local project
iquzart committed Oct 27, 2020
0 parents commit 02016ed
Showing 16 changed files with 1,649 additions and 0 deletions.
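--- a/.travis.yml
+++ b/.travis.yml
@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+apt:
+packages:
+- python-pip
+
+install:
+# Install ansible
+- pip install ansible
+
+# Check ansible version
+- ansible --version
+
+# Create ansible.cfg with correct roles_path
+- printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+# Basic role syntax check
+- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+webhooks: https://galaxy.ansible.com/api/v1/notifications/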
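Review bot: The `pip install ansible` step in the install list is unpinned, so every CI run installs whatever ansible release is current at that moment and the syntax check is not reproducible; since meta/main.yml declares `min_ansible_version: 2.9`, pin to a range that matches, e.g. `- pip install 'ansible>=2.9,<2.10'` (or a requirements file with hashes if the project wants a locked toolchain). The build also runs on `python: "2.7"`, which is end-of-life, so the check exercises an interpreter no supported target will use. `sudo: false` is ignored by current Travis infrastructure and can be dropped. Note that `--syntax-check` never executes the role, so the OS gate in tasks/main.yml is not exercised by this pipeline.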
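--- a/README.md
+++ b/README.md
@@ -0,0 +1,39 @@
+CIS - CentOs
+=========
+
+Asible role to apply CIS Benchmark on RHEL 8 based systems (Under Development)
+
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+- hosts: servers
+roles:
+- { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).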
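--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -0,0 +1,160 @@
+---
+# defaults file for cis-centos
+
+#
+section_1: true
+section_2: true
+section_3: true
+section_4: true
+section_5: true
+section_6: true
+
+# Section 1 rules
+rule_1_1_1_1: true # Ensure mounting of cramfs filesystems is disabled
+rule_1_1_1_2: true # Ensure mounting of vFAT filesystems is disabled
+rule_1_1_1_3: true # Ensure mounting of squashfs filesystems is disabled
+rule_1_1_1_4: true # Ensure mounting of udf filesystems is disabled
+rule_1_1_2: true # Ensure separate partition exists for /tmp | enable and start/restart tmp.mount
+rule_1_1_3: true # Ensure nodev option set on /tmp partition
+rule_1_1_4: true # Ensure nosuid option set on /tmp partition
+rule_1_1_5: true # Ensure noexec option set on /tmp partition
+rule_1_1_6: true # Ensure separate partition exists for /var
+rule_1_1_7: true # Ensure separate partition exists for /var/tmp
+rule_1_1_8: true # Ensure nodev option set on /var/tmp partition
+rule_1_1_9: true # Ensure nosuid option set on /var/tmp partition
+rule_1_1_10: true # Ensure noexec option set on /var/tmp partition
+rule_1_1_11: true # Ensure separate partition exists for /var/log
+rule_1_1_12: true # Ensure separate partition exists for /var/log/audit
+rule_1_1_13: true # Ensure separate partition exists for /home
+rule_1_1_14: true # Ensure nodev option set on /home
+rule_1_1_15: true # Ensure nodev option set on /dev/shm partition
+rule_1_1_16: true # Ensure nosuid option set on /dev/shm partition
+rule_1_1_17: true # Ensure noexec option set on /dev/shm partition
+rule_1_1_18: true # Ensure nodev option set on removable media partitions
+rule_1_1_19: true # Ensure nosuid option set on removable media partitions
+rule_1_1_20: true # Ensure noexec option set on removable media partitions
+rule_1_1_21: true # Ensure sticky bit is set on all world-writable directories
+rule_1_1_22: true # Diable automounting
+rule_1_1_23: false # Disable USB Storage
+rule_1_2_1: true # Ensure Red Hat Subscription Manager connection is configured
+rule_1_2_2: true # Disable the RHNSD daemon
+rule_1_2_3: true # Ensure gpg keys are configured
+rule_1_2_4: true # Ensure gpgcheck is globally activated
+rule_1_2_5: true # Ensure package manager repositories are configured
+rule_1_3_1: true # Ensure sudo is installed
+rule_1_3_2: true # Ensure sudo commands user pty
+rule_1_3_3: true # Ensure sudo log file exists
+rule_1_4_1: true # Ensure aide is installed
+rule_1_4_2: true # Ensure filesystem integrity is regularly checked
+rule_1_5_1: true # Ensure permissions on bootloader config are configured
+rule_1_5_2: true # Ensure bootloader password is set --> not idempotent
+rule_1_5_3: true # Ensure authentication required for single user mode
+rule_1_6_1: true # Ensure core dumps are restricted
+rule_1_6_2: true # Ensure address space layout randomization (ASLR) is enabled
+rule_1_7_1_1: true # Ensure selinux is installed
+rule_1_7_1_2: true # Ensure selinux is not disabled in bootloader configuration
+rule_1_7_1_3: true # Ensure selinux policy is configured
+rule_1_7_1_4: true # Ensure the selinux state is enforcing
+rule_1_7_1_5: true # Ensure no unconfined services exist
+rule_1_7_1_6: true # Ensure SETroubleshoot is not installed
+rule_1_7_1_7: true # Ensure the MCS Translation Service (mcstrans) is not installed
+rule_1_8_1_1: true # Ensure message of the day is configured properly
+rule_1_8_1_2: true # Ensure local login warning banner is configured properly
+rule_1_8_1_3: true # Ensure remote login warning banner is configured properly
+rule_1_8_1_4: true # Ensure permissions on /etc/motd are configured
+rule_1_8_1_5: true # Ensure permissions on /etc/issue are configured
+rule_1_8_1_6: true # Ensure permissions on /etc/issue.net are configured
+rule_1_8_2: true # Ensure GDM login banner is configured
+rule_1_9: false # Ensure updates, patches, and additional security software are installed
+rule_1_10: true # Ensure system-wide crypto policy is not legacy
+rule_1_11: true # Ensure system-wide crypto policy is is FUTURE or FIPS --> not idempotent
+
+# Section 2 rules
+rule_2_1_1: true # Ensure xinetd is not installed
+rule_2_2_1_1: true # Ensure time synchronization is in use
+rule_2_2_1_2: true # Ensure chrony is configured
+rule_2_2_2: true # Ensure X Window System is not installed
+rule_2_2_3: true # Ensure rsync service is not enabled
+rule_2_2_4: true # Ensure Avahi Server is not enabled
+rule_2_2_5: true # Ensure SNMP Server is not enabled"
+rule_2_2_6: true # Ensure HTTP Proxy Server is not enabled
+rule_2_2_7: true # Ensure Samba is not enabled
+rule_2_2_8: true # Ensure IMAP and POP3 server is not enabled
+rule_2_2_9: true # Ensure HTTP server is not enabled
+rule_2_2_10: true # Ensure FTP server is not enabled
+rule_2_2_11: true # Ensure DNS Server is not enabled
+rule_2_2_12: true # Ensure NFS is not enabled
+rule_2_2_13: true # Ensure RPC is not enabled
+rule_2_2_14: true # Ensure LDAP service is not enabled
+rule_2_2_15: true # Ensure DHCP is not enabled
+rule_2_2_16: true # Ensure CUPS is not enabled
+rule_2_2_17: true # Ensure NIS Server is not enabled
+rule_2_2_18: true # Ensure mail transfer agent is configured for local-only mode
+rule_2_3_1: true # Ensure NIS Client is not installed
+rule_2_3_2: true # Ensure telnet client is not installed
+rule_2_3_3: true # Ensure LDAP client is not installed
+
+#####################################################################
+# 1.4.2 Bootloader password
+bootloader_password: random
+set_boot_pass: true
+
+# AIDE
+config_aide: true
+# AIDE cron settings
+aide_cron:
+cron_user: root
+cron_file: /etc/crontab
+aide_job: '/usr/sbin/aide --check'
+aide_minute: 0
+aide_hour: 5
+aide_day: '*'
+aide_month: '*'
+aide_weekday: '*'
+
+crypto_policy: FIPS #FUTURE
+
+# SELinux policy
+selinux_state: enforcing
+selinux_policy: targeted
+
+# Set to 'true' if X Windows is needed in your environment
+xwindows_required: false
+
+# Time Synchronization
+time_synchronization: chrony
+time_synchronization_servers:
+- 0.pool.ntp.org
+- 1.pool.ntp.org
+- 2.pool.ntp.org
+- 3.pool.ntp.org
+
+
+# Warning Banner Content (motd)
+warning_banner_motd: |
+Authorized uses only. All activity may be monitored and reported.
+# End Banner
+
+# Warning Banner Content (issue, issue.net)
+warning_banner_issue: |
+WARNING: This system is for use of authorized users only.
+Individuals using this computer system without authority, or in
+excess of their authority, are subject to having all of their
+activities on this system monitored and recorded by system personnel.
+In the course of Monitoring individuals improperly using this system,
+or in the course of system maintenance, the activity of authorized
+users may also be monitored.
+Anyone using this system expressly consents to such monitoring and is
+adviced that if such monitoring reveals possible evidence of criminal
+activity, system personnel may provide the evidence of such monitoring
+to law enforcement officials.
+# End Banner
+
+vartmp:
+source: /tmp
+fstype: none
+opts: "defaults,nodev,nosuid,noexec,bind"
+enabled: no
+
+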
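Review bot: The `bootloader_password: random` default under "1.4.2 Bootloader password" is a committed, guessable plaintext value; if the section_1 tasks (not in this commit's visible files) feed it to grub2-setpassword literally, every host hardened with defaults ends up with the same known bootloader password, which defeats rule 1.5.2. Document that it must be overridden from an encrypted source and have the role refuse to proceed otherwise, e.g. `bootloader_password: ''  # REQUIRED: set from ansible-vault; the role fails when empty`, with a matching `assert` in the section_1 tasks. The comment on that block says "1.4.2" while the rule toggles call the same control `rule_1_5_2`; align the numbering so operators can map the variable to the benchmark item. Minor style: `enabled: no` in `vartmp` should be `enabled: false` (yamllint truthy), and `crypto_policy: FIPS #FUTURE` needs two spaces and `# FUTURE` for the inline comment.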
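--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,16 @@
+---
+# handlers file for cis-centos
+
+- name: systemd restart tmp.mount
+become: yes
+systemd:
+name: tmp.mount
+daemon_reload: yes
+enabled: yes
+masked: no
+state: reloaded
+
+- name: generate new grub config
+become: yes
+command: grub2-mkconfig -o "{{ grub_cfg.stat.lnk_source }}"
+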
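Review bot: The `generate new grub config` handler dereferences `grub_cfg.stat.lnk_source`, which the `stat` module only returns when the stat'd path is a symlink; on a host where the registered path is a regular file the handler fails with an undefined variable after the triggering task has already modified the bootloader config, leaving it half-applied. `grub_cfg` is registered in a task file outside this commit's visible hunks, so confirm what path it stats; a safer form is `command: grub2-mkconfig -o "{{ grub_cfg.stat.lnk_source | default(grub_cfg.stat.path) }}"`. The first handler is named `systemd restart tmp.mount` but uses `state: reloaded`, which for a mount unit is a remount rather than a restart; rename it or change the state so the name matches what runs. Style: `become: yes`, `daemon_reload: yes`, `enabled: yes`, `masked: no` should be `true`/`false`.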
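--- a/meta/main.yml
+++ b/meta/main.yml
@@ -0,0 +1,15 @@
+galaxy_info:
+role_name: cis-centos
+author: iquzart
+description: CIS Benchmark for RHEL 8 Based Systems
+license: MIT
+min_ansible_version: 2.9
+platforms:
+- name: EL
+versions:
+- 8
+galaxy_tags:
+- docker
+- compose
+- containers
+dependencies: []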
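Review bot: `galaxy_tags` lists `docker`, `compose` and `containers`, which do not describe a CIS hardening role and look like leftovers from another role's template; Galaxy indexes on these, so users searching for hardening content will not find it. Replace them with tags that match the description, e.g. `- security`, `- cis`, `- hardening`. `license: MIT` here contradicts the `BSD` stated in README.md in the same commit; pick one. `min_ansible_version: 2.9` is parsed as a float, which is fine for 2.9 but breaks as soon as a version like 2.10 is written the same way — quote it as `min_ansible_version: "2.9"`, and start the file with `---` like the other YAML files in this commit.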
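--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+# tasks file for cis-centos
+
+- name: Check OS version and family
+fail:
+msg: "This role can only be run agaist CentOS or RHEL. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
+when:
+- not ansible_os_family == "RedHat"
+- not ansible_distribution_major_version == "8"
+tags:
+- always
+
+- name: Check ansible version
+fail:
+msg: You must use ansible 2.9 or greater!
+when: not ansible_version.full is version_compare('2.9', '>=')
+tags:
+- always
+
+- name: "Set package facts"
+package_facts:
+manager: "auto"
+
+- name: "Set service facts"
+service_facts:
+
+- include: section_1.yml
+become: true
+when: section_1
+tags:
+- section_1
+
+- include: section_2.yml
+become: true
+when: section_2
+tags:
+- section_2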
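Review bot: The `Check OS version and family` guard does not gate what its message says: the two list items under `when:` are ANDed, so the task fails only when the host is both non-RedHat and non-8, and a RHEL/CentOS 7 host (family RedHat, version 7) or any other distribution whose major version happens to be 8 sails through into hardening tasks written for EL 8. The condition should be a disjunction: `when: ansible_os_family != "RedHat" or ansible_distribution_major_version != "8"`. The message string also misspells "against". The two `include:` entries use the deprecated form; `import_tasks:` is the static equivalent and keeps the `tags` behaviour predictable, while `version_compare` is the deprecated alias of the `version` test.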