From 3a0164a3821853e6e211aa55fda6e8a59ed82a23 Mon Sep 17 00:00:00 2001 From: iquzart Date: Thu, 5 Nov 2020 12:05:30 +0400 Subject: [PATCH 01/30] Fix Rule 2.2.2 --- defaults/main.yml | 8 ++++---- tasks/section_1.yml | 6 +++--- tasks/section_2.yml | 24 ++++++------------------ 3 files changed, 13 insertions(+), 25 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index ea96791..65f4a58 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -73,7 +73,7 @@ rule_1_11: true # Ensure system-wide crypto policy is is FUTURE or FI rule_2_1_1: true # Ensure xinetd is not installed rule_2_2_1_1: true # Ensure time synchronization is in use rule_2_2_1_2: true # Ensure chrony is configured -rule_2_2_2: true # Ensure X Window System is not installed +rule_2_2_2: true # Ensure X Window System is not installed rule_2_2_3: true # Ensure rsync service is not enabled rule_2_2_4: true # Ensure Avahi Server is not enabled rule_2_2_5: true # Ensure SNMP Server is not enabled" @@ -99,6 +99,9 @@ rule_2_3_3: true # Ensure LDAP client is not installed bootloader_password: random set_boot_pass: true +# GUI Enabled system +#gui_enabled: true + # AIDE config_aide: true # AIDE cron settings @@ -118,9 +121,6 @@ crypto_policy: FIPS #FUTURE selinux_state: enforcing selinux_policy: targeted -# Set to 'true' if X Windows is needed in your environment -xwindows_required: false - # Time Synchronization time_synchronization: chrony time_synchronization_servers: diff --git a/tasks/section_1.yml b/tasks/section_1.yml index 271b675..cf9e4c3 100644 --- a/tasks/section_1.yml +++ b/tasks/section_1.yml 
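Review bot: Deleting `xwindows_required` from defaults/main.yml (hunk @@ -118,9 +121,6) leaves the role with no operator-facing way to keep X on a host that needs it, because the `#gui_enabled: true` added in the hunk just above is commented out and nothing in this patch reads it, so `rule_2_2_2` becomes the only gate for the wildcard package removal in tasks/section_2.yml. A defined, documented variable is safer than a commented placeholder, e.g. `gui_enabled: false  # set true to keep the X Window System (rule 2.2.2 removal is skipped)`, so a host group can opt out without flipping the benchmark rule itself. If rule_2_2_2 alone is meant to be the switch, the two commented lines should be dropped rather than left as dead configuration.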
@@ -828,10 +828,10 @@ - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ warning_banner }}' " } + - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='Authorized uses only. All activity may be monitored and reported.'" } when: - - gui|bool - - rule_1_8_2|bool + - not rule_2_2_2 | bool + - rule_1_8_2 tags: - level1 - level2 diff --git a/tasks/section_2.yml b/tasks/section_2.yml index 43d43fd..c90971d 100644 --- a/tasks/section_2.yml +++ b/tasks/section_2.yml @@ -35,23 +35,13 @@ - rule_2.2.1.2 - name: "2.2.2 | Ensure X Window System is not installed" - package: - state: absent - name: - - "xorg-x11*" - when: - - not xwindows_required | bool - - "'xorg-x11' in ansible_facts.packages" - - rule_2_2_2 - tags: - - section_2 - - level1 - - scored - - xwindows - - rule_2.2.2 - -- name: "Update facts" block: + - name: "2.2.2 | Ensure X Window System is not installed" + package: + state: absent + name: + - "xorg-x11*" + - name: "Update package facts" package_facts: manager: "auto" @@ -59,8 +49,6 @@ - name: "Update service facts" service_facts: when: - - not xwindows_required | bool - - "'xorg-x11' in ansible_facts.packages" - rule_2_2_2 tags: - section_2 From be8613d288002b3edcc694573730b26a18df47df Mon Sep 17 00:00:00 2001 From: iquzart Date: Thu, 5 Nov 2020 17:21:16 +0400 Subject: [PATCH 02/30] Fixed Rule 2.2.2 --- defaults/main.yml | 5 +---- tasks/main.yml | 4 ++++ tasks/section_2.yml | 18 +++++++++++++----- 3 files changed, 18 insertions(+), 9 deletions(-) 
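Review bot: The GDM banner line in tasks/section_1.yml now hard-codes `banner-message-text='Authorized uses only. All activity may be monitored and reported.'` in place of `{{ warning_banner }}`, so the login-screen banner can no longer be set per deployment and can drift from the /etc/motd, /etc/issue and /etc/issue.net text that the 1.8.1.x tasks render from templates (presumably from the same variable). Unless dropping the variable was deliberate, keeping the interpolation without the stray trailing space of the old line preserves one source of truth: `line: "banner-message-text='{{ warning_banner }}'"`. The two conditions are also styled differently, `not rule_2_2_2 | bool` next to a bare `rule_1_8_2`; `rule_1_8_2 | bool` would match. The task header and its module arguments start above this hunk.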
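Review bot: Folding 2.2.2 into the block in tasks/section_2.yml drops both guards the standalone task carried, `not xwindows_required | bool` and `"'xorg-x11' in ansible_facts.packages"`, and the block's `when` (second hunk of this file, @@ -59,8 +49,6) keeps only `rule_2_2_2`, so `package: state: absent` on `xorg-x11*` now runs on every host where the rule is enabled with no way to exempt a host that legitimately needs X. A wildcard removal can also take packages that depend on the matched ones with it, which is why the presence check mattered: it limited the removal, and the fact refresh that follows, to hosts where X is actually installed. Consider restoring an opt-out on the block, e.g. `- not gui_enabled | bool` backed by a defined default, and keeping `- "'xorg-x11' in ansible_facts.packages"` so the block is skipped entirely on hosts that have nothing to remove.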
diff --git a/defaults/main.yml b/defaults/main.yml index 65f4a58..ab4e715 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -96,12 +96,9 @@ rule_2_3_3: true # Ensure LDAP client is not installed ##################################################################### # 1.4.2 Bootloader password -bootloader_password: random +bootloader_password: p@ssw0rd set_boot_pass: true -# GUI Enabled system -#gui_enabled: true - # AIDE config_aide: true # AIDE cron settings diff --git a/tasks/main.yml b/tasks/main.yml index 73db05d..38232c1 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -21,6 +21,10 @@ package_facts: manager: "auto" +- name: "Debug" + debug: + msg: "{{ ansible_facts.packages }}" + - name: "Set service facts" service_facts: diff --git a/tasks/section_2.yml b/tasks/section_2.yml index c90971d..fd99b93 100644 --- a/tasks/section_2.yml +++ b/tasks/section_2.yml @@ -41,14 +41,22 @@ state: absent name: - "xorg-x11*" - + + - name: Refresh destination information + setup: + + - name: "Update service facts" + service_facts: + - name: "Update package facts" package_facts: manager: "auto" - - name: "Update service facts" - service_facts: + - name: "Debug" + debug: + msg: "{{ ansible_facts.services }}" when: + - "'xorg-x11-server-common' in ansible_facts.packages" - rule_2_2_2 tags: - section_2 @@ -56,7 +64,7 @@ - scored - xwindows - rule_2.2.2 - + - name: "2.2.3 | Ensure rsync service is not enabled " systemd: @@ -253,7 +261,7 @@ state: stopped enabled: no when: - - "'cups.service' in ansible_facts.services" + - "'cups' in ansible_facts.packages" - rule_2_2_16 tags: - section_2 From f3a6f1a2e38cd8acb2271585813cb6a0b074b23d Mon Sep 17 00:00:00 2001 From: iquzart Date: Thu, 5 Nov 2020 17:37:32 +0400 Subject: [PATCH 03/30] Fixed Rule 2.2.4, 2.2.12 --- tasks/section_2.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/section_2.yml b/tasks/section_2.yml index fd99b93..a8a2c82 100644 --- a/tasks/section_2.yml +++ b/tasks/section_2.yml 
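Review bot: `bootloader_password: p@ssw0rd` in defaults/main.yml commits a weak, literal GRUB password into the role defaults, where it applies to every host that does not override the variable and remains in git history even after a later change; the previous `random` value at least did not ship a guessable secret. Defaults should not carry a usable credential: keep a non-secret sentinel such as `bootloader_password: random`, or leave it undefined so the 1.4.2 task fails with a clear message, and have deployments supply the real value from vault or an inventory secret. If this was a local test value it should not be part of the patch series.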
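Review bot: The new `Debug` task in tasks/main.yml prints the whole `ansible_facts.packages` dictionary on every run, and the matching `Debug` added in the tasks/section_2.yml hunk (`msg: "{{ ansible_facts.services }}"`) does the same for services; that is hundreds of lines of noise in every play log and CI artifact, and a full package inventory of a hardened host is not something to leave in shared logs. Both look like troubleshooting leftovers and should be removed before merging, or at minimum gated behind a variable such as `when: cis_debug | default(false) | bool` and given `verbosity: 2` so they only print with `-vv`. The same section_2 hunk also inserts a full `setup:` inside the block, although the block's condition reads only `ansible_facts.packages` and the `package_facts`/`service_facts` tasks that follow already refresh exactly those facts; the extra gather costs a complete fact collection per host for no additional information.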
@@ -85,7 +85,7 @@ state: stopped enabled: no when: - - "'avahi-daemon' in ansible_facts.services" + - "'avahi-daemon.service' in ansible_facts.services" - rule_2_2_4 tags: - section_2 @@ -191,11 +191,11 @@ - name: "2.2.12 | Ensure NFS is not enabled" systemd: - name: nfs + name: nfs-server state: stopped enabled: no when: - - "'nfs.service' in ansible_facts.services" + - "'nfs-server.service' in ansible_facts.services" - rule_2_2_12 tags: - section_2 From 166bf1d0abbe19ecc6b66eadda537a1fe8cf9980 Mon Sep 17 00:00:00 2001 From: iquzart Date: Thu, 5 Nov 2020 17:46:58 +0400 Subject: [PATCH 04/30] Fixed Rule 1.5.3 --- tasks/section_1.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/section_1.yml b/tasks/section_1.yml index cf9e4c3..cfdf54b 100644 --- a/tasks/section_1.yml +++ b/tasks/section_1.yml @@ -562,22 +562,22 @@ - grub - rule_1.5.2 -- name: "NOT1.5.3 | Ensure authentication required for single user mode (Scored)" +- name: "1.5.3 | Ensure authentication required for single user mode (Scored)" block: - - name: "NOT1.5.3 | Ensure authentication required for single user mode (Scored) - emergency" + - name: "1.5.3 | Ensure authentication required for single user mode (Scored) - emergency" lineinfile: dest: /usr/lib/systemd/system/emergency.service regexp: '/sbin/sulogin' line: 'execstart=-/usr/lib/systemd/systemd-sulogin-shell rescue' - - name: "NOT1.5.3 | Ensure authentication required for single user mode (Scored) - rescue" + - name: "1.5.3 | Ensure authentication required for single user mode (Scored) - rescue" lineinfile: dest: /usr/lib/systemd/system/rescue.service regexp: '/sbin/sulogin' line: 'execstart=-/usr/lib/systemd/systemd-sulogin-shell rescue' when: - rule_1_5_3 - - ansible_distribution_major_version == 8 + - ansible_distribution_major_version == "8" tags: - level1 - level2 From 56e1df0fce50f0ecec1ea583a55589baec7d8a5b Mon Sep 17 00:00:00 2001 
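Review bot: Dropping the `NOT` prefix and fixing the `ansible_distribution_major_version == "8"` comparison makes 1.5.3 a live rule, but the unchanged lines it now enables write `execstart=-/usr/lib/systemd/systemd-sulogin-shell rescue` into both unit files: systemd unit keys are case-sensitive, so a lowercase `execstart=` is not an `ExecStart=` directive and is ignored with a warning, and emergency.service should pass `emergency`, not `rescue`, to systemd-sulogin-shell. The `regexp: '/sbin/sulogin'` also only matches the legacy sulogin invocation, so on units that already use systemd-sulogin-shell the line is appended instead of replaced; `regexp: '^ExecStart='` with `line: 'ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency'` (and `rescue` for rescue.service) would make the task idempotent. Edits under /usr/lib/systemd/system are overwritten by package updates; a drop-in under /etc/systemd/system/<unit>.d/ survives them.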
From: iquzart Date: Mon, 9 Nov 2020 11:38:27 +0400 Subject: [PATCH 05/30] Setup Section_3 and Fixes on Section_1 and Section_2 --- defaults/main.yml | 57 +++- files/etc/nftables/nftables.rules | 49 +++ tasks/main.yml | 10 +- tasks/section_1.yml | 90 +++--- tasks/section_2.yml | 22 +- tasks/section_3.yml | 504 ++++++++++++++++++++++++++++++ 6 files changed, 662 insertions(+), 70 deletions(-) create mode 100644 files/etc/nftables/nftables.rules create mode 100644 tasks/section_3.yml diff --git a/defaults/main.yml b/defaults/main.yml index ab4e715..ffde3ff 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -15,9 +15,9 @@ rule_1_1_1_2: true # Ensure mounting of vFAT filesystems is disabled rule_1_1_1_3: true # Ensure mounting of squashfs filesystems is disabled rule_1_1_1_4: true # Ensure mounting of udf filesystems is disabled rule_1_1_2: true # Ensure separate partition exists for /tmp | enable and start/restart tmp.mount -rule_1_1_3: true # Ensure nodev option set on /tmp partition -rule_1_1_4: true # Ensure nosuid option set on /tmp partition -rule_1_1_5: true # Ensure noexec option set on /tmp partition +rule_1_1_3: true # Ensure nodev option set on /tmp partition +rule_1_1_4: true # Ensure nosuid option set on /tmp partition +rule_1_1_5: true # Ensure noexec option set on /tmp partition rule_1_1_6: true # Ensure separate partition exists for /var rule_1_1_7: true # Ensure separate partition exists for /var/tmp rule_1_1_8: true # Ensure nodev option set on /var/tmp partition 
@@ -25,12 +25,12 @@ rule_1_1_9: true # Ensure nosuid option set on /var/tmp partition rule_1_1_10: true # Ensure noexec option set on /var/tmp partition rule_1_1_11: true # Ensure separate partition exists for /var/log rule_1_1_12: true # Ensure separate partition exists for /var/log/audit -rule_1_1_13: true # Ensure separate partition exists for /home -rule_1_1_14: true # Ensure nodev option set on /home +rule_1_1_13: true # Ensure separate partition exists for /home +rule_1_1_14: true # Ensure nodev option set on /home rule_1_1_15: true # Ensure nodev option set on /dev/shm partition rule_1_1_16: true # Ensure nosuid option set on /dev/shm partition rule_1_1_17: true # Ensure noexec option set on /dev/shm partition -rule_1_1_18: true # Ensure nodev option set on removable media partitions +rule_1_1_18: true # Ensure nodev option set on removable media partitions rule_1_1_19: true # Ensure nosuid option set on removable media partitions rule_1_1_20: true # Ensure noexec option set on removable media partitions rule_1_1_21: true # Ensure sticky bit is set on all world-writable directories @@ -40,7 +40,7 @@ rule_1_2_1: true # Ensure Red Hat Subscription Manager connection is c rule_1_2_2: true # Disable the RHNSD daemon rule_1_2_3: true # Ensure gpg keys are configured rule_1_2_4: true # Ensure gpgcheck is globally activated -rule_1_2_5: true # Ensure package manager repositories are configured +rule_1_2_5: true # Ensure package manager repositories are configured rule_1_3_1: true # Ensure sudo is installed rule_1_3_2: true # Ensure sudo commands user pty rule_1_3_3: true # Ensure sudo log file exists 
@@ -52,7 +52,7 @@ rule_1_5_3: true # Ensure authentication required for single user mode rule_1_6_1: true # Ensure core dumps are restricted rule_1_6_2: true # Ensure address space layout randomization (ASLR) is enabled rule_1_7_1_1: true # Ensure selinux is installed -rule_1_7_1_2: true # Ensure selinux is not disabled in bootloader configuration +rule_1_7_1_2: true # Ensure selinux is not disabled in bootloader configuration rule_1_7_1_3: true # Ensure selinux policy is configured rule_1_7_1_4: true # Ensure the selinux state is enforcing rule_1_7_1_5: true # Ensure no unconfined services exist 
@@ -94,6 +94,42 @@ rule_2_3_1: true # Ensure NIS Client is not installed rule_2_3_2: true # Ensure telnet client is not installed rule_2_3_3: true # Ensure LDAP client is not installed +# Section 3 rules +rule_3_1_1: true # Ensure IP forwarding is disabled +rule_3_1_2: true # Ensure packet redirect sending is disabled +rule_3_2_1: true # Ensure source routed packets are not accepted +rule_3_2_2: true # Ensure ICMP redirects are not accepted +rule_3_2_3: true # Ensure secure ICMP redirects are not accepted +rule_3_2_4: true # Ensure suspicious packets are logged +rule_3_2_5: true # Ensure broadcast ICMP requests are ignored +rule_3_2_6: true # Ensure bogus ICMP responses are ignored +rule_3_2_7: true # Ensure Reverse Path Filtering is enabled +rule_3_2_8: true # Ensure TCP SYN Cookies is enabled +rule_3_2_9: true # Ensure IPv6 router advertisements are not accepted +rule_3_3_1: true # Ensure DCCP is disabled +rule_3_3_2: true # Ensure SCTP is disabled +rule_3_3_3: true # Ensure RDS is disabled +rule_3_3_4: true # Ensure TIPC is disabled +rule_3_4_1_1: true # Ensure a Firewall package is installed +rule_3_4_2_1: true # Ensure firewalld service is enabled and running +rule_3_4_2_2: true # Ensure iptables is not enabled +rule_3_4_2_3: true # Ensure nftables is not enabled +rule_3_4_2_4: true # Ensure default zone is set +rule_3_4_2_5: true # Ensure network interfaces are assigned to the appropriate zone +rule_3_4_2_6: true # Ensure unnessary services and ports are not accepted +rule_3_4_3: true # Configure nftables +rule_3_4_3_1: true # Ensure iptables are flushed +rule_3_4_3_2: true # Ensure a table exists +rule_3_4_3_3: true # Ensure base chains exist +rule_3_4_3_4: true # Ensure loopback traffic is configured +rule_3_4_3_5: true # Ensure outbound and established connections are configured +rule_3_4_3_6: true # Ensure default deny firewall policy +rule_3_4_3_7: true # Ensure nftables service is enabled +rule_3_4_3_8: true # Ensure nftables rules are permanent 
+rule_3_5: true # Ensure wireless interfaces are disabled +rule_3_6: true # Ensure IPv6 is disabled + + ##################################################################### # 1.4.2 Bootloader password bootloader_password: p@ssw0rd @@ -115,7 +151,7 @@ aide_cron: crypto_policy: FIPS #FUTURE # SELinux policy -selinux_state: enforcing +selinux_state: disabled #enforcing selinux_policy: targeted # Time Synchronization @@ -154,4 +190,5 @@ vartmp: opts: "defaults,nodev,nosuid,noexec,bind" enabled: no - +# Firewall Configs +firewall: firewalld # Firewall module (firewalld, nftable) diff --git a/files/etc/nftables/nftables.rules b/files/etc/nftables/nftables.rules new file mode 100644 index 0000000..2bcd277 --- /dev/null +++ b/files/etc/nftables/nftables.rules 
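Review bot: `selinux_state: disabled #enforcing` changes the role default so the 1.7.1.4 task (`state: "{{ selinux_state }}"`) now disables SELinux on every host that does not override the variable, and the 1.7.1.2 bootloader task is skipped because its condition is `selinux_state == "enforcing"`; for a CIS hardening role that inverts the control the benchmark requires. If disabling is needed for a lab or a specific host group it belongs in inventory or an extra-var, not in defaults/main.yml, and the default should stay `selinux_state: enforcing`. A trailing `#enforcing` comment is also easy to miss in review; if a non-default value is ever intended, a comment line above the key stating why is clearer.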
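Review bot: The inline comment on the new `firewall: firewalld` key lists the alternative as `nftable`, but the section_3 tasks compare against `firewall == 'nftables'`, so an operator following the comment would set a value that matches neither branch, leaving the firewalld tasks skipped and no nftables configuration applied with nothing reporting it. Correct the comment to the accepted values, e.g. `firewall: firewalld  # Firewall backend: firewalld or nftables`, and consider a guard task that fails early on anything else, e.g. `assert: { that: "firewall in ['firewalld', 'nftables']" }`.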
@@ -0,0 +1,49 @@ +#!/sbin/nft -f + +# This nftables.rules config should be saved as /etc/nftables/nftables.rules + +# flush nftables rulesset +flush ruleset + +# Load nftables ruleset + +# nftables config with inet table named filter + +table inet filter { + # Base chain for input hook named input (Filters inbound network packets) + chain input { + type filter hook input priority 0; policy drop; + + # Ensure loopback traffic is configured + iif "lo" accept + ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop + ip6 saddr ::1 counter packets 0 bytes 0 drop + + # Ensure established connections are configured + ip protocol tcp ct state established accept + ip protocol udp ct state established accept + ip protocol icmp ct state established accept + + # Accept port 22(SSH) traffic from anywhere + tcp dport ssh accept + + # Accept ICMP and IGMP from anywhere + icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept + icmp type { destination-unreachable, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept + ip protocol igmp accept + } + + # Base chain for hook forward named forward (Filters forwarded network packets) + chain forward { + type filter hook forward priority 0; policy drop; + } + + # Base chain for hook output named output (Filters outbount network packets) + chain output { + type filter hook output priority 0; policy drop; + # Ensure outbound and established connections are configured + ip protocol tcp ct state established,related,new accept + ip protocol udp ct state established,related,new accept + ip protocol icmp ct state established,related,new accept + } +} diff --git a/tasks/main.yml b/tasks/main.yml index 38232c1..0ff0fb9 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
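Review bot: In the new files/etc/nftables/nftables.rules the established-connection accepts in `chain input` are written as `ip protocol tcp|udp|icmp ct state established accept`, and `ip protocol` matches only the IPv4 header, so inside this `inet` table established IPv6 TCP/UDP flows never reach an accept and fall to `policy drop` (only `tcp dport ssh accept` and the ICMPv6 set survive); the three `ip protocol ... established,related,new accept` lines in `chain output` have the same problem and, with the output policy also drop, block all IPv6 egress including ICMPv6 neighbour discovery. A family-neutral rule fixes each chain in one line: `ct state established,related accept` in input and `ct state established,related,new accept` in output, or `meta l4proto { tcp, udp, icmp, ipv6-icmp } ct state ... accept` if the protocol restriction is wanted. The `counter packets 0 bytes 0` tokens on the anti-spoofing drops are `nft list ruleset` output; `counter drop` is the form meant to be written by hand. Since `tcp dport ssh` is the only inbound service and the file is copied verbatim, a header comment stating that every other listener must be added here (or templating the port list) would keep an operator from applying a policy-drop firewall that cuts off their application.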
@@ -21,10 +21,6 @@ package_facts: manager: "auto" -- name: "Debug" - debug: - msg: "{{ ansible_facts.packages }}" - - name: "Set service facts" service_facts: @@ -39,3 +35,9 @@ when: section_2 tags: - section_2 + +- include: section_3.yml + become: true + when: section_3 + tags: + - section_3 \ No newline at end of file diff --git a/tasks/section_1.yml b/tasks/section_1.yml index cfdf54b..8fca786 100644 --- a/tasks/section_1.yml +++ b/tasks/section_1.yml @@ -6,7 +6,7 @@ line: "install cramfs /bin/true" create: yes when: - - rule_1_1_1_1|bool + - rule_1_1_1_1 tags: - section_1 - scored @@ -17,7 +17,7 @@ name: cramfs state: absent when: - - rule_1_1_1_1|bool + - rule_1_1_1_1 - ansible_connection != 'docker' tags: - section_1 @@ -31,7 +31,7 @@ line: "install vfat /bin/true" create: yes when: - - rule_1_1_1_2|bool + - rule_1_1_1_2 tags: - section_1 - not_scored @@ -42,7 +42,7 @@ name: vfat state: absent when: - - rule_1_1_1_2|bool + - rule_1_1_1_2 - ansible_connection != 'docker' tags: - section_1 @@ -56,7 +56,7 @@ line: "install squashfs /bin/true" create: yes when: - - rule_1_1_1_3|bool + - rule_1_1_1_3 tags: - section_1 - scored @@ -67,7 +67,7 @@ name: squashfs state: absent when: - - rule_1_1_1_3|bool + - rule_1_1_1_3 - ansible_connection != 'docker' tags: - section_1 @@ -82,18 +82,18 @@ line: "install udf /bin/true" create: yes when: - - rule_1_1_1_4|bool + - rule_1_1_1_4 tags: - section_1 - scored - udf -- name: "1.1.1.4 | Remove udf module" +- name: "1.1.1.4 | Remove udf module (Scored)" modprobe: name: udf state: absent when: - - rule_1_1_1_4|bool + - rule_1_1_1_4 - ansible_connection != 'docker' tags: - section_1 @@ -101,7 +101,7 @@ - udf -- name: "1.1.2 | Ensure separate partition exists for /tmp | enable and start/restart tmp.mount" +- name: "1.1.2 | Ensure separate partition exists for /tmp | enable and start/restart tmp.mount (Scored)" systemd: name: tmp.mount daemon_reload: yes 
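Review bot: The new `include: section_3.yml` task in tasks/main.yml is guarded by `when: section_3`, but this patch adds only `rule_3_*` toggles to defaults/main.yml, so unless `section_3` is defined next to the existing `section_1`/`section_2` switches somewhere outside the diff the play stops with an undefined-variable error before any section 3 task runs; the defaults hunk in this same commit is the place for `section_3: true`. `include` is also the deprecated form and, if the section_1/section_2 includes use it as well, switching all three to `include_tasks` (which honours `when` and `tags` the same way) is a small consistency fix. The hunk also leaves the file without a trailing newline (`\ No newline at end of file`).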
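Review bot: Stripping `|bool` from the `when:` conditions (this hunk and every `rule_*` condition through the @@ -875 hunk of tasks/section_1.yml) makes each rule's evaluation depend on the variable's runtime type: a value that arrives as a string, such as `-e rule_1_1_1_1=false` on the command line or `"false"` from an inventory source, is a non-empty string and therefore truthy, so a rule the operator disabled would still run; Ansible's own deprecation notice for bare-variable conditionals tells authors to add `| bool` precisely because the old implicit re-evaluation is going away. The filter was the cheap normalisation that made `true`, `false`, `"yes"` and `"no"` all behave, so keeping `rule_1_1_1_1 | bool` (spaced, matching the form this commit itself writes at `- rule_1_5_1 | bool` in the @@ -516 hunk) is the consistent choice, and the same applies to the conditions in the new tasks/section_3.yml. At minimum the mixed state between @@ -516 (`rule_1_5_1 | bool`) and @@ -532 (`rule_1_5_1`) should be resolved one way.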
@@ -109,13 +109,13 @@ masked: no state: started when: - - rule_1_1_2|bool + - rule_1_1_2 tags: - section_1 - scored - rule_1.1.2 -- name: "1.1.3 | 1.1.4 | 1.1.5 | Ensure nodev,nosuid,noexec options set on /tmp partition" +- name: "1.1.3 | 1.1.4 | 1.1.5 | Ensure nodev,nosuid,noexec options set on /tmp partition (Scored)" template: src: tmp.mount.j2 dest: /etc/systemd/system/tmp.mount @@ -123,9 +123,9 @@ group: root mode: 0644 notify: systemd restart tmp.mount - when: rule_1_1_3|bool or - rule_1_1_4|bool or - rule_1_1_5|bool + when: rule_1_1_3 or + rule_1_1_4 or + rule_1_1_5 tags: - section_1 - scored @@ -175,9 +175,9 @@ fstype: "{{ vartmp['fstype'] }}" opts: "{{ vartmp['opts'] }}" when: - - rule_1_1_8|bool - - rule_1_1_9|bool - - rule_1_1_10|bool + - rule_1_1_8 + - rule_1_1_9 + - rule_1_1_10 tags: - level1 - scored @@ -226,7 +226,7 @@ changed_when: no failed_when: no when: - - rule_1_1_13|bool + - rule_1_1_13 tags: - level2 - scored @@ -242,7 +242,7 @@ fstype: "{{ item.fstype }}" opts: "nodev" when: - - rule_1_1_14|bool + - rule_1_1_14 - item.mount == "/home" with_items: "{{ ansible_mounts }}" tags: @@ -327,7 +327,7 @@ enabled: no when: - "'autofs.service' in ansible_facts.services" - - rule_1_1_22|bool + - rule_1_1_22 tags: - level1 - patch @@ -337,7 +337,7 @@ command: rmmod usb-storage ignore_errors: yes when: - - rule_1_1_23|bool + - rule_1_1_23 tags: - level1 - scored @@ -464,7 +464,7 @@ name: aide state: present when: - - rule_1_4_1|bool + - rule_1_4_1 tags: - level1 - scored @@ -481,8 +481,8 @@ async: 45 poll: 0 when: - - config_aide|bool - - rule_1_4_1|bool + - config_aide + - rule_1_4_1 tags: - level1 - scored @@ -502,7 +502,7 @@ weekday: "{{ aide_cron['aide_weekday'] | default('*') }}" job: "{{ aide_cron['aide_job'] }}" when: - - rule_1_4_2|bool + - rule_1_4_2 tags: - level1 - scored @@ -516,7 +516,7 @@ path: /etc/grub2.cfg register: grub_cfg when: - - rule_1_5_1|bool + - rule_1_5_1 | bool tags: - level1 - scored 
@@ -532,7 +532,7 @@ mode: 0600 when: - grub_cfg.stat.exists and grub_cfg.stat.islnk - - rule_1_5_1|bool + - rule_1_5_1 tags: - level1 - scored @@ -592,7 +592,7 @@ line: '* hard core 0' insertbefore: '^# End of file' when: - - rule_1_6_1|bool + - rule_1_6_1 tags: - level1 - scored @@ -609,7 +609,7 @@ sysctl_set: yes ignoreerrors: yes when: - - rule_1_6_1|bool + - rule_1_6_1 tags: - level1 - scored @@ -626,7 +626,7 @@ sysctl_set: yes ignoreerrors: yes when: - - rule_1_6_2|bool + - rule_1_6_2 tags: - level1 - scored @@ -643,7 +643,7 @@ notify: generate new grub config when: - selinux_state == "enforcing" - - rule_1_7_1_2|bool + - rule_1_7_1_2 tags: - level2 - scored @@ -660,7 +660,7 @@ # msg: "--> Not relevant" # changed_when: no # when: -# - rule_1_7_1_3|bool +# - rule_1_7_1_3 # tags: # - level2 # - scored @@ -674,7 +674,7 @@ policy: "{{ selinux_policy }}" state: "{{ selinux_state }}" when: - - rule_1_7_1_4|bool + - rule_1_7_1_4 tags: - level2 - scored @@ -688,7 +688,7 @@ changed_when: no failed_when: no when: - - rule_1_7_1_5|bool + - rule_1_7_1_5 tags: - level2 - scored @@ -700,7 +700,7 @@ name: setroubleshoot state: absent when: - - rule_1_7_1_6|bool + - rule_1_7_1_6 tags: - level2 - scored @@ -713,7 +713,7 @@ name: mcstrans state: absent when: - - rule_1_7_1_7|bool + - rule_1_7_1_7 tags: - level2 - scored @@ -725,7 +725,7 @@ name: libselinux state: present when: - - rule_1_7_1_1|bool + - rule_1_7_1_1 tags: - level2 - scored @@ -737,7 +737,7 @@ src: etc/motd.j2 dest: /etc/motd when: - - rule_1_8_1_1|bool + - rule_1_8_1_1 tags: - level1 - banner @@ -749,7 +749,7 @@ src: etc/issue.j2 dest: /etc/issue when: - - rule_1_8_1_2|bool + - rule_1_8_1_2 tags: - level1 - patch @@ -760,7 +760,7 @@ src: etc/issue.net.j2 dest: /etc/issue.net when: - - rule_1_8_1_3|bool + - rule_1_8_1_3 tags: - level1 - banner @@ -775,7 +775,7 @@ group: root mode: 0644 when: - - rule_1_8_1_4|bool + - rule_1_8_1_4 tags: - level1 - perms 
@@ -790,7 +790,7 @@ group: root mode: 0644 when: - - rule_1_8_1_5|bool + - rule_1_8_1_5 tags: - level1 - perms @@ -805,7 +805,7 @@ group: root mode: 0644 when: - - rule_1_8_1_6|bool + - rule_1_8_1_6 tags: - level1 - perms @@ -875,7 +875,7 @@ update-crypto-policies --set {{ crypto_policy }} update-crypto-policies when: - - rule_1_11|bool + - rule_1_11 tags: - level1 - level2 diff --git a/tasks/section_2.yml b/tasks/section_2.yml index a8a2c82..1588657 100644 --- a/tasks/section_2.yml +++ b/tasks/section_2.yml @@ -176,7 +176,7 @@ - scored - rule_2.2.10 -- name: "2.2.11 | Ensure DNS Server is not enabled" +- name: "2.2.11 | Ensure DNS Server is not enabled (Scored)" systemd: name: named state: stopped @@ -189,7 +189,7 @@ - level1 - rule_2.2.11 -- name: "2.2.12 | Ensure NFS is not enabled" +- name: "2.2.12 | Ensure NFS is not enabled (Scored)" systemd: name: nfs-server state: stopped @@ -206,7 +206,7 @@ - services - rule_2.2.12 -- name: "2.2.13 | Ensure RPC is not enabled" +- name: "2.2.13 | Ensure RPC is not enabled (Scored)" systemd: name: rpcbind state: stopped @@ -223,7 +223,7 @@ - services - rule_2.2.13 -- name: "2.2.14 | Ensure LDAP server is not enabled" +- name: "2.2.14 | Ensure LDAP server is not enabled (Scored)" service: name: slapd state: stopped @@ -239,7 +239,7 @@ - services - rule_2.2.14 -- name: "2.2.15 | Ensure DHCP Server is not enabled" +- name: "2.2.15 | Ensure DHCP Server is not enabled (Scored)" systemd: name: dhcpd state: stopped @@ -255,7 +255,7 @@ - services - rule_2.2.14 -- name: "2.2.16 | Ensure CUPS is not enabled" +- name: "2.2.16 | Ensure CUPS is not enabled (Scored)" systemd: name: cups state: stopped @@ -271,7 +271,7 @@ - services - rule_2.2.16 -- name: "2.2.17 | Ensure NIS Server is not enabled" +- name: "2.2.17 | Ensure NIS Server is not enabled (Scored)" systemd: name: ypserv state: stopped 
@@ -284,7 +284,7 @@ - level1 - rule_2.2.17 -- name: "2.2.18 | Ensure mail transfer agent is configured for local-only mode" +- name: "2.2.18 | Ensure mail transfer agent is configured for local-only mode (Scored)" lineinfile: dest: /etc/postfix/main.cf regexp: "^(#)?inet_interfaces" @@ -297,7 +297,7 @@ - level1 - rule_2.2.18 -- name: "2.3.1 | Ensure NIS Client is not installed" +- name: "2.3.1 | Ensure NIS Client is not installed (Scored)" dnf: name: ypbind state: absent @@ -309,7 +309,7 @@ - level1 - rule_2.3.1 -- name: "2.3.2 | Ensure telnet client is not installed" +- name: "2.3.2 | Ensure telnet client is not installed (Scored)" dnf: name: telnet state: absent @@ -321,7 +321,7 @@ - level1 - rule_2.3.2 -- name: "2.3.3 | Ensure LDAP client is not installed" +- name: "2.3.3 | Ensure LDAP client is not installed (Scored)" dnf: name: openldap-clients state: absent diff --git a/tasks/section_3.yml b/tasks/section_3.yml new file mode 100644 index 0000000..61e915d --- /dev/null +++ b/tasks/section_3.yml 
@@ -0,0 +1,504 @@ +- name: "3.1.1 | Ensure IP forwarding is disabled (Scored)" + sysctl: + name: '{{ item.name }}' + value: '{{ item.value }}' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_items: + - { name: net.ipv4.ip_forward, value: 0 } + - { name: net.ipv6.ip_forward, value: 0 } + - { name: net.ipv4.conf.all.ip_forward, value: 0 } + - { name: net.ipv6.conf.all.ip_forward, value: 0 } + when: + - rule_3_1_1 + tags: + - level1 + - sysctl + - rule_3.1.1 + - section_3 + +- name: "3.1.2 | Ensure packet redirect sending is disabled (Scored)" + sysctl: + name: '{{ item.name }}' + value: '{{ item.value }}' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_items: + - { name: net.ipv4.conf.all.send_redirects, value: 0 } + - { name: net.ipv4.conf.default.send_redirects, value: 0 } + when: + - rule_3_1_2 + tags: + - level1 + - sysctl + - rule_3.1.2 + - section_3 + +- name: "3.2.1 | Ensure source routed packets are not accepted (Scored)" + sysctl: + name: '{{ item.name }}' + value: '{{ item.value }}' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_items: + - { name: net.ipv4.conf.all.accept_source_route, value: 0 } + - { name: net.ipv4.conf.default.accept_source_route, value: 0 } + - { name: net.ipv6.conf.all.accept_source_route, value: 0 } + - { name: net.ipv6.conf.default.accept_source_route, value: 0 } + when: + - rule_3_2_1 + tags: + - level1 + - sysctl + - rule_3.2.1 + - section_3 + +- name: "3.2.2 | Ensure ICMP redirects are not accepted (Scored)" + sysctl: + name: '{{ item.name }}' + value: '{{ item.value }}' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_items: + - { name: net.ipv4.conf.all.accept_redirects, value: 0 } + - { name: net.ipv4.conf.default.accept_redirects, value: 0 } + - { name: net.ipv6.conf.all.accept_redirects, value: 0 } + - { name: net.ipv6.conf.default.accept_redirects, value: 0 } + when: + - rule_3_2_2 + tags: + - level1 + - sysctl + - 
rule_3.2.2 + - section_3 + +- name: "3.2.3 | Ensure secure ICMP redirects are not accepted (Scored)" + sysctl: + name: '{{ item.name }}' + value: '{{ item.value }}' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_items: + - { name: net.ipv4.conf.all.secure_redirects, value: 0 } + - { name: net.ipv4.conf.default.secure_redirects, value: 0 } + when: + - rule_3_2_3 + tags: + - level1 + - sysctl + - rule_3.2.3 + - section_3 + +- name: "3.2.4 | Ensure suspicious packets are logged (Scored)" + sysctl: + name: '{{ item.name }}' + value: '{{ item.value }}' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_items: + - { name: net.ipv4.conf.all.log_martians, value: 1 } + - { name: net.ipv4.conf.default.log_martians, value: 1 } + when: + - rule_3_2_4 + tags: + - level1 + - sysctl + - rule_3.2.4 + - section_3 + +- name: "3.2.5 | Ensure broadcast ICMP requests are ignored (Scored)" + sysctl: + name: net.ipv4.icmp_echo_ignore_broadcasts + value: "1" + state: present + reload: yes + ignoreerrors: yes + when: + - rule_3_2_5 + tags: + - level1 + - sysctl + - rule_3.2.5 + - section_3 + +- name: "3.2.6 | Ensure bogus ICMP responses are ignored (Scored)" + sysctl: + name: net.ipv4.icmp_ignore_bogus_error_responses + value: "1" + state: present + reload: yes + ignoreerrors: yes + when: + - rule_3_2_6 + tags: + - level1 + - sysctl + - rule_3.2.6 + - section_3 + +- name: "3.2.7 | Ensure Reverse Path Filtering is enabled (Scored)" + sysctl: + name: '{{ item.name }}' + value: '{{ item.value }}' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_items: + - { name: net.ipv4.conf.all.rp_filter, value: 1 } + - { name: net.ipv4.conf.default.rp_filter, value: 1 } + when: + - rule_3_2_7 + tags: + - level1 + - sysctl + - rule_3.2.7 + - section_3 + +- name: "3.2.8 | Ensure TCP SYN Cookies is enabled (Scored)" + sysctl: + name: net.ipv4.tcp_syncookies + value: "1" + state: present + reload: yes + ignoreerrors: yes + when: 
+ - rule_3_2_8 + tags: + - level1 + - sysctl + - rule_3.2.8 + - section_3 + +- name: "3.2.9 | Ensure IPv6 router advertisements are not accepted (Scored)" + sysctl: + name: '{{ item.name }}' + value: '{{ item.value }}' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_items: + - { name: net.ipv6.conf.all.accept_ra, value: 0 } + - { name: net.ipv6.conf.default.accept_ra, value: 0 } + when: + - rule_3_2_9 + tags: + - level1 + - sysctl + - rule_3.2.9 + - section_3 + +- name: "3.3.1 | Ensure DCCP is disabled (Scored)" + lineinfile: + dest: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install dccp(\\s|$)" + line: "install dccp /bin/true" + create: yes + when: + - rule_3_3_1 + tags: + - level1 + - rule_3.3.1 + - section_3 + +- name: "3.3.2 | Ensure SCTP is disabled (Scored)" + lineinfile: + dest: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install sctp(\\s|$)" + line: "install sctp /bin/true" + create: yes + when: + - rule_3_3_2 + tags: + - level1 + - rule_3.3.2 + - section_3 + +- name: "3.3.3 | Ensure RDS is disabled (Scored)" + lineinfile: + dest: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install rds(\\s|$)" + line: "install rds /bin/true" + create: yes + when: + - rule_3_3_3 + tags: + - level1 + - rule_3.3.3 + - section_3 + +- name: "3.3.4 | Ensure TIPC is disabled (Scored)" + lineinfile: + dest: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install tipc(\\s|$)" + line: "install tipc /bin/true" + create: yes + when: + - rule_3_3_4 + tags: + - level1 + - rule_3.3.4 + - section_3 + + +- name: "3.4.1.1 | Ensure a Firewall package is installed (Scored)" + dnf: + name: firewalld + state: present + when: + - rule_3_4_1_1 + tags: + - level1 + - rule_3.4.1.1 + - section_3 + +- name: "3.4.2.1 | Ensure firewalld service is enabled and running (Scored)" + systemd: + name: firewalld + state: started + enabled: yes + when: + - firewall == 'firewalld' + - rule_3_4_2_1 + tags: + - level1 + - rule_3.4.2.1 + - section_3 + +- name: "3.4.2.2 | Ensure iptables is not enabled 
(Scored)" + systemd: + name: iptables + enabled: no + masked: yes + when: + - packages['iptables-services'] is defined + - rule_3_4_2_2 + tags: + - level1 + - rule_3.4.2.2 + - section_3 + +- name: "3.4.2.3 | Ensure nftables is not enabled (Scored)" + systemd: + name: nftables + enabled: no + masked: yes + when: + - firewall == 'firewalld' + - rule_3_4_2_3 + tags: + - level1 + - rule_3.4.2.3 + - section_3 + +- name: "3.4.2.4 | Ensure default zone is set (Scored)" + block: + - name: "Get default Firewalld zone" + command: firewall-cmd --get-default-zone + register: firewalld_zone + + - name: "Set default Firewalld zone" + command: firewall-cmd --set-default-zone=public + when: + - firewalld_zone.stdout != "public" + when: + - firewall == 'firewalld' + - rule_3_4_2_4 + tags: + - level1 + - rule_3.4.2.4 + - section_3 + +- name: "3.4.2.5 | Ensure network interfaces are assigned to appropriate zone (Not Scored)" + command: /bin/true + when: + - firewall == 'firewalld' + - rule_3_4_2_5 + tags: + - level1 + - rule_3.4.2.5 + - section_3 + +- name: "3.4.2.6 | Ensure unnecessary services and ports are not accepted (Not Scored)" + command: /bin/true + when: + - firewall == 'firewalld' + - rule_3_4_2_6 + tags: + - level1 + - rule_3.4.2.6 + - section_3 + +- name: "3.4.3 | Configure nftables" + block: + - name: "3.4.3 | Configure nftables | Nftables Rules" + copy: + src: etc/nftables/nftables.rules + dest: /etc/nftables/nftables.rules + owner: root + group: root + mode: 0644 + + - name: "3.4.3 | Configure nftables | Load Nftables Rules" + command: nft -f /etc/nftables/nftables.rules + + - name: "3.4.3 | Configure nftables | Make Nftables Rules Permanent" + shell: nft list ruleset > /etc/nftables/nftables.rules + + - name: "3.4.3 | Configure nftables | Configure nftables.conf" + lineinfile: + dest: /etc/sysconfig/nftables.conf + regexp: ^(#)?include\s+"\/etc/nftables/nftables.rules\" + line: include "/etc/nftables/nftables.rules" + when: + - firewall == 'nftables' + - rule_3_4_3 + 
tags: + - level1 + - rule_3.4.3 + - section_3 + - notimplemented + +- name: "3.4.3.1 | Ensure iptables are flushed (Not Scored)" + iptables: + flush: yes + when: + - rule_3_4_3_1 + tags: + - level1 + - rule_3.4.3.1 + - section_3 + +- name: "3.4.3.2 | Ensure a table exists (Scored)" + command: /bin/true + changed_when: no + when: + - firewall == 'nftables' + - rule_3_4_3_2 + tags: + - level1 + - rule_3.4.3.2 + - section_3 + +- name: "3.4.3.3 | Ensure base chains exist (Scored)" + command: /bin/true + changed_when: no + when: + - firewall == 'nftables' + - rule_3_4_3_3 + tags: + - level1 + - rule_3.4.3.3 + - section_3 + +- name: "3.4.3.4 | Ensure loopback traffic is configured (Scored)" + command: /bin/true + changed_when: no + when: + - firewall == 'nftables' + - rule_3_4_3_4 + tags: + - level1 + - rule_3.4.3.4 + - section_3 + +- name: "3.4.3.5 | Ensure outbound and established connections are configured (Not Scored)" + command: /bin/true + changed_when: no + when: + - firewall == 'nftables' + - rule_3_4_3_5 + tags: + - level1 + - rule_3.4.3.5 + - section_3 + +- name: "3.4.3.6 | Ensure default deny firewall policy (Scored)" + command: /bin/true + changed_when: no + when: + - firewall == 'nftables' + - rule_3_4_3_6 + tags: + - level1 + - rule_3.4.3.6 + - section_3 + +- name: "3.4.3.7 | Ensure nftables service is enabled (Scored)" + systemd: + name: nftables + state: started + enabled: yes + when: + - firewall == 'nftables' + - rule_3_4_3_7 + tags: + - level1 + - rule_3.4.3.7 + - section_3 + +- name: "3.4.3.8 | Ensure nftables rules are permanent (Scored)" + command: /bin/true + changed_when: no + when: + - firewall == 'nftables' + - rule_3_4_3_8 + tags: + - level1 + - rule_3.4.3.8 + - section_3 + +- name: "3.5 | Ensure wireless interfaces are disabled (Scored)" + command: /bin/true + changed_when: no + when: + - rule_3_5 + tags: + - level1 + - rule_3.5 + - section_3 + - notimplemented + +- name: "3.6 | Disable IPv6 (Not Scored)" + block: + - name: "3.6 | Ensure 
permissions on bootloader config are configured" + stat: + path: /etc/grub2.cfg + register: grub_cfg + + - name: "3.6 | Ensure permissions on bootloader config are configured" + file: + path: "{{ grub_cfg.stat.lnk_source }}" + owner: root + group: root + mode: 0600 + when: + - grub_cfg.stat.exists and grub_cfg.stat.islnk + + - name: "3.6 | Ensure permissions on bootloader config are configured" + replace: + dest: /etc/default/grub + regexp: '(^GRUB_CMDLINE_LINUX\s*\=\s*)(?:")(.+)(? Date: Mon, 9 Nov 2020 11:45:11 +0400 Subject: [PATCH 06/30] fixes on Section_1 --- defaults/main.yml | 2 +- tasks/section_1.yml | 8 ++------ 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index ffde3ff..b6a18af 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -151,7 +151,7 @@ aide_cron: crypto_policy: FIPS #FUTURE # SELinux policy -selinux_state: disabled #enforcing +selinux_state: enforcing selinux_policy: targeted # Time Synchronization diff --git a/tasks/section_1.yml b/tasks/section_1.yml index 8fca786..1a42d92 100644 --- a/tasks/section_1.yml +++ b/tasks/section_1.yml @@ -12,13 +12,12 @@ - scored - cramfs -- name: "1.1.1.1 | Remove cramfs module" +- name: "1.1.1.1 | Remove cramfs module (Scored)" modprobe: name: cramfs state: absent when: - rule_1_1_1_1 - - ansible_connection != 'docker' tags: - section_1 - scored @@ -43,7 +42,6 @@ state: absent when: - rule_1_1_1_2 - - ansible_connection != 'docker' tags: - section_1 - not_scored @@ -62,13 +60,12 @@ - scored - squashfs -- name: "1.1.1.3 | Remove squashfs module" +- name: "1.1.1.3 | Remove squashfs module (Scored)" modprobe: name: squashfs state: absent when: - rule_1_1_1_3 - - ansible_connection != 'docker' tags: - section_1 - scored @@ -94,7 +91,6 @@ state: absent when: - rule_1_1_1_4 - - ansible_connection != 'docker' tags: - section_1 - scored From cf5ec7b8a813e9efb1d810cd7839f04d65022f65 Mon Sep 17 00:00:00 2001 
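Review bot: Dropping `- ansible_connection != 'docker'` from the `when:` of 1.1.1.1, and equally from 1.1.1.2, 1.1.1.3 and 1.1.1.4 in the following hunks, means the `modprobe: state: absent` tasks now run on container-connected targets, where unloading a kernel module is not permitted and the task will most likely fail instead of being skipped. If the goal is to stop depending on the connection plugin, a fact-based guard keeps the skip, e.g. `- ansible_virtualization_type != 'docker'`. The `selinux_state: enforcing` default in defaults/main.yml is the benchmark value, but flipping it from `disabled` is a behaviour change for existing users that the one-line commit message does not mention.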
From: iquzart Date: Mon, 9 Nov 2020 11:53:06 +0400 Subject: [PATCH 07/30] fixes on Section_3 --- tasks/section_2.yml | 22 +++++++++++----------- tasks/section_3.yml | 32 ++++++++------------------------ 2 files changed, 19 insertions(+), 35 deletions(-) diff --git a/tasks/section_2.yml b/tasks/section_2.yml index 1588657..e1fe7bc 100644 --- a/tasks/section_2.yml +++ b/tasks/section_2.yml @@ -1,5 +1,5 @@ --- -- name: "2.1.1 | Ensure xinetd is not installed" +- name: "2.1.1 | Ensure xinetd is not installed (Scored)" dnf: name: xinetd state: absent @@ -11,7 +11,7 @@ - scored - rule_2.1.1 -- name: "2.2.1.1 | Ensure time synchronization is in use" +- name: "2.2.1.1 | Ensure time synchronization is in use (Not Scored)" dnf: name: chrony state: present @@ -20,7 +20,7 @@ - level1 - rule_2.2.1.1 -- name: "2.2.1.2 | Ensure chrony is configured" +- name: "2.2.1.2 | Ensure chrony is configured (Scored)" template: src: etc/chrony.conf.j2 dest: /etc/chrony.conf @@ -34,9 +34,9 @@ - level1 - rule_2.2.1.2 -- name: "2.2.2 | Ensure X Window System is not installed" +- name: "2.2.2 | Ensure X Window System is not installed (Scored)" block: - - name: "2.2.2 | Ensure X Window System is not installed" + - name: "2.2.2 | Ensure X Window System is not installed (Scored)" package: state: absent name: @@ -66,7 +66,7 @@ - rule_2.2.2 -- name: "2.2.3 | Ensure rsync service is not enabled " +- name: "2.2.3 | Ensure rsync service is not enabled (Scored)" systemd: name: rsyncd state: stopped @@ -79,7 +79,7 @@ - level1 - rule_2.2.3 -- name: "2.2.4 | Ensure Avahi Server is not enabled" +- name: "2.2.4 | Ensure Avahi Server is not enabled (Scored)" systemd: name: avahi-daemon state: stopped @@ -95,7 +95,7 @@ - services - rule_2.2.4 -- name: "2.2.5 | Ensure SNMP Server is not enabled" +- name: "2.2.5 | Ensure SNMP Server is not enabled (Scored)" systemd: name: snmpd state: stopped 
@@ -108,7 +108,7 @@ - level1 - rule_2.2.5 -- name: "2.2.6 | Ensure HTTP Proxy Server is not enabled" +- name: "2.2.6 | Ensure HTTP Proxy Server is not enabled (Scored)" systemd: name: squid state: stopped @@ -121,7 +121,7 @@ - level1 - rule_2.2.6 -- name: "2.2.7 | Ensure Samba is not enabled" +- name: "2.2.7 | Ensure Samba is not enabled (Scored)" systemd: name: smb state: stopped @@ -134,7 +134,7 @@ - level1 - rule_2.2.7 -- name: "2.2.8 | Ensure IMAP and POP3 server is not enabled" +- name: "2.2.8 | Ensure IMAP and POP3 server is not enabled (Scored)" systemd: name: dovecot state: stopped diff --git a/tasks/section_3.yml b/tasks/section_3.yml index 61e915d..78227bb 100644 --- a/tasks/section_3.yml +++ b/tasks/section_3.yml @@ -473,32 +473,16 @@ - notimplemented - name: "3.6 | Disable IPv6 (Not Scored)" - block: - - name: "3.6 | Ensure permissions on bootloader config are configured" - stat: - path: /etc/grub2.cfg - register: grub_cfg - - - name: "3.6 | Ensure permissions on bootloader config are configured" - file: - path: "{{ grub_cfg.stat.lnk_source }}" - owner: root - group: root - mode: 0600 - when: - - grub_cfg.stat.exists and grub_cfg.stat.islnk - - - name: "3.6 | Ensure permissions on bootloader config are configured" - replace: - dest: /etc/default/grub - regexp: '(^GRUB_CMDLINE_LINUX\s*\=\s*)(?:")(.+)(? Date: Mon, 9 Nov 2020 12:45:46 +0400 Subject: [PATCH 08/30] Create Section_4 --- defaults/main.yml | 33 +++++++++++++++++++++++++++++++++ tasks/section_4.yml | 0 2 files changed, 33 insertions(+) create mode 100644 tasks/section_4.yml diff --git a/defaults/main.yml b/defaults/main.yml index b6a18af..74a3b57 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -129,6 +129,39 @@ rule_3_4_3_8: true # Ensure nftables rules are permanent rule_3_5: true # Ensure wireless interfaces are disabled rule_3_6: true # Ensure IPv6 is disabled +# Section 4 rules +rule_4_1_1_1: true # Ensure auditd is installed +rule_4_1_1_2: true # Ensure auditd service is enabled +rule_4_1_1_3: true # Ensure auditing for processes that start prior to auditd is enabled +rule_4_1_2_1: true # Ensure audit log storage size is configured +rule_4_1_2_2: true # Ensure audit logs are not automatically deleted +rule_4_1_2_3: true # Ensure system is disabled when audit logs are full +rule_4_1_3: true # Ensure changes to system administration scope (sudoers) is collected +rule_4_1_4: true # Ensure login and logout events are collected (Scored) +rule_4_1_5: true # Ensure session initiation information is collected (Scored) +rule_4_1_6: true # Ensure events that modify date and time information are collected +rule_4_1_7: true # Ensure events that modify the system's Mandatory Access Controls are collected +rule_4_1_8: true # Ensure events that modify the system's network environment are collected +rule_4_1_9: true # Ensure discretionary access control permission modification events are collected +rule_4_1_10: true # Ensure unsuccessful unauthorized file access attempts are collected +rule_4_1_11: true # Ensure events that modify user/group information are collected +rule_4_1_12: true # Ensure successful file system mounts are collected +rule_4_1_13: true # Ensure use of privileged commands is collected +rule_4_1_14: true # Ensure file deletion events by users are collected +rule_4_1_15: true # Ensure kernel module loading and unloading is collected +rule_4_1_16: true # Ensure system administrator actions (sudolog) are collected +rule_4_1_17: true # Ensure the audit configuration is immutable +rule_4_2_1_1: true # Ensure rsyslog is installed +rule_4_2_1_2: true # Ensure rsyslog Service is enabled +rule_4_2_1_3: true # Ensure rsyslog default file permissions 
configured +rule_4_2_1_4: true # Ensure logging is configured +rule_4_2_1_5: false # Ensure rsyslog is configured to send logs to a remote log host +rule_4_2_1_6: true # Ensure remote rsyslog messages are only accepted on designated log hosts +rule_4_2_2_1: true # Ensure journald is configured to send logs to rsyslog +rule_4_2_2_2: true # Ensure journald is configured to compress large log files +rule_4_2_2_3: true # Ensure journald is configured to write logfiles to persistent disk +rule_4_2_3: true # Ensure permissions on all logfiles are configured +rule_4_3: true # Ensure logrotate is configured ##################################################################### # 1.4.2 Bootloader password diff --git a/tasks/section_4.yml b/tasks/section_4.yml new file mode 100644 index 0000000..e69de29 From 7965c988b8f10c60ad66572e507ad3b915a1f9fe Mon Sep 17 00:00:00 2001 From: iquzart Date: Mon, 9 Nov 2020 12:46:16 +0400 Subject: [PATCH 09/30] Create Section_4 --- tasks/main.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 0ff0fb9..65d5013 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -40,4 +40,10 @@ become: true when: section_3 tags: - - section_3 \ No newline at end of file + - section_3 + +- include: section_4.yml + become: true + when: section_4 + tags: + - section_4 \ No newline at end of file From 6ae6ebdf45a028dde4767ba252b69624edb4920d Mon Sep 17 00:00:00 2001 
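Review bot: The comments on `rule_4_1_4` and `rule_4_1_5` carry a `(Scored)` suffix while none of the other section 4 entries do; drop it from those two or add the scored/not-scored marker to every line so the list reads consistently. `rule_4_2_1_5` is the only flag defaulting to `false`, which is justified only because it depends on a remote log host, so a trailing comment such as `# requires rsyslog_dest` would tell the reader why it differs.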
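Review bot: `when: section_4` refers to a variable that this commit does not define and that the section 4 defaults added in PATCH 08 do not contain either; unless `section_4` is set elsewhere in defaults/main.yml, the include fails with an undefined-variable error rather than being skipped. The new entry also keeps the deprecated `include` keyword; `- import_tasks: section_4.yml` is the current static form (the other section includes are outside this hunk, so I cannot tell whether they were already migrated). The file still ends without a trailing newline, as the `\ No newline at end of file` marker on both sides shows.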
From: iquzart Date: Mon, 9 Nov 2020 14:15:29 +0400 Subject: [PATCH 10/30] section_4 --- defaults/main.yml | 8 + handlers/main.yml | 11 +- tasks/section_1.yml | 1 + tasks/section_4.yml | 514 +++++++++++++++++++++++++++ templates/audit/rule_4_1_10.rules.j2 | 6 + templates/audit/rule_4_1_11.rules.j2 | 5 + templates/audit/rule_4_1_12.rules.j2 | 4 + templates/audit/rule_4_1_13.rules.j2 | 3 + templates/audit/rule_4_1_14.rules.j2 | 4 + templates/audit/rule_4_1_15.rules.j2 | 6 + templates/audit/rule_4_1_16.rules.j2 | 1 + templates/audit/rule_4_1_17.rules.j2 | 1 + templates/audit/rule_4_1_3.rules.j2 | 2 + templates/audit/rule_4_1_4.rules.j2 | 2 + templates/audit/rule_4_1_5.rules.j2 | 3 + templates/audit/rule_4_1_6.rules.j2 | 7 + templates/audit/rule_4_1_7.rules.j2 | 2 + templates/audit/rule_4_1_8.rules.j2 | 9 + templates/audit/rule_4_1_9.rules.j2 | 10 + 19 files changed, 598 insertions(+), 1 deletion(-) create mode 100644 templates/audit/rule_4_1_10.rules.j2 create mode 100644 templates/audit/rule_4_1_11.rules.j2 create mode 100644 templates/audit/rule_4_1_12.rules.j2 create mode 100644 templates/audit/rule_4_1_13.rules.j2 create mode 100644 templates/audit/rule_4_1_14.rules.j2 create mode 100644 templates/audit/rule_4_1_15.rules.j2 create mode 100644 templates/audit/rule_4_1_16.rules.j2 create mode 100644 templates/audit/rule_4_1_17.rules.j2 create mode 100644 templates/audit/rule_4_1_3.rules.j2 create mode 100644 templates/audit/rule_4_1_4.rules.j2 create mode 100644 templates/audit/rule_4_1_5.rules.j2 create mode 100644 templates/audit/rule_4_1_6.rules.j2 create mode 100644 templates/audit/rule_4_1_7.rules.j2 create mode 100644 templates/audit/rule_4_1_8.rules.j2 create mode 100644 templates/audit/rule_4_1_9.rules.j2 diff --git a/defaults/main.yml b/defaults/main.yml index 74a3b57..1089993 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -225,3 +225,11 @@ vartmp: # Firewall Configs firewall: firewalld # Firewall module (firewalld, nftable) + +# Log +logrotate: "daily" +rsyslog_dest: x.x.x.x +auditd: + admin_space_left_action: halt # Halts the system when the audit logs are ful + max_log_file_action: keep_logs # Handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs. + max_log_file: 10 # Configure the maximum size (MB of audit log file. diff --git a/handlers/main.yml b/handlers/main.yml index 8125801..404030e 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -12,5 +12,14 @@ - name: generate new grub config become: yes - command: grub2-mkconfig -o "{{ grub_cfg.stat.lnk_source }}" + command: grub2-mkconfig -o /boot/grub2/grub.cfg +- name: reload dconf + become: yes + command: dconf update + +- name: restart auditd + become: yes + service: + name: auditd + state: restarted diff --git a/tasks/section_1.yml b/tasks/section_1.yml index 1a42d92..ce7918e 100644 --- a/tasks/section_1.yml +++ b/tasks/section_1.yml @@ -828,6 +828,7 @@ when: - not rule_2_2_2 | bool - rule_1_8_2 + notify: reload dconf tags: - level1 - level2 diff --git a/tasks/section_4.yml b/tasks/section_4.yml index e69de29..486c467 100644 --- a/tasks/section_4.yml +++ b/tasks/section_4.yml 
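Review bot: `rsyslog_dest: x.x.x.x` is a placeholder that 4.2.1.5 in tasks/section_4.yml interpolates verbatim into `*.* @{{ rsyslog_dest }}`, so anyone who flips `rule_4_2_1_5` on without overriding it ends up with an unresolvable forwarding target in /etc/rsyslog.conf. Leaving the variable undefined, or documenting it as mandatory next to the rule flag, makes the misconfiguration fail loudly instead. The trailing comments also need `ful` → `full` and `(MB of audit log file.` → `(MB) of the audit log file.`.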
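Review bot: `command: grub2-mkconfig -o /boot/grub2/grub.cfg` hard-codes the BIOS location; on UEFI installs of RHEL 8 the config GRUB actually reads lives under `/boot/efi/EFI/redhat/grub.cfg`, so the regenerated file would not take effect there. The previous `{{ grub_cfg.stat.lnk_source }}` form was unreliable from a handler, but the symlink resolution it relied on can be kept by registering a `stat` of `/etc/grub2.cfg` and `/etc/grub2-efi.cfg` in a pre-task and passing the resolved path to the handler through a play variable.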
@@ -0,0 +1,514 @@ +- name: "4.1.1.1 | Ensure auditd is installed (Scored)" + yum: + name: + - "audit" + - "audit-libs" + state: present + when: + - rule_4_1_1_1 + tags: + - level1 + - level2 + - rule_4.1.1.1 + - section_4 + +- name: "4.1.1.2 | Ensure auditd service is enabled (Scored)" + systemd: + name: auditd + state: started + enabled: yes + when: + - rule_4_1_1_2 + tags: + - level2 + - auditd + - rule_4.1.1.2 + - section_4 + +- name: "4.1.1.3 | Ensure auditing for processes that start prior to auditd is enabled (Scored)" + replace: + dest: /etc/default/grub + regexp: '(^GRUB_CMDLINE_LINUX\s*\=\s*)(?:")(.+)(?/dev/null; done + register: priv_procs + changed_when: no + check_mode: no + when: + - rule_4_1_13 + tags: + - level2 + - auditd + - rule_4.1.13 + - section_4 + +- name: "4.1.13 | Ensure use of privileged commands is collected (Scored)" + template: + src: audit/rule_4_1_13.rules.j2 + dest: /etc/audit/rules.d/rule_4_1_13.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + - rule_4_1_13 + tags: + - level2 + - auditd + - rule_4.1.13 + - section_4 + +- name: "4.1.14 | Ensure file deletion events by users are collected (Scored)" + template: + src: audit/rule_4_1_14.rules.j2 + dest: /etc/audit/rules.d/rule_4_1_14.rules + owner: root + group: root + mode: 0600 + when: + - rule_4_1_14 + notify: restart auditd + tags: + - level2 + - auditd + - rule_4.1.14 + - section_4 + +- name: "4.1.15 | Ensure kernel module loading and unloading is collected (Scored)" + template: + src: audit/rule_4_1_15.rules.j2 + dest: /etc/audit/rules.d/rule_4_1_15.rules + owner: root + group: root + mode: 0600 + when: + - rule_4_1_15 + notify: restart auditd + tags: + - level2 + - auditd + - rule_4.1.15 + - section_4 + +- name: "4.1.16 | Ensure system administrator actions (sudolog) are collected (Scored)" + template: + src: audit/rule_4_1_16.rules.j2 + dest: /etc/audit/rules.d/rule_4_1_16.rules + owner: root + group: root + mode: 0600 + when: + - rule_4_1_16 + 
notify: restart auditd + tags: + - level2 + - auditd + - rule_4.1.16 + - section_4 + +- name: "4.1.17 | Ensure the audit configuration is immutable (Scored)" + template: + src: audit/rule_4_1_17.rules.j2 + dest: /etc/audit/rules.d/rule_4_1_17.rules + owner: root + group: root + mode: 0600 + when: + - rule_4_1_17 + notify: restart auditd + tags: + - level2 + - auditd + - rule_4.1.17 + - section_4 + + +- name: "4.2.1.1 | Ensure rsyslog is installed (Scored)" + dnf: + name: rsyslog + state: present + when: + - rule_4_2_1_1 + tags: + - level1 + - level2 + - rule_4.2.1.1 + - section_4 + +- name: "4.2.1.2 | Ensure rsyslog Service is enabled (Scored)" + systemd: + name: rsyslog + state: started + enabled: yes + when: + - rule_4_2_1_2 + tags: + - level1 + - level2 + - rule_4.2.1.2 + - section_4 + - notimplemented + +- name: "4.2.1.3 | Ensure rsyslog default file permissions configured (Scored)" + lineinfile: + dest: /etc/rsyslog.conf + regexp: '^\$FileCreateMode' + line: '$FileCreateMode 0640' + when: + - rule_4_2_1_3 + tags: + - level1 + - level2 + - rule_4.2.1.3 + - section_4 + +- name: "4.2.1.4 | Ensure logging is configured (Not Scored)" + command: /bin/true + changed_when: no + when: + - rule_4_2_1_4 + tags: + - level1 + - level2 + - rule_4.2.1.4 + - section_4 + +- name: "4.2.1.5 | Ensure rsyslog is configured to send logs to a remote log host (Scored)" + lineinfile: + dest: /etc/rsyslog.conf + insertbefore: '^$FileCreateMode 0640' + line: '*.* @{{ rsyslog_dest }}' + when: + - rule_4_2_1_5 + tags: + - level1 + - level2 + - rule_4.2.1.5 + - section_4 + +- name: "4.2.1.6 | Ensure remote rsyslog messages are only accepted on designated log hosts (Not Scored)" + command: /bin/true + changed_when: no + when: + - rule_4_2_1_6 + tags: + - level1 + - level2 + - rule_4.2.1.6 + - section_4 + - notimplemented + +- name: "4.2.2.1 | Ensure journald is configured to send logs to rsyslog (Scored)" + lineinfile: + dest: /etc/systemd/journald.conf + regexp: "^ForwardToSyslog" + line: 
"ForwardToSyslog=yes" + state: present + when: + - rule_4_2_2_1 + tags: + - level1 + - rule_4.2.2.1 + - section_4 + +- name: "4.2.2.2 | Ensure journald is configured to compress large log files (Scored)" + lineinfile: + dest: /etc/systemd/journald.conf + regexp: "^Compress" + line: "Compress=yes" + state: present + when: + - rule_4_2_2_2 + tags: + - level1 + - rule_4.2.2.2 + - section_4 + +- name: "4.2.2.3 | Ensure journald is configured to write logfiles to persistent disk (Scored)" + lineinfile: + dest: /etc/systemd/journald.conf + regexp: "^Storage" + line: "Storage=persistent" + state: present + when: + - rule_4_2_2_3 + tags: + - level1 + - rule_4.2.2.3 + - section_4 + +- name: "4.2.3 | Ensure permissions on all logfiles are configured (Scored)" + command: find /var/log -type f -exec chmod g-wx,o-rwx {} + + changed_when: no + failed_when: no + when: + - rule_4_2_3 + tags: + - level1 + - level2 + - rule_4.2.3 + - section_4 + +- name: "4.3 | Ensure logrotate is configured (Not Scored)" + block: + - name: "4.3 | Ensure logrotate is configured (Not Scored)" + find: + paths: /etc/logrotate.d/ + register: log_rotates + + - name: "4.3 | Ensure logrotate is configured (Not Scored)" + replace: + path: "{{ item.path }}" + regexp: '^(\s*)(daily|weekly|monthly|yearly)$' + replace: "\\1{{ logrotate }}" + with_items: + - "{{ log_rotates.files }}" + - { path: "/etc/logrotate.conf" } + tags: + - level1 + - level2 + - rule_4.3 + - section_4 diff --git a/templates/audit/rule_4_1_10.rules.j2 b/templates/audit/rule_4_1_10.rules.j2 new file mode 100644 index 0000000..17635e1 --- /dev/null +++ b/templates/audit/rule_4_1_10.rules.j2 
@@ -0,0 +1,6 @@ +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +{% if ansible_architecture == 'x86_64' -%} +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +{% endif %} diff --git a/templates/audit/rule_4_1_11.rules.j2 b/templates/audit/rule_4_1_11.rules.j2 new file mode 100644 index 0000000..358f999 --- /dev/null +++ b/templates/audit/rule_4_1_11.rules.j2 @@ -0,0 +1,5 @@ +-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity diff --git a/templates/audit/rule_4_1_12.rules.j2 b/templates/audit/rule_4_1_12.rules.j2 new file mode 100644 index 0000000..fa95efb --- /dev/null +++ b/templates/audit/rule_4_1_12.rules.j2 @@ -0,0 +1,4 @@ +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +{% if ansible_architecture == 'x86_64' -%} +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +{% endif %} diff --git a/templates/audit/rule_4_1_13.rules.j2 b/templates/audit/rule_4_1_13.rules.j2 new file mode 100644 index 0000000..a005b3c --- /dev/null +++ b/templates/audit/rule_4_1_13.rules.j2 @@ -0,0 +1,3 @@ +{% for proc in priv_procs.stdout_lines -%} +-a always,exit -F path={{ proc }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +{% endfor %} diff --git a/templates/audit/rule_4_1_14.rules.j2 b/templates/audit/rule_4_1_14.rules.j2 new file mode 100644 index 0000000..cd0018d --- /dev/null +++ b/templates/audit/rule_4_1_14.rules.j2 
@@ -0,0 +1,4 @@ +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +{% if ansible_architecture == 'x86_64' -%} +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +{% endif %} diff --git a/templates/audit/rule_4_1_15.rules.j2 b/templates/audit/rule_4_1_15.rules.j2 new file mode 100644 index 0000000..0d5cbaa --- /dev/null +++ b/templates/audit/rule_4_1_15.rules.j2 @@ -0,0 +1,6 @@ +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +{% if ansible_architecture == 'x86_64' -%} +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules +{% endif %} diff --git a/templates/audit/rule_4_1_16.rules.j2 b/templates/audit/rule_4_1_16.rules.j2 new file mode 100644 index 0000000..4dfe8b1 --- /dev/null +++ b/templates/audit/rule_4_1_16.rules.j2 @@ -0,0 +1 @@ +-w /var/log/sudo.log -p wa -k actions diff --git a/templates/audit/rule_4_1_17.rules.j2 b/templates/audit/rule_4_1_17.rules.j2 new file mode 100644 index 0000000..bc95eba --- /dev/null +++ b/templates/audit/rule_4_1_17.rules.j2 @@ -0,0 +1 @@ +-e 2 diff --git a/templates/audit/rule_4_1_3.rules.j2 b/templates/audit/rule_4_1_3.rules.j2 new file mode 100644 index 0000000..0ae21fd --- /dev/null +++ b/templates/audit/rule_4_1_3.rules.j2 @@ -0,0 +1,2 @@ +-w /etc/sudoers -p wa -k scope +-w /etc/sudoers.d/ -p wa -k scope diff --git a/templates/audit/rule_4_1_4.rules.j2 b/templates/audit/rule_4_1_4.rules.j2 new file mode 100644 index 0000000..dda9d98 --- /dev/null +++ b/templates/audit/rule_4_1_4.rules.j2 @@ -0,0 +1,2 @@ +-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins diff --git a/templates/audit/rule_4_1_5.rules.j2 b/templates/audit/rule_4_1_5.rules.j2 new file mode 100644 index 0000000..51d7254 --- /dev/null +++ b/templates/audit/rule_4_1_5.rules.j2 
@@ -0,0 +1,3 @@ +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins +-w /var/log/btmp -p wa -k logins diff --git a/templates/audit/rule_4_1_6.rules.j2 b/templates/audit/rule_4_1_6.rules.j2 new file mode 100644 index 0000000..0004fd1 --- /dev/null +++ b/templates/audit/rule_4_1_6.rules.j2 @@ -0,0 +1,7 @@ +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +{% if ansible_architecture == 'x86_64' -%} +-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +{% endif %} +-w /etc/localtime -p wa -k time-change diff --git a/templates/audit/rule_4_1_7.rules.j2 b/templates/audit/rule_4_1_7.rules.j2 new file mode 100644 index 0000000..640c21a --- /dev/null +++ b/templates/audit/rule_4_1_7.rules.j2 @@ -0,0 +1,2 @@ +-w /etc/selinux/ -p wa -k MAC-policy +-w /usr/share/selinux/ -p wa -k MAC-policy diff --git a/templates/audit/rule_4_1_8.rules.j2 b/templates/audit/rule_4_1_8.rules.j2 new file mode 100644 index 0000000..51b74dc --- /dev/null +++ b/templates/audit/rule_4_1_8.rules.j2 @@ -0,0 +1,9 @@ +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/sysconfig/network -p wa -k system-locale +-w /etc/sysconfig/network-scripts/ -p wa -k system-locale +{% if ansible_architecture == 'x86_64' -%} +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +{% endif %} diff --git a/templates/audit/rule_4_1_9.rules.j2 b/templates/audit/rule_4_1_9.rules.j2 new file mode 100644 index 0000000..601251d --- /dev/null +++ b/templates/audit/rule_4_1_9.rules.j2 
@@ -0,0 +1,10 @@ +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 +{% if ansible_architecture == 'x86_64' -%} +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +{% endif %} + + From 9f720c513e88516d14f088f88796d9a98cc92d94 Mon Sep 17 00:00:00 2001 From: iquzart Date: Mon, 9 Nov 2020 14:46:03 +0400 Subject: [PATCH 11/30] fixes section_4 --- handlers/main.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 404030e..3efa062 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -20,6 +20,9 @@ - name: restart auditd become: yes - service: - name: auditd - state: restarted + command: /sbin/service auditd restart + changed_when: no + check_mode: no + failed_when: no + args: + warn: no From bc75c8592a4505744c93c5c55afc99079d31f462 Mon Sep 17 00:00:00 2001 
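Review bot: The third `arch=b32` rule (`-S setxattr -S lsetxattr ...`) ends at `-F auid!=4294967295` without the `-k perm_mod` key that every other line in this template and its b64 counterpart carry, so those xattr events are recorded without the key and `ausearch -k perm_mod` will not return them. Append ` -k perm_mod` to that line. The two trailing blank `+` lines at the end of the template are harmless but can be dropped.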
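Review bot: `failed_when: no` on the `restart auditd` handler hides a restart that did not happen, which means newly templated rules under /etc/audit/rules.d may silently never be loaded; the `command` module already treats a non-zero exit as failure, so removing that line restores the signal. `changed_when: no` on a handler whose whole purpose is to restart a service is also misleading in play output. If the intent was only to tolerate check-mode runs, `check_mode: no` already covers that.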
From: iquzart Date: Wed, 11 Nov 2020 16:01:22 +0400 Subject: [PATCH 12/30] added Section_6 and Fixes --- defaults/main.yml | 168 ++++- files/etc/pam.d/password-auth | 26 + files/etc/pam.d/system-auth | 26 + handlers/main.yml | 12 +- tasks/main.yml | 14 +- tasks/section_1.yml | 60 +- tasks/section_3.yml | 14 +- tasks/section_4.yml | 29 +- tasks/section_5.yml | 747 ++++++++++++++++++++ tasks/section_6.yml | 521 ++++++++++++++ templates/etc/dm3/greeter.dconf-defaults.j2 | 3 + 11 files changed, 1573 insertions(+), 47 deletions(-) create mode 100644 files/etc/pam.d/password-auth create mode 100644 files/etc/pam.d/system-auth create mode 100644 tasks/section_5.yml create mode 100644 tasks/section_6.yml create mode 100644 templates/etc/dm3/greeter.dconf-defaults.j2 diff --git a/defaults/main.yml b/defaults/main.yml index 1089993..5784380 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -35,7 +35,7 @@ rule_1_1_19: true # Ensure nosuid option set on removable media partiti rule_1_1_20: true # Ensure noexec option set on removable media partitions rule_1_1_21: true # Ensure sticky bit is set on all world-writable directories rule_1_1_22: true # Diable automounting -rule_1_1_23: false # Disable USB Storage +rule_1_1_23: true # Disable USB Storage rule_1_2_1: true # Ensure Red Hat Subscription Manager connection is configured rule_1_2_2: true # Disable the RHNSD daemon rule_1_2_3: true # Ensure gpg keys are configured 
@@ -65,7 +65,7 @@ rule_1_8_1_4: true # Ensure permissions on /etc/motd are configured rule_1_8_1_5: true # Ensure permissions on /etc/issue are configured rule_1_8_1_6: true # Ensure permissions on /etc/issue.net are configured rule_1_8_2: true # Ensure GDM login banner is configured -rule_1_9: false # Ensure updates, patches, and additional security software are installed +rule_1_9: true # Ensure updates, patches, and additional security software are installed rule_1_10: true # Ensure system-wide crypto policy is not legacy rule_1_11: true # Ensure system-wide crypto policy is is FUTURE or FIPS --> not idempotent 
@@ -163,6 +163,90 @@ rule_4_2_2_3: true # Ensure journald is configured to write logfiles to rule_4_2_3: true # Ensure permissions on all logfiles are configured rule_4_3: true # Ensure logrotate is configured +# Section 5 rules +rule_5_1_1: true # Ensure cron daemon is enabled +rule_5_1_2: true # Ensure permissions on /etc/crontab are configured +rule_5_1_3: true # Ensure permissions on /etc/cron.hourly are configured +rule_5_1_4: true # Ensure permissions on /etc/cron.daily are configured +rule_5_1_5: true # Ensure permissions on /etc/cron.weekly are configured +rule_5_1_6: true # Ensure permissions on /etc/cron.monthly are configured +rule_5_1_7: true # Ensure permissions on /etc/cron.d are configured +rule_5_1_8: true # Ensure at/cron is restricted to authorized users +rule_5_2_1: true # Ensure permissions on /etc/ssh/sshd_config are configured +rule_5_2_2: true # Ensure SSH access is limited +rule_5_2_3: true # Ensure permissions on SSH private host key files are configured +rule_5_2_4: true # Ensure permissions on SSH public host key files are configured +rule_5_2_5: true # Ensure SSH LogLevel is appropriate +rule_5_2_6: true # Ensure SSH X11 forwarding is disabled +rule_5_2_7: true # Ensure SSH MaxAuthTries is set to 4 or less +rule_5_2_8: true # Ensure SSH IgnoreRhosts is enabled +rule_5_2_9: true # Ensure SSH HostbasedAuthentication is disabled +rule_5_2_10: true # Ensure SSH root login is disabled +rule_5_2_11: true # Ensure SSH PermitEmptyPasswords is disable +rule_5_2_12: true # Ensure SSH PermitUserEnvironment is disabled +rule_5_2_13: true # Ensure SSH Idle Timeout Interval is configured +rule_5_2_14: true # Ensure SSH LoginGraceTime is set to one minute or les +rule_5_2_15: true # Ensure SSH warning banner is configured +rule_5_2_16: true # Ensure SSH PAM is enabled +rule_5_2_17: true # Ensure SSH AllowTcpForwarding is disabled +rule_5_2_18: true # Ensure SSH MaxStartups is configured +rule_5_2_19: true # Ensure SSH MaxSessions is set to 4 or less 
+rule_5_2_20: true # Ensure system-wide crypto policy is not over-ridden +rule_5_3_1: true # Create custom authselect profile +rule_5_3_2: true # Select authselect profile +rule_5_3_3: true # Ensure authselect includes with-faillock +rule_5_4_1: true # Ensure password creation requirements are configured +rule_5_4_2: true # Ensure lockout for failed password attempts is configured +rule_5_4_3: true # Ensure password reuse is limited +rule_5_4_4: true # Ensure password hashing algorithm is SHA-512 +rule_5_5_1_1: true # Ensure password expiration is 365 days or less +rule_5_5_1_2: true # Ensure minimum days between password changes is 0 or more +rule_5_5_1_3: true # Ensure password expiration warning days is 14 or more +rule_5_5_1_4: true # Ensure inactive password lock is 90 days or less +rule_5_5_1_5: true # Ensure all users last password change date is in the past +rule_5_5_2: true # Ensure system accounts are secured +rule_5_5_3: true # Ensure default user shell timeout is 900 seconds or less +rule_5_5_4: true # Ensure default group for the root account is GID 0 +rule_5_5_5: true # Ensure default user umask is 027 or more restrictive +rule_5_6: true # Ensure root login is restricted to system console +rule_5_7: true # Ensure access to the su command is restricted - wheel group contains root + +# Section 6 rules +rule_6_1_1: true # Audit system file permissions +rule_6_1_2: true # Ensure permissions on /etc/passwd are configured +rule_6_1_3: true # Ensure permissions on /etc/shadow are configured +rule_6_1_4: true # Ensure permissions on /etc/group are configured +rule_6_1_5: true # Ensure permissions on /etc/gshadow are configured +rule_6_1_6: true # Ensure permissions on /etc/passwd- are configured +rule_6_1_7: true # Ensure permissions on /etc/shadow- are configured +rule_6_1_8: true # Ensure permissions on /etc/group- are configured +rule_6_1_9: true # Ensure permissions on /etc/gshadow- are configured +rule_6_1_10: true # Ensure no world writable files exist 
+rule_6_1_11: true # Ensure no unowned files or directories exist +rule_6_1_12: true # Ensure no ungrouped files or directories exist +rule_6_1_13: true # Audit SUID executables +rule_6_1_14: true # Audit SGID executables +rule_6_2_1: true # Ensure password fields are not empty +rule_6_2_2: true # Ensure no legacy '+' entries exist in /etc/passwd +rule_6_2_3: true # Ensure root PATH Integrity +rule_6_2_4: true # Ensure no legacy '+' entries exist in /etc/shadow +rule_6_2_5: true # Ensure no legacy '+' entries exist in /etc/group +rule_6_2_6: true # Ensure root is the only UID 0 account +rule_6_2_7: true # Ensure users' home directories permissions are 750 or more restrictive +rule_6_2_8: true # Ensure users own their home directories +rule_6_2_9: true # Ensure users' dot files are not group or world writable +rule_6_2_10: true # Ensure no users have .forward files +rule_6_2_11: true # Ensure no users have .netrc files +rule_6_2_12: true # Ensure users' .netrc Files are not group or world accessible +rule_6_2_13: true # Ensure no users have .rhosts files +rule_6_2_14: true # Ensure all groups in /etc/passwd exist in /etc/group +rule_6_2_15: true # Ensure no duplicate UIDs exist +rule_6_2_16: true # Ensure no duplicate GIDs exist +rule_6_2_17: true # Ensure no duplicate user names exist +rule_6_2_18: true # Ensure no duplicate group names exist +rule_6_2_19: true # Ensure shadow group is empt +rule_6_2_20: true # Ensure all users' home directories exist + ##################################################################### # 1.4.2 Bootloader password bootloader_password: p@ssw0rd @@ -201,6 +285,10 @@ warning_banner_motd: | Authorized uses only. All activity may be monitored and reported. # End Banner +# Warning Banner Content (GDM) +warning_banner: | + Authorized uses only. All activity may be monitored and reported. + # Warning Banner Content (issue, issue.net) warning_banner_issue: | WARNING: This system is for use of authorized users only. 
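Review bot: Several rule comments in this hunk are truncated: `rule_5_2_11` should read `… PermitEmptyPasswords is disabled`, `rule_5_2_14` `… one minute or less`, and `rule_6_2_19` `… shadow group is empty`. Not changed by this commit, but the context line `bootloader_password: p@ssw0rd` shows a fixed, guessable literal as the default GRUB password; that is a weak default worth reverting to a generated value or at least flagging as must-override in the role documentation.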
@@ -229,7 +317,83 @@ firewall: firewalld # Firewall module (firewalld, nftable) # Log logrotate: "daily" rsyslog_dest: x.x.x.x +audit_backlog_limit: 8192 auditd: admin_space_left_action: halt # Halts the system when the audit logs are ful max_log_file_action: keep_logs # Handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs. max_log_file: 10 # Configure the maximum size (MB of audit log file. + +# Section5 Variables +sshd: + clientalivecountmax: 3 + clientaliveinterval: 300 + ciphers: "aes256-ctr,aes192-ctr,aes128-ctr" + macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com" + logingracetime: 60 + #allowusers: + allowgroups: wheel + #denyusers: + #denygroups: + +password_policy: + max_days: 90 + min_days: 7 + warn_age: 7 + +# User Accounts +default_useradd: + INACTIVE: 30 # Number of days for inactive account disable + +# 5.2.5 +sshd_log_level: INFO +# 5.2.7 +sshd_max_auth_tries: 4 +# 5.2.13 +sshd_client_alive_interval: 300 +sshd_client_alive_count_max: 0 +# 5.2.14 +sshd_login_grace_time: 60 +# 5.2.18 +sshd_max_startups: "10:30:60" +# 5.2.19 +sshd_max_sessions: 4 +# 5.3.1 +authselect_profile: cis-profile +# 5.4.1 +pwquality: + minlen: 14 + dcredit: -1 + ucredit: -1 + ocredit: -1 + lcredit: -1 + #minclass: 4 +# 5.4.2 +pam_failllock_deny: 3 +pam_failllock_timeout: 900 +# 5.4.3 +password_reuse: 5 +# 5.5.1.1 +pass_max_days: 60 +# 5.5.1.2 +pass_min_days: 1 +# 5.5.1.3 +pass_warn_age: 7 +# 5.5.1.4 +useradd_inactive: 30 +# 5.1.8 +cron_allow_users: [] +at_allow_users: [] +# 5.5.2 +min_uid: 1000 +# 5.5.3 +shell_timeout: 900 +# 5.5.5 +umask: "027" + + +# 6.1.1 +audit_rpms_permissions_output: /var/tmp/audit_rpms.log +# 6.1.11 +user_unowned_file: nobody +# 6.1.12 +group_ungrouped_file: nobody \ No newline at end of file 
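Review bot: Several SSH and password settings are now declared twice with conflicting values: `sshd.clientalivecountmax: 3` beside `sshd_client_alive_count_max: 0`, `sshd.logingracetime: 60` beside `sshd_login_grace_time: 60`, `password_policy.max_days: 90` beside `pass_max_days: 60`, and `default_useradd.INACTIVE: 30` beside `useradd_inactive: 30`; whichever set the tasks read wins and the other silently misleads the operator. Keep one set (the flat names the visible section_5 tasks reference, e.g. `pass_max_days`, `useradd_inactive`) and drop the `sshd:`, `password_policy:` and `default_useradd:` mappings, or derive one from the other. `user_unowned_file` and `group_ungrouped_file` also do not match the names `rule_user_unowned_file` and `rule_group_ungrouped_file` that the new tasks/section_6.yml reads, so 6.1.11 and 6.1.12 will stop on an undefined variable; rename one side. Minor: the `# 5.1.8` pair sits between 5.5.1.4 and 5.5.2, `pam_failllock_*` carries a triple `l` every caller must reproduce, and the file ends without a trailing newline.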
diff --git a/files/etc/pam.d/password-auth b/files/etc/pam.d/password-auth
new file mode 100644
index 0000000..a3bf1a6
--- /dev/null
+++ b/files/etc/pam.d/password-auth
@@ -0,0 +1,26 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth required pam_env.so
+auth required pam_faillock.so preauth audit deny=5 unlock_time=900
+auth sufficient pam_unix.so nullok try_first_pass
+auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
+auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account required pam_permit.so
+
+password requisite pam_pwquality.so try_first_pass local_users_only retry=5 authtok_type=
+password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=6
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
diff --git a/files/etc/pam.d/system-auth b/files/etc/pam.d/system-auth
new file mode 100644
index 0000000..a3bf1a6
--- /dev/null
+++ b/files/etc/pam.d/system-auth
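Review bot: The `auth sufficient pam_unix.so nullok try_first_pass` line in the new password-auth file keeps `nullok`, which lets an account with an empty password field authenticate and undercuts the 6.2.1 task in tasks/section_6.yml that locks exactly those accounts; drop `nullok` from the auth line (and from the password line, where it is also unnecessary). The file hard-codes `deny=5 unlock_time=900` and `remember=6` while defaults/main.yml declares `pam_failllock_deny: 3`, `pam_failllock_timeout: 900` and `password_reuse: 5`, so two sources of truth now disagree; either render this file from those variables or remove the variables. The header `# This file is auto-generated. # User changes will be destroyed the next time authconfig is run.` is misleading once the role owns the file, and on RHEL 8 system-auth/password-auth are normally authselect-managed symlinks, so confirm how this file is meant to be deployed before it is copied over them. The identical copy under files/etc/pam.d/system-auth in the next hunk has the same issues.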
@@ -0,0 +1,26 @@ +#%PAM-1.0 +# This file is auto-generated. +# User changes will be destroyed the next time authconfig is run. +auth required pam_env.so +auth required pam_faillock.so preauth audit deny=5 unlock_time=900 +auth sufficient pam_unix.so nullok try_first_pass +auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 +auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900 +auth requisite pam_succeed_if.so uid >= 1000 quiet +auth required pam_deny.so + +account required pam_faillock.so +account required pam_unix.so +account sufficient pam_localuser.so +account sufficient pam_succeed_if.so uid < 1000 quiet +account required pam_permit.so + +password requisite pam_pwquality.so try_first_pass local_users_only retry=5 authtok_type= +password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=6 +password required pam_deny.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +-session optional pam_systemd.so +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so diff --git a/handlers/main.yml b/handlers/main.yml index 3efa062..73907c6 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -14,9 +14,9 @@ become: yes command: grub2-mkconfig -o /boot/grub2/grub.cfg -- name: reload dconf - become: yes - command: dconf update +#- name: reload dconf +# become: yes +# command: dconf update - name: restart auditd become: yes @@ -26,3 +26,9 @@ failed_when: no args: warn: no + +- name: restart sshd + become: yes + service: + name: sshd + state: restarted diff --git a/tasks/main.yml b/tasks/main.yml index 65d5013..9b89243 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
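Review bot: The `reload dconf` handler in the first handlers hunk is commented out rather than deleted, and the only `notify: reload dconf` is removed in this patch's section_1 1.8.2 hunk; delete the three `#` lines, or keep the handler live if the GDM dconf database still needs `dconf update` after the banner file is written. The new `restart sshd` handler restarts the daemon with no prior syntax check, so a malformed sshd_config written by a section_5 task takes the host's remote access down with it; run `command: sshd -t` as the step before `service: name: sshd state: restarted`, or put `validate: 'sshd -t -f %s'` on the task that edits the file. For configuration-only changes `state: reloaded` is sufficient and less disruptive.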
@@ -46,4 +46,16 @@ become: true when: section_4 tags: - - section_4 \ No newline at end of file + - section_4 + +- include: section_5.yml + become: true + when: section_5 + tags: + - section_5 + +- include: section_6.yml + become: true + when: section_6 + tags: + - section_6 \ No newline at end of file diff --git a/tasks/section_1.yml b/tasks/section_1.yml index ce7918e..074f36e 100644 --- a/tasks/section_1.yml +++ b/tasks/section_1.yml @@ -1,7 +1,7 @@ --- - name: "1.1.1.1 | Ensure mounting of cramfs filesystems is disabled (Scored)" lineinfile: - dest: /etc/modprobe.d/CIS.conf + dest: /etc/modprobe.d/cis.conf regexp: "^(#)?install cramfs(\\s|$)" line: "install cramfs /bin/true" create: yes @@ -25,7 +25,7 @@ - name: "1.1.1.2 | Ensure mounting of vFAT filesystems is limited (Not Scored)" lineinfile: - dest: /etc/modprobe.d/CIS.conf + dest: /etc/modprobe.d/cis.conf regexp: "^(#)?install vfat(\\s|$)" line: "install vfat /bin/true" create: yes @@ -49,7 +49,7 @@ - name: "1.1.1.3 | Ensure mounting of squashfs filesystems is disabled (Scored)" lineinfile: - dest: /etc/modprobe.d/CIS.conf + dest: /etc/modprobe.d/cis.conf regexp: "^(#)?install squashfs(\\s|$)" line: "install squashfs /bin/true" create: yes @@ -74,7 +74,7 @@ - name: "1.1.1.4 | Ensure mounting of udf filesystems is disabled (Scored)" lineinfile: - dest: /etc/modprobe.d/CIS.conf + dest: /etc/modprobe.d/cis.conf regexp: "^(#)?install udf(\\s|$)" line: "install udf /bin/true" create: yes @@ -118,7 +118,7 @@ owner: root group: root mode: 0644 - notify: systemd restart tmp.mount +# notify: systemd restart tmp.mount when: rule_1_1_3 or rule_1_1_4 or rule_1_1_5 
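Review bot: The new `- include: section_5.yml` and `- include: section_6.yml` entries use the bare `include` directive, which has been deprecated since Ansible 2.4 and is removed from recent ansible-core, so this file stops loading on an upgrade; use `- import_tasks: section_5.yml` (and the same for section_6) so `when`, `become` and `tags` keep applying to the imported tasks. The existing section_4 entry uses the same form, so it is consistent today but worth converting together. The file still ends without a trailing newline after the edit (`\ No newline at end of file`).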
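Review bot: Commenting out `notify: systemd restart tmp.mount` in the last section_1 hunk leaves dead code and means a changed tmp.mount unit is no longer applied until the next boot; if the handler is being retired, delete the line and the handler together, otherwise keep the notify. The task that writes the unit starts above the hunk, so I cannot see what it changes. The `CIS.conf` to `cis.conf` rename in the other hunks is fine but leaves any existing `/etc/modprobe.d/CIS.conf` in place on hosts the role already configured, so both files end up active until a one-off cleanup removes the old one.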
@@ -165,19 +165,21 @@ 1.1.9 | Ensure nosuid option set on /var/tmp partition (Scored)\n 1.1.10 | Ensure noexec option set on /var/tmp partition (Scored)" mount: - name: /var/tmp - src: "{{ vartmp['source'] }}" - state: present - fstype: "{{ vartmp['fstype'] }}" - opts: "{{ vartmp['opts'] }}" + name: "/var/tmp" + src: "{{ item.device }}" + state: mounted + fstype: "{{ item.fstype }}" + opts: "defaults{% if rule_1_1_8 %},nodev{% endif %}{% if rule_1_1_9 %},nosuid{% endif %}{% if rule_1_1_10 %},noexec{% endif %}" + with_items: "{{ ansible_mounts }}" when: - - rule_1_1_8 - - rule_1_1_9 - - rule_1_1_10 + - item.mount == "/var/tmp" + - rule_1_1_7 + - rule_1_1_8 or rule_1_1_9 or rule_1_1_10 tags: - level1 - scored - patch + - rule_1.1.7 - rule_1.1.8 - rule_1.1.9 - rule_1.1.10 @@ -330,8 +332,15 @@ - rule_1.1.22 - name: "1.1.23 | Disable USB Storage (Scored)" - command: rmmod usb-storage - ignore_errors: yes + lineinfile: + dest: /etc/modprobe.d/cis.conf + regexp: "^(#)?\\s*install\\s+usb-storage(\\s*|$)" + line: "install usb-storage /bin/true" + state: present + owner: root + group: root + mode: 0644 + create: true when: - rule_1_1_23 tags: 
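Review bot: The new `opts:` value is rebuilt from `defaults` plus the three conditional flags, so any option already present on the /var/tmp entry (for example `noatime` or a manually set `nosuid`) is dropped when the task rewrites fstab; build on `{{ item.options }}` instead, or document that the role owns the whole option string. Looping `with_items: "{{ ansible_mounts }}"` and filtering with `item.mount == "/var/tmp"` prints one skipped item per mountpoint; `with_items: "{{ ansible_mounts | selectattr('mount', 'equalto', '/var/tmp') | list }}"` keeps the loop to the one entry. When /var/tmp is not a separate mount the task silently does nothing, so 1.1.7 is never surfaced as failing; a `debug`/`assert` on the filtered list would make that visible.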
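Review bot: The 1.1.23 hunk replaces `rmmod usb-storage` with the modprobe `install usb-storage /bin/true` line, which only blocks future loads; a module that is already loaded stays active until reboot. Keep a follow-up `command: modprobe -r usb-storage` with `failed_when: false`, run only when the `lineinfile` result is changed, so the control takes effect in the same run. The regexp `"^(#)?\\s*install\\s+usb-storage(\\s*|$)"` is fine, though `(\\s|$)` would match the 1.1.1.x entries' style in the same file.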
@@ -809,26 +818,15 @@ - rule_1.8.1.6 - name: "1.8.2 | Ensure GDM login banner is configured (Scored)" - lineinfile: - dest: "{{ item.file }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - state: present - create: yes + template: + src: etc/dm3/greeter.dconf-defaults.j2 + dest: /etc/dm3/greeter.dconf-defaults owner: root group: root mode: 0644 - with_items: - - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } - - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } - - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='Authorized uses only. All activity may be monitored and reported.'" } - when: - - not rule_2_2_2 | bool + when: + - "'gdm' in ansible_facts.packages" - rule_1_8_2 - notify: reload dconf tags: - level1 - level2 diff --git a/tasks/section_3.yml b/tasks/section_3.yml index 78227bb..91b2c68 100644 --- a/tasks/section_3.yml +++ b/tasks/section_3.yml @@ -462,8 +462,18 @@ - section_3 - name: "3.5 | Ensure wireless interfaces are disabled (Scored)" - command: /bin/true - changed_when: no + block: + - name: 3.5 Ensure wireless interfaces are disabled (Scored) | Get status + shell: | + set -o pipefail + nmcli radio all | awk '$1 !~ /WIFI/{ print $2}' + register: wireless_status + changed_when: false + + - name: 3.5 Ensure wireless interfaces are disabled (Scored) + command: nmcli radio all off + when: + - wireless_status.stdout == 'enabled' when: - rule_3_5 tags: diff --git a/tasks/section_4.yml b/tasks/section_4.yml index 486c467..0864811 100644 --- a/tasks/section_4.yml 
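Review bot: The new template destination `/etc/dm3/greeter.dconf-defaults` is not a path GDM reads: the Debian/Ubuntu file is `/etc/gdm3/greeter.dconf-defaults` (note the `g`), and on RHEL 8 the login banner comes from a dconf profile under `/etc/dconf/profile/gdm` plus a keyfile under `/etc/dconf/db/gdm.d/`, which is exactly what the removed `lineinfile` entries wrote. Either point `dest:` at the dconf db location (the template's own path under templates/etc/dm3/ would move with it) or confirm the target distribution. Dropping `notify: reload dconf` also means that even a correctly placed keyfile is not compiled into the gdm database until `dconf update` runs, so the banner silently never appears. The `'gdm' in ansible_facts.packages` guard presumes `package_facts` ran earlier in the play; that is not visible from this hunk.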
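Review bot: The status check in the new 3.5 block uses `set -o pipefail` under `shell` without `args: executable: /bin/bash`, unlike the section_6 tasks in this series that set it; `/bin/sh` on RHEL happens to be bash, so it works, but add `args: executable: /bin/bash` for consistency and portability. The shell task has no `failed_when`, so on a host without NetworkManager (no `nmcli`) the whole play fails rather than reporting 3.5 as not applicable; `failed_when: false` plus a check on `wireless_status.rc` before the `nmcli radio all off` step keeps the block honest. `nmcli radio all off` also disables WWAN, which matches the benchmark remediation but is worth stating in the task name.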
+++ b/tasks/section_4.yml 
@@ -42,13 +42,26 @@ - section_4 - name: "4.1.1.4 | Ensure audit_backlog_limit is sufficient (Scored)" - replace: - dest: /etc/default/grub - regexp: '(^GRUB_CMDLINE_LINUX\s*\=\s*)(?:")(.+)(?{{ pam_failllock_timeout }}\g<2>' + with_items: + - password-auth + - system-auth + - name: 5.4.2 Ensure lockout for failed password attempts is configured (Scored) - deny + replace: + path: /etc/authselect/custom/{{ authselect_profile }}/password-auth + regexp: '^(\s*auth\s+required\s+pam_faillock.so\s+.*deny=)\S+(\s*.*)$' + replace: '\g<1>{{ pam_failllock_deny }}\g<2>' + when: + - rule_5_3_2 + - rule_5_3_3 + - rule_5_4_2 + tags: + - level1 + - rule_5.4 + - rule_5.4.2 + - section_5 + +- name: "5.4.3 | Ensure password reuse is limited (Scored)" + command: /bin/true + changed_when: false + tags: + - level1 + - rule_5.4 + - rule_5.4.3 + - section_5 + +- name: "5.4.4 | Ensure password hashing algorithm is SHA-512 (Scored)" + command: /bin/true + changed_when: false + when: + - rule_5_4_4 + tags: + - level1 + - rule_5.4.4 + - section_5 + +- name: "5.5.1.1 | Ensure password expiration is 365 days or less (Scored)" + lineinfile: + dest: /etc/login.defs + regexp: "^\\s*PASS_MAX_DAYS\\s*.*$" + line: 'PASS_MAX_DAYS {{ pass_max_days }}' + state: present + when: + - rule_5_5_1_1 + tags: + - level1 + - rule_5.5.1.1 + - section_5 + +- name: "5.5.1.2 | Ensure minimum days between password changes is 7 or more (Scored)" + lineinfile: + dest: /etc/login.defs + regexp: "^\\s*PASS_MIN_DAYS\\s*.*$" + line: 'PASS_MIN_DAYS {{ pass_min_days }}' + state: present + tags: + - level1 + - rule_5.5.1 + - rule_5.5.1.2 + - section_5 + +- name: "5.5.1.3 | Ensure password expiration warning days is 7 or more (Scored)" + lineinfile: + dest: /etc/login.defs + regexp: "^\\s*PASS_WARN_AGE\\s*.*$" + line: 'PASS_WARN_AGE {{ pass_warn_age }}' + state: present + when: + - rule_5_5_1_3 + tags: + - level1 + - rule_5.5.1.3 + - section_5 + +- name: "5.5.1.4 | Ensure inactive password lock is 30 days or less (Scored)" + 
lineinfile: + dest: /etc/default/useradd + regexp: "^\\s*INACTIVE\\s*=\\s*.*$" + line: 'INACTIVE={{ useradd_inactive }}' + state: present + when: + - rule_5_5_1_4 + tags: + - level1 + - rule_5.5.1 + - rule_5.5.1.4 + - section_5 + +- name: "5.5.1.5 | Ensure all users last password change date is in the past (Scored)" + command: /bin/true + changed_when: no + when: + - rule_5_5_1_5 + tags: + - level1 + - rule_5_5_1_5 + - section_5 + - notimplemented + +- name: "5.5.2 | Ensure system accounts are secured (Scored)" + block: + - name: 5.5.2 Ensure system accounts are secured (Scored) - find users + shell: "awk -F: '($3 < {{ min_uid }}) {print $1 }' /etc/passwd" + changed_when: false + check_mode: false + register: system_account + + - name: 5.5.2 Ensure system accounts are secured (Scored) - lock users + user: + name: "{{ item }}" + password_lock: true + with_items: + - "{{ system_account.stdout_lines }}" + when: + - item != "root" + + - name: 5.5.2 Ensure system accounts are secured (Scored) - set shell to nologin + user: + name: "{{ item }}" + shell: /sbin/nologin + with_items: + - "{{ system_account.stdout_lines }}" + when: + - item != "root" + - item != "sync" + - item != "shutdown" + - item != "halt" + when: + - rule_5_5_2 + tags: + - level1 + - rule_5.5.2 + - section_5 + - notimplemented + +- name: "5.5.3 | Ensure default user shell timeout is 900 seconds or less (Scored)" + lineinfile: + state: present + dest: "{{ item }}" + create: true + regexp: '^TMOUT=' + line: "TMOUT={{ shell_timeout }} ; export TMOUT" + with_items: + - /etc/bashrc + - /etc/profile + when: + - rule_5_5_4 + tags: + - level1 + - rule_5.5.4 + - section_5 + +- name: "5.5.4 | Ensure default group for the root account is GID 0 (Scored)" + user: + name: root + group: "0" + when: + - rule_5_5_4 + tags: + - level1 + - rule_5.5.4 + - section_5 + - notimplemented + +- name: "5.5.5 | Ensure default user umask is 027 or more restrictive (Scored)" + replace: + dest: "{{ item }}" + regexp: 
'^(\s*umask\s+)\d+$' + replace: '\g<1>{{ umask }}' + with_items: + - /etc/bashrc + - /etc/profile + when: + - rule_5_5_5 + tags: + - level1 + - rule_5.5.5 + - section_5 + +- name: "5.6 | Ensure root login is restricted to system console (Not Scored)" + command: /bin/true + changed_when: no + tags: + - level1 + - rule_5.6 + - section_5 + +- name: "5.7 | Ensure access to the su command is restricted (Scored)" + block: + - name: 5.7 Ensure access to the su command is restricted (Scored) | Config PAM + lineinfile: + state: present + dest: /etc/pam.d/su + regexp: '^(#)?auth\s+required\s+pam_wheel\.so' + line: 'auth required pam_wheel.so use_uid' + + - name: 5.7 Ensure access to the su command is restricted (Scored) | Add root to Wheel Group + user: + name: root + groups: wheel + tags: + - level1 + - rule_5.7 + - section_5 diff --git a/tasks/section_6.yml b/tasks/section_6.yml new file mode 100644 index 0000000..6cd84cc --- /dev/null +++ b/tasks/section_6.yml 
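Review bot: The 5.7 task `user: name: root groups: wheel` lacks `append: true`, so Ansible replaces root's entire supplementary group list with just `wheel` and silently removes it from every other group; add `append: true`. Several tasks in this hunk are not gated on their rule flag: 5.4.3, 5.5.1.2, 5.6 and 5.7 have no `when:`, and 5.5.3 is gated and tagged with `rule_5_5_4` / `rule_5.5.4` instead of `rule_5_5_3`, so the shell timeout and the root-GID rule cannot be toggled independently. The 5.5.3 `lineinfile` writes `TMOUT={{ shell_timeout }} ; export TMOUT`, which any user can override in their own profile; `readonly TMOUT={{ shell_timeout }} ; export TMOUT` is the benchmark wording. The start of this hunk (everything before 5.4.2) is garbled on the page, so only the tasks from 5.4.2 onward were reviewed.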
@@ -0,0 +1,521 @@ +--- + +- name: Get users accounts + command: "awk -F: '{print $1}' /etc/passwd" + register: users + changed_when: false + tags: + - notscored + - level2 + - section_6 + + +- name: 6.1.1 Audit system file permissions (Not Scored) + cron: + name: CIS 6.1.1 Audit system file permissions + weekday: "*" + minute: "0" + hour: "3" + user: root + job: "rpm -Va --nomtime --nosize --nomd5 --nolinkto > {{ audit_rpms_permissions_output }}" + when: + - rule_6_1_1 + tags: + - notscored + - level2 + - section_6 + +- name: 6.1.2 Ensure permissions on /etc/passwd are configured (Scored) + file: + dest: /etc/passwd + owner: root + group: root + mode: 0644 + when: + - rule_6_1_2 + tags: + - scored + - level1 + - section_6 + +- name: 6.1.3 Ensure permissions on /etc/shadow are configured (Scored) + file: + dest: /etc/shadow + owner: root + group: root + mode: 0640 + when: + - rule_6_1_3 + tags: + - scored + - level1 + - section_6 + +- name: 6.1.4 Ensure permissions on /etc/group are configured (Scored) + file: + dest: /etc/group + owner: root + group: root + mode: 0644 + when: + - rule_6_1_4 + tags: + - scored + - level1 + - section_6 + +- name: 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored) + file: + dest: /etc/gshadow + owner: root + group: root + mode: 0640 + when: + - rule_6_1_5 + tags: + - scored + - level1 + - section_6 + +- name: 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored) + file: + dest: /etc/passwd- + owner: root + group: root + mode: 0600 + when: + - rule_6_1_6 + tags: + - scored + - level1 + - section_6 + +- name: 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored) + file: + dest: /etc/shadow- + owner: root + group: root + mode: 0600 + when: + - rule_6_1_7 + tags: + - scored + - level1 + - section_6 + +- name: 6.1.8 Ensure permissions on /etc/group- are configured (Scored) + file: + dest: /etc/group- + owner: root + group: root + mode: 0644 + when: + - rule_6_1_8 + tags: + - scored + - level1 + - 
section_6 + +- name: 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored) + file: + dest: /etc/gshadow- + owner: root + group: root + mode: 0640 + when: + - rule_6_1_9 + tags: + - scored + - level1 + - section_6 + +- name: 6.1.10 Ensure no world writable files exist (Scored) + block: + - name: 6.1.10 Ensure no world writable files exist (Scored) - find files + shell: | + set -o pipefail + df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 + args: + executable: /bin/bash + register: world_writable_files + changed_when: false + failed_when: false + + - name: 6.1.10 Ensure no world writable files exist (Scored) - fix permission + command: "chmod o-x '{{ item }}'" + args: + warn: false + when: + - world_writable_files.stdout_lines | length > 0 + with_items: + - "{{ world_writable_files.stdout_lines }}" + when: + - rule_6_1_10 + tags: + - scored + - level1 + - section_6 + +- name: 6.1.11 Ensure no unowned files or directories exist (Scored) + block: + - name: 6.1.11 Ensure no unowned files or directories exist (Scored) - find files + shell: | + set -o pipefail + df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser + args: + executable: /bin/bash + changed_when: false + failed_when: false + register: unowned_files + + - name: 6.1.11 Ensure no unowned files or directories exist (Scored) - fix permission + file: + path: "{{ item }}" + owner: "{{ rule_user_unowned_file }}" + when: + - unowned_files.stdout_lines | length > 0 + with_items: "{{ unowned_files.stdout_lines }}" + when: + - rule_6_1_11 + tags: + - scored + - level1 + - section_6 + +- name: 6.1.12 Ensure no ungrouped files or directories exist (Scored) + block: + - name: 6.1.12 Ensure no ungrouped files or directories exist (Scored) - find files + shell: | + set -o pipefail + df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup + args: + executable: /bin/bash + changed_when: false + failed_when: 
false + register: ungrouped_files + + - name: 6.1.12 Ensure no ungrouped files or directories exist (Scored) - fix permission + file: + path: "{{ item }}" + group: "{{ rule_group_ungrouped_file }}" + with_items: "{{ ungrouped_files.stdout_lines }}" + when: + - ungrouped_files.stdout_lines | length > 0 + when: + - rule_6_1_12 + tags: + - scored + - level1 + - section_6 + +- name: 6.1.13 Audit SUID executables (Not Scored) + shell: | + set -o pipefail + df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -4000 + args: + executable: /bin/bash + when: + - rule_6_1_13 + changed_when: false + failed_when: false + register: suid_files + tags: + - notscored + - level1 + - section_6 + +- name: 6.1.14 Audit SGID executables (Not Scored) + shell: | + set -o pipefail + df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -2000 + args: + executable: /bin/bash + when: + - rule_6_1_14 + changed_when: false + failed_when: false + register: sgid_files + tags: + - notscored + - level1 + - section_6 + +- name: 6.2.1 Ensure password fields are not empty (Scored) - find users + shell: | + set -o pipefail + getent shadow | grep -Po '^[^:]*(?=::)' + register: users_without_password + failed_when: false + changed_when: false + tags: + - scored + - level1 + - section_6 + +- name: 6.2.1 Ensure password fields are not empty (Scored) - lock password + user: + name: "{{ item }}" + password_lock: true + with_items: "{{ users_without_password.stdout_lines }}" + when: + - rule_6_2_1 + - users_without_password.stdout_lines | length > 0 + tags: + - scored + - level1 + - section_6 + +- name: 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored) + lineinfile: + dest: /etc/passwd + regexp: '^\+.*' + state: absent + when: + - rule_6_2_2 + tags: + - scored + - level1 + - section_6 + +- name: 6.2.3 Ensure root PATH Integrity (Scored) + command: /bin/true + changed_when: false + when: + - rule_6_2_3 + tags: + - scored + 
- level1 + - section_6 + - notimplmented + +- name: 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored) + lineinfile: + dest: /etc/shadow + regexp: '^\+.*' + state: absent + when: + - rule_6_2_4 + tags: + - scored + - level1 + - section_6 + +- name: 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored) + lineinfile: + dest: /etc/group + regexp: '^\+.*' + state: absent + when: + - rule_6_2_5 + tags: + - scored + - level1 + - section_6 + +- name: 6.2.6 Ensure root is the only UID 0 account (Scored) + block: + - name: 6.2.6 Ensure root is the only UID 0 account (Scored) - find users + shell: | + set -o pipefail + awk -F':' '($3 == 0) { print $1 }' /etc/passwd + register: users_uid_zero + changed_when: false + failed_when: false + + - name: 6.2.6 Ensure root is the only UID 0 account (Scored) - lock users + user: + name: "{{ item }}" + password_lock: true + with_items: "{{ users_uid_zero.stdout_lines }}" + when: + - item != 'root' + when: + - rule_6_2_6 + tags: + - scored + - level1 + - section_6 + +- name: 6.2.7 Ensure users' home directories permissions are 750 or more restrictive (Scored) + command: /bin/true + changed_when: false + when: + - rule_6_2_7 + tags: + - scored + - level1 + - section_6 + - notimplemented + +- name: 6.2.8 Ensure users own their home directories (Scored) + command: /bin/true + changed_when: false + when: + - rule_6_2_8 + tags: + - scored + - level1 + - section_6 + - notimplemented + +- name: 6.2.9 Ensure users' dot files are not group or world writable (Scored) + command: /bin/true + changed_when: false + when: + - rule_6_2_9 + tags: + - scored + - level1 + - section_6 + - notimplemented + +- name: 6.2.10 Ensure no users have .forward files (Scored) + file: + state: absent + dest: "~{{ item }}/.forward" + with_items: "{{ users }}" + when: + - rule_6_2_10 + tags: + - level1 + - scored + - section_6 + +- name: 6.2.11 Ensure no users have .netrc files (Scored) + file: + state: absent + dest: "~{{ item }}/.netrc" + 
with_items: "{{ users }}" + when: + - rule_6_2_11 + tags: + - scored + - level1 + - section_6 + +- name: 6.2.12 Ensure users' .netrc Files are not group or world accessible (Scored) + command: /bin/true + changed_when: false + when: + - rule_6_2_12 + tags: + - scored + - level1 + - section_6 + - notimplemented + +- name: 6.2.13 Ensure no users have .rhosts files (Scored) + file: + state: absent + dest: "~{{ item }}/.rhosts" + with_items: "{{ users }}" + when: + - rule_6_2_13 + tags: + - scored + - level1 + - section_6 + +- name: 6.2.14 Ensure all groups in /etc/passwd exist in /etc/group (Scored) + command: /bin/true + changed_when: false + when: + - rule_6_2_14 + tags: + - scored + - level1 + - section_6 + - notimplemented + +- name: 6.2.15 Ensure no duplicate UIDs exist (Scored) + block: + - name: Get uids + command: "awk -F: '{print $3}' /etc/passwd" + register: uids + changed_when: false + + - name: "6.2.15 Ensure no duplicate UIDs exist (Scored)" + shell: grep -cE "^[A-Za-z0-9_-]+:[A-Za-z0-9_-]+:{{ item }}:" /etc/passwd + register: grep_uid + changed_when: "grep_uid.stdout != '1'" + with_items: "{{ uids.stdout_lines }}" + when: + - rule_6_2_15 + tags: + - scored + - level1 + - section_6 + +- name: 6.2.16 Ensure no duplicate GIDs exist (Scored) + block: + - name: "6.2.16 Ensure no duplicate GIDs exist (Scored) | Get GIDs" + command: "awk -F: '{print $3}' /etc/group" + register: gids + changed_when: false + + - name: 6.2.16 Ensure no duplicate GIDs exist (Scored) + shell: grep -cE "^[A-Za-z0-9_-]+:x:{{ item }}:" /etc/group + register: grep_gid + changed_when: "grep_gid.stdout != '1'" + with_items: "{{ gids.stdout_lines }}" + when: + - rule_6_2_16 + tags: + - scored + - level1 + - section_6 + +- name: 6.2.17 Ensure no duplicate user names exist (Scored) + command: grep -cE "^{{ item }}:" /etc/passwd + register: grep_user_name + changed_when: "grep_user_name.stdout != '1'" + with_items: "{{ users.stdout_lines }}" + when: + - rule_6_2_17 + tags: + - scored + - 
level1 + - section_6 + - notimplmented + +- name: 6.2.18 Ensure no duplicate group names exist (Scored) + block: + - name: "6.2.18 Ensure no duplicate group names exist (Scored) | Get groups" + command: "awk -F: '{print $1}' /etc/group" + register: group_names + changed_when: false + + - name: "6.2.18 Ensure no duplicate group names exist (Scored)" + command: grep -cE "^{{ item }}:" /etc/group + register: grep_group_name + changed_when: "grep_group_name.stdout != '1'" + with_items: "{{ group_names.stdout_lines }}" + when: + - rule_6_2_18 + tags: + - scored + - level1 + - section_6 + - rule_6.2.18 + +- name: 6.2.19 Ensure shadow group is empty (Scored) + command: /bin/true + changed_when: false + when: + - rule_6_2_19 + tags: + - scored + - level1 + - section_6 + - notimplmented + +- name: 6.2.20 Ensure all users' home directories exist (Scored) + command: /bin/true + changed_when: false + when: + - rule_6_2_20 + tags: + - scored + - level1 + - section_6 + - notimplmented \ No newline at end of file diff --git a/templates/etc/dm3/greeter.dconf-defaults.j2 b/templates/etc/dm3/greeter.dconf-defaults.j2 new file mode 100644 index 0000000..98679a6 --- /dev/null +++ b/templates/etc/dm3/greeter.dconf-defaults.j2 @@ -0,0 +1,3 @@ +[org/gnome/login-screen] +banner-message-enable=true +banner-message-text='{{ warning_banner }}' \ No newline at end of file From 523756c3520a665f953ca3a759a5d49d7cf817e4 Mon Sep 17 00:00:00 2001 From: iquzart Date: Wed, 11 Nov 2020 16:06:38 +0400 Subject: [PATCH 13/30] fix rule_1.11 --- tasks/section_1.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tasks/section_1.yml b/tasks/section_1.yml index 074f36e..cf6b9ab 100644 --- a/tasks/section_1.yml +++ b/tasks/section_1.yml 
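Review bot: The 6.1.10 remediation runs `chmod o-x` on each world-writable file, which removes the execute bit but leaves the file world-writable; the benchmark fix is `o-w`, and `file: path: "{{ item }}" mode: o-w` also avoids the quoting problem the `command` form has with filenames containing `'`. The 6.2.10, 6.2.11 and 6.2.13 tasks loop `with_items: "{{ users }}"` over the registered result dict rather than `users.stdout_lines` (which 6.2.17 uses correctly), so each runs once with a nonsense home path and deletes nothing. 6.1.11 and 6.1.12 read `rule_user_unowned_file` / `rule_group_ungrouped_file`, but defaults/main.yml defines `user_unowned_file` / `group_ungrouped_file`, so both tasks stop on an undefined variable. The tag `notimplmented` on 6.2.3, 6.2.17, 6.2.19 and 6.2.20 is misspelled relative to `notimplemented` elsewhere, so `--skip-tags notimplemented` will not skip them. The 6.1.1 cron sends root's `rpm -Va` output to `{{ audit_rpms_permissions_output }}`, which defaults to `/var/tmp/audit_rpms.log` in a world-writable directory; a root-owned location such as `/var/log/` is the safer place for a privileged cron's output.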
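Review bot: `banner-message-text='{{ warning_banner }}'` renders the block scalar `warning_banner: |` from defaults/main.yml, which keeps its trailing newline, so the quoted dconf value ends with a line break inside the single quotes and the keyfile does not parse; use `{{ warning_banner | trim }}` here or declare the variable with `|-`. A banner containing `'` would also break the quoting, so escape it or document the constraint. The new file has no trailing newline (`\ No newline at end of file`).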
@@ -850,14 +850,15 @@ - name: 1.10 | Ensure system-wide crypto policy is not legacy (Scored) | Check Current Crypto Policy slurp: src: /etc/crypto-policies/config - register: cryptopolicies + register: crypto_policy - name: 1.10 | Ensure system-wide crypto policy is not legacy (Scored) | Update if not to DEFAULT command: update-crypto-policies --set DEFAULT when: - - '"LEGACY" in cryptopolicies.content|b64decode' + - '"LEGACY" in crypto_policy.content|b64decode' when: - rule_1_10 + - rule_1_11 tags: - level1 - level2 @@ -871,6 +872,7 @@ update-crypto-policies when: - rule_1_11 + - crypto_policy.stdout == 'DEFAULT' or crypto_policy.stdout == 'LEGACY' tags: - level1 - level2 From f092f7db7db1811ed149d97da78d0e96ae9ee282 Mon Sep 17 00:00:00 2001 From: iquzart Date: Wed, 11 Nov 2020 16:14:39 +0400 Subject: [PATCH 14/30] fix rule_3.6 --- tasks/section_3.yml | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/tasks/section_3.yml b/tasks/section_3.yml index 91b2c68..7eaf57e 100644 --- a/tasks/section_3.yml +++ b/tasks/section_3.yml @@ -483,13 +483,26 @@ - notimplemented - name: "3.6 | Disable IPv6 (Not Scored)" - replace: - dest: /etc/default/grub - regexp: '(^GRUB_CMDLINE_LINUX\s*\=\s*)(?:")(.+)(? Date: Wed, 11 Nov 2020 16:18:40 +0400 Subject: [PATCH 15/30] fix rule_4.1.1.4 --- defaults/main.yml | 1 + tasks/section_4.yml | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 5784380..5f2b3c8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
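Review bot: The second hunk adds `crypto_policy.stdout == 'DEFAULT' or crypto_policy.stdout == 'LEGACY'` to the 1.11 `when`, but `crypto_policy` is registered from `slurp` in the first hunk, which returns `content` (base64) and no `stdout`, so the condition raises an undefined-attribute error instead of selecting; compare on `crypto_policy.content | b64decode | trim` as the 1.10 check already does. Adding `- rule_1_11` to the 1.10 block's `when` couples the two rules, so turning 1.11 off also disables the 1.10 LEGACY check; the 1.11 task should instead guard on `crypto_policy is defined`, or register its own read. The 1.11 task's body starts above the second hunk, so I cannot confirm what it runs besides `update-crypto-policies`.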
@@ -133,6 +133,7 @@ rule_3_6: true # Ensure IPv6 is disabled rule_4_1_1_1: true # Ensure auditd is installed rule_4_1_1_2: true # Ensure auditd service is enabled rule_4_1_1_3: true # Ensure auditing for processes that start prior to auditd is enabled +rule_4_1_1_4: true # Ensure audit_backlog_limit is sufficient rule_4_1_2_1: true # Ensure audit log storage size is configured rule_4_1_2_2: true # Ensure audit logs are not automatically deleted rule_4_1_2_3: true # Ensure system is disabled when audit logs are full diff --git a/tasks/section_4.yml b/tasks/section_4.yml index 0864811..36973ea 100644 --- a/tasks/section_4.yml +++ b/tasks/section_4.yml @@ -63,11 +63,11 @@ when: - grep_audit_backlog_grub.rc == 1 when: - - rule_4_1_1_3 + - rule_4_1_1_4 tags: - level2 - auditd - - rule_4.1.1.3 + - rule_4.1.1.4 - section_4 - name: "4.1.2.1 | Ensure audit log storage size is configured (Scored)" From 33dd540a1cc6e4141393ed9d89fb4ce42081c154 Mon Sep 17 00:00:00 2001 From: iquzart Date: Wed, 11 Nov 2020 16:35:10 +0400 Subject: [PATCH 16/30] fix rule_4.2.3 --- tasks/section_4.yml | 30 +++++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/tasks/section_4.yml b/tasks/section_4.yml index 36973ea..6606088 100644 --- a/tasks/section_4.yml +++ b/tasks/section_4.yml 
@@ -494,9 +494,33 @@ - section_4 - name: "4.2.3 | Ensure permissions on all logfiles are configured (Scored)" - command: find /var/log -type f -exec chmod g-wx,o-rwx {} + - changed_when: no - failed_when: no + block: + - name: "4.2.3 | Ensure permissions on all logfiles are configured (Scored) | Get files" + command: find /var/log -type f -perm /037 + register: logfile_wrong_permissions + failed_when: false + changed_when: false + + - name: "4.2.3 | Ensure permissions on all logfiles are configured (Scored) | Get directories" + command: find /var/log -type d -perm /026 + register: logdir_wrong_permissions + failed_when: false + changed_when: false + + - name: "4.2.3 | Ensure permissions on all logfiles are configured (Scored) | Set files permissions" + file: + dest: "{{ item }}" + mode: 0640 + with_items: "{{ logfile_wrong_permissions.stdout_lines }}" + when: logfile_wrong_permissions.stdout_lines | length > 0 + + - name: "4.2.3 | Ensure permissions on all logfiles are configured (Scored) | Set directories permissions" + file: + dest: "{{ item }}" + state: directory + mode: 0750 + with_items: "{{ logdir_wrong_permissions.stdout_lines }}" + when: logdir_wrong_permissions.stdout_lines | length > 0 when: - rule_4_2_3 tags: From 7bc59335f0849ea67c2b5855cf6666ca97ee1f2e Mon Sep 17 00:00:00 2001 From: iquzart Date: Wed, 11 Nov 2020 17:00:01 +0400 Subject: [PATCH 17/30] fix section-4 auditd --- templates/audit/rule_4_1_10.rules.j2 | 6 ++---- templates/audit/rule_4_1_11.rules.j2 | 2 +- templates/audit/rule_4_1_12.rules.j2 | 4 +--- templates/audit/rule_4_1_14.rules.j2 | 6 ++---- templates/audit/rule_4_1_15.rules.j2 | 4 +--- templates/audit/rule_4_1_4.rules.j2 | 2 +- templates/audit/rule_4_1_6.rules.j2 | 6 ++---- templates/audit/rule_4_1_8.rules.j2 | 7 ++----- templates/audit/rule_4_1_9.rules.j2 | 10 +++------- 9 files changed, 15 insertions(+), 32 deletions(-) 
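Review bot: The two `file:` tasks force `mode: 0640` / `mode: 0750` on whatever `find -perm /037` and `find -perm /026` return, which is broader than the `chmod g-wx,o-rwx` the removed command applied: any owner, setgid or sticky bits on a matched file or directory are overwritten too. `mode: g-wx,o-rwx` for the files and `mode: g-w,o-rwx` for the directories are accepted by the `file` module and preserve the remaining bits. Both `find` tasks set `failed_when: false`, so a find error yields an empty list and the rule looks compliant; checking `rc` would surface that.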
diff --git a/templates/audit/rule_4_1_10.rules.j2 b/templates/audit/rule_4_1_10.rules.j2 index 17635e1..4a283cb 100644 --- a/templates/audit/rule_4_1_10.rules.j2 +++ b/templates/audit/rule_4_1_10.rules.j2 @@ -1,6 +1,4 @@ --a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access --a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -{% if ansible_architecture == 'x86_64' -%} -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -{% endif %} +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access \ No newline at end of file diff --git a/templates/audit/rule_4_1_11.rules.j2 b/templates/audit/rule_4_1_11.rules.j2 index 358f999..f16cd78 100644 --- a/templates/audit/rule_4_1_11.rules.j2 +++ b/templates/audit/rule_4_1_11.rules.j2 @@ -2,4 +2,4 @@ -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity --w /etc/security/opasswd -p wa -k identity +-w /etc/security/opasswd -p wa -k identity \ No newline at end of file diff --git a/templates/audit/rule_4_1_12.rules.j2 b/templates/audit/rule_4_1_12.rules.j2 index fa95efb..eef2edd 100644 --- a/templates/audit/rule_4_1_12.rules.j2 +++ b/templates/audit/rule_4_1_12.rules.j2 
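Review bot: Every rewritten rules template in this series now ends with `\ No newline at end of file` (rule_4_1_10, rule_4_1_11, rule_4_1_12, rule_4_1_14, rule_4_1_15, rule_4_1_4 and rule_4_1_8); if these files are concatenated by `augenrules`, the last rule of one file runs into the first line of the next and the merged line is likely rejected by `auditctl`, so restore the trailing newline in each. Removing the `{% if ansible_architecture == 'x86_64' -%}` guard makes the `arch=b64` rules unconditional; that is correct for 64-bit hosts, but a 32-bit kernel rejects `-F arch=b64`, so confirm the role no longer targets such hosts or keep the guard. Moving the b64 line above the b32 line changes nothing functionally.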
@@ -1,4 +1,2 @@
--a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-{% if ansible_architecture == 'x86_64' -%}
 -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-{% endif %}
+-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
\ No newline at end of file
diff --git a/templates/audit/rule_4_1_14.rules.j2 b/templates/audit/rule_4_1_14.rules.j2
index cd0018d..4eb88be 100644
--- a/templates/audit/rule_4_1_14.rules.j2
+++ b/templates/audit/rule_4_1_14.rules.j2
@@ -1,4 +1,2 @@
--a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-{% if ansible_architecture == 'x86_64' -%}
--a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-{% endif %}
+-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
+-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
\ No newline at end of file
diff --git a/templates/audit/rule_4_1_15.rules.j2 b/templates/audit/rule_4_1_15.rules.j2
index 0d5cbaa..0ac9ba2 100644
--- a/templates/audit/rule_4_1_15.rules.j2
+++ b/templates/audit/rule_4_1_15.rules.j2
@@ -1,6 +1,4 @@
 -w /sbin/insmod -p x -k modules
 -w /sbin/rmmod -p x -k modules
 -w /sbin/modprobe -p x -k modules
-{% if ansible_architecture == 'x86_64' -%}
--a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-{% endif %}
+-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
\ No newline at end of file
diff --git a/templates/audit/rule_4_1_4.rules.j2 b/templates/audit/rule_4_1_4.rules.j2
index dda9d98..9ecab22 100644
--- a/templates/audit/rule_4_1_4.rules.j2
+++ b/templates/audit/rule_4_1_4.rules.j2
@@ -1,2 +1,2 @@
 -w /var/log/faillog -p wa -k logins
--w /var/log/lastlog -p wa -k logins
+-w /var/log/lastlog -p wa -k logins
\ No newline at end of file
diff --git a/templates/audit/rule_4_1_6.rules.j2 b/templates/audit/rule_4_1_6.rules.j2
index 0004fd1..7f79962 100644
--- a/templates/audit/rule_4_1_6.rules.j2
+++ b/templates/audit/rule_4_1_6.rules.j2
@@ -1,7 +1,5 @@
+-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
 -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
+-a always,exit -F arch=b64 -S clock_settime -k time-change
 -a always,exit -F arch=b32 -S clock_settime -k time-change
-{% if ansible_architecture == 'x86_64' -%}
--a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
--a always,exit -F arch=b64 -S clock_settime -k time-change
-{% endif %}
 -w /etc/localtime -p wa -k time-change
diff --git a/templates/audit/rule_4_1_8.rules.j2 b/templates/audit/rule_4_1_8.rules.j2
index 51b74dc..ef28c58 100644
--- a/templates/audit/rule_4_1_8.rules.j2
+++ b/templates/audit/rule_4_1_8.rules.j2
@@ -1,9 +1,6 @@
+-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
 -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
 -w /etc/issue -p wa -k system-locale
 -w /etc/issue.net -p wa -k system-locale
 -w /etc/hosts -p wa -k system-locale
--w /etc/sysconfig/network -p wa -k system-locale
--w /etc/sysconfig/network-scripts/ -p wa -k system-locale
-{% if ansible_architecture == 'x86_64' -%}
--a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-{% endif %}
+-w /etc/sysconfig/network -p wa -k system-locale
\ No newline at end of file
diff --git a/templates/audit/rule_4_1_9.rules.j2 b/templates/audit/rule_4_1_9.rules.j2
index 601251d..2bab6dd 100644
--- a/templates/audit/rule_4_1_9.rules.j2
+++ b/templates/audit/rule_4_1_9.rules.j2
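Review bot: The rewritten rule_4_1_8 template re-adds `-w /etc/sysconfig/network` but the removed `-w /etc/sysconfig/network-scripts/ -p wa -k system-locale` watch never comes back, so edits to the per-interface configuration directory are no longer recorded under the `system-locale` key. If the benchmark text this role follows still lists that directory the line should be restored after the `/etc/sysconfig/network` watch; if it was dropped on purpose, a `{# network-scripts/ watch intentionally omitted: <reason> #}` comment in the template would stop the next reader from re-adding it.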
@@ -1,10 +1,6 @@
--a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295
-{% if ansible_architecture == 'x86_64' -%}
 -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
 -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
 -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-{% endif %}
-
-
+-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
From 2dbe1c2a5abd9a1f3bf7a0d86a2da76cadf62ed8 Mon Sep 17 00:00:00 2001
From: iquzart
Date: Wed, 11 Nov 2020 18:01:32 +0400
Subject: [PATCH 18/30] fix rule 1.11
---
 defaults/main.yml | 142 ++++++++++++++++++++------------------------
 tasks/section_1.yml | 24 ++++----
 tasks/section_5.yml | 18 +++---
 3 files changed, 84 insertions(+), 100 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 5f2b3c8..79a573c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -67,7 +67,7 @@ rule_1_8_1_6: true # Ensure permissions on /etc/issue.net are configured rule_1_8_2: true # Ensure GDM login banner is configured rule_1_9: true # Ensure updates, patches, and additional security software are installed rule_1_10: true # Ensure system-wide crypto policy is not legacy -rule_1_11: true # Ensure system-wide crypto policy is is FUTURE or FIPS --> not idempotent +rule_1_11: true # Ensure system-wide crypto policy is is FUTURE or FIPS # Section 2 rules rule_2_1_1: true # Ensure xinetd is not installed 
@@ -216,40 +216,44 @@ rule_5_7: true # Ensure access to the su command is restricted - whe rule_6_1_1: true # Audit system file permissions rule_6_1_2: true # Ensure permissions on /etc/passwd are configured rule_6_1_3: true # Ensure permissions on /etc/shadow are configured -rule_6_1_4: true # Ensure permissions on /etc/group are configured -rule_6_1_5: true # Ensure permissions on /etc/gshadow are configured -rule_6_1_6: true # Ensure permissions on /etc/passwd- are configured -rule_6_1_7: true # Ensure permissions on /etc/shadow- are configured -rule_6_1_8: true # Ensure permissions on /etc/group- are configured -rule_6_1_9: true # Ensure permissions on /etc/gshadow- are configured -rule_6_1_10: true # Ensure no world writable files exist -rule_6_1_11: true # Ensure no unowned files or directories exist -rule_6_1_12: true # Ensure no ungrouped files or directories exist -rule_6_1_13: true # Audit SUID executables -rule_6_1_14: true # Audit SGID executables -rule_6_2_1: true # Ensure password fields are not empty -rule_6_2_2: true # Ensure no legacy '+' entries exist in /etc/passwd -rule_6_2_3: true # Ensure root PATH Integrity -rule_6_2_4: true # Ensure no legacy '+' entries exist in /etc/shadow -rule_6_2_5: true # Ensure no legacy '+' entries exist in /etc/group -rule_6_2_6: true # Ensure root is the only UID 0 account -rule_6_2_7: true # Ensure users' home directories permissions are 750 or more restrictive -rule_6_2_8: true # Ensure users own their home directories -rule_6_2_9: true # Ensure users' dot files are not group or world writable -rule_6_2_10: true # Ensure no users have .forward files -rule_6_2_11: true # Ensure no users have .netrc files -rule_6_2_12: true # Ensure users' .netrc Files are not group or world accessible -rule_6_2_13: true # Ensure no users have .rhosts files -rule_6_2_14: true # Ensure all groups in /etc/passwd exist in /etc/group -rule_6_2_15: true # Ensure no duplicate UIDs exist -rule_6_2_16: true # Ensure no duplicate GIDs exist 
-rule_6_2_17: true # Ensure no duplicate user names exist -rule_6_2_18: true # Ensure no duplicate group names exist -rule_6_2_19: true # Ensure shadow group is empt -rule_6_2_20: true # Ensure all users' home directories exist - -##################################################################### -# 1.4.2 Bootloader password +rule_6_1_4: true # Ensure permissions on /etc/group are configured +rule_6_1_5: true # Ensure permissions on /etc/gshadow are configured +rule_6_1_6: true # Ensure permissions on /etc/passwd- are configured +rule_6_1_7: true # Ensure permissions on /etc/shadow- are configured +rule_6_1_8: true # Ensure permissions on /etc/group- are configured +rule_6_1_9: true # Ensure permissions on /etc/gshadow- are configured +rule_6_1_10: true # Ensure no world writable files exist +rule_6_1_11: true # Ensure no unowned files or directories exist +rule_6_1_12: true # Ensure no ungrouped files or directories exist +rule_6_1_13: true # Audit SUID executables +rule_6_1_14: true # Audit SGID executables +rule_6_2_1: true # Ensure password fields are not empty +rule_6_2_2: true # Ensure no legacy '+' entries exist in /etc/passwd +rule_6_2_3: true # Ensure root PATH Integrity +rule_6_2_4: true # Ensure no legacy '+' entries exist in /etc/shadow +rule_6_2_5: true # Ensure no legacy '+' entries exist in /etc/group +rule_6_2_6: true # Ensure root is the only UID 0 account +rule_6_2_7: true # Ensure users' home directories permissions are 750 or more restrictive +rule_6_2_8: true # Ensure users own their home directories +rule_6_2_9: true # Ensure users' dot files are not group or world writable +rule_6_2_10: true # Ensure no users have .forward files +rule_6_2_11: true # Ensure no users have .netrc files +rule_6_2_12: true # Ensure users' .netrc Files are not group or world accessible +rule_6_2_13: true # Ensure no users have .rhosts files +rule_6_2_14: true # Ensure all groups in /etc/passwd exist in /etc/group +rule_6_2_15: true # Ensure no duplicate UIDs 
exist +rule_6_2_16: true # Ensure no duplicate GIDs exist +rule_6_2_17: true # Ensure no duplicate user names exist +rule_6_2_18: true # Ensure no duplicate group names exist +rule_6_2_19: true # Ensure shadow group is empt +rule_6_2_20: true # Ensure all users' home directories exist + +###################################################### + +############### Section Variables #################### + + +# Bootloader password bootloader_password: p@ssw0rd set_boot_pass: true @@ -273,7 +277,6 @@ selinux_state: enforcing selinux_policy: targeted # Time Synchronization -time_synchronization: chrony time_synchronization_servers: - 0.pool.ntp.org - 1.pool.ntp.org @@ -306,24 +309,23 @@ warning_banner_issue: | to law enforcement officials. # End Banner -vartmp: - source: /tmp - fstype: none - opts: "defaults,nodev,nosuid,noexec,bind" - enabled: no # Firewall Configs firewall: firewalld # Firewall module (firewalld, nftable) -# Log + +# Log Configs logrotate: "daily" -rsyslog_dest: x.x.x.x +rsyslog_dest: 192.168.122.10 + +# Audit Logs audit_backlog_limit: 8192 auditd: admin_space_left_action: halt # Halts the system when the audit logs are ful max_log_file_action: keep_logs # Handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs. max_log_file: 10 # Configure the maximum size (MB of audit log file. + # Section5 Variables sshd: clientalivecountmax: 3 
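Review bot: `rsyslog_dest: 192.168.122.10` turns the `x.x.x.x` placeholder into a concrete default, so any deployment that forgets to override it will forward its logs to that address; a role default should stay a value that fails fast, e.g. `rsyslog_dest: null` with an `assert` in the rsyslog task, rather than one that works but points at somebody else's collector. The unchanged context line `bootloader_password: p@ssw0rd` has the same problem in a worse form: a literal password shipped in `defaults/main.yml` is presumably what ends up in every host's bootloader config unless overridden, and it should default to unset and be supplied from a vault. The hunk also deletes `time_synchronization` and the whole `vartmp` mapping; if any task still reads them it now fails on an undefined variable, and this patch's diffstat (defaults, section_1, section_5) shows no corresponding task change.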
@@ -336,51 +338,33 @@ sshd: #denyusers: #denygroups: + +# Password Policies password_policy: - max_days: 90 - min_days: 7 - warn_age: 7 + max_days: 60 # 5.5.1.1 + min_days: 1 # 5.5.1.2 + warn_age: 7 # 5.5.1.3 -# User Accounts -default_useradd: - INACTIVE: 30 # Number of days for inactive account disable - -# 5.2.5 -sshd_log_level: INFO -# 5.2.7 -sshd_max_auth_tries: 4 -# 5.2.13 -sshd_client_alive_interval: 300 -sshd_client_alive_count_max: 0 -# 5.2.14 -sshd_login_grace_time: 60 -# 5.2.18 -sshd_max_startups: "10:30:60" -# 5.2.19 -sshd_max_sessions: 4 -# 5.3.1 -authselect_profile: cis-profile -# 5.4.1 -pwquality: - minlen: 14 +pwquality: # 5.4.1 + minlen: 8 dcredit: -1 ucredit: -1 ocredit: -1 lcredit: -1 - #minclass: 4 + +# User Accounts +user_account_policy: + inactive_days: 30 # 5.5.1.4 Number of days for inactive account password lock + +# Authselect +authselect_profile: cis-profile + + # 5.4.2 pam_failllock_deny: 3 pam_failllock_timeout: 900 -# 5.4.3 -password_reuse: 5 -# 5.5.1.1 -pass_max_days: 60 -# 5.5.1.2 -pass_min_days: 1 -# 5.5.1.3 -pass_warn_age: 7 -# 5.5.1.4 -useradd_inactive: 30 + + # 5.1.8 cron_allow_users: [] at_allow_users: [] diff --git a/tasks/section_1.yml b/tasks/section_1.yml index cf6b9ab..65e7688 100644 --- a/tasks/section_1.yml +++ b/tasks/section_1.yml 
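Review bot: `minlen: 8` under `pwquality:` lowers the default below the 14 the previous value carried and below what benchmark item 5.4.1 asks for, so a default run of the role now configures a weaker password-length policy than the rule it is named after; if 8 is a deliberate local choice it belongs in an inventory override, and the key's comment should say which value is compliant, e.g. `minlen: 14 # 5.4.1 requires 14 or more`. The same applies to `min_days: 1`, which relaxes the old default of 7 without a note. The hunk also removes `password_reuse`, `default_useradd` and the `sshd_*` scalars while the section_5 hunk in this patch only migrates the `pass_*`, `useradd_inactive` and pwquality references, so any task that still reads the removed names will fail with an undefined variable and is worth a grep before merging.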
@@ -847,15 +847,16 @@ - name: "1.10 | Ensure system-wide crypto policy is not legacy (Scored)" block: - - name: 1.10 | Ensure system-wide crypto policy is not legacy (Scored) | Check Current Crypto Policy - slurp: - src: /etc/crypto-policies/config - register: crypto_policy - - - name: 1.10 | Ensure system-wide crypto policy is not legacy (Scored) | Update if not to DEFAULT - command: update-crypto-policies --set DEFAULT + - name: "1.10 | Ensure system-wide crypto policy is not legacy (Scored) | Check Current Crypto Policy" + command: grep -E '^\s*(DEFAULT|FUTURE|FIPS)\s*$' /etc/crypto-policies/config + register: c_policy + changed_when: false + failed_when: false + + - name: "1.10 | Ensure system-wide crypto policy is not legacy (Scored)" + command: update-crypto-policies --set {{ crypto_policy }} when: - - '"LEGACY" in crypto_policy.content|b64decode' + - c_policy.stdout == 'LEGACY' when: - rule_1_10 - rule_1_11 @@ -864,15 +865,14 @@ - level2 - section_1 - rule_1.10 + - rule_1.11 - crypto - name: "1.11 | Ensure system-wide crypto policy is FUTURE or FIPS (Scored)" - shell: | - update-crypto-policies --set {{ crypto_policy }} - update-crypto-policies + command: update-crypto-policies --set {{ crypto_policy }} when: - rule_1_11 - - crypto_policy.stdout == 'DEFAULT' or crypto_policy.stdout == 'LEGACY' + - c_policy.stdout == 'DEFAULT' or c_policy.stdout == 'LEGACY' tags: - level1 - level2 diff --git a/tasks/section_5.yml b/tasks/section_5.yml index 5b77ece..9030b64 100644 --- a/tasks/section_5.yml +++ b/tasks/section_5.yml 
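Review bot: The new check `grep -E '^\s*(DEFAULT|FUTURE|FIPS)\s*$' /etc/crypto-policies/config` can never put `LEGACY` into `c_policy.stdout`, so the 1.10 remediation guarded by `c_policy.stdout == 'LEGACY'` is unreachable and a host on LEGACY is left as it is (its stdout is empty, which also fails the 1.11 condition `c_policy.stdout == 'DEFAULT' or c_policy.stdout == 'LEGACY'`). Read the policy name itself, e.g. `command: update-crypto-policies --show`, and keep both `when:` comparisons as written. Because `c_policy` is registered inside the 1.10 block, which only runs when `rule_1_10` and `rule_1_11` are both true, the standalone 1.11 task dereferences an undefined `c_policy` whenever `rule_1_10` is false; registering the check outside that block, or adding `c_policy is defined` to the 1.11 condition, avoids that. Both tasks' `tags:` lists continue outside the hunk.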
@@ -521,11 +521,11 @@ regexp: '^{{ item.key }}' line: '{{ item.key }} = {{ item.value }}' with_items: - - { key: 'minlen', value: '14' } - - { key: 'dcredit', value: '-1' } - - { key: 'ucredit', value: '-1' } - - { key: 'ocredit', value: '-1' } - - { key: 'lcredit', value: '-1' } + - { key: 'minlen', value: "{{ pwquality['minlen'] }}" } + - { key: 'dcredit', value: "{{ pwquality['dcredit'] }}" } + - { key: 'ucredit', value: "{{ pwquality['ucredit'] }}" } + - { key: 'ocredit', value: "{{ pwquality['ocredit'] }}" } + - { key: 'lcredit', value: "{{ pwquality['lcredit'] }}" } when: - rule_5_4_1 tags: @@ -581,7 +581,7 @@ lineinfile: dest: /etc/login.defs regexp: "^\\s*PASS_MAX_DAYS\\s*.*$" - line: 'PASS_MAX_DAYS {{ pass_max_days }}' + line: "PASS_MAX_DAYS {{ password_policy['max_days'] }}" state: present when: - rule_5_5_1_1 @@ -594,7 +594,7 @@ lineinfile: dest: /etc/login.defs regexp: "^\\s*PASS_MIN_DAYS\\s*.*$" - line: 'PASS_MIN_DAYS {{ pass_min_days }}' + line: "PASS_MIN_DAYS {{ password_policy['min_days'] }}" state: present tags: - level1 @@ -606,7 +606,7 @@ lineinfile: dest: /etc/login.defs regexp: "^\\s*PASS_WARN_AGE\\s*.*$" - line: 'PASS_WARN_AGE {{ pass_warn_age }}' + line: "PASS_WARN_AGE {{ password_policy['warn_age'] }}" state: present when: - rule_5_5_1_3 @@ -619,7 +619,7 @@ lineinfile: dest: /etc/default/useradd regexp: "^\\s*INACTIVE\\s*=\\s*.*$" - line: 'INACTIVE={{ useradd_inactive }}' + line: "INACTIVE={{ user_account_policy['inactive_days'] }}" state: present when: - rule_5_5_1_4 From a8a7788deca4093280ff195afda5014407b4e88c Mon Sep 17 00:00:00 2001 From: iquzart Date: Wed, 11 Nov 2020 18:14:12 +0400 Subject: [PATCH 19/30] fix audit template --- templates/audit/rule_4_1_4.rules.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/audit/rule_4_1_4.rules.j2 b/templates/audit/rule_4_1_4.rules.j2 index 9ecab22..dda9d98 100644 --- a/templates/audit/rule_4_1_4.rules.j2 +++ b/templates/audit/rule_4_1_4.rules.j2 
@@ -1,2 +1,2 @@ -w /var/log/faillog -p wa -k logins --w /var/log/lastlog -p wa -k logins \ No newline at end of file +-w /var/log/lastlog -p wa -k logins From 951d77a5df15829455f487e2bddef3d9bb076291 Mon Sep 17 00:00:00 2001 From: iquzart Date: Wed, 11 Nov 2020 18:46:26 +0400 Subject: [PATCH 20/30] fix rule 5.5.1.1 --- tasks/section_5.yml | 20 +++++++++++++++----- templates/audit/rule_4_1_10.rules.j2 | 2 +- templates/audit/rule_4_1_11.rules.j2 | 2 +- templates/audit/rule_4_1_12.rules.j2 | 2 +- templates/audit/rule_4_1_14.rules.j2 | 2 +- templates/audit/rule_4_1_15.rules.j2 | 2 +- templates/audit/rule_4_1_16.rules.j2 | 1 + templates/audit/rule_4_1_8.rules.j2 | 2 +- 8 files changed, 22 insertions(+), 11 deletions(-) diff --git a/tasks/section_5.yml b/tasks/section_5.yml index 9030b64..837842a 100644 --- a/tasks/section_5.yml +++ b/tasks/section_5.yml @@ -578,11 +578,21 @@ - section_5 - name: "5.5.1.1 | Ensure password expiration is 365 days or less (Scored)" - lineinfile: - dest: /etc/login.defs - regexp: "^\\s*PASS_MAX_DAYS\\s*.*$" - line: "PASS_MAX_DAYS {{ password_policy['max_days'] }}" - state: present + block: + - name: "5.5.1.1 | Ensure password expiration is 365 days or less (Scored)" + lineinfile: + dest: /etc/login.defs + regexp: "^\\s*PASS_MAX_DAYS\\s*.*$" + line: "PASS_MAX_DAYS {{ password_policy['max_days'] }}" + state: present + + - name: "SCORED | 5.5.1.1 | Ensure password expiration is 365 days or less (Scored)" + command: "awk -F: '{if($5 != {{ password_policy['max_days'] }}) print $1}' /etc/shadow" + register: users_exp_output + + - name: "SCORED | 5.5.1.1 | Ensure password expiration is 365 days or less (Scored)" + command: "chage --maxdays {{ password_policy['max_days'] }} {{ item }}" + with_items: "{{ users_exp_output.stdout_lines }}" when: - rule_5_5_1_1 tags: diff --git a/templates/audit/rule_4_1_10.rules.j2 b/templates/audit/rule_4_1_10.rules.j2 index 4a283cb..1a86703 100644 --- a/templates/audit/rule_4_1_10.rules.j2 
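Review bot: The new `awk -F: '{if($5 != …) print $1}' /etc/shadow` selects every account whose max-days field differs, including locked and system accounts whose password field is `!!` or `*` and whose field 5 is empty, so `chage --maxdays` is run against all of them on every play, and the lookup task, which has no `changed_when: false`, reports changed each run. Limit the selection to accounts that actually carry a password, `awk -F: '($2 !~ /^[!*]/ && $5 != {{ password_policy['max_days'] }}) {print $1}' /etc/shadow`, and give the lookup `changed_when: false` and `check_mode: false` so `users_exp_output.stdout_lines` is defined in check mode. The same pattern is repeated for 5.5.1.2 in patch 21 and 5.5.1.3 in patch 22 and should be fixed there too. The task's `tags:` list continues outside the hunk.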
+++ b/templates/audit/rule_4_1_10.rules.j2
@@ -1,4 +1,4 @@
 -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
 -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
--a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
\ No newline at end of file
+-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
diff --git a/templates/audit/rule_4_1_11.rules.j2 b/templates/audit/rule_4_1_11.rules.j2
index f16cd78..358f999 100644
--- a/templates/audit/rule_4_1_11.rules.j2
+++ b/templates/audit/rule_4_1_11.rules.j2
@@ -2,4 +2,4 @@
 -w /etc/passwd -p wa -k identity
 -w /etc/gshadow -p wa -k identity
 -w /etc/shadow -p wa -k identity
--w /etc/security/opasswd -p wa -k identity
\ No newline at end of file
+-w /etc/security/opasswd -p wa -k identity
diff --git a/templates/audit/rule_4_1_12.rules.j2 b/templates/audit/rule_4_1_12.rules.j2
index eef2edd..c70add1 100644
--- a/templates/audit/rule_4_1_12.rules.j2
+++ b/templates/audit/rule_4_1_12.rules.j2
@@ -1,2 +1,2 @@
 -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
--a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
\ No newline at end of file
+-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
diff --git a/templates/audit/rule_4_1_14.rules.j2 b/templates/audit/rule_4_1_14.rules.j2
index 4eb88be..39fedff 100644
--- a/templates/audit/rule_4_1_14.rules.j2
+++ b/templates/audit/rule_4_1_14.rules.j2
@@ -1,2 +1,2 @@
 -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
--a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
\ No newline at end of file
+-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
diff --git a/templates/audit/rule_4_1_15.rules.j2 b/templates/audit/rule_4_1_15.rules.j2
index 0ac9ba2..5fae54e 100644
--- a/templates/audit/rule_4_1_15.rules.j2
+++ b/templates/audit/rule_4_1_15.rules.j2
@@ -1,4 +1,4 @@
 -w /sbin/insmod -p x -k modules
 -w /sbin/rmmod -p x -k modules
 -w /sbin/modprobe -p x -k modules
--a always,exit -F arch=b64 -S init_module -S delete_module -k modules
\ No newline at end of file
+-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
diff --git a/templates/audit/rule_4_1_16.rules.j2 b/templates/audit/rule_4_1_16.rules.j2
index 4dfe8b1..e5d31c7 100644
--- a/templates/audit/rule_4_1_16.rules.j2
+++ b/templates/audit/rule_4_1_16.rules.j2
@@ -1 +1,2 @@
 -w /var/log/sudo.log -p wa -k actions
+
diff --git a/templates/audit/rule_4_1_8.rules.j2 b/templates/audit/rule_4_1_8.rules.j2
index ef28c58..63d590e 100644
--- a/templates/audit/rule_4_1_8.rules.j2
+++ b/templates/audit/rule_4_1_8.rules.j2
@@ -3,4 +3,4 @@
 -w /etc/issue -p wa -k system-locale
 -w /etc/issue.net -p wa -k system-locale
 -w /etc/hosts -p wa -k system-locale
--w /etc/sysconfig/network -p wa -k system-locale
\ No newline at end of file
+-w /etc/sysconfig/network -p wa -k system-locale
From 04c5b9e57998e44eb25c89800f49612dfc625c70 Mon Sep 17 00:00:00 2001
From: iquzart
Date: Wed, 11 Nov 2020 18:50:13 +0400
Subject: [PATCH 21/30] fix rule 5.5.1.2
---
 tasks/section_5.yml | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/tasks/section_5.yml b/tasks/section_5.yml
index 837842a..48b361d 100644
--- a/tasks/section_5.yml
+++ b/tasks/section_5.yml @@ -586,11 +586,11 @@ line: "PASS_MAX_DAYS {{ password_policy['max_days'] }}" state: present - - name: "SCORED | 5.5.1.1 | Ensure password expiration is 365 days or less (Scored)" + - name: "5.5.1.1 | Ensure password expiration is 365 days or less (Scored)" command: "awk -F: '{if($5 != {{ password_policy['max_days'] }}) print $1}' /etc/shadow" register: users_exp_output - - name: "SCORED | 5.5.1.1 | Ensure password expiration is 365 days or less (Scored)" + - name: "5.5.1.1 | Ensure password expiration is 365 days or less (Scored)" command: "chage --maxdays {{ password_policy['max_days'] }} {{ item }}" with_items: "{{ users_exp_output.stdout_lines }}" when: @@ -601,11 +601,21 @@ - section_5 - name: "5.5.1.2 | Ensure minimum days between password changes is 7 or more (Scored)" - lineinfile: - dest: /etc/login.defs - regexp: "^\\s*PASS_MIN_DAYS\\s*.*$" - line: "PASS_MIN_DAYS {{ password_policy['min_days'] }}" - state: present + block: + - name: "5.5.1.2 | Ensure minimum days between password changes is 7 or more (Scored)" + lineinfile: + dest: /etc/login.defs + regexp: "^\\s*PASS_MIN_DAYS\\s*.*$" + line: "PASS_MIN_DAYS {{ password_policy['min_days'] }}" + state: present + + - name: "5.5.1.2 | Ensure minimum days between password changes is 7 or more (Scored)" + command: "awk -F: '{if($4 != {{ password_policy['min_days'] }}) print $1}' /etc/shadow" + register: users_min_output + + - name: "5.5.1.2 | Ensure minimum days between password changes is 7 or more (Scored)" + command: "chage --mindays {{ password_policy['min_days'] }} {{ item }}" + with_items: "{{ users_min_output.stdout_lines }}" tags: - level1 - rule_5.5.1 From ed75a40f8013040896708ad237179208bfc856b2 Mon Sep 17 00:00:00 2001 From: iquzart Date: Wed, 11 Nov 2020 19:31:52 +0400 Subject: [PATCH 22/30] fix rule 5.5.1.[2-5] --- tasks/section_5.yml | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) 
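Review bot: The 5.5.1.2 task has no `when:` guard — the hunk goes straight from the `with_items: "{{ users_min_output.stdout_lines }}"` line to `tags:`, while the neighbouring 5.5.1.1 and 5.5.1.3 tasks are gated on `rule_5_5_1_1` and `rule_5_5_1_3` — so the `rule_5_5_1_2` toggle in defaults is never honoured and the `chage --mindays` loop runs on every host unconditionally; add `when: - rule_5_5_1_2` before `tags:` unless the guard sits outside the hunk. The awk selection over every `/etc/shadow` entry and the missing `changed_when: false` / `check_mode: false` on the lookup have the same consequences as in the 5.5.1.1 block from patch 20.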
diff --git a/tasks/section_5.yml b/tasks/section_5.yml index 48b361d..82e2ded 100644 --- a/tasks/section_5.yml +++ b/tasks/section_5.yml @@ -623,11 +623,21 @@ - section_5 - name: "5.5.1.3 | Ensure password expiration warning days is 7 or more (Scored)" - lineinfile: - dest: /etc/login.defs - regexp: "^\\s*PASS_WARN_AGE\\s*.*$" - line: "PASS_WARN_AGE {{ password_policy['warn_age'] }}" - state: present + block: + - name: "5.5.1.3 | Ensure password expiration warning days is 7 or more (Scored)" + lineinfile: + dest: /etc/login.defs + regexp: "^\\s*PASS_WARN_AGE\\s*.*$" + line: "PASS_WARN_AGE {{ password_policy['warn_age'] }}" + state: present + + - name: "5.5.1.3 | Ensure password expiration warning days is 7 or more (Scored)" + command: "awk -F: '{if($6 != {{ password_policy['warn_age'] }}) print $1}' /etc/shadow" + register: users_warn_output + + - name: "5.5.1.3 | Ensure password expiration warning days is 7 or more (Scored)" + command: "chage --warndays {{ password_policy['warn_age'] }} {{ item }}" + with_items: "{{ users_warn_output.stdout_lines }}" when: - rule_5_5_1_3 tags: From b94bb33e188fa919ee308b32fa9c4c4fc62b8592 Mon Sep 17 00:00:00 2001 From: iquzart Date: Wed, 11 Nov 2020 20:41:21 +0400 Subject: [PATCH 23/30] multiple fixes --- defaults/main.yml | 4 +- tasks/section_1.yml | 6 +-- tasks/section_5.yml | 23 +++++----- tasks/section_6.yml | 100 ++++++++++++++++++++++---------------------- 4 files changed, 67 insertions(+), 66 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 79a573c..6443383 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -11,7 +11,7 @@ section_6: true # Section 1 rules rule_1_1_1_1: true # Ensure mounting of cramfs filesystems is disabled -rule_1_1_1_2: true # Ensure mounting of vFAT filesystems is disabled +rule_1_1_1_2: false # Ensure mounting of vFAT filesystems is disabled rule_1_1_1_3: true # Ensure mounting of squashfs filesystems is disabled rule_1_1_1_4: true # Ensure mounting of udf filesystems is disabled rule_1_1_2: true # Ensure separate partition exists for /tmp | enable and start/restart tmp.mount @@ -203,7 +203,7 @@ rule_5_4_4: true # Ensure password hashing algorithm is SHA-512 rule_5_5_1_1: true # Ensure password expiration is 365 days or less rule_5_5_1_2: true # Ensure minimum days between password changes is 0 or more rule_5_5_1_3: true # Ensure password expiration warning days is 14 or more -rule_5_5_1_4: true # Ensure inactive password lock is 90 days or less +rule_5_5_1_4: false # Ensure inactive password lock is 90 days or less rule_5_5_1_5: true # Ensure all users last password change date is in the past rule_5_5_2: true # Ensure system accounts are secured rule_5_5_3: true # Ensure default user shell timeout is 900 seconds or less diff --git a/tasks/section_1.yml b/tasks/section_1.yml index 65e7688..46ef72e 100644 --- a/tasks/section_1.yml +++ b/tasks/section_1.yml @@ -97,7 +97,7 @@ - udf -- name: "1.1.2 | Ensure separate partition exists for /tmp | enable and start/restart tmp.mount (Scored)" +- name: "1.1.2 | Ensure separate partition exists for /tmp | Enable and start/restart tmp.mount (Scored)" systemd: name: tmp.mount daemon_reload: yes 
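Review bot: Flipping `rule_1_1_1_2` and `rule_5_5_1_4` to `false` silently disables two benchmark items for every consumer of the role, and neither the hunk nor the commit message ("multiple fixes") records why; both keys should carry the reason inline, e.g. `rule_1_1_1_2: false # Ensure mounting of vFAT filesystems is disabled (off by default, presumably because /boot/efi needs vfat on UEFI hosts)` and an equivalent note on `rule_5_5_1_4`, so an operator can decide whether to turn them back on. Without that, the defaults file reads as if the role still enforces both rules.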
@@ -569,13 +569,13 @@ - name: "1.5.3 | Ensure authentication required for single user mode (Scored)" block: - - name: "1.5.3 | Ensure authentication required for single user mode (Scored) - emergency" + - name: "1.5.3 | Ensure authentication required for single user mode (Scored) | Emergency" lineinfile: dest: /usr/lib/systemd/system/emergency.service regexp: '/sbin/sulogin' line: 'execstart=-/usr/lib/systemd/systemd-sulogin-shell rescue' - - name: "1.5.3 | Ensure authentication required for single user mode (Scored) - rescue" + - name: "1.5.3 | Ensure authentication required for single user mode (Scored) | Rescue" lineinfile: dest: /usr/lib/systemd/system/rescue.service regexp: '/sbin/sulogin' diff --git a/tasks/section_5.yml b/tasks/section_5.yml index 82e2ded..9648f88 100644 --- a/tasks/section_5.yml +++ b/tasks/section_5.yml @@ -160,7 +160,7 @@ - name: "5.2.2 | Ensure SSH Access is limited (Scored)" block: - - name: "5.2.2 | Ensure SSH access is limited - allowusers" + - name: "5.2.2 | Ensure SSH access is limited (Scored) | AllowUsers" lineinfile: state: present dest: /etc/ssh/sshd_config @@ -171,7 +171,7 @@ when: - "sshd['allowusers']|default('') != ''" - - name: "5.2.2 | Ensure SSH access is limited - allowgroups (Scored)" + - name: "5.2.2 | Ensure SSH access is limited (Scored) | AllowGroups" lineinfile: state: present dest: /etc/ssh/sshd_config @@ -182,7 +182,7 @@ when: - "sshd['allowgroups']|default('') != ''" - - name: "5.2.2 | Ensure SSH access is limited - denyusers (Scored)" + - name: "5.2.2 | Ensure SSH access is limited (Scored) | DenyUsers" lineinfile: state: present dest: /etc/ssh/sshd_config @@ -193,7 +193,7 @@ when: - "sshd['denyusers']|default('') != ''" - - name: "5.2.2 | Ensure SSH access is limited - denygroups (Scored)" + - name: "5.2.2 | Ensure SSH access is limited (Scored) | DenyGroups" lineinfile: state: present dest: /etc/ssh/sshd_config 
@@ -473,13 +473,13 @@ - name: "5.3.1 | Create custom authselect profile (Scored)" block: - - name: 5.3.1 Create custom authselect profile (Scored) - search profile + - name: 5.3.1 Create custom authselect profile (Scored) | Check for profile shell: authselect list | grep custom/{{ authselect_profile }} register: authselect_list_profiles changed_when: false failed_when: false - - name: 5.3.1 Create custom authselect profile (Scored) - create profile + - name: 5.3.1 Create custom authselect profile (Scored) | Create profile command: authselect create-profile {{ authselect_profile }} -b sssd --symlink-meta when: - authselect_list_profiles.rc != 0 @@ -492,7 +492,7 @@ - name: "5.3.2 | Select authselect profile (Scored)" block: - - name: 5.3.2 Select authselect profile (Scored) - find current profile + - name: 5.3.2 Select authselect profile (Scored) | Get current profile shell: "authselect current | grep \"Profile ID\" | sed 's@Profile ID: @@'" register: authselect_current_profile changed_when: false @@ -543,7 +543,8 @@ with_items: - password-auth - system-auth - - name: 5.4.2 Ensure lockout for failed password attempts is configured (Scored) - deny + + - name: 5.4.2 Ensure lockout for failed password attempts is configured (Scored) | Faillock Deny replace: path: /etc/authselect/custom/{{ authselect_profile }}/password-auth regexp: '^(\s*auth\s+required\s+pam_faillock.so\s+.*deny=)\S+(\s*.*)$' @@ -672,13 +673,13 @@ - name: "5.5.2 | Ensure system accounts are secured (Scored)" block: - - name: 5.5.2 Ensure system accounts are secured (Scored) - find users + - name: 5.5.2 Ensure system accounts are secured (Scored) | Get users shell: "awk -F: '($3 < {{ min_uid }}) {print $1 }' /etc/passwd" changed_when: false check_mode: false register: system_account - - name: 5.5.2 Ensure system accounts are secured (Scored) - lock users + - name: 5.5.2 Ensure system accounts are secured (Scored) | Lock users user: name: "{{ item }}" password_lock: true 
@@ -687,7 +688,7 @@ when: - item != "root" - - name: 5.5.2 Ensure system accounts are secured (Scored) - set shell to nologin + - name: 5.5.2 Ensure system accounts are secured (Scored) | Set shell to nologin user: name: "{{ item }}" shell: /sbin/nologin diff --git a/tasks/section_6.yml b/tasks/section_6.yml index 6cd84cc..1cbe935 100644 --- a/tasks/section_6.yml +++ b/tasks/section_6.yml @@ -1,6 +1,6 @@ --- -- name: Get users accounts +- name: "Get users accounts" command: "awk -F: '{print $1}' /etc/passwd" register: users changed_when: false @@ -10,7 +10,7 @@ - section_6 -- name: 6.1.1 Audit system file permissions (Not Scored) +- name: "6.1.1 | Audit system file permissions (Not Scored)" cron: name: CIS 6.1.1 Audit system file permissions weekday: "*" @@ -25,7 +25,7 @@ - level2 - section_6 -- name: 6.1.2 Ensure permissions on /etc/passwd are configured (Scored) +- name: "6.1.2 | Ensure permissions on /etc/passwd are configured (Scored)" file: dest: /etc/passwd owner: root @@ -38,7 +38,7 @@ - level1 - section_6 -- name: 6.1.3 Ensure permissions on /etc/shadow are configured (Scored) +- name: "6.1.3 | Ensure permissions on /etc/shadow are configured (Scored)" file: dest: /etc/shadow owner: root @@ -51,7 +51,7 @@ - level1 - section_6 -- name: 6.1.4 Ensure permissions on /etc/group are configured (Scored) +- name: "6.1.4 | Ensure permissions on /etc/group are configured (Scored)" file: dest: /etc/group owner: root @@ -64,7 +64,7 @@ - level1 - section_6 -- name: 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored) +- name: "6.1.5 | Ensure permissions on /etc/gshadow are configured (Scored)" file: dest: /etc/gshadow owner: root @@ -77,7 +77,7 @@ - level1 - section_6 -- name: 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored) +- name: "6.1.6 | Ensure permissions on /etc/passwd- are configured (Scored)" file: dest: /etc/passwd- owner: root 
@@ -90,7 +90,7 @@ - level1 - section_6 -- name: 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored) +- name: "6.1.7 | Ensure permissions on /etc/shadow- are configured (Scored)" file: dest: /etc/shadow- owner: root @@ -103,7 +103,7 @@ - level1 - section_6 -- name: 6.1.8 Ensure permissions on /etc/group- are configured (Scored) +- name: "6.1.8 | Ensure permissions on /etc/group- are configured (Scored)" file: dest: /etc/group- owner: root @@ -116,7 +116,7 @@ - level1 - section_6 -- name: 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored) +- name: "6.1.9 | Ensure permissions on /etc/gshadow- are configured (Scored)" file: dest: /etc/gshadow- owner: root @@ -129,9 +129,9 @@ - level1 - section_6 -- name: 6.1.10 Ensure no world writable files exist (Scored) +- name: "6.1.10 | Ensure no world writable files exist (Scored)" block: - - name: 6.1.10 Ensure no world writable files exist (Scored) - find files + - name: "6.1.10 Ensure no world writable files exist (Scored) | Get files" shell: | set -o pipefail df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 @@ -141,7 +141,7 @@ changed_when: false failed_when: false - - name: 6.1.10 Ensure no world writable files exist (Scored) - fix permission + - name: "6.1.10 | Ensure no world writable files exist (Scored) | Set permission" command: "chmod o-x '{{ item }}'" args: warn: false @@ -156,9 +156,9 @@ - level1 - section_6 -- name: 6.1.11 Ensure no unowned files or directories exist (Scored) +- name: "6.1.11 | Ensure no unowned files or directories exist (Scored)" block: - - name: 6.1.11 Ensure no unowned files or directories exist (Scored) - find files + - name: "6.1.11 | Ensure no unowned files or directories exist (Scored) | Get files" shell: | set -o pipefail df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser 
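Review bot: The remediation under the renamed "6.1.10 | … Set permission" task runs `chmod o-x '{{ item }}'`, which strips world-execute and leaves the world-write bit that the preceding find (`-perm -0002`) selected, so the files stay world-writable and the control is never actually fixed. The line should read `command: "chmod o-w '{{ item }}'"`. The task's loop and conditions are outside the hunk.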
@@ -168,7 +168,7 @@ failed_when: false register: unowned_files - - name: 6.1.11 Ensure no unowned files or directories exist (Scored) - fix permission + - name: "6.1.11 | Ensure no unowned files or directories exist (Scored) | Set permission" file: path: "{{ item }}" owner: "{{ rule_user_unowned_file }}" @@ -182,9 +182,9 @@ - level1 - section_6 -- name: 6.1.12 Ensure no ungrouped files or directories exist (Scored) +- name: "6.1.12 | Ensure no ungrouped files or directories exist (Scored)" block: - - name: 6.1.12 Ensure no ungrouped files or directories exist (Scored) - find files + - name: "6.1.12 | Ensure no ungrouped files or directories exist (Scored) | Get files" shell: | set -o pipefail df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup @@ -194,7 +194,7 @@ failed_when: false register: ungrouped_files - - name: 6.1.12 Ensure no ungrouped files or directories exist (Scored) - fix permission + - name: "6.1.12 | Ensure no ungrouped files or directories exist (Scored) | Set permission" file: path: "{{ item }}" group: "{{ rule_group_ungrouped_file }}" @@ -208,7 +208,7 @@ - level1 - section_6 -- name: 6.1.13 Audit SUID executables (Not Scored) +- name: "6.1.13 | Audit SUID executables (Not Scored)" shell: | set -o pipefail df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -4000 @@ -224,7 +224,7 @@ - level1 - section_6 -- name: 6.1.14 Audit SGID executables (Not Scored) +- name: "6.1.14 | Audit SGID executables (Not Scored)" shell: | set -o pipefail df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -2000 @@ -240,7 +240,7 @@ - level1 - section_6 -- name: 6.2.1 Ensure password fields are not empty (Scored) - find users +- name: "6.2.1 | Ensure password fields are not empty (Scored) | Get users" shell: | set -o pipefail getent shadow | grep -Po '^[^:]*(?=::)' 
@@ -252,7 +252,7 @@ - level1 - section_6 -- name: 6.2.1 Ensure password fields are not empty (Scored) - lock password +- name: "6.2.1 | Ensure password fields are not empty (Scored) | Set password" user: name: "{{ item }}" password_lock: true @@ -265,7 +265,7 @@ - level1 - section_6 -- name: 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored) +- name: "6.2.2 | Ensure no legacy '+' entries exist in /etc/passwd (Scored)" lineinfile: dest: /etc/passwd regexp: '^\+.*' @@ -277,7 +277,7 @@ - level1 - section_6 -- name: 6.2.3 Ensure root PATH Integrity (Scored) +- name: "6.2.3 | Ensure root PATH Integrity (Scored)" command: /bin/true changed_when: false when: @@ -288,7 +288,7 @@ - section_6 - notimplmented -- name: 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored) +- name: "6.2.4 | Ensure no legacy '+' entries exist in /etc/shadow (Scored)" lineinfile: dest: /etc/shadow regexp: '^\+.*' @@ -300,7 +300,7 @@ - level1 - section_6 -- name: 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored) +- name: "6.2.5 | Ensure no legacy '+'' entries exist in /etc/group (Scored)" lineinfile: dest: /etc/group regexp: '^\+.*' @@ -312,9 +312,9 @@ - level1 - section_6 -- name: 6.2.6 Ensure root is the only UID 0 account (Scored) +- name: "6.2.6 | Ensure root is the only UID 0 account (Scored)" block: - - name: 6.2.6 Ensure root is the only UID 0 account (Scored) - find users + - name: "6.2.6 | Ensure root is the only UID 0 account (Scored) | Get users" shell: | set -o pipefail awk -F':' '($3 == 0) { print $1 }' /etc/passwd @@ -322,7 +322,7 @@ changed_when: false failed_when: false - - name: 6.2.6 Ensure root is the only UID 0 account (Scored) - lock users + - name: "6.2.6 | Ensure root is the only UID 0 account (Scored) | Lock users" user: name: "{{ item }}" password_lock: true 
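Review bot: The renamed 6.2.5 task name carries a stray quote, `'+''`, where the sibling 6.2.2 and 6.2.4 names use `'+'`, so play output shows `no legacy '+'' entries`. Suggest `- name: "6.2.5 | Ensure no legacy '+' entries exist in /etc/group (Scored)"`.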
@@ -336,7 +336,7 @@ - level1 - section_6 -- name: 6.2.7 Ensure users' home directories permissions are 750 or more restrictive (Scored) +- name: "6.2.7 | Ensure users' home directories permissions are 750 or more restrictive (Scored)" command: /bin/true changed_when: false when: @@ -347,7 +347,7 @@ - section_6 - notimplemented -- name: 6.2.8 Ensure users own their home directories (Scored) +- name: "6.2.8 | Ensure users own their home directories (Scored)" command: /bin/true changed_when: false when: @@ -358,7 +358,7 @@ - section_6 - notimplemented -- name: 6.2.9 Ensure users' dot files are not group or world writable (Scored) +- name: "6.2.9 | Ensure users' dot files are not group or world writable (Scored)" command: /bin/true changed_when: false when: @@ -369,7 +369,7 @@ - section_6 - notimplemented -- name: 6.2.10 Ensure no users have .forward files (Scored) +- name: "6.2.10 | Ensure no users have .forward files (Scored)" file: state: absent dest: "~{{ item }}/.forward" @@ -381,7 +381,7 @@ - scored - section_6 -- name: 6.2.11 Ensure no users have .netrc files (Scored) +- name: "6.2.11 | Ensure no users have .netrc files (Scored)" file: state: absent dest: "~{{ item }}/.netrc" @@ -393,7 +393,7 @@ - level1 - section_6 -- name: 6.2.12 Ensure users' .netrc Files are not group or world accessible (Scored) +- name: "6.2.12 | Ensure users' .netrc Files are not group or world accessible (Scored)" command: /bin/true changed_when: false when: @@ -404,7 +404,7 @@ - section_6 - notimplemented -- name: 6.2.13 Ensure no users have .rhosts files (Scored) +- name: "6.2.13 | Ensure no users have .rhosts files (Scored)" file: state: absent dest: "~{{ item }}/.rhosts" @@ -416,7 +416,7 @@ - level1 - section_6 -- name: 6.2.14 Ensure all groups in /etc/passwd exist in /etc/group (Scored) +- name: "6.2.14 | Ensure all groups in /etc/passwd exist in /etc/group (Scored)" command: /bin/true changed_when: false when: 
@@ -427,14 +427,14 @@ - section_6 - notimplemented -- name: 6.2.15 Ensure no duplicate UIDs exist (Scored) +- name: "6.2.15 | Ensure no duplicate UIDs exist (Scored)" block: - - name: Get uids + - name: Get UIDs command: "awk -F: '{print $3}' /etc/passwd" register: uids changed_when: false - - name: "6.2.15 Ensure no duplicate UIDs exist (Scored)" + - name: "6.2.15 | Ensure no duplicate UIDs exist (Scored)" shell: grep -cE "^[A-Za-z0-9_-]+:[A-Za-z0-9_-]+:{{ item }}:" /etc/passwd register: grep_uid changed_when: "grep_uid.stdout != '1'" @@ -446,14 +446,14 @@ - level1 - section_6 -- name: 6.2.16 Ensure no duplicate GIDs exist (Scored) +- name: "6.2.16 | Ensure no duplicate GIDs exist (Scored)" block: - - name: "6.2.16 Ensure no duplicate GIDs exist (Scored) | Get GIDs" + - name: "6.2.16 | Ensure no duplicate GIDs exist (Scored) | Get GIDs" command: "awk -F: '{print $3}' /etc/group" register: gids changed_when: false - - name: 6.2.16 Ensure no duplicate GIDs exist (Scored) + - name: "6.2.16 | Ensure no duplicate GIDs exist (Scored)" shell: grep -cE "^[A-Za-z0-9_-]+:x:{{ item }}:" /etc/group register: grep_gid changed_when: "grep_gid.stdout != '1'" @@ -465,7 +465,7 @@ - level1 - section_6 -- name: 6.2.17 Ensure no duplicate user names exist (Scored) +- name: "6.2.17 | Ensure no duplicate user names exist (Scored)" command: grep -cE "^{{ item }}:" /etc/passwd register: grep_user_name changed_when: "grep_user_name.stdout != '1'" 
@@ -478,14 +478,14 @@ - section_6 - notimplmented -- name: 6.2.18 Ensure no duplicate group names exist (Scored) +- name: "6.2.18 | Ensure no duplicate group names exist (Scored)" block: - - name: "6.2.18 Ensure no duplicate group names exist (Scored) | Get groups" + - name: "6.2.18 | Ensure no duplicate group names exist (Scored) | Get groups" command: "awk -F: '{print $1}' /etc/group" register: group_names changed_when: false - - name: "6.2.18 Ensure no duplicate group names exist (Scored)" + - name: "6.2.18 | Ensure no duplicate group names exist (Scored)" command: grep -cE "^{{ item }}:" /etc/group register: grep_group_name changed_when: "grep_group_name.stdout != '1'" @@ -498,7 +498,7 @@ - section_6 - rule_6.2.18 -- name: 6.2.19 Ensure shadow group is empty (Scored) +- name: "6.2.19 | Ensure shadow group is empty (Scored)" command: /bin/true changed_when: false when: @@ -509,7 +509,7 @@ - section_6 - notimplmented -- name: 6.2.20 Ensure all users' home directories exist (Scored) +- name: "6.2.20 | Ensure all users' home directories exist (Scored)" command: /bin/true changed_when: false when: From 32b83029a98df0a6ef818e1a828dae8f0e0f3db0 Mon Sep 17 00:00:00 2001 From: iquzart Date: Sun, 15 Nov 2020 14:37:37 +0400 Subject: [PATCH 24/30] fixes and efi support --- defaults/main.yml | 12 +++++----- handlers/main.yml | 2 +- tasks/main.yml | 23 +++++++++++++++++++ tasks/section_1.yml | 56 ++++++++------------------------------------- 4 files changed, 40 insertions(+), 53 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 6443383..e85b495 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -11,7 +11,7 @@ section_6: true # Section 1 rules rule_1_1_1_1: true # Ensure mounting of cramfs filesystems is disabled -rule_1_1_1_2: false # Ensure mounting of vFAT filesystems is disabled +rule_1_1_1_2: true # Ensure mounting of vFAT filesystems is disabled rule_1_1_1_3: true # Ensure mounting of squashfs filesystems is disabled rule_1_1_1_4: true # Ensure mounting of udf filesystems is disabled rule_1_1_2: true # Ensure separate partition exists for /tmp | enable and start/restart tmp.mount @@ -34,8 +34,8 @@ rule_1_1_18: true # Ensure nodev option set on removable media partitio rule_1_1_19: true # Ensure nosuid option set on removable media partitions rule_1_1_20: true # Ensure noexec option set on removable media partitions rule_1_1_21: true # Ensure sticky bit is set on all world-writable directories -rule_1_1_22: true # Diable automounting -rule_1_1_23: true # Disable USB Storage +rule_1_1_22: true # Disable automounting +rule_1_1_23: true # Disable USB Storage rule_1_2_1: true # Ensure Red Hat Subscription Manager connection is configured rule_1_2_2: true # Disable the RHNSD daemon rule_1_2_3: true # Ensure gpg keys are configured @@ -65,7 +65,7 @@ rule_1_8_1_4: true # Ensure permissions on /etc/motd are configured rule_1_8_1_5: true # Ensure permissions on /etc/issue are configured rule_1_8_1_6: true # Ensure permissions on /etc/issue.net are configured rule_1_8_2: true # Ensure GDM login banner is configured -rule_1_9: true # Ensure updates, patches, and additional security software are installed +rule_1_9: false # Ensure updates, patches, and additional security software are installed rule_1_10: true # Ensure system-wide crypto policy is not legacy rule_1_11: true # Ensure system-wide crypto policy is is FUTURE or FIPS 
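Review bot: `rule_1_9: false` switches off a scored control (installing updates, patches and security software) in the role defaults without any comment, while every neighbouring rule stays `true`, so a consumer reading defaults/main.yml cannot tell whether this is deliberate. If it is disabled because patching is owned by another process or needs repository access, say so next to the value, e.g. `rule_1_9: false  # Off by default: forces package updates; enable per environment`. Otherwise keep it `true` to match the rest of the section.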
@@ -333,8 +333,8 @@ sshd: ciphers: "aes256-ctr,aes192-ctr,aes128-ctr" macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com" logingracetime: 60 - #allowusers: - allowgroups: wheel + allowusers: iqbal + #allowgroups: wheel #denyusers: #denygroups: diff --git a/handlers/main.yml b/handlers/main.yml index 73907c6..c70a811 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -12,7 +12,7 @@ - name: generate new grub config become: yes - command: grub2-mkconfig -o /boot/grub2/grub.cfg + command: grub2-mkconfig -o {{ grub_config_file }} #- name: reload dconf # become: yes diff --git a/tasks/main.yml b/tasks/main.yml index 9b89243..8ea9481 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -17,12 +17,35 @@ tags: - always + + - name: "Set package facts" package_facts: manager: "auto" + tags: + - always - name: "Set service facts" service_facts: + tags: + - always + +- name: Check to see if we are booting with EFI or UEFI + set_fact: + booted_with_efi: "{{ ansible_mounts | selectattr('mount', 'equalto', '/boot/efi') | list | length > 0 }}" + tags: + - always + +- name: Set fact Grub config file + set_fact: + grub_config_file: "{{ '/boot/efi/EFI/{{ ansible_distribution | lower }}/grub.cfg' if booted_with_efi else '/boot/grub2/grub.cfg' }}" + tags: + - always + +- name: Print all available facts + ansible.builtin.debug: + var: grub_config_file + - include: section_1.yml become: true diff --git a/tasks/section_1.yml b/tasks/section_1.yml index 46ef72e..6183853 100644 --- a/tasks/section_1.yml +++ b/tasks/section_1.yml @@ -31,17 +31,7 @@ create: yes when: - rule_1_1_1_2 - tags: - - section_1 - - not_scored - - vfat - -- name: "1.1.1.2 | Remove FAT module" - modprobe: - name: vfat - state: absent - when: - - rule_1_1_1_2 + - not booted_with_efi tags: - section_1 - not_scored 
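Review bot: `allowusers: iqbal` in the sshd defaults hard-codes what appears to be the author's personal account into a published role, replacing the previous `allowgroups: wheel`; anyone applying the role unchanged gets an `AllowUsers iqbal` line and is locked out of SSH unless that account exists on their host. Role defaults should not carry environment-specific identities. Suggest restoring `#allowusers:` and `allowgroups: wheel` here and overriding per inventory instead.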
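Review bot: The `grub_config_file` fact nests `{{ ansible_distribution | lower }}` inside an outer `{{ … }}` expression, which Jinja does not support; the inner braces survive as literal text and the path only resolves if Ansible happens to re-template the value on later use, which ansible-lint flags and which is not guaranteed across versions. Build it by concatenation instead: `grub_config_file: "{{ ('/boot/efi/EFI/' ~ (ansible_distribution | lower) ~ '/grub.cfg') if booted_with_efi else '/boot/grub2/grub.cfg' }}"`. Two points to confirm on a UEFI host: the ESP directory on RHEL-derived distributions is not always the lowercased distribution name, and keying `booted_with_efi` on a `/boot/efi` mount is weaker than checking that `/sys/firmware/efi` exists.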
@@ -324,8 +314,8 @@ name: autofs enabled: no when: - - "'autofs.service' in ansible_facts.services" - rule_1_1_22 + - "'autofs.service' in ansible_facts.services" tags: - level1 - patch @@ -516,28 +506,17 @@ - patch - rule_1.4.2 -- name: "1.5.1 | Ensure permissions on bootloader config are configured (Scored)" - stat: - path: /etc/grub2.cfg - register: grub_cfg - when: - - rule_1_5_1 | bool - tags: - - level1 - - scored - - grub - - patch - - rule_1.5.1 - - name: "1.5.1 | Ensure permissions on bootloader config are configured (Scored)" file: - path: "{{ grub_cfg.stat.lnk_source }}" + path: "{{ item }}" owner: root group: root mode: 0600 when: - - grub_cfg.stat.exists and grub_cfg.stat.islnk - rule_1_5_1 + with_items: + - /boot/grub2/grubenv + - "{{ grub_config_file }}" tags: - level1 - scored @@ -545,6 +524,7 @@ - patch - rule_1.5.1 + - name: "1.5.2 | Ensure bootloader password is set (Scored)" block: - name: "1.5.2 | Ensure bootloader password is set (Scored) | Install Python Expect" @@ -655,30 +635,14 @@ - patch - rule_1.7.1.2 -############################################### -#- name: "1.7.1.3 | Ensure SELinux policy is configured (Scored)" -# selinux: -# conf: /etc/selinux/config -# policy: "{{ selinux_policy }}" -# state: "{{ selinux_state }}" -# debug: -# msg: "--> Not relevant" -# changed_when: no -# when: -# - rule_1_7_1_3 -# tags: -# - level2 -# - scored -# - selinux -# - patch -# - rule_1.7.1.3 -################################################ -- name: "1.7.1.4 | Ensure the SELinux state is enforcing (Scored)" +- name: "1.7.1.3 | Ensure the SELinux policy is configured (Scored)\n + 1.7.1.4 | Ensure the SELinux state is enforcing (Scored)" selinux: conf: /etc/selinux/config policy: "{{ selinux_policy }}" state: "{{ selinux_state }}" when: + - rule_1_7_1_3 - rule_1_7_1_4 tags: - level2 From c946e94bc775361caf794f1bcdf726617e089863 Mon Sep 17 00:00:00 2001 
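Review bot: The rewritten 1.5.1 task chmods a fixed `/boot/grub2/grubenv` alongside `{{ grub_config_file }}`, but on the UEFI path this commit introduces grubenv normally lives on the ESP next to grub.cfg (with `/boot/grub2/grubenv` at most a symlink), and the ESP is vfat, where a per-file `mode: 0600` cannot be applied; the `file` task will either fail on a missing path or report a change it could not make. Suggest deriving the second path from the same fact, e.g. `"{{ grub_config_file | dirname }}/grubenv"`, and on EFI systems enforcing the permission through the ESP mount options (fmask/umask 0077) rather than chmod. Worth verifying on a UEFI host before merging.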
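Review bot: Merging 1.7.1.3 and 1.7.1.4 into one `selinux` task guards it with both `rule_1_7_1_3` and `rule_1_7_1_4`, so setting either flag to false disables both the policy and the enforcing-state change even though they are separately selectable (assuming `rule_1_7_1_3` is defined in defaults, which this diff does not show). Either gate on `rule_1_7_1_3 or rule_1_7_1_4`, or keep two tasks, one setting `policy` and one setting `state`, each under its own flag. The embedded `\n` in the double-quoted task name is also awkward to grep in play output; a single-line name such as `"1.7.1.3/1.7.1.4 | Ensure SELinux policy is configured and state is enforcing (Scored)"` reads better.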
From: iquzart Date: Mon, 16 Nov 2020 21:21:11 +0400 Subject: [PATCH 25/30] multiple fixes --- defaults/main.yml | 6 +- handlers/main.yml | 6 +- tasks/main.yml | 15 ++--- tasks/section_1.yml | 24 +++++-- tasks/section_5.yml | 69 ++++++--------------- templates/etc/dm3/greeter.dconf-defaults.j2 | 3 - templates/etc/pam/template_authselect.j2 | 34 ++++++++++ 7 files changed, 80 insertions(+), 77 deletions(-) delete mode 100644 templates/etc/dm3/greeter.dconf-defaults.j2 create mode 100644 templates/etc/pam/template_authselect.j2 diff --git a/defaults/main.yml b/defaults/main.yml index e85b495..8c13f1b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -73,7 +73,7 @@ rule_1_11: true # Ensure system-wide crypto policy is is FUTURE or FI rule_2_1_1: true # Ensure xinetd is not installed rule_2_2_1_1: true # Ensure time synchronization is in use rule_2_2_1_2: true # Ensure chrony is configured -rule_2_2_2: true # Ensure X Window System is not installed +rule_2_2_2: false # Ensure X Window System is not installed rule_2_2_3: true # Ensure rsync service is not enabled rule_2_2_4: true # Ensure Avahi Server is not enabled rule_2_2_5: true # Ensure SNMP Server is not enabled" @@ -270,7 +270,7 @@ aide_cron: aide_month: '*' aide_weekday: '*' -crypto_policy: FIPS #FUTURE +crypto_policy: FUTURE #FIPS # SELinux policy selinux_state: enforcing @@ -344,6 +344,7 @@ password_policy: max_days: 60 # 5.5.1.1 min_days: 1 # 5.5.1.2 warn_age: 7 # 5.5.1.3 + history: 5 # 5.4.3 Password history pwquality: # 5.4.1 minlen: 8 @@ -364,7 +365,6 @@ authselect_profile: cis-profile pam_failllock_deny: 3 pam_failllock_timeout: 900 - # 5.1.8 cron_allow_users: [] at_allow_users: [] diff --git a/handlers/main.yml b/handlers/main.yml index c70a811..ecc3e30 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -14,9 +14,9 @@ become: yes command: grub2-mkconfig -o {{ grub_config_file }} -#- name: reload dconf -# become: yes -# command: dconf update +- name: reload dconf + become: yes + command: dconf update - name: restart auditd become: yes diff --git a/tasks/main.yml b/tasks/main.yml index 8ea9481..db2f6e9 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -17,36 +17,29 @@ tags: - always - - -- name: "Set package facts" +- name: "Set facts | Packages" package_facts: manager: "auto" tags: - always -- name: "Set service facts" +- name: "Set facts | Service" service_facts: tags: - always -- name: Check to see if we are booting with EFI or UEFI +- name: Check if the system booted with UEFI or BIOS set_fact: booted_with_efi: "{{ ansible_mounts | selectattr('mount', 'equalto', '/boot/efi') | list | length > 0 }}" tags: - always -- name: Set fact Grub config file +- name: Set facts | Grub config file set_fact: grub_config_file: "{{ '/boot/efi/EFI/{{ ansible_distribution | lower }}/grub.cfg' if booted_with_efi else '/boot/grub2/grub.cfg' }}" tags: - always -- name: Print all available facts - ansible.builtin.debug: - var: grub_config_file - - - include: section_1.yml become: true when: section_1 diff --git a/tasks/section_1.yml b/tasks/section_1.yml index 6183853..fb83176 100644 --- a/tasks/section_1.yml +++ b/tasks/section_1.yml @@ -553,13 +553,13 @@ lineinfile: dest: /usr/lib/systemd/system/emergency.service regexp: '/sbin/sulogin' - line: 'execstart=-/usr/lib/systemd/systemd-sulogin-shell rescue' + line: 'ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue' - name: "1.5.3 | Ensure authentication required for single user mode (Scored) | Rescue" lineinfile: dest: /usr/lib/systemd/system/rescue.service regexp: '/sbin/sulogin' - line: 'execstart=-/usr/lib/systemd/systemd-sulogin-shell rescue' + line: 'ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue' when: - rule_1_5_3 - ansible_distribution_major_version == "8" 
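Review bot: Both 1.5.3 lines now set `ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue`, but the emergency.service target should call `systemd-sulogin-shell emergency`; the `rescue` argument belongs only to rescue.service. Because the regexp `'/sbin/sulogin'` does not match a stock RHEL 8 unit that already uses systemd-sulogin-shell, and the exact line is absent from emergency.service, lineinfile will append a second `ExecStart=`, which systemd rejects for a non-oneshot service. Change the first line to `line: 'ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency'` and widen both regexps to `'^ExecStart='` so an existing entry is replaced rather than duplicated. Editing units under /usr/lib is also undone by package updates; a drop-in under /etc/systemd/system would persist.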
@@ -782,13 +782,25 @@ - rule_1.8.1.6 - name: "1.8.2 | Ensure GDM login banner is configured (Scored)" - template: - src: etc/dm3/greeter.dconf-defaults.j2 - dest: /etc/dm3/greeter.dconf-defaults + lineinfile: + dest: "{{ item.file }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + state: present + create: yes owner: root group: root mode: 0644 - when: + with_items: + - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } + - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } + - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } + - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } + - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' } + - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='Authorized uses only. All activity may be monitored and reported.'" } + notify: reload dconf + when: + - not rule_2_2_2 | bool - "'gdm' in ansible_facts.packages" - rule_1_8_2 tags: diff --git a/tasks/section_5.yml b/tasks/section_5.yml index 9648f88..4cb5aa0 100644 --- a/tasks/section_5.yml +++ b/tasks/section_5.yml @@ -498,9 +498,9 @@ changed_when: false failed_when: false - - name: "5.3.2 Select authselect profile (Scored) - select profile\n + - name: "5.3.2 Select authselect profile (Scored) | Set profile\n 5.3.3 Ensure authselect includes with-faillock (Scored)" - command: authselect select custom/{{ authselect_profile }} {{ 5_3_3 | ternary("with-faillock", "") }} --force + command: authselect select custom/{{ authselect_profile }} without-nullok with-sudo with-mkhomedir {{ 5_3_3 | ternary("with-faillock", "") }} --force when: - authselect_current_profile.rc == 0 - authselect_current_profile.stdout != "/".join(["custom", authselect_profile]) 
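Review bot: The GDM banner text is now a literal in the task (`line: "banner-message-text='Authorized uses only. …'"`) instead of `{{ warning_banner }}`, so it can no longer be kept in step with `warning_banner_motd`/`warning_banner_issue` from defaults, and site-specific wording has to be patched into the task file. Keep it templated, e.g. `line: "banner-message-text='{{ warning_banner }}'"`, with the variable left in defaults. The added `not rule_2_2_2 | bool` guard also ties 1.8.2 to the X-removal flag even though `'gdm' in ansible_facts.packages` already decides whether there is a login screen to banner; dropping it avoids skipping the banner when 2.2.2 is enabled but the package is still present.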
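Review bot: The reworked `authselect select` command still keys the faillock feature on `{{ 5_3_3 | ternary("with-faillock", "") }}`, and `5_3_3` is not a valid Jinja identifier; depending on the Jinja version it is read as a numeric literal (always truthy) or rejected outright, so the `rule_5_3_3` switch in defaults is never consulted. Presumably `rule_5_3_3` was meant: `{{ rule_5_3_3 | ternary('with-faillock', '') }}`. Note also that the `when` only fires when the current profile differs, so a host that already selected the custom profile will not pick up the new `without-nullok with-sudo with-mkhomedir` feature list; comparing `authselect current` against the full feature set, or running the task unconditionally with `changed_when` driven by its output, would close that gap.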
@@ -533,67 +533,34 @@ - rule_5.4.1 - section_5 -- name: "5.4.2 | Ensure lockout for failed password attempts is configured (Scored)" - block: - - name: "5.4.2 | Ensure lockout for failed password attempts is configured (Scored) | Unlock Time" - replace: - path: /etc/authselect/custom/{{ authselect_profile }}/{{ item }} - regexp: '^(\s*auth\s+required\s+pam_faillock.so\s+.*unlock_time=)\S+(\s*.*)$' - replace: '\g<1>{{ pam_failllock_timeout }}\g<2>' - with_items: - - password-auth - - system-auth - - - name: 5.4.2 Ensure lockout for failed password attempts is configured (Scored) | Faillock Deny - replace: - path: /etc/authselect/custom/{{ authselect_profile }}/password-auth - regexp: '^(\s*auth\s+required\s+pam_faillock.so\s+.*deny=)\S+(\s*.*)$' - replace: '\g<1>{{ pam_failllock_deny }}\g<2>' +- name: "5.4.2 | Ensure lockout for failed password attempts is configured (Scored)\n + 5.4.3 | Ensure password reuse is limited (Scored)\n + 5.4.4 | Ensure password hashing algorithm is SHA-512 (Scored)" + template: + src: etc/pam/template_authselect.j2 + dest: /etc/authselect/custom/{{ authselect_profile }}/{{ item }} + with_items: + - password-auth + - system-auth when: - rule_5_3_2 - rule_5_3_3 - rule_5_4_2 + - rule_5_4_3 + - rule_5_4_4 tags: - level1 - rule_5.4 - rule_5.4.2 - - section_5 - -- name: "5.4.3 | Ensure password reuse is limited (Scored)" - command: /bin/true - changed_when: false - tags: - - level1 - - rule_5.4 - rule_5.4.3 - section_5 -- name: "5.4.4 | Ensure password hashing algorithm is SHA-512 (Scored)" - command: /bin/true - changed_when: false - when: - - rule_5_4_4 - tags: - - level1 - - rule_5.4.4 - - section_5 - - name: "5.5.1.1 | Ensure password expiration is 365 days or less (Scored)" - block: - - name: "5.5.1.1 | Ensure password expiration is 365 days or less (Scored)" - lineinfile: - dest: /etc/login.defs - regexp: "^\\s*PASS_MAX_DAYS\\s*.*$" - line: "PASS_MAX_DAYS {{ password_policy['max_days'] }}" - state: present - - - name: "5.5.1.1 | Ensure 
password expiration is 365 days or less (Scored)" - command: "awk -F: '{if($5 != {{ password_policy['max_days'] }}) print $1}' /etc/shadow" - register: users_exp_output - - - name: "5.5.1.1 | Ensure password expiration is 365 days or less (Scored)" - command: "chage --maxdays {{ password_policy['max_days'] }} {{ item }}" - with_items: "{{ users_exp_output.stdout_lines }}" + lineinfile: + dest: /etc/login.defs + regexp: "^\\s*PASS_MAX_DAYS\\s*.*$" + line: "PASS_MAX_DAYS {{ password_policy['max_days'] }}" + state: present when: - rule_5_5_1_1 tags: diff --git a/templates/etc/dm3/greeter.dconf-defaults.j2 b/templates/etc/dm3/greeter.dconf-defaults.j2 deleted file mode 100644 index 98679a6..0000000 --- a/templates/etc/dm3/greeter.dconf-defaults.j2 +++ /dev/null @@ -1,3 +0,0 @@ -[org/gnome/login-screen] -banner-message-enable=true -banner-message-text='{{ warning_banner }}' \ No newline at end of file diff --git a/templates/etc/pam/template_authselect.j2 b/templates/etc/pam/template_authselect.j2 new file mode 100644 index 0000000..7dee8d1 --- /dev/null +++ b/templates/etc/pam/template_authselect.j2 
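Review bot: The 5.5.1.1 rewrite drops the `awk`/`chage --maxdays` pass over /etc/shadow, so only `PASS_MAX_DAYS` in login.defs is set and accounts that already exist keep their previous maximum age; the benchmark's remediation covers existing users too, and the removed step was the part doing that. If it went because it reported a change on every run, keep it and make it idempotent instead (the awk output is already the set of non-compliant users, so `changed_when: users_exp_output.stdout != ''` on that step and looping only over its lines is enough). Separately, the merged 5.4.2/5.4.3/5.4.4 template task is gated on all five of `rule_5_3_2`, `rule_5_3_3`, `rule_5_4_2`, `rule_5_4_3` and `rule_5_4_4`, so disabling any one of them silently skips the other controls as well; since one template now implements all three, either drop the per-rule flags from `when` or honour them inside the template.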
@@ -0,0 +1,34 @@ +auth required pam_env.so +auth required pam_faildelay.so delay=2000000 +auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"} +auth required pam_faillock.so preauth silent deny={{ pam_failllock_deny }} unlock_time={{ pam_failllock_timeout }} {include if "with-faillock"} +auth sufficient pam_u2f.so cue {include if "with-pam-u2f"} +auth required pam_u2f.so cue nouserok {include if "with-pam-u2f-2fa"} +auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet +auth [default=1 ignore=ignore success=ok] pam_localuser.so +auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass +auth requisite pam_succeed_if.so uid >= 1000 quiet_success +auth sufficient pam_sss.so forward_pass +auth required pam_faillock.so authfail deny={{ pam_failllock_deny }} unlock_time={{ pam_failllock_timeout }} {include if "with-faillock"} +auth required pam_deny.so + +account required pam_access.so {include if "with-pamaccess"} +account required pam_faillock.so {include if "with-faillock"} +account required pam_unix.so +account sufficient pam_localuser.so +account sufficient pam_succeed_if.so uid < 1000 quiet +account [default=bad success=ok user_unknown=ignore] pam_sss.so +account required pam_permit.so + +password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry={{ pam_failllock_deny }} remember={{ password_policy['history'] }} +password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok remember={{ password_policy['history'] }} +password sufficient pam_sss.so use_authtok +password required pam_deny.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +-session optional pam_systemd.so +session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"} +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so +session 
optional pam_sss.so From 2c3b6de763b8068b6a4da3add3c10dc46f9fe961 Mon Sep 17 00:00:00 2001 From: iquzart Date: Mon, 16 Nov 2020 22:39:57 +0400 Subject: [PATCH 26/30] gdm banner fix --- defaults/main.yml | 4 ---- tasks/section_2.yml | 4 ---- 2 files changed, 8 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 8c13f1b..204cc9a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -289,10 +289,6 @@ warning_banner_motd: | Authorized uses only. All activity may be monitored and reported. # End Banner -# Warning Banner Content (GDM) -warning_banner: | - Authorized uses only. All activity may be monitored and reported. - # Warning Banner Content (issue, issue.net) warning_banner_issue: | WARNING: This system is for use of authorized users only. diff --git a/tasks/section_2.yml b/tasks/section_2.yml index e1fe7bc..a498fec 100644 --- a/tasks/section_2.yml +++ b/tasks/section_2.yml @@ -51,10 +51,6 @@ - name: "Update package facts" package_facts: manager: "auto" - - - name: "Debug" - debug: - msg: "{{ ansible_facts.services }}" when: - "'xorg-x11-server-common' in ansible_facts.packages" - rule_2_2_2 From 84e19d13013e08655f2b1a4005d1868a3628b062 Mon Sep 17 00:00:00 2001 From: iquzart Date: Tue, 17 Nov 2020 15:29:07 +0400 Subject: [PATCH 27/30] multiple fixes --- handlers/main.yml | 4 ++++ meta/main.yml | 8 +++++--- tasks/section_5.yml | 1 + 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index ecc3e30..fccbd72 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -32,3 +32,7 @@ service: name: sshd state: restarted + +- name: authselect apply changes + become: yes + command: authselect apply-changes \ No newline at end of file diff --git a/meta/main.yml b/meta/main.yml index 93438d0..af08fd7 100644 --- a/meta/main.yml +++ b/meta/main.yml 
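Review bot: In the new authselect template the `pam_pwquality.so` line carries `remember={{ password_policy['history'] }}`, but `remember` is not a pam_pwquality option; it is logged as unknown and ignored, while password history for 5.4.3 is already enforced by the `remember=` on the `pam_unix.so` line (or by `pam_pwhistory.so`), so the extra argument should be removed. The same line reuses `pam_failllock_deny` as pwquality `retry=`, which conflates the lockout threshold with the number of attempts a user gets to choose an acceptable new password; a dedicated `pam_pwquality_retry` variable would keep the two policies independent. The `uid >= 1000` / `uid < 1000` thresholds are also hard-coded while the rest of the role uses `min_uid`, which is worth templating for consistency.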
@@ -9,7 +9,9 @@ galaxy_info: versions: - 8 galaxy_tags: - - docker - - compose - - containers + - cis + - rhel8 + - centos8 + - ol8 + - baseline dependencies: [] \ No newline at end of file diff --git a/tasks/section_5.yml b/tasks/section_5.yml index 4cb5aa0..5e61cf0 100644 --- a/tasks/section_5.yml +++ b/tasks/section_5.yml @@ -542,6 +542,7 @@ with_items: - password-auth - system-auth + notify: authselect apply changes when: - rule_5_3_2 - rule_5_3_3 From 7045531cb10b090483d641d1418fc688556b431a Mon Sep 17 00:00:00 2001 From: iquzart Date: Tue, 17 Nov 2020 16:04:57 +0400 Subject: [PATCH 28/30] updated docs --- README.md | 60 +++++++++++++++++++++++++++++++++++++---------- defaults/main.yml | 2 -- 2 files changed, 47 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index 84470a1..b62e749 100644 --- a/README.md +++ b/README.md 
@@ -1,39 +1,73 @@ -CIS - CentOs +CIS - RHEL 8 Based Systems ========= -Asible role to apply CIS Benchmark on RHEL 8 based systems (Under Development) +Asible role to apply CIS Benchmark on RHEL 8 based systems. Requirements ------------ -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. +Create below partitions at the time of installation. The role will not create any of these partitions. + +``` +1.1.6 | Ensure separate partition exists for /var (Scored) +1.1.7 | Ensure separate partition exists for /var/tmp (Scored) +1.1.11 | Ensure separate partition exists for /var/log (Scored) +1.1.12 | Ensure separate partition exists for /var/log/audit (Scored) +1.1.13 | Ensure separate partition exists for /home (Scored) + +``` + +Support Matrix +-------------- + +| Destro | Status | +| --- | --- | +| CentOS 8 | Supported (Tested) | +| RHEL 8 | Supported (Tested) | +| Oracle Linux 8 | Supported (Under Testing) | + Role Variables -------------- -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. +deafult/main.yml variables are pretty self explanatory. + + +Notes +------ -Dependencies ------------- -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. +The role will setup Authselect with a custom profile when you enable CIS rules 5.3.1, 5.3.2, 5.4.2, 5.4.3, 5.4.4. 
+The recommended approch to join the node to an Active Directory domain with 'realmd' + +Update realmd-distro conf (/usr/lib/realmd/realmd-distro.conf) with below. +``` +[commands] +sssd-enable-logins = /usr/bin/sh -c "/usr/bin/systemctl enable oddjobd.service +&& /usr/bin/systemctl start oddjobd.service" + +sssd-disable-logins = /bin/true +``` Example Playbook ---------------- -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: +- name: CIS Baseline Setup + hosts: cis + remote_user: vagrant + become: yes + + roles: + - cis-centos - - hosts: servers - roles: - - { role: username.rolename, x: 42 } License ------- -BSD +MIT Author Information ------------------ -An optional section for the role authors to include contact information, or a website (HTML is not allowed). +Muhammed Iqbal diff --git a/defaults/main.yml b/defaults/main.yml index 204cc9a..2636c3a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -255,11 +255,9 @@ rule_6_2_20: true # Ensure all users' home directories exist # Bootloader password bootloader_password: p@ssw0rd -set_boot_pass: true # AIDE config_aide: true -# AIDE cron settings aide_cron: cron_user: root cron_file: /etc/crontab From fa9ad93f7eb9aa1decfc55cf49038d8a3722a1b5 Mon Sep 17 00:00:00 2001 From: iquzart Date: Tue, 17 Nov 2020 16:07:04 +0400 Subject: [PATCH 29/30] updated docs --- README.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index b62e749..28e7cd6 100644 --- a/README.md +++ b/README.md @@ -53,14 +53,15 @@ sssd-disable-logins = /bin/true Example Playbook ---------------- -- name: CIS Baseline Setup - hosts: cis - remote_user: vagrant - become: yes - - roles: - - cis-centos +``` + - name: CIS Baseline Setup + hosts: cis + remote_user: vagrant + become: yes + roles: + - cis-centos +``` License ------- From 216429de6e9b75e09e6e927bcbcef293137ee8a9 Mon Sep 17 00:00:00 2001 
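Review bot: After `set_boot_pass` is removed, the defaults still ship `bootloader_password: p@ssw0rd` as a literal, so every host that runs 1.5.2 with defaults ends up with the same publicly known GRUB password, which defeats the control. Leave the value undefined (and fail early with `assert` when it is unset) and expect it from a Vault-protected variable, e.g. `bootloader_password: "{{ vault_bootloader_password }}"`. Also confirm that the 1.5.2 block in tasks/section_1.yml no longer references `set_boot_pass`, since the variable is dropped here but the task file is not touched in this commit.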
From: iquzart Date: Tue, 17 Nov 2020 16:08:32 +0400 Subject: [PATCH 30/30] clean up --- files/etc/pam.d/password-auth | 26 -------------------------- files/etc/pam.d/system-auth | 26 -------------------------- 2 files changed, 52 deletions(-) delete mode 100644 files/etc/pam.d/password-auth delete mode 100644 files/etc/pam.d/system-auth diff --git a/files/etc/pam.d/password-auth b/files/etc/pam.d/password-auth deleted file mode 100644 index a3bf1a6..0000000 --- a/files/etc/pam.d/password-auth +++ /dev/null @@ -1,26 +0,0 @@ -#%PAM-1.0 -# This file is auto-generated. -# User changes will be destroyed the next time authconfig is run. -auth required pam_env.so -auth required pam_faillock.so preauth audit deny=5 unlock_time=900 -auth sufficient pam_unix.so nullok try_first_pass -auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 -auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900 -auth requisite pam_succeed_if.so uid >= 1000 quiet -auth required pam_deny.so - -account required pam_faillock.so -account required pam_unix.so -account sufficient pam_localuser.so -account sufficient pam_succeed_if.so uid < 1000 quiet -account required pam_permit.so - -password requisite pam_pwquality.so try_first_pass local_users_only retry=5 authtok_type= -password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=6 -password required pam_deny.so - -session optional pam_keyinit.so revoke -session required pam_limits.so --session optional pam_systemd.so -session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -session required pam_unix.so diff --git a/files/etc/pam.d/system-auth b/files/etc/pam.d/system-auth deleted file mode 100644 index a3bf1a6..0000000 --- a/files/etc/pam.d/system-auth +++ /dev/null 
@@ -1,26 +0,0 @@ -#%PAM-1.0 -# This file is auto-generated. -# User changes will be destroyed the next time authconfig is run. -auth required pam_env.so -auth required pam_faillock.so preauth audit deny=5 unlock_time=900 -auth sufficient pam_unix.so nullok try_first_pass -auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 -auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900 -auth requisite pam_succeed_if.so uid >= 1000 quiet -auth required pam_deny.so - -account required pam_faillock.so -account required pam_unix.so -account sufficient pam_localuser.so -account sufficient pam_succeed_if.so uid < 1000 quiet -account required pam_permit.so - -password requisite pam_pwquality.so try_first_pass local_users_only retry=5 authtok_type= -password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=6 -password required pam_deny.so - -session optional pam_keyinit.so revoke -session required pam_limits.so --session optional pam_systemd.so -session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -session required pam_unix.so