From 830d42c11b55db79bd98ced2bfa01ba2faa84a9b Mon Sep 17 00:00:00 2001
From: Diana-Maria Dumitru
Date: Wed, 6 Dec 2023 14:56:23 +0200
Subject: [PATCH 01/25] Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/3 by editing the destination path!

Signed-off-by: Diana-Maria Dumitru
---
 tasks/section_2/cis_2.1.x.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml
index 97620c4..8311441 100644
--- a/tasks/section_2/cis_2.1.x.yml
+++ b/tasks/section_2/cis_2.1.x.yml
@@ -19,7 +19,7 @@
 - name: "2.1.2 | PATCH | Ensure chrony is configured | Set configuration"
 ansible.builtin.template:
 src: etc/chrony.conf.j2
- dest: /etc/chrony.conf
+ dest: /etc/chrony.d/chrony.conf
 owner: root
 group: root
 mode: '0644'
From 269b56b04e9d6821d3aa9dcce883204460d50d6a Mon Sep 17 00:00:00 2001
From: Diana-Maria Dumitru
Date: Wed, 6 Dec 2023 15:02:57 +0200
Subject: [PATCH 02/25] Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/4 by masking both the socket and the service!

Signed-off-by: Diana-Maria Dumitru
---
 tasks/section_2/cis_2.2.x.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml
index 549600a..e1ea61a 100644
--- a/tasks/section_2/cis_2.2.x.yml
+++ b/tasks/section_2/cis_2.2.x.yml
@@ -308,7 +308,7 @@
 when:
 - amzn2023cis_rpc_server == "remove"
 
- - name: "2.2.17 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | mask service"
+ - name: "2.2.17 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | mask socket"
 ansible.builtin.systemd:
 name: rpcbind.socket
 masked: true
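Review bot: The file templated to `/etc/chrony.d/chrony.conf` is only read if `/etc/chrony.conf` pulls the directory in with an `include /etc/chrony.d/*.conf` directive; a `sourcedir /etc/chrony.d` directive loads `*.sources` files only, so with that form of main config a `.conf` drop-in is silently ignored and 2.1.2 is never applied. The main config is outside this hunk, so confirm which directive the Amazon Linux 2023 chrony package ships before settling on the `.conf` suffix. `ansible.builtin.template` also does not create parent directories, so the task fails if `/etc/chrony.d` is absent; a `# requires /etc/chrony.d to exist (expected from the chrony package)` comment on the `dest` line, or a preceding `ansible.builtin.file` task with `state: directory`, records that dependency. The remainder of the 2.1.2 task lies outside the hunk.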
@@ -316,6 +316,15 @@
 daemon_reload: true
 when:
 - amzn2023cis_rpc_server == "mask"
+
+ - name: "2.2.17 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | mask service"
+ ansible.builtin.systemd:
+ name: rpcbind.service
+ masked: true
+ state: stopped
+ daemon_reload: true
+ when:
+ - amzn2023cis_rpc_server == "mask"
 when:
 - "'rpcbind' in ansible_facts.packages"
 - amzn2023cis_rule_2_2_17
From 9e7ef28c7f3a2de7ed7178323b7d43dd53221236 Mon Sep 17 00:00:00 2001
From: Diana-Maria Dumitru
Date: Wed, 6 Dec 2023 15:17:41 +0200
Subject: [PATCH 03/25] Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/6 by editing the value of `clientalivecountmax` to 3!

Signed-off-by: Diana-Maria Dumitru
---
 defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index aaf7219..129e098 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -535,7 +535,7 @@ amzn2023cis_logrotate: "daily"
 
 amzn2023cis_sshd_config_file: /etc/ssh/sshd_config
 amzn2023cis_sshd:
- clientalivecountmax: 0
+ clientalivecountmax: 3
 clientaliveinterval: 900
 logingracetime: 60
 # WARNING: make sure you understand the precedence when working with these values!!
From e3ffb8bb20d7419f8adb198a1070895411bc42cb Mon Sep 17 00:00:00 2001
From: Diana-Maria Dumitru
Date: Wed, 6 Dec 2023 15:23:27 +0200
Subject: [PATCH 04/25] Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/8 by editing the regexp value and adding another task with `replace` module!

Signed-off-by: Diana-Maria Dumitru
---
 tasks/section_4/cis_4.6.x.yml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/tasks/section_4/cis_4.6.x.yml b/tasks/section_4/cis_4.6.x.yml
index 88e787c..c6307d3 100644
--- a/tasks/section_4/cis_4.6.x.yml
+++ b/tasks/section_4/cis_4.6.x.yml
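Review bot: The added task duplicates the socket task directly above it with only the unit name changed; one `ansible.builtin.systemd` task with `name: "{{ item }}"` and `loop: [rpcbind.socket, rpcbind.service]` states the intent once and keeps the two `when:` guards from drifting apart. Masking the service in addition to the socket is the right fix, since a masked socket alone does not prevent the service unit from being started directly. The outer task that owns the trailing `when:` lines starts outside the hunk.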
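Review bot: The new default deserves a comment saying why 0 was a defect rather than a stricter choice: on OpenSSH 8.2 and later `ClientAliveCountMax 0` disables idle-connection termination entirely, so the previous default left `clientaliveinterval: 900` without any effect. Suggested comment above the key: `# must be > 0 and <= 3 (see 4.2.20); 0 disables the idle kill on OpenSSH >= 8.2`. The `amzn2023cis_sshd` mapping may continue past the end of the hunk.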
@@ -89,17 +89,22 @@
 
 - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive"
 block:
- - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings"
+ - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs and /etc/profile"
 ansible.builtin.lineinfile:
 path: "{{ item.path }}"
- regexp: '(?i)(umask\s*)'
+ regexp: '(?i)(umask\s*\d\d\d)'
 line: '{{ item.line }} 027'
 with_items:
- - { path: '/etc/bashrc', line: 'umask' }
 - { path: '/etc/profile', line: 'umask' }
 - { path: '/etc/login.defs', line: 'UMASK' }
 
- - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc"
+ - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc"
+ ansible.builtin.replace:
+ path: /etc/bashrc
+ regexp: '\s+umask\s*\d\d\d'
+ replace: '\numask 027'
+
+ - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Editing USERGROUPS_ENAB"
 ansible.builtin.lineinfile:
 path: /etc/login.defs
 regexp: '^USERGROUPS_ENAB'
From 592fbbd69616339c96e412a7d0329d1d82a222b6 Mon Sep 17 00:00:00 2001
From: Diana-Maria Dumitru
Date: Thu, 7 Dec 2023 11:30:54 +0200
Subject: [PATCH 05/25] Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/2 by using `import_tasks` module so as the rules will get added and executed!

Signed-off-by: Diana-Maria Dumitru
---
 tasks/section_1/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml
index f6acd63..a9db36c 100644
--- a/tasks/section_1/main.yml
+++ b/tasks/section_1/main.yml
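Review bot: The `replace` regexp `'\s+umask\s*\d\d\d'` stops after three digits, so a four-digit value such as `umask 0022` (constructed example) would be rewritten to `umask 0272`, and the leading `\s+` swallows the indentation in front of the keyword. Capturing the indent and matching the whole digit run fixes both: `regexp: '^([ \t]*)umask\s+\d+'` and `replace: '\1umask 027'`, with `^` anchoring each line in the replace module's multiline mode. The `lineinfile` task above it rewrites only the last line matching `(?i)(umask\s*\d\d\d)` in each file, so a /etc/profile that sets `umask` in both branches of its `if` (as the stock Fedora-derived file does) keeps the earlier, looser value for ordinary users; `replace` with the same anchored regexp would cover that file as well. The enclosing 4.6.5 block continues outside the hunk.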
@@ -54,7 +54,7 @@
 file: cis_1.5.x.yml
 
 - name: "SECTION | 1.6 | Mandatory Access Control"
- ansible.builtin.include_tasks:
+ ansible.builtin.import_tasks:
 file: cis_1.6.1.x.yml
 when: not amzn2023cis_selinux_disable
@@ -67,5 +67,5 @@
 file: cis_1.8.yml
 
 - name: "SECTION | 1.9 | Crypto policies"
- ansible.builtin.include_tasks:
+ ansible.builtin.import_tasks:
 file: cis_1.9.yml
From 7bc0c12b8a308ce982821186577e7e443449793c Mon Sep 17 00:00:00 2001
From: Diana-Maria Dumitru
Date: Wed, 20 Dec 2023 13:57:02 +0200
Subject: [PATCH 06/25] Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/5 by adding the necessary lines to both sshd_config file and sshd_config.d/ files. The same method is used for all the rules from 4.2.x, to make them compliant with CISs checks.

Signed-off-by: Diana-Maria Dumitru
---
 tasks/prelim.yml | 19 +++++++++
 tasks/section_4/cis_4.2.x.yml | 72 +++++++++++++++++++++++++++--------
 2 files changed, 76 insertions(+), 15 deletions(-)

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 90bb606..a556392 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -161,6 +161,25 @@
 - ssh
 - level1_server
 
+- name: "PRELIM | Section 4.2 | SSH - Identify files in sshd_config.d Dir"
+ ansible.builtin.find:
+ patterns: '*.conf'
+ path: /etc/ssh/sshd_config.d
+ register: sshd_d_conf_files
+ when:
+ - "'openssh-server' in ansible_facts.packages"
+ tags:
+ - always
+
+- name: "PRELIM | Section 4.2 | SSH - Search for main cfg file"
+ ansible.builtin.stat:
+ path: "{{ amzn2023cis_sshd_config_file }}"
+ register: main_sshd_cfg
+ when:
+ - "'openssh-server' in ansible_facts.packages"
+ tags:
+ - always
+
 - name: "PRELIM | Section 5.2 | Configure System Accounting (auditd)"
 ansible.builtin.package:
 name: audit
diff --git a/tasks/section_4/cis_4.2.x.yml b/tasks/section_4/cis_4.2.x.yml
index c8151a3..20f8a98 100644
--- a/tasks/section_4/cis_4.2.x.yml
+++ b/tasks/section_4/cis_4.2.x.yml
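Review bot: Switching to `ansible.builtin.import_tasks` changes how the `when:` and any tags on the SECTION task are handled: with a static import they are copied onto every imported task, whereas `include_tasks` applies them to the include itself only, which is presumably why tagged runs skipped these rules. A short comment on each import, e.g. `# static import so tags and when: propagate to the imported rules`, would stop the next maintainer from reverting it; the same applies to the 1.9 import in the second hunk. The SECTION 1.5 and 1.8 tasks at the hunk edges are not visible; if they still use `include_tasks`, tag handling now differs between sections of the same file and they should be converted the same way or the difference documented.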
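Review bot: The `stat` task exists only to carry a `path` key into the 4.2.x loops as `main_sshd_cfg.stat`, which is indirect and fails with an opaque attribute error if the file is missing (the `stat` dict then has no `path` key); a literal loop item such as `- { path: "{{ amzn2023cis_sshd_config_file }}" }` in those tasks would make this second prelim task unnecessary. Registering `sshd_d_conf_files` on a conditional task also means a skipped run leaves the variable without a `files` key, so every consumer of it needs a `default([])` guard or the same package condition; a `# consumers must tolerate a skipped result` comment on the `register:` line would flag that.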
@@ -125,10 +125,13 @@
 
 - name: "4.2.5 | PATCH | Ensure SSH LogLevel is appropriate"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: "^#LogLevel|^LogLevel"
 line: 'LogLevel {{ amzn2023cis_ssh_loglevel }}'
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_5
 tags:
@@ -142,10 +145,13 @@
 
 - name: "4.2.6 | PATCH | Ensure SSH PAM is enabled"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: "^#UsePAM|^UsePAM"
 line: 'UsePAM yes'
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_6
 tags:
@@ -161,10 +167,13 @@
 
 - name: "4.2.7 | PATCH | Ensure SSH root login is disabled"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: "^#PermitRootLogin|^PermitRootLogin"
 line: 'PermitRootLogin no'
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_7
 tags:
@@ -176,10 +185,13 @@
 
 - name: "4.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: "^#HostbasedAuthentication|^HostbasedAuthentication"
 line: 'HostbasedAuthentication no'
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_8
 tags:
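Review bot: `with_items` dereferences `sshd_d_conf_files.files` without a guard, so when the prelim find task was skipped (openssh-server absent) the registered result has no `files` key and this task fails on an undefined attribute instead of being skipped; `- "{{ sshd_d_conf_files.files | default([]) }}"` keeps the loop valid when only the main file exists. The same loop is pasted into every 4.2.x hunk that follows, 4.2.6 through the two tasks of the 4.2.20 block, and each needs the same guard. Writing the directive into every existing `*.conf` drop-in also edits files that may be vendor-shipped and replaced on package update, which deserves a `# also rewrites vendor drop-ins; re-run after openssh updates` comment, and it relies on sshd's first-value-wins rule together with the main config's `Include` line preceding its own settings; that line is not in the hunk, so confirm its position in the shipped sshd_config.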
@@ -195,10 +207,13 @@
 
 - name: "4.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords"
 line: 'PermitEmptyPasswords no'
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_9
 tags:
@@ -214,10 +229,13 @@
 
 - name: "4.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: "^#PermitUserEnvironment|^PermitUserEnvironment"
 line: 'PermitUserEnvironment no'
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_10
 tags:
@@ -252,10 +270,13 @@
 
 - name: "4.2.12 | PATCH | Ensure SSH X11 forwarding is disabled"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: "^#X11Forwarding|^X11Forwarding"
 line: 'X11Forwarding no'
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_12
 tags:
@@ -267,10 +288,13 @@
 
 - name: "4.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: "^#AllowTcpForwarding|^AllowTcpForwarding"
 line: 'AllowTcpForwarding no'
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_13
 tags:
@@ -327,10 +351,13 @@
 
 - name: "4.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: '^(#)?MaxAuthTries \d'
 line: 'MaxAuthTries 4'
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_16
 tags:
@@ -342,10 +369,13 @@
 
 - name: "4.2.17 | PATCH | Ensure SSH MaxStartups is configured"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: "^#MaxStartups|^MaxStartups"
 line: 'MaxStartups 10:30:60'
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_17
 tags:
@@ -361,10 +391,13 @@
 
 - name: "4.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: "^#MaxSessions|^MaxSessions"
 line: 'MaxSessions {{ amzn2023cis_ssh_maxsessions }}'
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_18
 tags:
@@ -380,10 +413,13 @@
 
 - name: "4.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: "^#LoginGraceTime|^LoginGraceTime"
 line: "LoginGraceTime {{ amzn2023cis_sshd['logingracetime'] }}"
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_19
 tags:
@@ -397,17 +433,23 @@
 block:
 - name: "4.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: '^ClientAliveInterval'
 line: "ClientAliveInterval {{ amzn2023cis_sshd['clientaliveinterval'] }}"
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 
 - name: "4.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: '^ClientAliveCountMax'
 line: "ClientAliveCountMax {{ amzn2023cis_sshd['clientalivecountmax'] }}"
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_20
 tags:
@@ -419,4 +461,4 @@
 - nist_sp800-53r5_CM-2
 - nist_sp800-53r5_CM-6
 - nist_sp800-53r5_CM-7
- - nist_sp800-53r5_IA-5
+ - nist_sp800-53r5_IA-5
\ No newline at end of file
From 710425be1fc17c60c7dc72b48b692627d84fc1ac Mon Sep 17 00:00:00 2001
From: Diana-Maria Dumitru
Date: Tue, 30 Jan 2024 09:54:43 +0200
Subject: [PATCH 07/25] Removing trailing whitespaces

Signed-off-by: Diana-Maria Dumitru
---
 tasks/section_2/cis_2.2.x.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml
index e1ea61a..98677df 100644
--- a/tasks/section_2/cis_2.2.x.yml
+++ b/tasks/section_2/cis_2.2.x.yml
@@ -316,7 +316,7 @@
 daemon_reload: true
 when:
 - amzn2023cis_rpc_server == "mask"
-
+
 - name: "2.2.17 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | mask service"
 ansible.builtin.systemd:
 name: rpcbind.service
From 95857f77bbbcaa1f513c545409e42de3ef4674fc Mon Sep 17 00:00:00 2001
From: Diana-Maria Dumitru
Date: Tue, 30 Jan 2024 10:05:16 +0200
Subject: [PATCH 08/25] Removing trailing whitespaces

Signed-off-by: Diana-Maria Dumitru
---
 tasks/section_4/cis_4.6.x.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/section_4/cis_4.6.x.yml b/tasks/section_4/cis_4.6.x.yml
index c6307d3..297300b 100644
--- a/tasks/section_4/cis_4.6.x.yml
+++ b/tasks/section_4/cis_4.6.x.yml
@@ -98,7 +98,7 @@
 - { path: '/etc/profile', line: 'umask' }
 - { path: '/etc/login.defs', line: 'UMASK' }
 
- - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc"
+ - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc"
 ansible.builtin.replace:
 path: /etc/bashrc
 regexp: '\s+umask\s*\d\d\d'
From 9488e1951f573897f86b033ab94887e736509a78 Mon Sep 17 00:00:00 2001
From: Diana-Maria Dumitru
Date: Tue, 30 Jan 2024 10:12:11 +0200
Subject: [PATCH 09/25] Removing trailing whitespaces and fixing an end-of-file

Signed-off-by: Diana-Maria Dumitru
---
 tasks/prelim.yml | 4 ++--
 tasks/section_4/cis_4.2.x.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index a556392..bfbac94 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -167,7 +167,7 @@
 path: /etc/ssh/sshd_config.d
 register: sshd_d_conf_files
 when:
- - "'openssh-server' in ansible_facts.packages"
+ - "'openssh-server' in ansible_facts.packages"
 tags:
 - always
 
@@ -176,7 +176,7 @@
 path: "{{ amzn2023cis_sshd_config_file }}"
 register: main_sshd_cfg
 when:
- - "'openssh-server' in ansible_facts.packages"
+ - "'openssh-server' in ansible_facts.packages"
 tags:
 - always
 
diff --git a/tasks/section_4/cis_4.2.x.yml b/tasks/section_4/cis_4.2.x.yml
index 20f8a98..6134cb4 100644
--- a/tasks/section_4/cis_4.2.x.yml
+++ b/tasks/section_4/cis_4.2.x.yml
@@ -213,7 +213,7 @@
 validate: sshd -t -f %s
 with_items:
 - "{{ sshd_d_conf_files.files }}"
- - "{{ main_sshd_cfg.stat }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_9
 tags:
@@ -461,4 +461,4 @@
 - nist_sp800-53r5_CM-2
 - nist_sp800-53r5_CM-6
 - nist_sp800-53r5_CM-7
- - nist_sp800-53r5_IA-5
\ No newline at end of file
+ - nist_sp800-53r5_IA-5
From 6a3c7ec2b112fcc7087d551e09dca3be5168b5f9 Mon Sep 17 00:00:00 2001
From: Diana-Maria Dumitru
Date: Thu, 1 Feb 2024 15:59:41 +0200
Subject: [PATCH 10/25] Refactoring docs

Signed-off-by: Diana-Maria Dumitru
---
 defaults/main.yml | 998 ++++++++++++++++++++++++++++++++++++----------
 1 file changed, 782 insertions(+), 216 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 129e098..cee463e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,13 +1,33 @@ --- # defaults file for amazon2023-cis +# This variable is used to state if the system where +# the role is executed is a container image or not. +# The role discovers this dinamically and sets this +# variable's value to 'true' or it leaves it unchanged +# ('false') based on its findings. system_is_container: false +# This variable holds the name of the "yml" file, in which +# the role would store the container's variables. This +# file would get created only if the role determines that +# it is executed on a container image. container_vars_file: is_container.yml -# Run the OS validation check -# Supported OSs will not need for this to be changed - see README e.g. CentOS +# This variable is used to run the OS version and family +# check. This validation check determines if the role is +# executed against a supported OS. Setting it to 'true' will +# mean that the OS validation will be executed. Setting it +# to 'false' would mean otherwise. +# If you know that your OS finds itself among the supported +# Oss then this variable's value does not need to be changed. +# If not, you should change it accordingly - see README e.g. CentOS os_check: true +# The following variables are used in order to determine if +# certain sections of the role should get executed or not. +# If you desire for a certain section to not get executed +# against your OS, simply change that section's variable +# value to 'false'! amzn2023cis_section1: true amzn2023cis_section2: true amzn2023cis_section3: true 
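Review bot: The new comment block above `system_is_container` misspells "dynamically" as `dinamically`, and the block above `os_check` writes `Oss` where `OSs` is meant; both are text added by this hunk. Since `defaults/main.yml` is the user-facing reference for these toggles, the wording should be proofread before the rest of the series builds on it.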
@@ -15,63 +35,118 @@ amzn2023cis_section4: true amzn2023cis_section5: true amzn2023cis_section6: true -# This is used for audit purposes to run only specific level use the tags +# This is used for audit purposes to run only a specific level +# use the following tags: # e.g. # - level1-server amzn2023cis_level_1: true amzn2023cis_level_2: true +# This variable is used to determine whether SELinux +# should be enabled or not. All the tasks regarding +# the hardening of SELinux will get executed only if +# this variable's value is set to 'false'. If it is set +# to 'true', then that means that SELinux is considered +# disabled by the role, therefore the role will not +# execute any hardening tasks against it! amzn2023cis_selinux_disable: false + +# This variable refers to Legacy Boot, also known as +# Legacy BIOS boot, which is a boot mode that emulates +# the traditional BIOS. The variable is used in a task +# that ensures the necessary permissions on the bootloader +# config are in place. Setting the value to 'true', will mean +# that those permisions will be set for the configuration of +# BIOS boot. Setting it to 'false', will mean that the Legacy +# Boot (BIOS boot) is not in use, which means that the +# permissions will have to be set for the configuration of +# efi boot. amzn2023cis_legacy_boot: false ## Python Binary -## This is used for python3 Installations where python2 OS modules are used in ansible +## This is used for python3 Installations where python2 OS modules +## are used in ansible python2_bin: /bin/python2.7 -## Benchmark name used by audting control role -# The audit variable found at the base -## metadata for Audit benchmark -benchmark_version: 'v1.0.0' - +## Benchmark name and profile used by audting control role +# The audit variable can be found at the base benchmark: AMAZON2023-CIS +benchmark_version: 'v1.0.0' -# Whether to skip the reboot +# This variable states to the role whether to skip +# the reboot or not. 
If it is set to 'false', the role +# would reboot the system before audit, which could +# give better audit results. skip_reboot: true -# default value will change to true but wont reboot if not enabled but will error +# This variable is used in a handler task, that is notified +# if a certain task's changes are considered to be in need +# of a reboot. The default value will change to true when +# the handler gets executed but the system will reboot only +# if the 'skip_reboot' variable indicates it. +# Otherwise, a warning message will get displayed, which will +# alert the user that a reboot is needed based on the latest +# changes! change_requires_reboot: false -#### Basic external goss audit enablement settings #### -#### Precise details - per setting can be found at the bottom of this file #### +### +### Settings for associated Audit role using Goss +### + +# Note that there are also variables regarding the retrieval +# and configuration of Goss and the audit role at the end +# of this file. -### Goss is required on the remote host +# Audits are carried out using Goss. This variable +# determines whether execution of the role prepares for auditing +# by installing the required binary. setup_audit: false -# How to retrive goss -# Options are copy or download - detailed settings at the bottom of this file -# you will need to access to either github or the file already dowmloaded +## How to retrive audit binary +# Options are copy or download, using either the path +# provided in variable `audit_local_copy` for copying or +# the url given in variable `audit_files_url` for downloading. get_audit_binary_method: download -# how to get audit files onto host options -# options are git/copy/get_url - use local if already available to to the host (adjust paths accordingly) +## How to retrieve the audit role +# The role for auditing is maintained separately. +# This variable specifies the method of how to get the audit role +# onto the system. 
The options are as follows: +# "git" - clone from git repository as specified in variable "audit_file_git" +# in the version specified by variable "audit_git_version"; +# "copy" - copy from path as specified in variable "audit_local_copy"; +# "download" - download from url as specified in variable "audit_files_url"; audit_content: git -# enable audits to run - this runs the audit and get the latest content +## Enable audits to run +# This variable governs whether the audit, using +# the separately maintained audit role using Goss, +# is carried out. run_audit: false -# Timeout for those cmds that take longer to run where timeout set +# This variable specifies the timeout (in ms) for audit commands that +# take a very long time: if a command takes too long to complete, +# it will be forcefully terminated after the specified duration. audit_cmd_timeout: 60000 -# Some tests can be resource heavy allow these to take place +## Resource-intensive Tests +# This variable governs whether resource-intensive audit tests are carried out amzn2023cis_run_heavy_tests: true -### End Goss enablements #### -#### Detailed settings found at the end of this document #### - -# These variables correspond with the CIS rule IDs or paragraph numbers defined in -# the CIS benchmark documents. -# PLEASE NOTE: These work in coordination with the section # group variables and tags. -# You must enable an entire section in order for the variables below to take effect. -# Section 1 rules +### +### End Audit Settings for associcated Audit role using Goss +### + +## The following variables correspond with the CIS rule IDs or paragraph numbers +## defined in the CIS benchmark documents. +## PLEASE NOTE: These work in coordination with the section # group variables +## and tags. You must enable an entire section in order for the variables below +## to take effect. If you want a specific rule to not get executed simply change +## that rule's variable's value to 'false'! 
+ +## Section 1 rules +# Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, +# Secure Boot Settings, Additional Process Hardening, Mandatory Access Control and Command Line Warning Banners) +# Configure Filesystem Kernel Modules amzn2023cis_rule_1_1_1_1: true amzn2023cis_rule_1_1_1_2: true amzn2023cis_rule_1_1_1_3: true 
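Review bot: Several comments added in this hunk carry typos: `audting` (in the Goss benchmark heading) for "auditing", `retrive` for "retrieve", `associcated` for "associated", and `permisions` for "permissions". The `audit_cmd_timeout` comment also newly states the unit as milliseconds; if the separately maintained audit role documents that value differently, the comment should follow that source rather than introduce a unit here.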
@@ -79,50 +154,58 @@ amzn2023cis_rule_1_1_1_4: true
 amzn2023cis_rule_1_1_1_5: true
 amzn2023cis_rule_1_1_1_6: true
 amzn2023cis_rule_1_1_1_7: true
+# Configure /tmp
 amzn2023cis_rule_1_1_2_1: true
 amzn2023cis_rule_1_1_2_2: true
 amzn2023cis_rule_1_1_2_3: true
 amzn2023cis_rule_1_1_2_4: true
+# Configure /var
 amzn2023cis_rule_1_1_3_1: true
 amzn2023cis_rule_1_1_3_2: true
 amzn2023cis_rule_1_1_3_3: true
+# Configure /var/tmp
 amzn2023cis_rule_1_1_4_1: true
 amzn2023cis_rule_1_1_4_2: true
 amzn2023cis_rule_1_1_4_3: true
 amzn2023cis_rule_1_1_4_4: true
+# Configure /var/log
 amzn2023cis_rule_1_1_5_1: true
 amzn2023cis_rule_1_1_5_2: true
 amzn2023cis_rule_1_1_5_3: true
 amzn2023cis_rule_1_1_5_4: true
+# Configure /var/log/audit
 amzn2023cis_rule_1_1_6_1: true
 amzn2023cis_rule_1_1_6_2: true
 amzn2023cis_rule_1_1_6_3: true
 amzn2023cis_rule_1_1_6_4: true
+# Configure /home
 amzn2023cis_rule_1_1_7_1: true
 amzn2023cis_rule_1_1_7_2: true
 amzn2023cis_rule_1_1_7_3: true
+# Configure /dev/shm
 amzn2023cis_rule_1_1_8_1: true
 amzn2023cis_rule_1_1_8_2: true
 amzn2023cis_rule_1_1_8_3: true
 amzn2023cis_rule_1_1_8_4: true
-amzn2023cis_rule_1_1_18: true
-amzn2023cis_rule_1_1_19: true
-amzn2023cis_rule_1_1_20: true
-amzn2023cis_rule_1_1_21: true
 amzn2023cis_rule_1_1_9: true
+# Configure Software and Patch Management
 amzn2023cis_rule_1_2_1: true
 amzn2023cis_rule_1_2_2: true
 amzn2023cis_rule_1_2_3: true
 amzn2023cis_rule_1_2_4: true
+# Filesystem Integrity Checking
 amzn2023cis_rule_1_3_1: true
 amzn2023cis_rule_1_3_2: true
 amzn2023cis_rule_1_3_3: true
+# Secure Boot Settings
 amzn2023cis_rule_1_4_1: true
 amzn2023cis_rule_1_4_2: true
+# Additional Process Hardening
 amzn2023cis_rule_1_5_1: true
 amzn2023cis_rule_1_5_2: true
 amzn2023cis_rule_1_5_3: true
 amzn2023cis_rule_1_5_4: true
+# Configure SELinux
 amzn2023cis_rule_1_6_1_1: true
 amzn2023cis_rule_1_6_1_2: true
 amzn2023cis_rule_1_6_1_3: true
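Review bot: This hunk deletes the `amzn2023cis_rule_1_1_18` through `amzn2023cis_rule_1_1_21` toggles inside a commit described as "Refactoring docs"; if any task under `tasks/section_1` still gates on one of them, its `when:` now raises an undefined-variable error at run time. Either confirm that no task file references them, or keep them with a `# deprecated: no longer referenced by any task` comment until the task side is cleaned up, and mention the removal in the commit message since it is a behavioural change rather than documentation.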
@@ -131,6 +214,7 @@ amzn2023cis_rule_1_6_1_5: true
 amzn2023cis_rule_1_6_1_6: true
 amzn2023cis_rule_1_6_1_7: true
 amzn2023cis_rule_1_6_1_8: true
+# Command Line Warning Banners
 amzn2023cis_rule_1_7_1: true
 amzn2023cis_rule_1_7_2: true
 amzn2023cis_rule_1_7_3: true
@@ -140,9 +224,12 @@ amzn2023cis_rule_1_7_6: true
 amzn2023cis_rule_1_8: true
 amzn2023cis_rule_1_9: true
 
-# Section 2 rules
+## Section 2 rules
+# Section 2 is Services (Special Purpose Services, and service clients)
+# Configure Time Synchronization (chrony)
 amzn2023cis_rule_2_1_1: true
 amzn2023cis_rule_2_1_2: true
+# Configure Special Purpose Services
 amzn2023cis_rule_2_2_1: true
 amzn2023cis_rule_2_2_2: true
 amzn2023cis_rule_2_2_3: true
@@ -161,20 +248,25 @@ amzn2023cis_rule_2_2_15: true
 amzn2023cis_rule_2_2_16: true
 amzn2023cis_rule_2_2_17: true
 amzn2023cis_rule_2_2_18: true
+# Service Clients
 amzn2023cis_rule_2_3_1: true
 amzn2023cis_rule_2_3_2: true
 amzn2023cis_rule_2_3_3: true
 amzn2023cis_rule_2_3_4: true
 amzn2023cis_rule_2_4: true
 
-# Section 3 rules
+## Section 3 rules
+# Section 3 is Network Configuration
+# Disable unused network protocols and devices
 amzn2023cis_rule_3_1_1: true
 amzn2023cis_rule_3_1_2: true
 amzn2023cis_rule_3_1_3: true
 amzn2023cis_rule_3_1_4: true
 amzn2023cis_rule_3_1_5: true
+# Network Parameters (Host Only)
 amzn2023cis_rule_3_2_1: true
 amzn2023cis_rule_3_2_2: true
+# Network Parameters (Host and Router)
 amzn2023cis_rule_3_3_1: true
 amzn2023cis_rule_3_3_2: true
 amzn2023cis_rule_3_3_3: true
@@ -184,8 +276,10 @@ amzn2023cis_rule_3_3_6: true
 amzn2023cis_rule_3_3_7: true
 amzn2023cis_rule_3_3_8: true
 amzn2023cis_rule_3_3_9: true
+# Configure a firewall utility
 amzn2023cis_rule_3_4_1_1: true
 amzn2023cis_rule_3_4_1_2: true
+# Configure firewall rules
 amzn2023cis_rule_3_4_2_1: true
 amzn2023cis_rule_3_4_2_2: true
 amzn2023cis_rule_3_4_2_3: true
@@ -195,6 +289,8 @@ amzn2023cis_rule_3_4_2_6: true
 amzn2023cis_rule_3_4_2_7: true
 
 # Section 4 rules
+# Section 4 is Access, Authentication and Authorization
+# Configure time-based job schedulers
 amzn2023cis_rule_4_1_1: true
 amzn2023cis_rule_4_1_2: true
 amzn2023cis_rule_4_1_3: true
@@ -204,6 +300,7 @@ amzn2023cis_rule_4_1_6: true
 amzn2023cis_rule_4_1_7: true
 amzn2023cis_rule_4_1_8: true
 amzn2023cis_rule_4_1_9: true
+# Configure SSH Server
 amzn2023cis_rule_4_2_1: true
 amzn2023cis_rule_4_2_2: true
 amzn2023cis_rule_4_2_3: true
@@ -224,28 +321,27 @@ amzn2023cis_rule_4_2_17: true
 amzn2023cis_rule_4_2_18: true
 amzn2023cis_rule_4_2_19: true
 amzn2023cis_rule_4_2_20: true
-
+# Configure privilege escalation
 amzn2023cis_rule_4_3_1: true
 amzn2023cis_rule_4_3_2: true
 amzn2023cis_rule_4_3_3: true
 amzn2023cis_rule_4_3_4: true
 amzn2023cis_rule_4_3_5: true
 amzn2023cis_rule_4_3_6: true
-
+# Configure authselect
 amzn2023cis_rule_4_4_1: true
 amzn2023cis_rule_4_4_2: true
-
+# Configure PAM
 amzn2023cis_rule_4_5_1: true
 amzn2023cis_rule_4_5_2: true
 amzn2023cis_rule_4_5_3: true
 amzn2023cis_rule_4_5_4: true
-
+# Set Shadow Password Suite Parameters
 amzn2023cis_rule_4_6_1_1: true
 amzn2023cis_rule_4_6_1_2: true
 amzn2023cis_rule_4_6_1_3: true
 amzn2023cis_rule_4_6_1_4: true
 amzn2023cis_rule_4_6_1_5: true
-
 amzn2023cis_rule_4_6_2: true
 amzn2023cis_rule_4_6_3: true
 amzn2023cis_rule_4_6_4: true
@@ -253,6 +349,8 @@ amzn2023cis_rule_4_6_5: true
 amzn2023cis_rule_4_6_6: true
 
 # Section 5 rules
+# Section 5 is Logging and Auditing
+# Configure rsyslog
 amzn2023cis_rule_5_1_1_1: true
 amzn2023cis_rule_5_1_1_2: true
 amzn2023cis_rule_5_1_1_3: true
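Review bot: The context line `# Section 4 rules` (and `# Section 5 rules` in the last hunk here, `# Section 6 rules` in the next) keeps a single `#`, while Sections 2 and 3 were promoted to `## Section N rules` in the preceding hunks; the heading levels should match, i.e. `## Section 4 rules`. The added `# Section 4 is Access, Authentication and Authorization` line otherwise follows the format used for the other sections.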
@@ -260,30 +358,28 @@ amzn2023cis_rule_5_1_1_4: true
 amzn2023cis_rule_5_1_1_5: true
 amzn2023cis_rule_5_1_1_6: true
 amzn2023cis_rule_5_1_1_7: true
-
+# Configure journald
 amzn2023cis_rule_5_1_2_1_1: true
 amzn2023cis_rule_5_1_2_1_2: true
 amzn2023cis_rule_5_1_2_1_3: true
 amzn2023cis_rule_5_1_2_1_4: true
-
 amzn2023cis_rule_5_1_2_2: true
 amzn2023cis_rule_5_1_2_3: true
 amzn2023cis_rule_5_1_2_4: true
 amzn2023cis_rule_5_1_2_5: true
 amzn2023cis_rule_5_1_2_6: true
 amzn2023cis_rule_5_1_2_7: true
-
 amzn2023cis_rule_5_1_3: true
-
+# Ensure auditing is enabled
 amzn2023cis_rule_5_2_1_1: true
 amzn2023cis_rule_5_2_1_2: true
 amzn2023cis_rule_5_2_1_3: true
 amzn2023cis_rule_5_2_1_4: true
-
+# Configure Data Retention
 amzn2023cis_rule_5_2_2_1: true
 amzn2023cis_rule_5_2_2_2: true
 amzn2023cis_rule_5_2_2_3: true
-
+# Configure auditd rules
 amzn2023cis_rule_5_2_3_1: true
 amzn2023cis_rule_5_2_3_2: true
 amzn2023cis_rule_5_2_3_3: true
@@ -305,7 +401,7 @@ amzn2023cis_rule_5_2_3_18: true
 amzn2023cis_rule_5_2_3_19: true
 amzn2023cis_rule_5_2_3_20: true
 amzn2023cis_rule_5_2_3_21: true
-
+# Configure auditd file access
 amzn2023cis_rule_5_2_4_1: true
 amzn2023cis_rule_5_2_4_2: true
 amzn2023cis_rule_5_2_4_3: true
@@ -316,10 +412,11 @@ amzn2023cis_rule_5_2_4_7: true
 amzn2023cis_rule_5_2_4_8: true
 amzn2023cis_rule_5_2_4_9: true
 amzn2023cis_rule_5_2_4_10: true
-
 amzn2023cis_rule_5_3: true
 
 # Section 6 rules
+# Section 6 is System Maintenance
+# System File Permissions
 amzn2023cis_rule_6_1_1: true
 amzn2023cis_rule_6_1_2: true
 amzn2023cis_rule_6_1_3: true
@@ -332,6 +429,7 @@ amzn2023cis_rule_6_1_9: true
 amzn2023cis_rule_6_1_10: true
 amzn2023cis_rule_6_1_11: true
 amzn2023cis_rule_6_1_12: true
+# Local User and Group Settings
 amzn2023cis_rule_6_2_1: true
 amzn2023cis_rule_6_2_2: true
 amzn2023cis_rule_6_2_3: true
@@ -344,286 +442,754 @@ amzn2023cis_rule_6_2_9: true amzn2023cis_rule_6_2_10: true amzn2023cis_rule_6_2_11: true -## Section 1 vars - -#### 1.1.2 -# These settings go into the /etc/fstab file for the /tmp mount settings -# The value must contain nosuid,nodev,noexec to conform to CIS standards -# amzn2023cis_tmp_tmpfs_settings: "defaults,rw,nosuid,nodev,noexec,relatime 0 0" -# If set true uses the tmp.mount service else using fstab configuration -amzn2023cis_tmp_svc: false - -#### 1.1.9 -amzn2023cis_allow_autofs: false - -# 1.9 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS) -# Control 1.9 states do not use LEGACY +## +## Section 1 Control Variables +## + +## Control 1.1.2 - Configure /tmp +# This variable is used in order to determine which method +# shall be used by the role in order to ensure that the +# "nodev,noexec,nosuid" options are set for "/tmp". +# If it is set to 'true', the role will use the tmp.mount +# service otherwise, the role will use the fstab configuration. +amzn2023cis_tmp_svc: true + +## Control 1.9 - Ensure system-wide crypto policy is not legacy +# This variable helps in determining which type of crypto policy +# the role will set. As per the description of Control 1.9, +# the "LEGACY" option is not to be used! A reason for this would +# be the fact that "LEGACY" includes older algorithms that might +# be considered less secure. You can choose from other options +# such as: +# "DEFAULT" - includes a set of cryptographic algorithms that are +# considered secure; +# "FUTURE" - may include newer algorithms that will replace older +# ones; +# "FIPS" - designed to comply with specific cryptographic standards +# defined by NIST. They are often required in certain +# government or regulated environments; amzn2023cis_crypto_policy: 'DEFAULT' -# Added module to be allowed as default setting (Allowed options in vars/main.yml) +# If you want to have a crypto policy module, you can specify it +# here, as the value of the following variable. 
Allowed options +# for this can be found in the "vars/main.yml" file at the +# "amzn2023cis_allowed_crypto_policies_modules" variable! amzn2023cis_crypto_policy_module: '' -# System network parameters (host only OR host and router) +# This variable governs whether specific CIS rules +# concerned with IP forwarding and routing of packages +# are skipped. amzn2023cis_is_router: false -# IPv6 required +## IPv6 requirement toggle +# This variable governs whether ipv6 is enabled or disabled. amzn2023cis_ipv6_required: true -# AIDE +## Control 1.3.1 - Ensure AIDE is installed +# AIDE is a file integrity checking tool, similar in nature to Tripwire. +# While it cannot prevent intrusions, it can detect unauthorized changes +# to configuration files by alerting when the files are changed. Review +# the AIDE quick start guide and AIDE documentation before proceeding. +# By setting this variable to 'true', all of the settings related to AIDE +# will be applied! amzn2023cis_config_aide: true -# AIDE cron settings + +## Control 1.3.2 - Ensure filesystem integrity is regularly checked +# These are the crontab settings for periodical checking of the filesystem's +# integrity using AIDE. The sub-settings of this variable provide the parameters +# required to configure the cron job on the target system. +# Cron is a time-based job scheduling program in Unix OSs, which allows tasks to +# be scheduled and executed automatically at a certain point in time. amzn2023cis_aide_cron: + # This variable represents the user account under which the cron job for AIDE will run. cron_user: root + # This variable represents the path to the AIDE crontab file. cron_file: /etc/cron.d/aide_cron + # This variable represents the actual command or script that the cron job + # will execute for running AIDE. aide_job: '/usr/sbin/aide --check' + # These variables define the schedule for the cron job + # This variable governs the minute of the time of day when the AIDE cronjob is run. 
+ # It must be in the range `0-59`. aide_minute: 0 + # This variable governs the hour of the time of day when the AIDE cronjob is run. + # It must be in the range `0-23`. aide_hour: 5 + # This variable governs the day of the month when the AIDE cronjob is run. + # `*` signifies that the job is run on all days; furthermore, specific days + # can be given in the range `1-31`; several days can be concatenated with a comma. + # The specified day(s) must be in the range `1-31`. aide_day: '*' + # This variable governs months when the AIDE cronjob is run. + # `*` signifies that the job is run in every month; furthermore, specific months + # can be given in the range `1-12`; several months can be concatenated with commas. + # The specified month(s) must be in the range `1-12`. aide_month: '*' + # This variable governs the weekdays, when the AIDE cronjob is run. + # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays + # can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays + # can be concatenated with commas. aide_weekday: '*' -# SELinux policy +## Control 1.6.1.3 - Ensure SELinux policy is configured +# SELinux implements Mandatory Access Control (MAC). The SELinux policy uses +# a series of rules which define how processes can interact with each other +# and the various system resources. There are two such policies: +# "targeted" - targeted processes run in their own domain, called a confined domain. +# In a confined domain, the files that a targeted process has access to, +# are limited. If a confined process is compromised by an attacker, the +# attacker’s access to resources and the possible damage they can do is +# also limited; +# "mls" - implements Multi-Level Security (MLS), which introduces even more kinds +# of labels (sensitivity and category) and rules that govern access based +# on these; +# The following variable is used to choose which type of SELinux policy will be configured +# by the role. 
+# CIS provides guidance for the configuration of the "targeted" policy! amzn2023cis_selinux_pol: targeted -# chose conf or enforcing or permissive + +## Control 1.6.1.4 - Ensure the SELinux mode is not disabled +# SELinux can run in one of three modes. This variable is used to select which +# mode shall be used. These are the options: +# "enforcing" - Is the default, and recommended, mode of operation; in enforcing +# mode SELinux operates normally, enforcing the loaded security policy +# on the entire system; +# "permissive" - The system acts as if SELinux is enforcing the loaded security policy, +# including labeling objects and emitting access denial entries in the logs, +# but it does not actually deny any operations. While not recommended for +# production systems, permissive mode can be helpful for SELinux policy +# development; +# "disabled" - Is strongly DISCOURAGED; not only does the system avoid enforcing the +# SELinux policy, it also avoids labeling any persistent objects such as +# files, making it difficult to enable SELinux in the future; amzn2023cis_selinux_enforce: enforcing -# Whether or not to run tasks related to auditing/patching the desktop environment +## Controls 1.7.1, 1.7.2, 1.7.3 - Warning Banner Content +# The following variable is used in templates such as "issue.j2", +# "issue.net.j2" and "motd.j2" which are responsible for configuring +# warning banners. The value of this variable represents the +# content of the warning banner message. +amzn2023cis_warning_banner: Authorized uses only. All activity may be monitored and reported. -## 2. Services +## +## Section 2 Control Variables +## -### 2.1 Time Synchronization -#### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 +## Control 2.1.2 - Ensure chrony is configured +# The following list of servers is present in the template file +# chrony.conf.j2 used for setting the configuration for chrony. +# These servers are Time Synchronization servers. 
amzn2023cis_time_synchronization_servers: - 0.pool.ntp.org - 1.pool.ntp.org - 2.pool.ntp.org - 3.pool.ntp.org +# This variable is also present in the aforementioned template file +# used for setting the chrony configuration. The variable is added next +# to each server from the above list and is used to specify the minimum +# poll interval between updates from a particular time source. Other options +# alongside their accurate and complete descriptions can be consulted at this +# link: 'https://chrony-project.org/doc/3.4/chrony.conf.html'. amzn2023cis_chrony_server_options: "minpoll 8" -### 2.2 Special Purposes -##### Service configuration booleans set true to keep service +## Control 2.2 - Special Purpose Services +# The set of rules that make up section 2.2, are used for ensuring that +# certain services are not installed on the OS. +# The following list of variables determine if a service shall be kept +# on the OS or if it shall be uninstalled. +# Set this variable to `true` to keep service `avahi`; otherwise, the service is uninstalled. amzn2023cis_avahi_server: false +# Set this variable to `true` to keep service `cups`; otherwise, the service is uninstalled. amzn2023cis_cups_server: false +# Set this variable to `true` to keep service `dhcp`; otherwise, the service is uninstalled. amzn2023cis_dhcp_server: false +# Set this variable to `true` to keep service `dns`; otherwise, the service is uninstalled. amzn2023cis_dns_server: false +# Set this variable to `true` to keep service `dnsmasq`; otherwise, the service is uninstalled. amzn2023cis_dnsmasq_server: false +# Set this variable to `true` to keep service `vsftpd`; otherwise, the service is uninstalled. amzn2023cis_vsftpd_server: false +# Set this variable to `true` to keep service `tftp`; otherwise, the service is uninstalled. amzn2023cis_tftp_server: false +# Set this variable to `true` to keep service `httpd`; otherwise, the service is uninstalled. 
amzn2023cis_httpd_server: false +# Set this variable to `true` to keep service `nginx`; otherwise, the service is uninstalled. amzn2023cis_nginx_server: false +# Set this variable to `true` to keep service `dovecot`; otherwise, the service is uninstalled. amzn2023cis_dovecot_server: false +# Set this variable to `true` to keep service `imap`; otherwise, the service is uninstalled. amzn2023cis_imap_server: false +# Set this variable to `true` to keep service `samba`; otherwise, the service is uninstalled. amzn2023cis_samba_server: false +# Set this variable to `true` to keep service `squid`; otherwise, the service is uninstalled. amzn2023cis_squid_server: false +# Set this variable to `true` to keep service `snmp`; otherwise, the service is uninstalled. amzn2023cis_snmp_server: false -# snmp can be a dependacy for many packages - it is masked only by default if installed + +## Control 2.2.12 - Ensure net-snmp is not installed or the snmpd service is not enabled +# The following variable is used to determine if snmp should be removed +# If snmp is installed, it is masked by default therefore it complies +# from the very begining with CIS's requirements! Given the fact that +# many packages or applications include snmp as a dependency, it would +# be best to leave this variable's value set to 'false'. amzn2023cis_remove_snmp: false + +## Control 2.2.13 - Ensure telnet-server is not installed +# This variable ensures that telnet-server is not installed on the OS. +# Switching it to 'true' will keep the server, leaving it to 'false' will +# remove it! amzn2023cis_telnet_server: false + +## Control 2.2.15 - Ensure mail transfer agent is configured for local-only mode +# This variable is used to determine whether you intend to use your machine as a mail server or not. +# If you do not intend to use it as such, the mail transfer agent (MTA) will be configured to only +# process local mail, in order to reduce chances of security risks. 
Set to 'false' if your machine +# is not a mail server or to 'true' if it is! amzn2023cis_is_mail_server: false -# Note the options -# Packages are used for client services and Server- only remove if you dont use the client service -# -# optional either remove or mask + +## Control 2.2.16 - Ensure nfs-utils is not installed or the nfs-server service is masked +# In order for the OS to meet CIS's requirements regarding this rule, it is accepted to +# either mask nfs-server or remove nfs-utils. Set the following variables value as it best +# suits your needs, choosing between "mask" or "remove". amzn2023cis_nfs_server: mask + +## Control 2.2.17 - Ensure rpcbind is not installed or the rpcbind services are masked +# In order for the OS to meet CIS's requirements regarding this rule, it is accepted to +# either mask rpcbind services or remove rpcbind. Set the following variables value as it +# best suits your needs, choosing between "mask" or "remove". amzn2023cis_rpc_server: mask + +## Control 2.2.18 - Ensure rsync-daemon is not installed or the rsyncd service is masked +# In order for the OS to meet CIS's requirements regarding this rule, it is accepted to +# either mask rsyncd service or remove rsync-daemon. Set the following variables value as +# it best suits your needs choosing between "mask" or "remove". amzn2023cis_rsync_server: mask -#### 2.3 Service clients +## Control 2.3.1 - Ensure telnet client is not installed +# This variable specifies to the role if telnet is required +# or not. If it is set to 'true' then telnet will not be +# uninstalled. amzn2023cis_telnet_required: false + +## Control 2.3.2 - Ensure LDAP client is not installed +# This variable specifies to the role if LDAP is required +# or not. If it is set to 'true' then LDAP will not be +# uninstalled. amzn2023cis_openldap_clients_required: false + +## Control 2.3.3 - Ensure FTP client is not installed +# This variable specifies to the role if FTP is required +# or not. 
If it is set to 'true' then FTP will not be +# uninstalled. amzn2023cis_ftp_client: false -## Section3 vars +## +## Section 3 Control Variables +## + ## Sysctl +# Sysctl is a command-line utility on Unix-like OSs that allows +# administrators and users to query and modify kernel parameters +# at run time. It is commonly used for performance optimization, +# security hardening, etc. +# Updating sysctl after modifications is necessary to make the +# changes persistent and ensure they are applied each time the +# system restarts! +# This variable's value controls the execution of a Post task +# responsible for updating sysctl. The default value is 'false', +# but throughout the role, some tasks need sysctl to get +# updated in order for the changes made by them to be fully +# implemented. Therefore, those tasks are setting this variable's +# value to 'true' so as to execute the needed update! amzn2023cis_sysctl_update: false + +# The following variable is responsible for the execution of a +# handler that flushes the ipv4 route table. Although the default +# value is 'false', some tasks are in need of this handler to get +# executed, therefore, they are setting this variable's value to 'true'! amzn2023cis_flush_ipv4_route: false +# The following variable is responsible for the execution of a +# handler that flushes the ipv6 route table. Although the default +# value is 'false', some tasks are in need of this handler to get +# executed, therefore, they are setting this variable's value to 'true'! amzn2023cis_flush_ipv6_route: false -### Firewall Service - either firewalld, iptables, or nftables -#### Some control allow for services to be removed or masked -#### The options are under each heading -#### absent = remove the package -#### masked = leave package if installed and mask the service +## Controls 3.4.1.x and 3.4.2.x Firewall Service +# This variable represents the toggle for which firewall service is used. +# The options are either firewalld or nftables. 
amzn2023cis_firewall: firewalld -##### firewalld +## Control 3.4.2.1 - Ensure firewalld default zone is set +# This variable specifies which default zone should be set +# for firewalld. A firewall zone defines the trust level for +# a connection, interface or source address binding. The +# default zone is the zone that is used for everything that +# is not explicitly bound/assigned to another zone. +# Options are: +# "block" - All incoming connections are dropped with an +# icmp-host-prohibited message. Only network +# connections initiated from within the system +# are possible; +# "**drop**" - This is the zone with the lowest level of trust. +# All incoming connections are dropped with no reply, +# and only outgoing connections are allowed; +# "public" - This represents untrusted networks. It is implemented +# when you don't trust other servers on the network. +# This is recommended when you have a server hosted on +# the cloud or local network; +# "external" - Used when you want to configure the firewall as a NAT +# gateway. The external zone is used for NAT masquerading +# such that your internal network stays private but +# reachable from external systems; +# "**internal**" - Used for internal networks when you trust other +# computers or servers on your LAN; +# "dmz" - Used for servers or computers in a DMZ ( Demilitarized Zone ). +# These will not be accessible to systems on your network +# and only specific incoming connections are allowed; +# "work" - Used at your place of work where you trust most +# of the computers and co-workers' PCs; +# "home" - Used in the home environment especially on desktops and laptops on +# your LAN. 
The implication is that you trust most of the +# devices on your home LAN and that some services are allowed; +# "trusted" - All connections are accepted; amzn2023cis_default_zone: public -# These settings are added to demonstrate how this update can be done (eventually will require a new control) -amzn2023cis_firewalld_ports: - - number: 80 - protocol: tcp - -#### nftables +## Control 3.4.2.2 - Ensure at least one nftables table exists +# With this variable you can chose if you want to automatically +# create a new nftable or not. Setting it to 'true' will enable +# that. Otherwise, the tasks will firstly check if there are any +# nftables and if not, they will alert the user about this! amzn2023cis_nft_tables_autonewtable: true +# This variable sets the name of the nftable created. amzn2023cis_nft_tables_tablename: filter -amzn2023cis_nft_tables_autochaincreate: true - -# Warning Banner Content (issue, issue.net, motd) -amzn2023cis_warning_banner: Authorized uses only. All activity may be monitored and reported. 
-# End Banner - -## Section4 vars - -### 4.1 Configure System Accounting -#### 4.1.2 Configure Data Retention -amzn2023cis_auditd: - space_left_action: email - action_mail_acct: root - admin_space_left_action: halt - max_log_file_action: keep_logs - -# The audit_back_log_limit value should never be below 8192 -amzn2023cis_audit_back_log_limit: '8192' - -# The max_log_file parameter should be based on your sites policy -amzn2023cis_max_log_file_size: '10' - -### 4.1.3.x audit template -update_audit_template: false - -## Advanced option found in auditd post -amzn2023cis_allow_auditd_uid_user_exclusions: false -# This can be used to configure other keys in auditd.conf -amzn2023cis_auditd_extra_conf: {} -# Example: -# amzn2023cis_auditd_extra_conf: -# admin_space_left: '10%' - -## Preferred method of logging -## Whether rsyslog or journald preferred method for local logging -## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5 -amzn2023cis_syslog_service: rsyslog -amzn2023cis_rsyslog_ansiblemanaged: true - -#### 4.2.1.6 remote and destation log server name -amzn2023cis_remote_log_server: false -amzn2023cis_remote_log_host: logagg.example.com -amzn2023cis_remote_log_port: 514 -amzn2023cis_remote_log_protocol: tcp -amzn2023cis_remote_log_retrycount: 100 -amzn2023cis_remote_log_queuesize: 1000 - -#### 4.2.1.7 -amzn2023cis_system_is_log_server: false - -# 4.2.2.1.2 -# amzn2023cis_journal_upload_url is the ip address to upload the journal entries to -amzn2023cis_journal_upload_url: 192.168.50.42 -# The paths below have the default paths/files, but allow user to create custom paths/filenames -amzn2023cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem" -amzn2023cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem" -amzn2023cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem" - -# 4.2.2.1 -# The variables below related to journald, please set these to your site specific values -# amzn2023cis_journald_systemmaxuse is the max 
amount of disk space the logs will use -amzn2023cis_journald_systemmaxuse: 10M -# amzn2023cis_journald_systemkeepfree is the amount of disk space to keep free -amzn2023cis_journald_systemkeepfree: 100G -amzn2023cis_journald_runtimemaxuse: 10M -amzn2023cis_journald_runtimekeepfree: 100G -# amzn2023cis_journald_MaxFileSec is how long in time to keep log files. Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks -amzn2023cis_journald_maxfilesec: 1month - -#### 4.3 -amzn2023cis_logrotate: "daily" +## Control 3.4.2.3 - Ensure nftables base chains exist +# This variable is similar to the one from Control 3.4.2.2. +# Setting it to 'true' will automatically create nft chains. +# Otherwise, the tasks will display the already existing chains. +amzn2023cis_nft_tables_autochaincreate: true -## Section4 vars +## +## Section 4 Control Variables +## -# This will allow use of drop in files when CIS adopts them. +# This variable stores the path to the sshd configuration file +# that the role will use, in order to implement different +# needed controls related to sshd. amzn2023cis_sshd_config_file: /etc/ssh/sshd_config +## Controls 4.2.4, 4.2.19, 4.2.20 --various sshd settings amzn2023cis_sshd: + # This variable sets the maximum number of unresponsive "keep-alive" messages + # that can be sent from the server to the client before the connection is considered + # inactive and thus, closed. clientalivecountmax: 3 + # This variable sets the time interval in seconds between sending "keep-alive" + # messages from the server to the client. These types of messages are intended to + # keep the connection alive and prevent it from being terminated due to inactivity. clientaliveinterval: 900 + # This variable specifies the amount of seconds allowed for successful authentication to + # the SSH server. logingracetime: 60 - # WARNING: make sure you understand the precedence when working with these values!! 
+ # WARNING: make sure you understand the precedence when working with the values + # of the following variables + # This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH + # access for users whose user name matches one of the patterns. This is done + # by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file. + # If an USER@HOST format will be used, the specified user will be allowed only on that particular host. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. + # For more info, see https://linux.die.net/man/5/sshd_config # allowusers: + # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access + # for users whose primary group or supplementary group list matches one of the patterns. This is done + # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. + # For more info, https://linux.die.net/man/5/sshd_config # allowgroups: systems dba + # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access + # for users whose user name matches one of the patterns. This is done + # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file. + # If an USER@HOST format will be used, the specified user will be restricted only on that particular host. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. + # For more info, see https://linux.die.net/man/5/sshd_config # denyusers: + # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access + # for users whose primary group or supplementary group list matches one of the patterns. This is done + # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file. 
+ # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. + # For more info, see https://linux.die.net/man/5/sshd_config # denygroups: -# 4.2.5 SSH LogLevel setting. Options are INFO or VERBOSE +## Control 4.2.5 - Ensure SSH LogLevel is appropriate +# This variable refers to the loglevel used for ssh. +# The loglevel allows you to control the amount of detail +# included in the server's log files regarding ssh-related +# activities. +# Options recommended by CIS are: +# INFO - the basic level that only records login activity of +# SSH users. In many situations, such as Incident Response, +# it is important to determine when a particular user was +# active on a system. The logout record can eliminate those +# users who disconnected, which helps narrow the field; +# VERBOSE - specifies that login and logout activity as well as the key +# fingerprint for any SSH key used for login will be logged. +# This information is important for SSH key management, especially +# in legacy environments; amzn2023cis_ssh_loglevel: INFO -# 4.2.19 SSH MaxSessions setting. Must be 4 our less +## Control 4.2.18 - Ensure SSH MaxSessions is set to 10 or less +# This variable contains the maximum number of open sessions permitted +# from a given connection. This number should be 10 or less. amzn2023cis_ssh_maxsessions: 4 -amzn2023cis_inactivelock: - lock_days: 30 +# This variable controls the execution of a preliminary task that +# installs authconfig. Authconfig is a command-line +# utility used for configuring authentication and identity +# sources on Linux systems. +# If this variable's value is set to 'true' then authconfig +# will be installed, otherwise, it will not be installed. amzn2023cis_use_authconfig: false -# 4.3.1/4.3.2 Custom authselect profile settings. 
Settings in place now will fail, they are place holders from the control example -# Due to the way many multiple options and ways to configure this control needs to be enabled and settings adjusted to minimise risk + +## Control 4.3.3 - Ensure sudo log file exists +# This variable contains the path to the sudo +# log file. +amzn2023cis_sudolog_location: "/var/log/sudo.log" + +## Control 4.3.5 - Ensure sudo authentication timeout is configured correctly +# This variable contains the timeout value for sudo authentication. +# Setting a timeout value reduces the window of opportunity for +# unauthorized privileged access to another user. +# CIS requires a value of 15 or less according to your site's +# policy. +amzn2023cis_sudo_timestamp_timeout: 15 + +## Control 4.3.6 - Ensure access to the su command is restricted +# This variable contains the name of the needed empty group +# that will be specified for use of the su command. +# This group's name should be chosen according to site +# policy. +amzn2023cis_sugroup: nosugroup + +## Controls 4.4.1, 4.4.2 - Custom authselect profile settings +# Authselect is another authentication configuration tool +# that aims to provide a more modern and modular approach +# for authentication settings configuration. amzn2023cis_authselect: + # This setting is just a placeholder taken from the CIS + # examples, which might lead to failure. This setting needs + # to be adjusted in order to minimise risk. custom_profile_name: custom-profile + # This setting is just a placeholder taken from the CIS + # examples, which might lead to failure. This setting needs + # to be adjusted in order to minimise risk. default_file_to_copy: "sssd --symlink-meta" + # This setting is just a placeholder taken from the CIS + # examples, which might lead to failure. This setting needs + # to be adjusted in order to minimise risk. 
options: with-sudo with-faillock without-nullok -# 4.3.1 Enable automation to create custom profile settings, using the settings above +## Control 4.4.1 - Ensure custom authselect profile is used +# This variable enables automation to create custom profile settings, using the variables above amzn2023cis_authselect_custom_profile_create: false -# 4.3.2 Enable automation to select custom profile options, using the settings above +## Control 4.4.2 - Ensure authselect includes with-faillock +# This variable enables automation to select custom profile options, using the variables above amzn2023cis_authselect_custom_profile_select: false +# This option is used at your own risk. It is responsible for +# enabling faillock for users. +# Only to be used on a new clean system that is not using authselect! +# THIS CAN BREAK ACCESS EVEN FOR ROOT - UNDERSTAND RISKS !! +amzn2023cis_add_faillock_without_authselect: false +# This needs to be set to "ACCEPT" in order for the option +# mentioned above to be implemented! +amzn2023cis_4_4_2_risks: NEVER + +## Controls 4.4.2, 4.5.2 - faillock configurations +amzn2023cis_pam_faillock: + # This variable holds the time in seconds before the account is unlocked. + # CIS states that this value should be at least 900 and should never be 0. + unlock_time: 900 + # This variable holds the number of attempts before the account is locked. + # CIS states that this value should be greater than 0 and no greater than 5. + deny: 5 + # This variable controls for how long failed login attempts are remembered + # for an account. + remember: 5 + +## Control 4.5.1 - Ensure password creation requirements are configured +amzn2023cis_pam_password: + # This variable specifies the minimum length that a password must + # have to be considered valid. CIS states that this value should be + # at least 14. + minlen: 14 + # This variable specifies the minimum number of character classes + # that must be represented in a password. 
Requiring a minimum + # number of classes ensures diversity in password composition. + # CIS states that this value should be at least 4. + minclass: 4 +## Controls 4.6.1.x - password configuration amzn2023cis_pass: + ## Control 4.6.1.1 + # This variable governs after how many days a password expires. + # CIS requires a value of 365 or less. max_days: 365 + ## Control 4.6.1.2 + # This variable specifies the minimum number of days allowed between changing passwords. + # CIS requires a value of at least 1. min_days: 1 + ## Control 4.6.1.3 + # This variable governs, how many days before a password expires, the user will be warned! + # CIS requires a value of at least 7. warn_age: 7 -# UID settings for interactive users -# These are discovered via logins.def if set true -discover_int_uid: false -min_int_uid: 1000 -max_int_uid: 65533 - -# 4.3.3 var log location variable -amzn2023cis_sudolog_location: "/var/log/sudo.log" - -#### 4.3.6 -amzn2023cis_sudo_timestamp_timeout: 15 - -# 4.3.7 -amzn2023cis_sugroup: nosugroup +## Control 4.6.1.4 - Ensure inactive password lock is 30 days or less +amzn2023cis_inactivelock: + # The following variable refers to the period of time when + # users can be inactive. Once that period of time is over, + # users will be automatically disabled. The value should be + # 30 or less. + lock_days: 30 -### 4.4.2 authselect and faillock -## This option is used at your own risk it will enable faillock for users -## Only to be used on a new clean system if not using authselect -## THIS CAN BREAK ACCESS EVEN FOR ROOT - UNDERSTAND RISKS ## -amzn2023cis_add_faillock_without_authselect: false -# This needs to be set to ACCEPT -amzn2023cis_4_4_2_risks: NEVER +## Control 4.6.1.5 - Ensure all users last password change date is in the past +# This variable tells the role if the fixing for control 4.6.1.5 shall +# be implemented automatically or not. 
Setting it to 'true' will ensure +# that the role executes all the necesary changes, in order for this rule +# to become compliant. Otherwise, the role will allert the user with a +# warning, that lists all accounts that have the last PW change date in +# the future. +amzn2023cis_futurepwchgdate_autofix: true -# Session timeout setting file (TMOUT setting can be set in multiple files) -# Timeout value is in seconds. (60 seconds * 10 = 600) +## Control 4.6.3 - Ensure default user shell timeout is 900 seconds or less amzn2023cis_shell_session_timeout: + # This variable contains the name of the file in which TMOUT will + # be configured file: /etc/profile.d/tmout.sh + # This variable holds the value of TMOUT which determines + # the number of seconds after which a shell is automatically + # terminated. TMOUT value is in seconds (e.g. 60 seconds * 10 = 600) + # CIS states that this value shall never exceed 900 or be equal to 0. timeout: 600 -# Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords -amzn2023cis_futurepwchgdate_autofix: true -# 4.5.1 -## PAM -amzn2023cis_pam_password: - minlen: 14 - minclass: 4 +## +## Section 5 Control Variables +## + +## Control 5.1 - Configure Logging +# The following variable contains the preferred method used +# for logging. The options are "rsyslog" or "journald". +# The value of this variable controls the importing of +# certain tasks from section 5.1. If the chosen option +# is "rsyslog" then only tasks from 5.1.1.x will be executed. +# Otherwise, only tasks from 5.1.2.x will be executed. +amzn2023cis_syslog_service: rsyslog +## Control 5.1.1.5 - Ensure logging is configured +# This variable determines if rsyslog configuration +# shall be ansible managed or not. If you set it to +# 'true' then configuration lines will be automatically +# added to rsyslog. 
+amzn2023cis_rsyslog_ansiblemanaged: true -amzn2023cis_pam_faillock: - unlock_time: 900 - deny: 5 - remember: 5 +## Control 5.1.1.6 - Ensure rsyslog is configured to send logs to a remote log host +# This variable is used to toggle the execution of control 5.1.1.6, which +# ensures rsyslog sends logs to a remote host. If you do not wish for +# this particular feature to be implemented simply switch the value of +# the variable to 'false'. +amzn2023cis_remote_log_server: false +# This variable holds the name chosen for the remote log host. +amzn2023cis_remote_log_host: logagg.example.com +# This variable represents the port number for the remote log host +amzn2023cis_remote_log_port: 514 +# The following variable mentions the protocol used for sending the +# logs to the remote host. +amzn2023cis_remote_log_protocol: tcp +# This variable represents the number of retries that rsyslog +# will attempt to resume the transmission of logs, in case of a +# network or connection failure. +amzn2023cis_remote_log_retrycount: 100 +# This variable refers to the maximum number of messages that can +# be held in the internal queue before they are transmitted to their +# destination. +amzn2023cis_remote_log_queuesize: 1000 + +## Control 5.1.1.7 - Ensure rsyslog is not configured to receive logs from a remote client +# This variable decides whether the system is considered to be a log +# server or not. In the case of option 'true' being selected, the role +# will not proceed to implement control 5.1.1.7. Otherwise, rsyslog +# will not receive logs from a remote client! +amzn2023cis_system_is_log_server: true + +## Control 5.1.2.1.2 - Ensure systemd-journal-remote is configured +# The following variable represents the IP address where the entries +# of the journal will be uploaded to. +amzn2023cis_journal_upload_url: 192.168.50.42 +## The following variables contain default paths. Users are allowed +## to create their own custom paths! 
+# This variable represents the path to the private key used by +# systemd-journal-remote. The key is part of the server's +# configuration for secure communication. +amzn2023cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem" +# This variable represents the path to the server certificate file +# used by systemd-journal-remote. This certificate is used to verify +# the server's identity. +amzn2023cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem" +# This variable represents the path to a file containing trusted +# certificate authorities that the client trusts. It is used by +# the client to verify the authenticity of the server's certificate. +amzn2023cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem" + +## Control 5.1.2.6 - Ensure journald log rotation is configured per site policy +## The variables below are related to journald log rotation, +## please set these to your site's specific values! +# This variable represents the max amount of disk space the logs will use. +# When the journal files exceed this size, older journal files +# are deleted to keep the disk space usage below the specified +# limit. The value is in megabytes. +amzn2023cis_journald_systemmaxuse: 10M +# This variable represents the amount of disk space to be kept free. +# If the free disk space falls below this threshold, older logs are +# deleted to free up space. The value is in gigabytes. +amzn2023cis_journald_systemkeepfree: 100G +# This variable is similar to "amzn2023cis_journald_systemmaxuse" +# only that it refers to in-memory space. "Runtime" is about logs +# that are stored in memory (RAM) and are not present on disk. +# These logs are temporary and exist only for the duration +# of the current system runtime. +amzn2023cis_journald_runtimemaxuse: 10M +# This variable is similar to "amzn2023cis_journald_systemkeepfree" +# only that it refers to in-memory space that should be kept free. 
+# "Runtime" is about logs that are stored in memory (RAM) and are not +# present on disk. These logs are temporary and exist only for the +# duration of the current system runtime. +amzn2023cis_journald_runtimekeepfree: 100G +# This variable sets the maximum time that logs are retained on disk. +# Logs older than the specified duration are deleted. +# Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear. +# For example: "2week" i.e. two weeks +amzn2023cis_journald_maxfilesec: 1month + +## Control 5.2.1.3 - Ensure audit_backlog_limit is sufficient +# This variable represents the audit backlog limit, i.e. the maximum number of audit records that the +# system can buffer in memory, if the audit subsystem is unable to process them in real-time. +# Buffering in memory is useful in situations, where the audit system is overwhelmed +# with incoming audit events, and needs to temporarily store them until they can be processed. +# This variable should be set to a sufficient value. The CIS baseline recommends at least `8192`. +amzn2023cis_audit_back_log_limit: '8192' + +## Control 5.2.2.1 - Ensure audit log storage size is configured +# This variable specifies the maximum size in MB that an audit log file can reach, +# before it is archived or deleted to make space for the new audit data. +# This should be set based on your sites policy. CIS does not provide a specific value. +amzn2023cis_max_log_file_size: '10' + +## Control 5.2.2.x - Configure Data Retention +# This variable controls how the audit system behaves when +# log files are getting too full and space is getting too low. +amzn2023cis_auditd: + # This variable tells the system what action to take when the system has detected + # that it is starting to get low on disk space. 
+ # The options for setting this variable are as follows: + # "ignore" - the system does nothing when presented with the aforementioned issue; + # "syslog" - a message is sent to the system log about disk space running low; + # "email" - the system sends an email notification to the email address + # specified in the "action_mail_acct" variable; + # "exec" - the system executes a custom command when disk space is running + # low; + # "suspend" - the system suspends recording audit events until more space is available; + # "single" - the audit daemon will put the computer system in single user mode; + # "halt" - the system is halted when disk space is critically low; + space_left_action: email + # This variable specifies an e-mail address or alias to which any alert messages + # should be sent. The default setting is root, but you can enter any local or + # remote account as long as e-mail and the network are properly configured on + # your system and /usr/lib/sendmail exists. + action_mail_acct: root + # This variable tells the system what action to take when the system has detected + # that it is low on disk space. + # The options for setting this variable are as follows: + # "ignore" - the system does nothing when presented with the aforementioned issue; + # "syslog" - a message is sent to the system log about disk space running low; + # "email" - the system sends an email notification to the email address + # specified in the "action_mail_acct" variable; + # "exec" - the system executes a custom command when disk space is running + # low; + # "suspend" - the system suspends recording audit events until more space is available; + # "single" - the audit daemon will put the computer system in single user mode; + # "halt" - the system is halted when disk space is critically low; + # CIS prescribes either `halt` or `single`. 
+ admin_space_left_action: halt + # This variable determines what action the audit system should take when the maximum + # size of a log file is reached. + # The options for setting this variable are as follows: + # "ignore" - the system does nothing when the size of a log file is full; + # "syslog" - a message is sent to the system log indicating the problem; + # "suspend" - the system suspends recording audit events until the log file is cleared or rotated; + # "rotate" - the log file is rotated (archived) and a new empty log file is created; + # "keep_logs" - the system attempts to keep as many logs as possible without violating disk + # space constraints; + # CIS prescribes the value `keep_logs`. + max_log_file_action: keep_logs -## Section6 vars +## Control 5.2.3.x - Audit template +# This variable's value controls the execution of a main task +# responsible for importing the yml file needed for configuring +# the auditd rules (auditd.yml). The default value is 'false', +# but tasks responsible for the configuration mentioned earlier, +# are setting it to 'true'. +update_audit_template: false +# This variable is used to condition the execution of a POST task +# from the "auditd.yml" file. That task implements an advanced option +# and it only gets executed if this variable's value is set to 'true'. +# The advance option sets users whose actions are not logged by auditd. +amzn2023cis_allow_auditd_uid_user_exclusions: false + +# This variable can be used to configure other keys in auditd.conf +# Example: +# amzn2023cis_auditd_extra_conf: +# admin_space_left: '10%' +amzn2023cis_auditd_extra_conf: {} + +## Control 5.3 - Ensure logrotate is configured +# This variable is used to specify the regularity of +# log file rotation. 
+amzn2023cis_logrotate: "daily" + +## +## Section 6 Control Variables +## + +## Control 6.1.9 - Ensure permissions on /etc/gshadow- are configured +# This variable contains the name of the file where the list +# of package discrepancies can be found! amzn2023cis_rpm_audit_file: /var/tmp/rpm_file_check -# Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable +## Control 6.1.10 - Audit system file permissions +# The following variable is a toggle for enabling/disabling the automated +# removal of world-writable permissions from all files. +# Possible values are 'true' and 'false'. amzn2023cis_no_world_write_adjust: true -amzn2023cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}" -# This will allow the removal of .netrc, .forward or .rhosts if found from user home_dirs -amzn2023cis_remove_other_dot_files: false +## Control 6.2.10 - Ensure local interactive user home directories are configured +# The minimum and maximum UIDs to be used when enforcing +# and checking control 6.2.10 can either be discovered +# automatically via logins.def or set manually in this +# file. +# If min/maxx UIDs are to be discovered automatically, +# set this variable to 'true', otherwise to 'false'. +discover_int_uid: false +# This variable sets the minimum number from which to search for UID +# Note that the value will be dynamically overwritten if variable "dicover_int_uid" has +# been set to 'true'. +min_int_uid: 1000 +# This variable sets the maximum number at which the search stops for UID +# Note that the value will be dynamically overwritten if variable "dicover_int_uid" has +# been set to 'true'. +max_int_uid: 65533 +## Control 6.2.11 - Ensure local interactive user dot files access is configured +# This variable will allow the removal of .netrc, .forward or .rhosts files. 
+amzn2023cis_remove_other_dot_files: false +# This variable states if filesystem links should be followed or not. amzn2023cis_6_2_11_home_follow_symlinks: false #### Goss Configuration Settings #### From 4a7ce35aeca7234fa905bfe4e7836d0ecd4f0952 Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Wed, 14 Feb 2024 08:59:04 +0200 Subject: [PATCH 11/25] Small fixings for https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/19 Signed-off-by: Diana-Maria Dumitru --- defaults/main.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index cee463e..644d2db 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1147,8 +1147,16 @@ amzn2023cis_allow_auditd_uid_user_exclusions: false # Example: # amzn2023cis_auditd_extra_conf: # admin_space_left: '10%' -amzn2023cis_auditd_extra_conf: {} - +amzn2023cis_auditd_extra_conf: + # This variable governs the threshold(MegaBytes) under which the audit daemon should perform a + # specific action to alert that the system is running low on disk space. Must be lower than + # the 'space_left' variable. + admin_space_left: 50 + # This variable governs the threshold(MegaBytes) under which the audit daemon should perform a + # specific action to alert that the system is running low on disk space(last chance to do something + # before running out of disk space). Must be lower than the 'space_left' variable. + space_left: 75 + ## Control 5.3 - Ensure logrotate is configured # This variable is used to specify the regularity of # log file rotation. From c28b8a4ea1abfbd5e615c899fa729a453c78cae6 Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Wed, 14 Feb 2024 09:07:27 +0200 Subject: [PATCH 12/25] Removing trailing whitespace Signed-off-by: Diana-Maria Dumitru --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
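Review bot: The comment on `space_left` is a copy of the `admin_space_left` one and states the relationship backwards — auditd treats `space_left` (75) as the first, higher threshold and `admin_space_left` (50) as the last-chance lower one, so the second comment should read `# Must be higher than the 'admin_space_left' variable.` Replacing the empty `{}` default with concrete values also changes behaviour for every consumer of the role: each host now gets `admin_space_left: 50`, and with `admin_space_left_action: halt` set earlier in this file that is the free-space point at which the machine is halted, which deserves an explicit warning in the comment. Both comments should further say that the bare numbers are megabytes of free space on the audit log partition and that a percentage (`'10%'`, as the retained example above shows) is accepted, since 50 MB is a very small margin on modern disks and sites will want to raise it.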
diff --git a/defaults/main.yml b/defaults/main.yml index 644d2db..cee187b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1156,7 +1156,7 @@ amzn2023cis_auditd_extra_conf: # specific action to alert that the system is running low on disk space(last chance to do something # before running out of disk space). Must be lower than the 'space_left' variable. space_left: 75 - + ## Control 5.3 - Ensure logrotate is configured # This variable is used to specify the regularity of # log file rotation. From 8bf9197c197413b4f5f12da758234a083b90a975 Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Wed, 14 Feb 2024 10:21:36 +0200 Subject: [PATCH 13/25] Fixing fail message so that is states the correct number of the rule that requires the root password to be set Signed-off-by: Diana-Maria Dumitru --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 678c65a..4409349 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -31,7 +31,7 @@ - name: Ensure root password is set ansible.builtin.assert: that: root_passwd_set.rc == 0 - fail_msg: "You have rule 5.6.6 enabled this requires that you have a root password set" + fail_msg: "You have rule 4.6.6 enabled this requires that you have a root password set" success_msg: "You have a root password set" tags: - level1-server From f5ec60cb3c773cd4e3c13a83bd4ed9631076f633 Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Thu, 15 Feb 2024 11:49:42 +0200 Subject: [PATCH 14/25] Fixing inconsistencies for issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/22 Signed-off-by: Diana-Maria Dumitru --- tasks/section_1/cis_1.1.7.x.yml | 2 -- tasks/section_1/cis_1.3.x.yml | 2 +- tasks/section_4/cis_4.1.x.yml | 4 ++-- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 53a7424..811c83a 100644 
--- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -38,7 +38,6 @@ notify: Change_requires_reboot when: - item.mount == "/home" - - amzn2023cis_rule_1_1_7_1 - amzn2023cis_rule_1_1_7_2 or amzn2023cis_rule_1_1_7_3 tags: @@ -47,6 +46,5 @@ - mounts - rule_1.1.7.2 - rule_1.1.7.3 - - rule_1.1.7.4 - nist_sp800-53r5_AC-3 - nist_sp800-53r5_MP-2 diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index f951332..5377ff2 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -66,7 +66,7 @@ /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 validate: aide -D --config %s when: - - amzn2023cis_rule_1_3_2 + - amzn2023cis_rule_1_3_3 tags: - level1-server - aide diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml index 758c94c..5592247 100644 --- a/tasks/section_4/cis_4.1.x.yml +++ b/tasks/section_4/cis_4.1.x.yml @@ -46,7 +46,7 @@ - level1-server - patch - cron - - rule_5.1.3 + - rule_4.1.3 - nist_sp800-53r5_AC-3 - nist_sp800-53r5_MP-2 @@ -170,6 +170,6 @@ - level1-server - patch - cron - - rule_5.1.9 + - rule_4.1.9 - nist_sp800-53r5_AC-3 - nist_sp800-53r5_MP-2 From 5593023037a21d44e8ef1eda38fb9f1c5316ba71 Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Thu, 15 Feb 2024 11:54:30 +0200 Subject: [PATCH 15/25] Fixing minor syntax issues by adding missing "PATCH" keywords or missing "|". Signed-off-by: Diana-Maria Dumitru --- tasks/section_1/cis_1.3.x.yml | 2 +- tasks/section_4/cis_4.2.x.yml | 2 +- tasks/section_4/cis_4.6.x.yml | 2 +- tasks/section_6/cis_6.2.x.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index f951332..6d8efb7 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml 
@@ -53,7 +53,7 @@ - rule_1.3.2 - nist_sp800-53r5_AU-2 -- name: "1.3.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" +- name: "1.3.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" ansible.builtin.blockinfile: path: /etc/aide.conf marker: "# {mark} Audit tools - CIS benchmark - Ansible-lockdown" diff --git a/tasks/section_4/cis_4.2.x.yml b/tasks/section_4/cis_4.2.x.yml index 6134cb4..345a2ca 100644 --- a/tasks/section_4/cis_4.2.x.yml +++ b/tasks/section_4/cis_4.2.x.yml @@ -1,6 +1,6 @@ --- -- name: "4.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured" +- name: "4.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" ansible.builtin.file: path: "/etc/ssh/sshd_config" owner: root diff --git a/tasks/section_4/cis_4.6.x.yml b/tasks/section_4/cis_4.6.x.yml index 88e787c..9e6e32a 100644 --- a/tasks/section_4/cis_4.6.x.yml +++ b/tasks/section_4/cis_4.6.x.yml @@ -2,7 +2,7 @@ - name: "4.6.2 | PATCH | Ensure system accounts are secured" block: - - name: "4.6.2 | Ensure system accounts are secured | Set nologin" + - name: "4.6.2 | PATCH | Ensure system accounts are secured | Set nologin" ansible.builtin.user: name: "{{ item.id }}" shell: /usr/sbin/nologin diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index c100d41..20a8dda 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -78,7 +78,7 @@ - nist_sp800-53r5_CM-7 - nist_sp800-53r5_IA-5 -- name: "6.2.4 | AUDIT Ensure no duplicate UIDs exist" +- name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist" block: - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" From 9ee76ca43bc7f8a6e9bf2f6064136f3790497b35 Mon Sep 17 00:00:00 2001 
From: Diana-Maria Dumitru Date: Thu, 15 Feb 2024 13:21:02 +0200 Subject: [PATCH 16/25] Fixing PRELIM task "PRELIM | 4.3.3 | Find all sudoers files" mentioned in issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/22. Signed-off-by: Diana-Maria Dumitru --- tasks/prelim.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index bfbac94..fabe6d3 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -234,17 +234,15 @@ - authconfig - auditd -- name: "PRELIM | 4.3.3 | Find all sudoers files." +- name: "PRELIM | 4.3.4 | Find all sudoers files." ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" changed_when: false failed_when: false check_mode: false register: amzn2023cis_sudoers_files when: - - amzn2023cis_rule_4_3_3 or - amzn2023cis_rule_4_3_4 + - amzn2023cis_rule_4_3_4 tags: - - rule_4.3.3 - rule_4.3.4 - sudo - patch From 3bec70eaa5e496d46c7d4dc3584e150f80f6e8ec Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Thu, 15 Feb 2024 13:48:48 +0200 Subject: [PATCH 17/25] Removing 1.1.2.1 from multiline task 1.1.2.2 ,1.1.2.3, 1.1.2.4 because it was not supposed to be there! Signed-off-by: Diana-Maria Dumitru --- tasks/section_1/cis_1.1.2.x.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 514651d..8f13c6e 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -54,7 +54,6 @@ # via systemd - name: | - "1.1.2.1 | PATCH | Ensure /tmp is configured" "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition" "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition" "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition" 
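Review bot: Dropping `amzn2023cis_rule_4_3_3` from the `when` means `amzn2023cis_sudoers_files` is no longer registered when only 4.3.3 is enabled; if any 4.3.3 task still loops over `amzn2023cis_sudoers_files.stdout_lines` (not visible in this diff), it will now fail with an undefined variable whenever `amzn2023cis_rule_4_3_4` is false, so either confirm 4.3.3 no longer consumes the register or keep the `or`. The retained `find … ! -name '*~' ! -name '*.*'` filter is the right one — it mirrors sudo's own rule of ignoring files in `/etc/sudoers.d` that contain a dot or end in `~` — but a comment saying so, `# skip files sudo itself ignores: names containing '.' or ending in '~' (sudoers(5))`, would save the next reader a lookup. Because the task runs with `failed_when: false`, a missing `/etc/sudoers.d/` yields an empty `stdout_lines` rather than an error, which consumers of the register need to tolerate.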
@@ -67,15 +66,13 @@ notify: Systemd restart tmp.mount when: - amzn2023cis_tmp_svc - - amzn2023cis_rule_1_1_2_1 or - amzn2023cis_rule_1_1_2_2 or + - amzn2023cis_rule_1_1_2_2 or amzn2023cis_rule_1_1_2_3 or amzn2023cis_rule_1_1_2_4 tags: - level1-server - patch - mounts - - rule_1.1.2.1 - rule_1.1.2.2 - rule_1.1.2.3 - rule_1.1.2.4 From e8f766fb1109bd9c60bfd8435006b16c5020ba84 Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Fri, 16 Feb 2024 09:29:10 +0200 Subject: [PATCH 18/25] Removing prelim for installing authconfig, as it is not used. Signed-off-by: Diana-Maria Dumitru --- tasks/prelim.yml | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index bfbac94..90b2cfd 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -213,27 +213,6 @@ - rule_5.2.4.6 - rule_5.2.4.7 -- name: "PRELIM | Install authconfig" - ansible.builtin.package: - name: authconfig - state: present - become: true - when: - - amzn2023cis_use_authconfig - - amzn2023cis_rule_5_3_1 or - amzn2023cis_rule_5_3_2 or - amzn2023cis_rule_5_3_3 or - '"authconfig" not in ansible_facts.packages or - "auditd-lib" not in ansible_facts.packages' - tags: - - level1-server - - level1-workstation - - rule_5.3.1 or - rule_5.3.2 or - rule_5.3.3 - - authconfig - - auditd - - name: "PRELIM | 4.3.3 | Find all sudoers files." ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" changed_when: false From e14d2482ea3b563a58e06acd2ee794969382507e Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 19 Feb 2024 17:48:27 +0000 Subject: [PATCH 19/25] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/pre-commit/pre-commit-hooks: v4.4.0 → v4.5.0](https://github.com/pre-commit/pre-commit-hooks/compare/v4.4.0...v4.5.0) - [github.com/gitleaks/gitleaks: v8.17.0 → v8.18.2](https://github.com/gitleaks/gitleaks/compare/v8.17.0...v8.18.2) - [github.com/ansible-community/ansible-lint: v6.18.0 → v24.2.0](https://github.com/ansible-community/ansible-lint/compare/v6.18.0...v24.2.0) - [github.com/adrienverge/yamllint.git: v1.32.0 → v1.35.1](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.35.1) --- .pre-commit-config.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 1acf801..873f275 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.4.0 + rev: v4.5.0 hooks: # Safety - id: detect-aws-credentials @@ -37,13 +37,13 @@ repos: exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.17.0 + rev: v8.18.2 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.18.0 + rev: v24.2.0 hooks: - id: ansible-lint name: Ansible-lint @@ -62,6 +62,6 @@ repos: - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.32.0 # or higher tag + rev: v1.35.1 # or higher tag hooks: - id: yamllint From a4806227ab1723fda46b4ab3d65dda582de509ba Mon Sep 17 00:00:00 2001 
From: Diana-Maria Dumitru Date: Wed, 21 Feb 2024 09:23:58 +0200 Subject: [PATCH 20/25] Removing the 6.1.12 duplicate task and adding it to the 6.1.10 task as it was implementing something needed by 6.1.10. Signed-off-by: Diana-Maria Dumitru --- tasks/section_6/cis_6.1.x.yml | 21 ++++++--------------- 1 file changed, 6 insertions(+), 15 deletions(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 826117a..56bff01 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -191,6 +191,11 @@ when: - amzn2023cis_6_1_10_perms_results.stdout_lines is defined - amzn2023cis_no_world_write_adjust + + - name: "6.1.10 | PATCH | Ensure sticky bit is set on all world-writable directories" + ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t + changed_when: false + failed_when: false when: - amzn2023cis_rule_6_1_10 tags: @@ -198,6 +203,7 @@ - patch - files - permissions + - stickybits - rule_6.1.10 - nist_sp800-53r5_AC-3 - nist_sp800-53r5_MP-2 @@ -278,21 +284,6 @@ - nist_sp800-53r5_AC-3 - nist_sp800-53r5_MP-2 -- name: "6.1.12 | PATCH | Ensure sticky bit is set on all world-writable directories" - ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t - changed_when: false - failed_when: false - when: - - amzn2023cis_rule_6_1_12 - tags: - - level1-server - - patch - - stickybits - - permissons - - rule_6.1.12 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 - - name: "6.1.12 | AUDIT | Ensure SUID and SGID files are reviewed" block: - name: "6.1.12 | AUDIT | Ensure SUID and SGID files are reviewed | Find all SUID executables" From f6e12ab53e558d9179f42ba03898f1c1aa19931f Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Wed, 21 Feb 2024 10:41:18 +0200 Subject: [PATCH 21/25] De-commenting allow and deny variables for sshd. 
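Review bot: The sticky-bit task moved under 6.1.10 feeds `find` output to `xargs chmod a+t` split on whitespace, so a world-writable directory whose name contains a space or newline is passed as broken arguments and silently keeps no sticky bit, and `failed_when: false` also hides the `chmod: missing operand` error GNU xargs produces when no directory matches. Letting `find` apply the change fixes both and stops re-touching directories that already carry the bit: `find '{}' -xdev -type d -perm -0002 ! -perm -1000 -exec chmod a+t {} +`. With that, `changed_when: false` could give way to a real change report by registering the output of a first `find … -print` pass, so the play shows remediation instead of always `ok`. The `block:` this task was moved into opens before this hunk; its `when: - amzn2023cis_rule_6_1_10` is the context visible below the new task.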
Signed-off-by: Diana-Maria Dumitru --- defaults/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index cee187b..0a32227 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -798,26 +798,26 @@ amzn2023cis_sshd:
 # If an USER@HOST format will be used, the specified user will be allowed only on that particular host.
 # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
 # For more info, see https://linux.die.net/man/5/sshd_config
- # allowusers:
+ allowusers: ""
 # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
 # for users whose primary group or supplementary group list matches one of the patterns. This is done
 # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file.
 # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
 # For more info, https://linux.die.net/man/5/sshd_config
- # allowgroups: systems dba
+ allowgroups: ""
 # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
 # for users whose user name matches one of the patterns. This is done
 # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
 # If an USER@HOST format will be used, the specified user will be restricted only on that particular host.
 # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
 # For more info, see https://linux.die.net/man/5/sshd_config
- # denyusers:
+ denyusers: ""
 # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access
 # for users whose primary group or supplementary group list matches one of the patterns. This is done
 # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
 # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
 # For more info, see https://linux.die.net/man/5/sshd_config
- # denygroups:
+ denygroups: ""
 
 ## Control 4.2.5 - Ensure SSH LogLevel is appropriate
 # This variable refers to the loglevel used for ssh.
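Review bot: Turning the four allow/deny keys from commented-out into `""` makes `amzn2023cis_sshd.allowusers` and friends always defined, so a template that emits a directive whenever its key `is defined` (the sshd_config template is not part of this diff, so this is inferred) will now render `AllowUsers ` with no argument; depending on the OpenSSH version that is either a parse error that stops sshd from (re)starting — a lockout on a remote host — or a silently ignored line, and neither is what the operator intended. If the template gates on definedness, switch it to an emptiness test such as `{% if amzn2023cis_sshd.allowusers | default('') | length > 0 %}` and validate the rendered file with `sshd -t` before restarting; otherwise keep the keys commented out. The comments should also state that an empty string leaves the directive out, and that CIS 4.2.x expects at least one of `AllowUsers`/`AllowGroups`/`DenyUsers`/`DenyGroups` to be populated, so with all four empty the control is not enforced by default.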
From 5b2165dba29b659c8c2ad817312c6a56911bf24f Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Thu, 22 Feb 2024 08:10:46 +0200 Subject: [PATCH 22/25] Removing double import of cis_5.3.yml. Signed-off-by: Diana-Maria Dumitru --- tasks/section_5/main.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index 447229f..b70adc3 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml @@ -37,7 +37,3 @@ - name: "SECTION | 5.3 | Configure LogRotate" ansible.builtin.import_tasks: file: cis_5.3.yml - -- name: "SECTION | 5.3 | Configure logrotate" - ansible.builtin.import_tasks: - file: cis_5.3.yml From 08d3be94ec54067379033b867c045a7290f9314c Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Wed, 6 Dec 2023 15:23:27 +0200 Subject: [PATCH 23/25] Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/8 by editing the regexp value and adding another task with `replace` module! Signed-off-by: Diana-Maria Dumitru --- tasks/section_4/cis_4.6.x.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/tasks/section_4/cis_4.6.x.yml b/tasks/section_4/cis_4.6.x.yml index 9e6e32a..aca9748 100644 --- a/tasks/section_4/cis_4.6.x.yml +++ b/tasks/section_4/cis_4.6.x.yml 
@@ -89,17 +89,22 @@ - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive" block: - - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings" + - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs and /etc/profile" ansible.builtin.lineinfile: path: "{{ item.path }}" - regexp: '(?i)(umask\s*)' + regexp: '(?i)(umask\s*\d\d\d)' line: '{{ item.line }} 027' with_items: - - { path: '/etc/bashrc', line: 'umask' } - { path: '/etc/profile', line: 'umask' } - { path: '/etc/login.defs', line: 'UMASK' } - - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" + - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" + ansible.builtin.replace: + path: /etc/bashrc + regexp: '\s+umask\s*\d\d\d' + replace: '\numask 027' + + - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Editing USERGROUPS_ENAB" ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^USERGROUPS_ENAB' From d39be029677a62e96a51760d2c8963581989b52b Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Tue, 30 Jan 2024 10:05:16 +0200 Subject: [PATCH 24/25] Removing trailing whitespaces Signed-off-by: Diana-Maria Dumitru --- tasks/section_4/cis_4.6.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_4/cis_4.6.x.yml b/tasks/section_4/cis_4.6.x.yml index aca9748..e0183ed 100644 --- a/tasks/section_4/cis_4.6.x.yml +++ b/tasks/section_4/cis_4.6.x.yml 
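Review bot: The new `ansible.builtin.replace` task for `/etc/bashrc` can only rewrite an existing `umask NNN` line; if the file carries no umask at all, `replace` is a silent no-op and 4.6.5 stays unmet for bash logins, whereas the `lineinfile` path used for `/etc/profile` and `/etc/login.defs` appends the line when nothing matches. A follow-up `lineinfile` on `/etc/bashrc` with `regexp: '^\s*umask\s+\d{3,4}'` and `line: 'umask 027'` is idempotent once the replace has run and appends the line when none exists, or the task should at least carry a comment stating the assumption that `/etc/bashrc` already sets a umask. The `\s+umask\s*\d\d\d` regex also consumes the matched line's indentation and `replace: '\numask 027'` does not restore it; on the stock RHEL-family `if [ $UID -gt 199 ] …` block this is harmless to bash but leaves dedented lines, so matching only `umask\s+\d{3,4}` and replacing with `umask 027` would be cleaner. The enclosing 4.6.5 block starts before this hunk and continues past it.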
@@ -98,7 +98,7 @@ - { path: '/etc/profile', line: 'umask' } - { path: '/etc/login.defs', line: 'UMASK' } - - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" + - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" ansible.builtin.replace: path: /etc/bashrc regexp: '\s+umask\s*\d\d\d' From 8205dfd322a613466b51178e2bf8c3e6a3815905 Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Fri, 23 Feb 2024 13:08:00 +0200 Subject: [PATCH 25/25] Updating regexps as suggested! Signed-off-by: Diana-Maria Dumitru --- tasks/section_4/cis_4.6.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_4/cis_4.6.x.yml b/tasks/section_4/cis_4.6.x.yml index e0183ed..9e81563 100644 --- a/tasks/section_4/cis_4.6.x.yml +++ b/tasks/section_4/cis_4.6.x.yml @@ -92,7 +92,7 @@ - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs and /etc/profile" ansible.builtin.lineinfile: path: "{{ item.path }}" - regexp: '(?i)(umask\s*\d\d\d)' + regexp: '(?i)^\s*umask\s*\d{3,4}' line: '{{ item.line }} 027' with_items: - { path: '/etc/profile', line: 'umask' } @@ -101,7 +101,7 @@ - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" ansible.builtin.replace: path: /etc/bashrc - regexp: '\s+umask\s*\d\d\d' + regexp: '^\s*umask\s*\d{3,4}' replace: '\numask 027' - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Editing USERGROUPS_ENAB"
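Review bot: `lineinfile` replaces only the last line that matches `regexp`, so on `/etc/profile` — whose stock RHEL-family content sets `umask 002` for UID > 199 and `umask 022` in the `else` branch, if Amazon Linux 2023 follows that layout — only the `else` line becomes `umask 027` while the branch that applies to interactive users keeps `002`, leaving 4.6.5 unmet for exactly the accounts it targets. Use `ansible.builtin.replace` for `/etc/profile` the way the second hunk does for `/etc/bashrc`, keeping `lineinfile` only for `/etc/login.defs`, which holds a single `UMASK`. In both regexes `umask\s*\d{3,4}` should be `umask\s+\d{3,4}`, since `\s*` also matches `umask022`, which is not a umask call. The enclosing 4.6.5 block starts before these hunks.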