }} -ubtu22cis_rule_2_3_5: {{ ubtu22cis_rule_2_3_5 }} -ubtu22cis_rule_2_3_6: {{ ubtu22cis_rule_2_3_6 }} -# Non-essential services -ubtu22cis_rule_2_4: {{ ubtu22cis_rule_2_4 }} - -# Section 3 Network Configuration -# Disable Unused Network + +# Ensure time synchronization is in use +ubtu22cis_rule_2_3_1_1: {{ ubtu22cis_rule_2_3_1_1 }} +# Configure systemd-timesyncd +ubtu22cis_rule_2_3_2_1: {{ ubtu22cis_rule_2_3_2_1 }} +ubtu22cis_rule_2_3_2_2: {{ ubtu22cis_rule_2_3_2_2 }} +# Configure Chrony +ubtu22cis_rule_2_3_3_1: {{ ubtu22cis_rule_2_3_3_1 }} +ubtu22cis_rule_2_3_3_2: {{ ubtu22cis_rule_2_3_3_2 }} +ubtu22cis_rule_2_3_3_3: {{ ubtu22cis_rule_2_3_3_3 }} + +# 2.4 Job Schedulers +# 2.4.1 Configure Cron +ubtu22cis_rule_2_4_1_1: {{ ubtu22cis_rule_2_4_1_1 }} +ubtu22cis_rule_2_4_1_2: {{ ubtu22cis_rule_2_4_1_2 }} +ubtu22cis_rule_2_4_1_3: 
{{ ubtu22cis_rule_2_4_1_3 }} +ubtu22cis_rule_2_4_1_4: {{ ubtu22cis_rule_2_4_1_4 }} +ubtu22cis_rule_2_4_1_5: {{ ubtu22cis_rule_2_4_1_5 }} +ubtu22cis_rule_2_4_1_6: {{ ubtu22cis_rule_2_4_1_6 }} +ubtu22cis_rule_2_4_1_7: {{ ubtu22cis_rule_2_4_1_7 }} +ubtu22cis_rule_2_4_1_8: {{ ubtu22cis_rule_2_4_1_8 }} +# Configure At +ubtu22cis_rule_2_4_2_1: {{ ubtu22cis_rule_2_4_2_1 }} + +## Section 3 Network Configuration +# 3.1 Configure Network Devices ubtu22cis_rule_3_1_1: {{ ubtu22cis_rule_3_1_1 }} ubtu22cis_rule_3_1_2: {{ ubtu22cis_rule_3_1_2 }} -# Network Parameters (Host Only) +ubtu22cis_rule_3_1_3: {{ ubtu22cis_rule_3_1_3 }} +# 3.2 Configure Network Kernel Modules (Host Only) ubtu22cis_rule_3_2_1: {{ ubtu22cis_rule_3_2_1 }} ubtu22cis_rule_3_2_2: {{ ubtu22cis_rule_3_2_2 }} -# Network Parameters (Host and Router) +ubtu22cis_rule_3_2_3: {{ ubtu22cis_rule_3_2_3 }} +ubtu22cis_rule_3_2_4: {{ ubtu22cis_rule_3_2_4 }} +# 3.3 Configure Network Kernel Parameters (Host and Router) ubtu22cis_rule_3_3_1: {{ ubtu22cis_rule_3_3_1 }} ubtu22cis_rule_3_3_2: {{ ubtu22cis_rule_3_3_2 }} ubtu22cis_rule_3_3_3: {{ ubtu22cis_rule_3_3_3 }} 
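Review bot: `benchmark_version: {{ benchmark_version }}` at the top of the hunk renders the version unquoted, whereas the line it replaces was the quoted literal `'1.1.0'`; a version such as `1.0` or `1.20` would be read as a float by the YAML loader that consumes the rendered vars file. Quote the rendered scalar: `benchmark_version: "{{ benchmark_version }}"`. In the same hunk `ubtu22_legacy_boot: true` is still a hard-coded literal while `run_heavy_tests` was moved to `{{ audit_run_heavy_tests }}`; if that switch is meant to be host-specific it should presumably follow the same templated pattern.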
@@ -156,115 +208,47 @@ ubtu22cis_rule_3_3_6: {{ ubtu22cis_rule_3_3_6 }} ubtu22cis_rule_3_3_7: {{ ubtu22cis_rule_3_3_7 }} ubtu22cis_rule_3_3_8: {{ ubtu22cis_rule_3_3_8 }} ubtu22cis_rule_3_3_9: {{ ubtu22cis_rule_3_3_9 }} -# Uncommon Network Protocols -ubtu22cis_rule_3_4_1: {{ ubtu22cis_rule_3_4_1 }} -ubtu22cis_rule_3_4_2: {{ ubtu22cis_rule_3_4_2 }} -ubtu22cis_rule_3_4_3: {{ ubtu22cis_rule_3_4_3 }} -ubtu22cis_rule_3_4_4: {{ ubtu22cis_rule_3_4_4 }} -# Firewall Configuration -# UFW -ubtu22cis_rule_3_5_1_1: {{ ubtu22cis_rule_3_5_1_1 }} -ubtu22cis_rule_3_5_1_2: {{ ubtu22cis_rule_3_5_1_2 }} -ubtu22cis_rule_3_5_1_3: {{ ubtu22cis_rule_3_5_1_3 }} -ubtu22cis_rule_3_5_1_4: {{ ubtu22cis_rule_3_5_1_4 }} -ubtu22cis_rule_3_5_1_5: {{ ubtu22cis_rule_3_5_1_5 }} -ubtu22cis_rule_3_5_1_6: {{ ubtu22cis_rule_3_5_1_6 }} -ubtu22cis_rule_3_5_1_7: {{ ubtu22cis_rule_3_5_1_7 }} -# nftables -ubtu22cis_rule_3_5_2_1: {{ ubtu22cis_rule_3_5_2_1 }} -ubtu22cis_rule_3_5_2_2: {{ ubtu22cis_rule_3_5_2_2 }} -ubtu22cis_rule_3_5_2_3: {{ ubtu22cis_rule_3_5_2_3 }} -ubtu22cis_rule_3_5_2_4: {{ ubtu22cis_rule_3_5_2_4 }} -ubtu22cis_rule_3_5_2_5: {{ ubtu22cis_rule_3_5_2_5 }} -ubtu22cis_rule_3_5_2_6: {{ ubtu22cis_rule_3_5_2_6 }} -ubtu22cis_rule_3_5_2_7: {{ ubtu22cis_rule_3_5_2_7 }} -ubtu22cis_rule_3_5_2_8: {{ ubtu22cis_rule_3_5_2_8 }} -ubtu22cis_rule_3_5_2_9: {{ ubtu22cis_rule_3_5_2_9 }} -ubtu22cis_rule_3_5_2_10: {{ ubtu22cis_rule_3_5_2_10 }} -# iptables -ubtu22cis_rule_3_5_3_1_1: {{ ubtu22cis_rule_3_5_3_1_1 }} -ubtu22cis_rule_3_5_3_1_2: {{ ubtu22cis_rule_3_5_3_1_2 }} -ubtu22cis_rule_3_5_3_1_3: {{ ubtu22cis_rule_3_5_3_1_3 }} -ubtu22cis_rule_3_5_3_2_1: {{ ubtu22cis_rule_3_5_3_2_1 }} -ubtu22cis_rule_3_5_3_2_2: {{ ubtu22cis_rule_3_5_3_2_2 }} -ubtu22cis_rule_3_5_3_2_3: {{ ubtu22cis_rule_3_5_3_2_3 }} -ubtu22cis_rule_3_5_3_2_4: {{ ubtu22cis_rule_3_5_3_2_4 }} -ubtu22cis_rule_3_5_3_3_1: {{ ubtu22cis_rule_3_5_3_3_1 }} -ubtu22cis_rule_3_5_3_3_2: {{ ubtu22cis_rule_3_5_3_3_2 }} -ubtu22cis_rule_3_5_3_3_3: {{ 
ubtu22cis_rule_3_5_3_3_3 }} -ubtu22cis_rule_3_5_3_3_4: {{ ubtu22cis_rule_3_5_3_3_4 }} - -# Section 4 Fixes -# Section 4 is Logging and Auditing (Configure System Accounting (auditd), Configure Data Retention, and Configure Logging) -ubtu22cis_rule_4_1_1_1: {{ ubtu22cis_rule_4_1_1_1 }} -ubtu22cis_rule_4_1_1_2: {{ ubtu22cis_rule_4_1_1_2 }} -ubtu22cis_rule_4_1_1_3: {{ ubtu22cis_rule_4_1_1_3 }} -ubtu22cis_rule_4_1_1_4: {{ ubtu22cis_rule_4_1_1_4 }} -ubtu22cis_rule_4_1_2_1: {{ ubtu22cis_rule_4_1_2_1 }} -ubtu22cis_rule_4_1_2_2: {{ ubtu22cis_rule_4_1_2_2 }} -ubtu22cis_rule_4_1_2_3: {{ ubtu22cis_rule_4_1_2_3 }} -# Auditd rules -ubtu22cis_rule_4_1_3_1: {{ ubtu22cis_rule_4_1_3_1 }} -ubtu22cis_rule_4_1_3_2: {{ ubtu22cis_rule_4_1_3_2 }} -ubtu22cis_rule_4_1_3_3: {{ ubtu22cis_rule_4_1_3_3 }} -ubtu22cis_rule_4_1_3_4: {{ ubtu22cis_rule_4_1_3_4 }} -ubtu22cis_rule_4_1_3_5: {{ ubtu22cis_rule_4_1_3_5 }} -ubtu22cis_rule_4_1_3_6: {{ ubtu22cis_rule_4_1_3_6 }} -ubtu22cis_rule_4_1_3_7: {{ ubtu22cis_rule_4_1_3_7 }} -ubtu22cis_rule_4_1_3_8: {{ ubtu22cis_rule_4_1_3_8 }} -ubtu22cis_rule_4_1_3_9: {{ ubtu22cis_rule_4_1_3_9 }} -ubtu22cis_rule_4_1_3_10: {{ ubtu22cis_rule_4_1_3_10 }} -ubtu22cis_rule_4_1_3_11: {{ ubtu22cis_rule_4_1_3_11 }} -ubtu22cis_rule_4_1_3_12: {{ ubtu22cis_rule_4_1_3_12 }} -ubtu22cis_rule_4_1_3_13: {{ ubtu22cis_rule_4_1_3_13 }} -ubtu22cis_rule_4_1_3_14: {{ ubtu22cis_rule_4_1_3_14 }} -ubtu22cis_rule_4_1_3_15: {{ ubtu22cis_rule_4_1_3_15 }} -ubtu22cis_rule_4_1_3_16: {{ ubtu22cis_rule_4_1_3_16 }} -ubtu22cis_rule_4_1_3_17: {{ ubtu22cis_rule_4_1_3_17 }} -ubtu22cis_rule_4_1_3_18: {{ ubtu22cis_rule_4_1_3_18 }} -ubtu22cis_rule_4_1_3_19: {{ ubtu22cis_rule_4_1_3_19 }} -ubtu22cis_rule_4_1_3_20: {{ ubtu22cis_rule_4_1_3_20 }} -ubtu22cis_rule_4_1_3_21: {{ ubtu22cis_rule_4_1_3_21 }} -# Auditd file access -ubtu22cis_rule_4_1_4_1: {{ ubtu22cis_rule_4_1_4_1 }} -ubtu22cis_rule_4_1_4_2: {{ ubtu22cis_rule_4_1_4_2 }} -ubtu22cis_rule_4_1_4_3: {{ ubtu22cis_rule_4_1_4_3 }} -ubtu22cis_rule_4_1_4_4: {{ 
ubtu22cis_rule_4_1_4_4 }} -ubtu22cis_rule_4_1_4_5: {{ ubtu22cis_rule_4_1_4_5 }} -ubtu22cis_rule_4_1_4_6: {{ ubtu22cis_rule_4_1_4_6 }} -ubtu22cis_rule_4_1_4_7: {{ ubtu22cis_rule_4_1_4_7 }} -ubtu22cis_rule_4_1_4_8: {{ ubtu22cis_rule_4_1_4_8 }} -ubtu22cis_rule_4_1_4_9: {{ ubtu22cis_rule_4_1_4_9 }} -ubtu22cis_rule_4_1_4_10: {{ ubtu22cis_rule_4_1_4_10 }} -ubtu22cis_rule_4_1_4_11: {{ ubtu22cis_rule_4_1_4_11 }} -# Configure Logging -## journald -ubtu22cis_rule_4_2_1_1_1: {{ ubtu22cis_rule_4_2_1_1_1 }} -ubtu22cis_rule_4_2_1_1_2: {{ ubtu22cis_rule_4_2_1_1_2 }} -ubtu22cis_rule_4_2_1_1_3: {{ ubtu22cis_rule_4_2_1_1_1 }} -ubtu22cis_rule_4_2_1_1_4: {{ ubtu22cis_rule_4_2_1_1_1 }} -ubtu22cis_rule_4_2_1_1: {{ ubtu22cis_rule_4_2_1_1 }} -ubtu22cis_rule_4_2_1_2: {{ ubtu22cis_rule_4_2_1_2 }} -ubtu22cis_rule_4_2_1_3: {{ ubtu22cis_rule_4_2_1_3 }} -ubtu22cis_rule_4_2_1_4: {{ ubtu22cis_rule_4_2_1_4 }} -ubtu22cis_rule_4_2_1_5: {{ ubtu22cis_rule_4_2_1_5 }} -ubtu22cis_rule_4_2_1_6: {{ ubtu22cis_rule_4_2_1_6 }} -ubtu22cis_rule_4_2_1_7: {{ ubtu22cis_rule_4_2_1_7 }} -# rsyslog -ubtu22cis_rule_4_2_2_1: {{ ubtu22cis_rule_4_2_2_1 }} -ubtu22cis_rule_4_2_2_2: {{ ubtu22cis_rule_4_2_2_2 }} -ubtu22cis_rule_4_2_2_3: {{ ubtu22cis_rule_4_2_2_3 }} -ubtu22cis_rule_4_2_2_4: {{ ubtu22cis_rule_4_2_2_4 }} -ubtu22cis_rule_4_2_2_5: {{ ubtu22cis_rule_4_2_2_5 }} -ubtu22cis_rule_4_2_2_6: {{ ubtu22cis_rule_4_2_2_6 }} -ubtu22cis_rule_4_2_2_7: {{ ubtu22cis_rule_4_2_2_7 }} +ubtu22cis_rule_3_3_10: {{ ubtu22cis_rule_3_3_10 }} +ubtu22cis_rule_3_3_11: {{ ubtu22cis_rule_3_3_11 }} + +## Section 4 Host Based Firewall +# 4.1 Configure UncomplicatedFirewall +ubtu22cis_rule_4_1_1: {{ ubtu22cis_rule_4_1_1 }} +ubtu22cis_rule_4_1_2: {{ ubtu22cis_rule_4_1_2 }} +ubtu22cis_rule_4_1_3: {{ ubtu22cis_rule_4_1_3 }} +ubtu22cis_rule_4_1_4: {{ ubtu22cis_rule_4_1_4 }} +ubtu22cis_rule_4_1_5: {{ ubtu22cis_rule_4_1_5 }} +ubtu22cis_rule_4_1_6: {{ ubtu22cis_rule_4_1_6 }} +ubtu22cis_rule_4_1_7: {{ ubtu22cis_rule_4_1_7 }} +# 4.2 Configure nftables 
+ubtu22cis_rule_4_2_1: {{ ubtu22cis_rule_4_2_1 }} +ubtu22cis_rule_4_2_2: {{ ubtu22cis_rule_4_2_2 }} ubtu22cis_rule_4_2_3: {{ ubtu22cis_rule_4_2_3 }} -ubtu22cis_rule_4_3: {{ ubtu22cis_rule_4_3}} -ubtu22cis_rule_4_4: {{ ubtu22cis_rule_4_4 }} - -# Section 5 Fixes -# Section 5 is Access, Authentication, and Authorization (Configure time-based job schedulers, Configure sudo, Configure SSH Server, Configure PAM -# and User Accounts and Environment) +ubtu22cis_rule_4_2_4: {{ ubtu22cis_rule_4_2_4 }} +ubtu22cis_rule_4_2_5: {{ ubtu22cis_rule_4_2_5 }} +ubtu22cis_rule_4_2_6: {{ ubtu22cis_rule_4_2_6 }} +ubtu22cis_rule_4_2_7: {{ ubtu22cis_rule_4_2_7 }} +ubtu22cis_rule_4_2_8: {{ ubtu22cis_rule_4_2_8 }} +ubtu22cis_rule_4_2_9: {{ ubtu22cis_rule_4_2_9 }} +ubtu22cis_rule_4_2_10: {{ ubtu22cis_rule_4_2_10 }} +# Configure iptables software +ubtu22cis_rule_4_3_1_1: {{ ubtu22cis_rule_4_3_1_1 }} +ubtu22cis_rule_4_3_1_2: {{ ubtu22cis_rule_4_3_1_2 }} +ubtu22cis_rule_4_3_1_3: {{ ubtu22cis_rule_4_3_1_3 }} + +# Configure IPv4 iptables +ubtu22cis_rule_4_3_2_1: {{ ubtu22cis_rule_4_3_2_1 }} +ubtu22cis_rule_4_3_2_2: {{ ubtu22cis_rule_4_3_2_2 }} +ubtu22cis_rule_4_3_2_3: {{ ubtu22cis_rule_4_3_2_3 }} +ubtu22cis_rule_4_3_2_4: {{ ubtu22cis_rule_4_3_2_4 }} +# Configure IPv5 iptables +ubtu22cis_rule_4_3_3_1: {{ ubtu22cis_rule_4_3_3_1 }} +ubtu22cis_rule_4_3_3_2: {{ ubtu22cis_rule_4_3_3_2 }} +ubtu22cis_rule_4_3_3_3: {{ ubtu22cis_rule_4_3_3_3 }} +ubtu22cis_rule_4_3_3_4: {{ ubtu22cis_rule_4_3_3_4 }} + +## Section 5 Access Control +# 5.1 Configure SSH Server ubtu22cis_rule_5_1_1: {{ ubtu22cis_rule_5_1_1 }} ubtu22cis_rule_5_1_2: {{ ubtu22cis_rule_5_1_2 }} ubtu22cis_rule_5_1_3: {{ ubtu22cis_rule_5_1_3 }} 
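Review bot: The new heading `# Configure IPv5 iptables` above the `ubtu22cis_rule_4_3_3_*` switches looks like a typo; the group that follows the IPv4 block (and mirrors the removed `3_5_3_3_*` four-rule group) is the IPv6 ip6tables set, so it should read `# Configure IPv6 iptables`. The three iptables headings in this hunk also drop the section-number prefix used elsewhere in the file (`# 4.2 Configure nftables`, `# 4.1 Configure UncomplicatedFirewall`); `# 4.3.1 Configure iptables software`, `# 4.3.2 Configure IPv4 iptables` and `# 4.3.3 Configure IPv6 iptables` would keep the heading style consistent.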
@@ -274,7 +258,20 @@ ubtu22cis_rule_5_1_6: {{ ubtu22cis_rule_5_1_6 }} ubtu22cis_rule_5_1_7: {{ ubtu22cis_rule_5_1_7 }} ubtu22cis_rule_5_1_8: {{ ubtu22cis_rule_5_1_8 }} ubtu22cis_rule_5_1_9: {{ ubtu22cis_rule_5_1_9 }} - +ubtu22cis_rule_5_1_10: {{ ubtu22cis_rule_5_1_10 }} +ubtu22cis_rule_5_1_11: {{ ubtu22cis_rule_5_1_11 }} +ubtu22cis_rule_5_1_12: {{ ubtu22cis_rule_5_1_12 }} +ubtu22cis_rule_5_1_13: {{ ubtu22cis_rule_5_1_13 }} +ubtu22cis_rule_5_1_14: {{ ubtu22cis_rule_5_1_14 }} +ubtu22cis_rule_5_1_15: {{ ubtu22cis_rule_5_1_15 }} +ubtu22cis_rule_5_1_16: {{ ubtu22cis_rule_5_1_16 }} +ubtu22cis_rule_5_1_17: {{ ubtu22cis_rule_5_1_17 }} +ubtu22cis_rule_5_1_18: {{ ubtu22cis_rule_5_1_18 }} +ubtu22cis_rule_5_1_19: {{ ubtu22cis_rule_5_1_19 }} +ubtu22cis_rule_5_1_20: {{ ubtu22cis_rule_5_1_20 }} +ubtu22cis_rule_5_1_21: {{ ubtu22cis_rule_5_1_21 }} +ubtu22cis_rule_5_1_22: {{ ubtu22cis_rule_5_1_22 }} +# 5.2 Configure privilege escalation ubtu22cis_rule_5_2_1: {{ ubtu22cis_rule_5_2_1 }} ubtu22cis_rule_5_2_2: {{ ubtu22cis_rule_5_2_2 }} ubtu22cis_rule_5_2_3: {{ ubtu22cis_rule_5_2_3 }} 
@@ -282,240 +279,378 @@ ubtu22cis_rule_5_2_4: {{ ubtu22cis_rule_5_2_4 }}
 ubtu22cis_rule_5_2_5: {{ ubtu22cis_rule_5_2_5 }}
 ubtu22cis_rule_5_2_6: {{ ubtu22cis_rule_5_2_6 }}
 ubtu22cis_rule_5_2_7: {{ ubtu22cis_rule_5_2_7 }}
-ubtu22cis_rule_5_2_8: {{ ubtu22cis_rule_5_2_8 }}
-ubtu22cis_rule_5_2_9: {{ ubtu22cis_rule_5_2_9 }}
-ubtu22cis_rule_5_2_10: {{ ubtu22cis_rule_5_2_10 }}
-ubtu22cis_rule_5_2_11: {{ ubtu22cis_rule_5_2_11 }}
-ubtu22cis_rule_5_2_12: {{ ubtu22cis_rule_5_2_12 }}
-ubtu22cis_rule_5_2_13: {{ ubtu22cis_rule_5_2_13 }}
-ubtu22cis_rule_5_2_14: {{ ubtu22cis_rule_5_2_14 }}
-ubtu22cis_rule_5_2_15: {{ ubtu22cis_rule_5_2_15 }}
-ubtu22cis_rule_5_2_16: {{ ubtu22cis_rule_5_2_16 }}
-ubtu22cis_rule_5_2_17: {{ ubtu22cis_rule_5_2_17 }}
-ubtu22cis_rule_5_2_18: {{ ubtu22cis_rule_5_2_18 }}
-ubtu22cis_rule_5_2_19: {{ ubtu22cis_rule_5_2_19 }}
-ubtu22cis_rule_5_2_20: {{ ubtu22cis_rule_5_2_20 }}
-ubtu22cis_rule_5_2_21: {{ ubtu22cis_rule_5_2_21 }}
-ubtu22cis_rule_5_2_22: {{ ubtu22cis_rule_5_2_22 }}
-ubtu22cis_rule_5_3_1: {{ ubtu22cis_rule_5_3_1 }}
-ubtu22cis_rule_5_3_2: {{ ubtu22cis_rule_5_3_2 }}
-ubtu22cis_rule_5_3_3: {{ ubtu22cis_rule_5_3_3 }}
-ubtu22cis_rule_5_3_4: {{ ubtu22cis_rule_5_3_4 }}
-ubtu22cis_rule_5_3_5: {{ ubtu22cis_rule_5_3_5 }}
-ubtu22cis_rule_5_3_6: {{ ubtu22cis_rule_5_3_6 }}
-ubtu22cis_rule_5_3_7: {{ ubtu22cis_rule_5_3_7 }}
-ubtu22cis_rule_5_4_1: {{ ubtu22cis_rule_5_4_1 }}
-ubtu22cis_rule_5_4_2: {{ ubtu22cis_rule_5_4_2 }}
-ubtu22cis_rule_5_4_3: {{ ubtu22cis_rule_5_4_3 }}
-ubtu22cis_rule_5_4_4: {{ ubtu22cis_rule_5_4_4 }}
-ubtu22cis_rule_5_4_5: {{ ubtu22cis_rule_5_4_5 }}
-ubtu22cis_rule_5_5_1_1: {{ ubtu22cis_rule_5_5_1_1 }}
-ubtu22cis_rule_5_5_1_2: {{ ubtu22cis_rule_5_5_1_2 }}
-ubtu22cis_rule_5_5_1_3: {{ ubtu22cis_rule_5_5_1_3 }}
-ubtu22cis_rule_5_5_1_4: {{ ubtu22cis_rule_5_5_1_4 }}
-ubtu22cis_rule_5_5_1_5: {{ ubtu22cis_rule_5_5_1_5 }}
-ubtu22cis_rule_5_5_2: {{ ubtu22cis_rule_5_5_2 }}
-ubtu22cis_rule_5_5_3: {{ ubtu22cis_rule_5_5_3 }}
-ubtu22cis_rule_5_5_4: {{
ubtu22cis_rule_5_5_4 }}
-ubtu22cis_rule_5_5_5: {{ ubtu22cis_rule_5_5_5 }}
-ubtu22cis_rule_5_6: {{ ubtu22cis_rule_5_6 }}
-ubtu22cis_rule_5_7: {{ ubtu22cis_rule_5_7 }}
-
-# Section 6 Fixes
-# Section is Systme Maintenance (System File Permissions and User and Group Settings)
+# 5.3.1 Configure PAM software packages
+ubtu22cis_rule_5_3_1_1: {{ ubtu22cis_rule_5_3_1_1 }}
+ubtu22cis_rule_5_3_1_2: {{ ubtu22cis_rule_5_3_1_2 }}
+ubtu22cis_rule_5_3_1_3: {{ ubtu22cis_rule_5_3_1_3 }}
+# 5.3.2 Configure pam-auth-update profiles
+ubtu22cis_rule_5_3_2_1: {{ ubtu22cis_rule_5_3_2_1 }}
+ubtu22cis_rule_5_3_2_2: {{ ubtu22cis_rule_5_3_2_2 }}
+ubtu22cis_rule_5_3_2_3: {{ ubtu22cis_rule_5_3_2_3 }}
+ubtu22cis_rule_5_3_2_4: {{ ubtu22cis_rule_5_3_2_4 }}
+# 5.3.3.1 Configure pam_faillock module
+ubtu22cis_rule_5_3_3_1_1: {{ ubtu22cis_rule_5_3_3_1_1 }}
+ubtu22cis_rule_5_3_3_1_2: {{ ubtu22cis_rule_5_3_3_1_2 }}
+ubtu22cis_rule_5_3_3_1_3: {{ ubtu22cis_rule_5_3_3_1_3 }}
+# 5.3.3.2 Configure pam_quality module
+ubtu22cis_rule_5_3_3_2_1: {{ ubtu22cis_rule_5_3_3_2_1 }}
+ubtu22cis_rule_5_3_3_2_2: {{ ubtu22cis_rule_5_3_3_2_2 }}
+ubtu22cis_rule_5_3_3_2_3: {{ ubtu22cis_rule_5_3_3_2_3 }}
+ubtu22cis_rule_5_3_3_2_4: {{ ubtu22cis_rule_5_3_3_2_4 }}
+ubtu22cis_rule_5_3_3_2_5: {{ ubtu22cis_rule_5_3_3_2_5 }}
+ubtu22cis_rule_5_3_3_2_6: {{ ubtu22cis_rule_5_3_3_2_6 }}
+ubtu22cis_rule_5_3_3_2_7: {{ ubtu22cis_rule_5_3_3_2_7 }}
+ubtu22cis_rule_5_3_3_2_8: {{ ubtu22cis_rule_5_3_3_2_8 }}
+# 5.3.3.3 Configure pam_history module
+# This are added as part of 5.3.2.4 using jinja2 template
+ubtu22cis_rule_5_3_3_3_1: {{ ubtu22cis_rule_5_3_3_3_1 }}
+ubtu22cis_rule_5_3_3_3_2: {{ ubtu22cis_rule_5_3_3_3_2 }}
+ubtu22cis_rule_5_3_3_3_3: {{ ubtu22cis_rule_5_3_3_3_3 }}
+# 5.3.3.4 Configure pam_unix module
+ubtu22cis_rule_5_3_3_4_1: {{ ubtu22cis_rule_5_3_3_4_1 }}
+ubtu22cis_rule_5_3_3_4_2: {{ ubtu22cis_rule_5_3_3_4_2 }}
+ubtu22cis_rule_5_3_3_4_3: {{ ubtu22cis_rule_5_3_3_4_3 }}
+ubtu22cis_rule_5_3_3_4_4: {{ ubtu22cis_rule_5_3_3_4_4 }}
+# 5.4 User Accounts and Environment
+# 5.4.1 Configure shadow password suite parameters
+ubtu22cis_rule_5_4_1_1: {{ ubtu22cis_rule_5_4_1_1 }}
+ubtu22cis_rule_5_4_1_2: {{ ubtu22cis_rule_5_4_1_2 }}
+ubtu22cis_rule_5_4_1_3: {{ ubtu22cis_rule_5_4_1_3 }}
+ubtu22cis_rule_5_4_1_4: {{ ubtu22cis_rule_5_4_1_4 }}
+ubtu22cis_rule_5_4_1_5: {{ ubtu22cis_rule_5_4_1_5 }}
+ubtu22cis_rule_5_4_1_6: {{ ubtu22cis_rule_5_4_1_6 }}
+# 5.4.2 Configure root and system accounts and environment
+ubtu22cis_rule_5_4_2_1: {{ ubtu22cis_rule_5_4_2_1 }}
+ubtu22cis_rule_5_4_2_2: {{ ubtu22cis_rule_5_4_2_2 }}
+ubtu22cis_rule_5_4_2_3: {{ ubtu22cis_rule_5_4_2_3 }}
+ubtu22cis_rule_5_4_2_4: {{ ubtu22cis_rule_5_4_2_4 }}
+ubtu22cis_rule_5_4_2_5: {{ ubtu22cis_rule_5_4_2_5 }}
+ubtu22cis_rule_5_4_2_6: {{ ubtu22cis_rule_5_4_2_6 }}
+ubtu22cis_rule_5_4_2_7: {{ ubtu22cis_rule_5_4_2_7 }}
+ubtu22cis_rule_5_4_2_8: {{ ubtu22cis_rule_5_4_2_8 }}
+# 5.4.2 Configure user default environment
+ubtu22cis_rule_5_4_3_1: {{ ubtu22cis_rule_5_4_3_1 }}
+ubtu22cis_rule_5_4_3_2: {{ ubtu22cis_rule_5_4_3_2 }}
+ubtu22cis_rule_5_4_3_3: {{ ubtu22cis_rule_5_4_3_3 }}
+
+## Section 6
+# 6.1 Configure Filesystem Integrity Checking
 ubtu22cis_rule_6_1_1: {{ ubtu22cis_rule_6_1_1 }}
 ubtu22cis_rule_6_1_2: {{ ubtu22cis_rule_6_1_2 }}
 ubtu22cis_rule_6_1_3: {{ ubtu22cis_rule_6_1_3 }}
-ubtu22cis_rule_6_1_4: {{ ubtu22cis_rule_6_1_4 }}
-ubtu22cis_rule_6_1_5: {{ ubtu22cis_rule_6_1_5 }}
-ubtu22cis_rule_6_1_6: {{ ubtu22cis_rule_6_1_6 }}
-ubtu22cis_rule_6_1_7: {{ ubtu22cis_rule_6_1_7 }}
-ubtu22cis_rule_6_1_8: {{ ubtu22cis_rule_6_1_8 }}
-ubtu22cis_rule_6_1_9: {{ ubtu22cis_rule_6_1_9 }}
-ubtu22cis_rule_6_1_10: {{ ubtu22cis_rule_6_1_10 }}
-ubtu22cis_rule_6_1_11: {{ ubtu22cis_rule_6_1_11 }}
-ubtu22cis_rule_6_1_12: {{ ubtu22cis_rule_6_1_12 }}
-ubtu22cis_rule_6_1_13: {{ ubtu22cis_rule_6_1_13 }}
-ubtu22cis_rule_6_2_1: {{ ubtu22cis_rule_6_2_1 }}
-ubtu22cis_rule_6_2_2: {{ ubtu22cis_rule_6_2_2 }}
-ubtu22cis_rule_6_2_3: {{ ubtu22cis_rule_6_2_3 }}
-ubtu22cis_rule_6_2_4: {{ ubtu22cis_rule_6_2_4 }}
-ubtu22cis_rule_6_2_5: {{ ubtu22cis_rule_6_2_5 }}
-ubtu22cis_rule_6_2_6: {{ ubtu22cis_rule_6_2_6 }}
-ubtu22cis_rule_6_2_7: {{ ubtu22cis_rule_6_2_7 }}
-ubtu22cis_rule_6_2_8: {{ ubtu22cis_rule_6_2_8 }}
-ubtu22cis_rule_6_2_9: {{ ubtu22cis_rule_6_2_9 }}
-ubtu22cis_rule_6_2_10: {{ ubtu22cis_rule_6_2_10 }}
-ubtu22cis_rule_6_2_11: {{ ubtu22cis_rule_6_2_11 }}
-ubtu22cis_rule_6_2_12: {{ ubtu22cis_rule_6_2_12 }}
-ubtu22cis_rule_6_2_13: {{ ubtu22cis_rule_6_2_13 }}
-ubtu22cis_rule_6_2_14: {{ ubtu22cis_rule_6_2_14 }}
-ubtu22cis_rule_6_2_15: {{ ubtu22cis_rule_6_2_15 }}
-ubtu22cis_rule_6_2_16: {{ ubtu22cis_rule_6_2_16 }}
-ubtu22cis_rule_6_2_17: {{ ubtu22cis_rule_6_2_17 }}
+# 6.2.1.1 Configure systemd-journald service
+ubtu22cis_rule_6_2_1_1_1: {{ ubtu22cis_rule_6_2_1_1_1 }}
+ubtu22cis_rule_6_2_1_1_2: {{ ubtu22cis_rule_6_2_1_1_2 }}
+ubtu22cis_rule_6_2_1_1_3: {{ ubtu22cis_rule_6_2_1_1_3 }}
+ubtu22cis_rule_6_2_1_1_4: {{ ubtu22cis_rule_6_2_1_1_4 }}
+ubtu22cis_rule_6_2_1_1_5: {{ ubtu22cis_rule_6_2_1_1_5 }}
+ubtu22cis_rule_6_2_1_1_6: {{ ubtu22cis_rule_6_2_1_1_6 }}
+# 6.2.1.2 Configure systemd-journald service
+ubtu22cis_rule_6_2_1_2_1: {{ ubtu22cis_rule_6_2_1_2_1 }}
+ubtu22cis_rule_6_2_1_2_2: {{ ubtu22cis_rule_6_2_1_2_2 }}
+ubtu22cis_rule_6_2_1_2_3: {{ ubtu22cis_rule_6_2_1_2_3 }}
+ubtu22cis_rule_6_2_1_2_4: {{ ubtu22cis_rule_6_2_1_2_4 }}
+# 6.2.2 Configure Logfiles
+ubtu22cis_rule_6_2_2_1: {{ ubtu22cis_rule_6_2_2_1 }}
+# 6.3.1 Configure auditd Service
+ubtu22cis_rule_6_3_1_1: {{ ubtu22cis_rule_6_3_1_1 }}
+ubtu22cis_rule_6_3_1_2: {{ ubtu22cis_rule_6_3_1_2 }}
+ubtu22cis_rule_6_3_1_3: {{ ubtu22cis_rule_6_3_1_3 }}
+ubtu22cis_rule_6_3_1_4: {{ ubtu22cis_rule_6_3_1_4 }}
+# 6.3.2 Configure data retention
+ubtu22cis_rule_6_3_2_1: {{ ubtu22cis_rule_6_3_2_1 }}
+ubtu22cis_rule_6_3_2_2: {{ ubtu22cis_rule_6_3_2_2 }}
+ubtu22cis_rule_6_3_2_3: {{ ubtu22cis_rule_6_3_2_3 }}
+ubtu22cis_rule_6_3_2_4: {{ ubtu22cis_rule_6_3_2_4 }}
+# 6.3.3 Configure auditd
rules
+ubtu22cis_rule_6_3_3_1: {{ ubtu22cis_rule_6_3_3_1 }}
+ubtu22cis_rule_6_3_3_2: {{ ubtu22cis_rule_6_3_3_2 }}
+ubtu22cis_rule_6_3_3_3: {{ ubtu22cis_rule_6_3_3_3 }}
+ubtu22cis_rule_6_3_3_4: {{ ubtu22cis_rule_6_3_3_4 }}
+ubtu22cis_rule_6_3_3_5: {{ ubtu22cis_rule_6_3_3_5 }}
+ubtu22cis_rule_6_3_3_6: {{ ubtu22cis_rule_6_3_3_6 }}
+ubtu22cis_rule_6_3_3_7: {{ ubtu22cis_rule_6_3_3_7 }}
+ubtu22cis_rule_6_3_3_8: {{ ubtu22cis_rule_6_3_3_8 }}
+ubtu22cis_rule_6_3_3_9: {{ ubtu22cis_rule_6_3_3_9 }}
+ubtu22cis_rule_6_3_3_10: {{ ubtu22cis_rule_6_3_3_10 }}
+ubtu22cis_rule_6_3_3_11: {{ ubtu22cis_rule_6_3_3_11 }}
+ubtu22cis_rule_6_3_3_12: {{ ubtu22cis_rule_6_3_3_12 }}
+ubtu22cis_rule_6_3_3_13: {{ ubtu22cis_rule_6_3_3_13 }}
+ubtu22cis_rule_6_3_3_14: {{ ubtu22cis_rule_6_3_3_14 }}
+ubtu22cis_rule_6_3_3_15: {{ ubtu22cis_rule_6_3_3_15 }}
+ubtu22cis_rule_6_3_3_16: {{ ubtu22cis_rule_6_3_3_16 }}
+ubtu22cis_rule_6_3_3_17: {{ ubtu22cis_rule_6_3_3_17 }}
+ubtu22cis_rule_6_3_3_18: {{ ubtu22cis_rule_6_3_3_18 }}
+ubtu22cis_rule_6_3_3_19: {{ ubtu22cis_rule_6_3_3_19 }}
+ubtu22cis_rule_6_3_3_20: {{ ubtu22cis_rule_6_3_3_20 }}
+ubtu22cis_rule_6_3_3_21: {{ ubtu22cis_rule_6_3_3_21 }}
+# 6.3.4 Configure audit file access
+ubtu22cis_rule_6_3_4_1: {{ ubtu22cis_rule_6_3_4_1 }}
+ubtu22cis_rule_6_3_4_2: {{ ubtu22cis_rule_6_3_4_2 }}
+ubtu22cis_rule_6_3_4_3: {{ ubtu22cis_rule_6_3_4_3 }}
+ubtu22cis_rule_6_3_4_4: {{ ubtu22cis_rule_6_3_4_4 }}
+ubtu22cis_rule_6_3_4_5: {{ ubtu22cis_rule_6_3_4_5 }}
+ubtu22cis_rule_6_3_4_6: {{ ubtu22cis_rule_6_3_4_6 }}
+ubtu22cis_rule_6_3_4_7: {{ ubtu22cis_rule_6_3_4_7 }}
+ubtu22cis_rule_6_3_4_8: {{ ubtu22cis_rule_6_3_4_8 }}
+ubtu22cis_rule_6_3_4_9: {{ ubtu22cis_rule_6_3_4_9 }}
+ubtu22cis_rule_6_3_4_10: {{ ubtu22cis_rule_6_3_4_10 }}
+
+## Section 7
+# 7.1 System File Permissions
+ubtu22cis_rule_7_1_1: {{ ubtu22cis_rule_7_1_1 }}
+ubtu22cis_rule_7_1_2: {{ ubtu22cis_rule_7_1_2 }}
+ubtu22cis_rule_7_1_3: {{ ubtu22cis_rule_7_1_3 }}
+ubtu22cis_rule_7_1_4: {{ ubtu22cis_rule_7_1_4 }}
+ubtu22cis_rule_7_1_5: {{ ubtu22cis_rule_7_1_5 }}
+ubtu22cis_rule_7_1_6: {{ ubtu22cis_rule_7_1_6 }}
+ubtu22cis_rule_7_1_7: {{ ubtu22cis_rule_7_1_7 }}
+ubtu22cis_rule_7_1_8: {{ ubtu22cis_rule_7_1_8 }}
+ubtu22cis_rule_7_1_9: {{ ubtu22cis_rule_7_1_9 }}
+ubtu22cis_rule_7_1_10: {{ ubtu22cis_rule_7_1_10 }}
+ubtu22cis_rule_7_1_11: {{ ubtu22cis_rule_7_1_11 }}
+ubtu22cis_rule_7_1_12: {{ ubtu22cis_rule_7_1_12 }}
+ubtu22cis_rule_7_1_13: {{ ubtu22cis_rule_7_1_13 }}
+# 7.2 Local User and Group Settings
+ubtu22cis_rule_7_2_1: {{ ubtu22cis_rule_7_2_1 }}
+ubtu22cis_rule_7_2_2: {{ ubtu22cis_rule_7_2_2 }}
+ubtu22cis_rule_7_2_3: {{ ubtu22cis_rule_7_2_3 }}
+ubtu22cis_rule_7_2_4: {{ ubtu22cis_rule_7_2_4 }}
+ubtu22cis_rule_7_2_5: {{ ubtu22cis_rule_7_2_5 }}
+ubtu22cis_rule_7_2_6: {{ ubtu22cis_rule_7_2_6 }}
+ubtu22cis_rule_7_2_7: {{ ubtu22cis_rule_7_2_7 }}
+ubtu22cis_rule_7_2_8: {{ ubtu22cis_rule_7_2_8 }}
+ubtu22cis_rule_7_2_9: {{ ubtu22cis_rule_7_2_9 }}
+ubtu22cis_rule_7_2_10: {{ ubtu22cis_rule_7_2_10 }}
+
+
+## System functionality configuration variables
+##
+## There are certain functionalities of a system
+## that may require either to skip certain CIS rules
+## or install certain packages.
+## Set the respective variable to `true` in order to
+## enable a certain functionality on the system
+
+# This variable governs whether specific CIS rules
+# concerned with acceptance and routing of packages
+# are skipped.
+ubtu22cis_is_router: {{ ubtu22cis_is_router }}
-# AIDE
-ubtu22cis_config_aide: {{ ubtu22cis_config_aide }}
+## IPv4 requirement toggle
+# This variable governs whether ipv4 is enabled or disabled.
+ubtu22cis_ipv4_required: {{ ubtu22cis_ipv4_required }}
-# aide setup via - cron, timer
-ubtu22cis_aide_scan: cron
-
-# AIDE cron settings
-ubtu22_aide_cron:
- cron_user: {{ ubtu22cis_aide_cron.cron_user }}
- cron_file: {{ ubtu22cis_aide_cron.cron_file }}
- aide_job: {{ ubtu22cis_aide_cron.aide_job }}
- aide_minute: {{ ubtu22cis_aide_cron.aide_minute }}
- aide_hour: {{ ubtu22cis_aide_cron.aide_hour }}
- aide_day: '{{ ubtu22cis_aide_cron.aide_day }}'
- aide_month: '{{ ubtu22cis_aide_cron.aide_month }}'
- aide_weekday: '{{ ubtu22cis_aide_cron.aide_weekday }}'
-
-# 1.1
-ubtu22cis_allow_autofs: {{ ubtu22cis_allow_autofs }}
-
-# 1.4
-ubtu22cis_grub_user_file: {{ ubtu22cis_grub_user_file }}
-ubtu22cis_grub_username: {{ ubtu22cis_grub_user }}
-ubtu22cis_grub_hash: {{ ubtu22cis_bootloader_password_hash }}
-# 1.5.1 Bootloader password
-ubtu22cis_bootloader_password: {{ ubtu22cis_bootloader_password_hash }}
-
-# 1.6 - Only have apparmor enforcing
+## IPv6 requirement toggle
+# This variable governs whether ipv6 is enabled or disabled.
+ubtu22cis_ipv6_required: {{ ubtu22cis_ipv6_required }}
+
+## Desktop requirement toggle
+# This variable governs, whether CIS rules regarding GDM
+# and X-Windows are carried out.
+ubtu22cis_desktop_required: {{ ubtu22cis_desktop_required }}
+
+## Section 1
+
+# If system uses squahshfs e.gf.
snap package manager set true
+ubtu22cis_squashfs_required:{% if prelim_snap_pkg_mgr.rc == 0 %} true {% else %} false{% endif %}
+
+## Controls 1.3.1.3 and 1.3.1.4 Ensure all AppArmor Profiles are in enforce (1.3.1.3/4) or complain (1.3.1.3) mode
+
+# This variable disables the implementation of rules 1.3.1.3 and 1.3.1.4
+# regarding enforcing profiles or putting them in complain mode
 ubtu22cis_apparmor_disable: {{ ubtu22cis_apparmor_disable }}
-ubtu22cis_apparmor_mode: {{ ubtu22cis_apparmor_mode }}
-ubtu22cis_apparmor_enforce_only: {{ubtu22cis_apparmor_enforce_only}}
-# Warning Banner Content (issue, issue.net, motd)
-ubtu22_warning_banner: |
- {{ ubtu22cis_warning_banner|indent(2, false) }}
-# End Banner
+## Controls 1.4.x - Boot password
+#
+# THIS VARIABLE SHOULD BE CHANGED AND INCORPORATED INTO VAULT
+# THIS VALUE IS WHAT THE ROOT PW WILL BECOME!!!!!!!!
+# HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!!
+ubtu22cis_grub_user: {{ ubtu22cis_grub_user }}
+ubtu22cis_bootloader_password_hash: {{ grub_user_pass }} # pragma: allowlist secret
+
+## Controls 1.5.x
-# If configured to stop dynamic loading of files in /etc/update-motd.d
-# optional in remediation
+## Controls 1.6.x - Warning banners
+# The controls 1.6.x set various warning banners and protect the respective files
+# by tightening the access rights.
+
+# This variable specifies the warning banner displayed to the user
+# after local login, remote login, and as motd (message of the day)
+# Noe that the banner text must not contain the below items in order to be
+# compliant with CIS: \m, \r, \s, \v or references to the OS platform
+ubtu22cis_warning_banner: |
+ Authorized uses only. All activity may be monitored and reported.
+
+# This variable governs, whether dynamic motd is disabled (as required by control 1.7.1)
 ubtu22cis_disable_dynamic_motd: {{ ubtu22cis_disable_dynamic_motd }}
+## Controls 1.7.x - Settings for GDM
+# This variable specifies the GNOME configuration database file to which configurations are written.
+# (See https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en)
+# The default database is `local`.
+ubtu22cis_dconf_db_name: local
+##
 # Section 2
-# Time sync - can be timesync or chr0ny or ntp
-ubtu22cis_time_service: {{ ubtu22cis_time_sync_tool }}
+##
+
+##
+## Service configuration variables.
+##
+## Set the respective variable to true to keep the service.
+## otherwise the service is stopped and disabled
+##
+# Service configuration
+# Options are
+# true to leave installed if exists not changes take place
+# false - this removes the package
+# mask - if a dependancy for product so cannot be removed
+# Server Services
+ubtu22cis_autofs_services: {{ ubtu22cis_autofs_services }}
+ubtu22cis_autofs_mask: {{ ubtu22cis_autofs_mask }}
+ubtu22cis_avahi_server: {{ ubtu22cis_avahi_server }}
+ubtu22cis_avahi_mask: {{ ubtu22cis_avahi_mask }}
+ubtu22cis_dhcp_server: {{ ubtu22cis_dhcp_server }}
+ubtu22cis_dhcp_mask: {{ ubtu22cis_dhcp_mask }}
+ubtu22cis_dns_server: {{ ubtu22cis_dns_server }}
+ubtu22cis_dns_mask: {{ ubtu22cis_dns_mask }}
+ubtu22cis_dnsmasq_server: {{ ubtu22cis_dnsmasq_server }}
+ubtu22cis_dnsmasq_mask: {{ ubtu22cis_dnsmasq_mask }}
+ubtu22cis_ftp_server: {{ ubtu22cis_ftp_server }}
+ubtu22cis_ftp_mask: {{ ubtu22cis_ftp_mask }}
+ubtu22cis_ldap_server: {{ ubtu22cis_ldap_server }}
+ubtu22cis_ldap_mask: {{ ubtu22cis_ldap_mask }}
+ubtu22cis_message_server: {{ ubtu22cis_message_server }} # This is for messaging dovecot and dovecot-pop3
+ubtu22cis_message_mask: {{ ubtu22cis_message_mask }}
+ubtu22cis_nfs_server: {{ ubtu22cis_nfs_server }}
+ubtu22cis_nfs_mask: {{ ubtu22cis_nfs_mask }}
+ubtu22cis_nis_server: {{ ubtu22cis_nis_server }} # set to mask if
nis client required
+ubtu22cis_nis_mask: {{ ubtu22cis_nis_mask }}
+ubtu22cis_print_server: {{ ubtu22cis_print_server }} # replaces cups
+ubtu22cis_print_mask: {{ ubtu22cis_print_mask }}
+ubtu22cis_rpc_server: {{ ubtu22cis_rpc_server }}
+ubtu22cis_rpc_mask: {{ ubtu22cis_rpc_mask }}
+ubtu22cis_rsync_server: {{ ubtu22cis_rsync_server }}
+ubtu22cis_rsync_mask: {{ ubtu22cis_rsync_mask }}
+ubtu22cis_samba_server: {{ ubtu22cis_samba_server }}
+ubtu22cis_samba_mask: {{ ubtu22cis_samba_mask }}
+ubtu22cis_snmp_server: {{ ubtu22cis_snmp_server }}
+ubtu22cis_snmp_mask: {{ ubtu22cis_snmp_mask }}
+ubtu22cis_telnet_server: {{ ubtu22cis_telnet_server }}
+ubtu22cis_telnet_mask: {{ ubtu22cis_telnet_mask }}
+ubtu22cis_tftp_server: {{ ubtu22cis_tftp_server }}
+ubtu22cis_tftp_mask: {{ ubtu22cis_tftp_mask }}
+ubtu22cis_squid_server: {{ ubtu22cis_squid_server }}
+ubtu22cis_squid_mask: {{ ubtu22cis_squid_mask }}
+ubtu22cis_apache2_server: {{ ubtu22cis_apache2_server }}
+ubtu22cis_apache2_mask: {{ ubtu22cis_apache2_mask }}
+ubtu22cis_nginx_server: {{ ubtu22cis_nginx_server }}
+ubtu22cis_nginx_mask: {{ ubtu22cis_nginx_mask }}
+ubtu22cis_xinetd_server: {{ ubtu22cis_xinetd_server }}
+ubtu22cis_xinetd_mask: {{ ubtu22cis_xinetd_mask }}
+ubtu22cis_xwindow_server: {{ ubtu22cis_xwindow_server }} # will remove mask not an option
+ubtu22cis_is_mail_server: {{ ubtu22cis_is_mail_server }}
-# Control 2.1.2.1 2.1.3.1
-# Time settings used for all versions
+# Client Services
+ubtu22cis_nis_client_required: {{ ubtu22cis_nis_client_required }} # Same package as NIS server
+ubtu22cis_rsh_client: {{ ubtu22cis_rsh_client }}
+ubtu22cis_talk_client: {{ ubtu22cis_talk_client }}
+ubtu22cis_telnet_required: {{ ubtu22cis_telnet_required }}
+ubtu22cis_ldap_clients_required: {{ ubtu22cis_ldap_clients_required }}
+ubtu22cis_ftp_client: {{ ubtu22cis_ftp_client }}
+
+## Control 2.3.1.1
+# This variable choses the tool used for time synchronization
+# The two options are `chrony`and `systemd-timesyncd`.
+ubtu22cis_time_sync_tool: {{ ubtu22cis_time_sync_tool }}
+
+## Controls 2.3.x - Configure time pools & servers for chrony and timesyncd
+# The following variable represents a list of of time server pools used
+# for configuring chrony and timesyncd.
+# Each list item contains two settings, `name` (the domain name of the pool) and synchronization `options`.
+# The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation
+# of the time synchronization mechanism you are using.
 ubtu22cis_time_pool:
 {% for pool in ubtu22cis_time_pool %}
 - name: {{ pool.name }}
 options: {{ pool.options }}
 {% endfor %}
+# The following variable represents a list of of time servers used
+# for configuring chrony and timesyncd
+# Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`.
+# The default setting for the `options` is `iburst` -- please refer to the documentation
+# of the time synchronization mechanism you are using.
 ubtu22cis_time_servers:
-{% for server in ubtu22cis_time_servers %}
-- name: {{ server.name }}
- options: {{ server.options }}
+{% for servers in ubtu22cis_time_servers %}
+- name: {{ servers.name }}
+ options: {{ servers.options }}
 {% endfor %}
-# Whether or not to run tasks related to auditing/patching the desktop environment
-ubtu22cis_gui: {{ ubtu22cis_desktop_required }}
-
-# Service configuration booleans set true to keep service
-ubtu22cis_avahi_server: {{ ubtu22cis_avahi_server }}
-ubtu22cis_cups_server: {{ ubtu22cis_cups_server }}
-ubtu22cis_nfs_server: {{ ubtu22cis_nfs_server }}
-ubtu22cis_dhcp_server: {{ ubtu22cis_dhcp_server }}
-ubtu22cis_ldap_server: {{ ubtu22cis_ldap_server }}
-ubtu22cis_dns_server: {{ ubtu22cis_dns_server }}
-ubtu22cis_vsftpd_server: {{ ubtu22cis_vsftpd_server }}
-ubtu22cis_httpd_server: {{ ubtu22cis_httpd_server }}
-ubtu22cis_is_mail_server: {{ ubtu22cis_is_mail_server }}
-ubtu22cis_dovecot_server: {{ ubtu22cis_dovecot_server }}
-ubtu22cis_samba_server: {{ ubtu22cis_smb_server }}
-ubtu22cis_squid_server: {{ ubtu22cis_squid_server }}
-ubtu22cis_snmp_server: {{ ubtu22cis_snmp_server }}
-
-# Mail Server config
-{% if ubtu22_cis_mail_transfer_agent is defined %}
-ubtu22cis_mailserver: {{ ubtu22_cis_mail_transfer_agent }}
-{% else %}
-ubtu22cis_mailserver: Not_defined
-{% endif %}
-ubtu22_exim_conf:
- - dc_eximconfig_configtype='local'
- - dc_local_interfaces='127.0.0.1 ; ::1'
- - dc_readhost=''
- - dc_relay_domains=''
- - dc_minimaldns='false'
- - dc_relay_nets=''
- - dc_smarthost=''
- - dc_use_split_config='false'
- - dc_hide_mailname=''
- - dc_mailname_in_oh='true'
- - dc_localdelivery='mail_spool'
-
-ubtu22cis_rsyncd_server: {{ ubtu22cis_rsync_server }}
-ubtu22cis_nis_server: {{ ubtu22cis_nis_server }}
-
-ubtu22cis_xwindows_required: false
-
-# 2.2 client services
-ubtu22cis_rsh_required: {{ ubtu22cis_rsh_required }}
-ubtu22cis_talk_required: {{ ubtu22cis_talk_required }}
-ubtu22cis_telnet_required: {{ ubtu22cis_telnet_required }}
-ubtu22cis_ldap_clients_required: {{ ubtu22cis_ldap_clients_required }}
-ubtu22cis_rpc_required: {{ ubtu22cis_rpc_required }}
-
 # Section 3
-# IPv6 required
-ubtu22cis_ipv6_required: {{ ubtu22cis_ipv6_required }}
-# How to disable ipv6 either via grub or sysctl settings options: grub or sysctl
+## Control 3.1.1 - Ensure system is checked to determine if IPv6 is enabled
+# This variable governs the mechanism of how the disabling of IPV6 is carried out.
+# Its possible values are `grub` and `sysctl`.
 ubtu22cis_ipv6_disable: {{ ubtu22cis_ipv6_disable }}
-
-# System network parameters (host only OR host and router)
-ubtu22cis_is_router: {{ ubtu22cis_is_router }}
-
-ubtu22cis_firewall: {{ ubtu22cis_firewall_package }}
-
-ubtu22_default_firewall_zone: public
-ubtu22_firewall_interface:
- - ['ens224']
- - ['ens192']
-ubtu22_firewall_services:
- - ssh
- - dhcpv6-client
-
+## Control 3.1.3 - Ensure bluetooth Services are not in use
+# This control managed how the bluetooth service is managaed
+# Options are
+# true to leave installed if exists not changes take place
+# false - this removes the package
+# mask - if a dependancy for product so cannot be removed
+ubtu22cis_bluetooth_service: {{ ubtu22cis_bluetooth_service }}
+ubtu22cis_bluetooth_mask: {{ ubtu22cis_bluetooth_mask }}
+
+## Control 3.3.x - Networking configuration
+# This variable contains the path to the file in which, sysctl saves its configurations.
+# Its default value is `/etc/sysctl.conf`.
+ubtu22cis_sysctl_network_conf: {{ ubtu22cis_sysctl_network_conf }}
+
+#
 ### Section 4
+#
+## Controls 4.1.x, 4.2.x, and 4.3.x - Firewall configuration
+# This variable represents the toggle for which firewall package is used.
+# The options that have an effect on the system are `ufw` and `iptables`.
+# The option `nftables` is also possible, but will only result in a message,
+# that `nftables` has been chosen; all settings have to be carried out manually.
+# Any other value, e.g.
`none` will skip all firewall-related controls.
+ubtu22cis_firewall_package: {{ ubtu22cis_firewall_package }}
+
 ## auditd settings
 ubtu22cis_auditd:
- space_left_action: email
- action_mail_acct: root
- admin_space_left_action: {{ ubtu22cis_auditd.admin_space_left_action }}
- max_log_file_action: {{ ubtu22cis_auditd.max_log_file_action }}
+ space_left_action: {{ ubtu22cis_auditd_space_left_action }}
+ admin_space_left_action: {{ ubtu22cis_auditd_admin_space_left_action }}
+ max_log_file_action: {{ ubtu22cis_auditd_max_log_file_action }}
 auditd_backlog_limit: {{ ubtu22cis_audit_back_log_limit }}
 ## syslog
 ubtu22cis_is_syslog_server: {{ ubtu22cis_system_is_log_server }}
-ubtu22cis_syslog_service: "{{ ubtu22cis_syslog_service }}"
-ubtu22cis_remote_log_server: "{{ ubtu22cis_remote_log_server }}"
 ### Section 5
-ubtu22cis_sshd_limited: false
+
 # Note the following to understand precedence and layout
 ubtu22cis_sshd_access:
- - AllowUser
- - AllowGroup
- - DenyUser
- - DenyGroup
+ - AllowUser {{ ubtu22cis_sshd_allow_users }}
+ - AllowGroup {{ ubtu22cis_sshd_allow_groups }}
+ - DenyUser {{ ubtu22cis_sshd_deny_users }}
+ - DenyGroup {{ ubtu22cis_sshd_deny_groups }}
 ubtu22cis_ssh_strong_ciphers:
-{% for cipher in ubtu22cis_sshd.ciphers %}
- - {{ cipher }}
-{% endfor %}
+ - aes256-gcm@openssh.com
+ - aes128-gcm@openssh.com
+ - aes256-ctr
+ - aes192-ctr
+ - aes128-ctr
 ubtu22cis_ssh_weak_ciphers:
 - 3des-cbc
 - aes128-cbc
 - aes192-cbc
 - aes256-cbc
 - arcfour
+ - chacha20-poly1305@openssh.com
 - arcfour128
 - arcfour256
 - blowfish-cbc
@@ -523,14 +658,13 @@ ubtu22cis_ssh_weak_ciphers:
 - rijndael-cbc@lysator.liu.se
 ubtu22cis_ssh_strong_macs:
-{% for mac in ubtu22cis_sshd.macs %}
- - {{ mac }}
-{% endfor %}
+ - HMAC-SHA1
+ - hmac-sha2-256
+ - hmac-sha2-512
 ubtu22cis_ssh_weak_macs:
 - hmac-md5
 - hmac-md5-96
 - hmac-ripemd160
- - hmac-sha1
 - hmac-sha1-96
 - umac-64@openssh.com
 - umac-128@openssh.com
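Review bot: The new `ubtu22cis_sshd_access` entries are written as `AllowUser {{ ubtu22cis_sshd_allow_users }}`, `AllowGroup`, `DenyUser` and `DenyGroup`, but the sshd_config keywords are the plural `AllowUsers`, `AllowGroups`, `DenyUsers` and `DenyGroups`; if the audit matches these strings verbatim against the rendered sshd configuration, none of them can ever match. The `ubtu22cis_squashfs_required:` line has no space after the colon and relies on the leading space inside each `{% if %}` branch, which also leaves trailing whitespace on the `true` branch; `ubtu22cis_squashfs_required: {% if prelim_snap_pkg_mgr.rc == 0 %}true{% else %}false{% endif %}` renders a clean scalar. The comment block above `ubtu22cis_bootloader_password_hash` says the value becomes the root password, while the key name and the source variable `grub_user_pass` point to a GRUB bootloader credential, so the warning should name the secret it actually refers to. Several new section comments are mislabelled: `# Configure IPv5 iptables` over the 4.3.3.x rules, `# 5.4.2 Configure user default environment` over the 5.4.3.x rules, and `# 6.2.1.2 Configure systemd-journald service` repeating the 6.2.1.1 heading for a different rule group.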
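Review bot: `HMAC-SHA1` in the new `ubtu22cis_ssh_strong_macs` list is upper-case while every other algorithm name in these lists is lower-case; OpenSSH algorithm names are lower-case (`hmac-sha1`), so a case-sensitive comparison against `sshd -T` output or sshd_config will not match this entry. Since the same hunk removes `hmac-sha1` from `ubtu22cis_ssh_weak_macs`, the algorithm now appears in neither list under its real name. Either spell it `hmac-sha1` or drop it from the strong list, depending on which policy is intended.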
@@ -541,17 +675,21 @@ ubtu22cis_ssh_weak_macs:
 - hmac-sha1-96-etm@openssh.com
 - umac-64-etm@openssh.com
 - umac-128-etm@openssh.com
+ - hmac-sha2-512-etm@openssh.com
+ - hmac-sha2-256-etm@openssh.com
 ubtu22cis_ssh_strong_kex:
-{% for kex in ubtu22cis_sshd.kex_algorithms %}
- - {{ kex }}
-{% endfor %}
+ - ecdh-sha2-nistp256
+ - ecdh-sha2-nistp521
+ - diffie-hellman-group-exchange-sha256
+ - diffie-hellman-group14-sha256
+ - diffie-hellman-group16-sha512
+ - diffie-hellman-group18-sha512
 ubtu22cis_ssh_weak_kex:
 - diffie-hellman-group1-sha1
 - diffie-hellman-group14-sha1
 - diffie-hellman-group-exchange-sha1
-
 ubtu22cis_ssh_aliveinterval: 300
 ubtu22cis_ssh_countmax: 3
 ## PAM
@@ -561,22 +699,25 @@ ubtu22cis_pam_password:
 ubtu22cis_pam_passwd_retry: "3"
-# choose one of below
-ubtu22cis_pwhistory_so: "14"
-ubtu22cis_unix_so: false
-ubtu22cis_passwd_remember: {{ ubtu22cis_pamd_pwhistory_remember }}
-
 # logins.def password settings
 ubtu22cis_pass:
- max_days: {{ ubtu22cis_pass.max_days }}
- min_days: {{ ubtu22cis_pass.min_days }}
- warn_age: {{ ubtu22cis_pass.warn_age }}
+ max_days: {{ ubtu22cis_pass_max_days }}
+ min_days: {{ ubtu22cis_pass_min_days }}
+ warn_age: {{ ubtu22cis_pass_warn_age }}
 # set sugroup if differs from wheel
-ubtu22cis_sugroup: {{ ubtu22cis_sugroup }}
+ubtu22cis_sugroup: nosugroup
-# sugroup users list
-ubtu22_sugroup_users: "root"
 # var log location variable
 ubtu22_varlog_location: {{ ubtu22cis_sudo_logfile }}
+
+# Section 6
+
+# 6.1.2
+
+# AIDE
+ubtu22cis_config_aide: {{ ubtu22cis_config_aide }}
+
+# aide setup via - cron, timer
+ubtu22cis_aide_scan: {{ ubtu22cis_aide_scan }}
diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2
index 54c500b0..f0a0bc3e 100644
--- a/templates/audit/98_auditd_exception.rules.j2
+++ b/templates/audit/98_auditd_exception.rules.j2
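Review bot: `hmac-sha2-512-etm@openssh.com` and `hmac-sha2-256-etm@openssh.com` are added to `ubtu22cis_ssh_weak_macs`, yet they are the encrypt-then-MAC forms of the SHA-2 MACs that the previous hunk lists as strong in `ubtu22cis_ssh_strong_macs`; classifying them as weak will flag or strip the strongest MACs OpenSSH offers. They should be moved out of the weak list (and arguably into the strong one). Separately, the new `ubtu22cis_ssh_strong_kex` list contains no `curve25519-sha256` entry, so if it is used as the allow-list for `KexAlgorithms` the OpenSSH default key exchange would be excluded; worth confirming that is intended.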
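Review bot: `ubtu22cis_sugroup: nosugroup` replaces the templated `{{ ubtu22cis_sugroup }}`, so the rendered value no longer follows the role variable, while the comment directly above it (`# set sugroup if differs from wheel`) still tells the reader to set it. If the hard-coded value is deliberate the comment should say so; otherwise `ubtu22cis_sugroup: {{ ubtu22cis_sugroup }}` keeps the rendered file and the role configuration in step.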
@@ -1,4 +1,7 @@
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+## Ansible controlled file
+# Added as part of ansible-lockdown CIS baseline
+# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
+## YOUR CHANGED WILL BE LOST!
 # This file contains users whose actions are not logged by auditd
 {% if allow_auditd_uid_user_exclusions %}
diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2
index 2992d208..952a62b6 100644
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@@ -1,27 +1,28 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC YOUR CHANGED WILL BE LOST!
+# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
+## YOUR CHANGED WILL BE LOST!
 # This template will set all of the auditd configurations via a handler in the role in one task instead of individually
-{% if ubtu22cis_rule_4_1_3_1 %}
+{% if ubtu22cis_rule_6_3_3_1 %}
 -w /etc/sudoers -p wa -k scope
 -w /etc/sudoers.d/ -p wa -k scope
 {% endif %}
-{% if ubtu22cis_rule_4_1_3_2 %}
+{% if ubtu22cis_rule_6_3_3_2 %}
 -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
 -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
 {% endif %}
-{% if ubtu22cis_rule_4_1_3_3 %}
+{% if ubtu22cis_rule_6_3_3_3 %}
 -w {{ ubtu22cis_sudo_logfile }} -p wa -k sudo_log_file
 {% endif %}
-{% if ubtu22cis_rule_4_1_3_4 %}
+{% if ubtu22cis_rule_6_3_3_4 %}
 -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
 -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
 -w /etc/localtime -p wa -k time-change
 {% endif %}
-{% if ubtu22cis_rule_4_1_3_5 %}
+{% if ubtu22cis_rule_6_3_3_5 %}
 -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
 -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
 -w /etc/issue -p wa -k system-locale
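Review bot: The new header line `## YOUR CHANGED WILL BE LOST!` introduces a typo that the removed line did not have (`YOUR CHANGES WILL BE LOST!`), and the same wording is added to the header of `templates/audit/99_auditd.rules.j2` in the next hunk. Suggest `## YOUR CHANGES WILL BE LOST!` in both templates.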
@@ -29,73 +30,76 @@ -w /etc/hosts -p wa -k system-locale -w /etc/networks -p wa -k system-locale -w /etc/network/ -p wa -k system-locale +-w /etc/netplan/ -p wa -k system-locale {% endif %} -{% if ubtu22cis_rule_4_1_3_6 %} -{% if priv_procs is defined %} -{% for proc in priv_procs.stdout_lines -%} --a always,exit -F path={{ proc }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +{% if ubtu22cis_rule_6_3_3_6 %} +{% if discovered_priv_procs is defined %} +{% for proc in discovered_priv_procs.stdout_lines -%} +-a always,exit -F path={{ proc }} -F perm=x -F auid>=1000 -F auid!=unset -k privileged {% endfor %} {% endif %} {% endif %} -{% if ubtu22cis_rule_4_1_3_7 %} --a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access --a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access --a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access --a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +{% if ubtu22cis_rule_6_3_3_7 %} +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access {% endif %} -{% if ubtu22cis_rule_4_1_3_8 %} +{% if ubtu22cis_rule_6_3_3_8 %} -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity -{% endif %} -{% if 
ubtu22cis_rule_4_1_3_9 %} --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -{% endif %} -{% if ubtu22cis_rule_4_1_3_10 %} --a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts --a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts -{% endif %} -{% if ubtu22cis_rule_4_1_3_11 %} +-w /etc/nsswitch.conf -p wa -k identity +-w /etc/pam.conf -p wa -k identity +-w /etc/pam.d -p wa -k identity +{% endif %} +{% if ubtu22cis_rule_6_3_3_9 %} +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F arch=b32 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod +{% endif %} +{% if ubtu22cis_rule_6_3_3_10 %} +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k 
mounts +{% endif %} +{% if ubtu22cis_rule_6_3_3_11 %} -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session {% endif %} -{% if ubtu22cis_rule_4_1_3_12 %} +{% if ubtu22cis_rule_6_3_3_12 %} -w /var/log/lastlog -p wa -k logins -w /var/run/faillock -p wa -k logins {% endif %} -{% if ubtu22cis_rule_4_1_3_13 %} --a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k delete --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k delete +{% if ubtu22cis_rule_6_3_3_13 %} +-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete {% endif %} -{% if ubtu22cis_rule_4_1_3_14 %} +{% if ubtu22cis_rule_6_3_3_14 %} -w /etc/apparmor/ -p wa -k MAC-policy -w /etc/apparmor.d/ -p wa -k MAC-policy {% endif %} -{% if ubtu22cis_rule_4_1_3_15 %} --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng +{% if ubtu22cis_rule_6_3_3_15 %} +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng {% endif %} -{% if ubtu22cis_rule_4_1_3_16 %} --a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng +{% if ubtu22cis_rule_6_3_3_16 %} +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng {% endif %} -{% if ubtu22cis_rule_4_1_3_17 %} --a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd +{% if ubtu22cis_rule_6_3_3_17 %} +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng {% endif %} -{% if ubtu22cis_rule_4_1_3_18 %} --a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k usermod +{% if ubtu22cis_rule_6_3_3_18 %} +-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -k 
usermod {% endif %} -{% if ubtu22cis_rule_4_1_3_19 %} --a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules --a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules --a always,exit -F arch=b32 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules +{% if ubtu22cis_rule_6_3_3_19 %} +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -k kernel_modules +-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=-1 -k kernel_modules {% endif %} -{% if ubtu22cis_rule_4_1_3_20 %} +{% if ubtu22cis_rule_6_3_3_20 %} -e 2 {% endif %} diff --git a/templates/etc/chrony/sources.d/pool.sources.j2 b/templates/etc/chrony/sources.d/pool.sources.j2 index 3579658c..6d8cca72 100644 --- a/templates/etc/chrony/sources.d/pool.sources.j2 +++ b/templates/etc/chrony/sources.d/pool.sources.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown {% for pool in ubtu22cis_time_pool %} pool {{ pool.name }} {{ pool.options }} diff --git a/templates/etc/chrony/sources.d/server.sources.j2 b/templates/etc/chrony/sources.d/server.sources.j2 index 8c3abe68..91a2a5d5 100644 --- a/templates/etc/chrony/sources.d/server.sources.j2 +++ b/templates/etc/chrony/sources.d/server.sources.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown {% for server in ubtu22cis_time_servers %} server {{ server.name }} {{ server.options }} diff --git a/templates/etc/dconf/db/00-automount_lock.j2 b/templates/etc/dconf/db/00-automount_lock.j2 index 3534474f..67a080ca 100644 
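Review bot: The new lines for rules 6_3_3_15 through 6_3_3_19 (`chcon`, `setfacl`, `chacl`, `usermod`, `kmod`) use `-F auid!=-1`, while every other rule rewritten in this hunk switches to `-F auid!=unset`; auditctl accepts both spellings for the same value, but the previous version of those five lines already said `unset`, so the change makes the file express one condition two ways. I would use `-F auid!=unset` throughout so a grep or an audit script matching on the literal text does not flag half the rules. Rule 6_3_3_19 also loses its `arch=b32` line along with the obsolete `create_module,query_module` syscalls, so module loading via 32-bit syscalls is no longer audited on hosts that allow them; if that is deliberate because the benchmark does not require the b32 variant, a short comment above the rule would save the question, otherwise keep a b32 line with the reduced syscall set.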
--- a/templates/etc/dconf/db/00-automount_lock.j2 +++ b/templates/etc/dconf/db/00-automount_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of CIS -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown # Lock desktop media-handling automount setting /org/gnome/desktop/media-handling/automount diff --git a/templates/etc/dconf/db/00-autorun_lock.j2 b/templates/etc/dconf/db/00-autorun_lock.j2 index 392af742..98313302 100644 --- a/templates/etc/dconf/db/00-autorun_lock.j2 +++ b/templates/etc/dconf/db/00-autorun_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of CIS -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown # Lock desktop media-handling settings /org/gnome/desktop/media-handling/autorun-never diff --git a/templates/etc/dconf/db/00-media-automount.j2 b/templates/etc/dconf/db/00-media-automount.j2 index 227498e7..f6ebb4c5 100644 --- a/templates/etc/dconf/db/00-media-automount.j2 +++ b/templates/etc/dconf/db/00-media-automount.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of CIS -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown [org/gnome/desktop/media-handling] automount=false diff --git a/templates/etc/dconf/db/00-media-autorun.j2 b/templates/etc/dconf/db/00-media-autorun.j2 index a8c297f7..2637869a 100644 --- a/templates/etc/dconf/db/00-media-autorun.j2 +++ b/templates/etc/dconf/db/00-media-autorun.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of CIS -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown [org/gnome/desktop/media-handling] autorun-never=true diff --git a/templates/etc/dconf/db/00-screensaver.j2 b/templates/etc/dconf/db/00-screensaver.j2 index 139c429c..c73d685c 100644 --- a/templates/etc/dconf/db/00-screensaver.j2 +++ b/templates/etc/dconf/db/00-screensaver.j2 
@@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of CIS -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown # Specify the dconf path diff --git a/templates/etc/dconf/db/00-screensaver_lock.j2 b/templates/etc/dconf/db/00-screensaver_lock.j2 index 5d5869f7..c1f7e052 100644 --- a/templates/etc/dconf/db/00-screensaver_lock.j2 +++ b/templates/etc/dconf/db/00-screensaver_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of CIS -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown # Lock desktop screensaver idle-delay setting /org/gnome/desktop/session/idle-delay diff --git a/templates/etc/grub.d/00_user.j2 b/templates/etc/grub.d/00_user.j2 index 132ac33b..dcb5316e 100644 --- a/templates/etc/grub.d/00_user.j2 +++ b/templates/etc/grub.d/00_user.j2 @@ -1,6 +1,7 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown +## YOUR CHANGED WILL BE LOST! cat <