0 parents
commit 02016ed
Showing
16 changed files
with
1,649 additions
and
0 deletions.
@@ -0,0 +1,29 @@ | ||
--- | ||
language: python | ||
python: "2.7" | ||
|
||
# Use the new container infrastructure | ||
sudo: false | ||
|
||
# Install ansible | ||
addons: | ||
apt: | ||
packages: | ||
- python-pip | ||
|
||
install: | ||
# Install ansible | ||
- pip install ansible | ||
|
||
# Check ansible version | ||
- ansible --version | ||
|
||
# Create ansible.cfg with correct roles_path | ||
- printf '[defaults]\nroles_path=../' >ansible.cfg | ||
|
||
script: | ||
# Basic role syntax check | ||
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check | ||
|
||
notifications: | ||
webhooks: https://galaxy.ansible.com/api/v1/notifications/ |
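Review bot: The install step `- pip install ansible` pins nothing, so the Ansible version the syntax check runs against is whatever pip resolves for a Python 2.7 runner on the day the job executes, and that can drift away from what users of the role actually run. tasks/main.yml in this same commit refuses to run below 2.9, so the CI install should state at least that floor, e.g. `- pip install 'ansible>=2.9'`. Note also that `--syntax-check` only proves the playbook parses; it does not exercise the `when` guards or the section includes, so a broken condition in tasks/main.yml would still pass this job.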
@@ -0,0 +1,39 @@ | ||
CIS - CentOs | ||
========= | ||
|
||
Asible role to apply CIS Benchmark on RHEL 8 based systems (Under Development) | ||
|
||
|
||
Requirements | ||
------------ | ||
|
||
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. | ||
|
||
Role Variables | ||
-------------- | ||
|
||
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. | ||
|
||
Dependencies | ||
------------ | ||
|
||
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. | ||
|
||
Example Playbook | ||
---------------- | ||
|
||
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: | ||
|
||
- hosts: servers | ||
roles: | ||
- { role: username.rolename, x: 42 } | ||
|
||
License | ||
------- | ||
|
||
BSD | ||
|
||
Author Information | ||
------------------ | ||
|
||
An optional section for the role authors to include contact information, or a website (HTML is not allowed). |
@@ -0,0 +1,160 @@ | ||
--- | ||
# defaults file for cis-centos | ||
|
||
# | ||
section_1: true | ||
section_2: true | ||
section_3: true | ||
section_4: true | ||
section_5: true | ||
section_6: true | ||
|
||
# Section 1 rules | ||
rule_1_1_1_1: true # Ensure mounting of cramfs filesystems is disabled | ||
rule_1_1_1_2: true # Ensure mounting of vFAT filesystems is disabled | ||
rule_1_1_1_3: true # Ensure mounting of squashfs filesystems is disabled | ||
rule_1_1_1_4: true # Ensure mounting of udf filesystems is disabled | ||
rule_1_1_2: true # Ensure separate partition exists for /tmp | enable and start/restart tmp.mount | ||
rule_1_1_3: true # Ensure nodev option set on /tmp partition | ||
rule_1_1_4: true # Ensure nosuid option set on /tmp partition | ||
rule_1_1_5: true # Ensure noexec option set on /tmp partition | ||
rule_1_1_6: true # Ensure separate partition exists for /var | ||
rule_1_1_7: true # Ensure separate partition exists for /var/tmp | ||
rule_1_1_8: true # Ensure nodev option set on /var/tmp partition | ||
rule_1_1_9: true # Ensure nosuid option set on /var/tmp partition | ||
rule_1_1_10: true # Ensure noexec option set on /var/tmp partition | ||
rule_1_1_11: true # Ensure separate partition exists for /var/log | ||
rule_1_1_12: true # Ensure separate partition exists for /var/log/audit | ||
rule_1_1_13: true # Ensure separate partition exists for /home | ||
rule_1_1_14: true # Ensure nodev option set on /home | ||
rule_1_1_15: true # Ensure nodev option set on /dev/shm partition | ||
rule_1_1_16: true # Ensure nosuid option set on /dev/shm partition | ||
rule_1_1_17: true # Ensure noexec option set on /dev/shm partition | ||
rule_1_1_18: true # Ensure nodev option set on removable media partitions | ||
rule_1_1_19: true # Ensure nosuid option set on removable media partitions | ||
rule_1_1_20: true # Ensure noexec option set on removable media partitions | ||
rule_1_1_21: true # Ensure sticky bit is set on all world-writable directories | ||
rule_1_1_22: true # Diable automounting | ||
rule_1_1_23: false # Disable USB Storage | ||
rule_1_2_1: true # Ensure Red Hat Subscription Manager connection is configured | ||
rule_1_2_2: true # Disable the RHNSD daemon | ||
rule_1_2_3: true # Ensure gpg keys are configured | ||
rule_1_2_4: true # Ensure gpgcheck is globally activated | ||
rule_1_2_5: true # Ensure package manager repositories are configured | ||
rule_1_3_1: true # Ensure sudo is installed | ||
rule_1_3_2: true # Ensure sudo commands user pty | ||
rule_1_3_3: true # Ensure sudo log file exists | ||
rule_1_4_1: true # Ensure aide is installed | ||
rule_1_4_2: true # Ensure filesystem integrity is regularly checked | ||
rule_1_5_1: true # Ensure permissions on bootloader config are configured | ||
rule_1_5_2: true # Ensure bootloader password is set --> not idempotent | ||
rule_1_5_3: true # Ensure authentication required for single user mode | ||
rule_1_6_1: true # Ensure core dumps are restricted | ||
rule_1_6_2: true # Ensure address space layout randomization (ASLR) is enabled | ||
rule_1_7_1_1: true # Ensure selinux is installed | ||
rule_1_7_1_2: true # Ensure selinux is not disabled in bootloader configuration | ||
rule_1_7_1_3: true # Ensure selinux policy is configured | ||
rule_1_7_1_4: true # Ensure the selinux state is enforcing | ||
rule_1_7_1_5: true # Ensure no unconfined services exist | ||
rule_1_7_1_6: true # Ensure SETroubleshoot is not installed | ||
rule_1_7_1_7: true # Ensure the MCS Translation Service (mcstrans) is not installed | ||
rule_1_8_1_1: true # Ensure message of the day is configured properly | ||
rule_1_8_1_2: true # Ensure local login warning banner is configured properly | ||
rule_1_8_1_3: true # Ensure remote login warning banner is configured properly | ||
rule_1_8_1_4: true # Ensure permissions on /etc/motd are configured | ||
rule_1_8_1_5: true # Ensure permissions on /etc/issue are configured | ||
rule_1_8_1_6: true # Ensure permissions on /etc/issue.net are configured | ||
rule_1_8_2: true # Ensure GDM login banner is configured | ||
rule_1_9: false # Ensure updates, patches, and additional security software are installed | ||
rule_1_10: true # Ensure system-wide crypto policy is not legacy | ||
rule_1_11: true # Ensure system-wide crypto policy is is FUTURE or FIPS --> not idempotent | ||
|
||
# Section 2 rules | ||
rule_2_1_1: true # Ensure xinetd is not installed | ||
rule_2_2_1_1: true # Ensure time synchronization is in use | ||
rule_2_2_1_2: true # Ensure chrony is configured | ||
rule_2_2_2: true # Ensure X Window System is not installed | ||
rule_2_2_3: true # Ensure rsync service is not enabled | ||
rule_2_2_4: true # Ensure Avahi Server is not enabled | ||
rule_2_2_5: true # Ensure SNMP Server is not enabled" | ||
rule_2_2_6: true # Ensure HTTP Proxy Server is not enabled | ||
rule_2_2_7: true # Ensure Samba is not enabled | ||
rule_2_2_8: true # Ensure IMAP and POP3 server is not enabled | ||
rule_2_2_9: true # Ensure HTTP server is not enabled | ||
rule_2_2_10: true # Ensure FTP server is not enabled | ||
rule_2_2_11: true # Ensure DNS Server is not enabled | ||
rule_2_2_12: true # Ensure NFS is not enabled | ||
rule_2_2_13: true # Ensure RPC is not enabled | ||
rule_2_2_14: true # Ensure LDAP service is not enabled | ||
rule_2_2_15: true # Ensure DHCP is not enabled | ||
rule_2_2_16: true # Ensure CUPS is not enabled | ||
rule_2_2_17: true # Ensure NIS Server is not enabled | ||
rule_2_2_18: true # Ensure mail transfer agent is configured for local-only mode | ||
rule_2_3_1: true # Ensure NIS Client is not installed | ||
rule_2_3_2: true # Ensure telnet client is not installed | ||
rule_2_3_3: true # Ensure LDAP client is not installed | ||
|
||
##################################################################### | ||
# 1.4.2 Bootloader password | ||
bootloader_password: random | ||
set_boot_pass: true | ||
|
||
# AIDE | ||
config_aide: true | ||
# AIDE cron settings | ||
aide_cron: | ||
cron_user: root | ||
cron_file: /etc/crontab | ||
aide_job: '/usr/sbin/aide --check' | ||
aide_minute: 0 | ||
aide_hour: 5 | ||
aide_day: '*' | ||
aide_month: '*' | ||
aide_weekday: '*' | ||
|
||
crypto_policy: FIPS #FUTURE | ||
|
||
# SELinux policy | ||
selinux_state: enforcing | ||
selinux_policy: targeted | ||
|
||
# Set to 'true' if X Windows is needed in your environment | ||
xwindows_required: false | ||
|
||
# Time Synchronization | ||
time_synchronization: chrony | ||
time_synchronization_servers: | ||
- 0.pool.ntp.org | ||
- 1.pool.ntp.org | ||
- 2.pool.ntp.org | ||
- 3.pool.ntp.org | ||
|
||
|
||
# Warning Banner Content (motd) | ||
warning_banner_motd: | | ||
Authorized uses only. All activity may be monitored and reported. | ||
# End Banner | ||
|
||
# Warning Banner Content (issue, issue.net) | ||
warning_banner_issue: | | ||
WARNING: This system is for use of authorized users only. | ||
Individuals using this computer system without authority, or in | ||
excess of their authority, are subject to having all of their | ||
activities on this system monitored and recorded by system personnel. | ||
In the course of Monitoring individuals improperly using this system, | ||
or in the course of system maintenance, the activity of authorized | ||
users may also be monitored. | ||
Anyone using this system expressly consents to such monitoring and is | ||
adviced that if such monitoring reveals possible evidence of criminal | ||
activity, system personnel may provide the evidence of such monitoring | ||
to law enforcement officials. | ||
# End Banner | ||
|
||
vartmp: | ||
source: /tmp | ||
fstype: none | ||
opts: "defaults,nodev,nosuid,noexec,bind" | ||
enabled: no | ||
|
||
|
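Review bot: `bootloader_password: random` is undocumented and security-relevant: if the tasks treat the literal string `random` as a sentinel meaning "generate one", the comment above it should say so; if they pass it through verbatim, the role ships a guessable default GRUB password, which is worse than forcing the operator to set one. I cannot see section_1.yml in this view, so confirm which it is and document it next to the key, e.g. `# 'random' is a sentinel: the role generates a password; set an explicit value to supply your own` (only if that matches the tasks). The heading `# 1.4.2 Bootloader password` also disagrees with the toggle in the same file, which labels the bootloader password `rule_1_5_2`; align the heading with the rule number. Finally, `enabled: no` under `vartmp` is the only YAML 1.1 truthy scalar in a file that otherwise uses `true`/`false` consistently; write `enabled: false`.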
@@ -0,0 +1,16 @@ | ||
--- | ||
# handlers file for cis-centos | ||
|
||
- name: systemd restart tmp.mount | ||
become: yes | ||
systemd: | ||
name: tmp.mount | ||
daemon_reload: yes | ||
enabled: yes | ||
masked: no | ||
state: reloaded | ||
|
||
- name: generate new grub config | ||
become: yes | ||
command: grub2-mkconfig -o "{{ grub_cfg.stat.lnk_source }}" | ||
|
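Review bot: The `generate new grub config` handler dereferences `grub_cfg.stat.lnk_source`, and the stat module only returns `lnk_source` when the stat'd path is a symlink, so if the registered `grub_cfg` points at a regular file (or was never registered because the registering task was skipped) the handler aborts with an undefined-variable error rather than regenerating the config. Presumably `grub_cfg` is registered in section_1.yml, which is outside this hunk; guard the handler explicitly, e.g. `when: grub_cfg is defined and grub_cfg.stat.islnk | default(false)`, and add a comment stating which task registers it. The `yes`/`no` values on `become`, `daemon_reload`, `enabled` and `masked` are YAML 1.1 truthy scalars; the rest of the role writes `true`/`false`, so use those here as well.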
@@ -0,0 +1,15 @@ | ||
galaxy_info: | ||
role_name: cis-centos | ||
author: iquzart | ||
description: CIS Benchmark for RHEL 8 Based Systems | ||
license: MIT | ||
min_ansible_version: 2.9 | ||
platforms: | ||
- name: EL | ||
versions: | ||
- 8 | ||
galaxy_tags: | ||
- docker | ||
- compose | ||
- containers | ||
dependencies: [] |
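Review bot: `galaxy_tags` lists `docker`, `compose` and `containers`, which describe a different role than the CIS hardening role named in `description`; they look copied from a template and would mislabel the role on Galaxy, so replace them with tags that match the content (for example `cis`, `hardening`, `security`). `license: MIT` also contradicts the README in this same commit, which states BSD; pick one and make both files agree. `min_ansible_version: 2.9` is a plain float, so quote it (`min_ansible_version: "2.9"`) to keep a later bump to 2.10 from being read as 2.1.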
@@ -0,0 +1,37 @@ | ||
--- | ||
# tasks file for cis-centos | ||
|
||
- name: Check OS version and family | ||
fail: | ||
msg: "This role can only be run agaist CentOS or RHEL. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." | ||
when: | ||
- not ansible_os_family == "RedHat" | ||
- not ansible_distribution_major_version == "8" | ||
tags: | ||
- always | ||
|
||
- name: Check ansible version | ||
fail: | ||
msg: You must use ansible 2.9 or greater! | ||
when: not ansible_version.full is version_compare('2.9', '>=') | ||
tags: | ||
- always | ||
|
||
- name: "Set package facts" | ||
package_facts: | ||
manager: "auto" | ||
|
||
- name: "Set service facts" | ||
service_facts: | ||
|
||
- include: section_1.yml | ||
become: true | ||
when: section_1 | ||
tags: | ||
- section_1 | ||
|
||
- include: section_2.yml | ||
become: true | ||
when: section_2 | ||
tags: | ||
- section_2 |
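Review bot: The OS guard in `Check OS version and family` cannot fire as intended: the two entries of the `when` list are ANDed, so the task fails only when a host is both not RedHat-family and not major version 8, and a RHEL 7 or CentOS 7 host (RedHat family, version 7) passes straight through to the hardening tasks, as does any non-RedHat distribution at major version 8. Replace the list with a single disjunction, `when: ansible_os_family != "RedHat" or ansible_distribution_major_version != "8"`. Separately, `- include:` is the deprecated form; with a 2.9 minimum, `import_tasks:` is the drop-in replacement that still lets the `section_1`/`section_2` tags reach the imported tasks, which `include_tasks:` would not do without `apply`. The failure message also misspells "against".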