
Test merging upstream #2

Open
wants to merge 92 commits into base: master

92 commits
4f02266
Update ubuntu-18-type.yml
Kirkland-gh Nov 7, 2022
2f7efe4
Changed the name of the CIS-Oracle8.yml file to CIS-OracleLinux-8.yml…
Conundrum Jan 5, 2023
3bdc415
cleaning up before starting RHEL9 work
dsglaser Mar 30, 2023
fac5178
Merge pull request #45 from dsglaser/dev
dsglaser Mar 30, 2023
4bdc660
starting RHEL9 updates
dsglaser Mar 30, 2023
41fcf62
Changes due to handler name changes
dsglaser Apr 6, 2023
190143e
Updates to rules files due to RHEL9 CIS controls
dsglaser Apr 6, 2023
3456d06
Update for handler name change
dsglaser Apr 6, 2023
3e3b72e
new variables for RHEL9, update for linting rules
dsglaser Apr 6, 2023
54e77a3
change to include_tasks for updated ansible
dsglaser Apr 6, 2023
2840382
changed handler lines due to name change
dsglaser Apr 10, 2023
2be51d5
new variables for RHEL 9
dsglaser Apr 10, 2023
e35a959
Removed reboot timeout
dsglaser Apr 10, 2023
8266d16
Updated Notify service names
dsglaser Apr 10, 2023
8f1e00e
New RHEL9 commit file - testing
dsglaser Apr 10, 2023
16018d9
fixed network settings issue
dsglaser Apr 10, 2023
9f3e580
updated for linter
dsglaser Apr 10, 2023
62b0c21
Syncing with RHEL 8 as needed
dsglaser Apr 11, 2023
9b7ae00
started to rework to v2.0.0
dsglaser Apr 11, 2023
d0e2269
Added new variables for RHEL9 and RHEL8
dsglaser Apr 13, 2023
808dae4
New rules file for RHEL 8/9
dsglaser Apr 13, 2023
87a93f3
New RHEL 9 v1.0 and RHEL8 v2.0 controls
dsglaser Apr 13, 2023
cea599c
Updates for RHEL9 rules
dsglaser Apr 17, 2023
8e4a98a
Added RHEL9 rules
dsglaser Apr 17, 2023
169ef25
Added new versions
dsglaser Apr 17, 2023
d325e11
Merge pull request #46 from dsglaser/dev
dsglaser Apr 17, 2023
f51be61
Ran README.md through a linter
dsglaser Apr 17, 2023
36b5f6d
Ran file through linter
dsglaser Apr 17, 2023
b87599c
Merge pull request #43 from Conundrum/Oracle8
dsglaser Apr 17, 2023
72d95bb
Merge pull request #41 from Kirkland-gh/patch-1
dsglaser Apr 17, 2023
a260594
Update duplicate_groups.sh
Pierre-Gronau-ndaal Apr 25, 2023
1876f86
Update duplicate_guids.sh
Pierre-Gronau-ndaal Apr 25, 2023
6465e24
Update duplicate_uids.sh
Pierre-Gronau-ndaal Apr 25, 2023
e537c5a
Update duplicate_users.sh
Pierre-Gronau-ndaal Apr 25, 2023
74542e0
Update non_existant_homedirs.sh
Pierre-Gronau-ndaal Apr 25, 2023
461add5
Update path_check.sh
Pierre-Gronau-ndaal Apr 25, 2023
64e978e
Update undefined_groups.sh
Pierre-Gronau-ndaal Apr 25, 2023
e30ead3
Update README.md
dsglaser Apr 27, 2023
51173a7
Update README.md
dsglaser Apr 27, 2023
afde2f1
Updated with ubuntu 22, added a RHEL9 control.
dsglaser May 2, 2023
a74ac4f
do a daemon-reload on restarting aide
dsglaser May 2, 2023
ff83767
added 6.2.3 control, formatting and cleanup
dsglaser May 2, 2023
3ae1fd7
Updated to handle ubuntu 22.04+
dsglaser May 2, 2023
f778a83
updated with Ubuntu 22.04+ variables
dsglaser May 2, 2023
d375a30
added a standard rsyslog.conf config file
dsglaser May 2, 2023
86b1743
Initial controls for Ubuntu 22.04!
dsglaser May 2, 2023
ab7f2c9
Initial 22.04 controls
dsglaser May 2, 2023
24d6a72
minor formatting changes
dsglaser May 2, 2023
84cd29a
Merge pull request #54 from dsglaser/dev
dsglaser May 2, 2023
e0a2b7c
Merge pull request #53 from Pierre-Gronau-ndaal/patch-7
dsglaser May 2, 2023
32a3e6e
Merge pull request #52 from Pierre-Gronau-ndaal/patch-6
dsglaser May 2, 2023
becefa6
Merge pull request #51 from Pierre-Gronau-ndaal/patch-5
dsglaser May 2, 2023
6d7e716
Merge pull request #50 from Pierre-Gronau-ndaal/patch-4
dsglaser May 2, 2023
bb2526d
Merge pull request #49 from Pierre-Gronau-ndaal/patch-3
dsglaser May 2, 2023
72084f3
Merge pull request #48 from Pierre-Gronau-ndaal/patch-2
dsglaser May 2, 2023
2013ddc
Merge pull request #47 from Pierre-Gronau-ndaal/patch-1
dsglaser May 2, 2023
3a80c57
comment fix for Ubuntu 22.04 in Readme
dsglaser May 2, 2023
a46832a
fixed metadata for Ubuntu 22.04
dsglaser May 2, 2023
83bd47f
upped galaxy version number
dsglaser May 2, 2023
b16ecaa
Merge pull request #55 from dsglaser/dev
dsglaser May 2, 2023
749d3c1
fixed unused filesystems issue.
dsglaser May 10, 2023
e5e2de2
updated z stream number
dsglaser May 10, 2023
bdfefb0
Merge pull request #57 from dsglaser/dev
dsglaser May 10, 2023
ace826f
updated /bin/true tests to /bin/false per controls
dsglaser May 12, 2023
334943e
change dconf dir from local to distro
dsglaser May 12, 2023
561f4b0
Merge pull request #63 from dsglaser/dev
dsglaser May 12, 2023
4cbf19a
handling machines with disabled Linux
dsglaser May 12, 2023
7981509
bump release number
dsglaser May 12, 2023
4840687
Merge pull request #65 from dsglaser/dev
dsglaser May 12, 2023
d90b751
updates to handle mount_options correctly
dsglaser May 12, 2023
0a8bdd5
fixes for rhel8 passalgo and 5.6.5
dsglaser May 12, 2023
2806ec9
Merge pull request #68 from dsglaser/dev
dsglaser May 12, 2023
46fa906
fixed restart auditd service handler
dsglaser May 12, 2023
1dca8ed
Merge pull request #69 from dsglaser/dev
dsglaser May 12, 2023
7012b49
Fix control 3.3.2
dsglaser May 15, 2023
594153d
Merge pull request #71 from dsglaser/dev
dsglaser May 15, 2023
9505b4e
added blacklist to unused filesystems per v2.0.0
dsglaser May 16, 2023
efcb155
Merge pull request #74 from dsglaser/dev
dsglaser May 16, 2023
51aa977
minor fixes and typo fixes
dsglaser May 16, 2023
9d8329c
Remove spaces from issue file to meet CIS remediation
mogamal1 May 18, 2023
84b8d3e
Update banner
mogamal1 May 18, 2023
6115b24
Merge pull request #75 from mogamal1/patch-1
dsglaser Jun 8, 2023
176ff15
updated with lint fixes
dsglaser Jun 28, 2023
763e009
updates for jinja rules
dsglaser Jun 28, 2023
ced796b
Update controls_list_win.md
devops-nick Aug 23, 2023
13213a1
Merge pull request #81 from devops-nick/dev
dsglaser Sep 28, 2023
99ecc11
Merge branch 'dev' of github.com:dsglaser/cis-security into dev
dsglaser Sep 28, 2023
13c3cab
Finished the error in Issue #80
dsglaser Sep 28, 2023
7a78024
formatting fixes per Issue #72
dsglaser Sep 28, 2023
bda8054
fixed symlink location per Issue #78
dsglaser Sep 28, 2023
a1ebd90
for some reason I need to push them again?
dsglaser Sep 28, 2023
d7609c1
Merge pull request #82 from dsglaser/dev
dsglaser Sep 28, 2023
46 changes: 30 additions & 16 deletions README.md
@@ -1,8 +1,8 @@
# cis_security

A role to implement Center for Internet Security (CIS) controls for RHEL (7-8) and RHEL clones (Oracle, CentOS), recent Fedora (31-32), SLES 15, and Ubuntu 18.04 / 20.04 LTS and certain Windows servers.
A role to implement Center for Internet Security (CIS) controls for RHEL (7-9) and RHEL clones (Oracle, CentOS), recent Fedora (31-32), SLES 15, and Ubuntu \[18-22\].04 LTS and certain Windows servers.

### Introduction
## Introduction

The [Center for Internet Security](https://www.cisecurity.org/) provides a set of
security benchmarks for operating systems designed to decrease the vulnerability vectors of a system.
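Review bot: the escaped range `\[18-22\].04 LTS` in the new description line renders as a literal "[18-22].04" and reads like a regex rather than a list of supported releases; spell it out as `18.04 / 20.04 / 22.04 LTS`, matching the Benchmark Versions table further down, which lists those three releases individually. The `###` to `##` heading change is consistent with the rest of the file.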
@@ -20,7 +20,8 @@ Benchmark Versions:
| Operating System | OS Benchmark version |
| -----------------|--------------------- |
| RHEL 7 | v2.2.0 |
| RHEL 8 | v1.0.1 |
| RHEL 8 | v2.0.1 |
| RHEL 9 | V1.0.0 |
| CentOS 7 | v2.2.0 |
| CentOS 8 | v1.0.0 |
| Fedora 31 | \(Fedora 28\) v1.1.0 |
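Review bot: the new `| RHEL 9 | V1.0.0 |` row uses a capital `V` while every other row uses lowercase `v`; change it to `v1.0.0`. Also, RHEL 8 is bumped to v2.0.1 in this hunk but CentOS 8 stays at v1.0.0; if CentOS 8 is driven by the RHEL 8 task file, either bump it to match or list the older benchmark in parentheses the way the table already does for Fedora and Ubuntu 20.04.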
@@ -30,21 +31,25 @@ Benchmark Versions:
| SUSE Linux Enterprise 15 SP1 | \(SUSE Linux Enterprise 12\) v2.1.0 |
| Ubuntu 18.04 LTS | v2.0.1 |
| Ubuntu 20.04 LTS | \(Ubuntu 18.04 LTS\) v2.0.1 |
| Ubuntu 22.04 LTS | v1.0.0 |
| Windows Server 2019 | v1.8.1 |
| Windows 10 | \(Windows Server 2019\) v1.8.1 |

- Some distributions use older CIS benchmarks that were the most recent at the time of creation. Efforts have
been made to update the controls to work with the newer operating systems. Older versions of the benchmarks are listed in parenthesis.
- SUSE Linux Enterprise 15 SP1 uses the RHEL 7 task file since their controls are so similar. If you want to exclude a SUSE tag, make sure you use the associated RHEL 7 tag number if they are different. Tags can be found in the appropriate controls_list file found in the docs directory.

### Requirements
## Requirements

To implement the collection correctly, you will require the following

Control machine:
- Ansible 2.9+

- Ansible 2.11+
- Machine connected to a package repository source (Satellite or yum repo)

Target machine:

- SSH connection with prviiledge escalation on Linux machines.
- Python interpreter
- WinRM connection with user with admin priviledge for Windows. Alternatively you can use an SSH connection.
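Review bot: the bullet "Machine connected to a package repository source (Satellite or yum repo)" now sits under "Control machine:", but the paragraph right after this hunk says the package repo is needed to install packages on the target machine; move that bullet under "Target machine:". With the floor raised to Ansible 2.11+, the unchanged sentence "Some of the Ansible modules that are used require Ansible 2.7 and newer" (visible as the next hunk's header context) is stale and should be dropped or updated. Two spelling fixes in the unchanged context while here: "prviiledge" and "priviledge" should both read "privilege".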
@@ -55,30 +60,34 @@ Some of the Ansible modules that are used require Ansible 2.7 and newer.
For most of the collection to work, you will need to have a package repo where you can install packages for
the target machine. Registering with Satellite, a package repository, SCM, or a local package collection is recommended before using this, unless you exclude any tags that install packages.

### Use and Care
## Use and Care

The collection is designed to run on the machines in the chart above. It may run on other Red Hat and Ubuntu deriviatives, but it has not been tested on them. Upon initiation, the collection will automatically detect the OS and run the appropriate task list.

As the role runs, you will see an output listing the control number and a brief description of the
task being performed (or skipped):

```
```bash
TASK [security-rollup : 1.7.1.3 - Set SELinux policy to targeted] ******************************
ok: [192.168.122.252]
```

The controls are implemented as Ansible tags. By default all tags are run on a given system. To
disable a tag from running, run the playbook with the tag excluded (--skip-tags "x.y.z"):

```
```bash
ansible-playbook -i <inventory> <playbook.yml> --skip-tags "x.y.z"
```

Multiple tags can be listed, separated by commas:
```

```bash
ansible-playbook -i <inventory> <playbook.yml> --skip-tags "x.y.z,a.b.c"
```

Note: Some automation tasks handle multiple controls. In the role you may see something like this:

```
```yaml
- name: 6.1.[2,4] - Ensure permissions on /etc/passwd /etc/group
file:
path: /etc/{{item}}
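Review bot: the first fence in this hunk wraps ansible-playbook output (`TASK [security-rollup : 1.7.1.3 ...]` / `ok: [192.168.122.252]`), not shell input, so the new `bash` tag is misleading; tag it `text` (or `console`) instead. The `bash` tags on the two `ansible-playbook ... --skip-tags` fences and the `yaml` tag on the task example are right. Spelling in unchanged context: "deriviatives" should read "derivatives".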
@@ -92,12 +101,14 @@ Note: Some automation tasks handle multiple controls. In the role you may see so
- 6.1.2
- 6.1.4
```
* In this control, two tags are being processed, '6.1.2' and '6.1.4' if you want this control to not

- In this control, two tags are being processed, '6.1.2' and '6.1.4' if you want this control to not
run, you must exclude both tags:

```
```bash
ansible-playbook -i <inventory> <playbook.yml> --skip-tags "6.1.2,6.1.4"
```

Some controls are surrouned by Ansible blocks that themselves have tags. Excluding the tag that applies
to the block will exclude all of the tasks inside of the block. If the block's tag is **not** excluded,
then individual tasks inside of the block can be excluded by excluding their tags.
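Review bot: the reworded bullet is still a run-on: "two tags are being processed, '6.1.2' and '6.1.4' if you want this control to not run" needs a full stop or semicolon after '6.1.4' (and "to not run" reads better as "not to run"). Switching the bullet marker from `*` to `-` matches the other lists in the file. Spelling in unchanged context: "surrouned" should read "surrounded".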
@@ -110,18 +121,20 @@ tasks, or set values. These are explained and given default values in the **role
file. Do not set these values in that file, but create and include your own variable file to override the
defaults or set them as host variables.

### Idempotency
## Idempotency

Every effort has been made to make the controls idempotent, however some Ansible modules do not have the ability
to measure every need as currently written and shell or command has been utilized to implement controls. This
has the effect of bringing down the quality score on Ansible Galaxy, but the roles can be run multiple times
without fear of breaking.

### Learning Tool
## Learning Tool

A secondary purpose of this collection is to show numerous ways that Ansible can be used to
manage systems with various modules. The first time a module is used it is commented on many times
to explain what the module is doing. Other times you may see something like the following:

```
```yaml
- name: 5.4.4 - Ensure umask is set
replace:
path: "{{ item }}"
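Review bot: the Idempotency paragraph is untouched here, but it only promises that repeated runs "will not break", not that the `shell`/`command` tasks report `changed` accurately, which is what matters when the role is rerun to produce a compliance report. If those tasks set `changed_when` or `creates`, say so in this paragraph; if they do not, that is the more useful caveat to add. The `###` to `##` heading changes and the `yaml` fence tag are consistent with the earlier hunks.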
@@ -146,12 +159,13 @@ to explain what the module is doing. Other times you may see something like the
tags:
- 5.4.5
```

Both of these tasks manipulate the same file in the same way. They could have been written
with the same module, even in the same task with a loop, but here it illustrates different
ways files can be manipuldated with modules.

## Change Log

### Change Log
- 1/20/2020 - [email protected] - Initial creation
- 1/22/2020 - [email protected] - Added enhanced selinux controls
- 2/18/2020 - [email protected] - Added support for Ubuntu 18.04 LTS, added RHEL clone links
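Review bot: the change log moves to a `##` heading, but the entries visible here stop at 2/18/2020 and the rest of the list is collapsed in this view; with RHEL 9, Ubuntu 22.04 and the Ansible 2.11+ requirement added by this PR, confirm that a dated entry for those changes was appended at the end of the list. Spelling in unchanged context: "manipuldated" should read "manipulated".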