Merge pull request #1 from iquzart/development

Development
iquzart · Nov 17, 2020 · e9e9fb0 · e9e9fb0
2 parents 02016ed + 216429d
commit e9e9fb0
Show file tree

Hide file tree

Showing 28 changed files with 2,961 additions and 218 deletions.
diff --git a/README.md b/README.md
@@ -1,39 +1,74 @@
-CIS - CentOs
+CIS - RHEL 8 Based Systems
 =========
 
-Asible role to apply CIS Benchmark on RHEL 8 based systems (Under Development)
+Asible role to apply CIS Benchmark on RHEL 8 based systems.
 
 
 Requirements
 ------------
 
-Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+Create below partitions at the time of installation. The role will not create any of these partitions. 
+
+```
+1.1.6   | Ensure separate partition exists for /var (Scored)
+1.1.7   | Ensure separate partition exists for /var/tmp (Scored)
+1.1.11  | Ensure separate partition exists for /var/log (Scored)
+1.1.12  | Ensure separate partition exists for /var/log/audit (Scored)
+1.1.13  | Ensure separate partition exists for /home (Scored)
+
+```
+
+Support Matrix
+--------------
+
+| Destro | Status |
+| --- | --- |
+| CentOS 8 | Supported (Tested) | 
+| RHEL 8 | Supported (Tested) |
+| Oracle Linux 8 | Supported (Under Testing) |
+
 
 Role Variables
 --------------
 
-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+deafult/main.yml variables are pretty self explanatory. 
 
-Dependencies
-------------
 
-A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+Notes
+------
+
+
+The role will setup Authselect with a custom profile when you enable CIS rules 5.3.1, 5.3.2, 5.4.2, 5.4.3, 5.4.4. 
+
+The recommended approch to join the node to an Active Directory domain with 'realmd'
+
+Update realmd-distro conf (/usr/lib/realmd/realmd-distro.conf) with below.
+```
+[commands]
+sssd-enable-logins = /usr/bin/sh -c "/usr/bin/systemctl enable oddjobd.service
+&& /usr/bin/systemctl start oddjobd.service"
 
+sssd-disable-logins = /bin/true
+```
 Example Playbook
 ----------------
 
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+```
+  - name: CIS Baseline Setup
+    hosts: cis
+    remote_user: vagrant
+    become: yes
 
-    - hosts: servers
-      roles:
-         - { role: username.rolename, x: 42 }
+    roles:
+      - cis-centos
+```
 
 License
 -------
 
-BSD
+MIT
 
 Author Information
 ------------------
 
-An optional section for the role authors to include contact information, or a website (HTML is not allowed).
+Muhammed Iqbal <[email protected]>
diff --git a/defaults/main.yml b/defaults/main.yml
diff --git a/files/etc/nftables/nftables.rules b/files/etc/nftables/nftables.rules
@@ -0,0 +1,49 @@
+#!/sbin/nft -f
+
+# This nftables.rules config should be saved as /etc/nftables/nftables.rules
+
+# flush nftables rulesset
+flush ruleset
+
+# Load nftables ruleset
+
+# nftables config with inet table named filter
+
+table inet filter {
+        # Base chain for input hook named input (Filters inbound network packets)
+        chain input {
+                type filter hook input priority 0; policy drop;
+
+                # Ensure loopback traffic is configured
+                iif "lo" accept
+                ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop
+                ip6 saddr ::1 counter packets 0 bytes 0 drop
+
+                # Ensure established connections are configured
+                ip protocol tcp ct state established accept
+                ip protocol udp ct state established accept
+                ip protocol icmp ct state established accept
+
+                # Accept port 22(SSH) traffic from anywhere
+                tcp dport ssh accept
+
+                # Accept ICMP and IGMP from anywhere
+                icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
+                icmp type { destination-unreachable, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
+                ip protocol igmp accept
+        }
+
+        # Base chain for hook forward named forward (Filters forwarded network packets)
+        chain forward {
+                type filter hook forward priority 0; policy drop;
+        }
+
+        # Base chain for hook output named output (Filters outbount network packets)
+        chain output {
+                type filter hook output priority 0; policy drop;
+                # Ensure outbound and established connections are configured
+                ip protocol tcp ct state established,related,new accept
+                ip protocol udp ct state established,related,new accept
+                ip protocol icmp ct state established,related,new accept
+        }
+}
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -12,5 +12,27 @@
 
 - name: generate new grub config
   become: yes
-  command: grub2-mkconfig -o "{{ grub_cfg.stat.lnk_source }}"
+  command: grub2-mkconfig -o {{ grub_config_file }}
 
+- name: reload dconf
+  become: yes
+  command: dconf update
+
+- name: restart auditd
+  become: yes
+  command: /sbin/service auditd restart
+  changed_when: no
+  check_mode: no
+  failed_when: no
+  args:
+    warn: no
+
+- name: restart sshd
+  become: yes
+  service:
+      name: sshd
+      state: restarted
+
+- name: authselect apply changes
+  become: yes
+  command: authselect apply-changes
diff --git a/meta/main.yml b/meta/main.yml
@@ -9,7 +9,9 @@ galaxy_info:
       versions:
         - 8
   galaxy_tags:
-    - docker
-    - compose
-    - containers
+    - cis
+    - rhel8
+    - centos8
+    - ol8
+    - baseline
 dependencies: []
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -17,12 +17,28 @@
   tags:
       - always
 
-- name: "Set package facts"
+- name: "Set facts | Packages"
   package_facts:
     manager: "auto"
+  tags:
+    - always
 
-- name: "Set service facts"
+- name: "Set facts | Service"
   service_facts:
+  tags:
+    - always
+
+- name: Check if the system booted with UEFI or BIOS
+  set_fact:
+    booted_with_efi: "{{ ansible_mounts | selectattr('mount', 'equalto', '/boot/efi') | list | length > 0 }}"
+  tags:
+    - always
+
+- name: Set facts | Grub config file 
+  set_fact:
+    grub_config_file: "{{ '/boot/efi/EFI/{{ ansible_distribution | lower }}/grub.cfg' if booted_with_efi  else '/boot/grub2/grub.cfg' }}"
+  tags:
+    - always
 
 - include: section_1.yml
   become: true
@@ -35,3 +51,27 @@
   when: section_2
   tags: 
     - section_2
+
+- include: section_3.yml
+  become: true
+  when: section_3
+  tags: 
+    - section_3
+
+- include: section_4.yml
+  become: true
+  when: section_4
+  tags: 
+    - section_4
+
+- include: section_5.yml
+  become: true
+  when: section_5
+  tags: 
+    - section_5
+
+- include: section_6.yml
+  become: true
+  when: section_6
+  tags: 
+    - section_6